cobaltstrike | 35cdbb1337f35b208dd50aaa6ec7b409ea658ce2aeb7d21beb03b07ac0cd8d44

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0d51b9c6a2137d589c2d6399ac2ce542
SHA1

4a2598fb195b066f16d763fe93431bde9b256a8e
SHA256

35cdbb1337f35b208dd50aaa6ec7b409ea658ce2aeb7d21beb03b07ac0cd8d44
SHA512

5f17957ffcbbf2f92681b0ec13c6313aa6fd1675e1ee677ae0d14cf13e1b69ab134f478bf25957876afe3f8b547a8b0d34ad1e2ed7cc80516f4f78f507c4e406
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l1:RWWBibf56utgpPFotBER/mQ32lUp

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234e5-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e7-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e6-13.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234e3-24.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e9-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e8-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ea-42.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ed-51.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ec-52.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ee-60.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ef-72.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f0-74.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f1-83.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f4-106.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f6-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f5-113.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f2-104.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f3-101.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f7-125.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f8-129.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f9-137.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2488-62-0x00007FF67F080000-0x00007FF67F3D1000-memory.dmp	xmrig
behavioral2/memory/1252-98-0x00007FF7B0630000-0x00007FF7B0981000-memory.dmp	xmrig
behavioral2/memory/2324-109-0x00007FF75B550000-0x00007FF75B8A1000-memory.dmp	xmrig
behavioral2/memory/3820-108-0x00007FF712B30000-0x00007FF712E81000-memory.dmp	xmrig
behavioral2/memory/4416-95-0x00007FF75BF80000-0x00007FF75C2D1000-memory.dmp	xmrig
behavioral2/memory/5012-89-0x00007FF7B3B30000-0x00007FF7B3E81000-memory.dmp	xmrig
behavioral2/memory/556-81-0x00007FF64C7F0000-0x00007FF64CB41000-memory.dmp	xmrig
behavioral2/memory/1320-78-0x00007FF603E40000-0x00007FF604191000-memory.dmp	xmrig
behavioral2/memory/1392-70-0x00007FF686AC0000-0x00007FF686E11000-memory.dmp	xmrig
behavioral2/memory/3768-66-0x00007FF64A6E0000-0x00007FF64AA31000-memory.dmp	xmrig
behavioral2/memory/4548-120-0x00007FF657030000-0x00007FF657381000-memory.dmp	xmrig
behavioral2/memory/1664-135-0x00007FF7707B0000-0x00007FF770B01000-memory.dmp	xmrig
behavioral2/memory/2524-130-0x00007FF7B7620000-0x00007FF7B7971000-memory.dmp	xmrig
behavioral2/memory/652-141-0x00007FF66D300000-0x00007FF66D651000-memory.dmp	xmrig
behavioral2/memory/2488-140-0x00007FF67F080000-0x00007FF67F3D1000-memory.dmp	xmrig
behavioral2/memory/4720-142-0x00007FF70AD00000-0x00007FF70B051000-memory.dmp	xmrig
behavioral2/memory/3664-150-0x00007FF796450000-0x00007FF7967A1000-memory.dmp	xmrig
behavioral2/memory/2500-161-0x00007FF647070000-0x00007FF6473C1000-memory.dmp	xmrig
behavioral2/memory/920-162-0x00007FF6C3140000-0x00007FF6C3491000-memory.dmp	xmrig
behavioral2/memory/4988-160-0x00007FF7256A0000-0x00007FF7259F1000-memory.dmp	xmrig
behavioral2/memory/3696-163-0x00007FF6A6BB0000-0x00007FF6A6F01000-memory.dmp	xmrig
behavioral2/memory/764-164-0x00007FF7B20B0000-0x00007FF7B2401000-memory.dmp	xmrig
behavioral2/memory/1752-168-0x00007FF6751D0000-0x00007FF675521000-memory.dmp	xmrig
behavioral2/memory/2488-169-0x00007FF67F080000-0x00007FF67F3D1000-memory.dmp	xmrig
behavioral2/memory/1392-218-0x00007FF686AC0000-0x00007FF686E11000-memory.dmp	xmrig
behavioral2/memory/1320-220-0x00007FF603E40000-0x00007FF604191000-memory.dmp	xmrig
behavioral2/memory/5012-228-0x00007FF7B3B30000-0x00007FF7B3E81000-memory.dmp	xmrig
behavioral2/memory/4416-230-0x00007FF75BF80000-0x00007FF75C2D1000-memory.dmp	xmrig
behavioral2/memory/556-226-0x00007FF64C7F0000-0x00007FF64CB41000-memory.dmp	xmrig
behavioral2/memory/1252-232-0x00007FF7B0630000-0x00007FF7B0981000-memory.dmp	xmrig
behavioral2/memory/3820-238-0x00007FF712B30000-0x00007FF712E81000-memory.dmp	xmrig
behavioral2/memory/2324-240-0x00007FF75B550000-0x00007FF75B8A1000-memory.dmp	xmrig
behavioral2/memory/4548-242-0x00007FF657030000-0x00007FF657381000-memory.dmp	xmrig
behavioral2/memory/3768-251-0x00007FF64A6E0000-0x00007FF64AA31000-memory.dmp	xmrig
behavioral2/memory/2524-255-0x00007FF7B7620000-0x00007FF7B7971000-memory.dmp	xmrig
behavioral2/memory/1664-253-0x00007FF7707B0000-0x00007FF770B01000-memory.dmp	xmrig
behavioral2/memory/652-257-0x00007FF66D300000-0x00007FF66D651000-memory.dmp	xmrig
behavioral2/memory/3664-263-0x00007FF796450000-0x00007FF7967A1000-memory.dmp	xmrig
behavioral2/memory/920-261-0x00007FF6C3140000-0x00007FF6C3491000-memory.dmp	xmrig
behavioral2/memory/2500-265-0x00007FF647070000-0x00007FF6473C1000-memory.dmp	xmrig
behavioral2/memory/4988-267-0x00007FF7256A0000-0x00007FF7259F1000-memory.dmp	xmrig
behavioral2/memory/4720-259-0x00007FF70AD00000-0x00007FF70B051000-memory.dmp	xmrig
behavioral2/memory/3696-272-0x00007FF6A6BB0000-0x00007FF6A6F01000-memory.dmp	xmrig
behavioral2/memory/764-276-0x00007FF7B20B0000-0x00007FF7B2401000-memory.dmp	xmrig
behavioral2/memory/1752-274-0x00007FF6751D0000-0x00007FF675521000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1392	qlRlDKG.exe
1320	aTqmMMj.exe
556	RrOFixg.exe
5012	wyadGbQ.exe
4416	CfPgpzK.exe
1252	eLXlNEV.exe
3820	rHlXbAT.exe
2324	kUbBPHR.exe
4548	oOyCgTk.exe
3768	jcEvpum.exe
2524	YPSwrxk.exe
1664	oiwRxJj.exe
652	UGdjDVM.exe
4720	gaVzeKP.exe
3664	wnrDopv.exe
920	uSHlGoU.exe
4988	kqARSnM.exe
2500	dKbFHCJ.exe
3696	ZhucWnW.exe
764	dFrNibE.exe
1752	PpWBmME.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2488-0-0x00007FF67F080000-0x00007FF67F3D1000-memory.dmp	upx
behavioral2/files/0x00080000000234e5-5.dat	upx
behavioral2/files/0x00070000000234e7-10.dat	upx
behavioral2/memory/1320-12-0x00007FF603E40000-0x00007FF604191000-memory.dmp	upx
behavioral2/files/0x00070000000234e6-13.dat	upx
behavioral2/memory/1392-7-0x00007FF686AC0000-0x00007FF686E11000-memory.dmp	upx
behavioral2/memory/556-19-0x00007FF64C7F0000-0x00007FF64CB41000-memory.dmp	upx
behavioral2/files/0x00080000000234e3-24.dat	upx
behavioral2/memory/5012-26-0x00007FF7B3B30000-0x00007FF7B3E81000-memory.dmp	upx
behavioral2/memory/4416-32-0x00007FF75BF80000-0x00007FF75C2D1000-memory.dmp	upx
behavioral2/files/0x00070000000234e9-35.dat	upx
behavioral2/memory/1252-36-0x00007FF7B0630000-0x00007FF7B0981000-memory.dmp	upx
behavioral2/files/0x00070000000234e8-29.dat	upx
behavioral2/files/0x00070000000234ea-42.dat	upx
behavioral2/files/0x00070000000234ed-51.dat	upx
behavioral2/memory/4548-54-0x00007FF657030000-0x00007FF657381000-memory.dmp	upx
behavioral2/files/0x00070000000234ec-52.dat	upx
behavioral2/memory/2324-49-0x00007FF75B550000-0x00007FF75B8A1000-memory.dmp	upx
behavioral2/memory/3820-43-0x00007FF712B30000-0x00007FF712E81000-memory.dmp	upx
behavioral2/files/0x00070000000234ee-60.dat	upx
behavioral2/memory/2488-62-0x00007FF67F080000-0x00007FF67F3D1000-memory.dmp	upx
behavioral2/files/0x00070000000234ef-72.dat	upx
behavioral2/files/0x00070000000234f0-74.dat	upx
behavioral2/files/0x00070000000234f1-83.dat	upx
behavioral2/memory/4720-94-0x00007FF70AD00000-0x00007FF70B051000-memory.dmp	upx
behavioral2/memory/1252-98-0x00007FF7B0630000-0x00007FF7B0981000-memory.dmp	upx
behavioral2/files/0x00070000000234f4-106.dat	upx
behavioral2/files/0x00070000000234f6-114.dat	upx
behavioral2/memory/2500-115-0x00007FF647070000-0x00007FF6473C1000-memory.dmp	upx
behavioral2/files/0x00070000000234f5-113.dat	upx
behavioral2/memory/4988-111-0x00007FF7256A0000-0x00007FF7259F1000-memory.dmp	upx
behavioral2/memory/2324-109-0x00007FF75B550000-0x00007FF75B8A1000-memory.dmp	upx
behavioral2/memory/3820-108-0x00007FF712B30000-0x00007FF712E81000-memory.dmp	upx
behavioral2/files/0x00070000000234f2-104.dat	upx
behavioral2/memory/920-102-0x00007FF6C3140000-0x00007FF6C3491000-memory.dmp	upx
behavioral2/files/0x00070000000234f3-101.dat	upx
behavioral2/memory/3664-97-0x00007FF796450000-0x00007FF7967A1000-memory.dmp	upx
behavioral2/memory/4416-95-0x00007FF75BF80000-0x00007FF75C2D1000-memory.dmp	upx
behavioral2/memory/5012-89-0x00007FF7B3B30000-0x00007FF7B3E81000-memory.dmp	upx
behavioral2/memory/652-82-0x00007FF66D300000-0x00007FF66D651000-memory.dmp	upx
behavioral2/memory/556-81-0x00007FF64C7F0000-0x00007FF64CB41000-memory.dmp	upx
behavioral2/memory/1320-78-0x00007FF603E40000-0x00007FF604191000-memory.dmp	upx
behavioral2/memory/1664-73-0x00007FF7707B0000-0x00007FF770B01000-memory.dmp	upx
behavioral2/memory/2524-71-0x00007FF7B7620000-0x00007FF7B7971000-memory.dmp	upx
behavioral2/memory/1392-70-0x00007FF686AC0000-0x00007FF686E11000-memory.dmp	upx
behavioral2/memory/3768-66-0x00007FF64A6E0000-0x00007FF64AA31000-memory.dmp	upx
behavioral2/memory/4548-120-0x00007FF657030000-0x00007FF657381000-memory.dmp	upx
behavioral2/memory/3696-124-0x00007FF6A6BB0000-0x00007FF6A6F01000-memory.dmp	upx
behavioral2/files/0x00070000000234f7-125.dat	upx
behavioral2/files/0x00070000000234f8-129.dat	upx
behavioral2/memory/1664-135-0x00007FF7707B0000-0x00007FF770B01000-memory.dmp	upx
behavioral2/files/0x00070000000234f9-137.dat	upx
behavioral2/memory/1752-136-0x00007FF6751D0000-0x00007FF675521000-memory.dmp	upx
behavioral2/memory/764-131-0x00007FF7B20B0000-0x00007FF7B2401000-memory.dmp	upx
behavioral2/memory/2524-130-0x00007FF7B7620000-0x00007FF7B7971000-memory.dmp	upx
behavioral2/memory/652-141-0x00007FF66D300000-0x00007FF66D651000-memory.dmp	upx
behavioral2/memory/2488-140-0x00007FF67F080000-0x00007FF67F3D1000-memory.dmp	upx
behavioral2/memory/4720-142-0x00007FF70AD00000-0x00007FF70B051000-memory.dmp	upx
behavioral2/memory/3664-150-0x00007FF796450000-0x00007FF7967A1000-memory.dmp	upx
behavioral2/memory/2500-161-0x00007FF647070000-0x00007FF6473C1000-memory.dmp	upx
behavioral2/memory/920-162-0x00007FF6C3140000-0x00007FF6C3491000-memory.dmp	upx
behavioral2/memory/4988-160-0x00007FF7256A0000-0x00007FF7259F1000-memory.dmp	upx
behavioral2/memory/3696-163-0x00007FF6A6BB0000-0x00007FF6A6F01000-memory.dmp	upx
behavioral2/memory/764-164-0x00007FF7B20B0000-0x00007FF7B2401000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\oOyCgTk.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UGdjDVM.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PpWBmME.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kUbBPHR.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YPSwrxk.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oiwRxJj.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gaVzeKP.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wnrDopv.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uSHlGoU.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dKbFHCJ.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dFrNibE.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aTqmMMj.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wyadGbQ.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rHlXbAT.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jcEvpum.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kqARSnM.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZhucWnW.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qlRlDKG.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RrOFixg.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CfPgpzK.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eLXlNEV.exe	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 1392	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2488 wrote to memory of 1392	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2488 wrote to memory of 1320	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2488 wrote to memory of 1320	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2488 wrote to memory of 556	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2488 wrote to memory of 556	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2488 wrote to memory of 5012	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2488 wrote to memory of 5012	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2488 wrote to memory of 4416	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2488 wrote to memory of 4416	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2488 wrote to memory of 1252	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2488 wrote to memory of 1252	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2488 wrote to memory of 3820	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2488 wrote to memory of 3820	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2488 wrote to memory of 2324	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2488 wrote to memory of 2324	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2488 wrote to memory of 4548	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2488 wrote to memory of 4548	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2488 wrote to memory of 3768	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2488 wrote to memory of 3768	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2488 wrote to memory of 2524	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2488 wrote to memory of 2524	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2488 wrote to memory of 1664	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2488 wrote to memory of 1664	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2488 wrote to memory of 652	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2488 wrote to memory of 652	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2488 wrote to memory of 4720	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2488 wrote to memory of 4720	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2488 wrote to memory of 3664	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2488 wrote to memory of 3664	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2488 wrote to memory of 920	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2488 wrote to memory of 920	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2488 wrote to memory of 4988	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2488 wrote to memory of 4988	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2488 wrote to memory of 2500	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2488 wrote to memory of 2500	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2488 wrote to memory of 3696	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2488 wrote to memory of 3696	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2488 wrote to memory of 764	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2488 wrote to memory of 764	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2488 wrote to memory of 1752	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2488 wrote to memory of 1752	2488	2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_0d51b9c6a2137d589c2d6399ac2ce542_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\System\qlRlDKG.exe
  C:\Windows\System\qlRlDKG.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\aTqmMMj.exe
  C:\Windows\System\aTqmMMj.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System\RrOFixg.exe
  C:\Windows\System\RrOFixg.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\wyadGbQ.exe
  C:\Windows\System\wyadGbQ.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\CfPgpzK.exe
  C:\Windows\System\CfPgpzK.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\eLXlNEV.exe
  C:\Windows\System\eLXlNEV.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\rHlXbAT.exe
  C:\Windows\System\rHlXbAT.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System\kUbBPHR.exe
  C:\Windows\System\kUbBPHR.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\oOyCgTk.exe
  C:\Windows\System\oOyCgTk.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System\jcEvpum.exe
  C:\Windows\System\jcEvpum.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System\YPSwrxk.exe
  C:\Windows\System\YPSwrxk.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\oiwRxJj.exe
  C:\Windows\System\oiwRxJj.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\UGdjDVM.exe
  C:\Windows\System\UGdjDVM.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\System\gaVzeKP.exe
  C:\Windows\System\gaVzeKP.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\wnrDopv.exe
  C:\Windows\System\wnrDopv.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\uSHlGoU.exe
  C:\Windows\System\uSHlGoU.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System\kqARSnM.exe
  C:\Windows\System\kqARSnM.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\dKbFHCJ.exe
  C:\Windows\System\dKbFHCJ.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\ZhucWnW.exe
  C:\Windows\System\ZhucWnW.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\dFrNibE.exe
  C:\Windows\System\dFrNibE.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\PpWBmME.exe
  C:\Windows\System\PpWBmME.exe
  2⤵
  - Executes dropped EXE
  PID:1752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CfPgpzK.exe

Filesize
5.2MB

MD5
2c3bd66a8d2ad6d25d45af5128051898

SHA1
b0c5e85cc80e6e2e60aeabf141ff7a4062cb9584

SHA256
33f7dbdccaf183099af87c00aca1a763bbf651c7b4e642f44752b1255b0d9029

SHA512
601565d19a3b2ddbccc159c1be291b3ce94cf10dcbb47156a13f0adfa090de559c47c9fa359870eadb0f88ffeacb173794f4c96a3405b6aac2ad8cf608d01b7a

Download Submit
C:\Windows\System\PpWBmME.exe

Filesize
5.2MB

MD5
0ff0a30b2e6c34122eef4a81fd7c3161

SHA1
00ce992f4d2d735b56bf1b1e6d51222723767be3

SHA256
33afa5657073c3f3ed23388f7cb51aa79367b5c158510cb630c7f3aaaabb1381

SHA512
7a8b8a5049014258a0e004caa01750096d54ecf07363231fbfdfde1e879bd00716f8f4ed03c7705c7dfede461ecb25b760e343ef1817759f3cc6f20e86d82643

Download Submit
C:\Windows\System\RrOFixg.exe

Filesize
5.2MB

MD5
91bb5487a91db4aa4877f838f8250eff

SHA1
234ecf428b9ae5ed3b4f8e4ca0bd5f3deae7c0bb

SHA256
d7c3f9f397413376180228c8bc5faa4e129ebf293a1e746759c314d195e00864

SHA512
09996335e829bd1fe6f54fedf8f0079b885758df024bf14020f26b31333f1ca1b0e7cd9ff349b875edbef60b9db4d05c3b2c96e2093a4da27e238109e28622ee

Download Submit
C:\Windows\System\UGdjDVM.exe

Filesize
5.2MB

MD5
ee5dc464455cd2f76612d4c230a2c6f8

SHA1
f128f0f6d0159175a563283360277aae8bcac543

SHA256
8dd8e6dab36973cc582d38fc59ab51a7f85182937f465af6671abdacebc438d9

SHA512
9f4ef487e0656a7d3c3fb4dbcc6db55eba18910024f31785850f57d4871998b5868b992a6d3693b15916f8318ae5dbac328703961f1648fa89f57fd324c0d233

Download Submit
C:\Windows\System\YPSwrxk.exe

Filesize
5.2MB

MD5
c0afa657df64cd4116e9c6e35c48dbc0

SHA1
b644645be7797938fbea403863198e6632c50134

SHA256
127472839d650a6f688c2ceb41cec26fa1525836f2347a4a8e0f0dbd9f10eeb3

SHA512
3ed657d400ff2b4bd03d74736433ec930667b219bba2fd1cfc3ae36ae4c34c31a832172eedba50bf7cd36f459dc84676852830c25bf898fb3c17d9b1e7dce927

Download Submit
C:\Windows\System\ZhucWnW.exe

Filesize
5.2MB

MD5
8b2fd05237918a82701fdf6d4ead8f94

SHA1
2f31e2800fe3d8f330eb294c1b7488973b7b74e2

SHA256
f4dec959d2d347335e2043dbc8921d94aeaf3bfc58a4d385bf317c9f514990b6

SHA512
773e5d1452f58a07f0d9df53724ea12fa6e53942becc6c4b385f744302537395b6c46afff283d5e16df50bc1cf29e03ae2aaa6d45213ac9f101db7126a775f96

Download Submit
C:\Windows\System\aTqmMMj.exe

Filesize
5.2MB

MD5
2bf2dd418af55f793a6ee6fd43000690

SHA1
a5531beaa1425e8364cef115a4311eb2d9c96b35

SHA256
a2cd0dcfa36ee6e092932d50d4cd2c66ce3ab641e552b3bed1c533e41740f79d

SHA512
51779cf1af37d67aa5d0e649c474df434383f07ae6c1ef4ace0ae0775ce814ad09407d862a3dc57cc3bc330f88fa194181ce3e8015c4ef9b87e69b931b4ae7f8

Download Submit
C:\Windows\System\dFrNibE.exe

Filesize
5.2MB

MD5
94a339b205e5031bdb38fd943cf9d463

SHA1
ea1565c6faf39074f69f87d74548e6121557b491

SHA256
e73e115739f6708ee948829d0ee5caaa1197f716a0be23d0fd76e5ec3ec8d48f

SHA512
78911e04870541e93cefd3a8083fb60f120c9944f36ff81da9f61a70dfda078f74b1e4561b8102c0d5937206c5bf2014c55f6eeb014829108ad83952d371de50

Download Submit
C:\Windows\System\dKbFHCJ.exe

Filesize
5.2MB

MD5
a87193d71f988458f64715499c41b618

SHA1
c5f5d6ba6979807d3ad7ebf3476058aa508eb701

SHA256
479eca743154f63adcfbc793161648bf6f739dbf39367457af43bf725d66824c

SHA512
c49b6684144ebe3ae0248a3eb19261006d7e2bb4094926ef2697d41a65c8d56699da6c438918f30be59aae5557cc45bd58c68c91d0016c3a685c648d1bed0e85

Download Submit
C:\Windows\System\eLXlNEV.exe

Filesize
5.2MB

MD5
7dc74cd3284e5d628358c898900767af

SHA1
08faaac0caf425fc6752849838de3526ea5dbf3b

SHA256
12af1c2bdfbb401a8e8492e99a6bd759db1a05ce3d0edf82078f2a374c5f09cf

SHA512
a901fbf1b6739a71885072de40143dbf76c22692e223e99983c2e50f5c09605107e173c41611058920296ae1dad0dc32e5f40c5352ed4753ba72fc6ad61748d2

Download Submit
C:\Windows\System\gaVzeKP.exe

Filesize
5.2MB

MD5
7a57762a75cf5317299959cc9ab57f18

SHA1
a754161a31e26295816978efdfedf15969bab0ff

SHA256
8f9115908a59e3a36e7532f19495de7c4fff7e796b8e12bbe8936599bbe58634

SHA512
ccd1ea1b11926a02493a916d9912b598e38cee066fb620ee318d3d8db8a6bc9061306f55bb78327206eb837a00fe0e8acf922d49cdd71724731f59d7edfa4437

Download Submit
C:\Windows\System\jcEvpum.exe

Filesize
5.2MB

MD5
1953fdcad5b85e4661d4bc69636424fc

SHA1
30b09938191cb72c2115a10abdc72cd663441d87

SHA256
f3ded6864ffbada011bd31ce85df6079fc136ba8b4d96b394dd1a9ff03696beb

SHA512
68766bf3a16ab6a2748e583d6080cf285d174e8ca7006d82c3c6d8e0dd8cf9d37ab81d60a7c90de240ee0bbe287b79f55c05ab88cba7bd99cfe67f56f6b99dfa

Download Submit
C:\Windows\System\kUbBPHR.exe

Filesize
5.2MB

MD5
0c25ed279dbfc063df0d54b38d294be1

SHA1
617fb0c09171308438a04daeabfb925517964822

SHA256
da65c823fae2efe7eb0d36fd87b504bb278b2bc2985253c02d755514badbb895

SHA512
25d2f5df0dab458ecdbc7ceeb14b7ebc4e679a9d1485e4c2ee4244ab7506977b88e14abdc3b35f23920333257d31d89f5321a71bca72ee2f23d07eed976ceff0

Download Submit
C:\Windows\System\kqARSnM.exe

Filesize
5.2MB

MD5
498312fc0acf4f503f0a0335c3d4fcfc

SHA1
48834b8ca9c5b62736098610021fa20106e9d454

SHA256
0c183c24f499adf17f62c806e38980b0203db958b95d39c69ce9b095e00c866e

SHA512
2f34550c555bb218327cf348d18aabe9f88153aea223ec81b22aea79f15895823f7edd332face54dd6a1e3cb251d04e544e58fd6fde80399dd88269c7b6896d8

Download Submit
C:\Windows\System\oOyCgTk.exe

Filesize
5.2MB

MD5
4fe3c586b7466d8f1252eb2bed8c69f0

SHA1
1fa8cee9be6b65e51fadde21ab4f611aa7e51e28

SHA256
3dab08aab8246c7a3cab037a443a3e9ecae7b101aa95a5a11d83e121b75b26b6

SHA512
e0327920e3b5b84094c795c65d6f743c64a04ad66f19e02101d20e526b6718d5e0d3f17e2d24ccc045275e8ddf52c2e735795c4e87710de401759e69025124bd

Download Submit
C:\Windows\System\oiwRxJj.exe

Filesize
5.2MB

MD5
9dda3deed054a9e5c1c05b7b4b1384fd

SHA1
571b78a7e3bba5302b18a47aac65fd565ba7b3b0

SHA256
202611bded72e3e4aa18514615833972e9bf3d382e2117648f664914c8296ec1

SHA512
377f5c582eb30543e5e98d92bc355e1df915ae7d15eb41a7429c18bfca0aef72df9dea18d01eaf8a552513279b0d1e721d7cba7aa2ea838fc98b88f45e851f2a

Download Submit
C:\Windows\System\qlRlDKG.exe

Filesize
5.2MB

MD5
08cff78deb284f6781d3240ac031aecd

SHA1
b72049c1a9773fb4b19986d52414cd1ddfcbc243

SHA256
0d5eaf5cad0b67a1c4e429155ed8ad027e8d2b60261bb377089da25d183718dd

SHA512
37a0be17dc28614a628d44fcf14ba1e2f09459741d80b48356ee12aa8d6cdee672b2839607a176fdb6e0f1d05af5d582ddcb0da5c37e6ba2e6f00e0da8f514b1

Download Submit
C:\Windows\System\rHlXbAT.exe

Filesize
5.2MB

MD5
38d2e5297c999b0e038f97c5a96517df

SHA1
fd34027fb333d095fe866ff94370635e9c175c3c

SHA256
e35c2367213ff240f8ae79b57f66a245c817337b5e24c6ec6f4f5e3f9a21b96d

SHA512
61acba8d987f24cc766ed513113a3eb58712e5a9aef65cd88bb36b36a14a9aad2ff13e560b6253ce33d3ed063cb3c9e4b91014c63a54fac1e9345e98730a5488

Download Submit
C:\Windows\System\uSHlGoU.exe

Filesize
5.2MB

MD5
e7ff55207502669702f2e75540200567

SHA1
800106625835a020d98a186e62bfb5104672e82d

SHA256
8febd6027f4bbc3576672af0e4ca1479660b1980786106cf7e1733d6a6b07a03

SHA512
066d8b1c41cb0154a61902a2d984c600c52a6e88456ba0fc8580997ef6a74acec6bf4e546e33e88b03e5dc05241c2687da3b99f12ac17139d535d9cf936b802e

Download Submit
C:\Windows\System\wnrDopv.exe

Filesize
5.2MB

MD5
5c8b5fcde4dea941545405dda81417ad

SHA1
5ada8165afb2e7b596c7f398dda590fa1a018707

SHA256
6a8b201f474779bc1dfc27da77d7fa0afe7c6796ba2a5d1751778d4fb25caf11

SHA512
884dfd944ee65b6bc4a9f5a4a1f7d1e782af0031a1860e5a46895efd5dac90cb4ae214a687a4fb23a55c9c9b853163f28b67071ce8bec58072f4eb815a86afe6

Download Submit
C:\Windows\System\wyadGbQ.exe

Filesize
5.2MB

MD5
5873113c071d5f5fec1f5f1c749a4f66

SHA1
953933436132e03531356f230380bc1e48dc55ad

SHA256
7185510ad2ce7a745a23f8d676cea3458ffd385a649c335e991a4f90b24d7a60

SHA512
56e41a8fdc91f45db57c8eb581dcfe94a7554fdb66c10b439d22c088672ae1cad53f497a097422de5d3b594838bbdaa6f57d1bbb76d740715cece4b6c1ddd3ee

Download Submit
memory/556-226-0x00007FF64C7F0000-0x00007FF64CB41000-memory.dmp

Filesize
3.3MB

Download
memory/556-81-0x00007FF64C7F0000-0x00007FF64CB41000-memory.dmp

Filesize
3.3MB

Download
memory/556-19-0x00007FF64C7F0000-0x00007FF64CB41000-memory.dmp

Filesize
3.3MB

Download
memory/652-257-0x00007FF66D300000-0x00007FF66D651000-memory.dmp

Filesize
3.3MB

Download
memory/652-141-0x00007FF66D300000-0x00007FF66D651000-memory.dmp

Filesize
3.3MB

Download
memory/652-82-0x00007FF66D300000-0x00007FF66D651000-memory.dmp

Filesize
3.3MB

Download
memory/764-276-0x00007FF7B20B0000-0x00007FF7B2401000-memory.dmp

Filesize
3.3MB

Download
memory/764-164-0x00007FF7B20B0000-0x00007FF7B2401000-memory.dmp

Filesize
3.3MB

Download
memory/764-131-0x00007FF7B20B0000-0x00007FF7B2401000-memory.dmp

Filesize
3.3MB

Download
memory/920-102-0x00007FF6C3140000-0x00007FF6C3491000-memory.dmp

Filesize
3.3MB

Download
memory/920-162-0x00007FF6C3140000-0x00007FF6C3491000-memory.dmp

Filesize
3.3MB

Download
memory/920-261-0x00007FF6C3140000-0x00007FF6C3491000-memory.dmp

Filesize
3.3MB

Download
memory/1252-98-0x00007FF7B0630000-0x00007FF7B0981000-memory.dmp

Filesize
3.3MB

Download
memory/1252-36-0x00007FF7B0630000-0x00007FF7B0981000-memory.dmp

Filesize
3.3MB

Download
memory/1252-232-0x00007FF7B0630000-0x00007FF7B0981000-memory.dmp

Filesize
3.3MB

Download
memory/1320-78-0x00007FF603E40000-0x00007FF604191000-memory.dmp

Filesize
3.3MB

Download
memory/1320-12-0x00007FF603E40000-0x00007FF604191000-memory.dmp

Filesize
3.3MB

Download
memory/1320-220-0x00007FF603E40000-0x00007FF604191000-memory.dmp

Filesize
3.3MB

Download
memory/1392-7-0x00007FF686AC0000-0x00007FF686E11000-memory.dmp

Filesize
3.3MB

Download
memory/1392-218-0x00007FF686AC0000-0x00007FF686E11000-memory.dmp

Filesize
3.3MB

Download
memory/1392-70-0x00007FF686AC0000-0x00007FF686E11000-memory.dmp

Filesize
3.3MB

Download
memory/1664-73-0x00007FF7707B0000-0x00007FF770B01000-memory.dmp

Filesize
3.3MB

Download
memory/1664-135-0x00007FF7707B0000-0x00007FF770B01000-memory.dmp

Filesize
3.3MB

Download
memory/1664-253-0x00007FF7707B0000-0x00007FF770B01000-memory.dmp

Filesize
3.3MB

Download
memory/1752-274-0x00007FF6751D0000-0x00007FF675521000-memory.dmp

Filesize
3.3MB

Download
memory/1752-168-0x00007FF6751D0000-0x00007FF675521000-memory.dmp

Filesize
3.3MB

Download
memory/1752-136-0x00007FF6751D0000-0x00007FF675521000-memory.dmp

Filesize
3.3MB

Download
memory/2324-109-0x00007FF75B550000-0x00007FF75B8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2324-49-0x00007FF75B550000-0x00007FF75B8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2324-240-0x00007FF75B550000-0x00007FF75B8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-140-0x00007FF67F080000-0x00007FF67F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-1-0x000002C7B4430000-0x000002C7B4440000-memory.dmp

Filesize
64KB

Download
memory/2488-0-0x00007FF67F080000-0x00007FF67F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-62-0x00007FF67F080000-0x00007FF67F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-169-0x00007FF67F080000-0x00007FF67F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-161-0x00007FF647070000-0x00007FF6473C1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-115-0x00007FF647070000-0x00007FF6473C1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-265-0x00007FF647070000-0x00007FF6473C1000-memory.dmp

Filesize
3.3MB

Download
memory/2524-255-0x00007FF7B7620000-0x00007FF7B7971000-memory.dmp

Filesize
3.3MB

Download
memory/2524-71-0x00007FF7B7620000-0x00007FF7B7971000-memory.dmp

Filesize
3.3MB

Download
memory/2524-130-0x00007FF7B7620000-0x00007FF7B7971000-memory.dmp

Filesize
3.3MB

Download
memory/3664-150-0x00007FF796450000-0x00007FF7967A1000-memory.dmp

Filesize
3.3MB

Download
memory/3664-263-0x00007FF796450000-0x00007FF7967A1000-memory.dmp

Filesize
3.3MB

Download
memory/3664-97-0x00007FF796450000-0x00007FF7967A1000-memory.dmp

Filesize
3.3MB

Download
memory/3696-124-0x00007FF6A6BB0000-0x00007FF6A6F01000-memory.dmp

Filesize
3.3MB

Download
memory/3696-163-0x00007FF6A6BB0000-0x00007FF6A6F01000-memory.dmp

Filesize
3.3MB

Download
memory/3696-272-0x00007FF6A6BB0000-0x00007FF6A6F01000-memory.dmp

Filesize
3.3MB

Download
memory/3768-251-0x00007FF64A6E0000-0x00007FF64AA31000-memory.dmp

Filesize
3.3MB

Download
memory/3768-66-0x00007FF64A6E0000-0x00007FF64AA31000-memory.dmp

Filesize
3.3MB

Download
memory/3820-43-0x00007FF712B30000-0x00007FF712E81000-memory.dmp

Filesize
3.3MB

Download
memory/3820-238-0x00007FF712B30000-0x00007FF712E81000-memory.dmp

Filesize
3.3MB

Download
memory/3820-108-0x00007FF712B30000-0x00007FF712E81000-memory.dmp

Filesize
3.3MB

Download
memory/4416-32-0x00007FF75BF80000-0x00007FF75C2D1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-230-0x00007FF75BF80000-0x00007FF75C2D1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-95-0x00007FF75BF80000-0x00007FF75C2D1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-54-0x00007FF657030000-0x00007FF657381000-memory.dmp

Filesize
3.3MB

Download
memory/4548-242-0x00007FF657030000-0x00007FF657381000-memory.dmp

Filesize
3.3MB

Download
memory/4548-120-0x00007FF657030000-0x00007FF657381000-memory.dmp

Filesize
3.3MB

Download
memory/4720-94-0x00007FF70AD00000-0x00007FF70B051000-memory.dmp

Filesize
3.3MB

Download
memory/4720-142-0x00007FF70AD00000-0x00007FF70B051000-memory.dmp

Filesize
3.3MB

Download
memory/4720-259-0x00007FF70AD00000-0x00007FF70B051000-memory.dmp

Filesize
3.3MB

Download
memory/4988-160-0x00007FF7256A0000-0x00007FF7259F1000-memory.dmp

Filesize
3.3MB

Download
memory/4988-267-0x00007FF7256A0000-0x00007FF7259F1000-memory.dmp

Filesize
3.3MB

Download
memory/4988-111-0x00007FF7256A0000-0x00007FF7259F1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-26-0x00007FF7B3B30000-0x00007FF7B3E81000-memory.dmp

Filesize
3.3MB

Download
memory/5012-89-0x00007FF7B3B30000-0x00007FF7B3E81000-memory.dmp

Filesize
3.3MB

Download
memory/5012-228-0x00007FF7B3B30000-0x00007FF7B3E81000-memory.dmp

Filesize
3.3MB

Download