cobaltstrike | 41f7635af1e0bda8a4521d45f8908268dd5d47ab69cb592081cf0375463b57e7

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d5094982bc8de82fd5c3b394c5704daa
SHA1

b13023d30bb50fd1fe271a8d8c5e968c76b2a921
SHA256

41f7635af1e0bda8a4521d45f8908268dd5d47ab69cb592081cf0375463b57e7
SHA512

3d0dbaf875a870ef2b6961e3a53b76df777af6365b17b48504008b346c1c8f3a2ac6646451008b4965a3995200912e57910cf877e13dc70d89c5519395bf3b0b
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l2:RWWBibf56utgpPFotBER/mQ32lUy

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b0000000234b3-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bc-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bb-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-27.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bf-34.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c0-45.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c1-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-50.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c3-56.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c4-72.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c5-77.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234b8-74.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234be-33.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c6-85.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c7-92.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c8-101.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c9-111.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ca-116.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022b25-136.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cb-128.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022b23-127.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3244-80-0x00007FF7B2020000-0x00007FF7B2371000-memory.dmp	xmrig
behavioral2/memory/4824-79-0x00007FF75A6C0000-0x00007FF75AA11000-memory.dmp	xmrig
behavioral2/memory/3272-70-0x00007FF6C36F0000-0x00007FF6C3A41000-memory.dmp	xmrig
behavioral2/memory/2580-66-0x00007FF7CD0B0000-0x00007FF7CD401000-memory.dmp	xmrig
behavioral2/memory/2544-81-0x00007FF7977A0000-0x00007FF797AF1000-memory.dmp	xmrig
behavioral2/memory/3456-89-0x00007FF727620000-0x00007FF727971000-memory.dmp	xmrig
behavioral2/memory/1688-98-0x00007FF640480000-0x00007FF6407D1000-memory.dmp	xmrig
behavioral2/memory/5036-100-0x00007FF74DA40000-0x00007FF74DD91000-memory.dmp	xmrig
behavioral2/memory/788-103-0x00007FF7AE2C0000-0x00007FF7AE611000-memory.dmp	xmrig
behavioral2/memory/1764-107-0x00007FF76E680000-0x00007FF76E9D1000-memory.dmp	xmrig
behavioral2/memory/4748-113-0x00007FF65B120000-0x00007FF65B471000-memory.dmp	xmrig
behavioral2/memory/4368-95-0x00007FF7DCF20000-0x00007FF7DD271000-memory.dmp	xmrig
behavioral2/memory/2040-88-0x00007FF6CBA40000-0x00007FF6CBD91000-memory.dmp	xmrig
behavioral2/memory/1188-119-0x00007FF723490000-0x00007FF7237E1000-memory.dmp	xmrig
behavioral2/memory/2660-118-0x00007FF693590000-0x00007FF6938E1000-memory.dmp	xmrig
behavioral2/memory/4548-130-0x00007FF60B950000-0x00007FF60BCA1000-memory.dmp	xmrig
behavioral2/memory/3168-134-0x00007FF74D880000-0x00007FF74DBD1000-memory.dmp	xmrig
behavioral2/memory/3816-133-0x00007FF60A880000-0x00007FF60ABD1000-memory.dmp	xmrig
behavioral2/memory/4824-139-0x00007FF75A6C0000-0x00007FF75AA11000-memory.dmp	xmrig
behavioral2/memory/4400-153-0x00007FF6128A0000-0x00007FF612BF1000-memory.dmp	xmrig
behavioral2/memory/1716-158-0x00007FF7CEA20000-0x00007FF7CED71000-memory.dmp	xmrig
behavioral2/memory/4056-160-0x00007FF77F0A0000-0x00007FF77F3F1000-memory.dmp	xmrig
behavioral2/memory/2572-162-0x00007FF7F74B0000-0x00007FF7F7801000-memory.dmp	xmrig
behavioral2/memory/4824-163-0x00007FF75A6C0000-0x00007FF75AA11000-memory.dmp	xmrig
behavioral2/memory/2544-220-0x00007FF7977A0000-0x00007FF797AF1000-memory.dmp	xmrig
behavioral2/memory/2040-222-0x00007FF6CBA40000-0x00007FF6CBD91000-memory.dmp	xmrig
behavioral2/memory/3456-225-0x00007FF727620000-0x00007FF727971000-memory.dmp	xmrig
behavioral2/memory/5036-226-0x00007FF74DA40000-0x00007FF74DD91000-memory.dmp	xmrig
behavioral2/memory/2660-229-0x00007FF693590000-0x00007FF6938E1000-memory.dmp	xmrig
behavioral2/memory/1764-232-0x00007FF76E680000-0x00007FF76E9D1000-memory.dmp	xmrig
behavioral2/memory/4748-230-0x00007FF65B120000-0x00007FF65B471000-memory.dmp	xmrig
behavioral2/memory/3272-236-0x00007FF6C36F0000-0x00007FF6C3A41000-memory.dmp	xmrig
behavioral2/memory/1188-240-0x00007FF723490000-0x00007FF7237E1000-memory.dmp	xmrig
behavioral2/memory/4548-244-0x00007FF60B950000-0x00007FF60BCA1000-memory.dmp	xmrig
behavioral2/memory/3816-246-0x00007FF60A880000-0x00007FF60ABD1000-memory.dmp	xmrig
behavioral2/memory/3244-242-0x00007FF7B2020000-0x00007FF7B2371000-memory.dmp	xmrig
behavioral2/memory/2580-239-0x00007FF7CD0B0000-0x00007FF7CD401000-memory.dmp	xmrig
behavioral2/memory/4368-254-0x00007FF7DCF20000-0x00007FF7DD271000-memory.dmp	xmrig
behavioral2/memory/1688-256-0x00007FF640480000-0x00007FF6407D1000-memory.dmp	xmrig
behavioral2/memory/788-258-0x00007FF7AE2C0000-0x00007FF7AE611000-memory.dmp	xmrig
behavioral2/memory/4400-260-0x00007FF6128A0000-0x00007FF612BF1000-memory.dmp	xmrig
behavioral2/memory/1716-262-0x00007FF7CEA20000-0x00007FF7CED71000-memory.dmp	xmrig
behavioral2/memory/3168-266-0x00007FF74D880000-0x00007FF74DBD1000-memory.dmp	xmrig
behavioral2/memory/2572-268-0x00007FF7F74B0000-0x00007FF7F7801000-memory.dmp	xmrig
behavioral2/memory/4056-271-0x00007FF77F0A0000-0x00007FF77F3F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2544	PVJgjDw.exe
2040	qjECAVD.exe
3456	pKhOhzL.exe
5036	yTaBZzQ.exe
1764	zohykdT.exe
4748	ryJaPsQ.exe
2660	qslELSz.exe
1188	gBpuKHN.exe
3272	SAlklco.exe
2580	rKhjDUu.exe
4548	cyVLkmC.exe
3244	LDoXHEl.exe
3816	mWqPRZK.exe
4368	sUTEnVP.exe
1688	foSlFPO.exe
788	WyYhGNM.exe
4400	idYbfCw.exe
1716	DaqvKIK.exe
4056	kWHpYfy.exe
3168	qLdKKvM.exe
2572	JCbHdFo.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4824-0-0x00007FF75A6C0000-0x00007FF75AA11000-memory.dmp	upx
behavioral2/files/0x000b0000000234b3-4.dat	upx
behavioral2/files/0x00070000000234bc-10.dat	upx
behavioral2/files/0x00070000000234bb-11.dat	upx
behavioral2/memory/2040-14-0x00007FF6CBA40000-0x00007FF6CBD91000-memory.dmp	upx
behavioral2/memory/3456-21-0x00007FF727620000-0x00007FF727971000-memory.dmp	upx
behavioral2/files/0x00070000000234bd-27.dat	upx
behavioral2/files/0x00070000000234bf-34.dat	upx
behavioral2/memory/2660-42-0x00007FF693590000-0x00007FF6938E1000-memory.dmp	upx
behavioral2/files/0x00070000000234c0-45.dat	upx
behavioral2/files/0x00070000000234c1-47.dat	upx
behavioral2/files/0x00070000000234c2-50.dat	upx
behavioral2/files/0x00070000000234c3-56.dat	upx
behavioral2/files/0x00070000000234c4-72.dat	upx
behavioral2/files/0x00070000000234c5-77.dat	upx
behavioral2/memory/3244-80-0x00007FF7B2020000-0x00007FF7B2371000-memory.dmp	upx
behavioral2/memory/4824-79-0x00007FF75A6C0000-0x00007FF75AA11000-memory.dmp	upx
behavioral2/memory/3816-76-0x00007FF60A880000-0x00007FF60ABD1000-memory.dmp	upx
behavioral2/files/0x00080000000234b8-74.dat	upx
behavioral2/memory/4548-71-0x00007FF60B950000-0x00007FF60BCA1000-memory.dmp	upx
behavioral2/memory/3272-70-0x00007FF6C36F0000-0x00007FF6C3A41000-memory.dmp	upx
behavioral2/memory/2580-66-0x00007FF7CD0B0000-0x00007FF7CD401000-memory.dmp	upx
behavioral2/memory/1188-58-0x00007FF723490000-0x00007FF7237E1000-memory.dmp	upx
behavioral2/memory/4748-35-0x00007FF65B120000-0x00007FF65B471000-memory.dmp	upx
behavioral2/files/0x00070000000234be-33.dat	upx
behavioral2/memory/1764-32-0x00007FF76E680000-0x00007FF76E9D1000-memory.dmp	upx
behavioral2/memory/5036-22-0x00007FF74DA40000-0x00007FF74DD91000-memory.dmp	upx
behavioral2/memory/2544-7-0x00007FF7977A0000-0x00007FF797AF1000-memory.dmp	upx
behavioral2/memory/2544-81-0x00007FF7977A0000-0x00007FF797AF1000-memory.dmp	upx
behavioral2/files/0x00070000000234c6-85.dat	upx
behavioral2/memory/3456-89-0x00007FF727620000-0x00007FF727971000-memory.dmp	upx
behavioral2/files/0x00070000000234c7-92.dat	upx
behavioral2/memory/1688-98-0x00007FF640480000-0x00007FF6407D1000-memory.dmp	upx
behavioral2/memory/5036-100-0x00007FF74DA40000-0x00007FF74DD91000-memory.dmp	upx
behavioral2/files/0x00070000000234c8-101.dat	upx
behavioral2/memory/788-103-0x00007FF7AE2C0000-0x00007FF7AE611000-memory.dmp	upx
behavioral2/memory/1764-107-0x00007FF76E680000-0x00007FF76E9D1000-memory.dmp	upx
behavioral2/memory/4400-108-0x00007FF6128A0000-0x00007FF612BF1000-memory.dmp	upx
behavioral2/files/0x00070000000234c9-111.dat	upx
behavioral2/files/0x00070000000234ca-116.dat	upx
behavioral2/memory/1716-115-0x00007FF7CEA20000-0x00007FF7CED71000-memory.dmp	upx
behavioral2/memory/4748-113-0x00007FF65B120000-0x00007FF65B471000-memory.dmp	upx
behavioral2/memory/4368-95-0x00007FF7DCF20000-0x00007FF7DD271000-memory.dmp	upx
behavioral2/memory/2040-88-0x00007FF6CBA40000-0x00007FF6CBD91000-memory.dmp	upx
behavioral2/memory/1188-119-0x00007FF723490000-0x00007FF7237E1000-memory.dmp	upx
behavioral2/memory/2660-118-0x00007FF693590000-0x00007FF6938E1000-memory.dmp	upx
behavioral2/memory/4056-125-0x00007FF77F0A0000-0x00007FF77F3F1000-memory.dmp	upx
behavioral2/memory/4548-130-0x00007FF60B950000-0x00007FF60BCA1000-memory.dmp	upx
behavioral2/memory/3168-134-0x00007FF74D880000-0x00007FF74DBD1000-memory.dmp	upx
behavioral2/files/0x0002000000022b25-136.dat	upx
behavioral2/memory/2572-135-0x00007FF7F74B0000-0x00007FF7F7801000-memory.dmp	upx
behavioral2/memory/3816-133-0x00007FF60A880000-0x00007FF60ABD1000-memory.dmp	upx
behavioral2/files/0x00070000000234cb-128.dat	upx
behavioral2/files/0x0002000000022b23-127.dat	upx
behavioral2/memory/4824-139-0x00007FF75A6C0000-0x00007FF75AA11000-memory.dmp	upx
behavioral2/memory/4400-153-0x00007FF6128A0000-0x00007FF612BF1000-memory.dmp	upx
behavioral2/memory/1716-158-0x00007FF7CEA20000-0x00007FF7CED71000-memory.dmp	upx
behavioral2/memory/4056-160-0x00007FF77F0A0000-0x00007FF77F3F1000-memory.dmp	upx
behavioral2/memory/2572-162-0x00007FF7F74B0000-0x00007FF7F7801000-memory.dmp	upx
behavioral2/memory/4824-163-0x00007FF75A6C0000-0x00007FF75AA11000-memory.dmp	upx
behavioral2/memory/2544-220-0x00007FF7977A0000-0x00007FF797AF1000-memory.dmp	upx
behavioral2/memory/2040-222-0x00007FF6CBA40000-0x00007FF6CBD91000-memory.dmp	upx
behavioral2/memory/3456-225-0x00007FF727620000-0x00007FF727971000-memory.dmp	upx
behavioral2/memory/5036-226-0x00007FF74DA40000-0x00007FF74DD91000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\zohykdT.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sUTEnVP.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WyYhGNM.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JCbHdFo.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SAlklco.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mWqPRZK.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\idYbfCw.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DaqvKIK.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kWHpYfy.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qLdKKvM.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pKhOhzL.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ryJaPsQ.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gBpuKHN.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cyVLkmC.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PVJgjDw.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qjECAVD.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yTaBZzQ.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qslELSz.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rKhjDUu.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LDoXHEl.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\foSlFPO.exe	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 2544	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4824 wrote to memory of 2544	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4824 wrote to memory of 2040	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4824 wrote to memory of 2040	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4824 wrote to memory of 3456	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4824 wrote to memory of 3456	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4824 wrote to memory of 5036	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4824 wrote to memory of 5036	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4824 wrote to memory of 1764	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4824 wrote to memory of 1764	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4824 wrote to memory of 4748	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4824 wrote to memory of 4748	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4824 wrote to memory of 2660	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4824 wrote to memory of 2660	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4824 wrote to memory of 1188	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4824 wrote to memory of 1188	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4824 wrote to memory of 3272	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4824 wrote to memory of 3272	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4824 wrote to memory of 2580	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4824 wrote to memory of 2580	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4824 wrote to memory of 4548	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4824 wrote to memory of 4548	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4824 wrote to memory of 3244	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4824 wrote to memory of 3244	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4824 wrote to memory of 3816	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4824 wrote to memory of 3816	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4824 wrote to memory of 4368	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4824 wrote to memory of 4368	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4824 wrote to memory of 1688	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4824 wrote to memory of 1688	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4824 wrote to memory of 788	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4824 wrote to memory of 788	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4824 wrote to memory of 4400	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4824 wrote to memory of 4400	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4824 wrote to memory of 1716	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4824 wrote to memory of 1716	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4824 wrote to memory of 4056	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4824 wrote to memory of 4056	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4824 wrote to memory of 3168	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4824 wrote to memory of 3168	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4824 wrote to memory of 2572	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4824 wrote to memory of 2572	4824	2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_d5094982bc8de82fd5c3b394c5704daa_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\System\PVJgjDw.exe
  C:\Windows\System\PVJgjDw.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\qjECAVD.exe
  C:\Windows\System\qjECAVD.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System\pKhOhzL.exe
  C:\Windows\System\pKhOhzL.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System\yTaBZzQ.exe
  C:\Windows\System\yTaBZzQ.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\zohykdT.exe
  C:\Windows\System\zohykdT.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System\ryJaPsQ.exe
  C:\Windows\System\ryJaPsQ.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\qslELSz.exe
  C:\Windows\System\qslELSz.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\gBpuKHN.exe
  C:\Windows\System\gBpuKHN.exe
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\System\SAlklco.exe
  C:\Windows\System\SAlklco.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\rKhjDUu.exe
  C:\Windows\System\rKhjDUu.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\cyVLkmC.exe
  C:\Windows\System\cyVLkmC.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System\LDoXHEl.exe
  C:\Windows\System\LDoXHEl.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System\mWqPRZK.exe
  C:\Windows\System\mWqPRZK.exe
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\System\sUTEnVP.exe
  C:\Windows\System\sUTEnVP.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\foSlFPO.exe
  C:\Windows\System\foSlFPO.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\WyYhGNM.exe
  C:\Windows\System\WyYhGNM.exe
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\System\idYbfCw.exe
  C:\Windows\System\idYbfCw.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\DaqvKIK.exe
  C:\Windows\System\DaqvKIK.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\kWHpYfy.exe
  C:\Windows\System\kWHpYfy.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\qLdKKvM.exe
  C:\Windows\System\qLdKKvM.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\JCbHdFo.exe
  C:\Windows\System\JCbHdFo.exe
  2⤵
  - Executes dropped EXE
  PID:2572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DaqvKIK.exe

Filesize
5.2MB

MD5
1837cf883564c9ba450774f0863e5a2a

SHA1
9f3c8f5251f4d826d7de15efa0511834eff6ce94

SHA256
b31bdc54b5723173162ef6fb56301a3e7a73e322bf5922361f233716f560a145

SHA512
d0fe428fe860c9add19ff4c0fcf08666a912ab87d5922db3aeba0d40b2fe75a67d1c8818fe1cdfca12a0cdeca8c5c3f98cb76233211d05dcca971ed792e13c91

Download Submit
C:\Windows\System\JCbHdFo.exe

Filesize
5.2MB

MD5
8c54ce7f7c113011e9ed709962a5c986

SHA1
34d18bc0affe25366bfa2d6110bd75cb6c8be208

SHA256
08121c1f6404ccd8924e5920cf5755d5f4d9d8fbad9ed0327753cb92705808f3

SHA512
8dee501bf6c232f80975a95c67807f585898b2c0855438350a61d7601ff8872ef97f6bc7b583c18556772b3184c4ff8757fe1e68c50a3ebe4f58028fd0047135

Download Submit
C:\Windows\System\LDoXHEl.exe

Filesize
5.2MB

MD5
4fbe47d07d5271128f0fc03179b24619

SHA1
178c4d004b7c7de90122d3d1f2c0bfce14e97af5

SHA256
8a27734877020ef12a8e1ace6968a67941c59042676ac3f78f3dde9d6f1b3f9f

SHA512
ba7cc6d311e73c804b18a45174dc89f3ab8bcd0839f48de171e4bc562910106f37392ea98cf9c42e49e0bdd78e52cf340764ddb532a9a4bc21a7bc264cf8cfe4

Download Submit
C:\Windows\System\PVJgjDw.exe

Filesize
5.2MB

MD5
dea0bde5795f2db70d95328eebf54e85

SHA1
43cedb115f8fdac10c2fc96f8c691aad0df5f52a

SHA256
56acc2d233f0de14318fd0076c20bf79d14d5603b4c9e8ab00a970f5341277f3

SHA512
ab31b753acb9ba64cd17f7fe7a481d369d0a13dfa6d1501d9f64cba525db8fb7cfc4d1c3ea78bf7125a8beb34207bea417ed9e51abdff6cda6c39d52d4048fca

Download Submit
C:\Windows\System\SAlklco.exe

Filesize
5.2MB

MD5
2f251d1de0ee9a4d42b0b661e91aee1b

SHA1
7fa81e42c36d876bb5588f28d171efa5d1978fb6

SHA256
91f873ba706882cab9a8685d1032ed2c355b19843cca13df44285435b6e0f038

SHA512
c2a77388e74541c142a84990ac7c742e8baaf8f93b283083abf99cbee16d2950c109a0f0051b880e5b510f1e0cfce159154d2d6292f0669fc7bd768e8de6ccab

Download Submit
C:\Windows\System\WyYhGNM.exe

Filesize
5.2MB

MD5
317bbde83728b1b8e76aa50b307f5773

SHA1
fd2925076c1ce388f94f3448185e047cfd88d4e2

SHA256
8cf851f1071ec351dc84c12b0b645dd7340bcccb592cdac04e688b2a9e18a501

SHA512
688402020af765bd0f5de4dbba4969bfe9c1973975e7264b9e746c5b424c570a88b0d6212e76f0a9cbf0a89cf7d9af08dbb8626559d10d7b6d7dcfcdb6a2a886

Download Submit
C:\Windows\System\cyVLkmC.exe

Filesize
5.2MB

MD5
4c7d429a5bb3c75144e3a0d44fab7aac

SHA1
743b2ce337d4970c7accb1686a2e4910accd6663

SHA256
e8f2e8af22483846c4fe2245da5dc9981415a006cbad6ae2b167b017c48983a4

SHA512
6cce50d0ef00cedf45ca110d966749705c19d13c863fe3301f0706a8af4abab523c288749f5809ea6c5813269520822f507e8efe9e3f1d5a80e36e0174ff007f

Download Submit
C:\Windows\System\foSlFPO.exe

Filesize
5.2MB

MD5
ecd0ef515e520c4e5c67346cb69a8953

SHA1
3d21770cb0ace9319518558ac9cc6cd870df2d96

SHA256
2bac7797e07e11e1c0ec596dfdb220f4d793ab9330faed110154d503cb261fb6

SHA512
e235fde768a0ba9e6f557bb3bc92ad10babc5feea8fee35bc8912f80335de9fea698cadf95c172a59ee1035d502d4635824e2ac267cdec215b1de7fb575e79e1

Download Submit
C:\Windows\System\gBpuKHN.exe

Filesize
5.2MB

MD5
29100975cd4c33aa1ee081b2ffc43b6c

SHA1
4cdfe6b0ee71f8e81ec02eb91b65b2df1b4f1a39

SHA256
a513af847c062a54429abaa3594de7e83b536e2c7a4e89eb476d5a65ceb2d731

SHA512
5d35c249b91a94cd7970902b985d470756358e2897aaf11d049bb13f2a83f97535d831a6add912fb6d8d5da7fa72ab7a4e81f0181575281a1f768f242ae2d96d

Download Submit
C:\Windows\System\idYbfCw.exe

Filesize
5.2MB

MD5
acef707839c5d2ae5f653282f106e45e

SHA1
640343600059e2c12e40ee2acf3ec2ec7119e6e9

SHA256
0ec9e1edf890a491e1e6533a0d6ad3cb5d2cda296cf781dd9520a0a1ab27fd9b

SHA512
232d41a0a5e8ff73ad5cdd4d016bca8833a7453e89f7246c709591ef0f0f7af1705f4adfa331d7344053d3821095a8a5ee97684e7847248648aae4254c132ee3

Download Submit
C:\Windows\System\kWHpYfy.exe

Filesize
5.2MB

MD5
225f2be03bc09ce481cc6a79cda67685

SHA1
4dcacc9a616899098ac1710408b20bd1f0889a8a

SHA256
9b088925d27bc71dd7404f04f70c4705ebff040419b1aafc89d7f4385cd6eac8

SHA512
ca9a4e8ca0bf21929753df7108ac3075c3ed7977c2683ad6287d164abf551e80e17cfc1763042f0173a211bd6e8f887311f307fe093c58ebe3a0c1f3e369dab4

Download Submit
C:\Windows\System\mWqPRZK.exe

Filesize
5.2MB

MD5
09213d6f2dcb198fc06d1962f3c62bab

SHA1
bc83b598b61d9959035cbc5aacfc2108ceda1ece

SHA256
9e28f954848148cb4e00dcdf36258a493d1e15ad9787642426961084c59bfbcc

SHA512
ad0454c66466e706f2da82bf365a7a317f39678726036c181aabfa042d70730cc7592a1762b411403249ae7afea052efb309f626ad02782567439f243b51e578

Download Submit
C:\Windows\System\pKhOhzL.exe

Filesize
5.2MB

MD5
9887b2ff1c3efb79eae2203dbbc3a9e3

SHA1
ec01e93f7f1ff9c6ea344d009b28365088b4be79

SHA256
9e2b3b1b6ed615ce6461ac58c95c7d8599cc8d824f2fba3a91f1726f9850e152

SHA512
fabc910ce39b0d71572f7a7703bbba42ef4ccb88f32982942d402b46f462a4c112d2a6eaf83b9b31b42da345d6e41308b7a65e5a08a3a6e097623c7f4b2b4321

Download Submit
C:\Windows\System\qLdKKvM.exe

Filesize
5.2MB

MD5
068ea1580fe798b28bcea8b82a090624

SHA1
580e7020ab54c000f0998dfa77a012a20e87f434

SHA256
c94646548e1eb7b5f9b4706f536327b29bb69d4765a0aa95b0ab43e4d724b6e8

SHA512
d93f41b48573e4bd1c228f7efc023dc84daf59c1653686d9ab4d5cf4540e673daae250297ad5a20d171598c7d294162a659c649a10170ae19a952f3133f12fd9

Download Submit
C:\Windows\System\qjECAVD.exe

Filesize
5.2MB

MD5
3467d0bceee5de63ddd4443444a076aa

SHA1
bcb0fd836fd50db8b9c9b957eb2929392a0d3f6f

SHA256
4251d3255fae1a0d91a0b8c4e6502ec6e97842cb789c879951fd103cc1eb2cd5

SHA512
f54be8867c38346e5729c39cd7abc56d67c9ae59d367ecf49655c4f88e1b09741c55d52faff572517be01feb043d65dd2444c209ddb5b448a0f1617f6873296f

Download Submit
C:\Windows\System\qslELSz.exe

Filesize
5.2MB

MD5
35cc0d78153771a54920bcb657a21b58

SHA1
f3e6059a2d92e73314a285543bd4227097bba99e

SHA256
54e23a2023814f32a17489d663acf34cce94efa4492241dd85875e32e156e4f1

SHA512
527c4435232dab4be72e87295ea1f4e66b8d07f2fc15cd2b83e4ba8b90ec3a3526843bd22c605b4f0252cf8d9e7a564e2bbc55e695f85bfe308c60fdec0a4970

Download Submit
C:\Windows\System\rKhjDUu.exe

Filesize
5.2MB

MD5
94ab56eb01889aff792e155d9098ea10

SHA1
89bf972d7a3078415ef3c387f7a030e01209b518

SHA256
366e7c0136dc0e19bf7ad845dd71b15d3c79027fcabcfef2e6ac2f5d2e762f59

SHA512
db194e5767ebf200c6ed75f080f16b58462460039412d6febee9c41478b1b922921bb1a617fd9a093e4472a5ab1d4ee5facbc78febec60eaafa612bbaf931d75

Download Submit
C:\Windows\System\ryJaPsQ.exe

Filesize
5.2MB

MD5
527a36b5ef3349c6fe361b80d8887f11

SHA1
c270f2aafa2ae72a690120239e75430ef07aa953

SHA256
e92d26a96af75f926a8eb0e26b238380a65c5358b519db8197ef125c93ea2777

SHA512
d91093a7d4d6313368d67b4babbae2fea2254d6d07f771c39f9cb5cf00fa39d446c9af1b78d5c633cbc31400a963328dce51924810c8c0adaa8eba59d91a357a

Download Submit
C:\Windows\System\sUTEnVP.exe

Filesize
5.2MB

MD5
b40402c16f3e046162bccb0cbd93c05b

SHA1
1bda5af66905d95c5d4c3bff6af7cf957a40ab0f

SHA256
3eb712b39b9ab06bc17728ade143049c8e38b2f22f2b9e816cc73863033f01f2

SHA512
4ac62f91abbd6152ba42714a123614efb84cb731999e781f93d8cb7c83ca35be010a6caef7dbed723f3c44d45428017be7f62b833ac0726033060a24733bd5da

Download Submit
C:\Windows\System\yTaBZzQ.exe

Filesize
5.2MB

MD5
f49ef0ef9567d77839c4520e1074f424

SHA1
03ff277848e85a77fec7b9247b175ac15b78921b

SHA256
6264c7db6e6472c0445fb5003ef29cccd7cbf7d47f7629dab82d2123da3ad782

SHA512
cb11770fb0b62d5aeaacbf711d83afa0fe83b206691ac1340fed340426837ce0f3b17c30f4b3ff141617d9bcd593ae510ae1af1d6546d706ce534cfdd894d839

Download Submit
C:\Windows\System\zohykdT.exe

Filesize
5.2MB

MD5
e46e714982cdd1727417a6b56d820eb4

SHA1
e1e47e3e4751038bdfb7fe5bac0b623f7dd2171f

SHA256
47c72cdd9b14954cedcc11841e39a796bf5750a95fdb1382bf5feac892af4202

SHA512
04b34947ec7d4af1762d25b9f2f44d67965d58db1cda8cbef08208aa26b9556d831e4af0eaf1ae45ebe1413f52c90f0e9ef628f6f91beaabcae72e0418beca0f

Download Submit
memory/788-103-0x00007FF7AE2C0000-0x00007FF7AE611000-memory.dmp

Filesize
3.3MB

Download
memory/788-258-0x00007FF7AE2C0000-0x00007FF7AE611000-memory.dmp

Filesize
3.3MB

Download
memory/1188-119-0x00007FF723490000-0x00007FF7237E1000-memory.dmp

Filesize
3.3MB

Download
memory/1188-58-0x00007FF723490000-0x00007FF7237E1000-memory.dmp

Filesize
3.3MB

Download
memory/1188-240-0x00007FF723490000-0x00007FF7237E1000-memory.dmp

Filesize
3.3MB

Download
memory/1688-98-0x00007FF640480000-0x00007FF6407D1000-memory.dmp

Filesize
3.3MB

Download
memory/1688-256-0x00007FF640480000-0x00007FF6407D1000-memory.dmp

Filesize
3.3MB

Download
memory/1716-115-0x00007FF7CEA20000-0x00007FF7CED71000-memory.dmp

Filesize
3.3MB

Download
memory/1716-158-0x00007FF7CEA20000-0x00007FF7CED71000-memory.dmp

Filesize
3.3MB

Download
memory/1716-262-0x00007FF7CEA20000-0x00007FF7CED71000-memory.dmp

Filesize
3.3MB

Download
memory/1764-107-0x00007FF76E680000-0x00007FF76E9D1000-memory.dmp

Filesize
3.3MB

Download
memory/1764-32-0x00007FF76E680000-0x00007FF76E9D1000-memory.dmp

Filesize
3.3MB

Download
memory/1764-232-0x00007FF76E680000-0x00007FF76E9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2040-88-0x00007FF6CBA40000-0x00007FF6CBD91000-memory.dmp

Filesize
3.3MB

Download
memory/2040-14-0x00007FF6CBA40000-0x00007FF6CBD91000-memory.dmp

Filesize
3.3MB

Download
memory/2040-222-0x00007FF6CBA40000-0x00007FF6CBD91000-memory.dmp

Filesize
3.3MB

Download
memory/2544-81-0x00007FF7977A0000-0x00007FF797AF1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-7-0x00007FF7977A0000-0x00007FF797AF1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-220-0x00007FF7977A0000-0x00007FF797AF1000-memory.dmp

Filesize
3.3MB

Download
memory/2572-162-0x00007FF7F74B0000-0x00007FF7F7801000-memory.dmp

Filesize
3.3MB

Download
memory/2572-268-0x00007FF7F74B0000-0x00007FF7F7801000-memory.dmp

Filesize
3.3MB

Download
memory/2572-135-0x00007FF7F74B0000-0x00007FF7F7801000-memory.dmp

Filesize
3.3MB

Download
memory/2580-66-0x00007FF7CD0B0000-0x00007FF7CD401000-memory.dmp

Filesize
3.3MB

Download
memory/2580-239-0x00007FF7CD0B0000-0x00007FF7CD401000-memory.dmp

Filesize
3.3MB

Download
memory/2660-229-0x00007FF693590000-0x00007FF6938E1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-118-0x00007FF693590000-0x00007FF6938E1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-42-0x00007FF693590000-0x00007FF6938E1000-memory.dmp

Filesize
3.3MB

Download
memory/3168-266-0x00007FF74D880000-0x00007FF74DBD1000-memory.dmp

Filesize
3.3MB

Download
memory/3168-134-0x00007FF74D880000-0x00007FF74DBD1000-memory.dmp

Filesize
3.3MB

Download
memory/3244-80-0x00007FF7B2020000-0x00007FF7B2371000-memory.dmp

Filesize
3.3MB

Download
memory/3244-242-0x00007FF7B2020000-0x00007FF7B2371000-memory.dmp

Filesize
3.3MB

Download
memory/3272-236-0x00007FF6C36F0000-0x00007FF6C3A41000-memory.dmp

Filesize
3.3MB

Download
memory/3272-70-0x00007FF6C36F0000-0x00007FF6C3A41000-memory.dmp

Filesize
3.3MB

Download
memory/3456-89-0x00007FF727620000-0x00007FF727971000-memory.dmp

Filesize
3.3MB

Download
memory/3456-21-0x00007FF727620000-0x00007FF727971000-memory.dmp

Filesize
3.3MB

Download
memory/3456-225-0x00007FF727620000-0x00007FF727971000-memory.dmp

Filesize
3.3MB

Download
memory/3816-246-0x00007FF60A880000-0x00007FF60ABD1000-memory.dmp

Filesize
3.3MB

Download
memory/3816-133-0x00007FF60A880000-0x00007FF60ABD1000-memory.dmp

Filesize
3.3MB

Download
memory/3816-76-0x00007FF60A880000-0x00007FF60ABD1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-125-0x00007FF77F0A0000-0x00007FF77F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-160-0x00007FF77F0A0000-0x00007FF77F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-271-0x00007FF77F0A0000-0x00007FF77F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/4368-254-0x00007FF7DCF20000-0x00007FF7DD271000-memory.dmp

Filesize
3.3MB

Download
memory/4368-95-0x00007FF7DCF20000-0x00007FF7DD271000-memory.dmp

Filesize
3.3MB

Download
memory/4400-260-0x00007FF6128A0000-0x00007FF612BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4400-153-0x00007FF6128A0000-0x00007FF612BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4400-108-0x00007FF6128A0000-0x00007FF612BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-130-0x00007FF60B950000-0x00007FF60BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-244-0x00007FF60B950000-0x00007FF60BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-71-0x00007FF60B950000-0x00007FF60BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/4748-35-0x00007FF65B120000-0x00007FF65B471000-memory.dmp

Filesize
3.3MB

Download
memory/4748-230-0x00007FF65B120000-0x00007FF65B471000-memory.dmp

Filesize
3.3MB

Download
memory/4748-113-0x00007FF65B120000-0x00007FF65B471000-memory.dmp

Filesize
3.3MB

Download
memory/4824-79-0x00007FF75A6C0000-0x00007FF75AA11000-memory.dmp

Filesize
3.3MB

Download
memory/4824-139-0x00007FF75A6C0000-0x00007FF75AA11000-memory.dmp

Filesize
3.3MB

Download
memory/4824-163-0x00007FF75A6C0000-0x00007FF75AA11000-memory.dmp

Filesize
3.3MB

Download
memory/4824-0-0x00007FF75A6C0000-0x00007FF75AA11000-memory.dmp

Filesize
3.3MB

Download
memory/4824-1-0x00000229BCAC0000-0x00000229BCAD0000-memory.dmp

Filesize
64KB

Download
memory/5036-226-0x00007FF74DA40000-0x00007FF74DD91000-memory.dmp

Filesize
3.3MB

Download
memory/5036-100-0x00007FF74DA40000-0x00007FF74DD91000-memory.dmp

Filesize
3.3MB

Download
memory/5036-22-0x00007FF74DA40000-0x00007FF74DD91000-memory.dmp

Filesize
3.3MB

Download