cobaltstrike | 128ca15536fdeabfb2fd37bb951392815fcea7719beac00278c8eabadf7b9ca5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

e2a6f908933933af7ac122be89443e2c
SHA1

c14750318873c7de1c273159fcc414af98d478af
SHA256

128ca15536fdeabfb2fd37bb951392815fcea7719beac00278c8eabadf7b9ca5
SHA512

65650a3a23bfc704826e785781efaaf522f2a5b8d44d2f31e1eeeb0aa5ad6afa3bbc8bf2f7dc1776e0087b7d93c18dfc0de91467ed7f3f8c536ec4125c6ecba4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lV:RWWBibf56utgpPFotBER/mQ32lUh

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b7f-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-19.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-22.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-29.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-43.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-58.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-60.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-69.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-89.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-112.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b91-109.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8f-103.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-101.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-87.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-85.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b80-49.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9b-117.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023baf-133.dat	cobalt_reflective_dll
behavioral2/files/0x0012000000023ba7-129.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4540-111-0x00007FF698270000-0x00007FF6985C1000-memory.dmp	xmrig
behavioral2/memory/5008-100-0x00007FF774490000-0x00007FF7747E1000-memory.dmp	xmrig
behavioral2/memory/3028-93-0x00007FF660A90000-0x00007FF660DE1000-memory.dmp	xmrig
behavioral2/memory/5064-114-0x00007FF784A40000-0x00007FF784D91000-memory.dmp	xmrig
behavioral2/memory/3660-131-0x00007FF6B2AD0000-0x00007FF6B2E21000-memory.dmp	xmrig
behavioral2/memory/1224-132-0x00007FF761EC0000-0x00007FF762211000-memory.dmp	xmrig
behavioral2/memory/4696-123-0x00007FF7CDB90000-0x00007FF7CDEE1000-memory.dmp	xmrig
behavioral2/memory/3988-118-0x00007FF6ABAB0000-0x00007FF6ABE01000-memory.dmp	xmrig
behavioral2/memory/2524-140-0x00007FF6AF5E0000-0x00007FF6AF931000-memory.dmp	xmrig
behavioral2/memory/3136-138-0x00007FF7E1070000-0x00007FF7E13C1000-memory.dmp	xmrig
behavioral2/memory/3028-136-0x00007FF660A90000-0x00007FF660DE1000-memory.dmp	xmrig
behavioral2/memory/1924-148-0x00007FF716090000-0x00007FF7163E1000-memory.dmp	xmrig
behavioral2/memory/1856-149-0x00007FF678E70000-0x00007FF6791C1000-memory.dmp	xmrig
behavioral2/memory/4264-156-0x00007FF61F0C0000-0x00007FF61F411000-memory.dmp	xmrig
behavioral2/memory/2616-161-0x00007FF75C410000-0x00007FF75C761000-memory.dmp	xmrig
behavioral2/memory/4940-160-0x00007FF7F07E0000-0x00007FF7F0B31000-memory.dmp	xmrig
behavioral2/memory/1636-158-0x00007FF79DFE0000-0x00007FF79E331000-memory.dmp	xmrig
behavioral2/memory/1160-157-0x00007FF6358A0000-0x00007FF635BF1000-memory.dmp	xmrig
behavioral2/memory/2396-154-0x00007FF769E50000-0x00007FF76A1A1000-memory.dmp	xmrig
behavioral2/memory/1028-151-0x00007FF77FDF0000-0x00007FF780141000-memory.dmp	xmrig
behavioral2/memory/3744-159-0x00007FF79F0A0000-0x00007FF79F3F1000-memory.dmp	xmrig
behavioral2/memory/4200-162-0x00007FF672850000-0x00007FF672BA1000-memory.dmp	xmrig
behavioral2/memory/2508-165-0x00007FF6267E0000-0x00007FF626B31000-memory.dmp	xmrig
behavioral2/memory/3028-166-0x00007FF660A90000-0x00007FF660DE1000-memory.dmp	xmrig
behavioral2/memory/5008-216-0x00007FF774490000-0x00007FF7747E1000-memory.dmp	xmrig
behavioral2/memory/4540-218-0x00007FF698270000-0x00007FF6985C1000-memory.dmp	xmrig
behavioral2/memory/5064-220-0x00007FF784A40000-0x00007FF784D91000-memory.dmp	xmrig
behavioral2/memory/3988-233-0x00007FF6ABAB0000-0x00007FF6ABE01000-memory.dmp	xmrig
behavioral2/memory/4696-235-0x00007FF7CDB90000-0x00007FF7CDEE1000-memory.dmp	xmrig
behavioral2/memory/3660-237-0x00007FF6B2AD0000-0x00007FF6B2E21000-memory.dmp	xmrig
behavioral2/memory/3136-239-0x00007FF7E1070000-0x00007FF7E13C1000-memory.dmp	xmrig
behavioral2/memory/1924-241-0x00007FF716090000-0x00007FF7163E1000-memory.dmp	xmrig
behavioral2/memory/2524-243-0x00007FF6AF5E0000-0x00007FF6AF931000-memory.dmp	xmrig
behavioral2/memory/1224-245-0x00007FF761EC0000-0x00007FF762211000-memory.dmp	xmrig
behavioral2/memory/4940-251-0x00007FF7F07E0000-0x00007FF7F0B31000-memory.dmp	xmrig
behavioral2/memory/1028-253-0x00007FF77FDF0000-0x00007FF780141000-memory.dmp	xmrig
behavioral2/memory/1856-255-0x00007FF678E70000-0x00007FF6791C1000-memory.dmp	xmrig
behavioral2/memory/1636-258-0x00007FF79DFE0000-0x00007FF79E331000-memory.dmp	xmrig
behavioral2/memory/1160-265-0x00007FF6358A0000-0x00007FF635BF1000-memory.dmp	xmrig
behavioral2/memory/2396-263-0x00007FF769E50000-0x00007FF76A1A1000-memory.dmp	xmrig
behavioral2/memory/2616-262-0x00007FF75C410000-0x00007FF75C761000-memory.dmp	xmrig
behavioral2/memory/4264-260-0x00007FF61F0C0000-0x00007FF61F411000-memory.dmp	xmrig
behavioral2/memory/3744-269-0x00007FF79F0A0000-0x00007FF79F3F1000-memory.dmp	xmrig
behavioral2/memory/4200-271-0x00007FF672850000-0x00007FF672BA1000-memory.dmp	xmrig
behavioral2/memory/2508-274-0x00007FF6267E0000-0x00007FF626B31000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5008	AyMJqSA.exe
4540	HFKVyRN.exe
5064	WikVAnm.exe
3988	kcYAJqu.exe
4696	qbxsedO.exe
3660	RSDoaib.exe
3136	aPOfdEZ.exe
1224	yqbuQMq.exe
1924	CDXgMDZ.exe
2524	SfPBFdn.exe
4940	jShFeof.exe
1028	wKIVQDW.exe
1856	PFjUbiP.exe
2396	YpFjYVT.exe
2616	oyKkfcB.exe
4264	DPZEkNl.exe
1160	snFBFRw.exe
1636	kanSQQm.exe
3744	nzIixCa.exe
4200	gghrABq.exe
2508	LEkCPkA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3028-0-0x00007FF660A90000-0x00007FF660DE1000-memory.dmp	upx
behavioral2/files/0x000b000000023b7f-5.dat	upx
behavioral2/files/0x000a000000023b83-11.dat	upx
behavioral2/memory/5064-18-0x00007FF784A40000-0x00007FF784D91000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-19.dat	upx
behavioral2/memory/4540-14-0x00007FF698270000-0x00007FF6985C1000-memory.dmp	upx
behavioral2/memory/5008-7-0x00007FF774490000-0x00007FF7747E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-22.dat	upx
behavioral2/memory/3988-25-0x00007FF6ABAB0000-0x00007FF6ABE01000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-29.dat	upx
behavioral2/memory/4696-30-0x00007FF7CDB90000-0x00007FF7CDEE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-39.dat	upx
behavioral2/files/0x000a000000023b88-43.dat	upx
behavioral2/files/0x000a000000023b89-58.dat	upx
behavioral2/files/0x000a000000023b8a-60.dat	upx
behavioral2/files/0x000a000000023b8c-69.dat	upx
behavioral2/memory/4940-72-0x00007FF7F07E0000-0x00007FF7F0B31000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-89.dat	upx
behavioral2/memory/4264-99-0x00007FF61F0C0000-0x00007FF61F411000-memory.dmp	upx
behavioral2/memory/1160-108-0x00007FF6358A0000-0x00007FF635BF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b99-112.dat	upx
behavioral2/memory/4540-111-0x00007FF698270000-0x00007FF6985C1000-memory.dmp	upx
behavioral2/files/0x000c000000023b91-109.dat	upx
behavioral2/memory/1636-107-0x00007FF79DFE0000-0x00007FF79E331000-memory.dmp	upx
behavioral2/files/0x000b000000023b8f-103.dat	upx
behavioral2/files/0x000a000000023b8e-101.dat	upx
behavioral2/memory/5008-100-0x00007FF774490000-0x00007FF7747E1000-memory.dmp	upx
behavioral2/memory/2396-95-0x00007FF769E50000-0x00007FF76A1A1000-memory.dmp	upx
behavioral2/memory/3028-93-0x00007FF660A90000-0x00007FF660DE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-87.dat	upx
behavioral2/memory/2616-84-0x00007FF75C410000-0x00007FF75C761000-memory.dmp	upx
behavioral2/memory/1856-76-0x00007FF678E70000-0x00007FF6791C1000-memory.dmp	upx
behavioral2/memory/1028-75-0x00007FF77FDF0000-0x00007FF780141000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-85.dat	upx
behavioral2/memory/1924-57-0x00007FF716090000-0x00007FF7163E1000-memory.dmp	upx
behavioral2/memory/2524-54-0x00007FF6AF5E0000-0x00007FF6AF931000-memory.dmp	upx
behavioral2/memory/1224-52-0x00007FF761EC0000-0x00007FF762211000-memory.dmp	upx
behavioral2/files/0x000b000000023b80-49.dat	upx
behavioral2/memory/3136-47-0x00007FF7E1070000-0x00007FF7E13C1000-memory.dmp	upx
behavioral2/memory/3660-36-0x00007FF6B2AD0000-0x00007FF6B2E21000-memory.dmp	upx
behavioral2/memory/5064-114-0x00007FF784A40000-0x00007FF784D91000-memory.dmp	upx
behavioral2/files/0x000b000000023b9b-117.dat	upx
behavioral2/memory/3744-121-0x00007FF79F0A0000-0x00007FF79F3F1000-memory.dmp	upx
behavioral2/memory/3660-131-0x00007FF6B2AD0000-0x00007FF6B2E21000-memory.dmp	upx
behavioral2/memory/2508-135-0x00007FF6267E0000-0x00007FF626B31000-memory.dmp	upx
behavioral2/files/0x0009000000023baf-133.dat	upx
behavioral2/memory/1224-132-0x00007FF761EC0000-0x00007FF762211000-memory.dmp	upx
behavioral2/memory/4200-126-0x00007FF672850000-0x00007FF672BA1000-memory.dmp	upx
behavioral2/memory/4696-123-0x00007FF7CDB90000-0x00007FF7CDEE1000-memory.dmp	upx
behavioral2/files/0x0012000000023ba7-129.dat	upx
behavioral2/memory/3988-118-0x00007FF6ABAB0000-0x00007FF6ABE01000-memory.dmp	upx
behavioral2/memory/2524-140-0x00007FF6AF5E0000-0x00007FF6AF931000-memory.dmp	upx
behavioral2/memory/3136-138-0x00007FF7E1070000-0x00007FF7E13C1000-memory.dmp	upx
behavioral2/memory/3028-136-0x00007FF660A90000-0x00007FF660DE1000-memory.dmp	upx
behavioral2/memory/1924-148-0x00007FF716090000-0x00007FF7163E1000-memory.dmp	upx
behavioral2/memory/1856-149-0x00007FF678E70000-0x00007FF6791C1000-memory.dmp	upx
behavioral2/memory/4264-156-0x00007FF61F0C0000-0x00007FF61F411000-memory.dmp	upx
behavioral2/memory/2616-161-0x00007FF75C410000-0x00007FF75C761000-memory.dmp	upx
behavioral2/memory/4940-160-0x00007FF7F07E0000-0x00007FF7F0B31000-memory.dmp	upx
behavioral2/memory/1636-158-0x00007FF79DFE0000-0x00007FF79E331000-memory.dmp	upx
behavioral2/memory/1160-157-0x00007FF6358A0000-0x00007FF635BF1000-memory.dmp	upx
behavioral2/memory/2396-154-0x00007FF769E50000-0x00007FF76A1A1000-memory.dmp	upx
behavioral2/memory/1028-151-0x00007FF77FDF0000-0x00007FF780141000-memory.dmp	upx
behavioral2/memory/3744-159-0x00007FF79F0A0000-0x00007FF79F3F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\CDXgMDZ.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oyKkfcB.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AyMJqSA.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aPOfdEZ.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SfPBFdn.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jShFeof.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PFjUbiP.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nzIixCa.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HFKVyRN.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qbxsedO.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yqbuQMq.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YpFjYVT.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WikVAnm.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RSDoaib.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wKIVQDW.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DPZEkNl.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\snFBFRw.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kanSQQm.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gghrABq.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LEkCPkA.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kcYAJqu.exe	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 5008	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3028 wrote to memory of 5008	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3028 wrote to memory of 4540	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3028 wrote to memory of 4540	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3028 wrote to memory of 5064	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3028 wrote to memory of 5064	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3028 wrote to memory of 3988	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3028 wrote to memory of 3988	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3028 wrote to memory of 4696	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3028 wrote to memory of 4696	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3028 wrote to memory of 3660	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3028 wrote to memory of 3660	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3028 wrote to memory of 3136	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3028 wrote to memory of 3136	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3028 wrote to memory of 1224	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3028 wrote to memory of 1224	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3028 wrote to memory of 1924	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3028 wrote to memory of 1924	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3028 wrote to memory of 2524	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3028 wrote to memory of 2524	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3028 wrote to memory of 1028	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3028 wrote to memory of 1028	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3028 wrote to memory of 4940	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3028 wrote to memory of 4940	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3028 wrote to memory of 1856	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3028 wrote to memory of 1856	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3028 wrote to memory of 2396	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3028 wrote to memory of 2396	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3028 wrote to memory of 2616	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3028 wrote to memory of 2616	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3028 wrote to memory of 4264	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3028 wrote to memory of 4264	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3028 wrote to memory of 1160	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3028 wrote to memory of 1160	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3028 wrote to memory of 1636	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3028 wrote to memory of 1636	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3028 wrote to memory of 3744	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3028 wrote to memory of 3744	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3028 wrote to memory of 4200	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3028 wrote to memory of 4200	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3028 wrote to memory of 2508	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3028 wrote to memory of 2508	3028	2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_e2a6f908933933af7ac122be89443e2c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\System\AyMJqSA.exe
  C:\Windows\System\AyMJqSA.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\HFKVyRN.exe
  C:\Windows\System\HFKVyRN.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\WikVAnm.exe
  C:\Windows\System\WikVAnm.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\kcYAJqu.exe
  C:\Windows\System\kcYAJqu.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\qbxsedO.exe
  C:\Windows\System\qbxsedO.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\RSDoaib.exe
  C:\Windows\System\RSDoaib.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\aPOfdEZ.exe
  C:\Windows\System\aPOfdEZ.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\yqbuQMq.exe
  C:\Windows\System\yqbuQMq.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\CDXgMDZ.exe
  C:\Windows\System\CDXgMDZ.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\SfPBFdn.exe
  C:\Windows\System\SfPBFdn.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\wKIVQDW.exe
  C:\Windows\System\wKIVQDW.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\jShFeof.exe
  C:\Windows\System\jShFeof.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\PFjUbiP.exe
  C:\Windows\System\PFjUbiP.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System\YpFjYVT.exe
  C:\Windows\System\YpFjYVT.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\oyKkfcB.exe
  C:\Windows\System\oyKkfcB.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\DPZEkNl.exe
  C:\Windows\System\DPZEkNl.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System\snFBFRw.exe
  C:\Windows\System\snFBFRw.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\kanSQQm.exe
  C:\Windows\System\kanSQQm.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\nzIixCa.exe
  C:\Windows\System\nzIixCa.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\gghrABq.exe
  C:\Windows\System\gghrABq.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\LEkCPkA.exe
  C:\Windows\System\LEkCPkA.exe
  2⤵
  - Executes dropped EXE
  PID:2508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AyMJqSA.exe

Filesize
5.2MB

MD5
03cdd7e9ea75a56a3d0fc30fe19f5e1f

SHA1
d013b5e52e71924dbd93f7b5e34966ab03ae26d6

SHA256
17ef3b4e6d4ce3afff19ef7414850f634c3a57cf45ec0f9cb5845e12a386b0b6

SHA512
e03fc7f071d02f13ccede1400bdc810b77505e40a5e4f0b295adf9bda12d27ff62db0d8e6f4f8ffc150f85e9c639c1dc2a0008e280f3698ebf72a9b8914e5a2f

Download Submit
C:\Windows\System\CDXgMDZ.exe

Filesize
5.2MB

MD5
f018618b977974f34108280448c82ce8

SHA1
0c80c13149907ada6cb55714d15100f400f452f4

SHA256
45862d4a7f940e037721c8cdc78ac167f4bcf3495ed24992af6686587bda0cb7

SHA512
61d09a1206596317f494273d304f37c9506b8cb6410c93de5ffae3b0f264067c9946eacc70bfec400ffa02ed1acbcc0bec6c7a413c8f342d2c71726c0d844a1d

Download Submit
C:\Windows\System\DPZEkNl.exe

Filesize
5.2MB

MD5
1abf72e22b74ea7bb1d042f807740582

SHA1
87fec8836efe77ae046aea3daf4ccb7e0cde4872

SHA256
fb7f4a60ee508f8a6a16e35ab8bdd645280c71e5a7074c706f8c356eafe12047

SHA512
7c36f4608308a65024c0f6b8ca2ae39b33c3c9cb8edad684ed81d46a1398fe399f66069379b82012992879d8bf5cd97b1ab02c930470076618faa1ecb74b2757

Download Submit
C:\Windows\System\HFKVyRN.exe

Filesize
5.2MB

MD5
ea5262cc52585ad04e715e25825391f2

SHA1
0b9a8ff987f613ef47bbafb2718d49a82f9e3751

SHA256
46cb800f845af674894a04b867bc9ba6d1c137d5b9cd4d2e51ed6d8344130747

SHA512
1e3ebf8f70e01568a50f20b574c844c392d138b4251c271bb49c4e8902f50cbfe7a18d10dcb5796b2f391ef8ed9d0d7359e3d7eed3b1bbc5ff3f690d6c5f605b

Download Submit
C:\Windows\System\LEkCPkA.exe

Filesize
5.2MB

MD5
d8140b96c59f1849f6d8a38b2a2c2fc3

SHA1
631d8f8affede58b039201b814c37cc64078b6f7

SHA256
e78ded5aec1be5843d8ee2146c191a6d925c19f902745cc5fb3e524cd34ba4ef

SHA512
3f2b3c63d50634fa13d1e73e44a8064cb97adc0f53de61a8b9810dedc8178492b21c3ff536af8aeb2191959c2236b5626b5c8ebe8b3267b22fa45433c38f7ec1

Download Submit
C:\Windows\System\PFjUbiP.exe

Filesize
5.2MB

MD5
0dda649b07d647912dca1bc010d9768e

SHA1
8e98a573a095f28064aef9259f023112f20a0ebe

SHA256
e2180b5297e78d8a3035cfee6a6d90fb3118fca5752e5be2361d2d48193fb1ba

SHA512
7309446d374c4ce1f5255e44aadd3b0c51cc91d0c67f11e0374292223d72f5560ff60cb34c50798df30df544b449263354f15fde24a3cf5448492b8275c5f879

Download Submit
C:\Windows\System\RSDoaib.exe

Filesize
5.2MB

MD5
6b3d1b141d00d36d8fb10303dbf27621

SHA1
f79a0895108ce474349387ee5825f88cc803e690

SHA256
4daf1bee1b80477a09b4abbb217a51886812513df837177f7048adeb0d1d3900

SHA512
b953b6c08432515a769410399df561f7d4b7b3b43c8aafe61b328e41b5e29fcf0a996d6212f36b038af6abdcf59a20a89afddb599ed0b36a20a71ce39e67d064

Download Submit
C:\Windows\System\SfPBFdn.exe

Filesize
5.2MB

MD5
05f955c1381ae0f81e610fcd192e777d

SHA1
9422267686feb665e2a705d523c0c13c65376838

SHA256
9c999e30b4edf9654f51d14743df258f50faad7693dd2c4e5f5ab36b00b9e67a

SHA512
b82ca4fbd4111d8f4701d0053dc9ef93468e1303dcdf1340382e668db598331b1743fdb433412f787e28c660b3e318db3912c9a7997d63d1a2483861008876e5

Download Submit
C:\Windows\System\WikVAnm.exe

Filesize
5.2MB

MD5
21df8487885a67fd1b5189d9289888b8

SHA1
b49e9d6cf5e4bebdd1bda7cf330582d38e1a80c8

SHA256
bbcf4c1802d48cfd233fc0d8a51d1b48c16b25ccc0c8728dd64e40d472cc4b3b

SHA512
4aa679e2c8c132b8847c2e27853d48f4b93cc66c810e91c18bb599fb3afa40f5fc810189ce9d50404dfa90f5c00abc448b0d56a6e80a2629743831852b760020

Download Submit
C:\Windows\System\YpFjYVT.exe

Filesize
5.2MB

MD5
ad9c562d70974c48bed53314d53b2123

SHA1
00a2fc8424f291056fbad329c7619c6cb1c99eff

SHA256
65242acb14562ae85dba1a3846346b88fc88b04ffb423e7acd40a3f67c3df218

SHA512
d177ab7bf7e57bf6626cbecb999d0ae4b3563a2f0ead0b1cf5d5306916e9b2b19a2db34e011bb9920371e75a3d959871e39408f6ab230e2904a759da1e116031

Download Submit
C:\Windows\System\aPOfdEZ.exe

Filesize
5.2MB

MD5
cdff75c74b97ba1091ddce93e9b95804

SHA1
2b869b25783b9dd5531359c0505fb1de6e2b7ad8

SHA256
811b426af43e3c7f8f264b7753725ab64282b403c37e5be36a62ce069e06ffbe

SHA512
be6fa0787c9255dbb373eb94632b927c7ad51684f0be4524be812ebe2d008304ba62454e332ad1efd3257b200a1342a454edcd06901f8d7dbaf350d1e7da2854

Download Submit
C:\Windows\System\gghrABq.exe

Filesize
5.2MB

MD5
19491e48633b96865b8e8b1ecc23f071

SHA1
b7ce9362a6aca3dfc83d145cb4664c0b963fe00c

SHA256
1193c1d855f8c67c9254ddc3ccaf08b3c699ad5a2755460941c01207c44af526

SHA512
9c72c7fe62db5e3c9c1d7266a089ccc44e537e2616de2613485ae747578756e388ffdbe688a7534328fc04d864ccc1b843e6914c5fe8cb5427a7e190cac62164

Download Submit
C:\Windows\System\jShFeof.exe

Filesize
5.2MB

MD5
43699dcadd99d4e7874747ebe32b792a

SHA1
19a1f78e58557824414d33b590362d8d97e81487

SHA256
cbadd4a36164fd27d7faecea742f5e6fd92d07a5ea3b442a0e5c8a9338fd222b

SHA512
61ce1eea6f3c6c1c3507ce1e6e173d934aa3622d35d649914236fed33152d4924d4a0514ec05800acb6598d56f6a3bf26385351d7c01e5db06529501eaacae74

Download Submit
C:\Windows\System\kanSQQm.exe

Filesize
5.2MB

MD5
ed1ca28f242f3d461bb3f5ff4b4c6ed2

SHA1
6df628ac32325d34b467530f34d9950b8a7d6d65

SHA256
9df52a25b34974a7a2556505038806cf341c35cbae46a70fb1bb91dd2404dd0b

SHA512
751a40d2627c836b01012bde57a004e037ebe2eb6ebec34673b52ae078086f6cece8ac51a3419a1aa7f3e6e23c617552183796944c7b67fdf794a3308c7aba6b

Download Submit
C:\Windows\System\kcYAJqu.exe

Filesize
5.2MB

MD5
fa5690bd116e57aa3d8be3f639fa580b

SHA1
a95c937048448cc350d7449e35bb3b206ab5b400

SHA256
dc6726363185b692a54a0419721a3088df6a0c7b17c39f134d9325395e9efcb9

SHA512
4e229b0165dbb4924c33b1e437d53b099cc3967e36a114492eed9950c4079fa497c88d0397c191996eca6c5443b143eae639dd3f12407eeea4cb0cf2d16885c2

Download Submit
C:\Windows\System\nzIixCa.exe

Filesize
5.2MB

MD5
64ed0636ea798096c214ba98037d0322

SHA1
43b7e7ebea3639cb02b2414ecc8eb56d642974dc

SHA256
647c3556ca1e8de140c8f48c2c9bb3f0c675c4b397bebc82b0f162e8d4d88ea1

SHA512
73f444e954d170fa56f62b3c9b8e23297ff59d2daded0661187036c21aa81d1409821506f83e7ff589cc701bd0a22e113c93fad94b10cf5613baed0d71a97cdd

Download Submit
C:\Windows\System\oyKkfcB.exe

Filesize
5.2MB

MD5
9b32571989be530237a7a3a4e847812c

SHA1
d297a652243d97f2b0bd412f354e01154066be9f

SHA256
db79b96e4dbd23bf4ea361caa79bbdf0e64527b236c8fa55ded12e578133cd49

SHA512
843088c1ac5bbfc870e45f3a1cf02a905eb13de79eb3d5bc80bfc83c788a67ffc8d620eaccf1087f7dda3f7f4b268f6f554da923c3cb9a66314868d62f37f1ce

Download Submit
C:\Windows\System\qbxsedO.exe

Filesize
5.2MB

MD5
1d632ecd3b2b29413c7df95d0762089b

SHA1
8e7f469d3488c8d96a32fc46a2c68e08670c394e

SHA256
5690df61c6472c78dcf9fe17e7e7a1d8cb37ae90dcf328f1b4816dee5d955d34

SHA512
1eed34da6f45c0b615cf632fd1d60b73d6e38056c175109cd4530c420c63873f9f172f28b409b843cd8aa0848b5049a83d44b36bbcc8783e7f544e4511007c8f

Download Submit
C:\Windows\System\snFBFRw.exe

Filesize
5.2MB

MD5
db0636f853c96fb1ae5411a455d7e3b1

SHA1
8901749a2b9bc75a2da8153e4706b70da10b8e17

SHA256
56c595267c07d852623db9d7d9aac6d029f477b3e778026eafc9232073d4d5c9

SHA512
43c3712486bd7b8e0768625dbbbf93aea2a0214e3634905017c4c3c36e2f3d48d5ce989ee89cb3069fc1788f35ce5721afc4aa7b0fbb1819d96374f796dac37f

Download Submit
C:\Windows\System\wKIVQDW.exe

Filesize
5.2MB

MD5
f184a0897141d50179022f09268efa35

SHA1
f54838b7c3410998cc5f4373ee8a82a0825f52fd

SHA256
001ea1163da9cb296946d6ff601fd31b4b00375324584cf8d54e46d5febaafdf

SHA512
6ab365c380008b688b0c4d72795c0ca96c1ee389a5cd4eaaaad6a3c70410d4fc3e9df05a34b3449471292d96787a93df5562c7290cebbfcf84084a5223a50947

Download Submit
C:\Windows\System\yqbuQMq.exe

Filesize
5.2MB

MD5
a84033ae4fe45a313823a5147f79aa6c

SHA1
926863502546f53f6710a61bd3d021dca331862b

SHA256
3e3a2b5ba328015c7dfb9c487ad4d2645234dbb96f065110fb8652e81ca0d277

SHA512
b4726f17cd283ed497c57c36e9a6da5ff96578e96b80d5e09b898e43645fdd887e08ee646935e4ba84f0e6349d3a34ee9e0283325884a65a295cf0dc2a28f7c2

Download Submit
memory/1028-75-0x00007FF77FDF0000-0x00007FF780141000-memory.dmp

Filesize
3.3MB

Download
memory/1028-253-0x00007FF77FDF0000-0x00007FF780141000-memory.dmp

Filesize
3.3MB

Download
memory/1028-151-0x00007FF77FDF0000-0x00007FF780141000-memory.dmp

Filesize
3.3MB

Download
memory/1160-157-0x00007FF6358A0000-0x00007FF635BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-108-0x00007FF6358A0000-0x00007FF635BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-265-0x00007FF6358A0000-0x00007FF635BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-245-0x00007FF761EC0000-0x00007FF762211000-memory.dmp

Filesize
3.3MB

Download
memory/1224-132-0x00007FF761EC0000-0x00007FF762211000-memory.dmp

Filesize
3.3MB

Download
memory/1224-52-0x00007FF761EC0000-0x00007FF762211000-memory.dmp

Filesize
3.3MB

Download
memory/1636-258-0x00007FF79DFE0000-0x00007FF79E331000-memory.dmp

Filesize
3.3MB

Download
memory/1636-107-0x00007FF79DFE0000-0x00007FF79E331000-memory.dmp

Filesize
3.3MB

Download
memory/1636-158-0x00007FF79DFE0000-0x00007FF79E331000-memory.dmp

Filesize
3.3MB

Download
memory/1856-76-0x00007FF678E70000-0x00007FF6791C1000-memory.dmp

Filesize
3.3MB

Download
memory/1856-149-0x00007FF678E70000-0x00007FF6791C1000-memory.dmp

Filesize
3.3MB

Download
memory/1856-255-0x00007FF678E70000-0x00007FF6791C1000-memory.dmp

Filesize
3.3MB

Download
memory/1924-241-0x00007FF716090000-0x00007FF7163E1000-memory.dmp

Filesize
3.3MB

Download
memory/1924-148-0x00007FF716090000-0x00007FF7163E1000-memory.dmp

Filesize
3.3MB

Download
memory/1924-57-0x00007FF716090000-0x00007FF7163E1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-95-0x00007FF769E50000-0x00007FF76A1A1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-154-0x00007FF769E50000-0x00007FF76A1A1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-263-0x00007FF769E50000-0x00007FF76A1A1000-memory.dmp

Filesize
3.3MB

Download
memory/2508-135-0x00007FF6267E0000-0x00007FF626B31000-memory.dmp

Filesize
3.3MB

Download
memory/2508-165-0x00007FF6267E0000-0x00007FF626B31000-memory.dmp

Filesize
3.3MB

Download
memory/2508-274-0x00007FF6267E0000-0x00007FF626B31000-memory.dmp

Filesize
3.3MB

Download
memory/2524-54-0x00007FF6AF5E0000-0x00007FF6AF931000-memory.dmp

Filesize
3.3MB

Download
memory/2524-140-0x00007FF6AF5E0000-0x00007FF6AF931000-memory.dmp

Filesize
3.3MB

Download
memory/2524-243-0x00007FF6AF5E0000-0x00007FF6AF931000-memory.dmp

Filesize
3.3MB

Download
memory/2616-84-0x00007FF75C410000-0x00007FF75C761000-memory.dmp

Filesize
3.3MB

Download
memory/2616-161-0x00007FF75C410000-0x00007FF75C761000-memory.dmp

Filesize
3.3MB

Download
memory/2616-262-0x00007FF75C410000-0x00007FF75C761000-memory.dmp

Filesize
3.3MB

Download
memory/3028-166-0x00007FF660A90000-0x00007FF660DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3028-0-0x00007FF660A90000-0x00007FF660DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3028-1-0x00000272EA0D0000-0x00000272EA0E0000-memory.dmp

Filesize
64KB

Download
memory/3028-136-0x00007FF660A90000-0x00007FF660DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3028-93-0x00007FF660A90000-0x00007FF660DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3136-138-0x00007FF7E1070000-0x00007FF7E13C1000-memory.dmp

Filesize
3.3MB

Download
memory/3136-239-0x00007FF7E1070000-0x00007FF7E13C1000-memory.dmp

Filesize
3.3MB

Download
memory/3136-47-0x00007FF7E1070000-0x00007FF7E13C1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-36-0x00007FF6B2AD0000-0x00007FF6B2E21000-memory.dmp

Filesize
3.3MB

Download
memory/3660-237-0x00007FF6B2AD0000-0x00007FF6B2E21000-memory.dmp

Filesize
3.3MB

Download
memory/3660-131-0x00007FF6B2AD0000-0x00007FF6B2E21000-memory.dmp

Filesize
3.3MB

Download
memory/3744-121-0x00007FF79F0A0000-0x00007FF79F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/3744-159-0x00007FF79F0A0000-0x00007FF79F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/3744-269-0x00007FF79F0A0000-0x00007FF79F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/3988-118-0x00007FF6ABAB0000-0x00007FF6ABE01000-memory.dmp

Filesize
3.3MB

Download
memory/3988-25-0x00007FF6ABAB0000-0x00007FF6ABE01000-memory.dmp

Filesize
3.3MB

Download
memory/3988-233-0x00007FF6ABAB0000-0x00007FF6ABE01000-memory.dmp

Filesize
3.3MB

Download
memory/4200-271-0x00007FF672850000-0x00007FF672BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4200-126-0x00007FF672850000-0x00007FF672BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4200-162-0x00007FF672850000-0x00007FF672BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4264-156-0x00007FF61F0C0000-0x00007FF61F411000-memory.dmp

Filesize
3.3MB

Download
memory/4264-260-0x00007FF61F0C0000-0x00007FF61F411000-memory.dmp

Filesize
3.3MB

Download
memory/4264-99-0x00007FF61F0C0000-0x00007FF61F411000-memory.dmp

Filesize
3.3MB

Download
memory/4540-218-0x00007FF698270000-0x00007FF6985C1000-memory.dmp

Filesize
3.3MB

Download
memory/4540-111-0x00007FF698270000-0x00007FF6985C1000-memory.dmp

Filesize
3.3MB

Download
memory/4540-14-0x00007FF698270000-0x00007FF6985C1000-memory.dmp

Filesize
3.3MB

Download
memory/4696-30-0x00007FF7CDB90000-0x00007FF7CDEE1000-memory.dmp

Filesize
3.3MB

Download
memory/4696-235-0x00007FF7CDB90000-0x00007FF7CDEE1000-memory.dmp

Filesize
3.3MB

Download
memory/4696-123-0x00007FF7CDB90000-0x00007FF7CDEE1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-160-0x00007FF7F07E0000-0x00007FF7F0B31000-memory.dmp

Filesize
3.3MB

Download
memory/4940-72-0x00007FF7F07E0000-0x00007FF7F0B31000-memory.dmp

Filesize
3.3MB

Download
memory/4940-251-0x00007FF7F07E0000-0x00007FF7F0B31000-memory.dmp

Filesize
3.3MB

Download
memory/5008-7-0x00007FF774490000-0x00007FF7747E1000-memory.dmp

Filesize
3.3MB

Download
memory/5008-216-0x00007FF774490000-0x00007FF7747E1000-memory.dmp

Filesize
3.3MB

Download
memory/5008-100-0x00007FF774490000-0x00007FF7747E1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-114-0x00007FF784A40000-0x00007FF784D91000-memory.dmp

Filesize
3.3MB

Download
memory/5064-18-0x00007FF784A40000-0x00007FF784D91000-memory.dmp

Filesize
3.3MB

Download
memory/5064-220-0x00007FF784A40000-0x00007FF784D91000-memory.dmp

Filesize
3.3MB

Download