cobaltstrike | 364035ae91ea0e6c89770c6b194017ce1ccb6e6dad61f2f88dcc6f4d9889f54b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f0d5fdba70f25d1e35df127633a20039
SHA1

f9ff759ba76cea8c26336a74d333a476ec11fdea
SHA256

364035ae91ea0e6c89770c6b194017ce1ccb6e6dad61f2f88dcc6f4d9889f54b
SHA512

2085ab6cde348740a76ab0971000e49365634fd794515a750874d8964eceb8c6496a7fb812290e7872fec83d1b888c9f4e8caae63dcec2e13d4696ddaa4f996d
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lb:RWWBibd56utgpPFotBER/mQ32lUH

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b7f-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-17.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-34.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-45.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-68.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b80-82.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-85.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ba9-119.dat	cobalt_reflective_dll
behavioral2/files/0x0012000000023ba7-118.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9b-117.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-113.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b91-111.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-84.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8f-88.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-67.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-43.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-42.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-38.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3544-100-0x00007FF6CF3F0000-0x00007FF6CF741000-memory.dmp	xmrig
behavioral2/memory/3636-110-0x00007FF6F0D20000-0x00007FF6F1071000-memory.dmp	xmrig
behavioral2/memory/4592-123-0x00007FF6D0860000-0x00007FF6D0BB1000-memory.dmp	xmrig
behavioral2/memory/5108-120-0x00007FF753950000-0x00007FF753CA1000-memory.dmp	xmrig
behavioral2/memory/3456-116-0x00007FF75BD20000-0x00007FF75C071000-memory.dmp	xmrig
behavioral2/memory/1856-115-0x00007FF6677B0000-0x00007FF667B01000-memory.dmp	xmrig
behavioral2/memory/3840-109-0x00007FF7EB9E0000-0x00007FF7EBD31000-memory.dmp	xmrig
behavioral2/memory/3988-92-0x00007FF7052C0000-0x00007FF705611000-memory.dmp	xmrig
behavioral2/memory/2780-73-0x00007FF7301C0000-0x00007FF730511000-memory.dmp	xmrig
behavioral2/memory/2852-64-0x00007FF776AF0000-0x00007FF776E41000-memory.dmp	xmrig
behavioral2/memory/1036-131-0x00007FF6E2100000-0x00007FF6E2451000-memory.dmp	xmrig
behavioral2/memory/2640-132-0x00007FF7184C0000-0x00007FF718811000-memory.dmp	xmrig
behavioral2/memory/1028-141-0x00007FF738990000-0x00007FF738CE1000-memory.dmp	xmrig
behavioral2/memory/5028-135-0x00007FF64D980000-0x00007FF64DCD1000-memory.dmp	xmrig
behavioral2/memory/3812-134-0x00007FF66B100000-0x00007FF66B451000-memory.dmp	xmrig
behavioral2/memory/4100-130-0x00007FF6C45F0000-0x00007FF6C4941000-memory.dmp	xmrig
behavioral2/memory/872-129-0x00007FF6A44A0000-0x00007FF6A47F1000-memory.dmp	xmrig
behavioral2/memory/2384-128-0x00007FF79CCF0000-0x00007FF79D041000-memory.dmp	xmrig
behavioral2/memory/3948-149-0x00007FF62EFC0000-0x00007FF62F311000-memory.dmp	xmrig
behavioral2/memory/1368-147-0x00007FF7F11E0000-0x00007FF7F1531000-memory.dmp	xmrig
behavioral2/memory/4108-143-0x00007FF675A10000-0x00007FF675D61000-memory.dmp	xmrig
behavioral2/memory/1952-148-0x00007FF791750000-0x00007FF791AA1000-memory.dmp	xmrig
behavioral2/memory/2384-150-0x00007FF79CCF0000-0x00007FF79D041000-memory.dmp	xmrig
behavioral2/memory/2384-151-0x00007FF79CCF0000-0x00007FF79D041000-memory.dmp	xmrig
behavioral2/memory/872-205-0x00007FF6A44A0000-0x00007FF6A47F1000-memory.dmp	xmrig
behavioral2/memory/4100-207-0x00007FF6C45F0000-0x00007FF6C4941000-memory.dmp	xmrig
behavioral2/memory/2852-222-0x00007FF776AF0000-0x00007FF776E41000-memory.dmp	xmrig
behavioral2/memory/1036-224-0x00007FF6E2100000-0x00007FF6E2451000-memory.dmp	xmrig
behavioral2/memory/3544-226-0x00007FF6CF3F0000-0x00007FF6CF741000-memory.dmp	xmrig
behavioral2/memory/3840-235-0x00007FF7EB9E0000-0x00007FF7EBD31000-memory.dmp	xmrig
behavioral2/memory/2780-238-0x00007FF7301C0000-0x00007FF730511000-memory.dmp	xmrig
behavioral2/memory/3812-237-0x00007FF66B100000-0x00007FF66B451000-memory.dmp	xmrig
behavioral2/memory/3988-230-0x00007FF7052C0000-0x00007FF705611000-memory.dmp	xmrig
behavioral2/memory/5028-229-0x00007FF64D980000-0x00007FF64DCD1000-memory.dmp	xmrig
behavioral2/memory/2640-233-0x00007FF7184C0000-0x00007FF718811000-memory.dmp	xmrig
behavioral2/memory/1856-244-0x00007FF6677B0000-0x00007FF667B01000-memory.dmp	xmrig
behavioral2/memory/3636-243-0x00007FF6F0D20000-0x00007FF6F1071000-memory.dmp	xmrig
behavioral2/memory/1028-240-0x00007FF738990000-0x00007FF738CE1000-memory.dmp	xmrig
behavioral2/memory/4108-247-0x00007FF675A10000-0x00007FF675D61000-memory.dmp	xmrig
behavioral2/memory/4592-252-0x00007FF6D0860000-0x00007FF6D0BB1000-memory.dmp	xmrig
behavioral2/memory/5108-251-0x00007FF753950000-0x00007FF753CA1000-memory.dmp	xmrig
behavioral2/memory/3456-249-0x00007FF75BD20000-0x00007FF75C071000-memory.dmp	xmrig
behavioral2/memory/1368-255-0x00007FF7F11E0000-0x00007FF7F1531000-memory.dmp	xmrig
behavioral2/memory/1952-256-0x00007FF791750000-0x00007FF791AA1000-memory.dmp	xmrig
behavioral2/memory/3948-258-0x00007FF62EFC0000-0x00007FF62F311000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
872	SqTsGNW.exe
4100	nIggthD.exe
1036	lqrvPKH.exe
2640	LhNajhQ.exe
3988	RyFWHUn.exe
3812	qwngjnf.exe
5028	lKZTmRS.exe
2852	uFOEVDY.exe
2780	pwQVAQk.exe
3544	MXsrqTZ.exe
3840	kaEloCF.exe
3636	gEUZegZ.exe
1028	xCCFYxp.exe
1856	gnMlAFV.exe
4108	uQivmea.exe
3456	DmuIORd.exe
4592	hrPSXHZ.exe
5108	ffoZNRX.exe
1368	XlnKXJH.exe
1952	CevfAQh.exe
3948	oWaAVFs.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2384-0-0x00007FF79CCF0000-0x00007FF79D041000-memory.dmp	upx
behavioral2/files/0x000b000000023b7f-4.dat	upx
behavioral2/memory/872-9-0x00007FF6A44A0000-0x00007FF6A47F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-17.dat	upx
behavioral2/files/0x000a000000023b88-34.dat	upx
behavioral2/files/0x000a000000023b8a-39.dat	upx
behavioral2/files/0x000a000000023b8c-45.dat	upx
behavioral2/files/0x000a000000023b8d-68.dat	upx
behavioral2/files/0x000b000000023b80-82.dat	upx
behavioral2/files/0x000a000000023b90-85.dat	upx
behavioral2/memory/3544-100-0x00007FF6CF3F0000-0x00007FF6CF741000-memory.dmp	upx
behavioral2/memory/3636-110-0x00007FF6F0D20000-0x00007FF6F1071000-memory.dmp	upx
behavioral2/files/0x0008000000023ba9-119.dat	upx
behavioral2/memory/1368-124-0x00007FF7F11E0000-0x00007FF7F1531000-memory.dmp	upx
behavioral2/memory/4592-123-0x00007FF6D0860000-0x00007FF6D0BB1000-memory.dmp	upx
behavioral2/memory/3948-122-0x00007FF62EFC0000-0x00007FF62F311000-memory.dmp	upx
behavioral2/memory/1952-121-0x00007FF791750000-0x00007FF791AA1000-memory.dmp	upx
behavioral2/memory/5108-120-0x00007FF753950000-0x00007FF753CA1000-memory.dmp	upx
behavioral2/files/0x0012000000023ba7-118.dat	upx
behavioral2/files/0x000b000000023b9b-117.dat	upx
behavioral2/memory/3456-116-0x00007FF75BD20000-0x00007FF75C071000-memory.dmp	upx
behavioral2/memory/1856-115-0x00007FF6677B0000-0x00007FF667B01000-memory.dmp	upx
behavioral2/files/0x000a000000023b99-113.dat	upx
behavioral2/files/0x000c000000023b91-111.dat	upx
behavioral2/memory/3840-109-0x00007FF7EB9E0000-0x00007FF7EBD31000-memory.dmp	upx
behavioral2/memory/3988-92-0x00007FF7052C0000-0x00007FF705611000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-84.dat	upx
behavioral2/memory/4108-83-0x00007FF675A10000-0x00007FF675D61000-memory.dmp	upx
behavioral2/files/0x000b000000023b8f-88.dat	upx
behavioral2/memory/1028-77-0x00007FF738990000-0x00007FF738CE1000-memory.dmp	upx
behavioral2/memory/2780-73-0x00007FF7301C0000-0x00007FF730511000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-67.dat	upx
behavioral2/memory/2852-64-0x00007FF776AF0000-0x00007FF776E41000-memory.dmp	upx
behavioral2/memory/5028-63-0x00007FF64D980000-0x00007FF64DCD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-61.dat	upx
behavioral2/files/0x000a000000023b86-50.dat	upx
behavioral2/memory/3812-48-0x00007FF66B100000-0x00007FF66B451000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-43.dat	upx
behavioral2/files/0x000a000000023b85-42.dat	upx
behavioral2/memory/2640-40-0x00007FF7184C0000-0x00007FF718811000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-38.dat	upx
behavioral2/memory/4100-21-0x00007FF6C45F0000-0x00007FF6C4941000-memory.dmp	upx
behavioral2/memory/1036-27-0x00007FF6E2100000-0x00007FF6E2451000-memory.dmp	upx
behavioral2/memory/1036-131-0x00007FF6E2100000-0x00007FF6E2451000-memory.dmp	upx
behavioral2/memory/2640-132-0x00007FF7184C0000-0x00007FF718811000-memory.dmp	upx
behavioral2/memory/1028-141-0x00007FF738990000-0x00007FF738CE1000-memory.dmp	upx
behavioral2/memory/5028-135-0x00007FF64D980000-0x00007FF64DCD1000-memory.dmp	upx
behavioral2/memory/3812-134-0x00007FF66B100000-0x00007FF66B451000-memory.dmp	upx
behavioral2/memory/4100-130-0x00007FF6C45F0000-0x00007FF6C4941000-memory.dmp	upx
behavioral2/memory/872-129-0x00007FF6A44A0000-0x00007FF6A47F1000-memory.dmp	upx
behavioral2/memory/2384-128-0x00007FF79CCF0000-0x00007FF79D041000-memory.dmp	upx
behavioral2/memory/3948-149-0x00007FF62EFC0000-0x00007FF62F311000-memory.dmp	upx
behavioral2/memory/1368-147-0x00007FF7F11E0000-0x00007FF7F1531000-memory.dmp	upx
behavioral2/memory/4108-143-0x00007FF675A10000-0x00007FF675D61000-memory.dmp	upx
behavioral2/memory/1952-148-0x00007FF791750000-0x00007FF791AA1000-memory.dmp	upx
behavioral2/memory/2384-150-0x00007FF79CCF0000-0x00007FF79D041000-memory.dmp	upx
behavioral2/memory/2384-151-0x00007FF79CCF0000-0x00007FF79D041000-memory.dmp	upx
behavioral2/memory/872-205-0x00007FF6A44A0000-0x00007FF6A47F1000-memory.dmp	upx
behavioral2/memory/4100-207-0x00007FF6C45F0000-0x00007FF6C4941000-memory.dmp	upx
behavioral2/memory/2852-222-0x00007FF776AF0000-0x00007FF776E41000-memory.dmp	upx
behavioral2/memory/1036-224-0x00007FF6E2100000-0x00007FF6E2451000-memory.dmp	upx
behavioral2/memory/3544-226-0x00007FF6CF3F0000-0x00007FF6CF741000-memory.dmp	upx
behavioral2/memory/3840-235-0x00007FF7EB9E0000-0x00007FF7EBD31000-memory.dmp	upx
behavioral2/memory/2780-238-0x00007FF7301C0000-0x00007FF730511000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\RyFWHUn.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CevfAQh.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nIggthD.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lqrvPKH.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LhNajhQ.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gnMlAFV.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uQivmea.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ffoZNRX.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pwQVAQk.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kaEloCF.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gEUZegZ.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SqTsGNW.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MXsrqTZ.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xCCFYxp.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DmuIORd.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hrPSXHZ.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XlnKXJH.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oWaAVFs.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qwngjnf.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lKZTmRS.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uFOEVDY.exe	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 872	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2384 wrote to memory of 872	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2384 wrote to memory of 4100	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2384 wrote to memory of 4100	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2384 wrote to memory of 1036	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2384 wrote to memory of 1036	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2384 wrote to memory of 2640	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2384 wrote to memory of 2640	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2384 wrote to memory of 3988	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2384 wrote to memory of 3988	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2384 wrote to memory of 3812	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2384 wrote to memory of 3812	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2384 wrote to memory of 5028	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2384 wrote to memory of 5028	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2384 wrote to memory of 2852	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2384 wrote to memory of 2852	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2384 wrote to memory of 2780	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2384 wrote to memory of 2780	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2384 wrote to memory of 3840	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2384 wrote to memory of 3840	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2384 wrote to memory of 3544	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2384 wrote to memory of 3544	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2384 wrote to memory of 3636	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2384 wrote to memory of 3636	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2384 wrote to memory of 1028	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2384 wrote to memory of 1028	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2384 wrote to memory of 1856	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2384 wrote to memory of 1856	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2384 wrote to memory of 4108	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2384 wrote to memory of 4108	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2384 wrote to memory of 3456	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2384 wrote to memory of 3456	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2384 wrote to memory of 4592	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2384 wrote to memory of 4592	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2384 wrote to memory of 5108	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2384 wrote to memory of 5108	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2384 wrote to memory of 1368	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2384 wrote to memory of 1368	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2384 wrote to memory of 1952	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2384 wrote to memory of 1952	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2384 wrote to memory of 3948	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2384 wrote to memory of 3948	2384	2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-12_f0d5fdba70f25d1e35df127633a20039_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\System\SqTsGNW.exe
  C:\Windows\System\SqTsGNW.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\nIggthD.exe
  C:\Windows\System\nIggthD.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\lqrvPKH.exe
  C:\Windows\System\lqrvPKH.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\LhNajhQ.exe
  C:\Windows\System\LhNajhQ.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\RyFWHUn.exe
  C:\Windows\System\RyFWHUn.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\qwngjnf.exe
  C:\Windows\System\qwngjnf.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System\lKZTmRS.exe
  C:\Windows\System\lKZTmRS.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\uFOEVDY.exe
  C:\Windows\System\uFOEVDY.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\pwQVAQk.exe
  C:\Windows\System\pwQVAQk.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\kaEloCF.exe
  C:\Windows\System\kaEloCF.exe
  2⤵
  - Executes dropped EXE
  PID:3840
- C:\Windows\System\MXsrqTZ.exe
  C:\Windows\System\MXsrqTZ.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System\gEUZegZ.exe
  C:\Windows\System\gEUZegZ.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System\xCCFYxp.exe
  C:\Windows\System\xCCFYxp.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\gnMlAFV.exe
  C:\Windows\System\gnMlAFV.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System\uQivmea.exe
  C:\Windows\System\uQivmea.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\DmuIORd.exe
  C:\Windows\System\DmuIORd.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System\hrPSXHZ.exe
  C:\Windows\System\hrPSXHZ.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\ffoZNRX.exe
  C:\Windows\System\ffoZNRX.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\XlnKXJH.exe
  C:\Windows\System\XlnKXJH.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\CevfAQh.exe
  C:\Windows\System\CevfAQh.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\oWaAVFs.exe
  C:\Windows\System\oWaAVFs.exe
  2⤵
  - Executes dropped EXE
  PID:3948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CevfAQh.exe

Filesize
5.2MB

MD5
da10f860b885acf7a92e36191f8742eb

SHA1
55180d2aa34da76ff953aabbb2e8a5268da255a5

SHA256
9b5c75efa2ad4a0d2bd07fe0e8f22758a00dcdf137f3a1b0fb0ad425e4052bce

SHA512
37d79ef27c60d4d0c521751cb3b922d325aea88a8b945bedbcbb374b6202b541f2024bf5682ef4affdc84dd0aea8d6496cf2ca155fc2283d2105f930bfa293af

Download Submit
C:\Windows\System\DmuIORd.exe

Filesize
5.2MB

MD5
2b49ef94cb3c32a014e05f63ccbe547d

SHA1
3e28c9c9dcda5d4a66f7db62e0fa09e29a13e7a0

SHA256
0e35e9c8754997a8340e2d7410e00e23ed45402fe9201bac30ff6567f2925907

SHA512
29e93403ef24ad1c8e0cdd571d3146651bd96183460e39e5ec1f19d698a71f64601fffd3a450413615403dfec344f73355c851fa76802427a9567a7424cbd8a4

Download Submit
C:\Windows\System\LhNajhQ.exe

Filesize
5.2MB

MD5
56746c0e2eb50c53d964145680db5a99

SHA1
91482c203edbb9735691768c2d8f0a5e88c5c233

SHA256
069b0d2dc0e7872f5c9486515732c057043b9ab9682f515ac74a61676b29fe1e

SHA512
273c272511e26ee4febfa5f9fe5d552d17bf335540be7c71b12c7c7c7406feabd422a96809d025df16f132dbe5aa4d02e913de1dfe0dda5d40ac995943185575

Download Submit
C:\Windows\System\MXsrqTZ.exe

Filesize
5.2MB

MD5
e90e1cdef3b2cbfa8be5d6d7a846176f

SHA1
084847498a405d49cc02fb25015a02db0d3c87bc

SHA256
63510897212b1f52c8bda07e277c23963857f58404df88d3e6be8af5b193b3a3

SHA512
6fd67806dac033dc13a66a4f16cdf89b1b4c1b4d9b52f613f129a5f0e035e59802f3afdc8debee70de2259924fe6649d5cfc08e189e2910d2adc0a0512b1544f

Download Submit
C:\Windows\System\RyFWHUn.exe

Filesize
5.2MB

MD5
1e439b9eaf402400e55177c5861d71cd

SHA1
c9d1c07079230716b1a15e56ee96f9603f4bf0cc

SHA256
de5b5765f08f2b33e4ee62bc5590f05410a8b2ee356e83e8b701bea81a18602e

SHA512
adde1df4d7c4d908b72fcdf15bddd56f0ede43526552d3eb064d2b8d6bdaf77216ac2681845dc6ac4f87a09ae77ee302aa7e53d1e18ca3b537b6b1bb5d3fbc51

Download Submit
C:\Windows\System\SqTsGNW.exe

Filesize
5.2MB

MD5
bae82586cc2b689fe9e5d1d8512f7cff

SHA1
eb1d67172d73f7f1386c7a04082d1b0983c51b56

SHA256
bde6e3430d440a1e956a442180c7a4bc69912f6df4e672bf35f7fc8287dfeb58

SHA512
fa9369a2317cc9d16c6baefd8b384de0dbb4ddd976dda84670e4e0147d04e02259e68f53748382b90fb1e04e7f7e882819357490e2d9f907e864d9d51f880af6

Download Submit
C:\Windows\System\XlnKXJH.exe

Filesize
5.2MB

MD5
1d2c06838f7672447dfd1e17270a70a0

SHA1
ae334b8e6709a125df1fdb9badcfb31535d0bd15

SHA256
9f9e4a7398bd34e2927c95e1034a981588b0e635689861af8af34ceb6a152a10

SHA512
713ba210921b7315bbed92cde540939dfec784b16a2dc05e8178b1f17b8a01ff185f6661020120b20c340e41e39f7f27bd830a8680b96a62825eef7c6f132f0c

Download Submit
C:\Windows\System\ffoZNRX.exe

Filesize
5.2MB

MD5
e1b033686f5e96340d194fd160109e72

SHA1
99f0183d43e5cb6eb16d3d0cf1b3836d94d7635a

SHA256
eab8a62cb96eaaa2b91e7c2b9ee4b9d46c4eac1d4a636f2c5e10bdaaf36ab18d

SHA512
ae29d0bfc116d0f556bbf05456eda0969f3676696751bf7a577097739fad8090347a1ba8f4b55718a4298423f265be08fbed8139f330da3a0ffe646e6ad593a9

Download Submit
C:\Windows\System\gEUZegZ.exe

Filesize
5.2MB

MD5
872f9524ab4c636a0d06b18930fa4b79

SHA1
977db03fbf9e567a688d8f4ec8dad7088eaced8b

SHA256
0e610e74cddb58933ddb4c81f3171387682c96b91cf4d49f90aea97923266f09

SHA512
d04d8f52903ccaf42ad1f75fca24616349eb132fd19ccbaf29153403ea4b62a4f5d20ce6df37eb33291630a18d98c22bf77eb51b22468b7279c5a657d950cb94

Download Submit
C:\Windows\System\gnMlAFV.exe

Filesize
5.2MB

MD5
cb4e2405e7ef9eb7f44a3cdea3d05d00

SHA1
bb4c9d47958ced8ac5fac54fb8ac1b30d559621e

SHA256
4012713a7377bef993ee964a3c5c360d427abc374d799beedcf52642b6669171

SHA512
c68ebf913dca4a6de1ea466c68e65badda54099a589ddb74869175a9a7deeeb2140a1e6d26ced678b840f5a76d653ad269ac13fae975b563f76f7ae60565bb8f

Download Submit
C:\Windows\System\hrPSXHZ.exe

Filesize
5.2MB

MD5
d8fc9894b948bd8d0877136745be02bb

SHA1
693648f1158298c5f9612b223fe765231e0efa05

SHA256
7dc433774c45e39b216698a800a6fd19ecab92f6665e13e20b4bc5665153bac6

SHA512
7decaaa2709d831a31c8a52ae3259d2c3bbf8bb02bca5965b3394f374d5759cf8e5b68d38abe08253ff88b17abea20e2da2d1eb4f7d07b2b6f7e9bbe502b7bf4

Download Submit
C:\Windows\System\kaEloCF.exe

Filesize
5.2MB

MD5
b23b99ad540e8bcdecba075c38c3383b

SHA1
7e69699caf458e1b0dfa03b4eeefd03d1db1505f

SHA256
ccdddd35cb1ccd629a187fd50a5362ef008e04fed25fc5ea0f35c16df4277f5b

SHA512
c9413ea09b453f5bfd941db4ef559ae49e859664455dcd01dfd6c31827d0f73f99e00d5d1d9ad0483939bf87f46c06acdb12d475d28a78a2220349c50c036c05

Download Submit
C:\Windows\System\lKZTmRS.exe

Filesize
5.2MB

MD5
dcb62caa4a9eb0e6eaf8364422114f66

SHA1
0a1a73471d146ca88edd0172f20d4614d57205c2

SHA256
7c936786342b967636de6db55662be12513b9d776561ca10a70b93c17eebed86

SHA512
6e1293e7a179d2cf916ee2fd736829c9839085bc7d1b32027f11d7b3f947f04e469d7e19c71dc02e80c944d1a33c87947fa1c6bafa496c90d924d54f70f92f51

Download Submit
C:\Windows\System\lqrvPKH.exe

Filesize
5.2MB

MD5
422a9d72a5c9e4e87cd66fe82ef684aa

SHA1
b3b6b5664e7afbebbc25685045e3335f7f68944f

SHA256
74baf5bcc058501f5750173734a0880d1dccd97205949e7ea5cb215c2b4ccf11

SHA512
2c5dd173b249cf35e618b9a68138a5790681f57fb756a4f741a5062ab007fd1ab04cb71207b5cbfe6ab15b6ec0f01b0e4ed726364150c3730ddc206a932ac471

Download Submit
C:\Windows\System\nIggthD.exe

Filesize
5.2MB

MD5
595d00e01e2668e9b51c3be99afa3d6d

SHA1
1266f6919063b9b47d539f1db22c1abd6a847d3e

SHA256
d3845070d8e0ffb8140fbb3e7fcb18dc70a6e4a97df8f161be5c247446248e2f

SHA512
6479c03dbeecaf2f546179fbc95e57f3275df5396045124d989bfb5d355dfc0468c7a19744062d780b9ecb7f42586e1fdeb301b431c193b3f53dafc37770b5f4

Download Submit
C:\Windows\System\oWaAVFs.exe

Filesize
5.2MB

MD5
b065f4b282a9ea09e5f40b2039e9120a

SHA1
fad19a0a190dbfae13b20bb8fcabdc3115d12740

SHA256
2de71c02285101adb78e73ebb18ec0eb6c92bd7943db9550b23a8a937a888936

SHA512
162cdffdbcc1ce7a23fae184fb569e75d594724b09c008630f6af6d2559467ef16e2ac58d52c2a35239dbc3a3321f92b5c2155a11d5a31f02ac6eb8642c44e48

Download Submit
C:\Windows\System\pwQVAQk.exe

Filesize
5.2MB

MD5
b919b17e34ba1d49615c1b7d66666a4a

SHA1
0cc5c6d3c59285b7c7b2b56fe4d6929d69ef604f

SHA256
3a3ac689bcc305386f9b3245a1dbfe06b6d1a18607fcc588760c8347c00bcebb

SHA512
b7f26590adeb02b9cf6131d28f6aaba3e3c99941186c7165acaafa1f96c23a0e88386846f420c0400b66638fcdb346499a9b412cf3872157f4aa74966f7f4c8e

Download Submit
C:\Windows\System\qwngjnf.exe

Filesize
5.2MB

MD5
1cf25bdde7bbd4191d7d2ee69c9dc923

SHA1
221ad87c0fdeaef709e9e91cd20d4c3a4d5ab74c

SHA256
03a72664fb2cee2e9c471853540228a609eb5056759a8b524b4895bd3b7c0ae6

SHA512
6e178780a1cc78ecabb530c4ef8c88c72971b66f73715d783e031b5f942631ee85bb5049bcc432d0822c4131e96fd912b0b1193439e4f449b10438ea33eabb45

Download Submit
C:\Windows\System\uFOEVDY.exe

Filesize
5.2MB

MD5
63cd3ca5ea2a04f85db13a6ecaf8039b

SHA1
ecdf4496c36ae84ae56432856dc24c9b83fb90f8

SHA256
71df71224a049d8d59d9e59b1a166b85d8db2c9f47c080fe6fafc31f97f578dc

SHA512
e3c03072214ba4a4b5f304172107ada7d58ba922c4c92624484eb6fc594ddb250374bac63ad9db3ab9af3e3b6dd1541cbeaf5483232e4f878508ea6ae878ed7a

Download Submit
C:\Windows\System\uQivmea.exe

Filesize
5.2MB

MD5
a31ab5de472c3b677f7a92d6876ccc34

SHA1
848623ed34018f6250a6586beba3e28fbb672cc9

SHA256
74c05bdc17dd58cd71ce2bb8d25048cc5e43368b19c9af5b33d625e77605da28

SHA512
e79a2483b79c80cecbdd37916f389a4e305024d56b4882f17f3bc48b299784e0ad926ccb31fe968f7121059dd4cf6ab5b81d0f90f17aadb82281aebec68df96b

Download Submit
C:\Windows\System\xCCFYxp.exe

Filesize
5.2MB

MD5
163c1824f8aa61b972d98a670d5ba9fc

SHA1
8be7c9bd624b710b3acaf4d918ebf3b0adef2007

SHA256
f1f56c6dd54a2a80c68a977e7d304b7eb1e914bcf932d80842bd8bed8bc57fa2

SHA512
47f0d10b50b00d53c40d3a98df03ef5da740569d445c860ea5fb219fdc29e434a5a4a61b48379846f91f79e0df68035711f90264ad82aa6052a0128e420efd5e

Download Submit
memory/872-205-0x00007FF6A44A0000-0x00007FF6A47F1000-memory.dmp

Filesize
3.3MB

Download
memory/872-9-0x00007FF6A44A0000-0x00007FF6A47F1000-memory.dmp

Filesize
3.3MB

Download
memory/872-129-0x00007FF6A44A0000-0x00007FF6A47F1000-memory.dmp

Filesize
3.3MB

Download
memory/1028-77-0x00007FF738990000-0x00007FF738CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1028-240-0x00007FF738990000-0x00007FF738CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1028-141-0x00007FF738990000-0x00007FF738CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1036-27-0x00007FF6E2100000-0x00007FF6E2451000-memory.dmp

Filesize
3.3MB

Download
memory/1036-224-0x00007FF6E2100000-0x00007FF6E2451000-memory.dmp

Filesize
3.3MB

Download
memory/1036-131-0x00007FF6E2100000-0x00007FF6E2451000-memory.dmp

Filesize
3.3MB

Download
memory/1368-255-0x00007FF7F11E0000-0x00007FF7F1531000-memory.dmp

Filesize
3.3MB

Download
memory/1368-124-0x00007FF7F11E0000-0x00007FF7F1531000-memory.dmp

Filesize
3.3MB

Download
memory/1368-147-0x00007FF7F11E0000-0x00007FF7F1531000-memory.dmp

Filesize
3.3MB

Download
memory/1856-115-0x00007FF6677B0000-0x00007FF667B01000-memory.dmp

Filesize
3.3MB

Download
memory/1856-244-0x00007FF6677B0000-0x00007FF667B01000-memory.dmp

Filesize
3.3MB

Download
memory/1952-256-0x00007FF791750000-0x00007FF791AA1000-memory.dmp

Filesize
3.3MB

Download
memory/1952-121-0x00007FF791750000-0x00007FF791AA1000-memory.dmp

Filesize
3.3MB

Download
memory/1952-148-0x00007FF791750000-0x00007FF791AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2384-151-0x00007FF79CCF0000-0x00007FF79D041000-memory.dmp

Filesize
3.3MB

Download
memory/2384-0-0x00007FF79CCF0000-0x00007FF79D041000-memory.dmp

Filesize
3.3MB

Download
memory/2384-150-0x00007FF79CCF0000-0x00007FF79D041000-memory.dmp

Filesize
3.3MB

Download
memory/2384-1-0x0000026B16580000-0x0000026B16590000-memory.dmp

Filesize
64KB

Download
memory/2384-128-0x00007FF79CCF0000-0x00007FF79D041000-memory.dmp

Filesize
3.3MB

Download
memory/2640-233-0x00007FF7184C0000-0x00007FF718811000-memory.dmp

Filesize
3.3MB

Download
memory/2640-132-0x00007FF7184C0000-0x00007FF718811000-memory.dmp

Filesize
3.3MB

Download
memory/2640-40-0x00007FF7184C0000-0x00007FF718811000-memory.dmp

Filesize
3.3MB

Download
memory/2780-238-0x00007FF7301C0000-0x00007FF730511000-memory.dmp

Filesize
3.3MB

Download
memory/2780-73-0x00007FF7301C0000-0x00007FF730511000-memory.dmp

Filesize
3.3MB

Download
memory/2852-222-0x00007FF776AF0000-0x00007FF776E41000-memory.dmp

Filesize
3.3MB

Download
memory/2852-64-0x00007FF776AF0000-0x00007FF776E41000-memory.dmp

Filesize
3.3MB

Download
memory/3456-249-0x00007FF75BD20000-0x00007FF75C071000-memory.dmp

Filesize
3.3MB

Download
memory/3456-116-0x00007FF75BD20000-0x00007FF75C071000-memory.dmp

Filesize
3.3MB

Download
memory/3544-226-0x00007FF6CF3F0000-0x00007FF6CF741000-memory.dmp

Filesize
3.3MB

Download
memory/3544-100-0x00007FF6CF3F0000-0x00007FF6CF741000-memory.dmp

Filesize
3.3MB

Download
memory/3636-110-0x00007FF6F0D20000-0x00007FF6F1071000-memory.dmp

Filesize
3.3MB

Download
memory/3636-243-0x00007FF6F0D20000-0x00007FF6F1071000-memory.dmp

Filesize
3.3MB

Download
memory/3812-134-0x00007FF66B100000-0x00007FF66B451000-memory.dmp

Filesize
3.3MB

Download
memory/3812-48-0x00007FF66B100000-0x00007FF66B451000-memory.dmp

Filesize
3.3MB

Download
memory/3812-237-0x00007FF66B100000-0x00007FF66B451000-memory.dmp

Filesize
3.3MB

Download
memory/3840-109-0x00007FF7EB9E0000-0x00007FF7EBD31000-memory.dmp

Filesize
3.3MB

Download
memory/3840-235-0x00007FF7EB9E0000-0x00007FF7EBD31000-memory.dmp

Filesize
3.3MB

Download
memory/3948-258-0x00007FF62EFC0000-0x00007FF62F311000-memory.dmp

Filesize
3.3MB

Download
memory/3948-122-0x00007FF62EFC0000-0x00007FF62F311000-memory.dmp

Filesize
3.3MB

Download
memory/3948-149-0x00007FF62EFC0000-0x00007FF62F311000-memory.dmp

Filesize
3.3MB

Download
memory/3988-230-0x00007FF7052C0000-0x00007FF705611000-memory.dmp

Filesize
3.3MB

Download
memory/3988-92-0x00007FF7052C0000-0x00007FF705611000-memory.dmp

Filesize
3.3MB

Download
memory/4100-130-0x00007FF6C45F0000-0x00007FF6C4941000-memory.dmp

Filesize
3.3MB

Download
memory/4100-21-0x00007FF6C45F0000-0x00007FF6C4941000-memory.dmp

Filesize
3.3MB

Download
memory/4100-207-0x00007FF6C45F0000-0x00007FF6C4941000-memory.dmp

Filesize
3.3MB

Download
memory/4108-143-0x00007FF675A10000-0x00007FF675D61000-memory.dmp

Filesize
3.3MB

Download
memory/4108-83-0x00007FF675A10000-0x00007FF675D61000-memory.dmp

Filesize
3.3MB

Download
memory/4108-247-0x00007FF675A10000-0x00007FF675D61000-memory.dmp

Filesize
3.3MB

Download
memory/4592-123-0x00007FF6D0860000-0x00007FF6D0BB1000-memory.dmp

Filesize
3.3MB

Download
memory/4592-252-0x00007FF6D0860000-0x00007FF6D0BB1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-135-0x00007FF64D980000-0x00007FF64DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-63-0x00007FF64D980000-0x00007FF64DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-229-0x00007FF64D980000-0x00007FF64DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/5108-251-0x00007FF753950000-0x00007FF753CA1000-memory.dmp

Filesize
3.3MB

Download
memory/5108-120-0x00007FF753950000-0x00007FF753CA1000-memory.dmp

Filesize
3.3MB

Download