cobaltstrike | 56d9f85da8c7bac86584050e6bf0b2437a14e886c29c7e5956478c1e1d9902e3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

8dd7d4963553e370090c419b70e5f1ba
SHA1

be293f2233f734c9ef63c3b20966c6b608167007
SHA256

56d9f85da8c7bac86584050e6bf0b2437a14e886c29c7e5956478c1e1d9902e3
SHA512

7d7d07e41e0d5ac08939aed0afc0a8cd0a013a41df44c3487d9854d696a7e093d9c479856100b2dd74dac0e85cf900aaf653578ca5b0cf4983b7c34d49fa5249
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lF:RWWBib+56utgpPFotBER/mQ32lUZ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b68-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6c-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6d-17.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6e-22.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6f-28.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b70-41.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b69-36.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b73-51.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b71-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b74-60.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b75-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b76-78.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b77-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-89.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-112.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-124.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-131.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-120.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-107.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-145.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2108-53-0x00007FF699F10000-0x00007FF69A261000-memory.dmp	xmrig
behavioral2/memory/4156-68-0x00007FF7264D0000-0x00007FF726821000-memory.dmp	xmrig
behavioral2/memory/1636-61-0x00007FF768E10000-0x00007FF769161000-memory.dmp	xmrig
behavioral2/memory/1092-72-0x00007FF75E920000-0x00007FF75EC71000-memory.dmp	xmrig
behavioral2/memory/3188-76-0x00007FF7155C0000-0x00007FF715911000-memory.dmp	xmrig
behavioral2/memory/4020-90-0x00007FF6FFD80000-0x00007FF7000D1000-memory.dmp	xmrig
behavioral2/memory/3128-88-0x00007FF7DF620000-0x00007FF7DF971000-memory.dmp	xmrig
behavioral2/memory/2880-97-0x00007FF75B4D0000-0x00007FF75B821000-memory.dmp	xmrig
behavioral2/memory/1184-110-0x00007FF7980E0000-0x00007FF798431000-memory.dmp	xmrig
behavioral2/memory/4080-118-0x00007FF65B2C0000-0x00007FF65B611000-memory.dmp	xmrig
behavioral2/memory/3948-125-0x00007FF76B200000-0x00007FF76B551000-memory.dmp	xmrig
behavioral2/memory/2996-104-0x00007FF778040000-0x00007FF778391000-memory.dmp	xmrig
behavioral2/memory/3132-142-0x00007FF70D2A0000-0x00007FF70D5F1000-memory.dmp	xmrig
behavioral2/memory/1460-150-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp	xmrig
behavioral2/memory/1644-148-0x00007FF652FA0000-0x00007FF6532F1000-memory.dmp	xmrig
behavioral2/memory/2732-155-0x00007FF621A40000-0x00007FF621D91000-memory.dmp	xmrig
behavioral2/memory/2440-156-0x00007FF7EEA00000-0x00007FF7EED51000-memory.dmp	xmrig
behavioral2/memory/3572-159-0x00007FF615FE0000-0x00007FF616331000-memory.dmp	xmrig
behavioral2/memory/3452-162-0x00007FF7FEEA0000-0x00007FF7FF1F1000-memory.dmp	xmrig
behavioral2/memory/4836-167-0x00007FF6D9790000-0x00007FF6D9AE1000-memory.dmp	xmrig
behavioral2/memory/1168-165-0x00007FF7337A0000-0x00007FF733AF1000-memory.dmp	xmrig
behavioral2/memory/1392-166-0x00007FF79BB00000-0x00007FF79BE51000-memory.dmp	xmrig
behavioral2/memory/2108-168-0x00007FF699F10000-0x00007FF69A261000-memory.dmp	xmrig
behavioral2/memory/1460-178-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp	xmrig
behavioral2/memory/1636-219-0x00007FF768E10000-0x00007FF769161000-memory.dmp	xmrig
behavioral2/memory/4156-221-0x00007FF7264D0000-0x00007FF726821000-memory.dmp	xmrig
behavioral2/memory/1092-223-0x00007FF75E920000-0x00007FF75EC71000-memory.dmp	xmrig
behavioral2/memory/3188-225-0x00007FF7155C0000-0x00007FF715911000-memory.dmp	xmrig
behavioral2/memory/3128-234-0x00007FF7DF620000-0x00007FF7DF971000-memory.dmp	xmrig
behavioral2/memory/4020-236-0x00007FF6FFD80000-0x00007FF7000D1000-memory.dmp	xmrig
behavioral2/memory/2880-238-0x00007FF75B4D0000-0x00007FF75B821000-memory.dmp	xmrig
behavioral2/memory/1184-242-0x00007FF7980E0000-0x00007FF798431000-memory.dmp	xmrig
behavioral2/memory/2996-244-0x00007FF778040000-0x00007FF778391000-memory.dmp	xmrig
behavioral2/memory/4080-246-0x00007FF65B2C0000-0x00007FF65B611000-memory.dmp	xmrig
behavioral2/memory/3948-248-0x00007FF76B200000-0x00007FF76B551000-memory.dmp	xmrig
behavioral2/memory/3132-252-0x00007FF70D2A0000-0x00007FF70D5F1000-memory.dmp	xmrig
behavioral2/memory/1644-254-0x00007FF652FA0000-0x00007FF6532F1000-memory.dmp	xmrig
behavioral2/memory/2732-262-0x00007FF621A40000-0x00007FF621D91000-memory.dmp	xmrig
behavioral2/memory/2440-264-0x00007FF7EEA00000-0x00007FF7EED51000-memory.dmp	xmrig
behavioral2/memory/3572-267-0x00007FF615FE0000-0x00007FF616331000-memory.dmp	xmrig
behavioral2/memory/3452-268-0x00007FF7FEEA0000-0x00007FF7FF1F1000-memory.dmp	xmrig
behavioral2/memory/1168-272-0x00007FF7337A0000-0x00007FF733AF1000-memory.dmp	xmrig
behavioral2/memory/1392-271-0x00007FF79BB00000-0x00007FF79BE51000-memory.dmp	xmrig
behavioral2/memory/4836-274-0x00007FF6D9790000-0x00007FF6D9AE1000-memory.dmp	xmrig
behavioral2/memory/1460-278-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1636	mBdczdK.exe
4156	UwmTYvB.exe
1092	wClDSZf.exe
3188	JjZTFgs.exe
3128	WcTsGdt.exe
4020	JpJeXAN.exe
2880	tJIHLIh.exe
2996	EHYEUHE.exe
1184	DpyxSIu.exe
4080	hYnuSuR.exe
3948	AhALZpJ.exe
3132	BbMhXdm.exe
1644	igytpDd.exe
2732	jVzkbru.exe
2440	xTrrHli.exe
3572	oGJxdUf.exe
3452	ySheEfl.exe
4836	UgklUSv.exe
1168	yfFfNzJ.exe
1392	QcHeeoc.exe
1460	Nssfray.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2108-0-0x00007FF699F10000-0x00007FF69A261000-memory.dmp	upx
behavioral2/files/0x000b000000023b68-4.dat	upx
behavioral2/memory/1636-7-0x00007FF768E10000-0x00007FF769161000-memory.dmp	upx
behavioral2/files/0x000a000000023b6c-10.dat	upx
behavioral2/files/0x000a000000023b6d-17.dat	upx
behavioral2/memory/1092-18-0x00007FF75E920000-0x00007FF75EC71000-memory.dmp	upx
behavioral2/files/0x000a000000023b6e-22.dat	upx
behavioral2/memory/3188-23-0x00007FF7155C0000-0x00007FF715911000-memory.dmp	upx
behavioral2/memory/4156-16-0x00007FF7264D0000-0x00007FF726821000-memory.dmp	upx
behavioral2/files/0x000a000000023b6f-28.dat	upx
behavioral2/memory/4020-38-0x00007FF6FFD80000-0x00007FF7000D1000-memory.dmp	upx
behavioral2/files/0x0031000000023b70-41.dat	upx
behavioral2/memory/2880-42-0x00007FF75B4D0000-0x00007FF75B821000-memory.dmp	upx
behavioral2/files/0x000b000000023b69-36.dat	upx
behavioral2/memory/3128-30-0x00007FF7DF620000-0x00007FF7DF971000-memory.dmp	upx
behavioral2/files/0x000a000000023b73-51.dat	upx
behavioral2/memory/2108-53-0x00007FF699F10000-0x00007FF69A261000-memory.dmp	upx
behavioral2/memory/1184-54-0x00007FF7980E0000-0x00007FF798431000-memory.dmp	upx
behavioral2/files/0x0031000000023b71-50.dat	upx
behavioral2/memory/2996-47-0x00007FF778040000-0x00007FF778391000-memory.dmp	upx
behavioral2/files/0x000a000000023b74-60.dat	upx
behavioral2/memory/3948-69-0x00007FF76B200000-0x00007FF76B551000-memory.dmp	upx
behavioral2/files/0x000a000000023b75-70.dat	upx
behavioral2/memory/4156-68-0x00007FF7264D0000-0x00007FF726821000-memory.dmp	upx
behavioral2/memory/4080-62-0x00007FF65B2C0000-0x00007FF65B611000-memory.dmp	upx
behavioral2/memory/1636-61-0x00007FF768E10000-0x00007FF769161000-memory.dmp	upx
behavioral2/memory/1092-72-0x00007FF75E920000-0x00007FF75EC71000-memory.dmp	upx
behavioral2/memory/3188-76-0x00007FF7155C0000-0x00007FF715911000-memory.dmp	upx
behavioral2/files/0x000a000000023b76-78.dat	upx
behavioral2/files/0x000a000000023b77-81.dat	upx
behavioral2/memory/1644-82-0x00007FF652FA0000-0x00007FF6532F1000-memory.dmp	upx
behavioral2/memory/3132-77-0x00007FF70D2A0000-0x00007FF70D5F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b78-89.dat	upx
behavioral2/memory/2732-94-0x00007FF621A40000-0x00007FF621D91000-memory.dmp	upx
behavioral2/memory/4020-90-0x00007FF6FFD80000-0x00007FF7000D1000-memory.dmp	upx
behavioral2/memory/3128-88-0x00007FF7DF620000-0x00007FF7DF971000-memory.dmp	upx
behavioral2/memory/2880-97-0x00007FF75B4D0000-0x00007FF75B821000-memory.dmp	upx
behavioral2/files/0x000a000000023b79-95.dat	upx
behavioral2/memory/3572-108-0x00007FF615FE0000-0x00007FF616331000-memory.dmp	upx
behavioral2/memory/1184-110-0x00007FF7980E0000-0x00007FF798431000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-112.dat	upx
behavioral2/memory/4080-118-0x00007FF65B2C0000-0x00007FF65B611000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-124.dat	upx
behavioral2/memory/1168-126-0x00007FF7337A0000-0x00007FF733AF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-131.dat	upx
behavioral2/memory/1392-130-0x00007FF79BB00000-0x00007FF79BE51000-memory.dmp	upx
behavioral2/memory/3948-125-0x00007FF76B200000-0x00007FF76B551000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-120.dat	upx
behavioral2/memory/4836-119-0x00007FF6D9790000-0x00007FF6D9AE1000-memory.dmp	upx
behavioral2/memory/3452-111-0x00007FF7FEEA0000-0x00007FF7FF1F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7a-107.dat	upx
behavioral2/memory/2996-104-0x00007FF778040000-0x00007FF778391000-memory.dmp	upx
behavioral2/memory/2440-98-0x00007FF7EEA00000-0x00007FF7EED51000-memory.dmp	upx
behavioral2/memory/3132-142-0x00007FF70D2A0000-0x00007FF70D5F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-145.dat	upx
behavioral2/memory/1460-150-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp	upx
behavioral2/memory/1644-148-0x00007FF652FA0000-0x00007FF6532F1000-memory.dmp	upx
behavioral2/memory/2732-155-0x00007FF621A40000-0x00007FF621D91000-memory.dmp	upx
behavioral2/memory/2440-156-0x00007FF7EEA00000-0x00007FF7EED51000-memory.dmp	upx
behavioral2/memory/3572-159-0x00007FF615FE0000-0x00007FF616331000-memory.dmp	upx
behavioral2/memory/3452-162-0x00007FF7FEEA0000-0x00007FF7FF1F1000-memory.dmp	upx
behavioral2/memory/4836-167-0x00007FF6D9790000-0x00007FF6D9AE1000-memory.dmp	upx
behavioral2/memory/1168-165-0x00007FF7337A0000-0x00007FF733AF1000-memory.dmp	upx
behavioral2/memory/1392-166-0x00007FF79BB00000-0x00007FF79BE51000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\wClDSZf.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WcTsGdt.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tJIHLIh.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EHYEUHE.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xTrrHli.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oGJxdUf.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UgklUSv.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yfFfNzJ.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mBdczdK.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JjZTFgs.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JpJeXAN.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AhALZpJ.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DpyxSIu.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\igytpDd.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jVzkbru.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QcHeeoc.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Nssfray.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UwmTYvB.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hYnuSuR.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BbMhXdm.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ySheEfl.exe	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1636	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2108 wrote to memory of 1636	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2108 wrote to memory of 4156	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2108 wrote to memory of 4156	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2108 wrote to memory of 1092	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2108 wrote to memory of 1092	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2108 wrote to memory of 3188	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2108 wrote to memory of 3188	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2108 wrote to memory of 3128	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2108 wrote to memory of 3128	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2108 wrote to memory of 4020	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2108 wrote to memory of 4020	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2108 wrote to memory of 2880	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2108 wrote to memory of 2880	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2108 wrote to memory of 2996	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2108 wrote to memory of 2996	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2108 wrote to memory of 1184	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2108 wrote to memory of 1184	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2108 wrote to memory of 4080	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2108 wrote to memory of 4080	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2108 wrote to memory of 3948	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2108 wrote to memory of 3948	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2108 wrote to memory of 3132	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2108 wrote to memory of 3132	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2108 wrote to memory of 1644	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2108 wrote to memory of 1644	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2108 wrote to memory of 2732	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2108 wrote to memory of 2732	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2108 wrote to memory of 2440	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2108 wrote to memory of 2440	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2108 wrote to memory of 3572	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2108 wrote to memory of 3572	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2108 wrote to memory of 3452	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2108 wrote to memory of 3452	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2108 wrote to memory of 4836	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2108 wrote to memory of 4836	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2108 wrote to memory of 1168	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2108 wrote to memory of 1168	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2108 wrote to memory of 1392	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2108 wrote to memory of 1392	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2108 wrote to memory of 1460	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2108 wrote to memory of 1460	2108	2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_8dd7d4963553e370090c419b70e5f1ba_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\System\mBdczdK.exe
  C:\Windows\System\mBdczdK.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\UwmTYvB.exe
  C:\Windows\System\UwmTYvB.exe
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\Windows\System\wClDSZf.exe
  C:\Windows\System\wClDSZf.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System\JjZTFgs.exe
  C:\Windows\System\JjZTFgs.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\WcTsGdt.exe
  C:\Windows\System\WcTsGdt.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\JpJeXAN.exe
  C:\Windows\System\JpJeXAN.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\tJIHLIh.exe
  C:\Windows\System\tJIHLIh.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\EHYEUHE.exe
  C:\Windows\System\EHYEUHE.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\DpyxSIu.exe
  C:\Windows\System\DpyxSIu.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\hYnuSuR.exe
  C:\Windows\System\hYnuSuR.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System\AhALZpJ.exe
  C:\Windows\System\AhALZpJ.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\BbMhXdm.exe
  C:\Windows\System\BbMhXdm.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\igytpDd.exe
  C:\Windows\System\igytpDd.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\jVzkbru.exe
  C:\Windows\System\jVzkbru.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\xTrrHli.exe
  C:\Windows\System\xTrrHli.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\oGJxdUf.exe
  C:\Windows\System\oGJxdUf.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System\ySheEfl.exe
  C:\Windows\System\ySheEfl.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System\UgklUSv.exe
  C:\Windows\System\UgklUSv.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\yfFfNzJ.exe
  C:\Windows\System\yfFfNzJ.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System\QcHeeoc.exe
  C:\Windows\System\QcHeeoc.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\Nssfray.exe
  C:\Windows\System\Nssfray.exe
  2⤵
  - Executes dropped EXE
  PID:1460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AhALZpJ.exe

Filesize
5.2MB

MD5
8c6aab950b6503f4c378cde822d6b5a4

SHA1
f8d84a8e7ce885cc07f22bf36fbc3ca4668d76f3

SHA256
c84e243c52c1422fffd9145d13ac313f354b677bc9e6971be096f14389656656

SHA512
4f1be45ff606a450cb309133fa75b77a4cd2224724cae88ed97f2b018c9eb6b87e81b7a59f086496a1d0561eb5496a33c7da1a886a9e0d25b3d7d68d63cd6a4b

Download Submit
C:\Windows\System\BbMhXdm.exe

Filesize
5.2MB

MD5
91285708982e9208f1741cf27e6b109e

SHA1
a2b6256e74191424b15469e99706e70af9de3941

SHA256
83df4035ad00ab8a00bc036d2298500544e3da0d439231af0cd7d3c6102548b1

SHA512
5670753054ca6f34b4d5148997060c439c0c0441b2481723e1969eaaac3374120895066512b2913a7341645d30adbd7229df543e2d4d35336b8c67f922870a5b

Download Submit
C:\Windows\System\DpyxSIu.exe

Filesize
5.2MB

MD5
10f50d182b17cbd0af138d30eece5e4a

SHA1
3b9fd26a787f9a241f6b6706a84100ccc4cabd44

SHA256
180992c6d3fc0961d1efb4980d643e1b7230d6f7d2f8856c6ddc009419f1d161

SHA512
461de6e0827566139d548624a49e0eabb7b8dc253925b5d204312da129afcfb7a63b1047e3ec5e326beb45e38840f4a90bd827e2daff107dc466ee874b8c1d46

Download Submit
C:\Windows\System\EHYEUHE.exe

Filesize
5.2MB

MD5
23ade37a99adde34ae8e48bbeaf0b940

SHA1
5e4815f1d77b95954b548ecba48c5925e738d866

SHA256
0f7d9f9536aa295537c76127c9c55bcf6503b989f06ee0633c54140dbec9361f

SHA512
dfafb541579c7f8d2b3f3947885515d8ba951bf98fea0a708ade37cd6d65127179e99e5492b959fabd434a6a447dd8d1376e6bc4d7fd301bd5ab6a0388269740

Download Submit
C:\Windows\System\JjZTFgs.exe

Filesize
5.2MB

MD5
9f23b0142c3a06feb98789d7291487ac

SHA1
a1ffee8d824187e415a969ac8ce3b5c7933ac767

SHA256
932e21740429a07da4165bca3238029d14f94892f790dfde1fc413a203f5fe6d

SHA512
640e9e64ff48ce3750da57828b1c745d4c06278f7d43f5b8952a0b2963543d27fcc8a23615d8760df97af4e7604fecbdf9dd3ae7a7219d8a76ac53922538ae5f

Download Submit
C:\Windows\System\JpJeXAN.exe

Filesize
5.2MB

MD5
e14a6dd8b12036db25df4d3a39f7596c

SHA1
222153b72f35c90019d9e9abc46a98a377d3a18a

SHA256
beaafe2aa5c4287e0e9874c054f61d8a352d020e4eaec6cc0f0266d87bc7c6e3

SHA512
c7e266528ec126ebb685b8cf009766a93868f1679a3883bba0b5f7cc6307b8da5493a41aa05d0ca65f940f1242eb5d7dbf5d61884c235b7d5d6cfd96772590e6

Download Submit
C:\Windows\System\Nssfray.exe

Filesize
5.2MB

MD5
c2aaffcd193654ba02a63b0ec41ddad4

SHA1
b80873867648ccfbcaf9e4667fee2f505a32a3cb

SHA256
2e9103c6bb654fad6891636f1d64e0f28789e486a4acd73cfb5beb03eb94d9c8

SHA512
6a5d117c6d4bba7a74a552a4ff4a13b94918cd0abe66ec792873aa373918018242979cda5f766140052f83b20f6e6f4440fdde30d3d153502c50077045140471

Download Submit
C:\Windows\System\QcHeeoc.exe

Filesize
5.2MB

MD5
40dbdcc683a2f9a8128f7fa390706d29

SHA1
5950c6a47d536ffcb0baba81920f1e5a4c27d23f

SHA256
925dcfe6fdd35f3021701e90c04d527344e3d8db2901b524cf0051f39c9b529f

SHA512
47beb40c966b1e74fbf50699d4e8c316ca3018701eb36a0f5e3b930379daa53a248f4f30d6bf5aa6da4a537f73891cce46a9015e288a84f6943099a5121f9c36

Download Submit
C:\Windows\System\UgklUSv.exe

Filesize
5.2MB

MD5
fb74b3944c228273f42295cc6e5d7f0e

SHA1
47c20d143b41a2d3ff8441c26d569762780684bf

SHA256
cf3d51bc3adc99c016c2b26323d1b732344c0bc7b5c1cb558ddf7207052e2c6c

SHA512
12769537e7d7dc509a1b3cc22adfb7bdbabc4e9e8ed309c7c0b008935312c9c541210f85f14caa7809bcaeb5a87f6e6cb7cd1fe5c35171ca34bee46be5cb2fda

Download Submit
C:\Windows\System\UwmTYvB.exe

Filesize
5.2MB

MD5
228d068cc8ea123e9c88506c06f1480c

SHA1
fa7c0c9169dc7d53551724ca2f8607cea475f432

SHA256
9b493d6e7162327b7f90223d21ff84e5682610e7790678792e78d46babbbb7c2

SHA512
0471ecd11842a6445c09307fdc596b9ecc76c45ebb807478739c7bd8f29340541b924363564acda6a69de3a503d61ad7f2f1113c82630b846f0d8ff2e7dac5bf

Download Submit
C:\Windows\System\WcTsGdt.exe

Filesize
5.2MB

MD5
afe50e3404e1b60f846e0f15ff951124

SHA1
c1df297dfd05f4ab6f08488688a5fa74ef28379a

SHA256
7e2a9c87d36fc332cf5627a00c7742259f1f886d7e25da4adfb3230b902f1e49

SHA512
b24e6002c7a496489c21cfb8931bbebbfb981e9ace13f530cb3b6fca2c9bac5e379d0b117fabe32c3050277faee0786f5da91d77c5054c203803f5377920237e

Download Submit
C:\Windows\System\hYnuSuR.exe

Filesize
5.2MB

MD5
68fe491b2a5c5f2a91889b881fe8a80f

SHA1
e4453de33349c2707d79aee9cac116dfda043009

SHA256
8c18cc8cac5d04c27d38cfb11149edc4595675e9122af758c9be0d4d6b1143e4

SHA512
bb3b57d8dac0006f808db0f67a62cba354b7764cfa387a756101b753d80932d14600f64e81c8ce9bbe5adb84dc03daed741b1a95afab5da148ccf2259abcf3b9

Download Submit
C:\Windows\System\igytpDd.exe

Filesize
5.2MB

MD5
473390d094406cfac2b8611d91d3cbd6

SHA1
9d6b36a3de258e1fbb946b73725368a92313c755

SHA256
f1499f62501e761fa4fa4f3311b5d78a3896a2e2bf3d8915b7767f4334988fe1

SHA512
b23861d579b450ba0c61acc05898fc564b363f17b4e5829c470614d0286a6bd6b51618f25c0e2582ba75caba927d2626eeb7b1e34d003496a7926c2d3d0d3eeb

Download Submit
C:\Windows\System\jVzkbru.exe

Filesize
5.2MB

MD5
2f5e208675a5c2b5874b2f9c55cdce5e

SHA1
879703fb93abdd0c4784fb0987481d38e3a13caa

SHA256
10b80b4c6b8e95e2a232cd9d1e89671d7f3312e7c1c97869216077835f87e744

SHA512
dfaafd76661cc0bd2997b49b3dcbfdb5c1e662b36127bee62d5d86a229aad917b9057c6a5c5a1c46a62c9b9372eb445dc3dfa589107713f948f4e8fc43f1d77b

Download Submit
C:\Windows\System\mBdczdK.exe

Filesize
5.2MB

MD5
4c108f3ba13e559b4eedbb5805a12d31

SHA1
4260769e148fcc28d62f414310e88632bd031dfc

SHA256
14bc8c7df0efef2713ea172d8673386b7db11fd3681655b15f9ce99679248c38

SHA512
f3153b5c73bf11bcaee438a2f763461f8dd4385b823fc76e9cfb9c4538e1c6445623cde7ed2775e1261594720f9e7b09fbc738528d1b1c669ba20e8a151b6b0c

Download Submit
C:\Windows\System\oGJxdUf.exe

Filesize
5.2MB

MD5
893395113d67a2adecedbe54c65c6dda

SHA1
1ffc174811db3f6dc6a61e7c17671172d76d3dc3

SHA256
cadefeb230f7026ca6d15a98c084cfd3260a432b51c04c5bfb0c0f47c0e7e0f2

SHA512
142e88a995ea2bca932e8fef12abad2c1104200f34228f1d021dc44cfaa808c3a75e4a5f59dc02454083834cf6677ecb38fc607c020a0753dea4736bd205fd69

Download Submit
C:\Windows\System\tJIHLIh.exe

Filesize
5.2MB

MD5
fbca82b26d1f3a4c209a64ddf4e68c55

SHA1
d0cd6bdfe00b49b770ea4cf81813907aa82705e3

SHA256
dc8720a984ddf9b86e7012c162f4f3c765a247486d7510c2b4b7fd5203e9016e

SHA512
bb9f93271927f5ac88e5aa77ccdf678ff9e2998df2c035fc4c065c744026edb359243fa172b657bdc1c454cb54effe1eb5580793580370981047bad5a5143b40

Download Submit
C:\Windows\System\wClDSZf.exe

Filesize
5.2MB

MD5
e89f0e51f8e68ab301daf264dab5f388

SHA1
c3167bd0974703a86c8362a137ec5c5d470306fe

SHA256
ca86dd023bd1897d796c5764d619fa1a5c6dcdb372d7d30903e061f0269b2427

SHA512
0debbfd2f6e5abde2d800a3fcebc34521126f6f413d986cbcec6bf81d6c35831fe84a45b8e39c513fb580bf8ba7665db737a6d70be579f3725b20a38178de2a3

Download Submit
C:\Windows\System\xTrrHli.exe

Filesize
5.2MB

MD5
6533ae5a3c85aa457d4f89a66f929807

SHA1
7df75a9c5e0fcec63ba2bdc3b42843f37fb3c3f1

SHA256
ea7a03ad5878ac7758c7316b1907c1adb9e322de534a83cb8c14f033a45b375f

SHA512
ba5ce09b7161d8a644fed88d6f2396b4ac3f24e585c1e9965189f75e5fdcd1ea96062bab9c9c424a2c13b57c71a8c1f9b594b8892f1821e21420ad7e2957c6d2

Download Submit
C:\Windows\System\ySheEfl.exe

Filesize
5.2MB

MD5
b7224237b9743b1f8faddbdd7d06c0cd

SHA1
889463480893e044b2dcf0cbbd3c08703c34d126

SHA256
256a574266b887901f3a9043a27eb639c85527c5d45fc441a78c1dcd8edd55be

SHA512
f46a73e3e4a49376fd6ad50400fcfbb48de1df8367302e32fcec5a5dbb9b351957738916cd51651131d37075edfb12babd5f2a79cf9d896ab5a7e69edf9d521c

Download Submit
C:\Windows\System\yfFfNzJ.exe

Filesize
5.2MB

MD5
28e434f44c1b72ac292b41d6cb60611f

SHA1
d89fc2375ef38275f8348ef40c4e1804e97c0157

SHA256
3d9e6e64661de92f051b8073439ff22c885a3c4a7ba849e7d8a4281d1edd1802

SHA512
e7315b1dcb0de2219d2e3cbe08f6b0057446a5b70b8d5b9d7270074974d42e9fb53e04f60a178a638fb01770adc4113c63f122d28dfbd82e1d895d5b4405c65d

Download Submit
memory/1092-72-0x00007FF75E920000-0x00007FF75EC71000-memory.dmp

Filesize
3.3MB

Download
memory/1092-223-0x00007FF75E920000-0x00007FF75EC71000-memory.dmp

Filesize
3.3MB

Download
memory/1092-18-0x00007FF75E920000-0x00007FF75EC71000-memory.dmp

Filesize
3.3MB

Download
memory/1168-165-0x00007FF7337A0000-0x00007FF733AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1168-272-0x00007FF7337A0000-0x00007FF733AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1168-126-0x00007FF7337A0000-0x00007FF733AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1184-110-0x00007FF7980E0000-0x00007FF798431000-memory.dmp

Filesize
3.3MB

Download
memory/1184-54-0x00007FF7980E0000-0x00007FF798431000-memory.dmp

Filesize
3.3MB

Download
memory/1184-242-0x00007FF7980E0000-0x00007FF798431000-memory.dmp

Filesize
3.3MB

Download
memory/1392-130-0x00007FF79BB00000-0x00007FF79BE51000-memory.dmp

Filesize
3.3MB

Download
memory/1392-166-0x00007FF79BB00000-0x00007FF79BE51000-memory.dmp

Filesize
3.3MB

Download
memory/1392-271-0x00007FF79BB00000-0x00007FF79BE51000-memory.dmp

Filesize
3.3MB

Download
memory/1460-178-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-150-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-278-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/1636-61-0x00007FF768E10000-0x00007FF769161000-memory.dmp

Filesize
3.3MB

Download
memory/1636-219-0x00007FF768E10000-0x00007FF769161000-memory.dmp

Filesize
3.3MB

Download
memory/1636-7-0x00007FF768E10000-0x00007FF769161000-memory.dmp

Filesize
3.3MB

Download
memory/1644-254-0x00007FF652FA0000-0x00007FF6532F1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-82-0x00007FF652FA0000-0x00007FF6532F1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-148-0x00007FF652FA0000-0x00007FF6532F1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-168-0x00007FF699F10000-0x00007FF69A261000-memory.dmp

Filesize
3.3MB

Download
memory/2108-1-0x0000024889D40000-0x0000024889D50000-memory.dmp

Filesize
64KB

Download
memory/2108-0-0x00007FF699F10000-0x00007FF69A261000-memory.dmp

Filesize
3.3MB

Download
memory/2108-53-0x00007FF699F10000-0x00007FF69A261000-memory.dmp

Filesize
3.3MB

Download
memory/2440-264-0x00007FF7EEA00000-0x00007FF7EED51000-memory.dmp

Filesize
3.3MB

Download
memory/2440-98-0x00007FF7EEA00000-0x00007FF7EED51000-memory.dmp

Filesize
3.3MB

Download
memory/2440-156-0x00007FF7EEA00000-0x00007FF7EED51000-memory.dmp

Filesize
3.3MB

Download
memory/2732-262-0x00007FF621A40000-0x00007FF621D91000-memory.dmp

Filesize
3.3MB

Download
memory/2732-94-0x00007FF621A40000-0x00007FF621D91000-memory.dmp

Filesize
3.3MB

Download
memory/2732-155-0x00007FF621A40000-0x00007FF621D91000-memory.dmp

Filesize
3.3MB

Download
memory/2880-238-0x00007FF75B4D0000-0x00007FF75B821000-memory.dmp

Filesize
3.3MB

Download
memory/2880-97-0x00007FF75B4D0000-0x00007FF75B821000-memory.dmp

Filesize
3.3MB

Download
memory/2880-42-0x00007FF75B4D0000-0x00007FF75B821000-memory.dmp

Filesize
3.3MB

Download
memory/2996-104-0x00007FF778040000-0x00007FF778391000-memory.dmp

Filesize
3.3MB

Download
memory/2996-47-0x00007FF778040000-0x00007FF778391000-memory.dmp

Filesize
3.3MB

Download
memory/2996-244-0x00007FF778040000-0x00007FF778391000-memory.dmp

Filesize
3.3MB

Download
memory/3128-88-0x00007FF7DF620000-0x00007FF7DF971000-memory.dmp

Filesize
3.3MB

Download
memory/3128-30-0x00007FF7DF620000-0x00007FF7DF971000-memory.dmp

Filesize
3.3MB

Download
memory/3128-234-0x00007FF7DF620000-0x00007FF7DF971000-memory.dmp

Filesize
3.3MB

Download
memory/3132-142-0x00007FF70D2A0000-0x00007FF70D5F1000-memory.dmp

Filesize
3.3MB

Download
memory/3132-77-0x00007FF70D2A0000-0x00007FF70D5F1000-memory.dmp

Filesize
3.3MB

Download
memory/3132-252-0x00007FF70D2A0000-0x00007FF70D5F1000-memory.dmp

Filesize
3.3MB

Download
memory/3188-23-0x00007FF7155C0000-0x00007FF715911000-memory.dmp

Filesize
3.3MB

Download
memory/3188-225-0x00007FF7155C0000-0x00007FF715911000-memory.dmp

Filesize
3.3MB

Download
memory/3188-76-0x00007FF7155C0000-0x00007FF715911000-memory.dmp

Filesize
3.3MB

Download
memory/3452-268-0x00007FF7FEEA0000-0x00007FF7FF1F1000-memory.dmp

Filesize
3.3MB

Download
memory/3452-162-0x00007FF7FEEA0000-0x00007FF7FF1F1000-memory.dmp

Filesize
3.3MB

Download
memory/3452-111-0x00007FF7FEEA0000-0x00007FF7FF1F1000-memory.dmp

Filesize
3.3MB

Download
memory/3572-159-0x00007FF615FE0000-0x00007FF616331000-memory.dmp

Filesize
3.3MB

Download
memory/3572-267-0x00007FF615FE0000-0x00007FF616331000-memory.dmp

Filesize
3.3MB

Download
memory/3572-108-0x00007FF615FE0000-0x00007FF616331000-memory.dmp

Filesize
3.3MB

Download
memory/3948-248-0x00007FF76B200000-0x00007FF76B551000-memory.dmp

Filesize
3.3MB

Download
memory/3948-69-0x00007FF76B200000-0x00007FF76B551000-memory.dmp

Filesize
3.3MB

Download
memory/3948-125-0x00007FF76B200000-0x00007FF76B551000-memory.dmp

Filesize
3.3MB

Download
memory/4020-236-0x00007FF6FFD80000-0x00007FF7000D1000-memory.dmp

Filesize
3.3MB

Download
memory/4020-38-0x00007FF6FFD80000-0x00007FF7000D1000-memory.dmp

Filesize
3.3MB

Download
memory/4020-90-0x00007FF6FFD80000-0x00007FF7000D1000-memory.dmp

Filesize
3.3MB

Download
memory/4080-246-0x00007FF65B2C0000-0x00007FF65B611000-memory.dmp

Filesize
3.3MB

Download
memory/4080-62-0x00007FF65B2C0000-0x00007FF65B611000-memory.dmp

Filesize
3.3MB

Download
memory/4080-118-0x00007FF65B2C0000-0x00007FF65B611000-memory.dmp

Filesize
3.3MB

Download
memory/4156-221-0x00007FF7264D0000-0x00007FF726821000-memory.dmp

Filesize
3.3MB

Download
memory/4156-16-0x00007FF7264D0000-0x00007FF726821000-memory.dmp

Filesize
3.3MB

Download
memory/4156-68-0x00007FF7264D0000-0x00007FF726821000-memory.dmp

Filesize
3.3MB

Download
memory/4836-119-0x00007FF6D9790000-0x00007FF6D9AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-274-0x00007FF6D9790000-0x00007FF6D9AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-167-0x00007FF6D9790000-0x00007FF6D9AE1000-memory.dmp

Filesize
3.3MB

Download