cobaltstrike | 7559ea1bb99e220a1ba12b18ea8675bf7dc275a4c4548124991ead689a78e5ae

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

7bcc2babb3151a0bd9a1888d5370501e
SHA1

6b1bb98f036de763da9655c8be9727c1d21d5794
SHA256

7559ea1bb99e220a1ba12b18ea8675bf7dc275a4c4548124991ead689a78e5ae
SHA512

2f8f935005788de4aa6b88b7ef79076f821cf8f021f0abeeab642713c70d233f6000319c1edff13221b0c72798a65be8c4818c941c085f3e7a53c91cce630c2f
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lP:RWWBibf56utgpPFotBER/mQ32lU7

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c65-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c67-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6b-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6f-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c75-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c72-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c76-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c79-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c77-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c73-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c70-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6e-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c71-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c74-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6c-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6d-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6a-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c69-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c68-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c66-14.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2296-126-0x00007FF632300000-0x00007FF632651000-memory.dmp	xmrig
behavioral2/memory/2292-124-0x00007FF65A370000-0x00007FF65A6C1000-memory.dmp	xmrig
behavioral2/memory/5000-123-0x00007FF6EA9D0000-0x00007FF6EAD21000-memory.dmp	xmrig
behavioral2/memory/1008-122-0x00007FF68A6E0000-0x00007FF68AA31000-memory.dmp	xmrig
behavioral2/memory/4492-119-0x00007FF7817E0000-0x00007FF781B31000-memory.dmp	xmrig
behavioral2/memory/4756-117-0x00007FF63BC00000-0x00007FF63BF51000-memory.dmp	xmrig
behavioral2/memory/4368-107-0x00007FF6C5600000-0x00007FF6C5951000-memory.dmp	xmrig
behavioral2/memory/3652-106-0x00007FF6CDB40000-0x00007FF6CDE91000-memory.dmp	xmrig
behavioral2/memory/4872-99-0x00007FF782880000-0x00007FF782BD1000-memory.dmp	xmrig
behavioral2/memory/2072-87-0x00007FF638C30000-0x00007FF638F81000-memory.dmp	xmrig
behavioral2/memory/1952-70-0x00007FF624700000-0x00007FF624A51000-memory.dmp	xmrig
behavioral2/memory/4896-67-0x00007FF76B8F0000-0x00007FF76BC41000-memory.dmp	xmrig
behavioral2/memory/3436-28-0x00007FF756580000-0x00007FF7568D1000-memory.dmp	xmrig
behavioral2/memory/2300-128-0x00007FF646160000-0x00007FF6464B1000-memory.dmp	xmrig
behavioral2/memory/3772-131-0x00007FF7B60C0000-0x00007FF7B6411000-memory.dmp	xmrig
behavioral2/memory/4040-133-0x00007FF606520000-0x00007FF606871000-memory.dmp	xmrig
behavioral2/memory/5072-136-0x00007FF786BA0000-0x00007FF786EF1000-memory.dmp	xmrig
behavioral2/memory/3420-130-0x00007FF7A0590000-0x00007FF7A08E1000-memory.dmp	xmrig
behavioral2/memory/2300-129-0x00007FF646160000-0x00007FF6464B1000-memory.dmp	xmrig
behavioral2/memory/4936-137-0x00007FF63DA90000-0x00007FF63DDE1000-memory.dmp	xmrig
behavioral2/memory/2484-141-0x00007FF741790000-0x00007FF741AE1000-memory.dmp	xmrig
behavioral2/memory/228-143-0x00007FF6F9630000-0x00007FF6F9981000-memory.dmp	xmrig
behavioral2/memory/2624-146-0x00007FF78BBB0000-0x00007FF78BF01000-memory.dmp	xmrig
behavioral2/memory/2300-151-0x00007FF646160000-0x00007FF6464B1000-memory.dmp	xmrig
behavioral2/memory/3420-217-0x00007FF7A0590000-0x00007FF7A08E1000-memory.dmp	xmrig
behavioral2/memory/3772-219-0x00007FF7B60C0000-0x00007FF7B6411000-memory.dmp	xmrig
behavioral2/memory/3436-221-0x00007FF756580000-0x00007FF7568D1000-memory.dmp	xmrig
behavioral2/memory/4040-223-0x00007FF606520000-0x00007FF606871000-memory.dmp	xmrig
behavioral2/memory/4896-225-0x00007FF76B8F0000-0x00007FF76BC41000-memory.dmp	xmrig
behavioral2/memory/5072-229-0x00007FF786BA0000-0x00007FF786EF1000-memory.dmp	xmrig
behavioral2/memory/2072-228-0x00007FF638C30000-0x00007FF638F81000-memory.dmp	xmrig
behavioral2/memory/4936-231-0x00007FF63DA90000-0x00007FF63DDE1000-memory.dmp	xmrig
behavioral2/memory/1952-233-0x00007FF624700000-0x00007FF624A51000-memory.dmp	xmrig
behavioral2/memory/4368-236-0x00007FF6C5600000-0x00007FF6C5951000-memory.dmp	xmrig
behavioral2/memory/4872-237-0x00007FF782880000-0x00007FF782BD1000-memory.dmp	xmrig
behavioral2/memory/1008-254-0x00007FF68A6E0000-0x00007FF68AA31000-memory.dmp	xmrig
behavioral2/memory/2296-256-0x00007FF632300000-0x00007FF632651000-memory.dmp	xmrig
behavioral2/memory/2624-258-0x00007FF78BBB0000-0x00007FF78BF01000-memory.dmp	xmrig
behavioral2/memory/2484-252-0x00007FF741790000-0x00007FF741AE1000-memory.dmp	xmrig
behavioral2/memory/4756-247-0x00007FF63BC00000-0x00007FF63BF51000-memory.dmp	xmrig
behavioral2/memory/228-244-0x00007FF6F9630000-0x00007FF6F9981000-memory.dmp	xmrig
behavioral2/memory/4492-243-0x00007FF7817E0000-0x00007FF781B31000-memory.dmp	xmrig
behavioral2/memory/5000-250-0x00007FF6EA9D0000-0x00007FF6EAD21000-memory.dmp	xmrig
behavioral2/memory/3652-249-0x00007FF6CDB40000-0x00007FF6CDE91000-memory.dmp	xmrig
behavioral2/memory/2292-241-0x00007FF65A370000-0x00007FF65A6C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3420	DfqOtQC.exe
3772	koKWLOo.exe
3436	vzViUfy.exe
4040	JMbPyRR.exe
4896	saSHLeU.exe
1952	rqHDiUt.exe
5072	DjYuvqq.exe
4936	CKwthNA.exe
2072	bkjkrJL.exe
5000	WtOennY.exe
2484	KZzohWP.exe
4872	PYxaTgp.exe
2292	ohDyXzD.exe
228	PqZltwv.exe
3652	VVvcZPE.exe
4368	ZohxDkB.exe
2624	spQlmgy.exe
4756	HokmUoS.exe
4492	ZQUoZxP.exe
1008	eOxsmyP.exe
2296	vsMfAhE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2300-0-0x00007FF646160000-0x00007FF6464B1000-memory.dmp	upx
behavioral2/files/0x0008000000023c65-5.dat	upx
behavioral2/memory/3772-15-0x00007FF7B60C0000-0x00007FF7B6411000-memory.dmp	upx
behavioral2/files/0x0007000000023c67-24.dat	upx
behavioral2/files/0x0007000000023c6b-33.dat	upx
behavioral2/files/0x0007000000023c6f-73.dat	upx
behavioral2/files/0x0007000000023c75-91.dat	upx
behavioral2/files/0x0007000000023c72-102.dat	upx
behavioral2/files/0x0007000000023c76-109.dat	upx
behavioral2/files/0x0007000000023c79-120.dat	upx
behavioral2/memory/2624-125-0x00007FF78BBB0000-0x00007FF78BF01000-memory.dmp	upx
behavioral2/memory/2296-126-0x00007FF632300000-0x00007FF632651000-memory.dmp	upx
behavioral2/memory/2292-124-0x00007FF65A370000-0x00007FF65A6C1000-memory.dmp	upx
behavioral2/memory/5000-123-0x00007FF6EA9D0000-0x00007FF6EAD21000-memory.dmp	upx
behavioral2/memory/1008-122-0x00007FF68A6E0000-0x00007FF68AA31000-memory.dmp	upx
behavioral2/memory/4492-119-0x00007FF7817E0000-0x00007FF781B31000-memory.dmp	upx
behavioral2/memory/4756-117-0x00007FF63BC00000-0x00007FF63BF51000-memory.dmp	upx
behavioral2/files/0x0007000000023c78-115.dat	upx
behavioral2/files/0x0007000000023c77-113.dat	upx
behavioral2/memory/4368-107-0x00007FF6C5600000-0x00007FF6C5951000-memory.dmp	upx
behavioral2/memory/3652-106-0x00007FF6CDB40000-0x00007FF6CDE91000-memory.dmp	upx
behavioral2/files/0x0007000000023c73-104.dat	upx
behavioral2/memory/228-100-0x00007FF6F9630000-0x00007FF6F9981000-memory.dmp	upx
behavioral2/memory/4872-99-0x00007FF782880000-0x00007FF782BD1000-memory.dmp	upx
behavioral2/files/0x0007000000023c70-95.dat	upx
behavioral2/files/0x0007000000023c6e-93.dat	upx
behavioral2/memory/2484-89-0x00007FF741790000-0x00007FF741AE1000-memory.dmp	upx
behavioral2/memory/2072-87-0x00007FF638C30000-0x00007FF638F81000-memory.dmp	upx
behavioral2/files/0x0007000000023c71-83.dat	upx
behavioral2/files/0x0007000000023c74-81.dat	upx
behavioral2/memory/1952-70-0x00007FF624700000-0x00007FF624A51000-memory.dmp	upx
behavioral2/files/0x0007000000023c6c-59.dat	upx
behavioral2/files/0x0007000000023c6d-57.dat	upx
behavioral2/memory/4896-67-0x00007FF76B8F0000-0x00007FF76BC41000-memory.dmp	upx
behavioral2/files/0x0007000000023c6a-52.dat	upx
behavioral2/memory/4936-49-0x00007FF63DA90000-0x00007FF63DDE1000-memory.dmp	upx
behavioral2/memory/5072-41-0x00007FF786BA0000-0x00007FF786EF1000-memory.dmp	upx
behavioral2/files/0x0007000000023c69-36.dat	upx
behavioral2/memory/4040-39-0x00007FF606520000-0x00007FF606871000-memory.dmp	upx
behavioral2/files/0x0007000000023c68-30.dat	upx
behavioral2/memory/3436-28-0x00007FF756580000-0x00007FF7568D1000-memory.dmp	upx
behavioral2/files/0x0007000000023c66-14.dat	upx
behavioral2/memory/3420-9-0x00007FF7A0590000-0x00007FF7A08E1000-memory.dmp	upx
behavioral2/memory/2300-128-0x00007FF646160000-0x00007FF6464B1000-memory.dmp	upx
behavioral2/memory/3772-131-0x00007FF7B60C0000-0x00007FF7B6411000-memory.dmp	upx
behavioral2/memory/4040-133-0x00007FF606520000-0x00007FF606871000-memory.dmp	upx
behavioral2/memory/5072-136-0x00007FF786BA0000-0x00007FF786EF1000-memory.dmp	upx
behavioral2/memory/3420-130-0x00007FF7A0590000-0x00007FF7A08E1000-memory.dmp	upx
behavioral2/memory/2300-129-0x00007FF646160000-0x00007FF6464B1000-memory.dmp	upx
behavioral2/memory/4936-137-0x00007FF63DA90000-0x00007FF63DDE1000-memory.dmp	upx
behavioral2/memory/2484-141-0x00007FF741790000-0x00007FF741AE1000-memory.dmp	upx
behavioral2/memory/228-143-0x00007FF6F9630000-0x00007FF6F9981000-memory.dmp	upx
behavioral2/memory/2624-146-0x00007FF78BBB0000-0x00007FF78BF01000-memory.dmp	upx
behavioral2/memory/2300-151-0x00007FF646160000-0x00007FF6464B1000-memory.dmp	upx
behavioral2/memory/3420-217-0x00007FF7A0590000-0x00007FF7A08E1000-memory.dmp	upx
behavioral2/memory/3772-219-0x00007FF7B60C0000-0x00007FF7B6411000-memory.dmp	upx
behavioral2/memory/3436-221-0x00007FF756580000-0x00007FF7568D1000-memory.dmp	upx
behavioral2/memory/4040-223-0x00007FF606520000-0x00007FF606871000-memory.dmp	upx
behavioral2/memory/4896-225-0x00007FF76B8F0000-0x00007FF76BC41000-memory.dmp	upx
behavioral2/memory/5072-229-0x00007FF786BA0000-0x00007FF786EF1000-memory.dmp	upx
behavioral2/memory/2072-228-0x00007FF638C30000-0x00007FF638F81000-memory.dmp	upx
behavioral2/memory/4936-231-0x00007FF63DA90000-0x00007FF63DDE1000-memory.dmp	upx
behavioral2/memory/1952-233-0x00007FF624700000-0x00007FF624A51000-memory.dmp	upx
behavioral2/memory/4368-236-0x00007FF6C5600000-0x00007FF6C5951000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\DfqOtQC.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JMbPyRR.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WtOennY.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eOxsmyP.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZQUoZxP.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DjYuvqq.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CKwthNA.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KZzohWP.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZohxDkB.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bkjkrJL.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\spQlmgy.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HokmUoS.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vsMfAhE.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ohDyXzD.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PYxaTgp.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PqZltwv.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VVvcZPE.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\koKWLOo.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vzViUfy.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\saSHLeU.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rqHDiUt.exe	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 3420	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2300 wrote to memory of 3420	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2300 wrote to memory of 3772	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2300 wrote to memory of 3772	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2300 wrote to memory of 3436	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2300 wrote to memory of 3436	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2300 wrote to memory of 4040	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2300 wrote to memory of 4040	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2300 wrote to memory of 4896	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2300 wrote to memory of 4896	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2300 wrote to memory of 1952	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2300 wrote to memory of 1952	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2300 wrote to memory of 5072	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2300 wrote to memory of 5072	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2300 wrote to memory of 4936	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2300 wrote to memory of 4936	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2300 wrote to memory of 2072	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2300 wrote to memory of 2072	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2300 wrote to memory of 5000	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2300 wrote to memory of 5000	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2300 wrote to memory of 2292	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2300 wrote to memory of 2292	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2300 wrote to memory of 2484	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2300 wrote to memory of 2484	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2300 wrote to memory of 4872	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2300 wrote to memory of 4872	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2300 wrote to memory of 228	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2300 wrote to memory of 228	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2300 wrote to memory of 3652	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2300 wrote to memory of 3652	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2300 wrote to memory of 4368	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2300 wrote to memory of 4368	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2300 wrote to memory of 2624	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2300 wrote to memory of 2624	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2300 wrote to memory of 4756	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2300 wrote to memory of 4756	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2300 wrote to memory of 4492	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2300 wrote to memory of 4492	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2300 wrote to memory of 1008	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2300 wrote to memory of 1008	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2300 wrote to memory of 2296	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2300 wrote to memory of 2296	2300	2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_7bcc2babb3151a0bd9a1888d5370501e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System\DfqOtQC.exe
  C:\Windows\System\DfqOtQC.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System\koKWLOo.exe
  C:\Windows\System\koKWLOo.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System\vzViUfy.exe
  C:\Windows\System\vzViUfy.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System\JMbPyRR.exe
  C:\Windows\System\JMbPyRR.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\saSHLeU.exe
  C:\Windows\System\saSHLeU.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\rqHDiUt.exe
  C:\Windows\System\rqHDiUt.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\DjYuvqq.exe
  C:\Windows\System\DjYuvqq.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\CKwthNA.exe
  C:\Windows\System\CKwthNA.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\bkjkrJL.exe
  C:\Windows\System\bkjkrJL.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\WtOennY.exe
  C:\Windows\System\WtOennY.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\ohDyXzD.exe
  C:\Windows\System\ohDyXzD.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\KZzohWP.exe
  C:\Windows\System\KZzohWP.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\PYxaTgp.exe
  C:\Windows\System\PYxaTgp.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\PqZltwv.exe
  C:\Windows\System\PqZltwv.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\VVvcZPE.exe
  C:\Windows\System\VVvcZPE.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\ZohxDkB.exe
  C:\Windows\System\ZohxDkB.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\spQlmgy.exe
  C:\Windows\System\spQlmgy.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\HokmUoS.exe
  C:\Windows\System\HokmUoS.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\ZQUoZxP.exe
  C:\Windows\System\ZQUoZxP.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\eOxsmyP.exe
  C:\Windows\System\eOxsmyP.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\vsMfAhE.exe
  C:\Windows\System\vsMfAhE.exe
  2⤵
  - Executes dropped EXE
  PID:2296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CKwthNA.exe

Filesize
5.2MB

MD5
e1699c76e6414f3d922b165417393029

SHA1
238d565bb89d3c7e078f87255fb92c2287137abc

SHA256
a16f3f46f7b43676061d3ccb3530e722bc093fcbab2a6131f90a906d4fdef3f1

SHA512
8469e84925a8a59429e9e07b385d5d3dd62f8cecc37207ef7f0d6533737fa2ee329988934cfaa230b3b806228aa43a09e553531314bce02253238f4227ffac0b

Download Submit
C:\Windows\System\DfqOtQC.exe

Filesize
5.2MB

MD5
098bec13403f64c4f4f4fe04635f1447

SHA1
f2576f9514079dc9c1b8f8ebd6d1d4d2146ce21a

SHA256
3175c06033df949c7ebfc28d59f2ee116eacb3b43841335c4141e9bd2995c587

SHA512
a50446116c495be8c5ef76597ec241db7ffe2c0dcbb7830d62bd4a9a10c228fd7a06e46758f6482a172595906a9592bcaeac1a1602ecb047aad7a0eea8fedc66

Download Submit
C:\Windows\System\DjYuvqq.exe

Filesize
5.2MB

MD5
b9621e168bc144b347c50885622ec4ff

SHA1
2c68f11739310fa2042d9a185a872e02c71694f4

SHA256
422f09d6ffb02208d91e88038c5a3503aa5d7f2a4e15d643951b2aad4c08b184

SHA512
d1ca53a0532bf078f7e70ecc4ea6cf952d20f76c907ae0254318244c31c5741c981048d1c3dad64f09d3ff77972c5e239f840681a53b65d5b92fa91e739e9638

Download Submit
C:\Windows\System\HokmUoS.exe

Filesize
5.2MB

MD5
f2ea8fc5c16012ed4cbbe4b078c7483c

SHA1
e9e8eed7178c26509be1082633979a7fe9ea6be3

SHA256
d55e2adc86ebcea9b39cd498e577a7f2a994297d1b83d5e51a9f6dea480dc1c3

SHA512
337bf47fd1b0361325ffa03abefa8140e4fb669dfeda2a1b5a017cb7dcbc5c393f63e7fdbc3d289a15ce55659b5b98a41199cfe18378e53b5a2b879d2b90a0f4

Download Submit
C:\Windows\System\JMbPyRR.exe

Filesize
5.2MB

MD5
82f6170b76cea83c8adfee66699d1c3b

SHA1
99b1acd7eadd44dcad375ed9e260eb68e4fb17a2

SHA256
dd750e865250308913ca5334c3bd5d616b3e1c0e86b3d9f90ef43cb912412694

SHA512
551b6ddeeaf140624d32baacdd4d7a5fd61d5ec27972e7ed3334b193c3bff7ddb9424c8e27d5e813bca1ad0318cb73b83e007d9c914b2bd25e5c0c4b0218f55c

Download Submit
C:\Windows\System\KZzohWP.exe

Filesize
5.2MB

MD5
e9caa9df3c16f20aecf4f14b269f07dd

SHA1
b204106464545872b4069cd9f1471d45025a82e0

SHA256
b57e414e598da13863b259da141a8b98397e60992278cc5ccda2740b94eaad90

SHA512
083ff645bb5372faa460f3ffbde5d8bbcc0c70525843909e17ecc9f8525b959fa6cab51493ace3419a53c42a6e4cc0552767ba2d61073586d922d73ea4e52e41

Download Submit
C:\Windows\System\PYxaTgp.exe

Filesize
5.2MB

MD5
452a3d391b9a85b5f7fab6143404057c

SHA1
f8c86245e7ae055d54b5b5073eb20fe8082e08df

SHA256
f85b50ad2759b38fcd7b2dce28b3c3f035b894aa4647beb645bbca5c50645780

SHA512
9afb4d245bd86917f4b238f6eb1b9c0bb31f21be1b35724f780f52c783c341785faa9101cafbe5b9c926f9d4ea5470238d9ab7062e055ec9b22aa511d85d106f

Download Submit
C:\Windows\System\PqZltwv.exe

Filesize
5.2MB

MD5
f34282164e6de4395d99fe6fd4dfe4e8

SHA1
55e0634132b2327bebf254cb55e6b540dfe08b91

SHA256
8413479c4f450d068bb7bb1c5fd6b1bac611aba3b6c7de81711bc9959311194f

SHA512
00dd6ef242e0c90f699257170834ab127a3fabacb975ab7ff60548e320843a8afaf4697a96488f44f00e6bb924f15e9511754a239cfc86458bcf39c106e36aac

Download Submit
C:\Windows\System\VVvcZPE.exe

Filesize
5.2MB

MD5
8924a9e258355c48e12db91b65ff17fe

SHA1
ddfe4d9b63e09c6f2a3e8036a344522117a7f174

SHA256
077ead239f2d8d2d2c51838d7a1ed7dc1831112e030d8c94f6d6e01860969671

SHA512
50adc225db3822d70c7beb9f07a473ce9df68abfdd97a3f1e83ff7d9912254b7b5d14ac59c160dc57d9df1c7caa8f77ece6227471b539560d959a6fd94f41acd

Download Submit
C:\Windows\System\WtOennY.exe

Filesize
5.2MB

MD5
ed04e612982406a12fc6eb6f4a94f8c7

SHA1
971a5b904d4ebd349da41a07c7f656227da53cb3

SHA256
60f32f8e8e63f4c2d3564cd9208aabb92e8488233fa1dfd97709b2825928e77a

SHA512
808ae3743fbd459c97f4d9eed9623a03539e91af4fefc450c9318eeac0fe2aad3633b3bd8264aca80051c9f71777ae345c5516ddc837dbc5a6f60b313b304462

Download Submit
C:\Windows\System\ZQUoZxP.exe

Filesize
5.2MB

MD5
95861fcb8375f8d740d145dc893fec93

SHA1
3b845bc510ef049fb7bdb1ada5cf3c54d2df32ad

SHA256
4103a819c725f32c6554dc26bc88f2212046a90778566a27b9805da2d4725249

SHA512
9807c1a6156b41c615ef7de814e7cc1c0512b7b409d3c2aab0bbfbbf6cd11308b2d0625b6c2e9cbd8948a08a6a04d39479cb17bfd0d496db2e3acf499e93f436

Download Submit
C:\Windows\System\ZohxDkB.exe

Filesize
5.2MB

MD5
90fde9ff6b4ec40568864efba38f47e3

SHA1
1c4ecdd3a361fa53880c9f38bad19498287e2330

SHA256
d430b51391cf9238f93dff94e36b1b8ed929b18a8f73be6396c55da7653a37a0

SHA512
2be29b3af71a069b88a8b9dfbc7ce351d57c8a3681f9a7c20efba19e368c44944ef54960073305ab897157b9a4c9b95970fce124ed0792b6eefec3f8e50f8369

Download Submit
C:\Windows\System\bkjkrJL.exe

Filesize
5.2MB

MD5
342572ac556a07bd5611f895a6efcce0

SHA1
8be79e213d633161cc2fd30099cd02c0e90fa9d1

SHA256
87995ba3b7a93677dd62dcd394252d9245cb8f1b4cff48db1decb1c5cfdd1b31

SHA512
c4eebc3783dd3e90f5ea1f2e0807f7a4d685d6d88835078bcee3b59160386b60c850d66248711ada59208ef317e470e9a69278a66f9e934cbb23d8c7523d5553

Download Submit
C:\Windows\System\eOxsmyP.exe

Filesize
5.2MB

MD5
fa7f3ec0ce4ea05d4324e63d958f5f97

SHA1
ff35d67370b1151ba455db835b882b80a53b4f6f

SHA256
5100527661739f976dbe4267082f43b6cf931d71987bf4cc8cc8b909b691312e

SHA512
6ba1c7829602aab34c4bb50ca40378c0150f71e4850af494ec9733dfdae203219b105c6b621df2b191119ed89ac4a0ed25f63eff7fed3ff604b772abebd92a84

Download Submit
C:\Windows\System\koKWLOo.exe

Filesize
5.2MB

MD5
2a42533fe09b419560c8f26d910d43ab

SHA1
f524efd51d733ec0135be539fc9cac995afc49d7

SHA256
75fa20642eada37cd6c2305a7654a7feea7efeb6235f1f344b93385ec85dc21c

SHA512
4eb96d092eea2b4d1a23f343b66d7334c28ad9a7af6cf54a983304eda1d8b582749d58c6dcf870a9c2882d30728563ef70c984ec6d0c1779fd128f7a1be565ba

Download Submit
C:\Windows\System\ohDyXzD.exe

Filesize
5.2MB

MD5
d9e55a425705d33dbb1bedbe781f6bbe

SHA1
8e25ed8de3759348751f2af2687f0b779cbb825b

SHA256
cbf3c0fd7806f607edfc2c0c85fcc3062e7cf158129004669820f1ad8d78c6ed

SHA512
d4e0e869a31070f0a9a19fe92ad2e75ec2d9881a07c6480aa973f92682c50ee92ed81c976c45be11ec82d3ca584dc02a2c9c055b174f946437a4cf0049cb96a3

Download Submit
C:\Windows\System\rqHDiUt.exe

Filesize
5.2MB

MD5
1962e10bbc2c23b062a0fa51a7ce16e6

SHA1
98617769659fccaecd0995094c3ef953c1d6e342

SHA256
db676a282d0aa4a28aa104d77feb38679b3e3bb59ea458550b9d73daa04b711b

SHA512
48684e246e64e5b38723854ba7d19e154a9a91e5c9b31745bc3b6a9f64043a6dab2d310fdc974c399b94e67dd760d126b0e8b2ac7d285b5d0b6c39b96891e878

Download Submit
C:\Windows\System\saSHLeU.exe

Filesize
5.2MB

MD5
c48e43665aea48f36cf4f2b784c8b68e

SHA1
92d6eb5e0a5af7c617aecf3841c8fced894b4592

SHA256
d94307d73c73017112a8c6b341843d6f285b468bb471aa418f2beb3aba13874e

SHA512
31cb588181ca405843da2717ff336ab4aada38fe25a97966b7f09cdf182fff0e3472540220e256dfac9b3ade066e54c48626a08cffa64f93c7900fa407f32332

Download Submit
C:\Windows\System\spQlmgy.exe

Filesize
5.2MB

MD5
a7e8e0954c35a82fad7a1acdb8ed9dc3

SHA1
2d022a6e018a122229efd003063ef9c47a7b6e20

SHA256
e2bb988c5cd4f2b47a576ccc9e4dd6227658a7e8fb46d9bc71029f1c45e156e9

SHA512
97e7fb55b318e0e8b79336b664d0a73ed0ddd1109f2ac0881f6f8f8d71e9b919e112bf51fe2f2a3f1144562428df9aa9082fd08c5b1640470f5b8846bd21e660

Download Submit
C:\Windows\System\vsMfAhE.exe

Filesize
5.2MB

MD5
c051ef12fab662ddf9213ea9eeb0de94

SHA1
6cc38e1d2864931feacad9ad78ef103a5645c57e

SHA256
e59b64c8e298d1eb8c317f8e75cd94f864093235c5a6ea3b9d329a0ecfaa5485

SHA512
69f124c66c2b6f770d285831e68bd685a6041d90afe63a58cc8eacc7849beb0b135efc2399dd7d31eb065199842d2793dfc9acf05cc52f76699f22c9232e227d

Download Submit
C:\Windows\System\vzViUfy.exe

Filesize
5.2MB

MD5
a056b007b76c343d0daec912ab758311

SHA1
94353635f683a0d5fedc3731130ebd9b90719994

SHA256
7e7204c757def03370d676a8a4b3043849f947f566c84520bcae23416501a143

SHA512
a342011b31efd8ac058a69147f4deb499ffdcf1c11dd3ee639d930cbdb28056fd6db1f89f768d2922c7b9a7afff3d73d1de2245877bc4643866f34263acfcc71

Download Submit
memory/228-244-0x00007FF6F9630000-0x00007FF6F9981000-memory.dmp

Filesize
3.3MB

Download
memory/228-143-0x00007FF6F9630000-0x00007FF6F9981000-memory.dmp

Filesize
3.3MB

Download
memory/228-100-0x00007FF6F9630000-0x00007FF6F9981000-memory.dmp

Filesize
3.3MB

Download
memory/1008-122-0x00007FF68A6E0000-0x00007FF68AA31000-memory.dmp

Filesize
3.3MB

Download
memory/1008-254-0x00007FF68A6E0000-0x00007FF68AA31000-memory.dmp

Filesize
3.3MB

Download
memory/1952-70-0x00007FF624700000-0x00007FF624A51000-memory.dmp

Filesize
3.3MB

Download
memory/1952-233-0x00007FF624700000-0x00007FF624A51000-memory.dmp

Filesize
3.3MB

Download
memory/2072-228-0x00007FF638C30000-0x00007FF638F81000-memory.dmp

Filesize
3.3MB

Download
memory/2072-87-0x00007FF638C30000-0x00007FF638F81000-memory.dmp

Filesize
3.3MB

Download
memory/2292-124-0x00007FF65A370000-0x00007FF65A6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2292-241-0x00007FF65A370000-0x00007FF65A6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2296-126-0x00007FF632300000-0x00007FF632651000-memory.dmp

Filesize
3.3MB

Download
memory/2296-256-0x00007FF632300000-0x00007FF632651000-memory.dmp

Filesize
3.3MB

Download
memory/2300-129-0x00007FF646160000-0x00007FF6464B1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-128-0x00007FF646160000-0x00007FF6464B1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-0-0x00007FF646160000-0x00007FF6464B1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-1-0x000001BA2BC00000-0x000001BA2BC10000-memory.dmp

Filesize
64KB

Download
memory/2300-151-0x00007FF646160000-0x00007FF6464B1000-memory.dmp

Filesize
3.3MB

Download
memory/2484-252-0x00007FF741790000-0x00007FF741AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2484-141-0x00007FF741790000-0x00007FF741AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2484-89-0x00007FF741790000-0x00007FF741AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-258-0x00007FF78BBB0000-0x00007FF78BF01000-memory.dmp

Filesize
3.3MB

Download
memory/2624-146-0x00007FF78BBB0000-0x00007FF78BF01000-memory.dmp

Filesize
3.3MB

Download
memory/2624-125-0x00007FF78BBB0000-0x00007FF78BF01000-memory.dmp

Filesize
3.3MB

Download
memory/3420-217-0x00007FF7A0590000-0x00007FF7A08E1000-memory.dmp

Filesize
3.3MB

Download
memory/3420-9-0x00007FF7A0590000-0x00007FF7A08E1000-memory.dmp

Filesize
3.3MB

Download
memory/3420-130-0x00007FF7A0590000-0x00007FF7A08E1000-memory.dmp

Filesize
3.3MB

Download
memory/3436-28-0x00007FF756580000-0x00007FF7568D1000-memory.dmp

Filesize
3.3MB

Download
memory/3436-221-0x00007FF756580000-0x00007FF7568D1000-memory.dmp

Filesize
3.3MB

Download
memory/3652-106-0x00007FF6CDB40000-0x00007FF6CDE91000-memory.dmp

Filesize
3.3MB

Download
memory/3652-249-0x00007FF6CDB40000-0x00007FF6CDE91000-memory.dmp

Filesize
3.3MB

Download
memory/3772-219-0x00007FF7B60C0000-0x00007FF7B6411000-memory.dmp

Filesize
3.3MB

Download
memory/3772-15-0x00007FF7B60C0000-0x00007FF7B6411000-memory.dmp

Filesize
3.3MB

Download
memory/3772-131-0x00007FF7B60C0000-0x00007FF7B6411000-memory.dmp

Filesize
3.3MB

Download
memory/4040-223-0x00007FF606520000-0x00007FF606871000-memory.dmp

Filesize
3.3MB

Download
memory/4040-133-0x00007FF606520000-0x00007FF606871000-memory.dmp

Filesize
3.3MB

Download
memory/4040-39-0x00007FF606520000-0x00007FF606871000-memory.dmp

Filesize
3.3MB

Download
memory/4368-107-0x00007FF6C5600000-0x00007FF6C5951000-memory.dmp

Filesize
3.3MB

Download
memory/4368-236-0x00007FF6C5600000-0x00007FF6C5951000-memory.dmp

Filesize
3.3MB

Download
memory/4492-243-0x00007FF7817E0000-0x00007FF781B31000-memory.dmp

Filesize
3.3MB

Download
memory/4492-119-0x00007FF7817E0000-0x00007FF781B31000-memory.dmp

Filesize
3.3MB

Download
memory/4756-247-0x00007FF63BC00000-0x00007FF63BF51000-memory.dmp

Filesize
3.3MB

Download
memory/4756-117-0x00007FF63BC00000-0x00007FF63BF51000-memory.dmp

Filesize
3.3MB

Download
memory/4872-99-0x00007FF782880000-0x00007FF782BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4872-237-0x00007FF782880000-0x00007FF782BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4896-67-0x00007FF76B8F0000-0x00007FF76BC41000-memory.dmp

Filesize
3.3MB

Download
memory/4896-225-0x00007FF76B8F0000-0x00007FF76BC41000-memory.dmp

Filesize
3.3MB

Download
memory/4936-137-0x00007FF63DA90000-0x00007FF63DDE1000-memory.dmp

Filesize
3.3MB

Download
memory/4936-49-0x00007FF63DA90000-0x00007FF63DDE1000-memory.dmp

Filesize
3.3MB

Download
memory/4936-231-0x00007FF63DA90000-0x00007FF63DDE1000-memory.dmp

Filesize
3.3MB

Download
memory/5000-250-0x00007FF6EA9D0000-0x00007FF6EAD21000-memory.dmp

Filesize
3.3MB

Download
memory/5000-123-0x00007FF6EA9D0000-0x00007FF6EAD21000-memory.dmp

Filesize
3.3MB

Download
memory/5072-41-0x00007FF786BA0000-0x00007FF786EF1000-memory.dmp

Filesize
3.3MB

Download
memory/5072-229-0x00007FF786BA0000-0x00007FF786EF1000-memory.dmp

Filesize
3.3MB

Download
memory/5072-136-0x00007FF786BA0000-0x00007FF786EF1000-memory.dmp

Filesize
3.3MB

Download