cobaltstrike | 78a9f6a986f8128360441ab0efedce232fda5855a17e114062d65d5daa62df7b

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

6f1fdf49960393610b5282359ed112b6
SHA1

e07528f88d859c54a7649e3f7e81dc0b8ba4ff82
SHA256

78a9f6a986f8128360441ab0efedce232fda5855a17e114062d65d5daa62df7b
SHA512

0abe4e0e3b0df2ef3ae871c396c6080df845daf5bca4ab42944561d3cd4862ae816d502a70bd8c9dedfe73678caa2a1dfa4e2af0b4e7758bdad46823d41a618e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l7:RWWBibf56utgpPFotBER/mQ32lUv

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000233bc-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c1-9.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c0-14.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c2-23.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233bd-28.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c3-37.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c5-43.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c6-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c7-52.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c8-67.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cb-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c9-76.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ca-81.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cc-88.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cd-100.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d0-113.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cf-112.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ce-104.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d1-122.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d2-128.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d3-133.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4276-84-0x00007FF6E90F0000-0x00007FF6E9441000-memory.dmp	xmrig
behavioral2/memory/3564-69-0x00007FF737930000-0x00007FF737C81000-memory.dmp	xmrig
behavioral2/memory/4624-74-0x00007FF785E90000-0x00007FF7861E1000-memory.dmp	xmrig
behavioral2/memory/2888-63-0x00007FF7685C0000-0x00007FF768911000-memory.dmp	xmrig
behavioral2/memory/2144-54-0x00007FF72D2E0000-0x00007FF72D631000-memory.dmp	xmrig
behavioral2/memory/1172-91-0x00007FF6968A0000-0x00007FF696BF1000-memory.dmp	xmrig
behavioral2/memory/4280-102-0x00007FF63A5A0000-0x00007FF63A8F1000-memory.dmp	xmrig
behavioral2/memory/1436-114-0x00007FF7B17A0000-0x00007FF7B1AF1000-memory.dmp	xmrig
behavioral2/memory/4904-95-0x00007FF7DF510000-0x00007FF7DF861000-memory.dmp	xmrig
behavioral2/memory/2408-129-0x00007FF79C400000-0x00007FF79C751000-memory.dmp	xmrig
behavioral2/memory/2908-127-0x00007FF7C4850000-0x00007FF7C4BA1000-memory.dmp	xmrig
behavioral2/memory/3884-124-0x00007FF75B790000-0x00007FF75BAE1000-memory.dmp	xmrig
behavioral2/memory/2144-137-0x00007FF72D2E0000-0x00007FF72D631000-memory.dmp	xmrig
behavioral2/memory/1660-136-0x00007FF687AD0000-0x00007FF687E21000-memory.dmp	xmrig
behavioral2/memory/3408-138-0x00007FF61DDC0000-0x00007FF61E111000-memory.dmp	xmrig
behavioral2/memory/4896-139-0x00007FF636B70000-0x00007FF636EC1000-memory.dmp	xmrig
behavioral2/memory/4720-141-0x00007FF79F040000-0x00007FF79F391000-memory.dmp	xmrig
behavioral2/memory/4416-145-0x00007FF7E3840000-0x00007FF7E3B91000-memory.dmp	xmrig
behavioral2/memory/872-149-0x00007FF6CE740000-0x00007FF6CEA91000-memory.dmp	xmrig
behavioral2/memory/3880-158-0x00007FF7A07F0000-0x00007FF7A0B41000-memory.dmp	xmrig
behavioral2/memory/4020-159-0x00007FF6B36C0000-0x00007FF6B3A11000-memory.dmp	xmrig
behavioral2/memory/5072-162-0x00007FF7C1520000-0x00007FF7C1871000-memory.dmp	xmrig
behavioral2/memory/1520-164-0x00007FF734350000-0x00007FF7346A1000-memory.dmp	xmrig
behavioral2/memory/1660-165-0x00007FF687AD0000-0x00007FF687E21000-memory.dmp	xmrig
behavioral2/memory/2144-167-0x00007FF72D2E0000-0x00007FF72D631000-memory.dmp	xmrig
behavioral2/memory/2888-217-0x00007FF7685C0000-0x00007FF768911000-memory.dmp	xmrig
behavioral2/memory/3564-219-0x00007FF737930000-0x00007FF737C81000-memory.dmp	xmrig
behavioral2/memory/4276-221-0x00007FF6E90F0000-0x00007FF6E9441000-memory.dmp	xmrig
behavioral2/memory/1172-226-0x00007FF6968A0000-0x00007FF696BF1000-memory.dmp	xmrig
behavioral2/memory/4904-228-0x00007FF7DF510000-0x00007FF7DF861000-memory.dmp	xmrig
behavioral2/memory/4280-230-0x00007FF63A5A0000-0x00007FF63A8F1000-memory.dmp	xmrig
behavioral2/memory/1436-238-0x00007FF7B17A0000-0x00007FF7B1AF1000-memory.dmp	xmrig
behavioral2/memory/3884-240-0x00007FF75B790000-0x00007FF75BAE1000-memory.dmp	xmrig
behavioral2/memory/2408-242-0x00007FF79C400000-0x00007FF79C751000-memory.dmp	xmrig
behavioral2/memory/4624-244-0x00007FF785E90000-0x00007FF7861E1000-memory.dmp	xmrig
behavioral2/memory/4416-248-0x00007FF7E3840000-0x00007FF7E3B91000-memory.dmp	xmrig
behavioral2/memory/4896-250-0x00007FF636B70000-0x00007FF636EC1000-memory.dmp	xmrig
behavioral2/memory/3408-254-0x00007FF61DDC0000-0x00007FF61E111000-memory.dmp	xmrig
behavioral2/memory/872-253-0x00007FF6CE740000-0x00007FF6CEA91000-memory.dmp	xmrig
behavioral2/memory/3880-260-0x00007FF7A07F0000-0x00007FF7A0B41000-memory.dmp	xmrig
behavioral2/memory/4020-262-0x00007FF6B36C0000-0x00007FF6B3A11000-memory.dmp	xmrig
behavioral2/memory/5072-264-0x00007FF7C1520000-0x00007FF7C1871000-memory.dmp	xmrig
behavioral2/memory/1520-266-0x00007FF734350000-0x00007FF7346A1000-memory.dmp	xmrig
behavioral2/memory/2908-270-0x00007FF7C4850000-0x00007FF7C4BA1000-memory.dmp	xmrig
behavioral2/memory/1660-272-0x00007FF687AD0000-0x00007FF687E21000-memory.dmp	xmrig
behavioral2/memory/4720-274-0x00007FF79F040000-0x00007FF79F391000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2888	ezGmlFR.exe
3564	ZMVSAbK.exe
4276	rBUuCOj.exe
1172	hOwYdgE.exe
4904	huVEEmd.exe
4280	rpslZNz.exe
1436	AGtBgUV.exe
3884	wXgcVHW.exe
2408	jjsMinI.exe
4624	oaNHSxi.exe
4416	aUXsLce.exe
4896	iMkPXxT.exe
3408	wFuhgnT.exe
872	CDCeXvd.exe
3880	uCqyyLX.exe
4020	bIYStQG.exe
1520	mxONuqD.exe
5072	UvFDdrp.exe
2908	ipIokZr.exe
1660	yOXiOdu.exe
4720	kCknteA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2144-0-0x00007FF72D2E0000-0x00007FF72D631000-memory.dmp	upx
behavioral2/files/0x00080000000233bc-4.dat	upx
behavioral2/files/0x00070000000233c1-9.dat	upx
behavioral2/files/0x00070000000233c0-14.dat	upx
behavioral2/memory/3564-16-0x00007FF737930000-0x00007FF737C81000-memory.dmp	upx
behavioral2/memory/4276-18-0x00007FF6E90F0000-0x00007FF6E9441000-memory.dmp	upx
behavioral2/memory/2888-7-0x00007FF7685C0000-0x00007FF768911000-memory.dmp	upx
behavioral2/files/0x00070000000233c2-23.dat	upx
behavioral2/files/0x00080000000233bd-28.dat	upx
behavioral2/memory/4904-29-0x00007FF7DF510000-0x00007FF7DF861000-memory.dmp	upx
behavioral2/memory/1172-25-0x00007FF6968A0000-0x00007FF696BF1000-memory.dmp	upx
behavioral2/memory/4280-36-0x00007FF63A5A0000-0x00007FF63A8F1000-memory.dmp	upx
behavioral2/files/0x00070000000233c3-37.dat	upx
behavioral2/files/0x00070000000233c5-43.dat	upx
behavioral2/memory/1436-42-0x00007FF7B17A0000-0x00007FF7B1AF1000-memory.dmp	upx
behavioral2/files/0x00070000000233c6-47.dat	upx
behavioral2/memory/3884-48-0x00007FF75B790000-0x00007FF75BAE1000-memory.dmp	upx
behavioral2/files/0x00070000000233c7-52.dat	upx
behavioral2/memory/2408-55-0x00007FF79C400000-0x00007FF79C751000-memory.dmp	upx
behavioral2/files/0x00070000000233c8-67.dat	upx
behavioral2/files/0x00070000000233cb-73.dat	upx
behavioral2/files/0x00070000000233c9-76.dat	upx
behavioral2/files/0x00070000000233ca-81.dat	upx
behavioral2/files/0x00070000000233cc-88.dat	upx
behavioral2/memory/872-87-0x00007FF6CE740000-0x00007FF6CEA91000-memory.dmp	upx
behavioral2/memory/4276-84-0x00007FF6E90F0000-0x00007FF6E9441000-memory.dmp	upx
behavioral2/memory/4896-83-0x00007FF636B70000-0x00007FF636EC1000-memory.dmp	upx
behavioral2/memory/4416-80-0x00007FF7E3840000-0x00007FF7E3B91000-memory.dmp	upx
behavioral2/memory/3408-75-0x00007FF61DDC0000-0x00007FF61E111000-memory.dmp	upx
behavioral2/memory/3564-69-0x00007FF737930000-0x00007FF737C81000-memory.dmp	upx
behavioral2/memory/4624-74-0x00007FF785E90000-0x00007FF7861E1000-memory.dmp	upx
behavioral2/memory/2888-63-0x00007FF7685C0000-0x00007FF768911000-memory.dmp	upx
behavioral2/memory/2144-54-0x00007FF72D2E0000-0x00007FF72D631000-memory.dmp	upx
behavioral2/memory/1172-91-0x00007FF6968A0000-0x00007FF696BF1000-memory.dmp	upx
behavioral2/memory/3880-96-0x00007FF7A07F0000-0x00007FF7A0B41000-memory.dmp	upx
behavioral2/files/0x00070000000233cd-100.dat	upx
behavioral2/memory/4280-102-0x00007FF63A5A0000-0x00007FF63A8F1000-memory.dmp	upx
behavioral2/files/0x00070000000233d0-113.dat	upx
behavioral2/memory/5072-115-0x00007FF7C1520000-0x00007FF7C1871000-memory.dmp	upx
behavioral2/memory/1436-114-0x00007FF7B17A0000-0x00007FF7B1AF1000-memory.dmp	upx
behavioral2/files/0x00070000000233cf-112.dat	upx
behavioral2/memory/1520-109-0x00007FF734350000-0x00007FF7346A1000-memory.dmp	upx
behavioral2/files/0x00070000000233ce-104.dat	upx
behavioral2/memory/4020-103-0x00007FF6B36C0000-0x00007FF6B3A11000-memory.dmp	upx
behavioral2/memory/4904-95-0x00007FF7DF510000-0x00007FF7DF861000-memory.dmp	upx
behavioral2/files/0x00070000000233d1-122.dat	upx
behavioral2/files/0x00070000000233d2-128.dat	upx
behavioral2/memory/2408-129-0x00007FF79C400000-0x00007FF79C751000-memory.dmp	upx
behavioral2/files/0x00070000000233d3-133.dat	upx
behavioral2/memory/2908-127-0x00007FF7C4850000-0x00007FF7C4BA1000-memory.dmp	upx
behavioral2/memory/3884-124-0x00007FF75B790000-0x00007FF75BAE1000-memory.dmp	upx
behavioral2/memory/2144-137-0x00007FF72D2E0000-0x00007FF72D631000-memory.dmp	upx
behavioral2/memory/1660-136-0x00007FF687AD0000-0x00007FF687E21000-memory.dmp	upx
behavioral2/memory/3408-138-0x00007FF61DDC0000-0x00007FF61E111000-memory.dmp	upx
behavioral2/memory/4896-139-0x00007FF636B70000-0x00007FF636EC1000-memory.dmp	upx
behavioral2/memory/4720-141-0x00007FF79F040000-0x00007FF79F391000-memory.dmp	upx
behavioral2/memory/4416-145-0x00007FF7E3840000-0x00007FF7E3B91000-memory.dmp	upx
behavioral2/memory/872-149-0x00007FF6CE740000-0x00007FF6CEA91000-memory.dmp	upx
behavioral2/memory/3880-158-0x00007FF7A07F0000-0x00007FF7A0B41000-memory.dmp	upx
behavioral2/memory/4020-159-0x00007FF6B36C0000-0x00007FF6B3A11000-memory.dmp	upx
behavioral2/memory/5072-162-0x00007FF7C1520000-0x00007FF7C1871000-memory.dmp	upx
behavioral2/memory/1520-164-0x00007FF734350000-0x00007FF7346A1000-memory.dmp	upx
behavioral2/memory/1660-165-0x00007FF687AD0000-0x00007FF687E21000-memory.dmp	upx
behavioral2/memory/2144-167-0x00007FF72D2E0000-0x00007FF72D631000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\bIYStQG.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZMVSAbK.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rBUuCOj.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jjsMinI.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oaNHSxi.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aUXsLce.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iMkPXxT.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uCqyyLX.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mxONuqD.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UvFDdrp.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ipIokZr.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ezGmlFR.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hOwYdgE.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CDCeXvd.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yOXiOdu.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AGtBgUV.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wXgcVHW.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kCknteA.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\huVEEmd.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rpslZNz.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wFuhgnT.exe	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2888	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2144 wrote to memory of 2888	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2144 wrote to memory of 3564	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2144 wrote to memory of 3564	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2144 wrote to memory of 4276	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2144 wrote to memory of 4276	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2144 wrote to memory of 1172	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2144 wrote to memory of 1172	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2144 wrote to memory of 4904	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2144 wrote to memory of 4904	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2144 wrote to memory of 4280	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2144 wrote to memory of 4280	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2144 wrote to memory of 1436	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2144 wrote to memory of 1436	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2144 wrote to memory of 3884	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2144 wrote to memory of 3884	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2144 wrote to memory of 2408	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2144 wrote to memory of 2408	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2144 wrote to memory of 4624	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2144 wrote to memory of 4624	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2144 wrote to memory of 4416	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2144 wrote to memory of 4416	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2144 wrote to memory of 4896	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2144 wrote to memory of 4896	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2144 wrote to memory of 3408	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2144 wrote to memory of 3408	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2144 wrote to memory of 872	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2144 wrote to memory of 872	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2144 wrote to memory of 3880	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2144 wrote to memory of 3880	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2144 wrote to memory of 4020	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2144 wrote to memory of 4020	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2144 wrote to memory of 1520	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2144 wrote to memory of 1520	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2144 wrote to memory of 5072	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2144 wrote to memory of 5072	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2144 wrote to memory of 2908	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2144 wrote to memory of 2908	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2144 wrote to memory of 1660	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2144 wrote to memory of 1660	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2144 wrote to memory of 4720	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2144 wrote to memory of 4720	2144	2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_6f1fdf49960393610b5282359ed112b6_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\System\ezGmlFR.exe
  C:\Windows\System\ezGmlFR.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\ZMVSAbK.exe
  C:\Windows\System\ZMVSAbK.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\rBUuCOj.exe
  C:\Windows\System\rBUuCOj.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\hOwYdgE.exe
  C:\Windows\System\hOwYdgE.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\huVEEmd.exe
  C:\Windows\System\huVEEmd.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\rpslZNz.exe
  C:\Windows\System\rpslZNz.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\AGtBgUV.exe
  C:\Windows\System\AGtBgUV.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\wXgcVHW.exe
  C:\Windows\System\wXgcVHW.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System\jjsMinI.exe
  C:\Windows\System\jjsMinI.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\oaNHSxi.exe
  C:\Windows\System\oaNHSxi.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\aUXsLce.exe
  C:\Windows\System\aUXsLce.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\iMkPXxT.exe
  C:\Windows\System\iMkPXxT.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\wFuhgnT.exe
  C:\Windows\System\wFuhgnT.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\CDCeXvd.exe
  C:\Windows\System\CDCeXvd.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\uCqyyLX.exe
  C:\Windows\System\uCqyyLX.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System\bIYStQG.exe
  C:\Windows\System\bIYStQG.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\mxONuqD.exe
  C:\Windows\System\mxONuqD.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\UvFDdrp.exe
  C:\Windows\System\UvFDdrp.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\ipIokZr.exe
  C:\Windows\System\ipIokZr.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System\yOXiOdu.exe
  C:\Windows\System\yOXiOdu.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\kCknteA.exe
  C:\Windows\System\kCknteA.exe
  2⤵
  - Executes dropped EXE
  PID:4720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AGtBgUV.exe

Filesize
5.2MB

MD5
589241115bd25826c9b529ea45077327

SHA1
55d76fcd70a76cc988d8cf28d34318e8d7d542ec

SHA256
d367226655f0b7d5a7a751be11d0af020430ece8406cd68254ad7883b7760885

SHA512
c2122151ea4d36a5c579bbf8d1ad1832d7ba3766b9f9ed1110dc971ab84ea5f0e9317b170f1c0ded35c78a37972afe14cac517546f4ebbf66ed715d1c01f716c

Download Submit
C:\Windows\System\CDCeXvd.exe

Filesize
5.2MB

MD5
b5ab953876bc7630866f5ee9e63c197b

SHA1
edbfb3d001abf8828a20fba1c344fbb634a49303

SHA256
8656cef7bd5486e80b8ef25dd197385bc992c90e5b6d8872b236002c1188fb35

SHA512
7f844d6e0ba85c01c4158453671fa365029de184bac0119dd42ba60e66c1c91f220cadb738b18579961b519b3ab2178ee29e29b639325ba5caa76fb7cfe4335f

Download Submit
C:\Windows\System\UvFDdrp.exe

Filesize
5.2MB

MD5
18ed5399a168d785a0666283b2308652

SHA1
f6f64eca0e190e88e31acf3050813e767a608d27

SHA256
cc2657ea3a8671ee13e8ea1f1808b7501bdd02945f2a3f33bc4765723ecb023a

SHA512
92bb745af5fe0881b60806fecc42e0f106a05731f48d0c367f637cb6a25dc9530dc44f2d2f5519fd6212cd3a8287fa81f0c6da06cdb105627fef73a43d605820

Download Submit
C:\Windows\System\ZMVSAbK.exe

Filesize
5.2MB

MD5
3a4d706933b4fc79c8372d8434d92113

SHA1
90c055c514386da78d87a88c91706333c451911c

SHA256
800e5eea7c0e593bcd9eda25b1fc1d57760b880f303d177861f3c7f8bd941173

SHA512
bddc98dfa10714fc32f33ec5262a5d9f2ddc7d65f305d4886ee1e26aa0af082847cf18a7a55b5dbe5aaa10a0b35ffebb119b588fc8daf93117d3cd34b39cfd2c

Download Submit
C:\Windows\System\aUXsLce.exe

Filesize
5.2MB

MD5
6645f19e9a0dc38d1aa08c025ebb38da

SHA1
7a9d3e4215d7f0900cdd1a3022a6cfa5cd877dfb

SHA256
712a3a21ad1bcc317613b439259c279d79ab50b757c09cd7bb1ecd24c769bcc7

SHA512
676dedee08d4cfd4bdb7e231fd54c17b9899e824d3f949ef9b5914885e71b49c27acb872d37fb0d45907e3b11f3398498c9b95c152f138cefa5fa49436431290

Download Submit
C:\Windows\System\bIYStQG.exe

Filesize
5.2MB

MD5
75132c66845dd56da4f470b5b6e4e2ba

SHA1
47b5c6353ec8d98be86a821b4e65f5f82a1adb5d

SHA256
726f7ab6cdcfcd807c2e4ee00a61a880bd25f04d7f3af54c770f47e3f76188bc

SHA512
0816dfdc976603a661ddf147597f0b0e3024df8f4a23ebbaf15e18cd62b239bc458304110543ff8d4eeda5654a12fca3b9ab1aee754631da6990a061176dec96

Download Submit
C:\Windows\System\ezGmlFR.exe

Filesize
5.2MB

MD5
79d02357ee79f29d82517c4f993bf638

SHA1
000e001fe5cd856e953348967068a653bdfa8d22

SHA256
a94c1a446a62d5058f71163816cd4566fe91ec30c66c020c4c7258aa9065b247

SHA512
d1076b71d8d25b2b1ba2b6d3500e3595cde12a5cf384b1cfc1542d328053024a8086a74fab8ed6aa16e32ece300c8f78eea466140a2049d6375cca6254d8b329

Download Submit
C:\Windows\System\hOwYdgE.exe

Filesize
5.2MB

MD5
a36a9f24232dcbcf9f09f99e92cae77c

SHA1
0d3be8c9498d320e88774ccf1b2aed3e81601e42

SHA256
32eb67c4f556ce739c2f8a5313f3b6776584ed9a4b5c15429eb3ccfbee498286

SHA512
79bb1c55a6289c8cc1276543e7feac2f92ff5c6802b3239fdbeae3465688b67e6b95c80c10c548fce4f06f312ca4beccb03c139ce222f1aa18006252296dd6d5

Download Submit
C:\Windows\System\huVEEmd.exe

Filesize
5.2MB

MD5
d9c18ed1021d5d5cce02f14606328dc2

SHA1
907e4e360b8313b2b8895e04dea0cc3c4b9eb9f8

SHA256
57cc0efce2c4709c6d8de691a0bb4ebc6886c457db263f43abccd529e5236e9b

SHA512
8bf372cd0106842270a0a36ec8a084eda5a372b5bbdf1fa138df5883bb22f160b9cc172a91019701ec23ad823462a8c267fce5f1c77d9d46e50676bba75b2c2f

Download Submit
C:\Windows\System\iMkPXxT.exe

Filesize
5.2MB

MD5
99d2a1baddb5f9c4db3bf730319df443

SHA1
5fe1df1e16748e293cda8859305786078f56ac72

SHA256
f91396378e30e1aaeb59e368567432b4915af306c7b7ef97d24d2f3f93d83623

SHA512
3a259ccaac9538f15f900a0749e2af4d2a89ede637217ba7a95df66b7362cc20718f3c7aac099efd4e1ddf491cafa5b7da56beedbf6347350c6ffc3a6845c6c5

Download Submit
C:\Windows\System\ipIokZr.exe

Filesize
5.2MB

MD5
7015a8d8b1e9a7caba0213248e1a9422

SHA1
dbc83df76fd57b20ae21fca23b9ccaa28a809fc1

SHA256
4e9da205e6e686875c36d066559aae2c1f00476692288dcf59831b2339544299

SHA512
c64d2709e9983fcdfef8cd9746c6c65f716af747453b798167fca50cf3a152093ea48679e84eac9a3edc8b3cd3f7b899f594c9df70a368a46924c7c7a280a618

Download Submit
C:\Windows\System\jjsMinI.exe

Filesize
5.2MB

MD5
897226bd449bf6f6ef751443dca776e2

SHA1
504c73c3db9c6302d05a14379070f40cac26275f

SHA256
cf5dea2d0d1725c58d39d37123aadc89b6eac67b7a5f991fb36f62310160d209

SHA512
063a547fbcacddeeaca1f4e0eff71b1556794856b8c898750f76ab3b54c6811d48758a628e49fc15e64788aaf7efe456457cec8d01da502cae2733bb2cd08d08

Download Submit
C:\Windows\System\kCknteA.exe

Filesize
5.2MB

MD5
a2af771a0465043132be1e0ec8e77c38

SHA1
8024c6ba6df22341d4a93563e597cba7db25325b

SHA256
85e1b829f2c796e585235c247d32d25e47d0594133eb7bb57562bef4e7170f77

SHA512
80f0446755cb4c8e082b9961843c3003717e2914165af0951bfb7b6d0b7636b3131f0e72ad2d19b3e4d419b57aa2725118b629dfeb0d5d3eed5e586cbfdbba1a

Download Submit
C:\Windows\System\mxONuqD.exe

Filesize
5.2MB

MD5
3919bebb5263a2e8346026998eb1dae0

SHA1
757d9fd8c515184f156385a7641708a3fb0490cc

SHA256
5d9863ab5f0b30a71a82c2067a6fd10743df5ed0e6eae2ce9838b4baf02ae226

SHA512
4c0c8d673f1731ecad4af7586ac04deed17dbced9a43a6ce4201b60f8b55bcb645a72cd9fd295af468c640e49a3ce3ccf5e8017add15b18b10177937320e48e8

Download Submit
C:\Windows\System\oaNHSxi.exe

Filesize
5.2MB

MD5
822a69435a5d9dba84efb527d1a5198e

SHA1
f7fdce3decf747d106057c7bb30844d170524533

SHA256
a2a0ba439ef168d14fce1c928cd21fe3ed832c5d646703dd9cd0393b587086f7

SHA512
738065acfd5782e1be66372b39deb7c0157ef8ef6eb1536a22f482eb7811377d442abc3a1dbc824cffa777fa925e4e25fb32d4985c589a108b86be9e5cec9357

Download Submit
C:\Windows\System\rBUuCOj.exe

Filesize
5.2MB

MD5
8bfc879136a5de35ab978da4ed9fbfff

SHA1
b1fa8418ab6416c9c464f4b911b27d7a7f667b9f

SHA256
9d805925e57a5e29184f511319a7430541982d6545bd7dc253ff8e8b0a3229b2

SHA512
c65d1e89a120856476df842c0d46d71e5788fc32def58e4d7923e1ff8e147ea1a60e069c4f66bb61481240c8dedc85a646b77c259e9a95bb3559cfbc4ab4c29e

Download Submit
C:\Windows\System\rpslZNz.exe

Filesize
5.2MB

MD5
2735ea230ca38fcad433e2a1ffc87e82

SHA1
bb627312dd0bf097a43c587542cdf9ff7affa55b

SHA256
e2f15172c1aeffa1751d4e13532daf4e21d9653e24668d48b6cf7519d99f98f7

SHA512
4592dd617afc62bd9bca13d0a97e2e19de2067ee4f0e30dd9f44f1676ef8200b3e1e1731e9bd9e7c0d3a7cdd0ff781be9425969fc29da14c481ed56db6fb7454

Download Submit
C:\Windows\System\uCqyyLX.exe

Filesize
5.2MB

MD5
44d26e4273693fff4529076929b339f6

SHA1
d8435bc185b3a95458776db88f65894e8ad995b8

SHA256
fea81c48a11bc690898fd44860c91f5085f9170ba8c27048c0f7f5badfc9cc40

SHA512
871a6b63f4b996851ebe5618839de261e65a772eb48987fb41a76e2f33ec14c0b60049e1377a4174d87cf91193a5bfd5f7f252ee31f71605c3eeb85580ab0a1d

Download Submit
C:\Windows\System\wFuhgnT.exe

Filesize
5.2MB

MD5
3171363b43e2635d143d5b04639e80d6

SHA1
ca6e78f6cad5a454f9cd10a423fb3860ec66dcb7

SHA256
98053fc301121c4debffbf36e930232930f7159cd8de7b1aa011d737f39d0dd5

SHA512
71861f17c2152034b9a141f3bd980d6d631a359a7dc7d3ca139a48edcafcd696195a7ca795736bb77be235059a14202b33895d5cf930b487f9a78a2a49388601

Download Submit
C:\Windows\System\wXgcVHW.exe

Filesize
5.2MB

MD5
ef68791fcb9ae5428b30881a4a9af54a

SHA1
21b1f3314f466aade2cd5f6445ec7b34a044f04e

SHA256
fb0a8919830bdd279161906b978bc3dd57dd7d44345cc78e727b81c4f2b3efc4

SHA512
d25ffc9f801ae3597469e52a92887051ff69925b0fbdfff908239408f02feb1ac52b49a66c3e159e8c346d70593a3b919fcae72f136b28a1e2664244d8f05b2d

Download Submit
C:\Windows\System\yOXiOdu.exe

Filesize
5.2MB

MD5
6727fea54586713d3b5bb77d655ed772

SHA1
5c4cc9d1d8871577c2da4fa509d8f15cd0f9a5b6

SHA256
6000c435a65ef4c6a6e16d79f2eec54901e7781d0568f9afb41a0ab516b272c1

SHA512
9070b97248a74d0ca16974af5c2e26c32ed63193749e235764b66a495db53d62f0a4f390ca16c878b2e3a4aae14e3a03b55427092a5815b07a0b10cd71be2e15

Download Submit
memory/872-253-0x00007FF6CE740000-0x00007FF6CEA91000-memory.dmp

Filesize
3.3MB

Download
memory/872-87-0x00007FF6CE740000-0x00007FF6CEA91000-memory.dmp

Filesize
3.3MB

Download
memory/872-149-0x00007FF6CE740000-0x00007FF6CEA91000-memory.dmp

Filesize
3.3MB

Download
memory/1172-25-0x00007FF6968A0000-0x00007FF696BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1172-226-0x00007FF6968A0000-0x00007FF696BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1172-91-0x00007FF6968A0000-0x00007FF696BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-114-0x00007FF7B17A0000-0x00007FF7B1AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-42-0x00007FF7B17A0000-0x00007FF7B1AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-238-0x00007FF7B17A0000-0x00007FF7B1AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-266-0x00007FF734350000-0x00007FF7346A1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-164-0x00007FF734350000-0x00007FF7346A1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-109-0x00007FF734350000-0x00007FF7346A1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-136-0x00007FF687AD0000-0x00007FF687E21000-memory.dmp

Filesize
3.3MB

Download
memory/1660-165-0x00007FF687AD0000-0x00007FF687E21000-memory.dmp

Filesize
3.3MB

Download
memory/1660-272-0x00007FF687AD0000-0x00007FF687E21000-memory.dmp

Filesize
3.3MB

Download
memory/2144-167-0x00007FF72D2E0000-0x00007FF72D631000-memory.dmp

Filesize
3.3MB

Download
memory/2144-0-0x00007FF72D2E0000-0x00007FF72D631000-memory.dmp

Filesize
3.3MB

Download
memory/2144-137-0x00007FF72D2E0000-0x00007FF72D631000-memory.dmp

Filesize
3.3MB

Download
memory/2144-1-0x000001DE1C040000-0x000001DE1C050000-memory.dmp

Filesize
64KB

Download
memory/2144-54-0x00007FF72D2E0000-0x00007FF72D631000-memory.dmp

Filesize
3.3MB

Download
memory/2408-55-0x00007FF79C400000-0x00007FF79C751000-memory.dmp

Filesize
3.3MB

Download
memory/2408-129-0x00007FF79C400000-0x00007FF79C751000-memory.dmp

Filesize
3.3MB

Download
memory/2408-242-0x00007FF79C400000-0x00007FF79C751000-memory.dmp

Filesize
3.3MB

Download
memory/2888-63-0x00007FF7685C0000-0x00007FF768911000-memory.dmp

Filesize
3.3MB

Download
memory/2888-7-0x00007FF7685C0000-0x00007FF768911000-memory.dmp

Filesize
3.3MB

Download
memory/2888-217-0x00007FF7685C0000-0x00007FF768911000-memory.dmp

Filesize
3.3MB

Download
memory/2908-127-0x00007FF7C4850000-0x00007FF7C4BA1000-memory.dmp

Filesize
3.3MB

Download
memory/2908-270-0x00007FF7C4850000-0x00007FF7C4BA1000-memory.dmp

Filesize
3.3MB

Download
memory/3408-138-0x00007FF61DDC0000-0x00007FF61E111000-memory.dmp

Filesize
3.3MB

Download
memory/3408-75-0x00007FF61DDC0000-0x00007FF61E111000-memory.dmp

Filesize
3.3MB

Download
memory/3408-254-0x00007FF61DDC0000-0x00007FF61E111000-memory.dmp

Filesize
3.3MB

Download
memory/3564-69-0x00007FF737930000-0x00007FF737C81000-memory.dmp

Filesize
3.3MB

Download
memory/3564-16-0x00007FF737930000-0x00007FF737C81000-memory.dmp

Filesize
3.3MB

Download
memory/3564-219-0x00007FF737930000-0x00007FF737C81000-memory.dmp

Filesize
3.3MB

Download
memory/3880-96-0x00007FF7A07F0000-0x00007FF7A0B41000-memory.dmp

Filesize
3.3MB

Download
memory/3880-260-0x00007FF7A07F0000-0x00007FF7A0B41000-memory.dmp

Filesize
3.3MB

Download
memory/3880-158-0x00007FF7A07F0000-0x00007FF7A0B41000-memory.dmp

Filesize
3.3MB

Download
memory/3884-124-0x00007FF75B790000-0x00007FF75BAE1000-memory.dmp

Filesize
3.3MB

Download
memory/3884-48-0x00007FF75B790000-0x00007FF75BAE1000-memory.dmp

Filesize
3.3MB

Download
memory/3884-240-0x00007FF75B790000-0x00007FF75BAE1000-memory.dmp

Filesize
3.3MB

Download
memory/4020-262-0x00007FF6B36C0000-0x00007FF6B3A11000-memory.dmp

Filesize
3.3MB

Download
memory/4020-159-0x00007FF6B36C0000-0x00007FF6B3A11000-memory.dmp

Filesize
3.3MB

Download
memory/4020-103-0x00007FF6B36C0000-0x00007FF6B3A11000-memory.dmp

Filesize
3.3MB

Download
memory/4276-18-0x00007FF6E90F0000-0x00007FF6E9441000-memory.dmp

Filesize
3.3MB

Download
memory/4276-221-0x00007FF6E90F0000-0x00007FF6E9441000-memory.dmp

Filesize
3.3MB

Download
memory/4276-84-0x00007FF6E90F0000-0x00007FF6E9441000-memory.dmp

Filesize
3.3MB

Download
memory/4280-36-0x00007FF63A5A0000-0x00007FF63A8F1000-memory.dmp

Filesize
3.3MB

Download
memory/4280-102-0x00007FF63A5A0000-0x00007FF63A8F1000-memory.dmp

Filesize
3.3MB

Download
memory/4280-230-0x00007FF63A5A0000-0x00007FF63A8F1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-248-0x00007FF7E3840000-0x00007FF7E3B91000-memory.dmp

Filesize
3.3MB

Download
memory/4416-80-0x00007FF7E3840000-0x00007FF7E3B91000-memory.dmp

Filesize
3.3MB

Download
memory/4416-145-0x00007FF7E3840000-0x00007FF7E3B91000-memory.dmp

Filesize
3.3MB

Download
memory/4624-244-0x00007FF785E90000-0x00007FF7861E1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-74-0x00007FF785E90000-0x00007FF7861E1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-141-0x00007FF79F040000-0x00007FF79F391000-memory.dmp

Filesize
3.3MB

Download
memory/4720-274-0x00007FF79F040000-0x00007FF79F391000-memory.dmp

Filesize
3.3MB

Download
memory/4896-83-0x00007FF636B70000-0x00007FF636EC1000-memory.dmp

Filesize
3.3MB

Download
memory/4896-250-0x00007FF636B70000-0x00007FF636EC1000-memory.dmp

Filesize
3.3MB

Download
memory/4896-139-0x00007FF636B70000-0x00007FF636EC1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-95-0x00007FF7DF510000-0x00007FF7DF861000-memory.dmp

Filesize
3.3MB

Download
memory/4904-29-0x00007FF7DF510000-0x00007FF7DF861000-memory.dmp

Filesize
3.3MB

Download
memory/4904-228-0x00007FF7DF510000-0x00007FF7DF861000-memory.dmp

Filesize
3.3MB

Download
memory/5072-162-0x00007FF7C1520000-0x00007FF7C1871000-memory.dmp

Filesize
3.3MB

Download
memory/5072-264-0x00007FF7C1520000-0x00007FF7C1871000-memory.dmp

Filesize
3.3MB

Download
memory/5072-115-0x00007FF7C1520000-0x00007FF7C1871000-memory.dmp

Filesize
3.3MB

Download