cobaltstrike | 8cddde4d830aaefb56bcab67aabf1f3879cfe8e6a90cd06396929a9dceddb83d

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

095a2ddda2f001900c22a50e695fb267
SHA1

5cd8bea21ee12887f23674870104430f022e288c
SHA256

8cddde4d830aaefb56bcab67aabf1f3879cfe8e6a90cd06396929a9dceddb83d
SHA512

d06f382a4c0b7e2751df88806c4e8f091a7b960a8187932ae1cc5559c2d5bf03d00372f755d05f16c77e8958e457b3aa985b19a063b66c1ca775c3bbedbd5c3c
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lY:RWWBibf56utgpPFotBER/mQ32lU0

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023479-4.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347e-14.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347d-15.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347f-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023484-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023485-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023487-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023488-90.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348d-99.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348f-114.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002347a-118.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348e-120.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348b-112.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348a-110.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348c-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023489-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023486-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023483-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023481-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023482-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023480-31.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/404-126-0x00007FF645E10000-0x00007FF646161000-memory.dmp	xmrig
behavioral2/memory/2440-125-0x00007FF6B3EA0000-0x00007FF6B41F1000-memory.dmp	xmrig
behavioral2/memory/3564-124-0x00007FF609FF0000-0x00007FF60A341000-memory.dmp	xmrig
behavioral2/memory/2912-117-0x00007FF64B010000-0x00007FF64B361000-memory.dmp	xmrig
behavioral2/memory/4436-116-0x00007FF79BF70000-0x00007FF79C2C1000-memory.dmp	xmrig
behavioral2/memory/3048-73-0x00007FF7B8810000-0x00007FF7B8B61000-memory.dmp	xmrig
behavioral2/memory/3152-64-0x00007FF6744E0000-0x00007FF674831000-memory.dmp	xmrig
behavioral2/memory/3544-35-0x00007FF767450000-0x00007FF7677A1000-memory.dmp	xmrig
behavioral2/memory/2376-22-0x00007FF62A110000-0x00007FF62A461000-memory.dmp	xmrig
behavioral2/memory/3544-133-0x00007FF767450000-0x00007FF7677A1000-memory.dmp	xmrig
behavioral2/memory/3760-132-0x00007FF6FBE10000-0x00007FF6FC161000-memory.dmp	xmrig
behavioral2/memory/4384-130-0x00007FF6DB2F0000-0x00007FF6DB641000-memory.dmp	xmrig
behavioral2/memory/3536-129-0x00007FF62C350000-0x00007FF62C6A1000-memory.dmp	xmrig
behavioral2/memory/1640-128-0x00007FF67B280000-0x00007FF67B5D1000-memory.dmp	xmrig
behavioral2/memory/3164-135-0x00007FF6FAE30000-0x00007FF6FB181000-memory.dmp	xmrig
behavioral2/memory/4092-141-0x00007FF6D3790000-0x00007FF6D3AE1000-memory.dmp	xmrig
behavioral2/memory/3564-143-0x00007FF609FF0000-0x00007FF60A341000-memory.dmp	xmrig
behavioral2/memory/868-149-0x00007FF6B5520000-0x00007FF6B5871000-memory.dmp	xmrig
behavioral2/memory/1640-150-0x00007FF67B280000-0x00007FF67B5D1000-memory.dmp	xmrig
behavioral2/memory/4428-147-0x00007FF64A600000-0x00007FF64A951000-memory.dmp	xmrig
behavioral2/memory/4992-144-0x00007FF7D25F0000-0x00007FF7D2941000-memory.dmp	xmrig
behavioral2/memory/1840-142-0x00007FF6311C0000-0x00007FF631511000-memory.dmp	xmrig
behavioral2/memory/3040-138-0x00007FF7448A0000-0x00007FF744BF1000-memory.dmp	xmrig
behavioral2/memory/5016-145-0x00007FF6AFC00000-0x00007FF6AFF51000-memory.dmp	xmrig
behavioral2/memory/1108-137-0x00007FF7CA630000-0x00007FF7CA981000-memory.dmp	xmrig
behavioral2/memory/1640-151-0x00007FF67B280000-0x00007FF67B5D1000-memory.dmp	xmrig
behavioral2/memory/3536-215-0x00007FF62C350000-0x00007FF62C6A1000-memory.dmp	xmrig
behavioral2/memory/4384-217-0x00007FF6DB2F0000-0x00007FF6DB641000-memory.dmp	xmrig
behavioral2/memory/2376-219-0x00007FF62A110000-0x00007FF62A461000-memory.dmp	xmrig
behavioral2/memory/3760-221-0x00007FF6FBE10000-0x00007FF6FC161000-memory.dmp	xmrig
behavioral2/memory/3544-223-0x00007FF767450000-0x00007FF7677A1000-memory.dmp	xmrig
behavioral2/memory/3164-225-0x00007FF6FAE30000-0x00007FF6FB181000-memory.dmp	xmrig
behavioral2/memory/3048-227-0x00007FF7B8810000-0x00007FF7B8B61000-memory.dmp	xmrig
behavioral2/memory/3152-229-0x00007FF6744E0000-0x00007FF674831000-memory.dmp	xmrig
behavioral2/memory/4436-232-0x00007FF79BF70000-0x00007FF79C2C1000-memory.dmp	xmrig
behavioral2/memory/1108-233-0x00007FF7CA630000-0x00007FF7CA981000-memory.dmp	xmrig
behavioral2/memory/2912-235-0x00007FF64B010000-0x00007FF64B361000-memory.dmp	xmrig
behavioral2/memory/3040-237-0x00007FF7448A0000-0x00007FF744BF1000-memory.dmp	xmrig
behavioral2/memory/4092-244-0x00007FF6D3790000-0x00007FF6D3AE1000-memory.dmp	xmrig
behavioral2/memory/5016-246-0x00007FF6AFC00000-0x00007FF6AFF51000-memory.dmp	xmrig
behavioral2/memory/1840-243-0x00007FF6311C0000-0x00007FF631511000-memory.dmp	xmrig
behavioral2/memory/404-249-0x00007FF645E10000-0x00007FF646161000-memory.dmp	xmrig
behavioral2/memory/4428-253-0x00007FF64A600000-0x00007FF64A951000-memory.dmp	xmrig
behavioral2/memory/2440-256-0x00007FF6B3EA0000-0x00007FF6B41F1000-memory.dmp	xmrig
behavioral2/memory/868-250-0x00007FF6B5520000-0x00007FF6B5871000-memory.dmp	xmrig
behavioral2/memory/4992-255-0x00007FF7D25F0000-0x00007FF7D2941000-memory.dmp	xmrig
behavioral2/memory/3564-259-0x00007FF609FF0000-0x00007FF60A341000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3536	ePonnbs.exe
4384	pxSOtKv.exe
2376	gjpmxQs.exe
3760	MHUhYvL.exe
3544	RsSdKHu.exe
3152	JTlPRVK.exe
3164	OiXonEN.exe
3048	neBUlqj.exe
1108	LSiygKI.exe
3040	bTRzOLo.exe
4436	GSsmfrt.exe
2912	VyGecTq.exe
4092	zGOerWl.exe
1840	sHefPWl.exe
3564	lhkTmyR.exe
4992	ggIdJcm.exe
5016	zZnzvvO.exe
2440	JxOuumW.exe
4428	AGBngRB.exe
404	efwZLpX.exe
868	EKJKlGs.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1640-0-0x00007FF67B280000-0x00007FF67B5D1000-memory.dmp	upx
behavioral2/files/0x0008000000023479-4.dat	upx
behavioral2/memory/3536-7-0x00007FF62C350000-0x00007FF62C6A1000-memory.dmp	upx
behavioral2/files/0x000700000002347e-14.dat	upx
behavioral2/files/0x000700000002347d-15.dat	upx
behavioral2/files/0x000700000002347f-26.dat	upx
behavioral2/files/0x0007000000023484-47.dat	upx
behavioral2/files/0x0007000000023485-55.dat	upx
behavioral2/files/0x0007000000023487-70.dat	upx
behavioral2/files/0x0007000000023488-90.dat	upx
behavioral2/files/0x000700000002348d-99.dat	upx
behavioral2/files/0x000700000002348f-114.dat	upx
behavioral2/files/0x000800000002347a-118.dat	upx
behavioral2/memory/404-126-0x00007FF645E10000-0x00007FF646161000-memory.dmp	upx
behavioral2/memory/2440-125-0x00007FF6B3EA0000-0x00007FF6B41F1000-memory.dmp	upx
behavioral2/memory/3564-124-0x00007FF609FF0000-0x00007FF60A341000-memory.dmp	upx
behavioral2/files/0x000700000002348e-120.dat	upx
behavioral2/memory/2912-117-0x00007FF64B010000-0x00007FF64B361000-memory.dmp	upx
behavioral2/memory/4436-116-0x00007FF79BF70000-0x00007FF79C2C1000-memory.dmp	upx
behavioral2/memory/868-115-0x00007FF6B5520000-0x00007FF6B5871000-memory.dmp	upx
behavioral2/files/0x000700000002348b-112.dat	upx
behavioral2/files/0x000700000002348a-110.dat	upx
behavioral2/memory/4428-106-0x00007FF64A600000-0x00007FF64A951000-memory.dmp	upx
behavioral2/memory/5016-105-0x00007FF6AFC00000-0x00007FF6AFF51000-memory.dmp	upx
behavioral2/files/0x000700000002348c-103.dat	upx
behavioral2/memory/4992-98-0x00007FF7D25F0000-0x00007FF7D2941000-memory.dmp	upx
behavioral2/files/0x0007000000023489-93.dat	upx
behavioral2/memory/4092-83-0x00007FF6D3790000-0x00007FF6D3AE1000-memory.dmp	upx
behavioral2/memory/1840-86-0x00007FF6311C0000-0x00007FF631511000-memory.dmp	upx
behavioral2/memory/3040-74-0x00007FF7448A0000-0x00007FF744BF1000-memory.dmp	upx
behavioral2/memory/3048-73-0x00007FF7B8810000-0x00007FF7B8B61000-memory.dmp	upx
behavioral2/memory/3152-64-0x00007FF6744E0000-0x00007FF674831000-memory.dmp	upx
behavioral2/files/0x0007000000023486-63.dat	upx
behavioral2/memory/1108-58-0x00007FF7CA630000-0x00007FF7CA981000-memory.dmp	upx
behavioral2/memory/3164-51-0x00007FF6FAE30000-0x00007FF6FB181000-memory.dmp	upx
behavioral2/files/0x0007000000023483-50.dat	upx
behavioral2/files/0x0007000000023481-44.dat	upx
behavioral2/files/0x0007000000023482-39.dat	upx
behavioral2/memory/3544-35-0x00007FF767450000-0x00007FF7677A1000-memory.dmp	upx
behavioral2/memory/3760-32-0x00007FF6FBE10000-0x00007FF6FC161000-memory.dmp	upx
behavioral2/files/0x0007000000023480-31.dat	upx
behavioral2/memory/2376-22-0x00007FF62A110000-0x00007FF62A461000-memory.dmp	upx
behavioral2/memory/4384-19-0x00007FF6DB2F0000-0x00007FF6DB641000-memory.dmp	upx
behavioral2/memory/3544-133-0x00007FF767450000-0x00007FF7677A1000-memory.dmp	upx
behavioral2/memory/3760-132-0x00007FF6FBE10000-0x00007FF6FC161000-memory.dmp	upx
behavioral2/memory/4384-130-0x00007FF6DB2F0000-0x00007FF6DB641000-memory.dmp	upx
behavioral2/memory/3536-129-0x00007FF62C350000-0x00007FF62C6A1000-memory.dmp	upx
behavioral2/memory/1640-128-0x00007FF67B280000-0x00007FF67B5D1000-memory.dmp	upx
behavioral2/memory/3164-135-0x00007FF6FAE30000-0x00007FF6FB181000-memory.dmp	upx
behavioral2/memory/4092-141-0x00007FF6D3790000-0x00007FF6D3AE1000-memory.dmp	upx
behavioral2/memory/3564-143-0x00007FF609FF0000-0x00007FF60A341000-memory.dmp	upx
behavioral2/memory/868-149-0x00007FF6B5520000-0x00007FF6B5871000-memory.dmp	upx
behavioral2/memory/1640-150-0x00007FF67B280000-0x00007FF67B5D1000-memory.dmp	upx
behavioral2/memory/4428-147-0x00007FF64A600000-0x00007FF64A951000-memory.dmp	upx
behavioral2/memory/4992-144-0x00007FF7D25F0000-0x00007FF7D2941000-memory.dmp	upx
behavioral2/memory/1840-142-0x00007FF6311C0000-0x00007FF631511000-memory.dmp	upx
behavioral2/memory/3040-138-0x00007FF7448A0000-0x00007FF744BF1000-memory.dmp	upx
behavioral2/memory/5016-145-0x00007FF6AFC00000-0x00007FF6AFF51000-memory.dmp	upx
behavioral2/memory/1108-137-0x00007FF7CA630000-0x00007FF7CA981000-memory.dmp	upx
behavioral2/memory/1640-151-0x00007FF67B280000-0x00007FF67B5D1000-memory.dmp	upx
behavioral2/memory/3536-215-0x00007FF62C350000-0x00007FF62C6A1000-memory.dmp	upx
behavioral2/memory/4384-217-0x00007FF6DB2F0000-0x00007FF6DB641000-memory.dmp	upx
behavioral2/memory/2376-219-0x00007FF62A110000-0x00007FF62A461000-memory.dmp	upx
behavioral2/memory/3760-221-0x00007FF6FBE10000-0x00007FF6FC161000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ePonnbs.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MHUhYvL.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VyGecTq.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zGOerWl.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sHefPWl.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JTlPRVK.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OiXonEN.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JxOuumW.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AGBngRB.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\efwZLpX.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EKJKlGs.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pxSOtKv.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RsSdKHu.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\neBUlqj.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lhkTmyR.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ggIdJcm.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zZnzvvO.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gjpmxQs.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LSiygKI.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bTRzOLo.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GSsmfrt.exe	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 3536	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1640 wrote to memory of 3536	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1640 wrote to memory of 4384	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1640 wrote to memory of 4384	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1640 wrote to memory of 2376	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1640 wrote to memory of 2376	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1640 wrote to memory of 3760	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1640 wrote to memory of 3760	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1640 wrote to memory of 3544	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1640 wrote to memory of 3544	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1640 wrote to memory of 3152	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1640 wrote to memory of 3152	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1640 wrote to memory of 3164	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1640 wrote to memory of 3164	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1640 wrote to memory of 3048	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1640 wrote to memory of 3048	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1640 wrote to memory of 1108	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1640 wrote to memory of 1108	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1640 wrote to memory of 3040	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1640 wrote to memory of 3040	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1640 wrote to memory of 4436	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1640 wrote to memory of 4436	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1640 wrote to memory of 2912	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1640 wrote to memory of 2912	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1640 wrote to memory of 4092	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1640 wrote to memory of 4092	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1640 wrote to memory of 1840	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1640 wrote to memory of 1840	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1640 wrote to memory of 3564	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1640 wrote to memory of 3564	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1640 wrote to memory of 4992	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1640 wrote to memory of 4992	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1640 wrote to memory of 5016	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1640 wrote to memory of 5016	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1640 wrote to memory of 2440	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1640 wrote to memory of 2440	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1640 wrote to memory of 4428	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1640 wrote to memory of 4428	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1640 wrote to memory of 404	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1640 wrote to memory of 404	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1640 wrote to memory of 868	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1640 wrote to memory of 868	1640	2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_095a2ddda2f001900c22a50e695fb267_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\System\ePonnbs.exe
  C:\Windows\System\ePonnbs.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\pxSOtKv.exe
  C:\Windows\System\pxSOtKv.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\gjpmxQs.exe
  C:\Windows\System\gjpmxQs.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\MHUhYvL.exe
  C:\Windows\System\MHUhYvL.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System\RsSdKHu.exe
  C:\Windows\System\RsSdKHu.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System\JTlPRVK.exe
  C:\Windows\System\JTlPRVK.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\OiXonEN.exe
  C:\Windows\System\OiXonEN.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\neBUlqj.exe
  C:\Windows\System\neBUlqj.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\LSiygKI.exe
  C:\Windows\System\LSiygKI.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\bTRzOLo.exe
  C:\Windows\System\bTRzOLo.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\GSsmfrt.exe
  C:\Windows\System\GSsmfrt.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System\VyGecTq.exe
  C:\Windows\System\VyGecTq.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\zGOerWl.exe
  C:\Windows\System\zGOerWl.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System\sHefPWl.exe
  C:\Windows\System\sHefPWl.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System\lhkTmyR.exe
  C:\Windows\System\lhkTmyR.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\ggIdJcm.exe
  C:\Windows\System\ggIdJcm.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\zZnzvvO.exe
  C:\Windows\System\zZnzvvO.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\JxOuumW.exe
  C:\Windows\System\JxOuumW.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\AGBngRB.exe
  C:\Windows\System\AGBngRB.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\efwZLpX.exe
  C:\Windows\System\efwZLpX.exe
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\System\EKJKlGs.exe
  C:\Windows\System\EKJKlGs.exe
  2⤵
  - Executes dropped EXE
  PID:868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AGBngRB.exe

Filesize
5.2MB

MD5
2ad2d05ce5eca47ce4732e276a8b8a5e

SHA1
ad685132efa0d6fe3548e4f6a3a2dacba63d5816

SHA256
5f788264f4ef218fb28943e9af123cf25f49f325ebca4db41fd6249e03f231a5

SHA512
eb68a13a23811fde706e1435a914fe28cfc7134b0650d3ce37e917b322517a9ff20a06b2f39de7570b2dceeade69e6ad268d6d7d8eba222315ddc86be7605e18

Download Submit
C:\Windows\System\EKJKlGs.exe

Filesize
5.2MB

MD5
6390da5392da6da3c8a2e514efe6da7d

SHA1
e55f0aba15e52d90b553d0bccdc36a18f5eaf350

SHA256
cb05d5f666ce3764c7126e6e9c71c15cd79e58572635ff75bb6f257be0bd49f8

SHA512
a5d60b88d88442153a10e41fdc009985563a823b671d8937fa326f5317dba0a4c908b1e5092ccd24f07f9939306d5069677f5018222d4cad25fa1611ecd91d92

Download Submit
C:\Windows\System\GSsmfrt.exe

Filesize
5.2MB

MD5
ab74bf609b21d02cd8fcfb10b5397cf3

SHA1
cdbe05900c72b8d1d0004db14a556fba4b31d028

SHA256
29a0a38ca4311d527491e43173ac70c305f8f8cd80fb56d36463d9e7b910e89e

SHA512
778a37aa48bd07c877f429ae0d6597ff78f23062be36631e767385b34b56c61b63551644597806ca328eca072777b3eeebaf8720b10e21dfabdce9f2404b6e16

Download Submit
C:\Windows\System\JTlPRVK.exe

Filesize
5.2MB

MD5
2c7cbfe37bce720ffab63d7bc06e57d0

SHA1
0b693fbc8a8e951298a92a28f565d871f78e27ab

SHA256
a4499f6a8d9e9e76e4ec108dc88650b4ecc67fdcdbc831dab278f1932fec187d

SHA512
4ebcd52b646aa4e3e3c056258241b9369cbc417135071974c968f93c7cecfa63f815206de5b0632373cd6ef0a1477b58ce499075360f3c13eefc481485bd061b

Download Submit
C:\Windows\System\JxOuumW.exe

Filesize
5.2MB

MD5
cf089caeaabb77572895da08337143c3

SHA1
864e19fa62f835a4da649387ccf7a98d5c74e847

SHA256
eeb8ed9b583cee88be0f187bbf5c6dbbacf93d254eb3625bab94f0790cac9b76

SHA512
a1707a0534fba6645996c138e370d31716b4262dcc598ec7c78819fbe64b598ecae12c5d97865f03a9e37c29e108e7b2dfac4590e26b4cbb9b9cf5b04ba10d69

Download Submit
C:\Windows\System\LSiygKI.exe

Filesize
5.2MB

MD5
f44a4933c253e8afbed5d29e8f23d551

SHA1
47289267307f639dfd6ade871255eabe1d04ddbd

SHA256
454379a4b94b3136e691d0832b270ff67f3ee0f1f2a601ef0ba64e1da269b815

SHA512
e47661a0db0141c555e4c607f7bf99adafe369e1165b0caea4cd555544ae88b2184c50910428d98f7dc647b40d471d4d3fe84db9a08312ad348d45f2a64847ff

Download Submit
C:\Windows\System\MHUhYvL.exe

Filesize
5.2MB

MD5
ff689de94bcca692866c5c9176aaa45a

SHA1
05578ce23c38db5f61d486fd46b5a16414b2dc61

SHA256
d2bddd7e366676da00aacc271af7eff73f7e6ec44eba03b18b1b17502ad421a5

SHA512
86165e78e2156d9cf24ae9b4cec983bd574ece45c73d272e6600932d0ed9fb1ce6a3b168c153a8f3521986604e4308e3d47f51c614148e691fdd240bce12517b

Download Submit
C:\Windows\System\OiXonEN.exe

Filesize
5.2MB

MD5
5799fb669e86ed483848ddefe52519c6

SHA1
2cafba3fae3488332d7d6f04601adc7c5da70454

SHA256
daa0e37493e5e024f4ed71b8450bd6d4eb5f661a12b9611881e86a828b340011

SHA512
0a1d7fa11e7219d5970f02c88ce610ed93d2a2751f47cfe12294e84e55f67490abff30e706789571c5a581426433553dac806a15e48f275d5b3354c737b6ed3f

Download Submit
C:\Windows\System\RsSdKHu.exe

Filesize
5.2MB

MD5
41a9a6f3e5c2bf36487bfd266f991920

SHA1
281bbf0e2e8892bfca2c1c3d20c3cec3daeb4f0e

SHA256
8fc5dd05727f757c956438aac1e858452ac146e47cc59082f61379d10cd9692d

SHA512
1ec0b24897ddaf617fdcafc41e68fb9e8e58ae40d5f064656b00eef5b973c3631a23bde3293d09571b1d1d81c557f34033654448f23ffba45ca32c11dba4e7cb

Download Submit
C:\Windows\System\VyGecTq.exe

Filesize
5.2MB

MD5
8f11b15f4f2509804880275089109c30

SHA1
7991a932deb74301bbeb1de8699d7127456a8c85

SHA256
b9c00e1d98df9b0d89e01f125f7dca1c939aed3709a342ee577fa04504911a1b

SHA512
776364bc640a1181ba1ae689b655fb09e2b7629e8189543a2d64e7a29b51694761e0ed115a286ebde3b7c166eaca5ddc99194214c251bf8932ec1fbdb79558f4

Download Submit
C:\Windows\System\bTRzOLo.exe

Filesize
5.2MB

MD5
979a7851f13b89c5a4bc3ad5137231f6

SHA1
83294376b29e4ad057d8c490ac6dbf1ecd8dcc28

SHA256
3c67a1362b4b5e9c8f60aa4e7909c58d007b114402bb5faebe46c12b040288da

SHA512
cefb6be5aceed6a9f6f58af055dc7ed1380aa8f2c99cfaa028f19bbe068bc859f0a82becc3451c6f0330e04785b4ac284938d1a3d12b79696d42f9619abc927f

Download Submit
C:\Windows\System\ePonnbs.exe

Filesize
5.2MB

MD5
a35cd53754b6b93a03ee9ab49ac17993

SHA1
89c2aaf5e3a58368fc21de3a823aa1b3821ce0bb

SHA256
9d4b7c734dfffccc15adffa94ec0cecef11066faa1bf66bd38b89e0383ae6661

SHA512
dd018261a9e2459126c4edbe7247fb3308429421f90d1d2c44918896262976deec7c183dd44797c159508dd053015fd1d7547b5f183a9e67ec6db719636e75c1

Download Submit
C:\Windows\System\efwZLpX.exe

Filesize
5.2MB

MD5
5142024d31002414870f1423c94f1a4e

SHA1
46ed80df3bf8fd761435008cb8198766bbabe18b

SHA256
d647c0b2b914151a9d2bef6a1fe4eb18d79db3c2339001d7b77dc9f3e037df7c

SHA512
fee341e43bd409bc20f501bfe71075ee9347df25b93084766657285f28adde243612b99335c7fcd58d4240b112a815ffb17ac5716df570fd60d5d8932b79ae2b

Download Submit
C:\Windows\System\ggIdJcm.exe

Filesize
5.2MB

MD5
dcc46d59d8e49824951b5cc45a97711a

SHA1
29e198f106f1b93f16f351cf1ebf860576764deb

SHA256
8ef53ecadc81ab4c684ea0f6fd69945628b69561833b0137f4b259012515f958

SHA512
d0d8b80154cad0b9949216527dcfbab1e5d79bb1a00955140fa5898870065f2163a07d6aa0492c73b995fc07bc1dafb167ee77e5a336ea8868f7a1d653e74207

Download Submit
C:\Windows\System\gjpmxQs.exe

Filesize
5.2MB

MD5
0b8db1dd6f06c240bb479f111a0b1dee

SHA1
8a80f6e1d3d3d8af2f7f909412b8225327968fb8

SHA256
076f7b356e0b1febb8a7c78c2b44d13d6e4ff3f8b47f5f7116af54a208bf0447

SHA512
5470aebee6a6039af93c420ca94919b0b435d8701cceb0f94be5f7fedf2568001bd3ce1bfb08e029af961e871bda8d8e9aafa8ce29d43be80cbc46b0567e6c32

Download Submit
C:\Windows\System\lhkTmyR.exe

Filesize
5.2MB

MD5
2b7f1dd8dfcc040f25ed69314dd58f0e

SHA1
d127602a2bb398ad7f4550571f0d182a425010ed

SHA256
ef8155f83c321c5a098a903c780c975dfefab79aa7df269f7ea2c638aa206d2a

SHA512
77c8b51019dfbb5a7e8d9da404efc8e4593fce3f0d6559f1ee98921136d0a78286deb09d54710598239e0d3200c816813a6cf659b22e7df06e6b6aec516f1193

Download Submit
C:\Windows\System\neBUlqj.exe

Filesize
5.2MB

MD5
3bebafa2bf67c0bd904b254c0b87f888

SHA1
158a074dd79247c219a40d16634404da4a28c020

SHA256
0b7407be69ad16d1098a92831b2228f4488bec0ab73ae04eeff15f19f906fa68

SHA512
1da47e57073bb02033343f06e2ed037abdf320b884c93ceae3890ea66f09970f3c939e0af2fd1de42e7e15c69ef87510f616c9c1a82c8e6d5b5e26723b635402

Download Submit
C:\Windows\System\pxSOtKv.exe

Filesize
5.2MB

MD5
3dba4f1f72e92842891c57ab1bc4edfe

SHA1
134b5e25daf47a61ea75036540e0fd103e0df220

SHA256
0f214883779dcbc60e02808f9faf25971354290a3a392649d079d33b761b6103

SHA512
1b30571e3d45b815fe1c0f58fccb3ab6193ba57bb7168d4f4b9b2061f8076456d0464f8676d7bb9de67ea33f82eb548ca88cd7ecc633861834d4438d5e92f433

Download Submit
C:\Windows\System\sHefPWl.exe

Filesize
5.2MB

MD5
de5eecab51bd9209052e55a0b0d9cf6a

SHA1
8036c6e33c807b0ba52e919c313e423657f0795e

SHA256
58baae171c7f07e3405b435f9b2c8a0e91115e288b4230d67a6035b2b0346323

SHA512
f4f9943a58ea60a55e9b63bb0670fb47ca6ecaf0d89141516127ed45fbdcf1926ccd9d2a4d399ca73e1a33957b2f0ae32cb016caa8becf28ad0a56c5ca027bec

Download Submit
C:\Windows\System\zGOerWl.exe

Filesize
5.2MB

MD5
7648f960db6378be0ad68004351efd37

SHA1
91c55eff3f6addce98325d94886866a5fb63e141

SHA256
5990c266487e399aa93a2676b49ba0da3ad9c44ef081b9a523d56244d0ad3207

SHA512
6204f2ba345144f446c55db12b7d0521b31d21fb897c94002983ae8a46012415c419aaa3458c819cb54080d0f72cfa5da59ec63997795c92a1857a6863fcfd0f

Download Submit
C:\Windows\System\zZnzvvO.exe

Filesize
5.2MB

MD5
a438fa58c7d2f4c3c7f47f4eb8b7d7fd

SHA1
8b86d1d898dfcbf8332893fb5cce55a193ee2b8a

SHA256
68d2c11b1d4007e7baaa35c83eb868ce00272e6f843cd2ab88ed8d932cb1f717

SHA512
10f3e704bc8feae1e2b5261bfa8bb68a23701ee01889eed0c8b2fcd24e9dcbec1733d7af82e5bdabc627355449dee06e530eb47c8346e5c3d0cc91f374e45009

Download Submit
memory/404-249-0x00007FF645E10000-0x00007FF646161000-memory.dmp

Filesize
3.3MB

Download
memory/404-126-0x00007FF645E10000-0x00007FF646161000-memory.dmp

Filesize
3.3MB

Download
memory/868-115-0x00007FF6B5520000-0x00007FF6B5871000-memory.dmp

Filesize
3.3MB

Download
memory/868-250-0x00007FF6B5520000-0x00007FF6B5871000-memory.dmp

Filesize
3.3MB

Download
memory/868-149-0x00007FF6B5520000-0x00007FF6B5871000-memory.dmp

Filesize
3.3MB

Download
memory/1108-137-0x00007FF7CA630000-0x00007FF7CA981000-memory.dmp

Filesize
3.3MB

Download
memory/1108-233-0x00007FF7CA630000-0x00007FF7CA981000-memory.dmp

Filesize
3.3MB

Download
memory/1108-58-0x00007FF7CA630000-0x00007FF7CA981000-memory.dmp

Filesize
3.3MB

Download
memory/1640-151-0x00007FF67B280000-0x00007FF67B5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-150-0x00007FF67B280000-0x00007FF67B5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-1-0x00000281ACDE0000-0x00000281ACDF0000-memory.dmp

Filesize
64KB

Download
memory/1640-128-0x00007FF67B280000-0x00007FF67B5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-0-0x00007FF67B280000-0x00007FF67B5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1840-86-0x00007FF6311C0000-0x00007FF631511000-memory.dmp

Filesize
3.3MB

Download
memory/1840-243-0x00007FF6311C0000-0x00007FF631511000-memory.dmp

Filesize
3.3MB

Download
memory/1840-142-0x00007FF6311C0000-0x00007FF631511000-memory.dmp

Filesize
3.3MB

Download
memory/2376-219-0x00007FF62A110000-0x00007FF62A461000-memory.dmp

Filesize
3.3MB

Download
memory/2376-22-0x00007FF62A110000-0x00007FF62A461000-memory.dmp

Filesize
3.3MB

Download
memory/2440-256-0x00007FF6B3EA0000-0x00007FF6B41F1000-memory.dmp

Filesize
3.3MB

Download
memory/2440-125-0x00007FF6B3EA0000-0x00007FF6B41F1000-memory.dmp

Filesize
3.3MB

Download
memory/2912-235-0x00007FF64B010000-0x00007FF64B361000-memory.dmp

Filesize
3.3MB

Download
memory/2912-117-0x00007FF64B010000-0x00007FF64B361000-memory.dmp

Filesize
3.3MB

Download
memory/3040-74-0x00007FF7448A0000-0x00007FF744BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-138-0x00007FF7448A0000-0x00007FF744BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-237-0x00007FF7448A0000-0x00007FF744BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3048-227-0x00007FF7B8810000-0x00007FF7B8B61000-memory.dmp

Filesize
3.3MB

Download
memory/3048-73-0x00007FF7B8810000-0x00007FF7B8B61000-memory.dmp

Filesize
3.3MB

Download
memory/3152-229-0x00007FF6744E0000-0x00007FF674831000-memory.dmp

Filesize
3.3MB

Download
memory/3152-64-0x00007FF6744E0000-0x00007FF674831000-memory.dmp

Filesize
3.3MB

Download
memory/3164-51-0x00007FF6FAE30000-0x00007FF6FB181000-memory.dmp

Filesize
3.3MB

Download
memory/3164-225-0x00007FF6FAE30000-0x00007FF6FB181000-memory.dmp

Filesize
3.3MB

Download
memory/3164-135-0x00007FF6FAE30000-0x00007FF6FB181000-memory.dmp

Filesize
3.3MB

Download
memory/3536-215-0x00007FF62C350000-0x00007FF62C6A1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-7-0x00007FF62C350000-0x00007FF62C6A1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-129-0x00007FF62C350000-0x00007FF62C6A1000-memory.dmp

Filesize
3.3MB

Download
memory/3544-223-0x00007FF767450000-0x00007FF7677A1000-memory.dmp

Filesize
3.3MB

Download
memory/3544-35-0x00007FF767450000-0x00007FF7677A1000-memory.dmp

Filesize
3.3MB

Download
memory/3544-133-0x00007FF767450000-0x00007FF7677A1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-259-0x00007FF609FF0000-0x00007FF60A341000-memory.dmp

Filesize
3.3MB

Download
memory/3564-124-0x00007FF609FF0000-0x00007FF60A341000-memory.dmp

Filesize
3.3MB

Download
memory/3564-143-0x00007FF609FF0000-0x00007FF60A341000-memory.dmp

Filesize
3.3MB

Download
memory/3760-32-0x00007FF6FBE10000-0x00007FF6FC161000-memory.dmp

Filesize
3.3MB

Download
memory/3760-132-0x00007FF6FBE10000-0x00007FF6FC161000-memory.dmp

Filesize
3.3MB

Download
memory/3760-221-0x00007FF6FBE10000-0x00007FF6FC161000-memory.dmp

Filesize
3.3MB

Download
memory/4092-141-0x00007FF6D3790000-0x00007FF6D3AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4092-83-0x00007FF6D3790000-0x00007FF6D3AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4092-244-0x00007FF6D3790000-0x00007FF6D3AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4384-130-0x00007FF6DB2F0000-0x00007FF6DB641000-memory.dmp

Filesize
3.3MB

Download
memory/4384-217-0x00007FF6DB2F0000-0x00007FF6DB641000-memory.dmp

Filesize
3.3MB

Download
memory/4384-19-0x00007FF6DB2F0000-0x00007FF6DB641000-memory.dmp

Filesize
3.3MB

Download
memory/4428-147-0x00007FF64A600000-0x00007FF64A951000-memory.dmp

Filesize
3.3MB

Download
memory/4428-106-0x00007FF64A600000-0x00007FF64A951000-memory.dmp

Filesize
3.3MB

Download
memory/4428-253-0x00007FF64A600000-0x00007FF64A951000-memory.dmp

Filesize
3.3MB

Download
memory/4436-116-0x00007FF79BF70000-0x00007FF79C2C1000-memory.dmp

Filesize
3.3MB

Download
memory/4436-232-0x00007FF79BF70000-0x00007FF79C2C1000-memory.dmp

Filesize
3.3MB

Download
memory/4992-98-0x00007FF7D25F0000-0x00007FF7D2941000-memory.dmp

Filesize
3.3MB

Download
memory/4992-144-0x00007FF7D25F0000-0x00007FF7D2941000-memory.dmp

Filesize
3.3MB

Download
memory/4992-255-0x00007FF7D25F0000-0x00007FF7D2941000-memory.dmp

Filesize
3.3MB

Download
memory/5016-246-0x00007FF6AFC00000-0x00007FF6AFF51000-memory.dmp

Filesize
3.3MB

Download
memory/5016-105-0x00007FF6AFC00000-0x00007FF6AFF51000-memory.dmp

Filesize
3.3MB

Download
memory/5016-145-0x00007FF6AFC00000-0x00007FF6AFF51000-memory.dmp

Filesize
3.3MB

Download