cobaltstrike | 2f73b01d0cdda8d330f8a35dd9c4ac2dd48c8482290cecb7cf38542cbdc7ff16

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2381a4489df6611069121ab2ba4a5272
SHA1

75ba3c4309308ffa69c4830a106558ee8921539b
SHA256

2f73b01d0cdda8d330f8a35dd9c4ac2dd48c8482290cecb7cf38542cbdc7ff16
SHA512

3c781ebe845f2571f2764a19a51c1f4143b800f053007db19fb448fc9aa5f4c3e546b668d8387a93e199b77f8976a18c62556c6b754023515414b72341f92275
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lX:RWWBibf56utgpPFotBER/mQ32lUz

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000235c4-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235c8-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235c9-18.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235ca-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235cb-29.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000235c5-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235cc-41.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235ce-46.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235cf-51.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d0-62.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d2-71.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d1-78.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d5-89.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d6-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d7-112.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d4-99.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d3-92.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d9-132.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d8-135.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235db-148.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235da-143.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4652-37-0x00007FF6C7970000-0x00007FF6C7CC1000-memory.dmp	xmrig
behavioral2/memory/2884-55-0x00007FF6D1CE0000-0x00007FF6D2031000-memory.dmp	xmrig
behavioral2/memory/1496-54-0x00007FF728C70000-0x00007FF728FC1000-memory.dmp	xmrig
behavioral2/memory/2200-59-0x00007FF7EDFB0000-0x00007FF7EE301000-memory.dmp	xmrig
behavioral2/memory/820-109-0x00007FF62F9D0000-0x00007FF62FD21000-memory.dmp	xmrig
behavioral2/memory/1216-104-0x00007FF6C26E0000-0x00007FF6C2A31000-memory.dmp	xmrig
behavioral2/memory/4652-97-0x00007FF6C7970000-0x00007FF6C7CC1000-memory.dmp	xmrig
behavioral2/memory/5100-90-0x00007FF74B1D0000-0x00007FF74B521000-memory.dmp	xmrig
behavioral2/memory/1680-82-0x00007FF7EDE40000-0x00007FF7EE191000-memory.dmp	xmrig
behavioral2/memory/3412-73-0x00007FF633810000-0x00007FF633B61000-memory.dmp	xmrig
behavioral2/memory/2116-127-0x00007FF7088E0000-0x00007FF708C31000-memory.dmp	xmrig
behavioral2/memory/2732-126-0x00007FF736770000-0x00007FF736AC1000-memory.dmp	xmrig
behavioral2/memory/656-147-0x00007FF6E9170000-0x00007FF6E94C1000-memory.dmp	xmrig
behavioral2/memory/2240-144-0x00007FF7F6A70000-0x00007FF7F6DC1000-memory.dmp	xmrig
behavioral2/memory/4664-154-0x00007FF7CE0F0000-0x00007FF7CE441000-memory.dmp	xmrig
behavioral2/memory/4820-158-0x00007FF6198F0000-0x00007FF619C41000-memory.dmp	xmrig
behavioral2/memory/1580-157-0x00007FF667950000-0x00007FF667CA1000-memory.dmp	xmrig
behavioral2/memory/1612-156-0x00007FF604370000-0x00007FF6046C1000-memory.dmp	xmrig
behavioral2/memory/4376-153-0x00007FF6EEFE0000-0x00007FF6EF331000-memory.dmp	xmrig
behavioral2/memory/2208-155-0x00007FF6FF540000-0x00007FF6FF891000-memory.dmp	xmrig
behavioral2/memory/1496-159-0x00007FF728C70000-0x00007FF728FC1000-memory.dmp	xmrig
behavioral2/memory/3752-168-0x00007FF748A50000-0x00007FF748DA1000-memory.dmp	xmrig
behavioral2/memory/1180-172-0x00007FF6A95C0000-0x00007FF6A9911000-memory.dmp	xmrig
behavioral2/memory/1656-173-0x00007FF67B600000-0x00007FF67B951000-memory.dmp	xmrig
behavioral2/memory/1496-182-0x00007FF728C70000-0x00007FF728FC1000-memory.dmp	xmrig
behavioral2/memory/2200-210-0x00007FF7EDFB0000-0x00007FF7EE301000-memory.dmp	xmrig
behavioral2/memory/2884-214-0x00007FF6D1CE0000-0x00007FF6D2031000-memory.dmp	xmrig
behavioral2/memory/3412-215-0x00007FF633810000-0x00007FF633B61000-memory.dmp	xmrig
behavioral2/memory/1680-217-0x00007FF7EDE40000-0x00007FF7EE191000-memory.dmp	xmrig
behavioral2/memory/4652-225-0x00007FF6C7970000-0x00007FF6C7CC1000-memory.dmp	xmrig
behavioral2/memory/5100-227-0x00007FF74B1D0000-0x00007FF74B521000-memory.dmp	xmrig
behavioral2/memory/1216-229-0x00007FF6C26E0000-0x00007FF6C2A31000-memory.dmp	xmrig
behavioral2/memory/820-231-0x00007FF62F9D0000-0x00007FF62FD21000-memory.dmp	xmrig
behavioral2/memory/2732-235-0x00007FF736770000-0x00007FF736AC1000-memory.dmp	xmrig
behavioral2/memory/2116-245-0x00007FF7088E0000-0x00007FF708C31000-memory.dmp	xmrig
behavioral2/memory/2240-247-0x00007FF7F6A70000-0x00007FF7F6DC1000-memory.dmp	xmrig
behavioral2/memory/656-249-0x00007FF6E9170000-0x00007FF6E94C1000-memory.dmp	xmrig
behavioral2/memory/1612-254-0x00007FF604370000-0x00007FF6046C1000-memory.dmp	xmrig
behavioral2/memory/4664-255-0x00007FF7CE0F0000-0x00007FF7CE441000-memory.dmp	xmrig
behavioral2/memory/2208-257-0x00007FF6FF540000-0x00007FF6FF891000-memory.dmp	xmrig
behavioral2/memory/4376-252-0x00007FF6EEFE0000-0x00007FF6EF331000-memory.dmp	xmrig
behavioral2/memory/1580-259-0x00007FF667950000-0x00007FF667CA1000-memory.dmp	xmrig
behavioral2/memory/4820-265-0x00007FF6198F0000-0x00007FF619C41000-memory.dmp	xmrig
behavioral2/memory/1180-267-0x00007FF6A95C0000-0x00007FF6A9911000-memory.dmp	xmrig
behavioral2/memory/3752-269-0x00007FF748A50000-0x00007FF748DA1000-memory.dmp	xmrig
behavioral2/memory/1656-271-0x00007FF67B600000-0x00007FF67B951000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2200	lXYWIyJ.exe
2884	SrZnpfY.exe
3412	rdYOXnw.exe
1680	utLYhSv.exe
5100	KARneZR.exe
4652	uxYcCWN.exe
1216	fksHDol.exe
820	hgocxUq.exe
2732	deIVzHv.exe
2116	eVMiQwd.exe
2240	CIPUTgV.exe
656	SnTFwUu.exe
4376	YVgWFgE.exe
4664	tYNibpe.exe
2208	MeDlCHQ.exe
1612	oCEaMrm.exe
1580	BiWzLcS.exe
4820	mWaKvRs.exe
3752	leMWpdI.exe
1180	YoPmswD.exe
1656	vxknBvI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1496-0-0x00007FF728C70000-0x00007FF728FC1000-memory.dmp	upx
behavioral2/files/0x00080000000235c4-4.dat	upx
behavioral2/files/0x00070000000235c8-11.dat	upx
behavioral2/files/0x00070000000235c9-18.dat	upx
behavioral2/memory/3412-19-0x00007FF633810000-0x00007FF633B61000-memory.dmp	upx
behavioral2/files/0x00070000000235ca-23.dat	upx
behavioral2/memory/1680-24-0x00007FF7EDE40000-0x00007FF7EE191000-memory.dmp	upx
behavioral2/memory/2884-16-0x00007FF6D1CE0000-0x00007FF6D2031000-memory.dmp	upx
behavioral2/memory/2200-9-0x00007FF7EDFB0000-0x00007FF7EE301000-memory.dmp	upx
behavioral2/files/0x00070000000235cb-29.dat	upx
behavioral2/memory/5100-30-0x00007FF74B1D0000-0x00007FF74B521000-memory.dmp	upx
behavioral2/files/0x00080000000235c5-35.dat	upx
behavioral2/memory/4652-37-0x00007FF6C7970000-0x00007FF6C7CC1000-memory.dmp	upx
behavioral2/files/0x00070000000235cc-41.dat	upx
behavioral2/memory/1216-43-0x00007FF6C26E0000-0x00007FF6C2A31000-memory.dmp	upx
behavioral2/files/0x00070000000235ce-46.dat	upx
behavioral2/files/0x00070000000235cf-51.dat	upx
behavioral2/memory/2884-55-0x00007FF6D1CE0000-0x00007FF6D2031000-memory.dmp	upx
behavioral2/memory/2732-56-0x00007FF736770000-0x00007FF736AC1000-memory.dmp	upx
behavioral2/memory/1496-54-0x00007FF728C70000-0x00007FF728FC1000-memory.dmp	upx
behavioral2/memory/820-48-0x00007FF62F9D0000-0x00007FF62FD21000-memory.dmp	upx
behavioral2/memory/2200-59-0x00007FF7EDFB0000-0x00007FF7EE301000-memory.dmp	upx
behavioral2/files/0x00070000000235d0-62.dat	upx
behavioral2/memory/2116-65-0x00007FF7088E0000-0x00007FF708C31000-memory.dmp	upx
behavioral2/files/0x00070000000235d2-71.dat	upx
behavioral2/files/0x00070000000235d1-78.dat	upx
behavioral2/files/0x00070000000235d5-89.dat	upx
behavioral2/memory/4664-91-0x00007FF7CE0F0000-0x00007FF7CE441000-memory.dmp	upx
behavioral2/files/0x00070000000235d6-107.dat	upx
behavioral2/files/0x00070000000235d7-112.dat	upx
behavioral2/memory/1580-111-0x00007FF667950000-0x00007FF667CA1000-memory.dmp	upx
behavioral2/memory/820-109-0x00007FF62F9D0000-0x00007FF62FD21000-memory.dmp	upx
behavioral2/memory/1612-105-0x00007FF604370000-0x00007FF6046C1000-memory.dmp	upx
behavioral2/memory/1216-104-0x00007FF6C26E0000-0x00007FF6C2A31000-memory.dmp	upx
behavioral2/files/0x00070000000235d4-99.dat	upx
behavioral2/memory/4652-97-0x00007FF6C7970000-0x00007FF6C7CC1000-memory.dmp	upx
behavioral2/memory/2208-95-0x00007FF6FF540000-0x00007FF6FF891000-memory.dmp	upx
behavioral2/memory/5100-90-0x00007FF74B1D0000-0x00007FF74B521000-memory.dmp	upx
behavioral2/files/0x00070000000235d3-92.dat	upx
behavioral2/memory/4376-83-0x00007FF6EEFE0000-0x00007FF6EF331000-memory.dmp	upx
behavioral2/memory/1680-82-0x00007FF7EDE40000-0x00007FF7EE191000-memory.dmp	upx
behavioral2/memory/656-76-0x00007FF6E9170000-0x00007FF6E94C1000-memory.dmp	upx
behavioral2/memory/2240-75-0x00007FF7F6A70000-0x00007FF7F6DC1000-memory.dmp	upx
behavioral2/memory/3412-73-0x00007FF633810000-0x00007FF633B61000-memory.dmp	upx
behavioral2/files/0x00070000000235d9-132.dat	upx
behavioral2/files/0x00070000000235d8-135.dat	upx
behavioral2/memory/4820-131-0x00007FF6198F0000-0x00007FF619C41000-memory.dmp	upx
behavioral2/memory/2116-127-0x00007FF7088E0000-0x00007FF708C31000-memory.dmp	upx
behavioral2/memory/2732-126-0x00007FF736770000-0x00007FF736AC1000-memory.dmp	upx
behavioral2/memory/3752-138-0x00007FF748A50000-0x00007FF748DA1000-memory.dmp	upx
behavioral2/memory/656-147-0x00007FF6E9170000-0x00007FF6E94C1000-memory.dmp	upx
behavioral2/files/0x00070000000235db-148.dat	upx
behavioral2/memory/1180-146-0x00007FF6A95C0000-0x00007FF6A9911000-memory.dmp	upx
behavioral2/memory/2240-144-0x00007FF7F6A70000-0x00007FF7F6DC1000-memory.dmp	upx
behavioral2/files/0x00070000000235da-143.dat	upx
behavioral2/memory/1656-150-0x00007FF67B600000-0x00007FF67B951000-memory.dmp	upx
behavioral2/memory/4664-154-0x00007FF7CE0F0000-0x00007FF7CE441000-memory.dmp	upx
behavioral2/memory/4820-158-0x00007FF6198F0000-0x00007FF619C41000-memory.dmp	upx
behavioral2/memory/1580-157-0x00007FF667950000-0x00007FF667CA1000-memory.dmp	upx
behavioral2/memory/1612-156-0x00007FF604370000-0x00007FF6046C1000-memory.dmp	upx
behavioral2/memory/4376-153-0x00007FF6EEFE0000-0x00007FF6EF331000-memory.dmp	upx
behavioral2/memory/2208-155-0x00007FF6FF540000-0x00007FF6FF891000-memory.dmp	upx
behavioral2/memory/1496-159-0x00007FF728C70000-0x00007FF728FC1000-memory.dmp	upx
behavioral2/memory/3752-168-0x00007FF748A50000-0x00007FF748DA1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\SrZnpfY.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KARneZR.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uxYcCWN.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hgocxUq.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YVgWFgE.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oCEaMrm.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YoPmswD.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eVMiQwd.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tYNibpe.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\leMWpdI.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mWaKvRs.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lXYWIyJ.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rdYOXnw.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\utLYhSv.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\deIVzHv.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CIPUTgV.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SnTFwUu.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MeDlCHQ.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vxknBvI.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fksHDol.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BiWzLcS.exe	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 2200	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1496 wrote to memory of 2200	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1496 wrote to memory of 2884	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1496 wrote to memory of 2884	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1496 wrote to memory of 3412	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1496 wrote to memory of 3412	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1496 wrote to memory of 1680	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1496 wrote to memory of 1680	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1496 wrote to memory of 5100	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1496 wrote to memory of 5100	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1496 wrote to memory of 4652	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1496 wrote to memory of 4652	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1496 wrote to memory of 1216	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1496 wrote to memory of 1216	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1496 wrote to memory of 820	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1496 wrote to memory of 820	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1496 wrote to memory of 2732	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1496 wrote to memory of 2732	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1496 wrote to memory of 2116	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1496 wrote to memory of 2116	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1496 wrote to memory of 2240	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1496 wrote to memory of 2240	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1496 wrote to memory of 656	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1496 wrote to memory of 656	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1496 wrote to memory of 4376	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1496 wrote to memory of 4376	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1496 wrote to memory of 4664	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1496 wrote to memory of 4664	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1496 wrote to memory of 2208	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1496 wrote to memory of 2208	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1496 wrote to memory of 1612	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1496 wrote to memory of 1612	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1496 wrote to memory of 1580	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1496 wrote to memory of 1580	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1496 wrote to memory of 4820	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 1496 wrote to memory of 4820	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 1496 wrote to memory of 3752	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 1496 wrote to memory of 3752	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 1496 wrote to memory of 1180	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 1496 wrote to memory of 1180	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 1496 wrote to memory of 1656	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 1496 wrote to memory of 1656	1496	2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_2381a4489df6611069121ab2ba4a5272_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\System\lXYWIyJ.exe
  C:\Windows\System\lXYWIyJ.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\SrZnpfY.exe
  C:\Windows\System\SrZnpfY.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\rdYOXnw.exe
  C:\Windows\System\rdYOXnw.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\utLYhSv.exe
  C:\Windows\System\utLYhSv.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System\KARneZR.exe
  C:\Windows\System\KARneZR.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\uxYcCWN.exe
  C:\Windows\System\uxYcCWN.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\fksHDol.exe
  C:\Windows\System\fksHDol.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\hgocxUq.exe
  C:\Windows\System\hgocxUq.exe
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Windows\System\deIVzHv.exe
  C:\Windows\System\deIVzHv.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\eVMiQwd.exe
  C:\Windows\System\eVMiQwd.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\CIPUTgV.exe
  C:\Windows\System\CIPUTgV.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\SnTFwUu.exe
  C:\Windows\System\SnTFwUu.exe
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\System\YVgWFgE.exe
  C:\Windows\System\YVgWFgE.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\tYNibpe.exe
  C:\Windows\System\tYNibpe.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\MeDlCHQ.exe
  C:\Windows\System\MeDlCHQ.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System\oCEaMrm.exe
  C:\Windows\System\oCEaMrm.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\BiWzLcS.exe
  C:\Windows\System\BiWzLcS.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\mWaKvRs.exe
  C:\Windows\System\mWaKvRs.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System\leMWpdI.exe
  C:\Windows\System\leMWpdI.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System\YoPmswD.exe
  C:\Windows\System\YoPmswD.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\vxknBvI.exe
  C:\Windows\System\vxknBvI.exe
  2⤵
  - Executes dropped EXE
  PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=1044 /prefetch:8
1⤵
PID:1168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BiWzLcS.exe

Filesize
5.2MB

MD5
552d446aef22201e327cf38b06dc4672

SHA1
c3e786319df22663f50429c841e41a47daf771e6

SHA256
251d8982a8f117a24ca803197838bd184f839416b373e14af8f688305c6350a1

SHA512
45e7a0d255ccf9605ec201772982951360baaaa36ebe35446695c2a8e527a61615ed4d4e7451b59b7826b0791307975987e821556820cb55388d2e98954cf767

Download Submit
C:\Windows\System\CIPUTgV.exe

Filesize
5.2MB

MD5
1cbadbb5fa41b47a728af49c9309b7c6

SHA1
294eaf0dbbb4016d8d9af8d6a1a100be344ee1b5

SHA256
2b60a65747263d0d1d154380ed0f380910b7efe7fb10669180ab4c27d3d953cc

SHA512
2d8f99ec97026ee6ab691f3db5d09c29a3c293d155578d8f0c7f8027e44dc17f54c6beb527b1d5847de339a19163d25117be066d975fabb1a3002da34bc0010c

Download Submit
C:\Windows\System\KARneZR.exe

Filesize
5.2MB

MD5
4f2f31a3fa8d5d7bc6ee14571718c8f1

SHA1
c9c24923c61525c7429d9d3a25cd6e03ba3bbbe6

SHA256
73475a548eeda90370246f9ceb8abf33b50742432b4d5d8571538784201d2f11

SHA512
14b44df55b02ad6fdb10d88b3a925c92cb3732915580142ef04279eba28820ccba0e2adc963e419bf94622d86262278aa51287a0605eea7e7235f7566c04f4b8

Download Submit
C:\Windows\System\MeDlCHQ.exe

Filesize
5.2MB

MD5
c2fa52be588c06e05e554792aac6ff1b

SHA1
63ef9d9cd33f49c52fde6ffc6d6b7485db5e81b7

SHA256
65eb7d8748fb8ad494279d8696b9d0c84b922b479d75778958aea7259d5e903c

SHA512
5cddfa40e3c594fb38022bfae28854f0bf5ac1c4d4a2609a636a3d9eacc343c8199903c7b96805339f72e61ae6b3ad250db550e3af71dcf3062543c24c655b4c

Download Submit
C:\Windows\System\SnTFwUu.exe

Filesize
5.2MB

MD5
5c66f452fdc7e14d0de44e10513e271d

SHA1
9e1060790505f40d0af685652744ad77bfffbe49

SHA256
90f48060c3cdaa4e6f1752071913a91c820fb319e7a066b06dabd42cd1092adb

SHA512
568f900370eecfb4b007a33737ae0ccca35551883c8cde2693eb008cd7993d0e2d8633da986238ee3d48ef8918ff5362c2c56a7596dde0ea961a7b102ca7c473

Download Submit
C:\Windows\System\SrZnpfY.exe

Filesize
5.2MB

MD5
cc98291f543b5030ab4cd5529df059d0

SHA1
b20f7cf242c73b0332b32277148def4af381e45a

SHA256
b829a5c8b4df2f40d84f0af6a0067e1e73cdeb3186641208627e52d3ad66f1f1

SHA512
635f8417bdbee3d3e0a7ce7e23f20e49c7acc7a2f12cab69e78d346c3ca22e8d3014bec6e71e933687950546ad31b8c34f02327820cdcc65e92ff1b903b254c5

Download Submit
C:\Windows\System\YVgWFgE.exe

Filesize
5.2MB

MD5
cfd3157f736015633ab0a236b50b2dce

SHA1
5dcca29e206bee27a1af5d078f91052a636aa90b

SHA256
d799f6460083982873815c18df142da9483bfb3c4f1adbcede984f3fd79b6662

SHA512
cbb553536fe9a98d92567b686c28f59c083605b44eca16745ec9ede8f4151b99d652e3694e8eabbf81a639e86bda4a3831799c617874786de29e9de11e486079

Download Submit
C:\Windows\System\YoPmswD.exe

Filesize
5.2MB

MD5
6d71c053ee9f11de7f1c4e964bca2381

SHA1
bc08ba5649abfaf68c5288b8cea6b749e3fefa77

SHA256
31a4f1ced7f8c20093237430fac764280cc989383ff15fc76e10bc37b141764b

SHA512
cf937b84abee299ce2e33641c12da773c5b30e9cad41137c248556518033fe0f78fa3e55379567eb09f6f8560ff7c50778551b770108fb8840a2e98708738d2b

Download Submit
C:\Windows\System\deIVzHv.exe

Filesize
5.2MB

MD5
97465f6466408b9936c9be4933910b9e

SHA1
c265082877844c02cc7f84a7054fd8397c69ba26

SHA256
f16d97e38403c092eb2792021ca54b390565fb3a6234dea38debf445576fe198

SHA512
020391fbca16b4e2523fbeb56e8e80b537211cdd5de9539e8aae44a80b3f3395bca9c1967b7a14af8127fdef813c5ddb32cf49df5f4e82196defefe2836cf532

Download Submit
C:\Windows\System\eVMiQwd.exe

Filesize
5.2MB

MD5
207c89a10c677ac8ad1a0d7ce7890467

SHA1
5aedae937c1de804630643a8e8c34fe2ae32ef82

SHA256
b0cfdbeb283856dfe326be5233cafe78354aab3eef0fc0a0a42b48f574acc37c

SHA512
64cee4a30c3697b8440ceb324ce1de4c8d278bec2ca9f6056162457121c068a82ed9569e2ec4c1915ee3d369e5863f6354f1f332a4534d3ce31b115f2de46924

Download Submit
C:\Windows\System\fksHDol.exe

Filesize
5.2MB

MD5
468bee29cd4b318e1f4bc593376dd091

SHA1
784889cdf2e42ad7cb7c7cca82a6a348954e8b60

SHA256
ed10818e1ca665aff44b3b57c7002ca441f17b0926776d51b6b4c1801c7d19f0

SHA512
ddc5565265ade1b77641bc2fa0cf6b6d10d92c674bc46bc5e8f43bda57e092a383626a0994fabafc88f7e670b6759af5b03970c8b3e212b56153137a2698607a

Download Submit
C:\Windows\System\hgocxUq.exe

Filesize
5.2MB

MD5
7521174f142ba698155131fc29ecb00d

SHA1
df47a482e36924f6b7c1e4f5ba3f2d3442792aaf

SHA256
a81424ae5b91a94defe93ff3cc905067e3c3dcfd79779dcb0dbb83cc4e57caeb

SHA512
998c1664018f2422d68cfab7a050933aa8aa6a15144941ddc3e98d8b4c2d824ad3d2c5a20c45b5a481227b493a5fa3d62d5308b0e96f72b01a2581096c744d36

Download Submit
C:\Windows\System\lXYWIyJ.exe

Filesize
5.2MB

MD5
95d863f5a86dc665710624c9bcb9b654

SHA1
399bf42edc578b0d9f97f1385db56943b54a2220

SHA256
360e2ccbf40ff523ee5a6aa4ec76a436be1832e0b32c45e936e52238b6f2f975

SHA512
4b42e9e2a8e09d6579d8e300a3b9c0b528cda5aeff4e376f31ce56b81b83417586d0b7508e5d71281fd6331a52249cbba006c44158825c7b8dc7a35452bf1a4a

Download Submit
C:\Windows\System\leMWpdI.exe

Filesize
5.2MB

MD5
9837245e76dabbe1a71efd7ded2ad1d1

SHA1
833d69cfe10a9bdb0ed38dd8dde22040d4e6c83e

SHA256
b72bb74d5c3eab0fac731ef721e1777e0e5587611529bc2de510866f9d7b6a08

SHA512
f310f4daffead4d31b6a6447c423273712d0e29bf7336fc3f5849dc88c88d3bfcecb07389879e7655d81d032ad37fc213b1c47cc5dfbfbd50d3b0eeb3c1e5cd6

Download Submit
C:\Windows\System\mWaKvRs.exe

Filesize
5.2MB

MD5
320310a525bd496ceb40fcad2208f021

SHA1
8d5d78e6c63b0583c2bbd61dec10eaccd82dc0c6

SHA256
b98f3c2c4a4ceb3cd0404c050ed54cbb96f5e67bf63deb3b34d65dc1f379fd9e

SHA512
7d7b21c1a0bf7ecf135530d327cf2763ae0c9cc6f1cb799ae97fb0d91c118cc4e01b24dbe91f5dfe4f764fb78b3c015e612006893e03787f8d1a9815b37ffda4

Download Submit
C:\Windows\System\oCEaMrm.exe

Filesize
5.2MB

MD5
9524bfd058ea64951c1cd166d69541b2

SHA1
6226cfb81db261c77d8193710471c3b8fe92690e

SHA256
922d16bc28478fa126e6547569391e4dd132aec7c75433bfd167f00a551ee611

SHA512
39d9f71919c74e21d2f91fa3c758cc2392e24e18f7db62553cafeafc453c2e1552fc3f584ff70f21a05c273db7d061ff825a79e8e37045227741c8b3a1b1e641

Download Submit
C:\Windows\System\rdYOXnw.exe

Filesize
5.2MB

MD5
5d2eafcb11cc3141bdc19c4426622377

SHA1
a0d7076da723eb4a226b7be6ab2777462330ecde

SHA256
c48aa5c4a70110ecf767242f43e8bdc5750d03db0537839810bb877f056b223b

SHA512
ffd7384f0ff42c8ed8dddaa8418c40fd9f4ee11b66a5018a6892480b921e3c4f87f7c2e4be9aa13d4f6f1c1b374b604c0d9e86a8701d3fa3d7af7de84d00ddf0

Download Submit
C:\Windows\System\tYNibpe.exe

Filesize
5.2MB

MD5
3cf77a3412933aadcd20e394a468bc7c

SHA1
4b430fd05948a25e756ad00be8f211f09311683a

SHA256
9210e7186da76df07480525ddfb5c6049ad8adeeda1efebcdeef71c689722605

SHA512
6698a8c0fe79078b15a14e4d902af5692c1c63d5728a65ab7eb65b766634b0826ca23fa0bdc09e88bc473782c95a993d0a4d52a1e1069be2e7170a3a457ce645

Download Submit
C:\Windows\System\utLYhSv.exe

Filesize
5.2MB

MD5
392a779c59d19420f3ce88e971040479

SHA1
2dc39ef3014f4f95e1d70ab58d186a3c36c20689

SHA256
99b2b7e7a326e18585ac63b12b4bc7d7368664e7fa25678e82cb90f942e1046c

SHA512
c387e0f048282d26d1d41aca718aa7fb6657530260ed3b9d0b66d5c7e317f399f3e5ed8f17100469b12b51bc367a35f88eb5946cab32d5a2141626ce9c2a0103

Download Submit
C:\Windows\System\uxYcCWN.exe

Filesize
5.2MB

MD5
b1962ae622af863acf032b9515fcb385

SHA1
e953cc20cdaa58103599610f872e356e38702ce4

SHA256
c46db83de2e269523d434fb17be607d7f7e7fb3f0497607880808d63f7842177

SHA512
c50caea6d742c850441c88b74ebfc41868a55f5b593c22370d4b23b75b3a8e5ee64ff87644dc199359025bc2def6cf70efd1dae9377d886d1ceac54139d0a5da

Download Submit
C:\Windows\System\vxknBvI.exe

Filesize
5.2MB

MD5
4276d6ade0cf3872bbcbface11cc86ec

SHA1
114a344e0fad9f000b5f763bed46843cece018be

SHA256
c91141fd0e4e2f8b96574d07f55de3ae0c719edb8885a83b967eb4249b55c553

SHA512
63392272c78d947be1e5aad96cdd24863756fc7e43bfc573cb876852e4ace32129ba9eb64f1e88d586db53c8fbb13e3a9384d3368d5d527d3e0c0c4f4c7c8d3e

Download Submit
memory/656-76-0x00007FF6E9170000-0x00007FF6E94C1000-memory.dmp

Filesize
3.3MB

Download
memory/656-147-0x00007FF6E9170000-0x00007FF6E94C1000-memory.dmp

Filesize
3.3MB

Download
memory/656-249-0x00007FF6E9170000-0x00007FF6E94C1000-memory.dmp

Filesize
3.3MB

Download
memory/820-48-0x00007FF62F9D0000-0x00007FF62FD21000-memory.dmp

Filesize
3.3MB

Download
memory/820-231-0x00007FF62F9D0000-0x00007FF62FD21000-memory.dmp

Filesize
3.3MB

Download
memory/820-109-0x00007FF62F9D0000-0x00007FF62FD21000-memory.dmp

Filesize
3.3MB

Download
memory/1180-146-0x00007FF6A95C0000-0x00007FF6A9911000-memory.dmp

Filesize
3.3MB

Download
memory/1180-172-0x00007FF6A95C0000-0x00007FF6A9911000-memory.dmp

Filesize
3.3MB

Download
memory/1180-267-0x00007FF6A95C0000-0x00007FF6A9911000-memory.dmp

Filesize
3.3MB

Download
memory/1216-104-0x00007FF6C26E0000-0x00007FF6C2A31000-memory.dmp

Filesize
3.3MB

Download
memory/1216-43-0x00007FF6C26E0000-0x00007FF6C2A31000-memory.dmp

Filesize
3.3MB

Download
memory/1216-229-0x00007FF6C26E0000-0x00007FF6C2A31000-memory.dmp

Filesize
3.3MB

Download
memory/1496-182-0x00007FF728C70000-0x00007FF728FC1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-0-0x00007FF728C70000-0x00007FF728FC1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-54-0x00007FF728C70000-0x00007FF728FC1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-159-0x00007FF728C70000-0x00007FF728FC1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-1-0x000001D99E7B0000-0x000001D99E7C0000-memory.dmp

Filesize
64KB

Download
memory/1580-259-0x00007FF667950000-0x00007FF667CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-111-0x00007FF667950000-0x00007FF667CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-157-0x00007FF667950000-0x00007FF667CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1612-254-0x00007FF604370000-0x00007FF6046C1000-memory.dmp

Filesize
3.3MB

Download
memory/1612-156-0x00007FF604370000-0x00007FF6046C1000-memory.dmp

Filesize
3.3MB

Download
memory/1612-105-0x00007FF604370000-0x00007FF6046C1000-memory.dmp

Filesize
3.3MB

Download
memory/1656-150-0x00007FF67B600000-0x00007FF67B951000-memory.dmp

Filesize
3.3MB

Download
memory/1656-173-0x00007FF67B600000-0x00007FF67B951000-memory.dmp

Filesize
3.3MB

Download
memory/1656-271-0x00007FF67B600000-0x00007FF67B951000-memory.dmp

Filesize
3.3MB

Download
memory/1680-24-0x00007FF7EDE40000-0x00007FF7EE191000-memory.dmp

Filesize
3.3MB

Download
memory/1680-82-0x00007FF7EDE40000-0x00007FF7EE191000-memory.dmp

Filesize
3.3MB

Download
memory/1680-217-0x00007FF7EDE40000-0x00007FF7EE191000-memory.dmp

Filesize
3.3MB

Download
memory/2116-127-0x00007FF7088E0000-0x00007FF708C31000-memory.dmp

Filesize
3.3MB

Download
memory/2116-245-0x00007FF7088E0000-0x00007FF708C31000-memory.dmp

Filesize
3.3MB

Download
memory/2116-65-0x00007FF7088E0000-0x00007FF708C31000-memory.dmp

Filesize
3.3MB

Download
memory/2200-9-0x00007FF7EDFB0000-0x00007FF7EE301000-memory.dmp

Filesize
3.3MB

Download
memory/2200-59-0x00007FF7EDFB0000-0x00007FF7EE301000-memory.dmp

Filesize
3.3MB

Download
memory/2200-210-0x00007FF7EDFB0000-0x00007FF7EE301000-memory.dmp

Filesize
3.3MB

Download
memory/2208-155-0x00007FF6FF540000-0x00007FF6FF891000-memory.dmp

Filesize
3.3MB

Download
memory/2208-95-0x00007FF6FF540000-0x00007FF6FF891000-memory.dmp

Filesize
3.3MB

Download
memory/2208-257-0x00007FF6FF540000-0x00007FF6FF891000-memory.dmp

Filesize
3.3MB

Download
memory/2240-144-0x00007FF7F6A70000-0x00007FF7F6DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2240-247-0x00007FF7F6A70000-0x00007FF7F6DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2240-75-0x00007FF7F6A70000-0x00007FF7F6DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-235-0x00007FF736770000-0x00007FF736AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-56-0x00007FF736770000-0x00007FF736AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-126-0x00007FF736770000-0x00007FF736AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-214-0x00007FF6D1CE0000-0x00007FF6D2031000-memory.dmp

Filesize
3.3MB

Download
memory/2884-55-0x00007FF6D1CE0000-0x00007FF6D2031000-memory.dmp

Filesize
3.3MB

Download
memory/2884-16-0x00007FF6D1CE0000-0x00007FF6D2031000-memory.dmp

Filesize
3.3MB

Download
memory/3412-73-0x00007FF633810000-0x00007FF633B61000-memory.dmp

Filesize
3.3MB

Download
memory/3412-215-0x00007FF633810000-0x00007FF633B61000-memory.dmp

Filesize
3.3MB

Download
memory/3412-19-0x00007FF633810000-0x00007FF633B61000-memory.dmp

Filesize
3.3MB

Download
memory/3752-138-0x00007FF748A50000-0x00007FF748DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3752-168-0x00007FF748A50000-0x00007FF748DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3752-269-0x00007FF748A50000-0x00007FF748DA1000-memory.dmp

Filesize
3.3MB

Download
memory/4376-153-0x00007FF6EEFE0000-0x00007FF6EF331000-memory.dmp

Filesize
3.3MB

Download
memory/4376-83-0x00007FF6EEFE0000-0x00007FF6EF331000-memory.dmp

Filesize
3.3MB

Download
memory/4376-252-0x00007FF6EEFE0000-0x00007FF6EF331000-memory.dmp

Filesize
3.3MB

Download
memory/4652-97-0x00007FF6C7970000-0x00007FF6C7CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4652-37-0x00007FF6C7970000-0x00007FF6C7CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4652-225-0x00007FF6C7970000-0x00007FF6C7CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4664-255-0x00007FF7CE0F0000-0x00007FF7CE441000-memory.dmp

Filesize
3.3MB

Download
memory/4664-91-0x00007FF7CE0F0000-0x00007FF7CE441000-memory.dmp

Filesize
3.3MB

Download
memory/4664-154-0x00007FF7CE0F0000-0x00007FF7CE441000-memory.dmp

Filesize
3.3MB

Download
memory/4820-265-0x00007FF6198F0000-0x00007FF619C41000-memory.dmp

Filesize
3.3MB

Download
memory/4820-158-0x00007FF6198F0000-0x00007FF619C41000-memory.dmp

Filesize
3.3MB

Download
memory/4820-131-0x00007FF6198F0000-0x00007FF619C41000-memory.dmp

Filesize
3.3MB

Download
memory/5100-30-0x00007FF74B1D0000-0x00007FF74B521000-memory.dmp

Filesize
3.3MB

Download
memory/5100-90-0x00007FF74B1D0000-0x00007FF74B521000-memory.dmp

Filesize
3.3MB

Download
memory/5100-227-0x00007FF74B1D0000-0x00007FF74B521000-memory.dmp

Filesize
3.3MB

Download