cobaltstrike | 35ca215b492719ea0a6a96cf23682970cb8bb25609f05a5f66f47d328ad1614a

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

297712cd8138dd42d5b87117a1feb336
SHA1

94aff345125f6e02ab4f2d5ae7f8c7ea139e74ce
SHA256

35ca215b492719ea0a6a96cf23682970cb8bb25609f05a5f66f47d328ad1614a
SHA512

a4ea8307fcd3ff4e3bafbdf0ee97e262cc0298baf62e285cefedb2286ea06a6e6b0744cbdef2a2b70829bdcb4e7a873532370e890d6d5b8040367356f293f3ec
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lY:RWWBibf56utgpPFotBER/mQ32lUM

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023cc0-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc8-33.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cc1-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccb-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc9-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cce-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccf-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccd-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccc-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd0-92.dat	cobalt_reflective_dll
behavioral2/files/0x000a00000001e582-99.dat	cobalt_reflective_dll
behavioral2/files/0x000800000001e58d-106.dat	cobalt_reflective_dll
behavioral2/files/0x000900000001e596-111.dat	cobalt_reflective_dll
behavioral2/files/0x000b00000001e5c0-122.dat	cobalt_reflective_dll
behavioral2/files/0x00050000000229c7-137.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd1-142.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000022719-135.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/696-50-0x00007FF720170000-0x00007FF7204C1000-memory.dmp	xmrig
behavioral2/memory/3916-56-0x00007FF6B5E10000-0x00007FF6B6161000-memory.dmp	xmrig
behavioral2/memory/1440-68-0x00007FF75BC60000-0x00007FF75BFB1000-memory.dmp	xmrig
behavioral2/memory/1716-81-0x00007FF7006B0000-0x00007FF700A01000-memory.dmp	xmrig
behavioral2/memory/3932-80-0x00007FF6F7530000-0x00007FF6F7881000-memory.dmp	xmrig
behavioral2/memory/4676-74-0x00007FF6A84C0000-0x00007FF6A8811000-memory.dmp	xmrig
behavioral2/memory/184-61-0x00007FF76C0F0000-0x00007FF76C441000-memory.dmp	xmrig
behavioral2/memory/2284-90-0x00007FF646B00000-0x00007FF646E51000-memory.dmp	xmrig
behavioral2/memory/3652-93-0x00007FF67EE60000-0x00007FF67F1B1000-memory.dmp	xmrig
behavioral2/memory/2452-105-0x00007FF612670000-0x00007FF6129C1000-memory.dmp	xmrig
behavioral2/memory/2224-132-0x00007FF68E4C0000-0x00007FF68E811000-memory.dmp	xmrig
behavioral2/memory/2908-138-0x00007FF798E60000-0x00007FF7991B1000-memory.dmp	xmrig
behavioral2/memory/1432-130-0x00007FF7E7E90000-0x00007FF7E81E1000-memory.dmp	xmrig
behavioral2/memory/3944-129-0x00007FF75DCB0000-0x00007FF75E001000-memory.dmp	xmrig
behavioral2/memory/2528-149-0x00007FF63FA00000-0x00007FF63FD51000-memory.dmp	xmrig
behavioral2/memory/3032-150-0x00007FF6B8270000-0x00007FF6B85C1000-memory.dmp	xmrig
behavioral2/memory/4588-152-0x00007FF66B9D0000-0x00007FF66BD21000-memory.dmp	xmrig
behavioral2/memory/2156-157-0x00007FF6B5660000-0x00007FF6B59B1000-memory.dmp	xmrig
behavioral2/memory/3600-159-0x00007FF72C5C0000-0x00007FF72C911000-memory.dmp	xmrig
behavioral2/memory/3212-160-0x00007FF6FC5D0000-0x00007FF6FC921000-memory.dmp	xmrig
behavioral2/memory/3916-162-0x00007FF6B5E10000-0x00007FF6B6161000-memory.dmp	xmrig
behavioral2/memory/432-174-0x00007FF617EB0000-0x00007FF618201000-memory.dmp	xmrig
behavioral2/memory/2844-173-0x00007FF635440000-0x00007FF635791000-memory.dmp	xmrig
behavioral2/memory/3916-185-0x00007FF6B5E10000-0x00007FF6B6161000-memory.dmp	xmrig
behavioral2/memory/184-214-0x00007FF76C0F0000-0x00007FF76C441000-memory.dmp	xmrig
behavioral2/memory/1440-216-0x00007FF75BC60000-0x00007FF75BFB1000-memory.dmp	xmrig
behavioral2/memory/4676-225-0x00007FF6A84C0000-0x00007FF6A8811000-memory.dmp	xmrig
behavioral2/memory/1716-227-0x00007FF7006B0000-0x00007FF700A01000-memory.dmp	xmrig
behavioral2/memory/3932-229-0x00007FF6F7530000-0x00007FF6F7881000-memory.dmp	xmrig
behavioral2/memory/2284-231-0x00007FF646B00000-0x00007FF646E51000-memory.dmp	xmrig
behavioral2/memory/3652-235-0x00007FF67EE60000-0x00007FF67F1B1000-memory.dmp	xmrig
behavioral2/memory/696-237-0x00007FF720170000-0x00007FF7204C1000-memory.dmp	xmrig
behavioral2/memory/2452-239-0x00007FF612670000-0x00007FF6129C1000-memory.dmp	xmrig
behavioral2/memory/3944-246-0x00007FF75DCB0000-0x00007FF75E001000-memory.dmp	xmrig
behavioral2/memory/1432-248-0x00007FF7E7E90000-0x00007FF7E81E1000-memory.dmp	xmrig
behavioral2/memory/2908-250-0x00007FF798E60000-0x00007FF7991B1000-memory.dmp	xmrig
behavioral2/memory/2528-252-0x00007FF63FA00000-0x00007FF63FD51000-memory.dmp	xmrig
behavioral2/memory/4588-256-0x00007FF66B9D0000-0x00007FF66BD21000-memory.dmp	xmrig
behavioral2/memory/2156-258-0x00007FF6B5660000-0x00007FF6B59B1000-memory.dmp	xmrig
behavioral2/memory/3600-262-0x00007FF72C5C0000-0x00007FF72C911000-memory.dmp	xmrig
behavioral2/memory/2224-268-0x00007FF68E4C0000-0x00007FF68E811000-memory.dmp	xmrig
behavioral2/memory/3212-270-0x00007FF6FC5D0000-0x00007FF6FC921000-memory.dmp	xmrig
behavioral2/memory/432-272-0x00007FF617EB0000-0x00007FF618201000-memory.dmp	xmrig
behavioral2/memory/3032-274-0x00007FF6B8270000-0x00007FF6B85C1000-memory.dmp	xmrig
behavioral2/memory/2844-276-0x00007FF635440000-0x00007FF635791000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
184	TDEWDjn.exe
1440	PJZIUCe.exe
4676	MhXIibv.exe
3932	hWnOIHF.exe
1716	wwUUucB.exe
2284	EWHYsiu.exe
3652	sAbVjVj.exe
696	eMgOXMp.exe
2452	ZuCISwe.exe
3944	EFUpyoq.exe
1432	KCjqMMf.exe
2908	MFqXNnA.exe
2528	PWxsFKq.exe
4588	dbdnZnE.exe
2156	ouvJgzF.exe
3600	pNcrqXN.exe
3212	xzhBHZl.exe
2224	lJycTqB.exe
432	UuuuHeN.exe
2844	EnZvaiE.exe
3032	TrzhHGZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3916-0-0x00007FF6B5E10000-0x00007FF6B6161000-memory.dmp	upx
behavioral2/files/0x0008000000023cc0-6.dat	upx
behavioral2/files/0x0007000000023cc4-11.dat	upx
behavioral2/files/0x0007000000023cc5-17.dat	upx
behavioral2/memory/1440-16-0x00007FF75BC60000-0x00007FF75BFB1000-memory.dmp	upx
behavioral2/memory/4676-21-0x00007FF6A84C0000-0x00007FF6A8811000-memory.dmp	upx
behavioral2/files/0x0007000000023cc6-24.dat	upx
behavioral2/memory/3932-27-0x00007FF6F7530000-0x00007FF6F7881000-memory.dmp	upx
behavioral2/files/0x0007000000023cc7-32.dat	upx
behavioral2/files/0x0007000000023cc8-33.dat	upx
behavioral2/memory/2284-36-0x00007FF646B00000-0x00007FF646E51000-memory.dmp	upx
behavioral2/memory/1716-28-0x00007FF7006B0000-0x00007FF700A01000-memory.dmp	upx
behavioral2/memory/184-8-0x00007FF76C0F0000-0x00007FF76C441000-memory.dmp	upx
behavioral2/memory/3652-42-0x00007FF67EE60000-0x00007FF67F1B1000-memory.dmp	upx
behavioral2/files/0x0008000000023cc1-48.dat	upx
behavioral2/files/0x0007000000023ccb-52.dat	upx
behavioral2/memory/2452-53-0x00007FF612670000-0x00007FF6129C1000-memory.dmp	upx
behavioral2/memory/696-50-0x00007FF720170000-0x00007FF7204C1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc9-45.dat	upx
behavioral2/memory/3916-56-0x00007FF6B5E10000-0x00007FF6B6161000-memory.dmp	upx
behavioral2/memory/3944-65-0x00007FF75DCB0000-0x00007FF75E001000-memory.dmp	upx
behavioral2/files/0x0007000000023cce-71.dat	upx
behavioral2/memory/1440-68-0x00007FF75BC60000-0x00007FF75BFB1000-memory.dmp	upx
behavioral2/memory/2908-76-0x00007FF798E60000-0x00007FF7991B1000-memory.dmp	upx
behavioral2/files/0x0007000000023ccf-78.dat	upx
behavioral2/memory/1716-81-0x00007FF7006B0000-0x00007FF700A01000-memory.dmp	upx
behavioral2/memory/2528-84-0x00007FF63FA00000-0x00007FF63FD51000-memory.dmp	upx
behavioral2/memory/3932-80-0x00007FF6F7530000-0x00007FF6F7881000-memory.dmp	upx
behavioral2/memory/4676-74-0x00007FF6A84C0000-0x00007FF6A8811000-memory.dmp	upx
behavioral2/files/0x0007000000023ccd-73.dat	upx
behavioral2/memory/1432-72-0x00007FF7E7E90000-0x00007FF7E81E1000-memory.dmp	upx
behavioral2/files/0x0007000000023ccc-64.dat	upx
behavioral2/memory/184-61-0x00007FF76C0F0000-0x00007FF76C441000-memory.dmp	upx
behavioral2/files/0x0007000000023cd0-92.dat	upx
behavioral2/memory/4588-91-0x00007FF66B9D0000-0x00007FF66BD21000-memory.dmp	upx
behavioral2/memory/2284-90-0x00007FF646B00000-0x00007FF646E51000-memory.dmp	upx
behavioral2/memory/3652-93-0x00007FF67EE60000-0x00007FF67F1B1000-memory.dmp	upx
behavioral2/memory/2156-98-0x00007FF6B5660000-0x00007FF6B59B1000-memory.dmp	upx
behavioral2/files/0x000a00000001e582-99.dat	upx
behavioral2/memory/2452-105-0x00007FF612670000-0x00007FF6129C1000-memory.dmp	upx
behavioral2/memory/3600-108-0x00007FF72C5C0000-0x00007FF72C911000-memory.dmp	upx
behavioral2/files/0x000800000001e58d-106.dat	upx
behavioral2/files/0x000900000001e596-111.dat	upx
behavioral2/files/0x000b00000001e5c0-122.dat	upx
behavioral2/memory/3212-125-0x00007FF6FC5D0000-0x00007FF6FC921000-memory.dmp	upx
behavioral2/memory/2224-132-0x00007FF68E4C0000-0x00007FF68E811000-memory.dmp	upx
behavioral2/memory/432-133-0x00007FF617EB0000-0x00007FF618201000-memory.dmp	upx
behavioral2/memory/2908-138-0x00007FF798E60000-0x00007FF7991B1000-memory.dmp	upx
behavioral2/files/0x00050000000229c7-137.dat	upx
behavioral2/files/0x0007000000023cd1-142.dat	upx
behavioral2/files/0x0008000000022719-135.dat	upx
behavioral2/memory/1432-130-0x00007FF7E7E90000-0x00007FF7E81E1000-memory.dmp	upx
behavioral2/memory/3944-129-0x00007FF75DCB0000-0x00007FF75E001000-memory.dmp	upx
behavioral2/memory/2844-146-0x00007FF635440000-0x00007FF635791000-memory.dmp	upx
behavioral2/memory/2528-149-0x00007FF63FA00000-0x00007FF63FD51000-memory.dmp	upx
behavioral2/memory/3032-150-0x00007FF6B8270000-0x00007FF6B85C1000-memory.dmp	upx
behavioral2/memory/4588-152-0x00007FF66B9D0000-0x00007FF66BD21000-memory.dmp	upx
behavioral2/memory/2156-157-0x00007FF6B5660000-0x00007FF6B59B1000-memory.dmp	upx
behavioral2/memory/3600-159-0x00007FF72C5C0000-0x00007FF72C911000-memory.dmp	upx
behavioral2/memory/3212-160-0x00007FF6FC5D0000-0x00007FF6FC921000-memory.dmp	upx
behavioral2/memory/3916-162-0x00007FF6B5E10000-0x00007FF6B6161000-memory.dmp	upx
behavioral2/memory/432-174-0x00007FF617EB0000-0x00007FF618201000-memory.dmp	upx
behavioral2/memory/2844-173-0x00007FF635440000-0x00007FF635791000-memory.dmp	upx
behavioral2/memory/3916-185-0x00007FF6B5E10000-0x00007FF6B6161000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\TDEWDjn.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eMgOXMp.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZuCISwe.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dbdnZnE.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UuuuHeN.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MhXIibv.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sAbVjVj.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PWxsFKq.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hWnOIHF.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wwUUucB.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EWHYsiu.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EFUpyoq.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MFqXNnA.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pNcrqXN.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xzhBHZl.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lJycTqB.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TrzhHGZ.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PJZIUCe.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KCjqMMf.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ouvJgzF.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EnZvaiE.exe	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 184	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3916 wrote to memory of 184	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3916 wrote to memory of 1440	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3916 wrote to memory of 1440	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3916 wrote to memory of 4676	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3916 wrote to memory of 4676	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3916 wrote to memory of 3932	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3916 wrote to memory of 3932	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3916 wrote to memory of 1716	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3916 wrote to memory of 1716	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3916 wrote to memory of 2284	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3916 wrote to memory of 2284	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3916 wrote to memory of 3652	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3916 wrote to memory of 3652	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3916 wrote to memory of 696	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3916 wrote to memory of 696	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3916 wrote to memory of 2452	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3916 wrote to memory of 2452	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3916 wrote to memory of 3944	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3916 wrote to memory of 3944	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3916 wrote to memory of 1432	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3916 wrote to memory of 1432	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3916 wrote to memory of 2908	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3916 wrote to memory of 2908	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3916 wrote to memory of 2528	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3916 wrote to memory of 2528	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3916 wrote to memory of 4588	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3916 wrote to memory of 4588	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3916 wrote to memory of 2156	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3916 wrote to memory of 2156	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3916 wrote to memory of 3600	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3916 wrote to memory of 3600	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3916 wrote to memory of 3212	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3916 wrote to memory of 3212	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3916 wrote to memory of 2224	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3916 wrote to memory of 2224	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3916 wrote to memory of 432	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3916 wrote to memory of 432	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3916 wrote to memory of 2844	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3916 wrote to memory of 2844	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3916 wrote to memory of 3032	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 3916 wrote to memory of 3032	3916	2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-16_297712cd8138dd42d5b87117a1feb336_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\System\TDEWDjn.exe
  C:\Windows\System\TDEWDjn.exe
  2⤵
  - Executes dropped EXE
  PID:184
- C:\Windows\System\PJZIUCe.exe
  C:\Windows\System\PJZIUCe.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\MhXIibv.exe
  C:\Windows\System\MhXIibv.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\hWnOIHF.exe
  C:\Windows\System\hWnOIHF.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\wwUUucB.exe
  C:\Windows\System\wwUUucB.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\EWHYsiu.exe
  C:\Windows\System\EWHYsiu.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\sAbVjVj.exe
  C:\Windows\System\sAbVjVj.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\eMgOXMp.exe
  C:\Windows\System\eMgOXMp.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System\ZuCISwe.exe
  C:\Windows\System\ZuCISwe.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\EFUpyoq.exe
  C:\Windows\System\EFUpyoq.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\KCjqMMf.exe
  C:\Windows\System\KCjqMMf.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\MFqXNnA.exe
  C:\Windows\System\MFqXNnA.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System\PWxsFKq.exe
  C:\Windows\System\PWxsFKq.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\dbdnZnE.exe
  C:\Windows\System\dbdnZnE.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System\ouvJgzF.exe
  C:\Windows\System\ouvJgzF.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\pNcrqXN.exe
  C:\Windows\System\pNcrqXN.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System\xzhBHZl.exe
  C:\Windows\System\xzhBHZl.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System\lJycTqB.exe
  C:\Windows\System\lJycTqB.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\UuuuHeN.exe
  C:\Windows\System\UuuuHeN.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\EnZvaiE.exe
  C:\Windows\System\EnZvaiE.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\TrzhHGZ.exe
  C:\Windows\System\TrzhHGZ.exe
  2⤵
  - Executes dropped EXE
  PID:3032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EFUpyoq.exe

Filesize
5.2MB

MD5
ac442847d8fc570894eb9baf5ff3a9b0

SHA1
d14fee4c613c88009934b50db452f8d00783308d

SHA256
784e67519e1edc042bd1166b58472d7291ebe346e8ec12497d5fe6d4dbcf0930

SHA512
8a9b390a9868b6c7a0b7f19e18fc4c9de47920a9b1ffb37778290ffdb8afd3ad28a5d21fd88f81e32b9921bb6055347dd07a2f5dc336146e6d1f576b525d7c3d

Download Submit
C:\Windows\System\EWHYsiu.exe

Filesize
5.2MB

MD5
96c604b60cf1d9f697a51f71bdd12a7a

SHA1
aa55c12a64b1c0eaad73d748e8d49ac6fcbbf320

SHA256
bab49c6a3d167341e47b1b4faa07af8a699d4c2e457a7af6d00d0274d12b83f5

SHA512
1ae64a4b0712bedb59afed32eea84d2b7b92fb6936b84f48e602fab0d5056b8fdc488f8a07932141d4bdd4692db91843940bf5293234e27e7ab2df7cc916e2df

Download Submit
C:\Windows\System\EnZvaiE.exe

Filesize
5.2MB

MD5
14af4c3609aa88580c74d0d1c9638571

SHA1
31e05319dcea4a44901e1ed7278c018a8f812682

SHA256
ae6ff60dfe09b66f881b52e519a101fbdb36d380a9538dec95411a4c19039849

SHA512
b8eb9929a65c03a44fa322bc4df1d01aeeccf8a2b2100baa8c94e059356076c564efe96529e2ee7300a67f0b9bd83ec23c2496f0e89b8d72f173c88a5fdaa6fe

Download Submit
C:\Windows\System\KCjqMMf.exe

Filesize
5.2MB

MD5
26f9dfca36ad11d2e9f319062d806469

SHA1
b4b676f0bf489e46d10d958c49e9c037c4e75015

SHA256
998e86d48f714da2403f122cc07702ddb837af6bc1e533b0d98c9db7e616ecc6

SHA512
949a985b2910ccf49cb3fbf400c10e185b5081b56a0b7a5d8290ac2476956a1f9709552d46c3cd828f3d24a61c169358aa5f650a8b3fe85eaaed8e0be9e43d3c

Download Submit
C:\Windows\System\MFqXNnA.exe

Filesize
5.2MB

MD5
2b2a6ff3d9262438aef71c832fc58b27

SHA1
6366377b81fa108a61ca54afaf6ec6eb4e00e6fa

SHA256
dc06d77218f8158157c5160f30d45c7c33bde254da920c9e1628ecd6d75028b3

SHA512
29b8198b1abd3401ed780c6b7f135b805c1558ce5b9b2d29de7d43a497c6a50b1cf6e0a139b62eeae3d9aa196d14b91c05f0557f7ae7567f8e5ff8d0dac3a096

Download Submit
C:\Windows\System\MhXIibv.exe

Filesize
5.2MB

MD5
1273be32ca736067e8e0fe5b5d23ad3c

SHA1
02e90c805c01656283bfbce2ffcc59a97c8a8138

SHA256
381d5759b695571b048e98373a380876132b74c4806779a241a7e25fd15332aa

SHA512
5d2282cc0ec3dd365a43e75b2d061e8d51d075b9e91e2ceae506a26e6cf6f1e295cdb0740fc85419f2800f11c3fa3bf3b813f5390502801774481500be996958

Download Submit
C:\Windows\System\PJZIUCe.exe

Filesize
5.2MB

MD5
6c2117b97c76c20c24b51b1bb45b2e6e

SHA1
78f6aca9063ccbb4f3b3dc995912cbca4e0988fa

SHA256
2f6c92db2b9c25848a2bc8c63f7d47e8e1f2c8af0f1674e50991891fa08e9e68

SHA512
eef67eba44eb97820314446f20c61cd140d099d3e868bf34d16358b9181d6c797ef963c6774111e8429119e73af7327c63912bfd14f717ec639814050bd343e0

Download Submit
C:\Windows\System\PWxsFKq.exe

Filesize
5.2MB

MD5
3467b001d339e1628e8a2e83e7d20376

SHA1
11453d79f545eef56c8d219290998b09c2e01b4f

SHA256
c2bb3e83a50882badd28f29594f8552a58c79d07c6dd9cd9c3c63693aa437993

SHA512
cf74446cd776ceb63c0ccbf067595fd5ecd868415b92b831d1f3eaff2ba95ab63a6f45dc71007f7096465ddab11bf0c77af4ebf40d4f750f03c6802230831e93

Download Submit
C:\Windows\System\TDEWDjn.exe

Filesize
5.2MB

MD5
e3767f26746eb33ae5d9db7d2cc1eda1

SHA1
1ebbce8c635e2efcba55c325b51ad3cdda6dcee1

SHA256
7981f53b11d800b2c460ff3cbb475c3a2eb496b367cd0ba2a15c269c92b9bf33

SHA512
9dd1d9e326d95019c8a27c5fdea1cbcb1f7167d94f7e5fb40b58c9066d795f48d3708e0e4d825689635d7cb9692be0c785c94a19ee23c2571527058a0a533cc3

Download Submit
C:\Windows\System\TrzhHGZ.exe

Filesize
5.2MB

MD5
d2673c1b18d16c49a27b0c6442708542

SHA1
b2221766dd0c78fe091ab376c70f7e7c48ebb342

SHA256
c16563ffe7ba59f36bfc5f28aa1d33945f07bbc2bfa5628ae537ffe9dbb86a67

SHA512
bd3f15db9cac32db5092186f64eed6ea6ed1eb1009784f19f9de38a8b4bda2e0e906c6a222327291de0af8c323a36b82f2f57fe2141101874b473128bfc87542

Download Submit
C:\Windows\System\UuuuHeN.exe

Filesize
5.2MB

MD5
33237b8de047a6fcc9b8e29d11dfd605

SHA1
c16e0413e28d46c1b9a623c6b80c4b72851cc5c0

SHA256
a15bcce4af6428d1a469e1368880e6c8aa435730bfa1b8aded082495d1742e1b

SHA512
106f5665280d2731421c07146a398e13c962d2636b79e4210c8bf5120be6131a7b22836292468edae7ac0891f5a53377ba8fa0e39dc01ab5378bb7c54687dae2

Download Submit
C:\Windows\System\ZuCISwe.exe

Filesize
5.2MB

MD5
46e9236047aef2b86b3f7773e0419070

SHA1
6dede58adf64291bc6d93d302d0a85effc71c1c4

SHA256
b02bd7839f367d9a1a9b2914a6cdbdd493ee360e82d138f2e1bc978830537f68

SHA512
4bab0e9cae5971960960d301ce6738a6614b3d8f761f2dc5625e552b34f7293ce09083fc3592113c336237cfbf312fef63d714dcb393afb3fb57b038a62ff593

Download Submit
C:\Windows\System\dbdnZnE.exe

Filesize
5.2MB

MD5
8cab55af77a483db9ad1d9e85eee1bc5

SHA1
fca741957e2755c77580255c17e27a3683ba9b54

SHA256
cec8ab2bb8439d93d9403d9f243f6f85f6a8b7efc4fd2bced5000a98593e3bbe

SHA512
06fea6ded1c5a9725ade626e9701fd8e29514976975bea02de656646d96622f9fbb082f7b511511ef4bcc1e57d4ef20b959364fb74d5c2ae517ab5a6354b6bee

Download Submit
C:\Windows\System\eMgOXMp.exe

Filesize
5.2MB

MD5
fc148302d6e267b066fe81f0c2166f3b

SHA1
30a60e78e92d77f2868210219899afad867d61a7

SHA256
28ddb1a52ebf29ef61c796b17ed71a305413648fbf39ef5a088c2a99c7392ac1

SHA512
a2b5c25093002f642c4d1dc6e6fd413493b7f87b51e9bdda71634ff18170112c0fd35ca96609f34c3003852eeb8ce6c8fe3c69954354778bb8cc606579be2a8b

Download Submit
C:\Windows\System\hWnOIHF.exe

Filesize
5.2MB

MD5
2fa1f0ddc42dc6eda16f75d4e82867fd

SHA1
5448727196018634c6274a63643d7d7ce8a589d5

SHA256
8777bcfd019b1ec9feb38b1f74c4eca47d9ab737cc83132efbcf95af05198eef

SHA512
fa6d9ce83f08f01aa809aabdd568ba60635402072fbb2b39dbbc4e884d23d50bfaa92cfb738028d971a5fc5d97800cc48ea2458ea9727cfd209353e5caa1ff43

Download Submit
C:\Windows\System\lJycTqB.exe

Filesize
5.2MB

MD5
e0cb400e7fdca8eebc21d0ec184b4a32

SHA1
6174c67ee96bdad136fd59f8eb8ee574d69f8152

SHA256
0c6fa2ac783509ab57b11f4d7d237463148f48b8eba556a26c77ad6ece2ea4ba

SHA512
04140523b30640fc0e93daec4d19ddb97858ab80badb708fb258d3403a89d26dd7549d18439214536f16dd70b1b9bd1de81d93681393050cb77afa59a67a2341

Download Submit
C:\Windows\System\ouvJgzF.exe

Filesize
5.2MB

MD5
7e392787139468ad85b20e926d22ac96

SHA1
75722da0142c1f571960d9df0b8016b8a7a74533

SHA256
52a724af18fe77ab36636782a738a25eaf263076714752c42442b585e3c89f90

SHA512
c4174bd014851203fa4c79d74bc82bf6b0c10180a39ba31bc66da994bcf12d221ed7c22a5c30a9783ea02498c06ee39e01a6d56d29020181fdefac4f08397843

Download Submit
C:\Windows\System\pNcrqXN.exe

Filesize
5.2MB

MD5
e0065d099688120b1f4e4098f2db45e6

SHA1
822d287d86d5c8bc04eb4938f51152862e41e87d

SHA256
add00e14c9a417686920665068c6a0738ccf2b374da9e22bb1978aea360a0d4c

SHA512
6050d021fd608cc27bb2a72c29ed018d5502694339e24f627d214fd4eef8c5b5b36c7d3d5c77569915b4706cf67851523ed262810e0f16dbad1a50a29b99a189

Download Submit
C:\Windows\System\sAbVjVj.exe

Filesize
5.2MB

MD5
1ed2a8d83fbe6feea8d328f3ec1ba9a9

SHA1
214fb8643ad779e728bb9b16c4c7a397cfe4b2e8

SHA256
ca15af0a0138b03221c1aa058147f351299a7f84c0f5161c64067960682b58d7

SHA512
01c5f2eb291ea5dee8fdcf950295c901ce82a79c2a9af6b2f6fc1c5acf3e8846d37cbef3481bb182ae54d9f82ee1114a019c6dff71842f0ffdb0499de4a5f624

Download Submit
C:\Windows\System\wwUUucB.exe

Filesize
5.2MB

MD5
5569e1c63c79f171536a3168bf4b0781

SHA1
6808a0de49333f6143b6a29d727f11f6ad4d68df

SHA256
4ba292a97f3b7a4ac8dc786c247b8eab93830bb233d9520af133f30e66a25c2a

SHA512
fd29ec1b3bdc02922495a8bdbb59991e9abe6a78e3a470a78610e080bee3bad46df8641491d58a75c0c002d38f2639afdd6a088164883adc39ce69ae09f2e1c5

Download Submit
C:\Windows\System\xzhBHZl.exe

Filesize
5.2MB

MD5
1867e50c5b6a2a189e2b46ba1540c1d6

SHA1
ba4342b1c5a2c3e9c5a35ffa634da0dc968de330

SHA256
f0b5de472a56549e1c41bfc37d539fdaa8e7e1647fd1e8972950beb01af57a3b

SHA512
4c6929efecde3610d66a67390ba4b27a505a9c69d41868fdb59849b6b82b56188533b7779bca353f25a5f5b14c6b0d1ab616da0a80525fe1c82387ef5d25f7af

Download Submit
memory/184-8-0x00007FF76C0F0000-0x00007FF76C441000-memory.dmp

Filesize
3.3MB

Download
memory/184-61-0x00007FF76C0F0000-0x00007FF76C441000-memory.dmp

Filesize
3.3MB

Download
memory/184-214-0x00007FF76C0F0000-0x00007FF76C441000-memory.dmp

Filesize
3.3MB

Download
memory/432-174-0x00007FF617EB0000-0x00007FF618201000-memory.dmp

Filesize
3.3MB

Download
memory/432-272-0x00007FF617EB0000-0x00007FF618201000-memory.dmp

Filesize
3.3MB

Download
memory/432-133-0x00007FF617EB0000-0x00007FF618201000-memory.dmp

Filesize
3.3MB

Download
memory/696-237-0x00007FF720170000-0x00007FF7204C1000-memory.dmp

Filesize
3.3MB

Download
memory/696-50-0x00007FF720170000-0x00007FF7204C1000-memory.dmp

Filesize
3.3MB

Download
memory/1432-130-0x00007FF7E7E90000-0x00007FF7E81E1000-memory.dmp

Filesize
3.3MB

Download
memory/1432-72-0x00007FF7E7E90000-0x00007FF7E81E1000-memory.dmp

Filesize
3.3MB

Download
memory/1432-248-0x00007FF7E7E90000-0x00007FF7E81E1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-216-0x00007FF75BC60000-0x00007FF75BFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-16-0x00007FF75BC60000-0x00007FF75BFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-68-0x00007FF75BC60000-0x00007FF75BFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1716-81-0x00007FF7006B0000-0x00007FF700A01000-memory.dmp

Filesize
3.3MB

Download
memory/1716-227-0x00007FF7006B0000-0x00007FF700A01000-memory.dmp

Filesize
3.3MB

Download
memory/1716-28-0x00007FF7006B0000-0x00007FF700A01000-memory.dmp

Filesize
3.3MB

Download
memory/2156-157-0x00007FF6B5660000-0x00007FF6B59B1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-98-0x00007FF6B5660000-0x00007FF6B59B1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-258-0x00007FF6B5660000-0x00007FF6B59B1000-memory.dmp

Filesize
3.3MB

Download
memory/2224-268-0x00007FF68E4C0000-0x00007FF68E811000-memory.dmp

Filesize
3.3MB

Download
memory/2224-132-0x00007FF68E4C0000-0x00007FF68E811000-memory.dmp

Filesize
3.3MB

Download
memory/2284-231-0x00007FF646B00000-0x00007FF646E51000-memory.dmp

Filesize
3.3MB

Download
memory/2284-90-0x00007FF646B00000-0x00007FF646E51000-memory.dmp

Filesize
3.3MB

Download
memory/2284-36-0x00007FF646B00000-0x00007FF646E51000-memory.dmp

Filesize
3.3MB

Download
memory/2452-53-0x00007FF612670000-0x00007FF6129C1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-239-0x00007FF612670000-0x00007FF6129C1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-105-0x00007FF612670000-0x00007FF6129C1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-252-0x00007FF63FA00000-0x00007FF63FD51000-memory.dmp

Filesize
3.3MB

Download
memory/2528-149-0x00007FF63FA00000-0x00007FF63FD51000-memory.dmp

Filesize
3.3MB

Download
memory/2528-84-0x00007FF63FA00000-0x00007FF63FD51000-memory.dmp

Filesize
3.3MB

Download
memory/2844-173-0x00007FF635440000-0x00007FF635791000-memory.dmp

Filesize
3.3MB

Download
memory/2844-146-0x00007FF635440000-0x00007FF635791000-memory.dmp

Filesize
3.3MB

Download
memory/2844-276-0x00007FF635440000-0x00007FF635791000-memory.dmp

Filesize
3.3MB

Download
memory/2908-250-0x00007FF798E60000-0x00007FF7991B1000-memory.dmp

Filesize
3.3MB

Download
memory/2908-138-0x00007FF798E60000-0x00007FF7991B1000-memory.dmp

Filesize
3.3MB

Download
memory/2908-76-0x00007FF798E60000-0x00007FF7991B1000-memory.dmp

Filesize
3.3MB

Download
memory/3032-274-0x00007FF6B8270000-0x00007FF6B85C1000-memory.dmp

Filesize
3.3MB

Download
memory/3032-150-0x00007FF6B8270000-0x00007FF6B85C1000-memory.dmp

Filesize
3.3MB

Download
memory/3212-160-0x00007FF6FC5D0000-0x00007FF6FC921000-memory.dmp

Filesize
3.3MB

Download
memory/3212-270-0x00007FF6FC5D0000-0x00007FF6FC921000-memory.dmp

Filesize
3.3MB

Download
memory/3212-125-0x00007FF6FC5D0000-0x00007FF6FC921000-memory.dmp

Filesize
3.3MB

Download
memory/3600-159-0x00007FF72C5C0000-0x00007FF72C911000-memory.dmp

Filesize
3.3MB

Download
memory/3600-108-0x00007FF72C5C0000-0x00007FF72C911000-memory.dmp

Filesize
3.3MB

Download
memory/3600-262-0x00007FF72C5C0000-0x00007FF72C911000-memory.dmp

Filesize
3.3MB

Download
memory/3652-235-0x00007FF67EE60000-0x00007FF67F1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3652-93-0x00007FF67EE60000-0x00007FF67F1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3652-42-0x00007FF67EE60000-0x00007FF67F1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3916-162-0x00007FF6B5E10000-0x00007FF6B6161000-memory.dmp

Filesize
3.3MB

Download
memory/3916-1-0x000001C795DD0000-0x000001C795DE0000-memory.dmp

Filesize
64KB

Download
memory/3916-0-0x00007FF6B5E10000-0x00007FF6B6161000-memory.dmp

Filesize
3.3MB

Download
memory/3916-56-0x00007FF6B5E10000-0x00007FF6B6161000-memory.dmp

Filesize
3.3MB

Download
memory/3916-185-0x00007FF6B5E10000-0x00007FF6B6161000-memory.dmp

Filesize
3.3MB

Download
memory/3932-27-0x00007FF6F7530000-0x00007FF6F7881000-memory.dmp

Filesize
3.3MB

Download
memory/3932-229-0x00007FF6F7530000-0x00007FF6F7881000-memory.dmp

Filesize
3.3MB

Download
memory/3932-80-0x00007FF6F7530000-0x00007FF6F7881000-memory.dmp

Filesize
3.3MB

Download
memory/3944-246-0x00007FF75DCB0000-0x00007FF75E001000-memory.dmp

Filesize
3.3MB

Download
memory/3944-65-0x00007FF75DCB0000-0x00007FF75E001000-memory.dmp

Filesize
3.3MB

Download
memory/3944-129-0x00007FF75DCB0000-0x00007FF75E001000-memory.dmp

Filesize
3.3MB

Download
memory/4588-256-0x00007FF66B9D0000-0x00007FF66BD21000-memory.dmp

Filesize
3.3MB

Download
memory/4588-91-0x00007FF66B9D0000-0x00007FF66BD21000-memory.dmp

Filesize
3.3MB

Download
memory/4588-152-0x00007FF66B9D0000-0x00007FF66BD21000-memory.dmp

Filesize
3.3MB

Download
memory/4676-225-0x00007FF6A84C0000-0x00007FF6A8811000-memory.dmp

Filesize
3.3MB

Download
memory/4676-21-0x00007FF6A84C0000-0x00007FF6A8811000-memory.dmp

Filesize
3.3MB

Download
memory/4676-74-0x00007FF6A84C0000-0x00007FF6A8811000-memory.dmp

Filesize
3.3MB

Download