cobaltstrike | 29b7c4bdae840f1d0dc3849bb54f5f8d16d114a128d03eae742362c3b2d25151

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

17ddb31575df19633bf62f3ba6ba27c1
SHA1

c3446ef2fb02a5238511d67952f97428b3b2944a
SHA256

29b7c4bdae840f1d0dc3849bb54f5f8d16d114a128d03eae742362c3b2d25151
SHA512

ff9fcc6a7af54ba92b0c7127ebeea2952e0a987120bca3ee49dc0f89ba9fda018d62e57efbe6c437d99911d97249d867e3bbbb8e188420b19fc320f43f1b9ab7
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ly:RWWBibf56utgpPFotBER/mQ32lUm

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000234c7-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cc-9.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cb-17.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-22.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-77.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-71.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-84.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-101.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-111.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234c8-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234db-121.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dc-118.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234da-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-113.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d7-99.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-68.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-65.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-55.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-50.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cf-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-26.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1628-106-0x00007FF7E2040000-0x00007FF7E2391000-memory.dmp	xmrig
behavioral2/memory/5032-108-0x00007FF749160000-0x00007FF7494B1000-memory.dmp	xmrig
behavioral2/memory/4688-127-0x00007FF637140000-0x00007FF637491000-memory.dmp	xmrig
behavioral2/memory/4996-126-0x00007FF7DA880000-0x00007FF7DABD1000-memory.dmp	xmrig
behavioral2/memory/3348-125-0x00007FF71E710000-0x00007FF71EA61000-memory.dmp	xmrig
behavioral2/memory/1724-107-0x00007FF73F110000-0x00007FF73F461000-memory.dmp	xmrig
behavioral2/memory/2328-98-0x00007FF617D10000-0x00007FF618061000-memory.dmp	xmrig
behavioral2/memory/1580-87-0x00007FF779900000-0x00007FF779C51000-memory.dmp	xmrig
behavioral2/memory/3540-78-0x00007FF7EA8F0000-0x00007FF7EAC41000-memory.dmp	xmrig
behavioral2/memory/4724-63-0x00007FF743000000-0x00007FF743351000-memory.dmp	xmrig
behavioral2/memory/4248-56-0x00007FF73B020000-0x00007FF73B371000-memory.dmp	xmrig
behavioral2/memory/4108-133-0x00007FF6D4050000-0x00007FF6D43A1000-memory.dmp	xmrig
behavioral2/memory/1232-130-0x00007FF7F3E50000-0x00007FF7F41A1000-memory.dmp	xmrig
behavioral2/memory/852-134-0x00007FF68AF60000-0x00007FF68B2B1000-memory.dmp	xmrig
behavioral2/memory/640-132-0x00007FF6E99F0000-0x00007FF6E9D41000-memory.dmp	xmrig
behavioral2/memory/3340-129-0x00007FF6310E0000-0x00007FF631431000-memory.dmp	xmrig
behavioral2/memory/3768-128-0x00007FF7FBA90000-0x00007FF7FBDE1000-memory.dmp	xmrig
behavioral2/memory/1416-136-0x00007FF7A66D0000-0x00007FF7A6A21000-memory.dmp	xmrig
behavioral2/memory/2000-145-0x00007FF6EDCF0000-0x00007FF6EE041000-memory.dmp	xmrig
behavioral2/memory/4896-146-0x00007FF7C93A0000-0x00007FF7C96F1000-memory.dmp	xmrig
behavioral2/memory/116-144-0x00007FF792C40000-0x00007FF792F91000-memory.dmp	xmrig
behavioral2/memory/3268-143-0x00007FF686EE0000-0x00007FF687231000-memory.dmp	xmrig
behavioral2/memory/3768-150-0x00007FF7FBA90000-0x00007FF7FBDE1000-memory.dmp	xmrig
behavioral2/memory/3768-151-0x00007FF7FBA90000-0x00007FF7FBDE1000-memory.dmp	xmrig
behavioral2/memory/3340-215-0x00007FF6310E0000-0x00007FF631431000-memory.dmp	xmrig
behavioral2/memory/1232-217-0x00007FF7F3E50000-0x00007FF7F41A1000-memory.dmp	xmrig
behavioral2/memory/4724-220-0x00007FF743000000-0x00007FF743351000-memory.dmp	xmrig
behavioral2/memory/640-221-0x00007FF6E99F0000-0x00007FF6E9D41000-memory.dmp	xmrig
behavioral2/memory/4108-223-0x00007FF6D4050000-0x00007FF6D43A1000-memory.dmp	xmrig
behavioral2/memory/852-228-0x00007FF68AF60000-0x00007FF68B2B1000-memory.dmp	xmrig
behavioral2/memory/3540-229-0x00007FF7EA8F0000-0x00007FF7EAC41000-memory.dmp	xmrig
behavioral2/memory/1580-233-0x00007FF779900000-0x00007FF779C51000-memory.dmp	xmrig
behavioral2/memory/2328-232-0x00007FF617D10000-0x00007FF618061000-memory.dmp	xmrig
behavioral2/memory/4248-226-0x00007FF73B020000-0x00007FF73B371000-memory.dmp	xmrig
behavioral2/memory/5032-239-0x00007FF749160000-0x00007FF7494B1000-memory.dmp	xmrig
behavioral2/memory/1416-246-0x00007FF7A66D0000-0x00007FF7A6A21000-memory.dmp	xmrig
behavioral2/memory/1724-244-0x00007FF73F110000-0x00007FF73F461000-memory.dmp	xmrig
behavioral2/memory/1628-243-0x00007FF7E2040000-0x00007FF7E2391000-memory.dmp	xmrig
behavioral2/memory/3268-241-0x00007FF686EE0000-0x00007FF687231000-memory.dmp	xmrig
behavioral2/memory/3348-255-0x00007FF71E710000-0x00007FF71EA61000-memory.dmp	xmrig
behavioral2/memory/4896-257-0x00007FF7C93A0000-0x00007FF7C96F1000-memory.dmp	xmrig
behavioral2/memory/4996-258-0x00007FF7DA880000-0x00007FF7DABD1000-memory.dmp	xmrig
behavioral2/memory/2000-253-0x00007FF6EDCF0000-0x00007FF6EE041000-memory.dmp	xmrig
behavioral2/memory/4688-249-0x00007FF637140000-0x00007FF637491000-memory.dmp	xmrig
behavioral2/memory/116-251-0x00007FF792C40000-0x00007FF792F91000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3340	JmARDhJ.exe
1232	FxzXJCk.exe
640	hJhJrdV.exe
4724	PlbHpaq.exe
4108	IeKRcTX.exe
852	OoLtemk.exe
3540	VouAoFj.exe
1416	RrGPMhH.exe
4248	wCOwlMp.exe
1580	JtvFJJA.exe
1628	cBgvOAc.exe
2328	ORwjmWc.exe
1724	zxuAFLu.exe
5032	JTZsStH.exe
3268	mkbzVQh.exe
116	xPcqzjj.exe
2000	QhVazsh.exe
4896	NNFZyHe.exe
3348	AqPFusE.exe
4996	aScHJmx.exe
4688	DxMEHhW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3768-0-0x00007FF7FBA90000-0x00007FF7FBDE1000-memory.dmp	upx
behavioral2/files/0x00090000000234c7-5.dat	upx
behavioral2/files/0x00070000000234cc-9.dat	upx
behavioral2/files/0x00070000000234cb-17.dat	upx
behavioral2/files/0x00070000000234ce-22.dat	upx
behavioral2/memory/640-25-0x00007FF6E99F0000-0x00007FF6E9D41000-memory.dmp	upx
behavioral2/files/0x00070000000234d6-77.dat	upx
behavioral2/files/0x00070000000234d1-71.dat	upx
behavioral2/files/0x00070000000234d4-84.dat	upx
behavioral2/files/0x00070000000234d8-101.dat	upx
behavioral2/memory/116-104-0x00007FF792C40000-0x00007FF792F91000-memory.dmp	upx
behavioral2/memory/1628-106-0x00007FF7E2040000-0x00007FF7E2391000-memory.dmp	upx
behavioral2/memory/5032-108-0x00007FF749160000-0x00007FF7494B1000-memory.dmp	upx
behavioral2/files/0x00070000000234dd-111.dat	upx
behavioral2/files/0x00080000000234c8-115.dat	upx
behavioral2/memory/4688-127-0x00007FF637140000-0x00007FF637491000-memory.dmp	upx
behavioral2/memory/4996-126-0x00007FF7DA880000-0x00007FF7DABD1000-memory.dmp	upx
behavioral2/memory/3348-125-0x00007FF71E710000-0x00007FF71EA61000-memory.dmp	upx
behavioral2/files/0x00070000000234db-121.dat	upx
behavioral2/files/0x00070000000234dc-118.dat	upx
behavioral2/files/0x00070000000234da-114.dat	upx
behavioral2/files/0x00070000000234d9-113.dat	upx
behavioral2/memory/2000-109-0x00007FF6EDCF0000-0x00007FF6EE041000-memory.dmp	upx
behavioral2/memory/1724-107-0x00007FF73F110000-0x00007FF73F461000-memory.dmp	upx
behavioral2/memory/4896-105-0x00007FF7C93A0000-0x00007FF7C96F1000-memory.dmp	upx
behavioral2/memory/3268-103-0x00007FF686EE0000-0x00007FF687231000-memory.dmp	upx
behavioral2/files/0x00070000000234d7-99.dat	upx
behavioral2/memory/2328-98-0x00007FF617D10000-0x00007FF618061000-memory.dmp	upx
behavioral2/memory/1580-87-0x00007FF779900000-0x00007FF779C51000-memory.dmp	upx
behavioral2/memory/3540-78-0x00007FF7EA8F0000-0x00007FF7EAC41000-memory.dmp	upx
behavioral2/files/0x00070000000234d3-68.dat	upx
behavioral2/files/0x00070000000234d5-65.dat	upx
behavioral2/memory/4724-63-0x00007FF743000000-0x00007FF743351000-memory.dmp	upx
behavioral2/memory/4248-56-0x00007FF73B020000-0x00007FF73B371000-memory.dmp	upx
behavioral2/files/0x00070000000234d0-55.dat	upx
behavioral2/memory/1416-52-0x00007FF7A66D0000-0x00007FF7A6A21000-memory.dmp	upx
behavioral2/files/0x00070000000234d2-50.dat	upx
behavioral2/files/0x00070000000234cf-47.dat	upx
behavioral2/memory/852-46-0x00007FF68AF60000-0x00007FF68B2B1000-memory.dmp	upx
behavioral2/memory/4108-36-0x00007FF6D4050000-0x00007FF6D43A1000-memory.dmp	upx
behavioral2/files/0x00070000000234cd-26.dat	upx
behavioral2/memory/1232-18-0x00007FF7F3E50000-0x00007FF7F41A1000-memory.dmp	upx
behavioral2/memory/3340-7-0x00007FF6310E0000-0x00007FF631431000-memory.dmp	upx
behavioral2/memory/4108-133-0x00007FF6D4050000-0x00007FF6D43A1000-memory.dmp	upx
behavioral2/memory/1232-130-0x00007FF7F3E50000-0x00007FF7F41A1000-memory.dmp	upx
behavioral2/memory/852-134-0x00007FF68AF60000-0x00007FF68B2B1000-memory.dmp	upx
behavioral2/memory/640-132-0x00007FF6E99F0000-0x00007FF6E9D41000-memory.dmp	upx
behavioral2/memory/3340-129-0x00007FF6310E0000-0x00007FF631431000-memory.dmp	upx
behavioral2/memory/3768-128-0x00007FF7FBA90000-0x00007FF7FBDE1000-memory.dmp	upx
behavioral2/memory/1416-136-0x00007FF7A66D0000-0x00007FF7A6A21000-memory.dmp	upx
behavioral2/memory/2000-145-0x00007FF6EDCF0000-0x00007FF6EE041000-memory.dmp	upx
behavioral2/memory/4896-146-0x00007FF7C93A0000-0x00007FF7C96F1000-memory.dmp	upx
behavioral2/memory/116-144-0x00007FF792C40000-0x00007FF792F91000-memory.dmp	upx
behavioral2/memory/3268-143-0x00007FF686EE0000-0x00007FF687231000-memory.dmp	upx
behavioral2/memory/3768-150-0x00007FF7FBA90000-0x00007FF7FBDE1000-memory.dmp	upx
behavioral2/memory/3768-151-0x00007FF7FBA90000-0x00007FF7FBDE1000-memory.dmp	upx
behavioral2/memory/3340-215-0x00007FF6310E0000-0x00007FF631431000-memory.dmp	upx
behavioral2/memory/1232-217-0x00007FF7F3E50000-0x00007FF7F41A1000-memory.dmp	upx
behavioral2/memory/4724-220-0x00007FF743000000-0x00007FF743351000-memory.dmp	upx
behavioral2/memory/640-221-0x00007FF6E99F0000-0x00007FF6E9D41000-memory.dmp	upx
behavioral2/memory/4108-223-0x00007FF6D4050000-0x00007FF6D43A1000-memory.dmp	upx
behavioral2/memory/852-228-0x00007FF68AF60000-0x00007FF68B2B1000-memory.dmp	upx
behavioral2/memory/3540-229-0x00007FF7EA8F0000-0x00007FF7EAC41000-memory.dmp	upx
behavioral2/memory/1580-233-0x00007FF779900000-0x00007FF779C51000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\VouAoFj.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JtvFJJA.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mkbzVQh.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NNFZyHe.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AqPFusE.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PlbHpaq.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OoLtemk.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cBgvOAc.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zxuAFLu.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QhVazsh.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IeKRcTX.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wCOwlMp.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ORwjmWc.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JTZsStH.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xPcqzjj.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DxMEHhW.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aScHJmx.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JmARDhJ.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hJhJrdV.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FxzXJCk.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RrGPMhH.exe	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 3340	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3768 wrote to memory of 3340	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3768 wrote to memory of 1232	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3768 wrote to memory of 1232	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3768 wrote to memory of 4724	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3768 wrote to memory of 4724	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3768 wrote to memory of 640	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3768 wrote to memory of 640	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3768 wrote to memory of 4108	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3768 wrote to memory of 4108	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3768 wrote to memory of 852	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3768 wrote to memory of 852	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3768 wrote to memory of 3540	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3768 wrote to memory of 3540	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3768 wrote to memory of 1416	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3768 wrote to memory of 1416	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3768 wrote to memory of 4248	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3768 wrote to memory of 4248	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3768 wrote to memory of 1580	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3768 wrote to memory of 1580	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3768 wrote to memory of 1628	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3768 wrote to memory of 1628	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3768 wrote to memory of 2328	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3768 wrote to memory of 2328	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3768 wrote to memory of 1724	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3768 wrote to memory of 1724	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3768 wrote to memory of 5032	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3768 wrote to memory of 5032	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3768 wrote to memory of 3268	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3768 wrote to memory of 3268	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3768 wrote to memory of 116	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3768 wrote to memory of 116	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3768 wrote to memory of 2000	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3768 wrote to memory of 2000	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3768 wrote to memory of 4896	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3768 wrote to memory of 4896	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3768 wrote to memory of 4688	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3768 wrote to memory of 4688	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3768 wrote to memory of 3348	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3768 wrote to memory of 3348	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3768 wrote to memory of 4996	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3768 wrote to memory of 4996	3768	2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_17ddb31575df19633bf62f3ba6ba27c1_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\System\JmARDhJ.exe
  C:\Windows\System\JmARDhJ.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System\FxzXJCk.exe
  C:\Windows\System\FxzXJCk.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System\PlbHpaq.exe
  C:\Windows\System\PlbHpaq.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\hJhJrdV.exe
  C:\Windows\System\hJhJrdV.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System\IeKRcTX.exe
  C:\Windows\System\IeKRcTX.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\OoLtemk.exe
  C:\Windows\System\OoLtemk.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System\VouAoFj.exe
  C:\Windows\System\VouAoFj.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\RrGPMhH.exe
  C:\Windows\System\RrGPMhH.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System\wCOwlMp.exe
  C:\Windows\System\wCOwlMp.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\JtvFJJA.exe
  C:\Windows\System\JtvFJJA.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\cBgvOAc.exe
  C:\Windows\System\cBgvOAc.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\ORwjmWc.exe
  C:\Windows\System\ORwjmWc.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\zxuAFLu.exe
  C:\Windows\System\zxuAFLu.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\JTZsStH.exe
  C:\Windows\System\JTZsStH.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\mkbzVQh.exe
  C:\Windows\System\mkbzVQh.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System\xPcqzjj.exe
  C:\Windows\System\xPcqzjj.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\QhVazsh.exe
  C:\Windows\System\QhVazsh.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\NNFZyHe.exe
  C:\Windows\System\NNFZyHe.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\DxMEHhW.exe
  C:\Windows\System\DxMEHhW.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\AqPFusE.exe
  C:\Windows\System\AqPFusE.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System\aScHJmx.exe
  C:\Windows\System\aScHJmx.exe
  2⤵
  - Executes dropped EXE
  PID:4996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AqPFusE.exe

Filesize
5.2MB

MD5
1a66cacd15026a9b29e1d91f894af2fc

SHA1
4983bd481d927746013f556bb23830eda45ce25e

SHA256
2ad3e7be4a0212d3cffc3fc8142f055d53d2a9fa7a23fe08a658e69c5b052bd7

SHA512
460bd8e444f95b0263120f009f0c4f6178f95077b196411e0e7aec8370517afb7452bb7c92a9d898572353d693dbc84df86f0bb7df67f53184c6d281765747d7

Download Submit
C:\Windows\System\DxMEHhW.exe

Filesize
5.2MB

MD5
3d48a59f5539ae6794969cfd660b2417

SHA1
8a62b283f2fa256d778d4ea1724e030b5ac9a51d

SHA256
91641fbb0a150aaf7dd1c7a02df72c0154831cb836f7e555602d0494a3c1552a

SHA512
53b74cc1968912665f99c38e1d15a0c0451acd44ac7d21959b7b18148d44d5202d676dc940e9736201f6f638fe0cc1b92c71b1e3e33f2f3b3eeba317e862fd02

Download Submit
C:\Windows\System\FxzXJCk.exe

Filesize
5.2MB

MD5
51c21f9b1ba1fe6f2a84a16f22a8fb5d

SHA1
6daa4f23e2160a8698db4f0c79b38c6e05eb12e4

SHA256
b173fb8a7b378912a13d6962b5d1029406f8c4652bf3de7b9131dc57fa7df132

SHA512
fbc6a5054716524141c4d7d2416e8072718bd92c14864731a42863eda5fb4eacec273707a457fa340141b83cd1994b73c8e15535fbc9bf13d5da02145fc3b83d

Download Submit
C:\Windows\System\IeKRcTX.exe

Filesize
5.2MB

MD5
067e135c114e5b8155469dc3e56fe78b

SHA1
3e7cfe1daee6c1ba20d105b3d61ecc4087b8edfc

SHA256
1ab4dd1bd1aacf297d48caa920ca9480997100be196abc3b48ffd47f462da655

SHA512
89d8ef207744d87e84c7fe3a327b58e1104fa59062f27ac839b1966063349ca5629907d742e970d4c060ce90e2ed19a94bc2f1460f1f0d35b1aacbdd40a80a58

Download Submit
C:\Windows\System\JTZsStH.exe

Filesize
5.2MB

MD5
03454c7de79d0e205331ea94df772bda

SHA1
0252d6a41708c137a5e4a54d9337974271d2dd88

SHA256
99d133ac92fd3e32227a352a866fcac052600940bf3adb6879d9989df74bc6c4

SHA512
35061e4982cb9cbdf20789f76a2218478761f105c45707be70a8b85367de55f5f7a015571b7cda9d966944ef502e6b5ed02a8249a418626032787eb1d2f64129

Download Submit
C:\Windows\System\JmARDhJ.exe

Filesize
5.2MB

MD5
fb3da4f0509223a1729e7c5002e3c4fa

SHA1
0cbf3a8448070405a3136998e283f27a8bedfe5a

SHA256
220a9658b556b69ef80ee881da0f0822bb5cfa6cd4a982da3311f067bee88d39

SHA512
16a6284eb05ba73fde492c01a925cdf269735dce6cb32b4bbc8c33e8f4fd968613422a90b133578e5c94a65aa59d4089e3ac1acd0ffa78017835cea17e7b84e8

Download Submit
C:\Windows\System\JtvFJJA.exe

Filesize
5.2MB

MD5
624ee57592ac940a13ea537b5dfa953d

SHA1
a87fa483c3f91388859a85584f4cff7fa9c64717

SHA256
d41d4892ed8c6f85db852e094fa92123b7dba2f69b8a8f292d676b1b3b0aa2f0

SHA512
d498c09766a2fc78fe6b8095a4e2ea8e70c28ee789299345070b727879469e349466c4d8862cd968758d5dec5ff62b9e33383ebb079daaab6f0946d483d66a71

Download Submit
C:\Windows\System\NNFZyHe.exe

Filesize
5.2MB

MD5
0e0fb9947aa18437b244771ed3583446

SHA1
aba982a76570f80533816627be9120713080aab7

SHA256
f56f9134be9459b2953b3e28187d477016b1092db110b8b0709b782dcec1fabb

SHA512
1ec60ec3b850d0d091e59d92043a7474ee530ee60e9ff095f7e9bb0f58bf0bdaa3ef532cd8f88a0972d5145414879586347cf73a2ee2785f3749f8e16dabdb58

Download Submit
C:\Windows\System\ORwjmWc.exe

Filesize
5.2MB

MD5
45c8a6d5a9d66cdf826a4c6fd3dd646f

SHA1
0606756bbb003c8ee825d36bbcef6578c208734d

SHA256
f6534f5fc22db65a3171eea0d42ff77188f14ba4c496eae42061097bb102cad4

SHA512
8e6194c2ca61875bd7cab46711d91795d0ce11c6b92fcc55a8b853fcd4d5cc986b31aec0fd6e6ee0aac44e90e962a1f497b68e407e9b49382c706aa58c8e8a4e

Download Submit
C:\Windows\System\OoLtemk.exe

Filesize
5.2MB

MD5
f8fc95689a33bb43731b6ac09f79ef26

SHA1
d298cb699a7011a4d06608e6dce58a69694a7acd

SHA256
dca7e7caf8e49289886ecc228b8a2242108c857880251dc0d64a55a70c12afb2

SHA512
775f9c81ef71139c8b3768676bc49cfa4d316c441a31dfeb2993ab9fafb2ab086aff84e31f49278625d4b17763af84552dff90d9108f40b458b0f05aaef53afd

Download Submit
C:\Windows\System\PlbHpaq.exe

Filesize
5.2MB

MD5
23166d47347762ec06e9767581497a0c

SHA1
db327bff54845fe1d70b0d09f2a612bc7a7dc89d

SHA256
681007af4905bc701d911055e05dcc19c101b903d4eba7d2e2da37f5e35e073e

SHA512
79c31c4e0eaa6ed42799cbd0c018a4d245880c69abf239085ccb222ca4e4f825029d90077355c02f0aefa8c5a7b4c7f59a5f6bc8e8cdee3742711f595eb54300

Download Submit
C:\Windows\System\QhVazsh.exe

Filesize
5.2MB

MD5
6c926ce4a57fd36018f1d8ff3a0880cb

SHA1
faf0c3e802d13701aeed42965d7db9555cd44940

SHA256
9a4796af8167bf43c710b2e41f7557ac8631fc257f732e245779756f3090ba28

SHA512
fb876b87de55522295a409c6fc58cf4f1822323ecc88c5098c23551a6aacfed635ca1bb62898806097862bca1ddb6aa25a9da5032e5202edd1be67ff9dff1c21

Download Submit
C:\Windows\System\RrGPMhH.exe

Filesize
5.2MB

MD5
9cc62fff52db558f524700c351098365

SHA1
44f94904e157b18f5963dd84e3548a6c0a69d3b9

SHA256
39e3ed0e252ef43379e3efdbb99a25773cb8c6984e579b0923d4429884352d94

SHA512
bda6413c33ecf99eda172c38b8f9c7faf256435f79884ed730f603892ebc0e02ca83f78561b6c22ca02c05257ac9cce5c855dd74ebe21cc7bfbc5cffbc3abc6e

Download Submit
C:\Windows\System\VouAoFj.exe

Filesize
5.2MB

MD5
020693dc02c99137dd2bbaa6188748a8

SHA1
d022e95568f4b5668d0f83223a7c9fbd2148c43d

SHA256
543580de9dcb2724ab7d5405b308e358d72a19f029bd1bfa48f67a4d090249ae

SHA512
cfa984c0df55503b2de9ae2fc64061da27f6a772e5ed53fdbe1c6e19afe224de2153cbe1ed8645b96595f2b14150a5d89508843c81dcac856f59936de9e6a4be

Download Submit
C:\Windows\System\aScHJmx.exe

Filesize
5.2MB

MD5
93d36794cee839090aa0f79933146e9d

SHA1
b393bc2dc8e1dc41d7164c3c0cd0761a5fd7dbce

SHA256
c38db34d1bfca519edc1b4266a0542b48a32662b498c01e4aeeec6ad5c3325c4

SHA512
5efcb7cc47010c68003d37eaed4120725d0eec8f9021272f8a9c66051b0b270aa09715d936d2b2bee309e5327a6d1dfdf9e3dfb19ea924d2be942579165f011b

Download Submit
C:\Windows\System\cBgvOAc.exe

Filesize
5.2MB

MD5
e81c05a85ae5e7369ac4f52c807c2465

SHA1
376f62a2419c4e3846eec9e4974b2ea21cf04cca

SHA256
19f33cc889637d5acf72e593983a82dde86f5857e3fbcd0641fa367f27aecc0c

SHA512
da82b1b5a24a0a0354574c0ee427c2816d25f32ec405043c96dfbcdec7f19091ae3e5c2cfc0f0281b5e259dfc5075a412d73dbe7380d026b2f17149f65e51abb

Download Submit
C:\Windows\System\hJhJrdV.exe

Filesize
5.2MB

MD5
bc4f7e58d844ecd2fddc5d5bca4ccd05

SHA1
8228f5857f8ea81a8bcbd79984ad9ca9e396519f

SHA256
0a3207d1e4111b3b58162b1b32736a81a827d02bb077671d07994d828d5bcd90

SHA512
4e6509d0d72884eafe55c300b185fdee7aa2c10e88537bbd0397e93b24760fbfd247e5c068224892b21461c0839b4758eab00b4087b012728f6d23244a294982

Download Submit
C:\Windows\System\mkbzVQh.exe

Filesize
5.2MB

MD5
c17b22b51942d2b84ff93bd18f81d734

SHA1
a3f4c9cba42b8e3570d4696c2799a9d116d7beda

SHA256
67af90853762019cc69c11c1620f9aced3ef0fde7198d4233bcdcda476affb3f

SHA512
662f457d67862ec567ec074ff831b07c7333d5881e859e4baf215c24dcb91e8f42849f2fb9c3d1cf2e15bde36b9e1e3049d89f9e510c0126ff84cd8cb4a1a5fa

Download Submit
C:\Windows\System\wCOwlMp.exe

Filesize
5.2MB

MD5
9f6e326bf52ae31c46cd67d21cd1c6fb

SHA1
3ae55102bca96d712e338e3c0673c3f8b0ddec2b

SHA256
ceda1eecce749d6b16aa73394eb289a881d103fd279079d907cdf6acdffe4eb2

SHA512
b0970bc7c1da67aa8edabd7c30a7003ef74fd65393fb7b3201f4babbfd5bb91dcf34beb32e0ad43d8eadd289c90e5eb87ceca54e091856d0835374f324bb3cc2

Download Submit
C:\Windows\System\xPcqzjj.exe

Filesize
5.2MB

MD5
fbf4f6cdbdbae4492e361aa14e404555

SHA1
45c572dc7e86bc491a6c991ae9569713aeadc4cf

SHA256
67107d12c6a8d0f4ca6899b009b63348408a6380e0c27495c7bdc35545c6e7e4

SHA512
cb3e8891243b9bde18f3e9fd2b3822dfcd20b8495799d3356ae5949ed01f24143cbb0ee2fdcf0ee0c1b455c738dafcbdc56aa8a16019e45d1e7740a4b1259e5b

Download Submit
C:\Windows\System\zxuAFLu.exe

Filesize
5.2MB

MD5
c98500be242a107535a5e454ed3a6e11

SHA1
26b4592e36952d13623773fbdd41798370f07b6f

SHA256
25385f31f9063c86c0acf87d8259b3d700a3a4fcc826f0c8f91a2b6f2cbf0f07

SHA512
aab99a4c04f8bdcee07f889c0c643761f5de78d751421d55e1fbb7aec064ae3d68be81538a42d6cfb122fefdc85938225945e82d08ad0a98ce64d52b5fa92b56

Download Submit
memory/116-104-0x00007FF792C40000-0x00007FF792F91000-memory.dmp

Filesize
3.3MB

Download
memory/116-251-0x00007FF792C40000-0x00007FF792F91000-memory.dmp

Filesize
3.3MB

Download
memory/116-144-0x00007FF792C40000-0x00007FF792F91000-memory.dmp

Filesize
3.3MB

Download
memory/640-221-0x00007FF6E99F0000-0x00007FF6E9D41000-memory.dmp

Filesize
3.3MB

Download
memory/640-132-0x00007FF6E99F0000-0x00007FF6E9D41000-memory.dmp

Filesize
3.3MB

Download
memory/640-25-0x00007FF6E99F0000-0x00007FF6E9D41000-memory.dmp

Filesize
3.3MB

Download
memory/852-228-0x00007FF68AF60000-0x00007FF68B2B1000-memory.dmp

Filesize
3.3MB

Download
memory/852-46-0x00007FF68AF60000-0x00007FF68B2B1000-memory.dmp

Filesize
3.3MB

Download
memory/852-134-0x00007FF68AF60000-0x00007FF68B2B1000-memory.dmp

Filesize
3.3MB

Download
memory/1232-18-0x00007FF7F3E50000-0x00007FF7F41A1000-memory.dmp

Filesize
3.3MB

Download
memory/1232-130-0x00007FF7F3E50000-0x00007FF7F41A1000-memory.dmp

Filesize
3.3MB

Download
memory/1232-217-0x00007FF7F3E50000-0x00007FF7F41A1000-memory.dmp

Filesize
3.3MB

Download
memory/1416-136-0x00007FF7A66D0000-0x00007FF7A6A21000-memory.dmp

Filesize
3.3MB

Download
memory/1416-246-0x00007FF7A66D0000-0x00007FF7A6A21000-memory.dmp

Filesize
3.3MB

Download
memory/1416-52-0x00007FF7A66D0000-0x00007FF7A6A21000-memory.dmp

Filesize
3.3MB

Download
memory/1580-87-0x00007FF779900000-0x00007FF779C51000-memory.dmp

Filesize
3.3MB

Download
memory/1580-233-0x00007FF779900000-0x00007FF779C51000-memory.dmp

Filesize
3.3MB

Download
memory/1628-243-0x00007FF7E2040000-0x00007FF7E2391000-memory.dmp

Filesize
3.3MB

Download
memory/1628-106-0x00007FF7E2040000-0x00007FF7E2391000-memory.dmp

Filesize
3.3MB

Download
memory/1724-244-0x00007FF73F110000-0x00007FF73F461000-memory.dmp

Filesize
3.3MB

Download
memory/1724-107-0x00007FF73F110000-0x00007FF73F461000-memory.dmp

Filesize
3.3MB

Download
memory/2000-109-0x00007FF6EDCF0000-0x00007FF6EE041000-memory.dmp

Filesize
3.3MB

Download
memory/2000-145-0x00007FF6EDCF0000-0x00007FF6EE041000-memory.dmp

Filesize
3.3MB

Download
memory/2000-253-0x00007FF6EDCF0000-0x00007FF6EE041000-memory.dmp

Filesize
3.3MB

Download
memory/2328-232-0x00007FF617D10000-0x00007FF618061000-memory.dmp

Filesize
3.3MB

Download
memory/2328-98-0x00007FF617D10000-0x00007FF618061000-memory.dmp

Filesize
3.3MB

Download
memory/3268-143-0x00007FF686EE0000-0x00007FF687231000-memory.dmp

Filesize
3.3MB

Download
memory/3268-241-0x00007FF686EE0000-0x00007FF687231000-memory.dmp

Filesize
3.3MB

Download
memory/3268-103-0x00007FF686EE0000-0x00007FF687231000-memory.dmp

Filesize
3.3MB

Download
memory/3340-7-0x00007FF6310E0000-0x00007FF631431000-memory.dmp

Filesize
3.3MB

Download
memory/3340-129-0x00007FF6310E0000-0x00007FF631431000-memory.dmp

Filesize
3.3MB

Download
memory/3340-215-0x00007FF6310E0000-0x00007FF631431000-memory.dmp

Filesize
3.3MB

Download
memory/3348-125-0x00007FF71E710000-0x00007FF71EA61000-memory.dmp

Filesize
3.3MB

Download
memory/3348-255-0x00007FF71E710000-0x00007FF71EA61000-memory.dmp

Filesize
3.3MB

Download
memory/3540-78-0x00007FF7EA8F0000-0x00007FF7EAC41000-memory.dmp

Filesize
3.3MB

Download
memory/3540-229-0x00007FF7EA8F0000-0x00007FF7EAC41000-memory.dmp

Filesize
3.3MB

Download
memory/3768-1-0x0000025C3BB30000-0x0000025C3BB40000-memory.dmp

Filesize
64KB

Download
memory/3768-150-0x00007FF7FBA90000-0x00007FF7FBDE1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-151-0x00007FF7FBA90000-0x00007FF7FBDE1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-0-0x00007FF7FBA90000-0x00007FF7FBDE1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-128-0x00007FF7FBA90000-0x00007FF7FBDE1000-memory.dmp

Filesize
3.3MB

Download
memory/4108-223-0x00007FF6D4050000-0x00007FF6D43A1000-memory.dmp

Filesize
3.3MB

Download
memory/4108-133-0x00007FF6D4050000-0x00007FF6D43A1000-memory.dmp

Filesize
3.3MB

Download
memory/4108-36-0x00007FF6D4050000-0x00007FF6D43A1000-memory.dmp

Filesize
3.3MB

Download
memory/4248-226-0x00007FF73B020000-0x00007FF73B371000-memory.dmp

Filesize
3.3MB

Download
memory/4248-56-0x00007FF73B020000-0x00007FF73B371000-memory.dmp

Filesize
3.3MB

Download
memory/4688-127-0x00007FF637140000-0x00007FF637491000-memory.dmp

Filesize
3.3MB

Download
memory/4688-249-0x00007FF637140000-0x00007FF637491000-memory.dmp

Filesize
3.3MB

Download
memory/4724-63-0x00007FF743000000-0x00007FF743351000-memory.dmp

Filesize
3.3MB

Download
memory/4724-220-0x00007FF743000000-0x00007FF743351000-memory.dmp

Filesize
3.3MB

Download
memory/4896-105-0x00007FF7C93A0000-0x00007FF7C96F1000-memory.dmp

Filesize
3.3MB

Download
memory/4896-257-0x00007FF7C93A0000-0x00007FF7C96F1000-memory.dmp

Filesize
3.3MB

Download
memory/4896-146-0x00007FF7C93A0000-0x00007FF7C96F1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-258-0x00007FF7DA880000-0x00007FF7DABD1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-126-0x00007FF7DA880000-0x00007FF7DABD1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-239-0x00007FF749160000-0x00007FF7494B1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-108-0x00007FF749160000-0x00007FF7494B1000-memory.dmp

Filesize
3.3MB

Download