cobaltstrike | a422c117affe2ecd3c063d980b69fe510f1d9739271dc9a6451a9b75601b99aa

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

eb9cc142ff20ff3f648675325c1b1ec0
SHA1

01e09ed04648dbb29ef317e5af99af0a7b5f7f31
SHA256

a422c117affe2ecd3c063d980b69fe510f1d9739271dc9a6451a9b75601b99aa
SHA512

9fbd6d8aa5e3604b95097a5daf090ac15ad030f89b3ea0f9928abd931ab43c210bbd41ba5ee879675a2fff5e51ae949211aa5e8294d274560993cc9ec1d1ac23
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lF:RWWBibf56utgpPFotBER/mQ32lUx

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234d1-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-12.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234da-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234db-28.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-36.dat	cobalt_reflective_dll
behavioral2/files/0x0004000000022abb-41.dat	cobalt_reflective_dll
behavioral2/files/0x00030000000230ad-49.dat	cobalt_reflective_dll
behavioral2/files/0x000300000002327a-55.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234df-77.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e0-90.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e1-95.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234de-76.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234d5-72.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002342e-61.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e3-106.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e4-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e5-122.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e6-131.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e7-139.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e2-105.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/832-87-0x00007FF6EF680000-0x00007FF6EF9D1000-memory.dmp	xmrig
behavioral2/memory/3960-93-0x00007FF762C00000-0x00007FF762F51000-memory.dmp	xmrig
behavioral2/memory/336-79-0x00007FF64B100000-0x00007FF64B451000-memory.dmp	xmrig
behavioral2/memory/3504-71-0x00007FF657BE0000-0x00007FF657F31000-memory.dmp	xmrig
behavioral2/memory/1676-66-0x00007FF642230000-0x00007FF642581000-memory.dmp	xmrig
behavioral2/memory/1900-37-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp	xmrig
behavioral2/memory/2528-97-0x00007FF7AEA40000-0x00007FF7AED91000-memory.dmp	xmrig
behavioral2/memory/2344-126-0x00007FF66AF30000-0x00007FF66B281000-memory.dmp	xmrig
behavioral2/memory/3664-137-0x00007FF770420000-0x00007FF770771000-memory.dmp	xmrig
behavioral2/memory/4772-129-0x00007FF66AF30000-0x00007FF66B281000-memory.dmp	xmrig
behavioral2/memory/4464-123-0x00007FF7919C0000-0x00007FF791D11000-memory.dmp	xmrig
behavioral2/memory/4184-117-0x00007FF6E1960000-0x00007FF6E1CB1000-memory.dmp	xmrig
behavioral2/memory/4612-115-0x00007FF616EF0000-0x00007FF617241000-memory.dmp	xmrig
behavioral2/memory/4220-112-0x00007FF68AAF0000-0x00007FF68AE41000-memory.dmp	xmrig
behavioral2/memory/3436-111-0x00007FF7F0770000-0x00007FF7F0AC1000-memory.dmp	xmrig
behavioral2/memory/1900-102-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp	xmrig
behavioral2/memory/4504-141-0x00007FF799900000-0x00007FF799C51000-memory.dmp	xmrig
behavioral2/memory/1676-142-0x00007FF642230000-0x00007FF642581000-memory.dmp	xmrig
behavioral2/memory/2712-146-0x00007FF77C700000-0x00007FF77CA51000-memory.dmp	xmrig
behavioral2/memory/968-155-0x00007FF748D50000-0x00007FF7490A1000-memory.dmp	xmrig
behavioral2/memory/1728-160-0x00007FF613470000-0x00007FF6137C1000-memory.dmp	xmrig
behavioral2/memory/216-161-0x00007FF761710000-0x00007FF761A61000-memory.dmp	xmrig
behavioral2/memory/2312-164-0x00007FF707DA0000-0x00007FF7080F1000-memory.dmp	xmrig
behavioral2/memory/2436-169-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp	xmrig
behavioral2/memory/1676-170-0x00007FF642230000-0x00007FF642581000-memory.dmp	xmrig
behavioral2/memory/3504-222-0x00007FF657BE0000-0x00007FF657F31000-memory.dmp	xmrig
behavioral2/memory/336-224-0x00007FF64B100000-0x00007FF64B451000-memory.dmp	xmrig
behavioral2/memory/832-226-0x00007FF6EF680000-0x00007FF6EF9D1000-memory.dmp	xmrig
behavioral2/memory/3960-228-0x00007FF762C00000-0x00007FF762F51000-memory.dmp	xmrig
behavioral2/memory/2528-230-0x00007FF7AEA40000-0x00007FF7AED91000-memory.dmp	xmrig
behavioral2/memory/1900-240-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp	xmrig
behavioral2/memory/3436-242-0x00007FF7F0770000-0x00007FF7F0AC1000-memory.dmp	xmrig
behavioral2/memory/4184-245-0x00007FF6E1960000-0x00007FF6E1CB1000-memory.dmp	xmrig
behavioral2/memory/4220-246-0x00007FF68AAF0000-0x00007FF68AE41000-memory.dmp	xmrig
behavioral2/memory/2344-250-0x00007FF66AF30000-0x00007FF66B281000-memory.dmp	xmrig
behavioral2/memory/4464-249-0x00007FF7919C0000-0x00007FF791D11000-memory.dmp	xmrig
behavioral2/memory/3664-255-0x00007FF770420000-0x00007FF770771000-memory.dmp	xmrig
behavioral2/memory/4504-253-0x00007FF799900000-0x00007FF799C51000-memory.dmp	xmrig
behavioral2/memory/968-258-0x00007FF748D50000-0x00007FF7490A1000-memory.dmp	xmrig
behavioral2/memory/2712-259-0x00007FF77C700000-0x00007FF77CA51000-memory.dmp	xmrig
behavioral2/memory/1728-268-0x00007FF613470000-0x00007FF6137C1000-memory.dmp	xmrig
behavioral2/memory/4612-269-0x00007FF616EF0000-0x00007FF617241000-memory.dmp	xmrig
behavioral2/memory/216-272-0x00007FF761710000-0x00007FF761A61000-memory.dmp	xmrig
behavioral2/memory/4772-273-0x00007FF66AF30000-0x00007FF66B281000-memory.dmp	xmrig
behavioral2/memory/2312-277-0x00007FF707DA0000-0x00007FF7080F1000-memory.dmp	xmrig
behavioral2/memory/2436-276-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3504	OcaxtsF.exe
336	sJfmmPR.exe
832	NqcmDCM.exe
3960	YQFIMLE.exe
2528	jzzmRvu.exe
1900	LkGaAin.exe
3436	cQhZVEZ.exe
4184	YOCNpPo.exe
4220	fBmkMll.exe
4464	IJTKQHw.exe
2344	kENWkqO.exe
3664	ePWbqlS.exe
4504	HFYEbpT.exe
2712	YwGdCQM.exe
968	GguOdlG.exe
1728	pcHSFGf.exe
4612	BsKIfND.exe
216	KYxjWKr.exe
4772	sKsFDLt.exe
2312	WePeLqd.exe
2436	jaqrzZy.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1676-0-0x00007FF642230000-0x00007FF642581000-memory.dmp	upx
behavioral2/files/0x00080000000234d1-5.dat	upx
behavioral2/memory/3504-7-0x00007FF657BE0000-0x00007FF657F31000-memory.dmp	upx
behavioral2/files/0x00070000000234d8-12.dat	upx
behavioral2/files/0x00070000000234d9-11.dat	upx
behavioral2/memory/336-14-0x00007FF64B100000-0x00007FF64B451000-memory.dmp	upx
behavioral2/memory/832-20-0x00007FF6EF680000-0x00007FF6EF9D1000-memory.dmp	upx
behavioral2/files/0x00070000000234da-23.dat	upx
behavioral2/files/0x00070000000234db-28.dat	upx
behavioral2/memory/2528-30-0x00007FF7AEA40000-0x00007FF7AED91000-memory.dmp	upx
behavioral2/memory/3960-24-0x00007FF762C00000-0x00007FF762F51000-memory.dmp	upx
behavioral2/files/0x00070000000234dd-36.dat	upx
behavioral2/files/0x0004000000022abb-41.dat	upx
behavioral2/files/0x00030000000230ad-49.dat	upx
behavioral2/files/0x000300000002327a-55.dat	upx
behavioral2/memory/4220-56-0x00007FF68AAF0000-0x00007FF68AE41000-memory.dmp	upx
behavioral2/memory/2344-70-0x00007FF66AF30000-0x00007FF66B281000-memory.dmp	upx
behavioral2/files/0x00070000000234df-77.dat	upx
behavioral2/memory/4504-83-0x00007FF799900000-0x00007FF799C51000-memory.dmp	upx
behavioral2/memory/832-87-0x00007FF6EF680000-0x00007FF6EF9D1000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-90.dat	upx
behavioral2/files/0x00070000000234e1-95.dat	upx
behavioral2/memory/968-94-0x00007FF748D50000-0x00007FF7490A1000-memory.dmp	upx
behavioral2/memory/3960-93-0x00007FF762C00000-0x00007FF762F51000-memory.dmp	upx
behavioral2/memory/2712-88-0x00007FF77C700000-0x00007FF77CA51000-memory.dmp	upx
behavioral2/memory/336-79-0x00007FF64B100000-0x00007FF64B451000-memory.dmp	upx
behavioral2/files/0x00070000000234de-76.dat	upx
behavioral2/memory/3664-75-0x00007FF770420000-0x00007FF770771000-memory.dmp	upx
behavioral2/files/0x00080000000234d5-72.dat	upx
behavioral2/memory/3504-71-0x00007FF657BE0000-0x00007FF657F31000-memory.dmp	upx
behavioral2/memory/1676-66-0x00007FF642230000-0x00007FF642581000-memory.dmp	upx
behavioral2/memory/4464-63-0x00007FF7919C0000-0x00007FF791D11000-memory.dmp	upx
behavioral2/files/0x000900000002342e-61.dat	upx
behavioral2/memory/4184-51-0x00007FF6E1960000-0x00007FF6E1CB1000-memory.dmp	upx
behavioral2/memory/3436-46-0x00007FF7F0770000-0x00007FF7F0AC1000-memory.dmp	upx
behavioral2/memory/1900-37-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp	upx
behavioral2/memory/2528-97-0x00007FF7AEA40000-0x00007FF7AED91000-memory.dmp	upx
behavioral2/files/0x00070000000234e3-106.dat	upx
behavioral2/files/0x00070000000234e4-116.dat	upx
behavioral2/files/0x00070000000234e5-122.dat	upx
behavioral2/memory/2344-126-0x00007FF66AF30000-0x00007FF66B281000-memory.dmp	upx
behavioral2/files/0x00070000000234e6-131.dat	upx
behavioral2/memory/2312-134-0x00007FF707DA0000-0x00007FF7080F1000-memory.dmp	upx
behavioral2/memory/3664-137-0x00007FF770420000-0x00007FF770771000-memory.dmp	upx
behavioral2/files/0x00070000000234e7-139.dat	upx
behavioral2/memory/2436-138-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp	upx
behavioral2/memory/4772-129-0x00007FF66AF30000-0x00007FF66B281000-memory.dmp	upx
behavioral2/memory/4464-123-0x00007FF7919C0000-0x00007FF791D11000-memory.dmp	upx
behavioral2/memory/216-118-0x00007FF761710000-0x00007FF761A61000-memory.dmp	upx
behavioral2/memory/4184-117-0x00007FF6E1960000-0x00007FF6E1CB1000-memory.dmp	upx
behavioral2/memory/4612-115-0x00007FF616EF0000-0x00007FF617241000-memory.dmp	upx
behavioral2/memory/4220-112-0x00007FF68AAF0000-0x00007FF68AE41000-memory.dmp	upx
behavioral2/memory/3436-111-0x00007FF7F0770000-0x00007FF7F0AC1000-memory.dmp	upx
behavioral2/files/0x00070000000234e2-105.dat	upx
behavioral2/memory/1728-103-0x00007FF613470000-0x00007FF6137C1000-memory.dmp	upx
behavioral2/memory/1900-102-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp	upx
behavioral2/memory/4504-141-0x00007FF799900000-0x00007FF799C51000-memory.dmp	upx
behavioral2/memory/1676-142-0x00007FF642230000-0x00007FF642581000-memory.dmp	upx
behavioral2/memory/2712-146-0x00007FF77C700000-0x00007FF77CA51000-memory.dmp	upx
behavioral2/memory/968-155-0x00007FF748D50000-0x00007FF7490A1000-memory.dmp	upx
behavioral2/memory/1728-160-0x00007FF613470000-0x00007FF6137C1000-memory.dmp	upx
behavioral2/memory/216-161-0x00007FF761710000-0x00007FF761A61000-memory.dmp	upx
behavioral2/memory/2312-164-0x00007FF707DA0000-0x00007FF7080F1000-memory.dmp	upx
behavioral2/memory/2436-169-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\IJTKQHw.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kENWkqO.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ePWbqlS.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YwGdCQM.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BsKIfND.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jaqrzZy.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sJfmmPR.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YQFIMLE.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fBmkMll.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cQhZVEZ.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HFYEbpT.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GguOdlG.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pcHSFGf.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KYxjWKr.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OcaxtsF.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NqcmDCM.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LkGaAin.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sKsFDLt.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jzzmRvu.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YOCNpPo.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WePeLqd.exe	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 3504	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1676 wrote to memory of 3504	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1676 wrote to memory of 336	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1676 wrote to memory of 336	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1676 wrote to memory of 832	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1676 wrote to memory of 832	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1676 wrote to memory of 3960	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1676 wrote to memory of 3960	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1676 wrote to memory of 2528	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1676 wrote to memory of 2528	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1676 wrote to memory of 1900	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1676 wrote to memory of 1900	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1676 wrote to memory of 3436	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1676 wrote to memory of 3436	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1676 wrote to memory of 4184	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1676 wrote to memory of 4184	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1676 wrote to memory of 4220	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1676 wrote to memory of 4220	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1676 wrote to memory of 4464	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1676 wrote to memory of 4464	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1676 wrote to memory of 2344	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1676 wrote to memory of 2344	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1676 wrote to memory of 3664	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1676 wrote to memory of 3664	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1676 wrote to memory of 4504	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1676 wrote to memory of 4504	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1676 wrote to memory of 2712	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1676 wrote to memory of 2712	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1676 wrote to memory of 968	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1676 wrote to memory of 968	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1676 wrote to memory of 1728	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1676 wrote to memory of 1728	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1676 wrote to memory of 4612	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1676 wrote to memory of 4612	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1676 wrote to memory of 216	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1676 wrote to memory of 216	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1676 wrote to memory of 4772	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1676 wrote to memory of 4772	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1676 wrote to memory of 2312	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1676 wrote to memory of 2312	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1676 wrote to memory of 2436	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1676 wrote to memory of 2436	1676	2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_eb9cc142ff20ff3f648675325c1b1ec0_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\System\OcaxtsF.exe
  C:\Windows\System\OcaxtsF.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\sJfmmPR.exe
  C:\Windows\System\sJfmmPR.exe
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Windows\System\NqcmDCM.exe
  C:\Windows\System\NqcmDCM.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System\YQFIMLE.exe
  C:\Windows\System\YQFIMLE.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System\jzzmRvu.exe
  C:\Windows\System\jzzmRvu.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\LkGaAin.exe
  C:\Windows\System\LkGaAin.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\cQhZVEZ.exe
  C:\Windows\System\cQhZVEZ.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System\YOCNpPo.exe
  C:\Windows\System\YOCNpPo.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\fBmkMll.exe
  C:\Windows\System\fBmkMll.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\IJTKQHw.exe
  C:\Windows\System\IJTKQHw.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\kENWkqO.exe
  C:\Windows\System\kENWkqO.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\ePWbqlS.exe
  C:\Windows\System\ePWbqlS.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\HFYEbpT.exe
  C:\Windows\System\HFYEbpT.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\YwGdCQM.exe
  C:\Windows\System\YwGdCQM.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\GguOdlG.exe
  C:\Windows\System\GguOdlG.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\pcHSFGf.exe
  C:\Windows\System\pcHSFGf.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\BsKIfND.exe
  C:\Windows\System\BsKIfND.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\KYxjWKr.exe
  C:\Windows\System\KYxjWKr.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\sKsFDLt.exe
  C:\Windows\System\sKsFDLt.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\WePeLqd.exe
  C:\Windows\System\WePeLqd.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System\jaqrzZy.exe
  C:\Windows\System\jaqrzZy.exe
  2⤵
  - Executes dropped EXE
  PID:2436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BsKIfND.exe

Filesize
5.2MB

MD5
41503601b6ed0671eab9a9593ad905f1

SHA1
aae39d874bff3523b696d9b917ff638dcb3d317d

SHA256
4771a952cbcaecac9fcc239014f1519865b4434ee9dca433f452d42c629330e5

SHA512
cf6ba0d97001ea4356949c03ea96049d7088c5156832d389551f641a3d4aba51c7bd07123f34f8d2e94de57a0d058a007ba0f31a9c3ff6901fd7caec1d0b309e

Download Submit
C:\Windows\System\GguOdlG.exe

Filesize
5.2MB

MD5
5750e1b7b71353ba319be5968dea3a57

SHA1
6b1eb8bc2cd6fb369b14856a924e5848fb993497

SHA256
a421985bccce459c80d46d124062e74dd1d3d5bdd5dd5f4f7f503d51f9ba5654

SHA512
b99ae41e44c71ed2516326a263ac04d6bdf7ffe2c5c1df576991297f52e1dcdd713ffd452c2eba78380cc364c0f21d0956e7e018d08ebc6129f99dd726659c2c

Download Submit
C:\Windows\System\HFYEbpT.exe

Filesize
5.2MB

MD5
75c8c3306a55e36f4e4ac12997518225

SHA1
156c050860b43fcfdcdb4c00ab525ebe5435e144

SHA256
8a98ad2cc9c0629c2ee4b84314773036820607ad45485e1ac2f45e62acb449fe

SHA512
e41ca4c71004fd06af8e2db7fe12302a7cbd62510d6f88a654dae7fcd014dfa42ca1f99f110607021b038eb6a841b0877bac0f9a8ba7771687bf2e10b796a58a

Download Submit
C:\Windows\System\IJTKQHw.exe

Filesize
5.2MB

MD5
3c8956ed9d5d7faad49439ac6beb2fd3

SHA1
5cc0e02f22e7ed6fd2e6f6356f2ee651d726c014

SHA256
392cb8777ff38a80f620a7831f01a56c82a2d825dede107f609df045347ee4d6

SHA512
97d4906d1fd6feb1e55692e42f0eabf03b2ac7f62618ebd164332b97189b8c0519cd2bb7fa4955b9bbb098c8f76ba95beab1f2eadce4f93bd0538e4da85f4e04

Download Submit
C:\Windows\System\KYxjWKr.exe

Filesize
5.2MB

MD5
74ecbe1bef451db205b05e43d29b3141

SHA1
d19e8dc969c0f4334b82f22aec571b9de2c3ec90

SHA256
d98472a05360d8285b3d48a0e56c4bd8766d24f099e2c401e1166d7fd037f3b3

SHA512
ac98d769195203eb884c50edfc80718f52798496abe837a69b3a78cb02c98cebb3764ecfbbbbca585a0ff443e76c794615862252a918463039a329d7f949ffef

Download Submit
C:\Windows\System\LkGaAin.exe

Filesize
5.2MB

MD5
42beaecded657c2d03e414e9ec5039a5

SHA1
7bf4a98a6d7d454bdf25253948e81194959e60a9

SHA256
7a4a6636ecd5aa0b4bc11c8b7c773cc8c80bdb62f4a148002c57bb79de931594

SHA512
7b2e85f7ad023996cb4e3d62ae9c028349965a91200176d2a79f93a840d244ccf6bcbd0da793851f6da348b4833454e8d12c9233afd43ae011d3e14f09124fbc

Download Submit
C:\Windows\System\NqcmDCM.exe

Filesize
5.2MB

MD5
107ea206999d838cf1cba07a0e25d192

SHA1
5a60e75bd53c89d49a8e9d633093c34e8d83a95a

SHA256
25b5ff0d2650369d3a04f44fb115204e9f6c4103cb3205826bb2984d6423b95e

SHA512
d34165bb94deb42bfc195eaf676fbb1886aeae30f98eff57ddc49e35d143fb10131dc3f055531ea8bbd397aec6bdcf655ea2479c26ca986a5113bce8b51b73a8

Download Submit
C:\Windows\System\OcaxtsF.exe

Filesize
5.2MB

MD5
211cb5618eb05fc96bd762de033d02b7

SHA1
e5bb2a59a3748116a905603392a8cdd18f91f6ad

SHA256
d1fd5134148861e746246c817e90a8f01a98bfc7ebb2833831d52d5100d89be7

SHA512
02d296f62fa335164b22d38b00f639d51b77e7a760e2d23eb30fa36da6c4aff7538183b8b93cf76ab6b18afc9c8c4c3d7cad858753e7dc3e565cfbb72c437521

Download Submit
C:\Windows\System\WePeLqd.exe

Filesize
5.2MB

MD5
a02955073600abc56f270a0c2481f8ca

SHA1
e2d38708f8e3f58f576c6d2db23cc2c6c0d1f922

SHA256
82d2b557fe4fbc9c9cbb3d8159c9ca7ce6b25be59d39ac509a1235af1ca0d0cc

SHA512
ff1d15d83a2412a3d33d34ef457c4a253eeb932e2fa862946d807f43d7dec35f735167c87b091127305c3ec9907e80b0c00eff16b3239e68929fe78bdceac306

Download Submit
C:\Windows\System\YOCNpPo.exe

Filesize
5.2MB

MD5
590ca295b51b2824bfdefe63eea600b6

SHA1
f25f6e24894777616ac75fdebb3a1e0ed9de2378

SHA256
162d546886c49cde7a5b5b3bca30568c1cca97b081f4cf008f10c2f5eb0413f9

SHA512
59b45b9edd2dfabf394e97a67f6e0068b5cbfbed545c58830c99ccae8cdad16b9919b23c6e69c1dae5f3d681dfa016c7f689ccdb278f2b6d717e98432c4f2c1c

Download Submit
C:\Windows\System\YQFIMLE.exe

Filesize
5.2MB

MD5
2ca5291567ca42ce56aed6d1f5eb4c5e

SHA1
d96cfc6be940f401ac38c0628b5f1aec1fcdb52f

SHA256
91595cb6ed5f56df766e90f0b7ee6751b405a598ecb24e1253a5e1beb4cdb601

SHA512
629ca69b36469aa6f6b02f2dee7f0b4d6207736bcffee106185957c2031fd9d0d49f560298aaeba5c7be3bfc2420f5e8d33ae3c9849327fbe6a93139d3fa79fc

Download Submit
C:\Windows\System\YwGdCQM.exe

Filesize
5.2MB

MD5
a8879e25b7f1025e424396118f170303

SHA1
5fb29b0428d3338a90cf090c6c8c79d0eb37d92a

SHA256
45c45348d10b1f16f8469ff790d7271c312b4579ac9e9ed69d5552ada6ab6d3a

SHA512
c5c319bd62dc81bf2ca8cba5d0d9eb23f89c4076cd035acc5471cb4c8cf775e93299d5682bacf9a0c816f203bdc69e929dd29d10be0b217829780211bf67973b

Download Submit
C:\Windows\System\cQhZVEZ.exe

Filesize
5.2MB

MD5
ed0c9995f7f10680529e7f457a4fdced

SHA1
ec56d7792777c540c7730271686fc7e7c33cb858

SHA256
f18b1a28e69e1e01222481db8846ebc7b75770d66c89642a30776a3f0a7e1891

SHA512
efe3688d69d294ea5d9743bd57cb5fbe3a43670e02819d1b7a983871343573086c3d7e9f0806b0713dfb295f450be593489f5ac181e1aaa2a8d3bfb3f8a2b71b

Download Submit
C:\Windows\System\ePWbqlS.exe

Filesize
5.2MB

MD5
43f49764373b36f59e658c65de776357

SHA1
30afdf98dd2222ab705f0884e06af8bfcbbff49f

SHA256
e56ddea245501d8d2df156d16ea4271c1eb6d79533c7009ae6cc6678ca102c62

SHA512
64a80643be97b3a2f0c85996aed4a0b3cc128185107487c9058cfaa6674248198cec0be8279c6ab77e3dd9998a948988e98907290e5c59c51cf662e5f6f030b7

Download Submit
C:\Windows\System\fBmkMll.exe

Filesize
5.2MB

MD5
eecbe7aefa2943cc34ead0f13e8ee4a2

SHA1
4117c8612c8418b140836b6c6b8cae1721caae7a

SHA256
7869826792dd957f050e71af2e3ec30c645d78571a17228eb422c62b30614e96

SHA512
83d2b7cb33d3e0cf40f8f84c2366c1d3222bdcd4c70043b55efe1acba1ce6f84e72efc7fa9896695102905d9bd42f8728a244fdf8648d5a940c51c44456b921e

Download Submit
C:\Windows\System\jaqrzZy.exe

Filesize
5.2MB

MD5
3ac9d4a71a9f52da294782515d0ac78d

SHA1
d259d64e7a352a7037d336372ac79111c9b1eac5

SHA256
454ace3cd497c32400fd50921b2bb1a5c7f36d3075fca0120b191d25cbe8e369

SHA512
fa17b304e064ec02adbff6bf5a0c54799ccdf5bac9a6047ebe5ccc86463bed611a2fbf05e12f58ef70424f9ec8b1198aae0cee56eb81e33d7c6aadf6a349cea4

Download Submit
C:\Windows\System\jzzmRvu.exe

Filesize
5.2MB

MD5
04670336c5faccbb48de17290872d35d

SHA1
198b5e16d5eeb48e3c41411c0ce9967794b09e83

SHA256
b58791350086da4fca4229027803cc2f2585a7025447c388bc3bab3a93e4a3b0

SHA512
c665ed004f899afd1cafcf70321bb80d84e3d91dbacc9a2b18b7269ecaf4d226fb93fe4e16f8c62cba5719c27b5b3e1fc64f577bcb69fd302604502073db5ad2

Download Submit
C:\Windows\System\kENWkqO.exe

Filesize
5.2MB

MD5
14c0e31fcb9675e190cde8e305f34ea6

SHA1
343f95cd2709dee397fe7caef20826184dfb1280

SHA256
fb4ca19ec3795a0e1bf5b814b3db89c7ccfa7675c83d1fa76fa4fa0805b896c0

SHA512
2a9509be64663e682fcc21169c253000087442ec4e8658dfa426fff2c086fe96b40cacf190b1f0b2e0bfddb784334ff70e3fb37bad13d2820d0300709144ae91

Download Submit
C:\Windows\System\pcHSFGf.exe

Filesize
5.2MB

MD5
942344d46830064d6ca709b4481840c2

SHA1
ffc29e5238c8ed9d61e45649d645c41109ddb538

SHA256
642fa26cfa823cabadc97f2a5c7ac881e35dcab199248dd1c76fcea99e3824ff

SHA512
b38f8eb01de72851e64d0b3d5b594e4bc7cb3da0a9c65096f6116d05bb276013273c37ea19b0b47850d3d78600957c2ff056e8d96f253cb26d90c59dd4fb5d34

Download Submit
C:\Windows\System\sJfmmPR.exe

Filesize
5.2MB

MD5
63b418d6355bdde484bccb6188a8e03b

SHA1
2b824a130a381a777ce15e4951c5afe1c3840d8c

SHA256
1b44d3566bb433c434ddce09d077ade5fe6160eeaa71b67de8d3dbc8ba371b1e

SHA512
de71dd47502ab9e0915605c7570f800728b2f43b08f6ea96f9259588be042cef8869680382f11b3fe2b77c97595a20fb20d3e87eb8dcd9e685cb82926d8f5c67

Download Submit
C:\Windows\System\sKsFDLt.exe

Filesize
5.2MB

MD5
28bedcf6aa9f115cb60430eeabf6cfa1

SHA1
e55fb52911a9a7df509e3d239a5f56045b1b6554

SHA256
776845d7741b214263c1ebc09b6ec2ec6e26fef6eeaa9649924d1cbe35ef299a

SHA512
73f00dd42daf843b96453ceb333979bf8187c4bc209a9bae18be3b2f2d61cbd122cb238c9f39febae9a77b51c4ce4892ae80643bb85e8569f263ab7261129d26

Download Submit
memory/216-161-0x00007FF761710000-0x00007FF761A61000-memory.dmp

Filesize
3.3MB

Download
memory/216-272-0x00007FF761710000-0x00007FF761A61000-memory.dmp

Filesize
3.3MB

Download
memory/216-118-0x00007FF761710000-0x00007FF761A61000-memory.dmp

Filesize
3.3MB

Download
memory/336-14-0x00007FF64B100000-0x00007FF64B451000-memory.dmp

Filesize
3.3MB

Download
memory/336-224-0x00007FF64B100000-0x00007FF64B451000-memory.dmp

Filesize
3.3MB

Download
memory/336-79-0x00007FF64B100000-0x00007FF64B451000-memory.dmp

Filesize
3.3MB

Download
memory/832-87-0x00007FF6EF680000-0x00007FF6EF9D1000-memory.dmp

Filesize
3.3MB

Download
memory/832-226-0x00007FF6EF680000-0x00007FF6EF9D1000-memory.dmp

Filesize
3.3MB

Download
memory/832-20-0x00007FF6EF680000-0x00007FF6EF9D1000-memory.dmp

Filesize
3.3MB

Download
memory/968-258-0x00007FF748D50000-0x00007FF7490A1000-memory.dmp

Filesize
3.3MB

Download
memory/968-155-0x00007FF748D50000-0x00007FF7490A1000-memory.dmp

Filesize
3.3MB

Download
memory/968-94-0x00007FF748D50000-0x00007FF7490A1000-memory.dmp

Filesize
3.3MB

Download
memory/1676-170-0x00007FF642230000-0x00007FF642581000-memory.dmp

Filesize
3.3MB

Download
memory/1676-142-0x00007FF642230000-0x00007FF642581000-memory.dmp

Filesize
3.3MB

Download
memory/1676-1-0x000001CA69670000-0x000001CA69680000-memory.dmp

Filesize
64KB

Download
memory/1676-66-0x00007FF642230000-0x00007FF642581000-memory.dmp

Filesize
3.3MB

Download
memory/1676-0-0x00007FF642230000-0x00007FF642581000-memory.dmp

Filesize
3.3MB

Download
memory/1728-103-0x00007FF613470000-0x00007FF6137C1000-memory.dmp

Filesize
3.3MB

Download
memory/1728-160-0x00007FF613470000-0x00007FF6137C1000-memory.dmp

Filesize
3.3MB

Download
memory/1728-268-0x00007FF613470000-0x00007FF6137C1000-memory.dmp

Filesize
3.3MB

Download
memory/1900-102-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp

Filesize
3.3MB

Download
memory/1900-37-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp

Filesize
3.3MB

Download
memory/1900-240-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp

Filesize
3.3MB

Download
memory/2312-134-0x00007FF707DA0000-0x00007FF7080F1000-memory.dmp

Filesize
3.3MB

Download
memory/2312-277-0x00007FF707DA0000-0x00007FF7080F1000-memory.dmp

Filesize
3.3MB

Download
memory/2312-164-0x00007FF707DA0000-0x00007FF7080F1000-memory.dmp

Filesize
3.3MB

Download
memory/2344-70-0x00007FF66AF30000-0x00007FF66B281000-memory.dmp

Filesize
3.3MB

Download
memory/2344-126-0x00007FF66AF30000-0x00007FF66B281000-memory.dmp

Filesize
3.3MB

Download
memory/2344-250-0x00007FF66AF30000-0x00007FF66B281000-memory.dmp

Filesize
3.3MB

Download
memory/2436-138-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-276-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-169-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-97-0x00007FF7AEA40000-0x00007FF7AED91000-memory.dmp

Filesize
3.3MB

Download
memory/2528-230-0x00007FF7AEA40000-0x00007FF7AED91000-memory.dmp

Filesize
3.3MB

Download
memory/2528-30-0x00007FF7AEA40000-0x00007FF7AED91000-memory.dmp

Filesize
3.3MB

Download
memory/2712-146-0x00007FF77C700000-0x00007FF77CA51000-memory.dmp

Filesize
3.3MB

Download
memory/2712-259-0x00007FF77C700000-0x00007FF77CA51000-memory.dmp

Filesize
3.3MB

Download
memory/2712-88-0x00007FF77C700000-0x00007FF77CA51000-memory.dmp

Filesize
3.3MB

Download
memory/3436-46-0x00007FF7F0770000-0x00007FF7F0AC1000-memory.dmp

Filesize
3.3MB

Download
memory/3436-111-0x00007FF7F0770000-0x00007FF7F0AC1000-memory.dmp

Filesize
3.3MB

Download
memory/3436-242-0x00007FF7F0770000-0x00007FF7F0AC1000-memory.dmp

Filesize
3.3MB

Download
memory/3504-222-0x00007FF657BE0000-0x00007FF657F31000-memory.dmp

Filesize
3.3MB

Download
memory/3504-7-0x00007FF657BE0000-0x00007FF657F31000-memory.dmp

Filesize
3.3MB

Download
memory/3504-71-0x00007FF657BE0000-0x00007FF657F31000-memory.dmp

Filesize
3.3MB

Download
memory/3664-137-0x00007FF770420000-0x00007FF770771000-memory.dmp

Filesize
3.3MB

Download
memory/3664-255-0x00007FF770420000-0x00007FF770771000-memory.dmp

Filesize
3.3MB

Download
memory/3664-75-0x00007FF770420000-0x00007FF770771000-memory.dmp

Filesize
3.3MB

Download
memory/3960-228-0x00007FF762C00000-0x00007FF762F51000-memory.dmp

Filesize
3.3MB

Download
memory/3960-93-0x00007FF762C00000-0x00007FF762F51000-memory.dmp

Filesize
3.3MB

Download
memory/3960-24-0x00007FF762C00000-0x00007FF762F51000-memory.dmp

Filesize
3.3MB

Download
memory/4184-51-0x00007FF6E1960000-0x00007FF6E1CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4184-117-0x00007FF6E1960000-0x00007FF6E1CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4184-245-0x00007FF6E1960000-0x00007FF6E1CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4220-56-0x00007FF68AAF0000-0x00007FF68AE41000-memory.dmp

Filesize
3.3MB

Download
memory/4220-246-0x00007FF68AAF0000-0x00007FF68AE41000-memory.dmp

Filesize
3.3MB

Download
memory/4220-112-0x00007FF68AAF0000-0x00007FF68AE41000-memory.dmp

Filesize
3.3MB

Download
memory/4464-249-0x00007FF7919C0000-0x00007FF791D11000-memory.dmp

Filesize
3.3MB

Download
memory/4464-63-0x00007FF7919C0000-0x00007FF791D11000-memory.dmp

Filesize
3.3MB

Download
memory/4464-123-0x00007FF7919C0000-0x00007FF791D11000-memory.dmp

Filesize
3.3MB

Download
memory/4504-83-0x00007FF799900000-0x00007FF799C51000-memory.dmp

Filesize
3.3MB

Download
memory/4504-253-0x00007FF799900000-0x00007FF799C51000-memory.dmp

Filesize
3.3MB

Download
memory/4504-141-0x00007FF799900000-0x00007FF799C51000-memory.dmp

Filesize
3.3MB

Download
memory/4612-115-0x00007FF616EF0000-0x00007FF617241000-memory.dmp

Filesize
3.3MB

Download
memory/4612-269-0x00007FF616EF0000-0x00007FF617241000-memory.dmp

Filesize
3.3MB

Download
memory/4772-273-0x00007FF66AF30000-0x00007FF66B281000-memory.dmp

Filesize
3.3MB

Download
memory/4772-129-0x00007FF66AF30000-0x00007FF66B281000-memory.dmp

Filesize
3.3MB

Download