cobaltstrike | b4289e222a8802a0f6075b7c51fd6324908996151d9daacf2d5fd4ea029a286c

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/09/2024, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

213b0425d1fbb0f6559c270061da9ff6
SHA1

0a184c3950eefbde3c0d43db34c8b848edf8a305
SHA256

b4289e222a8802a0f6075b7c51fd6324908996151d9daacf2d5fd4ea029a286c
SHA512

12c2d2389f2e1e67bfb43a7f70e67843bf7d5ae47728e69a6aa371d2b3d9bc69e7a42c425f61dda7b8d1480dfe0b9fd09b1c8219f887a1156d4cead832378297
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l7:RWWBibf56utgpPFotBER/mQ32lUX

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023430-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023438-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-42.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-52.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-51.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-60.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-69.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023445-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-138.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023444-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023443-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-100.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-86.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1444-13-0x00007FF68F850000-0x00007FF68FBA1000-memory.dmp	xmrig
behavioral2/memory/4128-57-0x00007FF7A2C20000-0x00007FF7A2F71000-memory.dmp	xmrig
behavioral2/memory/1444-68-0x00007FF68F850000-0x00007FF68FBA1000-memory.dmp	xmrig
behavioral2/memory/4464-82-0x00007FF702A70000-0x00007FF702DC1000-memory.dmp	xmrig
behavioral2/memory/4272-109-0x00007FF706E50000-0x00007FF7071A1000-memory.dmp	xmrig
behavioral2/memory/1804-137-0x00007FF654150000-0x00007FF6544A1000-memory.dmp	xmrig
behavioral2/memory/1660-132-0x00007FF7265A0000-0x00007FF7268F1000-memory.dmp	xmrig
behavioral2/memory/800-117-0x00007FF6725C0000-0x00007FF672911000-memory.dmp	xmrig
behavioral2/memory/4452-105-0x00007FF648D90000-0x00007FF6490E1000-memory.dmp	xmrig
behavioral2/memory/2652-96-0x00007FF7CA200000-0x00007FF7CA551000-memory.dmp	xmrig
behavioral2/memory/1640-140-0x00007FF75A4A0000-0x00007FF75A7F1000-memory.dmp	xmrig
behavioral2/memory/1212-89-0x00007FF7F07C0000-0x00007FF7F0B11000-memory.dmp	xmrig
behavioral2/memory/1948-75-0x00007FF7D2DD0000-0x00007FF7D3121000-memory.dmp	xmrig
behavioral2/memory/2320-61-0x00007FF6B1980000-0x00007FF6B1CD1000-memory.dmp	xmrig
behavioral2/memory/4056-141-0x00007FF660740000-0x00007FF660A91000-memory.dmp	xmrig
behavioral2/memory/4128-142-0x00007FF7A2C20000-0x00007FF7A2F71000-memory.dmp	xmrig
behavioral2/memory/4284-145-0x00007FF7912D0000-0x00007FF791621000-memory.dmp	xmrig
behavioral2/memory/2188-153-0x00007FF664AE0000-0x00007FF664E31000-memory.dmp	xmrig
behavioral2/memory/4804-154-0x00007FF6AB740000-0x00007FF6ABA91000-memory.dmp	xmrig
behavioral2/memory/3352-155-0x00007FF6096C0000-0x00007FF609A11000-memory.dmp	xmrig
behavioral2/memory/4552-162-0x00007FF6D15F0000-0x00007FF6D1941000-memory.dmp	xmrig
behavioral2/memory/2840-167-0x00007FF68AE00000-0x00007FF68B151000-memory.dmp	xmrig
behavioral2/memory/1600-168-0x00007FF6FC700000-0x00007FF6FCA51000-memory.dmp	xmrig
behavioral2/memory/5036-169-0x00007FF717440000-0x00007FF717791000-memory.dmp	xmrig
behavioral2/memory/4128-170-0x00007FF7A2C20000-0x00007FF7A2F71000-memory.dmp	xmrig
behavioral2/memory/2320-221-0x00007FF6B1980000-0x00007FF6B1CD1000-memory.dmp	xmrig
behavioral2/memory/1444-223-0x00007FF68F850000-0x00007FF68FBA1000-memory.dmp	xmrig
behavioral2/memory/4464-227-0x00007FF702A70000-0x00007FF702DC1000-memory.dmp	xmrig
behavioral2/memory/1948-231-0x00007FF7D2DD0000-0x00007FF7D3121000-memory.dmp	xmrig
behavioral2/memory/1212-233-0x00007FF7F07C0000-0x00007FF7F0B11000-memory.dmp	xmrig
behavioral2/memory/4452-236-0x00007FF648D90000-0x00007FF6490E1000-memory.dmp	xmrig
behavioral2/memory/2652-239-0x00007FF7CA200000-0x00007FF7CA551000-memory.dmp	xmrig
behavioral2/memory/4272-238-0x00007FF706E50000-0x00007FF7071A1000-memory.dmp	xmrig
behavioral2/memory/800-241-0x00007FF6725C0000-0x00007FF672911000-memory.dmp	xmrig
behavioral2/memory/1660-252-0x00007FF7265A0000-0x00007FF7268F1000-memory.dmp	xmrig
behavioral2/memory/1804-254-0x00007FF654150000-0x00007FF6544A1000-memory.dmp	xmrig
behavioral2/memory/1640-256-0x00007FF75A4A0000-0x00007FF75A7F1000-memory.dmp	xmrig
behavioral2/memory/4284-258-0x00007FF7912D0000-0x00007FF791621000-memory.dmp	xmrig
behavioral2/memory/4056-260-0x00007FF660740000-0x00007FF660A91000-memory.dmp	xmrig
behavioral2/memory/2188-262-0x00007FF664AE0000-0x00007FF664E31000-memory.dmp	xmrig
behavioral2/memory/4804-267-0x00007FF6AB740000-0x00007FF6ABA91000-memory.dmp	xmrig
behavioral2/memory/3352-269-0x00007FF6096C0000-0x00007FF609A11000-memory.dmp	xmrig
behavioral2/memory/4552-271-0x00007FF6D15F0000-0x00007FF6D1941000-memory.dmp	xmrig
behavioral2/memory/5036-273-0x00007FF717440000-0x00007FF717791000-memory.dmp	xmrig
behavioral2/memory/2840-275-0x00007FF68AE00000-0x00007FF68B151000-memory.dmp	xmrig
behavioral2/memory/1600-277-0x00007FF6FC700000-0x00007FF6FCA51000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2320	CYjDkaF.exe
1444	lzpssXs.exe
1948	gRXfrUC.exe
4464	LqotSXC.exe
1212	HSSvyQy.exe
2652	HhFmIsu.exe
4452	gysDZMc.exe
4272	nAZdGSz.exe
800	kDJIbrx.exe
1660	UXajtsv.exe
1804	TwMihJp.exe
1640	WzaFSeS.exe
4056	TbBcpXg.exe
4284	NhhwkUZ.exe
2188	olhCtAu.exe
4804	wCPhYVo.exe
3352	uvsuFnr.exe
4552	zweMaek.exe
5036	AFHPFnn.exe
2840	qxVRXbK.exe
1600	DpFZxmm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4128-0-0x00007FF7A2C20000-0x00007FF7A2F71000-memory.dmp	upx
behavioral2/files/0x0008000000023430-4.dat	upx
behavioral2/memory/2320-7-0x00007FF6B1980000-0x00007FF6B1CD1000-memory.dmp	upx
behavioral2/files/0x0007000000023434-10.dat	upx
behavioral2/files/0x0007000000023435-11.dat	upx
behavioral2/memory/1444-13-0x00007FF68F850000-0x00007FF68FBA1000-memory.dmp	upx
behavioral2/files/0x0007000000023436-22.dat	upx
behavioral2/files/0x0007000000023437-27.dat	upx
behavioral2/files/0x0007000000023438-35.dat	upx
behavioral2/files/0x0007000000023439-42.dat	upx
behavioral2/memory/4272-47-0x00007FF706E50000-0x00007FF7071A1000-memory.dmp	upx
behavioral2/files/0x000700000002343b-52.dat	upx
behavioral2/memory/800-54-0x00007FF6725C0000-0x00007FF672911000-memory.dmp	upx
behavioral2/files/0x000700000002343a-51.dat	upx
behavioral2/memory/4452-41-0x00007FF648D90000-0x00007FF6490E1000-memory.dmp	upx
behavioral2/memory/2652-36-0x00007FF7CA200000-0x00007FF7CA551000-memory.dmp	upx
behavioral2/memory/1212-29-0x00007FF7F07C0000-0x00007FF7F0B11000-memory.dmp	upx
behavioral2/memory/4464-23-0x00007FF702A70000-0x00007FF702DC1000-memory.dmp	upx
behavioral2/memory/1948-18-0x00007FF7D2DD0000-0x00007FF7D3121000-memory.dmp	upx
behavioral2/memory/4128-57-0x00007FF7A2C20000-0x00007FF7A2F71000-memory.dmp	upx
behavioral2/files/0x000700000002343c-60.dat	upx
behavioral2/memory/1660-62-0x00007FF7265A0000-0x00007FF7268F1000-memory.dmp	upx
behavioral2/files/0x000700000002343d-69.dat	upx
behavioral2/memory/1444-68-0x00007FF68F850000-0x00007FF68FBA1000-memory.dmp	upx
behavioral2/memory/1804-71-0x00007FF654150000-0x00007FF6544A1000-memory.dmp	upx
behavioral2/files/0x000700000002343e-77.dat	upx
behavioral2/memory/4464-82-0x00007FF702A70000-0x00007FF702DC1000-memory.dmp	upx
behavioral2/files/0x0007000000023440-88.dat	upx
behavioral2/memory/2188-97-0x00007FF664AE0000-0x00007FF664E31000-memory.dmp	upx
behavioral2/files/0x0007000000023442-102.dat	upx
behavioral2/memory/4804-108-0x00007FF6AB740000-0x00007FF6ABA91000-memory.dmp	upx
behavioral2/memory/3352-112-0x00007FF6096C0000-0x00007FF609A11000-memory.dmp	upx
behavioral2/memory/4272-109-0x00007FF706E50000-0x00007FF7071A1000-memory.dmp	upx
behavioral2/memory/4552-118-0x00007FF6D15F0000-0x00007FF6D1941000-memory.dmp	upx
behavioral2/files/0x0007000000023445-123.dat	upx
behavioral2/files/0x0007000000023446-127.dat	upx
behavioral2/files/0x0007000000023447-138.dat	upx
behavioral2/memory/1804-137-0x00007FF654150000-0x00007FF6544A1000-memory.dmp	upx
behavioral2/memory/1600-136-0x00007FF6FC700000-0x00007FF6FCA51000-memory.dmp	upx
behavioral2/memory/2840-133-0x00007FF68AE00000-0x00007FF68B151000-memory.dmp	upx
behavioral2/memory/1660-132-0x00007FF7265A0000-0x00007FF7268F1000-memory.dmp	upx
behavioral2/memory/5036-126-0x00007FF717440000-0x00007FF717791000-memory.dmp	upx
behavioral2/files/0x0007000000023444-121.dat	upx
behavioral2/memory/800-117-0x00007FF6725C0000-0x00007FF672911000-memory.dmp	upx
behavioral2/files/0x0007000000023443-115.dat	upx
behavioral2/memory/4452-105-0x00007FF648D90000-0x00007FF6490E1000-memory.dmp	upx
behavioral2/files/0x0007000000023441-100.dat	upx
behavioral2/memory/2652-96-0x00007FF7CA200000-0x00007FF7CA551000-memory.dmp	upx
behavioral2/memory/4284-90-0x00007FF7912D0000-0x00007FF791621000-memory.dmp	upx
behavioral2/memory/1640-140-0x00007FF75A4A0000-0x00007FF75A7F1000-memory.dmp	upx
behavioral2/memory/1212-89-0x00007FF7F07C0000-0x00007FF7F0B11000-memory.dmp	upx
behavioral2/files/0x000700000002343f-86.dat	upx
behavioral2/memory/4056-83-0x00007FF660740000-0x00007FF660A91000-memory.dmp	upx
behavioral2/memory/1640-76-0x00007FF75A4A0000-0x00007FF75A7F1000-memory.dmp	upx
behavioral2/memory/1948-75-0x00007FF7D2DD0000-0x00007FF7D3121000-memory.dmp	upx
behavioral2/memory/2320-61-0x00007FF6B1980000-0x00007FF6B1CD1000-memory.dmp	upx
behavioral2/memory/4056-141-0x00007FF660740000-0x00007FF660A91000-memory.dmp	upx
behavioral2/memory/4128-142-0x00007FF7A2C20000-0x00007FF7A2F71000-memory.dmp	upx
behavioral2/memory/4284-145-0x00007FF7912D0000-0x00007FF791621000-memory.dmp	upx
behavioral2/memory/2188-153-0x00007FF664AE0000-0x00007FF664E31000-memory.dmp	upx
behavioral2/memory/4804-154-0x00007FF6AB740000-0x00007FF6ABA91000-memory.dmp	upx
behavioral2/memory/3352-155-0x00007FF6096C0000-0x00007FF609A11000-memory.dmp	upx
behavioral2/memory/4552-162-0x00007FF6D15F0000-0x00007FF6D1941000-memory.dmp	upx
behavioral2/memory/2840-167-0x00007FF68AE00000-0x00007FF68B151000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\TwMihJp.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NhhwkUZ.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wCPhYVo.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zweMaek.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gysDZMc.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kDJIbrx.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HhFmIsu.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nAZdGSz.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WzaFSeS.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uvsuFnr.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qxVRXbK.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lzpssXs.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gRXfrUC.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TbBcpXg.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\olhCtAu.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AFHPFnn.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DpFZxmm.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CYjDkaF.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HSSvyQy.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LqotSXC.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UXajtsv.exe	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 2320	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4128 wrote to memory of 2320	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4128 wrote to memory of 1444	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4128 wrote to memory of 1444	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4128 wrote to memory of 1948	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4128 wrote to memory of 1948	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4128 wrote to memory of 4464	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4128 wrote to memory of 4464	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4128 wrote to memory of 1212	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4128 wrote to memory of 1212	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4128 wrote to memory of 2652	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4128 wrote to memory of 2652	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4128 wrote to memory of 4452	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4128 wrote to memory of 4452	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4128 wrote to memory of 4272	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4128 wrote to memory of 4272	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4128 wrote to memory of 800	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4128 wrote to memory of 800	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4128 wrote to memory of 1660	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4128 wrote to memory of 1660	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4128 wrote to memory of 1804	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4128 wrote to memory of 1804	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4128 wrote to memory of 1640	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4128 wrote to memory of 1640	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4128 wrote to memory of 4056	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4128 wrote to memory of 4056	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4128 wrote to memory of 4284	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4128 wrote to memory of 4284	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4128 wrote to memory of 2188	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4128 wrote to memory of 2188	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4128 wrote to memory of 4804	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4128 wrote to memory of 4804	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4128 wrote to memory of 3352	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4128 wrote to memory of 3352	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4128 wrote to memory of 4552	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4128 wrote to memory of 4552	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4128 wrote to memory of 5036	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4128 wrote to memory of 5036	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4128 wrote to memory of 2840	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4128 wrote to memory of 2840	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4128 wrote to memory of 1600	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4128 wrote to memory of 1600	4128	2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_213b0425d1fbb0f6559c270061da9ff6_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\System\CYjDkaF.exe
  C:\Windows\System\CYjDkaF.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\lzpssXs.exe
  C:\Windows\System\lzpssXs.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\gRXfrUC.exe
  C:\Windows\System\gRXfrUC.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\LqotSXC.exe
  C:\Windows\System\LqotSXC.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\HSSvyQy.exe
  C:\Windows\System\HSSvyQy.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System\HhFmIsu.exe
  C:\Windows\System\HhFmIsu.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\gysDZMc.exe
  C:\Windows\System\gysDZMc.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\nAZdGSz.exe
  C:\Windows\System\nAZdGSz.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System\kDJIbrx.exe
  C:\Windows\System\kDJIbrx.exe
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\System\UXajtsv.exe
  C:\Windows\System\UXajtsv.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\TwMihJp.exe
  C:\Windows\System\TwMihJp.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\WzaFSeS.exe
  C:\Windows\System\WzaFSeS.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\TbBcpXg.exe
  C:\Windows\System\TbBcpXg.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\NhhwkUZ.exe
  C:\Windows\System\NhhwkUZ.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System\olhCtAu.exe
  C:\Windows\System\olhCtAu.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\wCPhYVo.exe
  C:\Windows\System\wCPhYVo.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\uvsuFnr.exe
  C:\Windows\System\uvsuFnr.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\zweMaek.exe
  C:\Windows\System\zweMaek.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\AFHPFnn.exe
  C:\Windows\System\AFHPFnn.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\qxVRXbK.exe
  C:\Windows\System\qxVRXbK.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\DpFZxmm.exe
  C:\Windows\System\DpFZxmm.exe
  2⤵
  - Executes dropped EXE
  PID:1600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AFHPFnn.exe

Filesize
5.2MB

MD5
a712b3e10e693f490789de2361d04bd6

SHA1
eb4c3f93c221b6b898810f5e5c9aca846c45b1d2

SHA256
efbee3fa49638c88003c6b430dcc0ed631832b32f567048e794b5fdb1230b27f

SHA512
905e2b8d02049cd37d09f350bc2163b0411c6c9f6d8c362343dba219d58f6414ee92e63941b9f7dc8dc51cdf725707299993636439bfef696a1f1b0c59071244

Download Submit
C:\Windows\System\CYjDkaF.exe

Filesize
5.2MB

MD5
8ffb582cc7bb1898710786fae2f4d20d

SHA1
60d3fa55e1a3cdae3784e000f664bce72cd33ace

SHA256
7907c3b2b70f719fe1cec15e5e996621516872bd8d0946ea67b06bcc9217b3a1

SHA512
75ef282bb11249c849a2006fe4fec4f6fa8af90fd6c255c50f050d3fd8e530fa7b9003969ef99f65a61917dd54bc5ea38c5df69536008ebe5c53ec90dd57886c

Download Submit
C:\Windows\System\DpFZxmm.exe

Filesize
5.2MB

MD5
2974bf446a278d48cef7507819dc2037

SHA1
78666c7945187e8a663f46e7191a9747091e5ed8

SHA256
4c629b3491417d4bf56654f3d09d083fa30d49f4f6bbecbe1700bffa2d72ad5a

SHA512
06369e52c44533ad5786c2234189c8dfdb4c45373e6a09123b4320102d6ae8c6f87da018464dce5705e9fc1aa3def3f03cae98e0266d9d7cd5ca7c5501315938

Download Submit
C:\Windows\System\HSSvyQy.exe

Filesize
5.2MB

MD5
0973221f796a797f97a22b4f02fd53da

SHA1
a118ceaa3a5ede629962ad07833a447759e3c3f2

SHA256
573e884695492f246b8f6438eeb2f06d938c6d51a7e2a4d3609dbb7f9bb277e3

SHA512
4c1f0b702980eeb81b64f1437a77151465acb15963c34d1c33d93b2ac780bb7f8cd6c6e9b9022c4c3f280244a084d116e9331564f3aafd52df4d20043cf4d6c8

Download Submit
C:\Windows\System\HhFmIsu.exe

Filesize
5.2MB

MD5
4f8047b6060876070e933bb8d0072031

SHA1
1274b87c67a59fce030cd4b5d7c97405e7644fbe

SHA256
2f455c3b3bef5d7146bbd8956a65096899bf30343c53fe662d8740533fedb526

SHA512
d4e48608f881ed9ce7dcff5e5e0f2e80a177ad200175e8e4b4929e8e05e3a210b1cb096421c81c9f59a212f49daa5b496db8693f97f9ccf2db06ab1cca2df47a

Download Submit
C:\Windows\System\LqotSXC.exe

Filesize
5.2MB

MD5
a2b997df935e534b43923558fda317ce

SHA1
7f0c72d9b82da4636d802a7583d9d0cba4aba22a

SHA256
23f996bfaf4482da7232e360f9a41bcd514387dbfccb3ed381ccec3618754540

SHA512
7fe0b7ac90a3cd04d31e40577551a5f6d97720883f46e831f3cab99740117cf0f9de4e292402ab4996a7dc1a0a7faf282d6761b54f76c1dcdcbebd37939b3e5f

Download Submit
C:\Windows\System\NhhwkUZ.exe

Filesize
5.2MB

MD5
375138cf037304b323a7180f9746a755

SHA1
ed568019ed251dea3947753a9b09f80a3807abd1

SHA256
ffa94e73d8f44165c3f513a636a1b5da971a3f2796a29356de6d52b10eb8cabf

SHA512
a1e8bef12c2e77e06e230e5700c1a49062c639bc260b30d1bff62a8d2ce042700ad26d8fe65480eb6d5ab86dd2edbe4cbdef701f27e94f0d51faf98256bd9e90

Download Submit
C:\Windows\System\TbBcpXg.exe

Filesize
5.2MB

MD5
a620ec61a28752b0f8fecf51a4eb3ce4

SHA1
dc51dd502961f12718e01995374c48c709554d88

SHA256
c3e7657800044af7569040d3c61b65825b2210ffd4e057492cef23747745a356

SHA512
d6f3dc30a64654066116c24798ac28fee4055010d7533609f327c7f64ddfac62db06a162e95e7df2765faecded4b0d010077b6a2043d4477deb4dba4df06e6ab

Download Submit
C:\Windows\System\TwMihJp.exe

Filesize
5.2MB

MD5
8cc7d0fade38917ed1165fcd0fafb75e

SHA1
13b3b7e6fa042db6ac0f50becaf9cc8e268e1fd5

SHA256
bd96d7217b3cfe038f4c60a0d2911119a951d128b78447ad5f46b335161db0b9

SHA512
25d1b092385179110b242317f220208daef2d8d1ec8ab2d3a8a20c16363cd4f3b3e73177e684141a40c3ba4e758ddfb7a4b0f2e49f1dde5541676ef6c3b8e909

Download Submit
C:\Windows\System\UXajtsv.exe

Filesize
5.2MB

MD5
55171d68bfad92d8e1f365203af42b6e

SHA1
2003568c5e50be7b385aefbaeba8f4d746d9da8f

SHA256
e366f08d61760c178f5b217f917ca71b4f43ba126fea42ef20c715beb5103f78

SHA512
f138840a64bb9a8c98383499d7503325a5dc10258299e8382cd74d0e43372a42ee2472a9a4f5850098a2437a03580c32047765749422d72ca997edc9f25739f9

Download Submit
C:\Windows\System\WzaFSeS.exe

Filesize
5.2MB

MD5
b3acfe126775a34256edd723245ba0b4

SHA1
c09eb2914234b3292fac25818320d91d6b1159c6

SHA256
3aa3f2d08181b847f3286a485d452a6d55122794b11db9578790cbfc41dfe1be

SHA512
6d2f509adad5d7930af76e3a15d05e76580fcf2c9a9b47b64b26026af625b9c9c04eddfce39c732c0b4c0e2861694a1642ebfa02b87de667b96d048100ed4e9e

Download Submit
C:\Windows\System\gRXfrUC.exe

Filesize
5.2MB

MD5
8451201bd9872b24c78ad241c16122e2

SHA1
850864bd39e512290ec49d43cdd650dd74e30132

SHA256
2a09e8f1d84507328024d9b5de1a2f96d3490725630a68ec8712fc3689b7edc5

SHA512
be7454112e4a3fa6196938a5edb8df07708a5ece3611394431368520f76906bbf03d13501751d2b18c1ceff9fe9c9ee4d7f65342e81d439bf73ea05d86227b0b

Download Submit
C:\Windows\System\gysDZMc.exe

Filesize
5.2MB

MD5
2fff1c66b3761f9545f48c9f6e65f8d5

SHA1
55bfb1173e03777ce793cb936892815bef307c3c

SHA256
aae684e07979007e21e02170b72889bb0bba3710676e7058eda5688a086c2fb2

SHA512
a21771d50cae77b67120ada1f7b9efa63d0109a386726f8655b99d12bb3cba7ad3905bc47b04c159ca237218e7ee41e84c101a7bbd60dfaee43a09fa74adb071

Download Submit
C:\Windows\System\kDJIbrx.exe

Filesize
5.2MB

MD5
d850be2588f805585655eec23f3b8699

SHA1
ad7274a789b2852f6b073e6e6714e6f8c87d41ab

SHA256
04a50f3a089736136246665638a1a408d299c9660dbf526b269f5fa14b1cf288

SHA512
cbd993b510421f360572af3388d9e0cd712a773a04d04847efc85ca1edc061dcb9333d80f67c69e8763cf6116a7e7f864fa43d7f35f35049825b07fe12c92ef3

Download Submit
C:\Windows\System\lzpssXs.exe

Filesize
5.2MB

MD5
06b175c9a59ec789a2b251ed179abd33

SHA1
9de4ffb9d6d5014726e43140d798d2f220d5403a

SHA256
ac74ff74e8cd132a62eefa14e2a478aa7836c869ed8efa85cbd9d4dc28d7cd1a

SHA512
2278b3f383532969a166e372f1905c3c0af42ab7a1a2fea7cbcb97ffc1124620d7e74bba260c7fdcaa65c5c97239a1d6236f0d5804b733fdf162c1bec7573b39

Download Submit
C:\Windows\System\nAZdGSz.exe

Filesize
5.2MB

MD5
20ec6cb753f67402d52ff2d34f52d7c9

SHA1
18da604399c6ece0ef3f320cf96724062b0e5a1b

SHA256
14272ec8b49d3ec10e7b8b74b76703b7c4c7fbb13eca72deb2a13aa6ef817abd

SHA512
05ff8865a90fd7f9024d9397e8830af84b810fe9b80165271936f096081970a0edaa1006dc33b1fb862013937f4eda1734793818ed05ce5e946e5b6d319540ef

Download Submit
C:\Windows\System\olhCtAu.exe

Filesize
5.2MB

MD5
eba0f990be13826b8fd798ff48b43143

SHA1
e551378179c1bdae96354b16e8370e4f79101dd6

SHA256
7c09e59e9ca419a6237696de816d2a4558461e6ecd10995d54ad577df1413f4c

SHA512
36bc7ac1443fd31d699c7ba6a8117901ca19f1850acd93ad090f25e851ba9f4708e84c4014d93aae033cea4a61091707b98168a67d8b63611e8515406eed0a47

Download Submit
C:\Windows\System\qxVRXbK.exe

Filesize
5.2MB

MD5
a678ad6da75e8015c136f6b9d3b614a1

SHA1
7e890ec9c7e6178dffbb201800064871f96f72da

SHA256
ab3d14fa5de078b6cf5c2283df6e688aa5cc5b090973f2edf4bb7c217c3c7ab2

SHA512
e6efb881e648f07690a534f3ee8ec1848f4547b9b6487cf1dcf032f8caadf4fd52bf65973e2ad558f0df6214aa0098a0bbe686f7d2b450135ce152f2b323ac79

Download Submit
C:\Windows\System\uvsuFnr.exe

Filesize
5.2MB

MD5
9e73745cb95f9afc7b30ae100df39fea

SHA1
268a1f1eac6efbea37ec9fabe7407e66e0d88ad7

SHA256
35f4d0c5972d53e0633d4614819297d4974a1a5414824fe5f1af8f5eb32c172e

SHA512
a46c88f2369a00e0e15aade4b68e3ec78a82aa99fa1b7280d3bf727a7cc39c48aac5ecbd2e1ac07225179036906a838b1ce7e57f171bfd6490c76deebe069d08

Download Submit
C:\Windows\System\wCPhYVo.exe

Filesize
5.2MB

MD5
7cf4a0b905e69c8c9b7701e34c69e3e7

SHA1
4b177eff42cc5d4c1f4df8008a57eee2d18b32d4

SHA256
47b6acf365fe1ade5e475f4770551d32546484e75543bf611e12c0335b34d328

SHA512
9cb23103db42977d7d9d017f9fec6101e41ecb18fbf9e2a027992a6399dc33ebeda903afac08fcd354165a603f6579dc689f69ed9eb5442b5f960aec5d8dd78b

Download Submit
C:\Windows\System\zweMaek.exe

Filesize
5.2MB

MD5
93fafd167e76ca4e06635226dc92184a

SHA1
5196f496be69e7baa30ba6db6ff7d72215c218d6

SHA256
4dd26e8b4a1154e6e9a17ac13b0cb416f547eb546b83635e9c085786efb60c31

SHA512
244daa9236dca4c967d2ff4a9f890ec8bed497db915f1bd643077d6d9a349c051ce603dbe3c07a1b12667bc81f89130b098608edc2d544c99c873c1e1ee86cdc

Download Submit
memory/800-241-0x00007FF6725C0000-0x00007FF672911000-memory.dmp

Filesize
3.3MB

Download
memory/800-54-0x00007FF6725C0000-0x00007FF672911000-memory.dmp

Filesize
3.3MB

Download
memory/800-117-0x00007FF6725C0000-0x00007FF672911000-memory.dmp

Filesize
3.3MB

Download
memory/1212-233-0x00007FF7F07C0000-0x00007FF7F0B11000-memory.dmp

Filesize
3.3MB

Download
memory/1212-29-0x00007FF7F07C0000-0x00007FF7F0B11000-memory.dmp

Filesize
3.3MB

Download
memory/1212-89-0x00007FF7F07C0000-0x00007FF7F0B11000-memory.dmp

Filesize
3.3MB

Download
memory/1444-13-0x00007FF68F850000-0x00007FF68FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/1444-68-0x00007FF68F850000-0x00007FF68FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/1444-223-0x00007FF68F850000-0x00007FF68FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/1600-168-0x00007FF6FC700000-0x00007FF6FCA51000-memory.dmp

Filesize
3.3MB

Download
memory/1600-136-0x00007FF6FC700000-0x00007FF6FCA51000-memory.dmp

Filesize
3.3MB

Download
memory/1600-277-0x00007FF6FC700000-0x00007FF6FCA51000-memory.dmp

Filesize
3.3MB

Download
memory/1640-140-0x00007FF75A4A0000-0x00007FF75A7F1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-76-0x00007FF75A4A0000-0x00007FF75A7F1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-256-0x00007FF75A4A0000-0x00007FF75A7F1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-252-0x00007FF7265A0000-0x00007FF7268F1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-62-0x00007FF7265A0000-0x00007FF7268F1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-132-0x00007FF7265A0000-0x00007FF7268F1000-memory.dmp

Filesize
3.3MB

Download
memory/1804-71-0x00007FF654150000-0x00007FF6544A1000-memory.dmp

Filesize
3.3MB

Download
memory/1804-137-0x00007FF654150000-0x00007FF6544A1000-memory.dmp

Filesize
3.3MB

Download
memory/1804-254-0x00007FF654150000-0x00007FF6544A1000-memory.dmp

Filesize
3.3MB

Download
memory/1948-75-0x00007FF7D2DD0000-0x00007FF7D3121000-memory.dmp

Filesize
3.3MB

Download
memory/1948-18-0x00007FF7D2DD0000-0x00007FF7D3121000-memory.dmp

Filesize
3.3MB

Download
memory/1948-231-0x00007FF7D2DD0000-0x00007FF7D3121000-memory.dmp

Filesize
3.3MB

Download
memory/2188-262-0x00007FF664AE0000-0x00007FF664E31000-memory.dmp

Filesize
3.3MB

Download
memory/2188-153-0x00007FF664AE0000-0x00007FF664E31000-memory.dmp

Filesize
3.3MB

Download
memory/2188-97-0x00007FF664AE0000-0x00007FF664E31000-memory.dmp

Filesize
3.3MB

Download
memory/2320-221-0x00007FF6B1980000-0x00007FF6B1CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2320-7-0x00007FF6B1980000-0x00007FF6B1CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2320-61-0x00007FF6B1980000-0x00007FF6B1CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2652-36-0x00007FF7CA200000-0x00007FF7CA551000-memory.dmp

Filesize
3.3MB

Download
memory/2652-96-0x00007FF7CA200000-0x00007FF7CA551000-memory.dmp

Filesize
3.3MB

Download
memory/2652-239-0x00007FF7CA200000-0x00007FF7CA551000-memory.dmp

Filesize
3.3MB

Download
memory/2840-167-0x00007FF68AE00000-0x00007FF68B151000-memory.dmp

Filesize
3.3MB

Download
memory/2840-275-0x00007FF68AE00000-0x00007FF68B151000-memory.dmp

Filesize
3.3MB

Download
memory/2840-133-0x00007FF68AE00000-0x00007FF68B151000-memory.dmp

Filesize
3.3MB

Download
memory/3352-269-0x00007FF6096C0000-0x00007FF609A11000-memory.dmp

Filesize
3.3MB

Download
memory/3352-155-0x00007FF6096C0000-0x00007FF609A11000-memory.dmp

Filesize
3.3MB

Download
memory/3352-112-0x00007FF6096C0000-0x00007FF609A11000-memory.dmp

Filesize
3.3MB

Download
memory/4056-141-0x00007FF660740000-0x00007FF660A91000-memory.dmp

Filesize
3.3MB

Download
memory/4056-83-0x00007FF660740000-0x00007FF660A91000-memory.dmp

Filesize
3.3MB

Download
memory/4056-260-0x00007FF660740000-0x00007FF660A91000-memory.dmp

Filesize
3.3MB

Download
memory/4128-142-0x00007FF7A2C20000-0x00007FF7A2F71000-memory.dmp

Filesize
3.3MB

Download
memory/4128-57-0x00007FF7A2C20000-0x00007FF7A2F71000-memory.dmp

Filesize
3.3MB

Download
memory/4128-1-0x00000257BEFA0000-0x00000257BEFB0000-memory.dmp

Filesize
64KB

Download
memory/4128-0-0x00007FF7A2C20000-0x00007FF7A2F71000-memory.dmp

Filesize
3.3MB

Download
memory/4128-170-0x00007FF7A2C20000-0x00007FF7A2F71000-memory.dmp

Filesize
3.3MB

Download
memory/4272-109-0x00007FF706E50000-0x00007FF7071A1000-memory.dmp

Filesize
3.3MB

Download
memory/4272-47-0x00007FF706E50000-0x00007FF7071A1000-memory.dmp

Filesize
3.3MB

Download
memory/4272-238-0x00007FF706E50000-0x00007FF7071A1000-memory.dmp

Filesize
3.3MB

Download
memory/4284-258-0x00007FF7912D0000-0x00007FF791621000-memory.dmp

Filesize
3.3MB

Download
memory/4284-90-0x00007FF7912D0000-0x00007FF791621000-memory.dmp

Filesize
3.3MB

Download
memory/4284-145-0x00007FF7912D0000-0x00007FF791621000-memory.dmp

Filesize
3.3MB

Download
memory/4452-105-0x00007FF648D90000-0x00007FF6490E1000-memory.dmp

Filesize
3.3MB

Download
memory/4452-236-0x00007FF648D90000-0x00007FF6490E1000-memory.dmp

Filesize
3.3MB

Download
memory/4452-41-0x00007FF648D90000-0x00007FF6490E1000-memory.dmp

Filesize
3.3MB

Download
memory/4464-23-0x00007FF702A70000-0x00007FF702DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4464-82-0x00007FF702A70000-0x00007FF702DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4464-227-0x00007FF702A70000-0x00007FF702DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4552-118-0x00007FF6D15F0000-0x00007FF6D1941000-memory.dmp

Filesize
3.3MB

Download
memory/4552-162-0x00007FF6D15F0000-0x00007FF6D1941000-memory.dmp

Filesize
3.3MB

Download
memory/4552-271-0x00007FF6D15F0000-0x00007FF6D1941000-memory.dmp

Filesize
3.3MB

Download
memory/4804-154-0x00007FF6AB740000-0x00007FF6ABA91000-memory.dmp

Filesize
3.3MB

Download
memory/4804-108-0x00007FF6AB740000-0x00007FF6ABA91000-memory.dmp

Filesize
3.3MB

Download
memory/4804-267-0x00007FF6AB740000-0x00007FF6ABA91000-memory.dmp

Filesize
3.3MB

Download
memory/5036-169-0x00007FF717440000-0x00007FF717791000-memory.dmp

Filesize
3.3MB

Download
memory/5036-273-0x00007FF717440000-0x00007FF717791000-memory.dmp

Filesize
3.3MB

Download
memory/5036-126-0x00007FF717440000-0x00007FF717791000-memory.dmp

Filesize
3.3MB

Download