cobaltstrike | 4c70098bb041a43c73f604ee408fc97ffba22d41f1fcaccec2a081f5cee48165

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0e3c48810862e57adf019bc2338120c2
SHA1

b687fa5577598db21f0189f388fe0e52db99f234
SHA256

4c70098bb041a43c73f604ee408fc97ffba22d41f1fcaccec2a081f5cee48165
SHA512

54ffc052d7ceee532916ba477d8a8441851e03062afc713efab32f349368c8e1601f724b48cc8990ba1762c26e232072bc1ceef1a0b6c4aa733c72c441455162
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lK:RWWBibf56utgpPFotBER/mQ32lUO

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023477-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347c-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347b-18.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347d-21.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347e-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023480-40.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347f-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023484-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023489-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023488-101.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348d-120.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348b-118.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348c-115.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348a-113.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023478-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023487-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023486-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023485-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023483-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023482-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023481-56.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/536-124-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp	xmrig
behavioral2/memory/2988-126-0x00007FF64F2D0000-0x00007FF64F621000-memory.dmp	xmrig
behavioral2/memory/1600-125-0x00007FF76FB50000-0x00007FF76FEA1000-memory.dmp	xmrig
behavioral2/memory/1860-123-0x00007FF6CC1E0000-0x00007FF6CC531000-memory.dmp	xmrig
behavioral2/memory/3792-122-0x00007FF64C800000-0x00007FF64CB51000-memory.dmp	xmrig
behavioral2/memory/3700-117-0x00007FF6C44C0000-0x00007FF6C4811000-memory.dmp	xmrig
behavioral2/memory/4628-41-0x00007FF6970A0000-0x00007FF6973F1000-memory.dmp	xmrig
behavioral2/memory/2812-129-0x00007FF7FC5B0000-0x00007FF7FC901000-memory.dmp	xmrig
behavioral2/memory/2488-133-0x00007FF617C20000-0x00007FF617F71000-memory.dmp	xmrig
behavioral2/memory/3472-134-0x00007FF672E40000-0x00007FF673191000-memory.dmp	xmrig
behavioral2/memory/2200-131-0x00007FF60F090000-0x00007FF60F3E1000-memory.dmp	xmrig
behavioral2/memory/1176-128-0x00007FF786FE0000-0x00007FF787331000-memory.dmp	xmrig
behavioral2/memory/4628-132-0x00007FF6970A0000-0x00007FF6973F1000-memory.dmp	xmrig
behavioral2/memory/3888-130-0x00007FF609920000-0x00007FF609C71000-memory.dmp	xmrig
behavioral2/memory/4492-144-0x00007FF6BA920000-0x00007FF6BAC71000-memory.dmp	xmrig
behavioral2/memory/2980-147-0x00007FF7A4E60000-0x00007FF7A51B1000-memory.dmp	xmrig
behavioral2/memory/536-145-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp	xmrig
behavioral2/memory/840-143-0x00007FF60ECE0000-0x00007FF60F031000-memory.dmp	xmrig
behavioral2/memory/428-139-0x00007FF7C5EE0000-0x00007FF7C6231000-memory.dmp	xmrig
behavioral2/memory/5052-140-0x00007FF7E1A40000-0x00007FF7E1D91000-memory.dmp	xmrig
behavioral2/memory/3716-148-0x00007FF64E4B0000-0x00007FF64E801000-memory.dmp	xmrig
behavioral2/memory/5040-137-0x00007FF6B1610000-0x00007FF6B1961000-memory.dmp	xmrig
behavioral2/memory/1912-141-0x00007FF6CABF0000-0x00007FF6CAF41000-memory.dmp	xmrig
behavioral2/memory/3436-135-0x00007FF7B23B0000-0x00007FF7B2701000-memory.dmp	xmrig
behavioral2/memory/1176-150-0x00007FF786FE0000-0x00007FF787331000-memory.dmp	xmrig
behavioral2/memory/1176-151-0x00007FF786FE0000-0x00007FF787331000-memory.dmp	xmrig
behavioral2/memory/2812-211-0x00007FF7FC5B0000-0x00007FF7FC901000-memory.dmp	xmrig
behavioral2/memory/3888-213-0x00007FF609920000-0x00007FF609C71000-memory.dmp	xmrig
behavioral2/memory/2488-217-0x00007FF617C20000-0x00007FF617F71000-memory.dmp	xmrig
behavioral2/memory/2200-216-0x00007FF60F090000-0x00007FF60F3E1000-memory.dmp	xmrig
behavioral2/memory/4628-219-0x00007FF6970A0000-0x00007FF6973F1000-memory.dmp	xmrig
behavioral2/memory/3700-230-0x00007FF6C44C0000-0x00007FF6C4811000-memory.dmp	xmrig
behavioral2/memory/3436-232-0x00007FF7B23B0000-0x00007FF7B2701000-memory.dmp	xmrig
behavioral2/memory/3472-223-0x00007FF672E40000-0x00007FF673191000-memory.dmp	xmrig
behavioral2/memory/428-240-0x00007FF7C5EE0000-0x00007FF7C6231000-memory.dmp	xmrig
behavioral2/memory/1860-242-0x00007FF6CC1E0000-0x00007FF6CC531000-memory.dmp	xmrig
behavioral2/memory/5052-239-0x00007FF7E1A40000-0x00007FF7E1D91000-memory.dmp	xmrig
behavioral2/memory/5040-235-0x00007FF6B1610000-0x00007FF6B1961000-memory.dmp	xmrig
behavioral2/memory/3792-237-0x00007FF64C800000-0x00007FF64CB51000-memory.dmp	xmrig
behavioral2/memory/1912-250-0x00007FF6CABF0000-0x00007FF6CAF41000-memory.dmp	xmrig
behavioral2/memory/840-248-0x00007FF60ECE0000-0x00007FF60F031000-memory.dmp	xmrig
behavioral2/memory/1600-252-0x00007FF76FB50000-0x00007FF76FEA1000-memory.dmp	xmrig
behavioral2/memory/2980-254-0x00007FF7A4E60000-0x00007FF7A51B1000-memory.dmp	xmrig
behavioral2/memory/2988-256-0x00007FF64F2D0000-0x00007FF64F621000-memory.dmp	xmrig
behavioral2/memory/4492-247-0x00007FF6BA920000-0x00007FF6BAC71000-memory.dmp	xmrig
behavioral2/memory/3716-245-0x00007FF64E4B0000-0x00007FF64E801000-memory.dmp	xmrig
behavioral2/memory/536-259-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2812	HswzurV.exe
3888	PvtYjUV.exe
2200	akdkKEh.exe
4628	tdpeCnn.exe
2488	mlrnixW.exe
3472	gUeByeV.exe
3436	leodnrj.exe
3700	hhTSfng.exe
5040	XofQUXZ.exe
3792	jqtmTUY.exe
428	CiPHXlX.exe
5052	kGoJOIq.exe
1912	VOjJrUG.exe
1860	OjiYfDp.exe
840	QlXUUcf.exe
4492	BArkQpA.exe
536	xDhkYju.exe
1600	XlfMxdq.exe
2980	EejUoDh.exe
3716	ennqPbu.exe
2988	GrqQUvI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1176-0-0x00007FF786FE0000-0x00007FF787331000-memory.dmp	upx
behavioral2/files/0x0008000000023477-5.dat	upx
behavioral2/memory/2812-7-0x00007FF7FC5B0000-0x00007FF7FC901000-memory.dmp	upx
behavioral2/files/0x000700000002347c-10.dat	upx
behavioral2/files/0x000700000002347b-18.dat	upx
behavioral2/files/0x000700000002347d-21.dat	upx
behavioral2/files/0x000700000002347e-23.dat	upx
behavioral2/files/0x0007000000023480-40.dat	upx
behavioral2/memory/3472-36-0x00007FF672E40000-0x00007FF673191000-memory.dmp	upx
behavioral2/files/0x000700000002347f-32.dat	upx
behavioral2/memory/5040-67-0x00007FF6B1610000-0x00007FF6B1961000-memory.dmp	upx
behavioral2/files/0x0007000000023484-82.dat	upx
behavioral2/files/0x0007000000023489-91.dat	upx
behavioral2/files/0x0007000000023488-101.dat	upx
behavioral2/memory/3716-112-0x00007FF64E4B0000-0x00007FF64E801000-memory.dmp	upx
behavioral2/files/0x000700000002348d-120.dat	upx
behavioral2/memory/536-124-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp	upx
behavioral2/memory/2988-126-0x00007FF64F2D0000-0x00007FF64F621000-memory.dmp	upx
behavioral2/memory/1600-125-0x00007FF76FB50000-0x00007FF76FEA1000-memory.dmp	upx
behavioral2/memory/1860-123-0x00007FF6CC1E0000-0x00007FF6CC531000-memory.dmp	upx
behavioral2/memory/3792-122-0x00007FF64C800000-0x00007FF64CB51000-memory.dmp	upx
behavioral2/files/0x000700000002348b-118.dat	upx
behavioral2/memory/3700-117-0x00007FF6C44C0000-0x00007FF6C4811000-memory.dmp	upx
behavioral2/files/0x000700000002348c-115.dat	upx
behavioral2/files/0x000700000002348a-113.dat	upx
behavioral2/memory/2980-109-0x00007FF7A4E60000-0x00007FF7A51B1000-memory.dmp	upx
behavioral2/memory/4492-108-0x00007FF6BA920000-0x00007FF6BAC71000-memory.dmp	upx
behavioral2/files/0x0008000000023478-104.dat	upx
behavioral2/memory/840-96-0x00007FF60ECE0000-0x00007FF60F031000-memory.dmp	upx
behavioral2/files/0x0007000000023487-94.dat	upx
behavioral2/files/0x0007000000023486-87.dat	upx
behavioral2/files/0x0007000000023485-84.dat	upx
behavioral2/memory/1912-80-0x00007FF6CABF0000-0x00007FF6CAF41000-memory.dmp	upx
behavioral2/memory/5052-79-0x00007FF7E1A40000-0x00007FF7E1D91000-memory.dmp	upx
behavioral2/files/0x0007000000023483-92.dat	upx
behavioral2/files/0x0007000000023482-74.dat	upx
behavioral2/memory/428-70-0x00007FF7C5EE0000-0x00007FF7C6231000-memory.dmp	upx
behavioral2/memory/3436-58-0x00007FF7B23B0000-0x00007FF7B2701000-memory.dmp	upx
behavioral2/files/0x0007000000023481-56.dat	upx
behavioral2/memory/4628-41-0x00007FF6970A0000-0x00007FF6973F1000-memory.dmp	upx
behavioral2/memory/2488-30-0x00007FF617C20000-0x00007FF617F71000-memory.dmp	upx
behavioral2/memory/2200-27-0x00007FF60F090000-0x00007FF60F3E1000-memory.dmp	upx
behavioral2/memory/3888-15-0x00007FF609920000-0x00007FF609C71000-memory.dmp	upx
behavioral2/memory/2812-129-0x00007FF7FC5B0000-0x00007FF7FC901000-memory.dmp	upx
behavioral2/memory/2488-133-0x00007FF617C20000-0x00007FF617F71000-memory.dmp	upx
behavioral2/memory/3472-134-0x00007FF672E40000-0x00007FF673191000-memory.dmp	upx
behavioral2/memory/2200-131-0x00007FF60F090000-0x00007FF60F3E1000-memory.dmp	upx
behavioral2/memory/1176-128-0x00007FF786FE0000-0x00007FF787331000-memory.dmp	upx
behavioral2/memory/4628-132-0x00007FF6970A0000-0x00007FF6973F1000-memory.dmp	upx
behavioral2/memory/3888-130-0x00007FF609920000-0x00007FF609C71000-memory.dmp	upx
behavioral2/memory/4492-144-0x00007FF6BA920000-0x00007FF6BAC71000-memory.dmp	upx
behavioral2/memory/2980-147-0x00007FF7A4E60000-0x00007FF7A51B1000-memory.dmp	upx
behavioral2/memory/536-145-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp	upx
behavioral2/memory/840-143-0x00007FF60ECE0000-0x00007FF60F031000-memory.dmp	upx
behavioral2/memory/428-139-0x00007FF7C5EE0000-0x00007FF7C6231000-memory.dmp	upx
behavioral2/memory/5052-140-0x00007FF7E1A40000-0x00007FF7E1D91000-memory.dmp	upx
behavioral2/memory/3716-148-0x00007FF64E4B0000-0x00007FF64E801000-memory.dmp	upx
behavioral2/memory/5040-137-0x00007FF6B1610000-0x00007FF6B1961000-memory.dmp	upx
behavioral2/memory/1912-141-0x00007FF6CABF0000-0x00007FF6CAF41000-memory.dmp	upx
behavioral2/memory/3436-135-0x00007FF7B23B0000-0x00007FF7B2701000-memory.dmp	upx
behavioral2/memory/1176-150-0x00007FF786FE0000-0x00007FF787331000-memory.dmp	upx
behavioral2/memory/1176-151-0x00007FF786FE0000-0x00007FF787331000-memory.dmp	upx
behavioral2/memory/2812-211-0x00007FF7FC5B0000-0x00007FF7FC901000-memory.dmp	upx
behavioral2/memory/3888-213-0x00007FF609920000-0x00007FF609C71000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\gUeByeV.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hhTSfng.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jqtmTUY.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OjiYfDp.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QlXUUcf.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\akdkKEh.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PvtYjUV.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\leodnrj.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XofQUXZ.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HswzurV.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kGoJOIq.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VOjJrUG.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XlfMxdq.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GrqQUvI.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mlrnixW.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CiPHXlX.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BArkQpA.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xDhkYju.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EejUoDh.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ennqPbu.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tdpeCnn.exe	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2812	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1176 wrote to memory of 2812	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1176 wrote to memory of 3888	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1176 wrote to memory of 3888	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1176 wrote to memory of 2200	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1176 wrote to memory of 2200	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1176 wrote to memory of 4628	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1176 wrote to memory of 4628	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1176 wrote to memory of 2488	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1176 wrote to memory of 2488	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1176 wrote to memory of 3472	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1176 wrote to memory of 3472	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1176 wrote to memory of 3436	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1176 wrote to memory of 3436	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1176 wrote to memory of 3700	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1176 wrote to memory of 3700	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1176 wrote to memory of 5040	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1176 wrote to memory of 5040	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1176 wrote to memory of 3792	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1176 wrote to memory of 3792	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1176 wrote to memory of 428	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1176 wrote to memory of 428	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1176 wrote to memory of 5052	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1176 wrote to memory of 5052	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1176 wrote to memory of 1912	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1176 wrote to memory of 1912	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1176 wrote to memory of 1860	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1176 wrote to memory of 1860	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1176 wrote to memory of 840	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1176 wrote to memory of 840	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1176 wrote to memory of 4492	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1176 wrote to memory of 4492	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1176 wrote to memory of 536	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1176 wrote to memory of 536	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1176 wrote to memory of 1600	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1176 wrote to memory of 1600	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1176 wrote to memory of 2980	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1176 wrote to memory of 2980	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1176 wrote to memory of 3716	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1176 wrote to memory of 3716	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1176 wrote to memory of 2988	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1176 wrote to memory of 2988	1176	2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-01_0e3c48810862e57adf019bc2338120c2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\System\HswzurV.exe
  C:\Windows\System\HswzurV.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\PvtYjUV.exe
  C:\Windows\System\PvtYjUV.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\akdkKEh.exe
  C:\Windows\System\akdkKEh.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\tdpeCnn.exe
  C:\Windows\System\tdpeCnn.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\mlrnixW.exe
  C:\Windows\System\mlrnixW.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\gUeByeV.exe
  C:\Windows\System\gUeByeV.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\leodnrj.exe
  C:\Windows\System\leodnrj.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System\hhTSfng.exe
  C:\Windows\System\hhTSfng.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System\XofQUXZ.exe
  C:\Windows\System\XofQUXZ.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\jqtmTUY.exe
  C:\Windows\System\jqtmTUY.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System\CiPHXlX.exe
  C:\Windows\System\CiPHXlX.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System\kGoJOIq.exe
  C:\Windows\System\kGoJOIq.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\VOjJrUG.exe
  C:\Windows\System\VOjJrUG.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\OjiYfDp.exe
  C:\Windows\System\OjiYfDp.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\QlXUUcf.exe
  C:\Windows\System\QlXUUcf.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System\BArkQpA.exe
  C:\Windows\System\BArkQpA.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\xDhkYju.exe
  C:\Windows\System\xDhkYju.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\XlfMxdq.exe
  C:\Windows\System\XlfMxdq.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\EejUoDh.exe
  C:\Windows\System\EejUoDh.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\ennqPbu.exe
  C:\Windows\System\ennqPbu.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Windows\System\GrqQUvI.exe
  C:\Windows\System\GrqQUvI.exe
  2⤵
  - Executes dropped EXE
  PID:2988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BArkQpA.exe

Filesize
5.2MB

MD5
3acc0e8da9e86535b78aa81cabfd92e7

SHA1
61a95b2bd130de9e62f4f9cdef38e8e68fc3991f

SHA256
9b7f5d921dc679f01288f8042f5c29741d65dc0cbc01079d43137c3cc1892a13

SHA512
37a42fcefb57015fc6f14fd29935ae2d1e21e98ad6b5583412a9190e8b8e10d1937f01c89cdf88ce325ac24a77eca59c3b77cf123e63fb8b31dbd6569658e0b1

Download Submit
C:\Windows\System\CiPHXlX.exe

Filesize
5.2MB

MD5
f03c2d857779589e6a1319ad26e54680

SHA1
5e18e590b0312c278cdd30e17381a2cdbf686635

SHA256
800cc2d465a07ac85b08060a491a11f4541c23033785d100a6558a7d52028593

SHA512
c36439d5805d6c2d71a8e5e7eae9d6e76fe0120490945d66eb3002a7594107ecf8f5f7fe49bb9a7ea93021f8b94c4728b3ab9032c9a83eb9633bd7202cb3609f

Download Submit
C:\Windows\System\EejUoDh.exe

Filesize
5.2MB

MD5
37c2862f059082c3b9de05ca2d61577d

SHA1
2137e2b5e82e4e969a0ec384c435757d774a17c8

SHA256
f7d2796022614c6d8d4118da881d31bd3c40a0d71a68d9c6cf5dc5b0b8ffb5d6

SHA512
df5a8f5c05e1a9e21e8c25fc6f908cef612aa0f02abfa15329e2317823bb420138f732341ee36db2c4d2c1785adc0d15a1ad1baf24008ac81e02533dc6fbb466

Download Submit
C:\Windows\System\GrqQUvI.exe

Filesize
5.2MB

MD5
227abe62b011657bc4cd773a20a58b2d

SHA1
123b8122fd5b66bacc36a9703a96a283e55b942e

SHA256
895bf2c840bf5ed38959baccfa669cad25f502f197a6ba3fb8c5d05108b002cf

SHA512
d08315051173edddab93cae215ae70afd730ceb2e3ea8ceae6e08b93d4b3c44e663541c1e225575a95c0943226f9ff68ce1e55c6b7bd48866299b759bdc434a2

Download Submit
C:\Windows\System\HswzurV.exe

Filesize
5.2MB

MD5
696ec4aa2ef0d0ae36ce647d8da166fd

SHA1
b88c97811b8965c74a63b09999a1fe393cc1672b

SHA256
cdd2ca6c8165590c4315a4e42c6fc51f5700ba685eea5931c7f2303217ab7dd0

SHA512
0812048085a05abb3e226223b056a245b43da8d1528b365a70acf36eb20c04f4c3c372b2852bf3c646770caec12f48c66247d068d730384f789011f1c8ef797f

Download Submit
C:\Windows\System\OjiYfDp.exe

Filesize
5.2MB

MD5
0c089d6168a1bad3a8715967af143833

SHA1
e4fd395db36f7534ffa4f0c911da1019ce025e55

SHA256
a9057d11121ef626ff13045def6458da92ccfbc3773cd2898f3bc13277d4686f

SHA512
873fa5b45dbf7a46ce1c84a423e8b97e9b0e4da411947b976026ecf0c1575cb7635d3ed2eb8573b4619ace45d2b6909a9c74f28095c40505dca5a12dae2e311e

Download Submit
C:\Windows\System\PvtYjUV.exe

Filesize
5.2MB

MD5
f8b8ca087d8627125f05674a52529d8f

SHA1
1e89633f6f015bdeced3c5b4cde212b3db6422e6

SHA256
1972c3ea72a7fd3a9021b343f7903203a19af34741032739e744ce6dd092dadb

SHA512
764fee7d8eca26ba6b44f23e7bbe366aee35b1052aae10615272eac371aa77d4ee0b7669f3353f3cba12ae09cd1f43b195bf93ba4c31697fe44e760fccd38665

Download Submit
C:\Windows\System\QlXUUcf.exe

Filesize
5.2MB

MD5
57da504b2097c336f0c85cbb14c76923

SHA1
3155eebca2887a84e6ded8540707d8be7dc6bdae

SHA256
c1ca2a9047c88083181f28f92a06549b0070cfcd8aab5c6fb6222107311ff3f3

SHA512
be9dc97b457b4ece09998d9419dffde85bf0f9531a6a0871b641009c3a65a37d07746cad222298ee7612b2d4c2aad00dd20fa0132e63e4be39dd0c962612912d

Download Submit
C:\Windows\System\VOjJrUG.exe

Filesize
5.2MB

MD5
3612a527de416bf1dfeee9f9534d2c4a

SHA1
965a563800d6f7dce1fe0aa3eb922ef387d7fdbc

SHA256
78224769bf6709587ef8e579625b03c8c70e6189c7a70edad5cf420524d96847

SHA512
cd251db25a906387b9d8e36664ab9e74b7e54bd336e1367f2e127fc77a7607e88af327d2d3b30cb7e0be3ad30488d97cf726ce23cdb0eaa0081321a60bb82450

Download Submit
C:\Windows\System\XlfMxdq.exe

Filesize
5.2MB

MD5
dae95494ae25ba480b154696ee7960c3

SHA1
5f775b1360a08e93e5b20d994f4fff647cf36394

SHA256
a47008d08486545926ae2cd1bb5b73cc93be144e8ceff2b2fe38832f5ef76dc8

SHA512
68d410df481865478f43f99685c4274a8336ed657b9101c9e112e04e9655e0648f00e4723846c257cda404bdbeb1cbf939dbceb9e5cae9d9461cc3de980e8b27

Download Submit
C:\Windows\System\XofQUXZ.exe

Filesize
5.2MB

MD5
069f73c839889691e5cdf591b8204d91

SHA1
552b0fd4826915a6da7066a5416b44e96c9d6530

SHA256
bd899ed09dc79c725697f4b56ae362203ce9b5508146664b49c8305f3b0bbe54

SHA512
9f2a854a2249b1ed3b1b10d07c1d29543cde288e2c9592aabac6fee2a8749870dac079fa01ca7eda6597ecc1d7eedd8512f7c492d4868f76c7026a3f8d932fb0

Download Submit
C:\Windows\System\akdkKEh.exe

Filesize
5.2MB

MD5
4fdab18dd0760014259bfe9c46b5d6f0

SHA1
428219d2d4c14f8e46b3eb54e5bd82e0cc4b239e

SHA256
bd9af4d721339e0255331b88bb2290baea526190c89d6deaa298cbcdf6f19f2c

SHA512
e5f7306d4ce7b6f8af7302f9e2b10f12945f99f80eb2fdbb8ed4bb9dd818b5efda39d96b052879c21506c8665ffba91bcffef70e69304f99b296c757e8519c14

Download Submit
C:\Windows\System\ennqPbu.exe

Filesize
5.2MB

MD5
ae920c057192d2c37c22f20455fa691b

SHA1
be484f25346a95c82bdd0d49f4cf6589f16b71f1

SHA256
47b6f8b56e43a82d84070ab95324424eaebbfc3ffa957a5cc70f91afc0ee33fb

SHA512
e71bbc147dd9a3a1d3ef5856930bc0ae2a3e43b03fb72e4f63c2d5959167c7f1ccefbfb1e2d0ac7a08fee5d848399a9cb3b6f8885febaea09a5de7366b80edf4

Download Submit
C:\Windows\System\gUeByeV.exe

Filesize
5.2MB

MD5
cfc26d5f69fd568028ed72b759e6da37

SHA1
c871c961ff42e8d04ad9fbb2fcaa33cd80914f99

SHA256
dd707f1449130fcaea395796a27f47cba1db6e3cb87719d0fd0225130340e400

SHA512
89ed5c5580ea9a16a58748049bafb26abd2ac0bbd297f93c5bf05d308a39e088460b8923464bebd41f32b5125045a38bdb2c2c9ac8306b1ef7900590ed84f5df

Download Submit
C:\Windows\System\hhTSfng.exe

Filesize
5.2MB

MD5
81b0b3f487acf124a385873ba72ce2c1

SHA1
0a58e126c0c198a86e877b0de4b4ca71f90b1453

SHA256
5e3073e8a5e2098580a5b6bb66e07821e74c131aca22690f0041e70ea2a15f1d

SHA512
e93e8b3c4fe20969677cdea735e07ca7e080775a97a9b3c55b815c72238a7865100c7d3fc980458b72a41a06113fd80f4219fa996d7f0a203f2a25fa51fe11f1

Download Submit
C:\Windows\System\jqtmTUY.exe

Filesize
5.2MB

MD5
95c8ad0f944ca9faea0d7170ca2d510a

SHA1
5489ac3332732ac3790dafb8b1a30e2b820bfd71

SHA256
4e065492bc33da97e2ad77984a3c0453833354b6fc37283cf961367d91c2f65e

SHA512
f3b4ae2b5be63a8ca17bf07701877771584e12152a9183c0352bf6e0032281fddb4ef1f7bc47956dc6a8996d4758c9792dbeac7be3ba05e76c9bcae172b477c6

Download Submit
C:\Windows\System\kGoJOIq.exe

Filesize
5.2MB

MD5
24020d3393d1fce4cf8c0dae63c72133

SHA1
ca25cd720b2b76b2969bd61cba230e8b84b62f82

SHA256
df18b59228fd6ddc1e8a70e989c83ef8149c6607527f997390f609bf3737c284

SHA512
ffd06895f6c0a9220560551433e30ba9f229feef428868dfa5e5aad617b6df282d513134f6898d4bffb7a74d45283b9ee307f54123d45410b8b2ff909f3c7621

Download Submit
C:\Windows\System\leodnrj.exe

Filesize
5.2MB

MD5
cfe849a572db0f69e8a70988e43343cf

SHA1
3e015b952f834c35c524e24e6ddd49609e527dfd

SHA256
a066ec07fafa3303be54cfe9f1693a6f9ff3706ed1dd07231b1cf965e5e69474

SHA512
c7b846729bc4c22be177e3f25c880f9035e815de7348c8ce483731903a90a240628485c39e3364b61eac710cd08aa29c6fe90fcb5a355e030fa9ac0982a98ccb

Download Submit
C:\Windows\System\mlrnixW.exe

Filesize
5.2MB

MD5
c3f2ab0963c71bf9f806dd9881c57ec4

SHA1
b90b25fa9913527c3471bd6e7113c988d1c58c0b

SHA256
55b6af3ece4229820463f1a9c951a6d67084aa5870d8afae0f70cdf324dbbff3

SHA512
0b6ab5681c00dc70758d164c3d6f368cbf2382aec30e843400c055ec880b7068bf8ac46a059a5540a7481e92cf603023e44c89aaf1b329a56d9ef475ad73e6b5

Download Submit
C:\Windows\System\tdpeCnn.exe

Filesize
5.2MB

MD5
70960083a18829f478ebd76e31f5c349

SHA1
8d02e968de26a8a8dcc0bf11423c685686b11c03

SHA256
8bc532610109a4b5005c31e1a13090d134bd446259b0fa59d1686981b0abc3fd

SHA512
8e5a9b89cf2a57eb2e74b92131010139280fdd092ca431806cff41a27eb09f516e4f6d47628e26d82040797b2199946e03c41d2e3cffabcc8fa5718214fe9fff

Download Submit
C:\Windows\System\xDhkYju.exe

Filesize
5.2MB

MD5
1d319bd6097d9f34d8925b42ae359e7c

SHA1
c966fe04e25864a4f7c2bd69f7b97f5e900ef97f

SHA256
6269e296313b883b64bf85438c70567c29dec2e043258f2829a202382a9fbcd9

SHA512
2bff5cb9ff82a74788d3b26136265191623b1b1cfe1a69a379ff3dbcfa13b91c06d0fa8068f035602826be9d3219536def4faf7396b10164ca789fcaac791b2c

Download Submit
memory/428-139-0x00007FF7C5EE0000-0x00007FF7C6231000-memory.dmp

Filesize
3.3MB

Download
memory/428-240-0x00007FF7C5EE0000-0x00007FF7C6231000-memory.dmp

Filesize
3.3MB

Download
memory/428-70-0x00007FF7C5EE0000-0x00007FF7C6231000-memory.dmp

Filesize
3.3MB

Download
memory/536-124-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp

Filesize
3.3MB

Download
memory/536-259-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp

Filesize
3.3MB

Download
memory/536-145-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp

Filesize
3.3MB

Download
memory/840-248-0x00007FF60ECE0000-0x00007FF60F031000-memory.dmp

Filesize
3.3MB

Download
memory/840-96-0x00007FF60ECE0000-0x00007FF60F031000-memory.dmp

Filesize
3.3MB

Download
memory/840-143-0x00007FF60ECE0000-0x00007FF60F031000-memory.dmp

Filesize
3.3MB

Download
memory/1176-151-0x00007FF786FE0000-0x00007FF787331000-memory.dmp

Filesize
3.3MB

Download
memory/1176-128-0x00007FF786FE0000-0x00007FF787331000-memory.dmp

Filesize
3.3MB

Download
memory/1176-150-0x00007FF786FE0000-0x00007FF787331000-memory.dmp

Filesize
3.3MB

Download
memory/1176-1-0x000001DF7DC10000-0x000001DF7DC20000-memory.dmp

Filesize
64KB

Download
memory/1176-0-0x00007FF786FE0000-0x00007FF787331000-memory.dmp

Filesize
3.3MB

Download
memory/1600-252-0x00007FF76FB50000-0x00007FF76FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/1600-125-0x00007FF76FB50000-0x00007FF76FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/1860-123-0x00007FF6CC1E0000-0x00007FF6CC531000-memory.dmp

Filesize
3.3MB

Download
memory/1860-242-0x00007FF6CC1E0000-0x00007FF6CC531000-memory.dmp

Filesize
3.3MB

Download
memory/1912-250-0x00007FF6CABF0000-0x00007FF6CAF41000-memory.dmp

Filesize
3.3MB

Download
memory/1912-141-0x00007FF6CABF0000-0x00007FF6CAF41000-memory.dmp

Filesize
3.3MB

Download
memory/1912-80-0x00007FF6CABF0000-0x00007FF6CAF41000-memory.dmp

Filesize
3.3MB

Download
memory/2200-131-0x00007FF60F090000-0x00007FF60F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-27-0x00007FF60F090000-0x00007FF60F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-216-0x00007FF60F090000-0x00007FF60F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-30-0x00007FF617C20000-0x00007FF617F71000-memory.dmp

Filesize
3.3MB

Download
memory/2488-217-0x00007FF617C20000-0x00007FF617F71000-memory.dmp

Filesize
3.3MB

Download
memory/2488-133-0x00007FF617C20000-0x00007FF617F71000-memory.dmp

Filesize
3.3MB

Download
memory/2812-129-0x00007FF7FC5B0000-0x00007FF7FC901000-memory.dmp

Filesize
3.3MB

Download
memory/2812-7-0x00007FF7FC5B0000-0x00007FF7FC901000-memory.dmp

Filesize
3.3MB

Download
memory/2812-211-0x00007FF7FC5B0000-0x00007FF7FC901000-memory.dmp

Filesize
3.3MB

Download
memory/2980-147-0x00007FF7A4E60000-0x00007FF7A51B1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-254-0x00007FF7A4E60000-0x00007FF7A51B1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-109-0x00007FF7A4E60000-0x00007FF7A51B1000-memory.dmp

Filesize
3.3MB

Download
memory/2988-126-0x00007FF64F2D0000-0x00007FF64F621000-memory.dmp

Filesize
3.3MB

Download
memory/2988-256-0x00007FF64F2D0000-0x00007FF64F621000-memory.dmp

Filesize
3.3MB

Download
memory/3436-58-0x00007FF7B23B0000-0x00007FF7B2701000-memory.dmp

Filesize
3.3MB

Download
memory/3436-232-0x00007FF7B23B0000-0x00007FF7B2701000-memory.dmp

Filesize
3.3MB

Download
memory/3436-135-0x00007FF7B23B0000-0x00007FF7B2701000-memory.dmp

Filesize
3.3MB

Download
memory/3472-134-0x00007FF672E40000-0x00007FF673191000-memory.dmp

Filesize
3.3MB

Download
memory/3472-223-0x00007FF672E40000-0x00007FF673191000-memory.dmp

Filesize
3.3MB

Download
memory/3472-36-0x00007FF672E40000-0x00007FF673191000-memory.dmp

Filesize
3.3MB

Download
memory/3700-230-0x00007FF6C44C0000-0x00007FF6C4811000-memory.dmp

Filesize
3.3MB

Download
memory/3700-117-0x00007FF6C44C0000-0x00007FF6C4811000-memory.dmp

Filesize
3.3MB

Download
memory/3716-112-0x00007FF64E4B0000-0x00007FF64E801000-memory.dmp

Filesize
3.3MB

Download
memory/3716-148-0x00007FF64E4B0000-0x00007FF64E801000-memory.dmp

Filesize
3.3MB

Download
memory/3716-245-0x00007FF64E4B0000-0x00007FF64E801000-memory.dmp

Filesize
3.3MB

Download
memory/3792-122-0x00007FF64C800000-0x00007FF64CB51000-memory.dmp

Filesize
3.3MB

Download
memory/3792-237-0x00007FF64C800000-0x00007FF64CB51000-memory.dmp

Filesize
3.3MB

Download
memory/3888-213-0x00007FF609920000-0x00007FF609C71000-memory.dmp

Filesize
3.3MB

Download
memory/3888-130-0x00007FF609920000-0x00007FF609C71000-memory.dmp

Filesize
3.3MB

Download
memory/3888-15-0x00007FF609920000-0x00007FF609C71000-memory.dmp

Filesize
3.3MB

Download
memory/4492-247-0x00007FF6BA920000-0x00007FF6BAC71000-memory.dmp

Filesize
3.3MB

Download
memory/4492-108-0x00007FF6BA920000-0x00007FF6BAC71000-memory.dmp

Filesize
3.3MB

Download
memory/4492-144-0x00007FF6BA920000-0x00007FF6BAC71000-memory.dmp

Filesize
3.3MB

Download
memory/4628-132-0x00007FF6970A0000-0x00007FF6973F1000-memory.dmp

Filesize
3.3MB

Download
memory/4628-219-0x00007FF6970A0000-0x00007FF6973F1000-memory.dmp

Filesize
3.3MB

Download
memory/4628-41-0x00007FF6970A0000-0x00007FF6973F1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-235-0x00007FF6B1610000-0x00007FF6B1961000-memory.dmp

Filesize
3.3MB

Download
memory/5040-137-0x00007FF6B1610000-0x00007FF6B1961000-memory.dmp

Filesize
3.3MB

Download
memory/5040-67-0x00007FF6B1610000-0x00007FF6B1961000-memory.dmp

Filesize
3.3MB

Download
memory/5052-239-0x00007FF7E1A40000-0x00007FF7E1D91000-memory.dmp

Filesize
3.3MB

Download
memory/5052-140-0x00007FF7E1A40000-0x00007FF7E1D91000-memory.dmp

Filesize
3.3MB

Download
memory/5052-79-0x00007FF7E1A40000-0x00007FF7E1D91000-memory.dmp

Filesize
3.3MB

Download