cobaltstrike | 816ade539cc0351766c79e45c66f4d2b46ac420ebcd6fe738f94bfcfe4e0737b

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

9c583759e4ec4728e1d8e7d6b8b8fa74
SHA1

8adcd5ac075736bcac31edbd6df0e0fc92c4a17c
SHA256

816ade539cc0351766c79e45c66f4d2b46ac420ebcd6fe738f94bfcfe4e0737b
SHA512

45cd065ecb0c656845a25edc4d756db40957598a7ce8feee80c5c33489b00ea8abf505e85137d9532b22cfa1ecc88711d1a306ddd1e8434c701c09c8f52c3c29
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lV:RWWBibf56utgpPFotBER/mQ32lUh

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00070000000234df-14.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e1-24.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e2-26.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e0-20.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e4-38.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e5-45.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e6-55.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e8-62.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e9-81.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ea-79.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e7-65.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e3-42.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234db-12.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234eb-85.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ed-103.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ee-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ef-112.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ec-95.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f2-127.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f3-134.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f0-126.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4804-23-0x00007FF693A30000-0x00007FF693D81000-memory.dmp	xmrig
behavioral2/memory/2520-77-0x00007FF753480000-0x00007FF7537D1000-memory.dmp	xmrig
behavioral2/memory/5020-71-0x00007FF683CF0000-0x00007FF684041000-memory.dmp	xmrig
behavioral2/memory/4424-70-0x00007FF663300000-0x00007FF663651000-memory.dmp	xmrig
behavioral2/memory/2680-93-0x00007FF74C720000-0x00007FF74CA71000-memory.dmp	xmrig
behavioral2/memory/2256-101-0x00007FF671C10000-0x00007FF671F61000-memory.dmp	xmrig
behavioral2/memory/4140-111-0x00007FF77E8C0000-0x00007FF77EC11000-memory.dmp	xmrig
behavioral2/memory/4472-110-0x00007FF711D10000-0x00007FF712061000-memory.dmp	xmrig
behavioral2/memory/2248-94-0x00007FF676820000-0x00007FF676B71000-memory.dmp	xmrig
behavioral2/memory/2076-121-0x00007FF712970000-0x00007FF712CC1000-memory.dmp	xmrig
behavioral2/memory/3912-140-0x00007FF6DD5B0000-0x00007FF6DD901000-memory.dmp	xmrig
behavioral2/memory/3228-139-0x00007FF760BC0000-0x00007FF760F11000-memory.dmp	xmrig
behavioral2/memory/4980-137-0x00007FF78E350000-0x00007FF78E6A1000-memory.dmp	xmrig
behavioral2/memory/1900-130-0x00007FF6556E0000-0x00007FF655A31000-memory.dmp	xmrig
behavioral2/memory/1332-129-0x00007FF7ABE80000-0x00007FF7AC1D1000-memory.dmp	xmrig
behavioral2/memory/3460-122-0x00007FF794340000-0x00007FF794691000-memory.dmp	xmrig
behavioral2/memory/4424-141-0x00007FF663300000-0x00007FF663651000-memory.dmp	xmrig
behavioral2/memory/4732-155-0x00007FF6E39C0000-0x00007FF6E3D11000-memory.dmp	xmrig
behavioral2/memory/3792-156-0x00007FF79A2F0000-0x00007FF79A641000-memory.dmp	xmrig
behavioral2/memory/4668-157-0x00007FF6AAC80000-0x00007FF6AAFD1000-memory.dmp	xmrig
behavioral2/memory/2688-158-0x00007FF621D70000-0x00007FF6220C1000-memory.dmp	xmrig
behavioral2/memory/4328-159-0x00007FF73F4C0000-0x00007FF73F811000-memory.dmp	xmrig
behavioral2/memory/4128-166-0x00007FF634720000-0x00007FF634A71000-memory.dmp	xmrig
behavioral2/memory/4424-167-0x00007FF663300000-0x00007FF663651000-memory.dmp	xmrig
behavioral2/memory/5020-225-0x00007FF683CF0000-0x00007FF684041000-memory.dmp	xmrig
behavioral2/memory/2520-229-0x00007FF753480000-0x00007FF7537D1000-memory.dmp	xmrig
behavioral2/memory/4804-228-0x00007FF693A30000-0x00007FF693D81000-memory.dmp	xmrig
behavioral2/memory/2680-231-0x00007FF74C720000-0x00007FF74CA71000-memory.dmp	xmrig
behavioral2/memory/2248-233-0x00007FF676820000-0x00007FF676B71000-memory.dmp	xmrig
behavioral2/memory/4472-235-0x00007FF711D10000-0x00007FF712061000-memory.dmp	xmrig
behavioral2/memory/2256-237-0x00007FF671C10000-0x00007FF671F61000-memory.dmp	xmrig
behavioral2/memory/4140-239-0x00007FF77E8C0000-0x00007FF77EC11000-memory.dmp	xmrig
behavioral2/memory/2076-241-0x00007FF712970000-0x00007FF712CC1000-memory.dmp	xmrig
behavioral2/memory/3460-246-0x00007FF794340000-0x00007FF794691000-memory.dmp	xmrig
behavioral2/memory/1332-248-0x00007FF7ABE80000-0x00007FF7AC1D1000-memory.dmp	xmrig
behavioral2/memory/4980-251-0x00007FF78E350000-0x00007FF78E6A1000-memory.dmp	xmrig
behavioral2/memory/3228-252-0x00007FF760BC0000-0x00007FF760F11000-memory.dmp	xmrig
behavioral2/memory/4732-260-0x00007FF6E39C0000-0x00007FF6E3D11000-memory.dmp	xmrig
behavioral2/memory/3792-262-0x00007FF79A2F0000-0x00007FF79A641000-memory.dmp	xmrig
behavioral2/memory/4668-264-0x00007FF6AAC80000-0x00007FF6AAFD1000-memory.dmp	xmrig
behavioral2/memory/2688-266-0x00007FF621D70000-0x00007FF6220C1000-memory.dmp	xmrig
behavioral2/memory/4328-268-0x00007FF73F4C0000-0x00007FF73F811000-memory.dmp	xmrig
behavioral2/memory/1900-273-0x00007FF6556E0000-0x00007FF655A31000-memory.dmp	xmrig
behavioral2/memory/4128-275-0x00007FF634720000-0x00007FF634A71000-memory.dmp	xmrig
behavioral2/memory/3912-277-0x00007FF6DD5B0000-0x00007FF6DD901000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5020	pvENEps.exe
2520	MXlscBO.exe
4804	aRgWTzg.exe
2680	qZqLxLA.exe
2248	xwTpvdU.exe
4472	svhARhU.exe
2256	rzsHJSz.exe
4140	IZGnojU.exe
2076	nIpGrkC.exe
3460	iAnUfaE.exe
1332	ktsYSeS.exe
4980	DPNTkoz.exe
3228	zpIOrCn.exe
4732	UQteWpU.exe
3792	rmUYBdZ.exe
4668	jYRPNNF.exe
2688	LXHIoUE.exe
4328	NIUAyik.exe
1900	DeDJLDx.exe
4128	GzLhwyW.exe
3912	POlizgc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4424-0-0x00007FF663300000-0x00007FF663651000-memory.dmp	upx
behavioral2/files/0x00070000000234df-14.dat	upx
behavioral2/files/0x00070000000234e1-24.dat	upx
behavioral2/memory/2248-30-0x00007FF676820000-0x00007FF676B71000-memory.dmp	upx
behavioral2/memory/2680-29-0x00007FF74C720000-0x00007FF74CA71000-memory.dmp	upx
behavioral2/files/0x00070000000234e2-26.dat	upx
behavioral2/memory/4804-23-0x00007FF693A30000-0x00007FF693D81000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-20.dat	upx
behavioral2/memory/2520-19-0x00007FF753480000-0x00007FF7537D1000-memory.dmp	upx
behavioral2/files/0x00070000000234e4-38.dat	upx
behavioral2/files/0x00070000000234e5-45.dat	upx
behavioral2/files/0x00070000000234e6-55.dat	upx
behavioral2/memory/2076-54-0x00007FF712970000-0x00007FF712CC1000-memory.dmp	upx
behavioral2/memory/4140-51-0x00007FF77E8C0000-0x00007FF77EC11000-memory.dmp	upx
behavioral2/files/0x00070000000234e8-62.dat	upx
behavioral2/memory/1332-73-0x00007FF7ABE80000-0x00007FF7AC1D1000-memory.dmp	upx
behavioral2/memory/3228-78-0x00007FF760BC0000-0x00007FF760F11000-memory.dmp	upx
behavioral2/files/0x00070000000234e9-81.dat	upx
behavioral2/files/0x00070000000234ea-79.dat	upx
behavioral2/memory/2520-77-0x00007FF753480000-0x00007FF7537D1000-memory.dmp	upx
behavioral2/memory/4980-74-0x00007FF78E350000-0x00007FF78E6A1000-memory.dmp	upx
behavioral2/memory/5020-71-0x00007FF683CF0000-0x00007FF684041000-memory.dmp	upx
behavioral2/memory/4424-70-0x00007FF663300000-0x00007FF663651000-memory.dmp	upx
behavioral2/memory/3460-66-0x00007FF794340000-0x00007FF794691000-memory.dmp	upx
behavioral2/files/0x00070000000234e7-65.dat	upx
behavioral2/memory/2256-46-0x00007FF671C10000-0x00007FF671F61000-memory.dmp	upx
behavioral2/memory/4472-41-0x00007FF711D10000-0x00007FF712061000-memory.dmp	upx
behavioral2/files/0x00070000000234e3-42.dat	upx
behavioral2/files/0x00080000000234db-12.dat	upx
behavioral2/memory/5020-9-0x00007FF683CF0000-0x00007FF684041000-memory.dmp	upx
behavioral2/files/0x00070000000234eb-85.dat	upx
behavioral2/memory/2680-93-0x00007FF74C720000-0x00007FF74CA71000-memory.dmp	upx
behavioral2/memory/3792-97-0x00007FF79A2F0000-0x00007FF79A641000-memory.dmp	upx
behavioral2/memory/2256-101-0x00007FF671C10000-0x00007FF671F61000-memory.dmp	upx
behavioral2/files/0x00070000000234ed-103.dat	upx
behavioral2/files/0x00070000000234ee-107.dat	upx
behavioral2/files/0x00070000000234ef-112.dat	upx
behavioral2/memory/4328-114-0x00007FF73F4C0000-0x00007FF73F811000-memory.dmp	upx
behavioral2/memory/2688-113-0x00007FF621D70000-0x00007FF6220C1000-memory.dmp	upx
behavioral2/memory/4140-111-0x00007FF77E8C0000-0x00007FF77EC11000-memory.dmp	upx
behavioral2/memory/4472-110-0x00007FF711D10000-0x00007FF712061000-memory.dmp	upx
behavioral2/memory/4668-102-0x00007FF6AAC80000-0x00007FF6AAFD1000-memory.dmp	upx
behavioral2/files/0x00070000000234ec-95.dat	upx
behavioral2/memory/2248-94-0x00007FF676820000-0x00007FF676B71000-memory.dmp	upx
behavioral2/memory/4732-88-0x00007FF6E39C0000-0x00007FF6E3D11000-memory.dmp	upx
behavioral2/memory/2076-121-0x00007FF712970000-0x00007FF712CC1000-memory.dmp	upx
behavioral2/files/0x00070000000234f2-127.dat	upx
behavioral2/files/0x00070000000234f3-134.dat	upx
behavioral2/memory/3912-140-0x00007FF6DD5B0000-0x00007FF6DD901000-memory.dmp	upx
behavioral2/memory/3228-139-0x00007FF760BC0000-0x00007FF760F11000-memory.dmp	upx
behavioral2/memory/4980-137-0x00007FF78E350000-0x00007FF78E6A1000-memory.dmp	upx
behavioral2/memory/4128-131-0x00007FF634720000-0x00007FF634A71000-memory.dmp	upx
behavioral2/memory/1900-130-0x00007FF6556E0000-0x00007FF655A31000-memory.dmp	upx
behavioral2/memory/1332-129-0x00007FF7ABE80000-0x00007FF7AC1D1000-memory.dmp	upx
behavioral2/files/0x00070000000234f0-126.dat	upx
behavioral2/memory/3460-122-0x00007FF794340000-0x00007FF794691000-memory.dmp	upx
behavioral2/memory/4424-141-0x00007FF663300000-0x00007FF663651000-memory.dmp	upx
behavioral2/memory/4732-155-0x00007FF6E39C0000-0x00007FF6E3D11000-memory.dmp	upx
behavioral2/memory/3792-156-0x00007FF79A2F0000-0x00007FF79A641000-memory.dmp	upx
behavioral2/memory/4668-157-0x00007FF6AAC80000-0x00007FF6AAFD1000-memory.dmp	upx
behavioral2/memory/2688-158-0x00007FF621D70000-0x00007FF6220C1000-memory.dmp	upx
behavioral2/memory/4328-159-0x00007FF73F4C0000-0x00007FF73F811000-memory.dmp	upx
behavioral2/memory/4128-166-0x00007FF634720000-0x00007FF634A71000-memory.dmp	upx
behavioral2/memory/4424-167-0x00007FF663300000-0x00007FF663651000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rmUYBdZ.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NIUAyik.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GzLhwyW.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MXlscBO.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qZqLxLA.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\svhARhU.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iAnUfaE.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DPNTkoz.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\POlizgc.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aRgWTzg.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rzsHJSz.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zpIOrCn.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UQteWpU.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DeDJLDx.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IZGnojU.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nIpGrkC.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ktsYSeS.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jYRPNNF.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LXHIoUE.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pvENEps.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xwTpvdU.exe	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 5020	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4424 wrote to memory of 5020	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4424 wrote to memory of 2520	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4424 wrote to memory of 2520	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4424 wrote to memory of 4804	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4424 wrote to memory of 4804	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4424 wrote to memory of 2680	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4424 wrote to memory of 2680	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4424 wrote to memory of 2248	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4424 wrote to memory of 2248	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4424 wrote to memory of 4472	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4424 wrote to memory of 4472	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4424 wrote to memory of 2256	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4424 wrote to memory of 2256	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4424 wrote to memory of 4140	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4424 wrote to memory of 4140	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4424 wrote to memory of 2076	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4424 wrote to memory of 2076	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4424 wrote to memory of 3460	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4424 wrote to memory of 3460	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4424 wrote to memory of 1332	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4424 wrote to memory of 1332	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4424 wrote to memory of 4980	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4424 wrote to memory of 4980	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4424 wrote to memory of 3228	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4424 wrote to memory of 3228	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4424 wrote to memory of 4732	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4424 wrote to memory of 4732	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4424 wrote to memory of 3792	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4424 wrote to memory of 3792	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4424 wrote to memory of 4668	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4424 wrote to memory of 4668	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4424 wrote to memory of 2688	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4424 wrote to memory of 2688	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4424 wrote to memory of 4328	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4424 wrote to memory of 4328	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4424 wrote to memory of 1900	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4424 wrote to memory of 1900	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4424 wrote to memory of 4128	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4424 wrote to memory of 4128	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4424 wrote to memory of 3912	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4424 wrote to memory of 3912	4424	2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_9c583759e4ec4728e1d8e7d6b8b8fa74_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\System\pvENEps.exe
  C:\Windows\System\pvENEps.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\MXlscBO.exe
  C:\Windows\System\MXlscBO.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\aRgWTzg.exe
  C:\Windows\System\aRgWTzg.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\qZqLxLA.exe
  C:\Windows\System\qZqLxLA.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\xwTpvdU.exe
  C:\Windows\System\xwTpvdU.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System\svhARhU.exe
  C:\Windows\System\svhARhU.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\rzsHJSz.exe
  C:\Windows\System\rzsHJSz.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\IZGnojU.exe
  C:\Windows\System\IZGnojU.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\nIpGrkC.exe
  C:\Windows\System\nIpGrkC.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System\iAnUfaE.exe
  C:\Windows\System\iAnUfaE.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\ktsYSeS.exe
  C:\Windows\System\ktsYSeS.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System\DPNTkoz.exe
  C:\Windows\System\DPNTkoz.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\zpIOrCn.exe
  C:\Windows\System\zpIOrCn.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\UQteWpU.exe
  C:\Windows\System\UQteWpU.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\rmUYBdZ.exe
  C:\Windows\System\rmUYBdZ.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System\jYRPNNF.exe
  C:\Windows\System\jYRPNNF.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System\LXHIoUE.exe
  C:\Windows\System\LXHIoUE.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\NIUAyik.exe
  C:\Windows\System\NIUAyik.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System\DeDJLDx.exe
  C:\Windows\System\DeDJLDx.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\GzLhwyW.exe
  C:\Windows\System\GzLhwyW.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System\POlizgc.exe
  C:\Windows\System\POlizgc.exe
  2⤵
  - Executes dropped EXE
  PID:3912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DPNTkoz.exe

Filesize
5.2MB

MD5
ac4a6d47e58be919806ecdbd53477d65

SHA1
0b9a37c3bfc8de351880665741afad780b795638

SHA256
a6be3c5dbaa6a35a518197ff9b5d6b1ba6a94270af55861daa88dcfd94cb9fb5

SHA512
a5bed28d7914258e2f43e2a79de53e9c12148ccd862cfe897053e6021c019f43816a7e3684369bf92d5a75d2d6792c2105d432fef3ca7d27064d2634d908cac9

Download Submit
C:\Windows\System\DeDJLDx.exe

Filesize
5.2MB

MD5
576326e8b8601a1142d0fc45e78d8e32

SHA1
ee2e87a06701e510ebfa7aeafd4ffe2c10125db5

SHA256
5708fa28b128b53329d6ccfdd8230c2fa8753c00284d0c942989e22f1dd38fa1

SHA512
93875b0897bad21c646e5a49e36ecebbd73ac3a713b9810767a7af13faddaa797d6dfcc01b2a8dea65049d490e66fe47418c84b6726ed2f1154444bab524e959

Download Submit
C:\Windows\System\GzLhwyW.exe

Filesize
5.2MB

MD5
2dc53e1450f32427f79a486fcb3e1ba9

SHA1
c12a0b8be077a7c40d2412b3f1d4b7fd5e48fbb0

SHA256
91ffc3630d7660c49a0f4a4461f804682e9d10122fef82856f3c3db957eed54e

SHA512
497498f27a909989a3e631027b04cddddd16b9281026803409c50f249ca7491e06f6cdf02423d837b1a69069b2c7a42121a0e59cd6a575f7398977eef8535ed0

Download Submit
C:\Windows\System\IZGnojU.exe

Filesize
5.2MB

MD5
cf4666449ccbf93716f54ace1483bce1

SHA1
789c6e299fb3548e1077c2673ea7d71c554f8741

SHA256
3ea4204b045337347f29d3e2e92f28e8c75ea0d2d1bf6c4bd4110c290e68e636

SHA512
4aa42d821776f762d13c8eb15e6dd565e882bf038dcbf639cdf3cc4ee69d4af40360c37bcc1de2a9c831dfdc99d641088339bfe420cc2b200464a263d5fa147a

Download Submit
C:\Windows\System\LXHIoUE.exe

Filesize
5.2MB

MD5
63538a6a907d41e7f84d847b7d64706b

SHA1
46ff3aa19ee09abe4668f9c6fad1bb33cc0479c8

SHA256
7310963bc4ae1fa9bd7926be53b21db7fcbf13096b16f372d592875f35ec0c40

SHA512
0c1b1470d49bf0696b754d47653ec072ca34507c406245ee12c9bb295006acfe7cc0660ee5688989f9b33bc80bf0476eb4a3c06e150706527793b3be6dd90e2b

Download Submit
C:\Windows\System\MXlscBO.exe

Filesize
5.2MB

MD5
f16a0063e66e124451912efc3928c0ef

SHA1
b9cbeaded0b93b125502529874407c8afdb3c6c6

SHA256
86dabcfc132795ee161322f8d94ca1e8969de98729cf4d6eaaee268ce7eebc55

SHA512
1e870502861b892d511a9878789ee10ee27fd8fc6ea680f4dc31f857ddb67497d7835558f7362f4e067bdcdc9327701e76668cfbad9abd33fd711862ea3a83e1

Download Submit
C:\Windows\System\NIUAyik.exe

Filesize
5.2MB

MD5
98e357f234c1c1c17be8e81bab451850

SHA1
2ebba30b049b956a93f31d52901b5602b4dcd1df

SHA256
d1232c60ce6722913fffed953ee86ba30ba200929f3d9c64a73c7f69b9d5d23a

SHA512
99540e7386391269ce1da87ca8424d36b38515c0e25075ee934a47b94a41d56faad37070f215aec8b52436961c7adf276a9c70cb518cfd3fb658ca899b4b57b5

Download Submit
C:\Windows\System\POlizgc.exe

Filesize
5.2MB

MD5
30f031a7ceffe6c78c53b94b389a7c69

SHA1
8c45194302c2506ac14577db2db0d11c059e5d1f

SHA256
849004fd5fb196a8b801dcc27d18b4ba0af2aee70c8156b77e1415c9711836a8

SHA512
72c1fc618a694b81c4cc883b11567a16f5a4127f40db25730a03befc51ce87fad399c7481e188b5512b8f2784d4ca04f9d0e15aef2ebad70a297b86cf5f6104f

Download Submit
C:\Windows\System\UQteWpU.exe

Filesize
5.2MB

MD5
16f1f68e686c2bb16d1c74ee9be50b72

SHA1
ee945a460bacfeb6fc505ebd7d80459beb3885e9

SHA256
8371d6c117c69b2c74c00e765486cd682466cde1c071a4d44e67ef8bdb725501

SHA512
4affba695177de54629e4faeb8cc13cb5f7015c0253ea2c79a9a1462a925ce916552aa0773445de3df3969b438715ac6025c05e8eb75bf9af007704ab4dceebc

Download Submit
C:\Windows\System\aRgWTzg.exe

Filesize
5.2MB

MD5
8a80951cf479fe78aaa3f71fce7c9171

SHA1
5481b0ea013d87da1fa48107ab4f56f286bea9ea

SHA256
22527289dfb545bf326113c4efd1eaebb0a2a334778f17dcb53abdad91cc8fb0

SHA512
d4bee146199777196d3d3ac56b8e12b87b196f35accb0099c91d2b008f18ca58460e19854d45a4d350f8129116eb0a6a4dfd4f3836d3f98acc7a066586023460

Download Submit
C:\Windows\System\iAnUfaE.exe

Filesize
5.2MB

MD5
cab63615b638ec7abeaf1e2470a5cdb0

SHA1
9ddefbaa8ce0a6ea961e1f238ea4fee03aafe065

SHA256
52fea2366f80f27290772821313599d219de06a7a38290ba79dc1e1a19bc30e2

SHA512
97ab1da181d199eb77ffdebea6310ce73fb26cad875ad6d7249baa4bb61550af54a9b8cd1790aebef667be30b65a078e7b0ccecca2561f787c92ab4cb0c252c7

Download Submit
C:\Windows\System\jYRPNNF.exe

Filesize
5.2MB

MD5
3502d7d107a759086a6e6245864c422e

SHA1
69e975ad509564a19a15b8061513901618949ca1

SHA256
6fa6941b4e3bf08e6592756e433e2438a6ec4d0d33bda3c8499978d76358fff1

SHA512
0a84e69d3906ec36c00aa8f3e567fb40d3533037b12f0bcd11b727296dbd12c7c4207e11e393ac36369079009c4f4fdf705820da27e5239b0d55ab46369c4ec0

Download Submit
C:\Windows\System\ktsYSeS.exe

Filesize
5.2MB

MD5
31c8e083b60a2134360a0b0f1a18d0c3

SHA1
a516b6cd5a785a914fbfbd44346fa734db6cadba

SHA256
6b0e2fbcebc334ff6052f0c6abe4bb0c1b53619246cd3c916a6ff30351335ca7

SHA512
8f0fa686e1e2e18618fdb6bbd5004cb599b1551236a6d62d3abe4009d3e6dfc5bf91c6764c8388fbb91f7e69c3537806f157e5f1691a49457b2819ccaaa87ba1

Download Submit
C:\Windows\System\nIpGrkC.exe

Filesize
5.2MB

MD5
6ce98a8517f9bd63683c5a4624403bf5

SHA1
2be37607c7956f694a93dea47761d5e6da02c113

SHA256
8f1331c6c3f6c9f0cf6f617b416d0f8c29110dc137c4519af6182377a59f119a

SHA512
28d0df8ef8f25ea0c152e5c8d0ae3e204c7c04a81c4555c91f88029290e3363823b687a5c94d804bec26ec2c6e10e44813576eda3d55961e33cd0a2946d57e00

Download Submit
C:\Windows\System\pvENEps.exe

Filesize
5.2MB

MD5
ec7cf9a1bcc6512f53a5c127ab8ac03a

SHA1
0b8324a4fab2709060f32bf9f284ddafd283bff6

SHA256
aa2cae03eba3e1678a44a2228d7519015bc9483fcac058ba038ba3437740de5e

SHA512
61c4cc93f106d573a9cc9144e208233e164573a67acc4a9ebf4efd25990073d915a7bc7fc76ee6b089453307c9917c2ef62216c2173a1c87cde7115eb5182716

Download Submit
C:\Windows\System\qZqLxLA.exe

Filesize
5.2MB

MD5
d8bf376957c871ec63f9fe06b539a982

SHA1
baefaad88eea40bf6968e7be5370625f0990f8a6

SHA256
f27c3061779ac396a5a4f1b8112b6b5bd43b8d573f3032752426ebe55780536b

SHA512
2b7f53e9d0e00a9610de909c418670b9cd6452ef9287c95456ac16fbd76b7407b240f20b2ea301e68fbe3da97c469b49008618847789a8ba5b6052ea6c52e4c2

Download Submit
C:\Windows\System\rmUYBdZ.exe

Filesize
5.2MB

MD5
45d619c94e93f5b451bbd7be545d7a98

SHA1
3e7d4b461c5c7abd1a08bb2d02c62647e953e167

SHA256
ae9867312d82bc3d05923e605893f1fc989f7122e61d75305c3beb512eb10c10

SHA512
983e1a788f6edae5bf46cd6581c5bf0b41f6bc6b446aec727eb490d2a4975c4d237fad5a0fc3db6e50a9037a47b282b976b673f3aed63ab0708f9289e703ff4d

Download Submit
C:\Windows\System\rzsHJSz.exe

Filesize
5.2MB

MD5
b6efa1bebb0b55f4893b27c243bc8435

SHA1
035c7064168ae65fbe9cfc763a1859e151bb3770

SHA256
31754d5dc1844da2ae1525c54d57789684d62231606a2929d7ce615cfbf54793

SHA512
f25f119870cd524d60679647317e26ce27a41da6ff24003a83598b51d0fc8c635024a5beaf0e04f92865d254d6211c301ffa4ccfd1ac43912629129a044d2c14

Download Submit
C:\Windows\System\svhARhU.exe

Filesize
5.2MB

MD5
7b25a1461a906a404145dafdf8289922

SHA1
304ebe69e2d1b8496bbb2d97c662e7798237739c

SHA256
88bef6c9eb3fcf8e792a4f719746d2981260169c58be001a4eaa1ea2ca90fd39

SHA512
8da53ea17517414e1a9e00fe2a7ca4050712f18f0599b84f691940dedeed89fb3abfc08650cc9d72699ab227f83a90859d2e39061e3dc0242505c11116917acd

Download Submit
C:\Windows\System\xwTpvdU.exe

Filesize
5.2MB

MD5
7cb03d31f5408cbf365162ac252927d6

SHA1
93611af1a6485d628429fd3bbdf76cf6fe2858a5

SHA256
dac95ff507dfb72618f43a935ba88ea18faa9051aa7bde4fb206b2d0256b1ae5

SHA512
dfa6c168d57e5bd53f90403b731fdf62ece0715ba85df5a11afcf4366c3af0a4222c6a518504715a3215604adb8a94ce5d858dc70ca0d2f884c611328465bab5

Download Submit
C:\Windows\System\zpIOrCn.exe

Filesize
5.2MB

MD5
571c8fe5038d44537109f9b8204c2316

SHA1
f679d17fd88defc17a3dfdcec1811a58fcc25f83

SHA256
ded10e6d73acfa83ed8a6b4bf0fc6236e608dce106c47e0d390ba391060dbf7f

SHA512
7e323ce1ca085b905b99f594c9c972bafed00b628d2e7170dfa01cd0f4f19cae45a156f0d2ea73bb1e43419d191c1df1cf9418be38c5c3c09dbfc91dece4c5f6

Download Submit
memory/1332-248-0x00007FF7ABE80000-0x00007FF7AC1D1000-memory.dmp

Filesize
3.3MB

Download
memory/1332-73-0x00007FF7ABE80000-0x00007FF7AC1D1000-memory.dmp

Filesize
3.3MB

Download
memory/1332-129-0x00007FF7ABE80000-0x00007FF7AC1D1000-memory.dmp

Filesize
3.3MB

Download
memory/1900-130-0x00007FF6556E0000-0x00007FF655A31000-memory.dmp

Filesize
3.3MB

Download
memory/1900-273-0x00007FF6556E0000-0x00007FF655A31000-memory.dmp

Filesize
3.3MB

Download
memory/2076-54-0x00007FF712970000-0x00007FF712CC1000-memory.dmp

Filesize
3.3MB

Download
memory/2076-121-0x00007FF712970000-0x00007FF712CC1000-memory.dmp

Filesize
3.3MB

Download
memory/2076-241-0x00007FF712970000-0x00007FF712CC1000-memory.dmp

Filesize
3.3MB

Download
memory/2248-233-0x00007FF676820000-0x00007FF676B71000-memory.dmp

Filesize
3.3MB

Download
memory/2248-94-0x00007FF676820000-0x00007FF676B71000-memory.dmp

Filesize
3.3MB

Download
memory/2248-30-0x00007FF676820000-0x00007FF676B71000-memory.dmp

Filesize
3.3MB

Download
memory/2256-101-0x00007FF671C10000-0x00007FF671F61000-memory.dmp

Filesize
3.3MB

Download
memory/2256-46-0x00007FF671C10000-0x00007FF671F61000-memory.dmp

Filesize
3.3MB

Download
memory/2256-237-0x00007FF671C10000-0x00007FF671F61000-memory.dmp

Filesize
3.3MB

Download
memory/2520-229-0x00007FF753480000-0x00007FF7537D1000-memory.dmp

Filesize
3.3MB

Download
memory/2520-19-0x00007FF753480000-0x00007FF7537D1000-memory.dmp

Filesize
3.3MB

Download
memory/2520-77-0x00007FF753480000-0x00007FF7537D1000-memory.dmp

Filesize
3.3MB

Download
memory/2680-93-0x00007FF74C720000-0x00007FF74CA71000-memory.dmp

Filesize
3.3MB

Download
memory/2680-231-0x00007FF74C720000-0x00007FF74CA71000-memory.dmp

Filesize
3.3MB

Download
memory/2680-29-0x00007FF74C720000-0x00007FF74CA71000-memory.dmp

Filesize
3.3MB

Download
memory/2688-158-0x00007FF621D70000-0x00007FF6220C1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-266-0x00007FF621D70000-0x00007FF6220C1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-113-0x00007FF621D70000-0x00007FF6220C1000-memory.dmp

Filesize
3.3MB

Download
memory/3228-252-0x00007FF760BC0000-0x00007FF760F11000-memory.dmp

Filesize
3.3MB

Download
memory/3228-139-0x00007FF760BC0000-0x00007FF760F11000-memory.dmp

Filesize
3.3MB

Download
memory/3228-78-0x00007FF760BC0000-0x00007FF760F11000-memory.dmp

Filesize
3.3MB

Download
memory/3460-122-0x00007FF794340000-0x00007FF794691000-memory.dmp

Filesize
3.3MB

Download
memory/3460-66-0x00007FF794340000-0x00007FF794691000-memory.dmp

Filesize
3.3MB

Download
memory/3460-246-0x00007FF794340000-0x00007FF794691000-memory.dmp

Filesize
3.3MB

Download
memory/3792-97-0x00007FF79A2F0000-0x00007FF79A641000-memory.dmp

Filesize
3.3MB

Download
memory/3792-262-0x00007FF79A2F0000-0x00007FF79A641000-memory.dmp

Filesize
3.3MB

Download
memory/3792-156-0x00007FF79A2F0000-0x00007FF79A641000-memory.dmp

Filesize
3.3MB

Download
memory/3912-140-0x00007FF6DD5B0000-0x00007FF6DD901000-memory.dmp

Filesize
3.3MB

Download
memory/3912-277-0x00007FF6DD5B0000-0x00007FF6DD901000-memory.dmp

Filesize
3.3MB

Download
memory/4128-131-0x00007FF634720000-0x00007FF634A71000-memory.dmp

Filesize
3.3MB

Download
memory/4128-166-0x00007FF634720000-0x00007FF634A71000-memory.dmp

Filesize
3.3MB

Download
memory/4128-275-0x00007FF634720000-0x00007FF634A71000-memory.dmp

Filesize
3.3MB

Download
memory/4140-51-0x00007FF77E8C0000-0x00007FF77EC11000-memory.dmp

Filesize
3.3MB

Download
memory/4140-239-0x00007FF77E8C0000-0x00007FF77EC11000-memory.dmp

Filesize
3.3MB

Download
memory/4140-111-0x00007FF77E8C0000-0x00007FF77EC11000-memory.dmp

Filesize
3.3MB

Download
memory/4328-159-0x00007FF73F4C0000-0x00007FF73F811000-memory.dmp

Filesize
3.3MB

Download
memory/4328-114-0x00007FF73F4C0000-0x00007FF73F811000-memory.dmp

Filesize
3.3MB

Download
memory/4328-268-0x00007FF73F4C0000-0x00007FF73F811000-memory.dmp

Filesize
3.3MB

Download
memory/4424-141-0x00007FF663300000-0x00007FF663651000-memory.dmp

Filesize
3.3MB

Download
memory/4424-1-0x0000018F5BF70000-0x0000018F5BF80000-memory.dmp

Filesize
64KB

Download
memory/4424-70-0x00007FF663300000-0x00007FF663651000-memory.dmp

Filesize
3.3MB

Download
memory/4424-0-0x00007FF663300000-0x00007FF663651000-memory.dmp

Filesize
3.3MB

Download
memory/4424-167-0x00007FF663300000-0x00007FF663651000-memory.dmp

Filesize
3.3MB

Download
memory/4472-110-0x00007FF711D10000-0x00007FF712061000-memory.dmp

Filesize
3.3MB

Download
memory/4472-41-0x00007FF711D10000-0x00007FF712061000-memory.dmp

Filesize
3.3MB

Download
memory/4472-235-0x00007FF711D10000-0x00007FF712061000-memory.dmp

Filesize
3.3MB

Download
memory/4668-102-0x00007FF6AAC80000-0x00007FF6AAFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4668-264-0x00007FF6AAC80000-0x00007FF6AAFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4668-157-0x00007FF6AAC80000-0x00007FF6AAFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4732-155-0x00007FF6E39C0000-0x00007FF6E3D11000-memory.dmp

Filesize
3.3MB

Download
memory/4732-88-0x00007FF6E39C0000-0x00007FF6E3D11000-memory.dmp

Filesize
3.3MB

Download
memory/4732-260-0x00007FF6E39C0000-0x00007FF6E3D11000-memory.dmp

Filesize
3.3MB

Download
memory/4804-228-0x00007FF693A30000-0x00007FF693D81000-memory.dmp

Filesize
3.3MB

Download
memory/4804-23-0x00007FF693A30000-0x00007FF693D81000-memory.dmp

Filesize
3.3MB

Download
memory/4980-251-0x00007FF78E350000-0x00007FF78E6A1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-137-0x00007FF78E350000-0x00007FF78E6A1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-74-0x00007FF78E350000-0x00007FF78E6A1000-memory.dmp

Filesize
3.3MB

Download
memory/5020-225-0x00007FF683CF0000-0x00007FF684041000-memory.dmp

Filesize
3.3MB

Download
memory/5020-9-0x00007FF683CF0000-0x00007FF684041000-memory.dmp

Filesize
3.3MB

Download
memory/5020-71-0x00007FF683CF0000-0x00007FF684041000-memory.dmp

Filesize
3.3MB

Download