cobaltstrike | 285537e506b3cfd1e3eee158c3359a3c36dd106ae6a41a4d1cfead4d8ef0affe

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

60ae59c2ff9203224752c549e133ce97
SHA1

65ce97a5a24b1b210c1bed4d5747f8e59eb4a571
SHA256

285537e506b3cfd1e3eee158c3359a3c36dd106ae6a41a4d1cfead4d8ef0affe
SHA512

a0a8ff4d66c364693e803e708e05618c43346bd87f857e6865c9df1c12fd202c6e7a045990db7f2c067572b729d69f4f95e1d41a15fe7708aa369554c3d07254
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lB:RWWBibj56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023c33-4.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c46-9.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c45-11.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c48-26.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c49-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c58-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c59-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c5c-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c5f-125.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c37-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c5e-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c5b-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c5d-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c5a-93.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c4d-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c56-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c57-84.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c4b-69.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c4c-66.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c4a-43.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c47-29.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2928-59-0x00007FF704A90000-0x00007FF704DE1000-memory.dmp	xmrig
behavioral2/memory/3700-118-0x00007FF732BF0000-0x00007FF732F41000-memory.dmp	xmrig
behavioral2/memory/1076-121-0x00007FF6FB580000-0x00007FF6FB8D1000-memory.dmp	xmrig
behavioral2/memory/4928-120-0x00007FF61F610000-0x00007FF61F961000-memory.dmp	xmrig
behavioral2/memory/1140-119-0x00007FF65B580000-0x00007FF65B8D1000-memory.dmp	xmrig
behavioral2/memory/3984-117-0x00007FF7E3940000-0x00007FF7E3C91000-memory.dmp	xmrig
behavioral2/memory/4892-128-0x00007FF7F47B0000-0x00007FF7F4B01000-memory.dmp	xmrig
behavioral2/memory/3420-140-0x00007FF7EAEE0000-0x00007FF7EB231000-memory.dmp	xmrig
behavioral2/memory/3928-139-0x00007FF6186E0000-0x00007FF618A31000-memory.dmp	xmrig
behavioral2/memory/3452-135-0x00007FF65F340000-0x00007FF65F691000-memory.dmp	xmrig
behavioral2/memory/1996-142-0x00007FF7FF0B0000-0x00007FF7FF401000-memory.dmp	xmrig
behavioral2/memory/2576-134-0x00007FF7BC880000-0x00007FF7BCBD1000-memory.dmp	xmrig
behavioral2/memory/2940-132-0x00007FF778810000-0x00007FF778B61000-memory.dmp	xmrig
behavioral2/memory/3900-131-0x00007FF75C060000-0x00007FF75C3B1000-memory.dmp	xmrig
behavioral2/memory/3604-130-0x00007FF68E4C0000-0x00007FF68E811000-memory.dmp	xmrig
behavioral2/memory/3472-138-0x00007FF64C440000-0x00007FF64C791000-memory.dmp	xmrig
behavioral2/memory/2000-133-0x00007FF6A20F0000-0x00007FF6A2441000-memory.dmp	xmrig
behavioral2/memory/4892-129-0x00007FF7F47B0000-0x00007FF7F4B01000-memory.dmp	xmrig
behavioral2/memory/4772-149-0x00007FF608FC0000-0x00007FF609311000-memory.dmp	xmrig
behavioral2/memory/1500-150-0x00007FF6E3740000-0x00007FF6E3A91000-memory.dmp	xmrig
behavioral2/memory/3632-148-0x00007FF680900000-0x00007FF680C51000-memory.dmp	xmrig
behavioral2/memory/4012-145-0x00007FF666340000-0x00007FF666691000-memory.dmp	xmrig
behavioral2/memory/5016-146-0x00007FF6B3C00000-0x00007FF6B3F51000-memory.dmp	xmrig
behavioral2/memory/4892-151-0x00007FF7F47B0000-0x00007FF7F4B01000-memory.dmp	xmrig
behavioral2/memory/3604-201-0x00007FF68E4C0000-0x00007FF68E811000-memory.dmp	xmrig
behavioral2/memory/3900-220-0x00007FF75C060000-0x00007FF75C3B1000-memory.dmp	xmrig
behavioral2/memory/2940-222-0x00007FF778810000-0x00007FF778B61000-memory.dmp	xmrig
behavioral2/memory/2000-224-0x00007FF6A20F0000-0x00007FF6A2441000-memory.dmp	xmrig
behavioral2/memory/3452-226-0x00007FF65F340000-0x00007FF65F691000-memory.dmp	xmrig
behavioral2/memory/2928-228-0x00007FF704A90000-0x00007FF704DE1000-memory.dmp	xmrig
behavioral2/memory/2576-230-0x00007FF7BC880000-0x00007FF7BCBD1000-memory.dmp	xmrig
behavioral2/memory/3472-234-0x00007FF64C440000-0x00007FF64C791000-memory.dmp	xmrig
behavioral2/memory/3984-232-0x00007FF7E3940000-0x00007FF7E3C91000-memory.dmp	xmrig
behavioral2/memory/3420-236-0x00007FF7EAEE0000-0x00007FF7EB231000-memory.dmp	xmrig
behavioral2/memory/4928-238-0x00007FF61F610000-0x00007FF61F961000-memory.dmp	xmrig
behavioral2/memory/3700-240-0x00007FF732BF0000-0x00007FF732F41000-memory.dmp	xmrig
behavioral2/memory/1076-245-0x00007FF6FB580000-0x00007FF6FB8D1000-memory.dmp	xmrig
behavioral2/memory/3928-246-0x00007FF6186E0000-0x00007FF618A31000-memory.dmp	xmrig
behavioral2/memory/4012-248-0x00007FF666340000-0x00007FF666691000-memory.dmp	xmrig
behavioral2/memory/5016-250-0x00007FF6B3C00000-0x00007FF6B3F51000-memory.dmp	xmrig
behavioral2/memory/1140-244-0x00007FF65B580000-0x00007FF65B8D1000-memory.dmp	xmrig
behavioral2/memory/1500-252-0x00007FF6E3740000-0x00007FF6E3A91000-memory.dmp	xmrig
behavioral2/memory/3632-256-0x00007FF680900000-0x00007FF680C51000-memory.dmp	xmrig
behavioral2/memory/4772-255-0x00007FF608FC0000-0x00007FF609311000-memory.dmp	xmrig
behavioral2/memory/1996-258-0x00007FF7FF0B0000-0x00007FF7FF401000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3604	AlDuReY.exe
3900	uCkRYjq.exe
2940	OrdkwIz.exe
2000	LdfdZbc.exe
2576	ULOUAbK.exe
3452	BtwFiaw.exe
2928	JtteAQJ.exe
3984	ywqzmuX.exe
3472	gtYColz.exe
3928	igaxiSE.exe
3420	zHXLGrp.exe
3700	aGUlZmu.exe
1996	LMDIShQ.exe
1140	KGRCakQ.exe
4928	rJZKKLj.exe
4012	OeVyvQr.exe
5016	CkSCLaN.exe
1076	kNPRFBN.exe
3632	EtPDZcR.exe
4772	hzgMbMY.exe
1500	INqFqAE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4892-0-0x00007FF7F47B0000-0x00007FF7F4B01000-memory.dmp	upx
behavioral2/files/0x0009000000023c33-4.dat	upx
behavioral2/files/0x0008000000023c46-9.dat	upx
behavioral2/memory/3604-10-0x00007FF68E4C0000-0x00007FF68E811000-memory.dmp	upx
behavioral2/files/0x0008000000023c45-11.dat	upx
behavioral2/memory/2940-20-0x00007FF778810000-0x00007FF778B61000-memory.dmp	upx
behavioral2/files/0x0008000000023c48-26.dat	upx
behavioral2/files/0x0008000000023c49-30.dat	upx
behavioral2/memory/2928-59-0x00007FF704A90000-0x00007FF704DE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c58-64.dat	upx
behavioral2/files/0x0007000000023c59-75.dat	upx
behavioral2/files/0x0007000000023c5c-87.dat	upx
behavioral2/memory/5016-106-0x00007FF6B3C00000-0x00007FF6B3F51000-memory.dmp	upx
behavioral2/memory/3632-113-0x00007FF680900000-0x00007FF680C51000-memory.dmp	upx
behavioral2/memory/3700-118-0x00007FF732BF0000-0x00007FF732F41000-memory.dmp	upx
behavioral2/files/0x0007000000023c5f-125.dat	upx
behavioral2/files/0x0009000000023c37-123.dat	upx
behavioral2/memory/4772-122-0x00007FF608FC0000-0x00007FF609311000-memory.dmp	upx
behavioral2/memory/1076-121-0x00007FF6FB580000-0x00007FF6FB8D1000-memory.dmp	upx
behavioral2/memory/4928-120-0x00007FF61F610000-0x00007FF61F961000-memory.dmp	upx
behavioral2/memory/1140-119-0x00007FF65B580000-0x00007FF65B8D1000-memory.dmp	upx
behavioral2/memory/3984-117-0x00007FF7E3940000-0x00007FF7E3C91000-memory.dmp	upx
behavioral2/files/0x0007000000023c5e-115.dat	upx
behavioral2/memory/1500-114-0x00007FF6E3740000-0x00007FF6E3A91000-memory.dmp	upx
behavioral2/files/0x0007000000023c5b-107.dat	upx
behavioral2/files/0x0007000000023c5d-98.dat	upx
behavioral2/files/0x0007000000023c5a-93.dat	upx
behavioral2/memory/4012-92-0x00007FF666340000-0x00007FF666691000-memory.dmp	upx
behavioral2/memory/1996-91-0x00007FF7FF0B0000-0x00007FF7FF401000-memory.dmp	upx
behavioral2/files/0x0008000000023c4d-85.dat	upx
behavioral2/memory/3420-79-0x00007FF7EAEE0000-0x00007FF7EB231000-memory.dmp	upx
behavioral2/memory/3928-77-0x00007FF6186E0000-0x00007FF618A31000-memory.dmp	upx
behavioral2/files/0x0007000000023c56-74.dat	upx
behavioral2/files/0x0007000000023c57-84.dat	upx
behavioral2/files/0x0008000000023c4b-69.dat	upx
behavioral2/memory/3472-65-0x00007FF64C440000-0x00007FF64C791000-memory.dmp	upx
behavioral2/files/0x0008000000023c4c-66.dat	upx
behavioral2/memory/2576-56-0x00007FF7BC880000-0x00007FF7BCBD1000-memory.dmp	upx
behavioral2/files/0x0008000000023c4a-43.dat	upx
behavioral2/memory/3452-39-0x00007FF65F340000-0x00007FF65F691000-memory.dmp	upx
behavioral2/memory/2000-32-0x00007FF6A20F0000-0x00007FF6A2441000-memory.dmp	upx
behavioral2/files/0x0008000000023c47-29.dat	upx
behavioral2/memory/3900-12-0x00007FF75C060000-0x00007FF75C3B1000-memory.dmp	upx
behavioral2/memory/4892-128-0x00007FF7F47B0000-0x00007FF7F4B01000-memory.dmp	upx
behavioral2/memory/3420-140-0x00007FF7EAEE0000-0x00007FF7EB231000-memory.dmp	upx
behavioral2/memory/3928-139-0x00007FF6186E0000-0x00007FF618A31000-memory.dmp	upx
behavioral2/memory/3452-135-0x00007FF65F340000-0x00007FF65F691000-memory.dmp	upx
behavioral2/memory/1996-142-0x00007FF7FF0B0000-0x00007FF7FF401000-memory.dmp	upx
behavioral2/memory/2576-134-0x00007FF7BC880000-0x00007FF7BCBD1000-memory.dmp	upx
behavioral2/memory/2940-132-0x00007FF778810000-0x00007FF778B61000-memory.dmp	upx
behavioral2/memory/3900-131-0x00007FF75C060000-0x00007FF75C3B1000-memory.dmp	upx
behavioral2/memory/3604-130-0x00007FF68E4C0000-0x00007FF68E811000-memory.dmp	upx
behavioral2/memory/3472-138-0x00007FF64C440000-0x00007FF64C791000-memory.dmp	upx
behavioral2/memory/2000-133-0x00007FF6A20F0000-0x00007FF6A2441000-memory.dmp	upx
behavioral2/memory/4892-129-0x00007FF7F47B0000-0x00007FF7F4B01000-memory.dmp	upx
behavioral2/memory/4772-149-0x00007FF608FC0000-0x00007FF609311000-memory.dmp	upx
behavioral2/memory/1500-150-0x00007FF6E3740000-0x00007FF6E3A91000-memory.dmp	upx
behavioral2/memory/3632-148-0x00007FF680900000-0x00007FF680C51000-memory.dmp	upx
behavioral2/memory/4012-145-0x00007FF666340000-0x00007FF666691000-memory.dmp	upx
behavioral2/memory/5016-146-0x00007FF6B3C00000-0x00007FF6B3F51000-memory.dmp	upx
behavioral2/memory/4892-151-0x00007FF7F47B0000-0x00007FF7F4B01000-memory.dmp	upx
behavioral2/memory/3604-201-0x00007FF68E4C0000-0x00007FF68E811000-memory.dmp	upx
behavioral2/memory/3900-220-0x00007FF75C060000-0x00007FF75C3B1000-memory.dmp	upx
behavioral2/memory/2940-222-0x00007FF778810000-0x00007FF778B61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ULOUAbK.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KGRCakQ.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AlDuReY.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OrdkwIz.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LdfdZbc.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JtteAQJ.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ywqzmuX.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aGUlZmu.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hzgMbMY.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gtYColz.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\igaxiSE.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LMDIShQ.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rJZKKLj.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OeVyvQr.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CkSCLaN.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kNPRFBN.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EtPDZcR.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\INqFqAE.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uCkRYjq.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BtwFiaw.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zHXLGrp.exe	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 3604	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4892 wrote to memory of 3604	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4892 wrote to memory of 3900	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4892 wrote to memory of 3900	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4892 wrote to memory of 2940	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4892 wrote to memory of 2940	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4892 wrote to memory of 2000	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4892 wrote to memory of 2000	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4892 wrote to memory of 2576	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4892 wrote to memory of 2576	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4892 wrote to memory of 3452	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4892 wrote to memory of 3452	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4892 wrote to memory of 2928	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4892 wrote to memory of 2928	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4892 wrote to memory of 3984	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4892 wrote to memory of 3984	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4892 wrote to memory of 3472	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4892 wrote to memory of 3472	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4892 wrote to memory of 3928	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4892 wrote to memory of 3928	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4892 wrote to memory of 3420	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4892 wrote to memory of 3420	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4892 wrote to memory of 3700	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4892 wrote to memory of 3700	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4892 wrote to memory of 1996	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4892 wrote to memory of 1996	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4892 wrote to memory of 1140	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4892 wrote to memory of 1140	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4892 wrote to memory of 4928	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4892 wrote to memory of 4928	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4892 wrote to memory of 4012	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4892 wrote to memory of 4012	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4892 wrote to memory of 5016	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4892 wrote to memory of 5016	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4892 wrote to memory of 1076	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4892 wrote to memory of 1076	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4892 wrote to memory of 3632	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4892 wrote to memory of 3632	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4892 wrote to memory of 4772	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4892 wrote to memory of 4772	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4892 wrote to memory of 1500	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4892 wrote to memory of 1500	4892	2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_60ae59c2ff9203224752c549e133ce97_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\System\AlDuReY.exe
  C:\Windows\System\AlDuReY.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System\uCkRYjq.exe
  C:\Windows\System\uCkRYjq.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System\OrdkwIz.exe
  C:\Windows\System\OrdkwIz.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\LdfdZbc.exe
  C:\Windows\System\LdfdZbc.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\ULOUAbK.exe
  C:\Windows\System\ULOUAbK.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\BtwFiaw.exe
  C:\Windows\System\BtwFiaw.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System\JtteAQJ.exe
  C:\Windows\System\JtteAQJ.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\ywqzmuX.exe
  C:\Windows\System\ywqzmuX.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System\gtYColz.exe
  C:\Windows\System\gtYColz.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\igaxiSE.exe
  C:\Windows\System\igaxiSE.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\zHXLGrp.exe
  C:\Windows\System\zHXLGrp.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System\aGUlZmu.exe
  C:\Windows\System\aGUlZmu.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System\LMDIShQ.exe
  C:\Windows\System\LMDIShQ.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\KGRCakQ.exe
  C:\Windows\System\KGRCakQ.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\rJZKKLj.exe
  C:\Windows\System\rJZKKLj.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\OeVyvQr.exe
  C:\Windows\System\OeVyvQr.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\CkSCLaN.exe
  C:\Windows\System\CkSCLaN.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\kNPRFBN.exe
  C:\Windows\System\kNPRFBN.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System\EtPDZcR.exe
  C:\Windows\System\EtPDZcR.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System\hzgMbMY.exe
  C:\Windows\System\hzgMbMY.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\INqFqAE.exe
  C:\Windows\System\INqFqAE.exe
  2⤵
  - Executes dropped EXE
  PID:1500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AlDuReY.exe

Filesize
5.2MB

MD5
d5ed3cf98639445de4dc4e6378e4a18a

SHA1
fc15972e4f08dd55f985b6eba10a794d98c33674

SHA256
71e7e435eb32da27f152f6d32878580284dce65c9f33a8dd1cd84c81ab1e8ee8

SHA512
50d9ed8b6e0d81f70dfbf7943e910ff654e55d3973d90d20ad5fa139bc37d5e189313159c8e01308ef00ac10db70533d05f05ca868a35319b4bc2330ad47e594

Download Submit
C:\Windows\System\BtwFiaw.exe

Filesize
5.2MB

MD5
e7c90e4dfb491d4f86aa46afd43ec633

SHA1
474d6115c7fb9a28fd33cb62bfd8a818af2d6496

SHA256
77a72728b7721e7a2203912c057085c8a38310f7aca76562a5e0a39a4c55834d

SHA512
516e20d7a0c14700d476b20a24723f0eee621876c4854eccc4c832759d7a003fc2a009b85611d8400a29d4ab5acff6ab75d539a1fcc364bc86b0377633eb1ba0

Download Submit
C:\Windows\System\CkSCLaN.exe

Filesize
5.2MB

MD5
2b7e3881113edc25a959070295f670d1

SHA1
fb419f34828ac377fc036842a88471cd01b8fb53

SHA256
cd7de2acacf1376f496c75e81418be856c89a24c16a1d01e896e66d87caa4630

SHA512
0b549837825ab6c72adfc2fff7fc5151bbffb27c563af3267ca38d5da69bedd5dc7f88a3543ef722a667ef9ad8a6a9adec4b7da820b63266958e9082b758f85f

Download Submit
C:\Windows\System\EtPDZcR.exe

Filesize
5.2MB

MD5
777e1946208b9f02b4ddfffc29a6ab08

SHA1
7352d7155726d68aec06c91c13163dc55a168f4d

SHA256
d6709306d3df5c3df6d48c98edeb64e9b6ca346ba8b72220d2c0baf0359dfad2

SHA512
69c175c36540ebcb4519f47215c3d8e82fcbe532578e0b62e697145754ef4905dc82a6b52b4a0989bd043577842f597c0591196c985f3475c579c0621da3d028

Download Submit
C:\Windows\System\INqFqAE.exe

Filesize
5.2MB

MD5
ffb72e15877fa5bf32c8f799ec9e5784

SHA1
7be894c1f13001aa2932db57e47d1e61452efb59

SHA256
70fae88b45b7c81ceec51e30c04e3f1ec778cbf3cbd9c2e05994cb83c54937ef

SHA512
b47c0661a101c29c27cec6e3b190a14e642fc1b3bb976771f6e9b0bf2b56b5969c1c0012ac5de91c3a016a91d880668d5caffb8415650c336592221b1dd7bd88

Download Submit
C:\Windows\System\JtteAQJ.exe

Filesize
5.2MB

MD5
3ae54df8bb8da6f411b8734402df8683

SHA1
6f5649bd582f62b8d86e6db844f4b1225f9f6de1

SHA256
2dc52bd2f599e0c53b0b4ee536f810daa6616692fd1dcd8618d194d5838100e1

SHA512
9ee7b92809733d8f84480fb7340fa17ea688540f2fc029bf2b6e2823308f92b0e8fc9c659f89827b33b7883d7a1bcc825ced5e6382b2ff551961d879dd82eebc

Download Submit
C:\Windows\System\KGRCakQ.exe

Filesize
5.2MB

MD5
02c5996fc702899d32630afef9726a98

SHA1
4b49cd72dafb02899d4ff964bfa60cd2db3c9907

SHA256
cf64f86ebcda9a19c9c68c8f5f7d55251005ed173637eaa2e7426491ed348afe

SHA512
21724058404c2b786e0703e4be18484583920c3e7eb08c1dec30be435623d0b27ccdc6c09889392f5839ded17b548d50f02edc00b62e4fe11441d065274853e4

Download Submit
C:\Windows\System\LMDIShQ.exe

Filesize
5.2MB

MD5
f253c87d6437a21492a5a5903c07b1bd

SHA1
3e60537b26e04f8635caa22ab51cc9982e84affc

SHA256
98a3955ec626fc1ce2e8a7d66de23c2b3e98640dd9233aa8d07a829fdceab28d

SHA512
4dfbb7f25d888196a3e2060f72f59223c6aa5d11d5ee95facf863fd2eeead19c0e69644009d72cab48da15c743b532576f41607596c49f6b01b8b45d5e51e509

Download Submit
C:\Windows\System\LdfdZbc.exe

Filesize
5.2MB

MD5
ad1d3edadbc5a09639109ba77a928fb3

SHA1
9693ba7476fd894b8aee4f07d6db10e23664d217

SHA256
e47551721bd7d051a4cb354b01abfe4065c0121d721b87db023c0d3e1069b63a

SHA512
fc6e5987963c3870f833fe8962fbf6ed4b504bc8f24e1dce48930455b08e80917fc0b9c283dc5217c8b4db8865a34fa7d29fc4ca33db28b1f7ce7e2991cf3864

Download Submit
C:\Windows\System\OeVyvQr.exe

Filesize
5.2MB

MD5
ae604da29367fde9db32ce6323a82243

SHA1
c48f0176bd61791331579ec3e6bf6bfb065dc753

SHA256
c057b65ff8f1a1ed7645519921a97a2c41bb97343811a4eefdcfb48dae463f39

SHA512
57ff7bf791ab560fa6960243dcf66401c82b1827abc1c5d14d2b61f46a330f64dda7a294a23ada4e8db6722902a4a6bd8a1e25efaa9eed2203455a96991b0555

Download Submit
C:\Windows\System\OrdkwIz.exe

Filesize
5.2MB

MD5
a7543497300796267847216c59c14d11

SHA1
5f02205ec522dacceb91a398462dba36b7cb5ed6

SHA256
f504919d4d3e45412b53129f8f4234ad7ff91dfa636f246e69610ccbd9aab7f9

SHA512
631719ad8a04da02be95e93d84c2ee09de4ce011cdc793181488a3b6d3b867901fcd334d9e632cc68f52a19fc8d932ceebc7494705edf15f2fcabc25db1f845b

Download Submit
C:\Windows\System\ULOUAbK.exe

Filesize
5.2MB

MD5
324a884ba57039ab340316001c3eb02a

SHA1
4c5c5293e4c12ee6ac9dbf47ae6438c15d13bd0b

SHA256
cc05775be8282d23ebbbb0b70becfe3acf3292925896a7b09977578e8ca3018e

SHA512
d78d7acc0c4642af76b462b5fe74dbbaac5a96301ba785a8186a0a3acd2ed70c8146dad37c523f8f11671604e206fe7d391f5bdaf9f2ef9de759127254f5f53d

Download Submit
C:\Windows\System\aGUlZmu.exe

Filesize
5.2MB

MD5
c8fc3b418298d86a8e57d1509edd4207

SHA1
f8ccfcf1f2d665e43f5e80fc6386b00647143870

SHA256
6e67e43259c79dd4d203dad3a83662d86f298700f7eb571a011e1dc536857102

SHA512
a5220c6648632d614c59034b31dfc5e8f902f6dcf6c2e299a41e328cadabb50d0af64c92c40a1e1b18d068580deb0cf810df6cd774946c7c629f1780238d6a3f

Download Submit
C:\Windows\System\gtYColz.exe

Filesize
5.2MB

MD5
7d972527638e5ad7d06283adc4025d7b

SHA1
eb6281c828992e6b3b2a295f27116094f9ff9167

SHA256
819492af8acf64bcbc124aae1e126af5f45254ade5329760dbeebcd546c2b1cf

SHA512
4efc6835ea8e277499188c78ecbbd4bcceaff157eb90c187fb9725b741c66256028bb1cacff8dd6cf20326be14aeb10f0aa358710b6de01f21738e509671c746

Download Submit
C:\Windows\System\hzgMbMY.exe

Filesize
5.2MB

MD5
4149cd4addcef3a738bce42b37b2636e

SHA1
b912557bbe0f80811b767c86a353f9d26f6502ea

SHA256
e7bc7f5108908d66c3adcd0c3934b83ee5c601624e0fc7882acb198bed8ceae7

SHA512
9641b3bb854dba74608d30731c923a478a1d3c875221db073d9863744f30e5510b20b6f1fa8fb8b1c5d13335b1e479f28d3d7e3bcbe212ca5e352d2b6183a9cc

Download Submit
C:\Windows\System\igaxiSE.exe

Filesize
5.2MB

MD5
6ed82ebbffa3a5e2b676f591e31efeec

SHA1
a7e02907ecb21578981f6f295f467c844c77543a

SHA256
b29992f4f7e837f205db8ae3f1c452af78ce4db68cd942c9afceaa81188bd750

SHA512
8bf87c907fb7c14e987c1e2a5814b8a1b29bd73f6d6b52b1514cbfb901256513d178d7e46127cb336e4d83be11b86f27174eea6139dcae413868132e92d667cd

Download Submit
C:\Windows\System\kNPRFBN.exe

Filesize
5.2MB

MD5
733cc1b0500df68bccfb8c17bd731c32

SHA1
922d6dcdacd98f8d58f4ebac46d5bb0bc60e8eb4

SHA256
d268b4f2613af167e17deb6f713b7812347f107afa3c53fca9636e27adceb5e1

SHA512
57fea570a34204d82a698a0f417f773962761b880772cd6111aabaf82f63771e557291a6fa6e02f1c7960895bfd3aa4db4971c9edc07b5fa3ba47faedce78950

Download Submit
C:\Windows\System\rJZKKLj.exe

Filesize
5.2MB

MD5
b03dfb094ac0defb9cf87e15bec491a5

SHA1
a8f65c40fcf2150b038fb065cc632aa64e3d4a1c

SHA256
f619dea77fdb38b0cf1bcde4d5f937f22f2df040c0f38daa5026e9b88c64f80c

SHA512
31b09abeb0ad2c881860fc4ee7edc9d2b1f1508554e5319242fb07afc77fc351b0631979b6ba163f862ffbfadc007df738300e3aba22491b43b693a904fe2e9a

Download Submit
C:\Windows\System\uCkRYjq.exe

Filesize
5.2MB

MD5
0abcf1fdff922c1fa3e8ad549a3486c9

SHA1
b0d43277f63313fa254aa4cb50f46087eb8a98a8

SHA256
b6c6644f1bfbfe059d320383a0ad8608eb007c864b8c868db8733bf53b4012ec

SHA512
9a1d3e2d61a171fe38e01011c97d6280acdb07f113a5ba153b8ca80590766701ed0781401031cd3b5ed68057dd5b377bcbc23b7b834237018e56832f21703978

Download Submit
C:\Windows\System\ywqzmuX.exe

Filesize
5.2MB

MD5
a00e33072c493321a8cc8a9eb9188c86

SHA1
e19762590d62044a92946a28b1575bed2339c196

SHA256
f3369963935380fe96602cfcbe6d211adaac3ac5cf3f21a5f2115ac7b4462041

SHA512
11458040f2065df108feb719348e8854b9d4839210f92c1bc38fe859bf9843d694140cd52bdfaaea82f366cd52cfc3b2de2863c4e58ce94d9dbf45b5c55bb887

Download Submit
C:\Windows\System\zHXLGrp.exe

Filesize
5.2MB

MD5
97c12ef0bd645a5c5a95497f5aa0020d

SHA1
826db1bdb8d3d1906310399ab5cfc570c4f0dcda

SHA256
bafb9b29458f7b13adce86f781392359a589eb852f6384f9238c2db054eb93b9

SHA512
fe06e578de7b29df47af78aea1a058927cdcabad6226b47d46984331111cbbcc87518d4210a3ba167850d8cf6acbb6af17e20e828d2cef26caf48ef913790a7f

Download Submit
memory/1076-245-0x00007FF6FB580000-0x00007FF6FB8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1076-121-0x00007FF6FB580000-0x00007FF6FB8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1140-119-0x00007FF65B580000-0x00007FF65B8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1140-244-0x00007FF65B580000-0x00007FF65B8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1500-114-0x00007FF6E3740000-0x00007FF6E3A91000-memory.dmp

Filesize
3.3MB

Download
memory/1500-150-0x00007FF6E3740000-0x00007FF6E3A91000-memory.dmp

Filesize
3.3MB

Download
memory/1500-252-0x00007FF6E3740000-0x00007FF6E3A91000-memory.dmp

Filesize
3.3MB

Download
memory/1996-142-0x00007FF7FF0B0000-0x00007FF7FF401000-memory.dmp

Filesize
3.3MB

Download
memory/1996-91-0x00007FF7FF0B0000-0x00007FF7FF401000-memory.dmp

Filesize
3.3MB

Download
memory/1996-258-0x00007FF7FF0B0000-0x00007FF7FF401000-memory.dmp

Filesize
3.3MB

Download
memory/2000-32-0x00007FF6A20F0000-0x00007FF6A2441000-memory.dmp

Filesize
3.3MB

Download
memory/2000-224-0x00007FF6A20F0000-0x00007FF6A2441000-memory.dmp

Filesize
3.3MB

Download
memory/2000-133-0x00007FF6A20F0000-0x00007FF6A2441000-memory.dmp

Filesize
3.3MB

Download
memory/2576-134-0x00007FF7BC880000-0x00007FF7BCBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2576-230-0x00007FF7BC880000-0x00007FF7BCBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2576-56-0x00007FF7BC880000-0x00007FF7BCBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2928-59-0x00007FF704A90000-0x00007FF704DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2928-228-0x00007FF704A90000-0x00007FF704DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-132-0x00007FF778810000-0x00007FF778B61000-memory.dmp

Filesize
3.3MB

Download
memory/2940-222-0x00007FF778810000-0x00007FF778B61000-memory.dmp

Filesize
3.3MB

Download
memory/2940-20-0x00007FF778810000-0x00007FF778B61000-memory.dmp

Filesize
3.3MB

Download
memory/3420-79-0x00007FF7EAEE0000-0x00007FF7EB231000-memory.dmp

Filesize
3.3MB

Download
memory/3420-236-0x00007FF7EAEE0000-0x00007FF7EB231000-memory.dmp

Filesize
3.3MB

Download
memory/3420-140-0x00007FF7EAEE0000-0x00007FF7EB231000-memory.dmp

Filesize
3.3MB

Download
memory/3452-39-0x00007FF65F340000-0x00007FF65F691000-memory.dmp

Filesize
3.3MB

Download
memory/3452-135-0x00007FF65F340000-0x00007FF65F691000-memory.dmp

Filesize
3.3MB

Download
memory/3452-226-0x00007FF65F340000-0x00007FF65F691000-memory.dmp

Filesize
3.3MB

Download
memory/3472-234-0x00007FF64C440000-0x00007FF64C791000-memory.dmp

Filesize
3.3MB

Download
memory/3472-65-0x00007FF64C440000-0x00007FF64C791000-memory.dmp

Filesize
3.3MB

Download
memory/3472-138-0x00007FF64C440000-0x00007FF64C791000-memory.dmp

Filesize
3.3MB

Download
memory/3604-130-0x00007FF68E4C0000-0x00007FF68E811000-memory.dmp

Filesize
3.3MB

Download
memory/3604-10-0x00007FF68E4C0000-0x00007FF68E811000-memory.dmp

Filesize
3.3MB

Download
memory/3604-201-0x00007FF68E4C0000-0x00007FF68E811000-memory.dmp

Filesize
3.3MB

Download
memory/3632-256-0x00007FF680900000-0x00007FF680C51000-memory.dmp

Filesize
3.3MB

Download
memory/3632-113-0x00007FF680900000-0x00007FF680C51000-memory.dmp

Filesize
3.3MB

Download
memory/3632-148-0x00007FF680900000-0x00007FF680C51000-memory.dmp

Filesize
3.3MB

Download
memory/3700-118-0x00007FF732BF0000-0x00007FF732F41000-memory.dmp

Filesize
3.3MB

Download
memory/3700-240-0x00007FF732BF0000-0x00007FF732F41000-memory.dmp

Filesize
3.3MB

Download
memory/3900-12-0x00007FF75C060000-0x00007FF75C3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3900-131-0x00007FF75C060000-0x00007FF75C3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3900-220-0x00007FF75C060000-0x00007FF75C3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3928-246-0x00007FF6186E0000-0x00007FF618A31000-memory.dmp

Filesize
3.3MB

Download
memory/3928-77-0x00007FF6186E0000-0x00007FF618A31000-memory.dmp

Filesize
3.3MB

Download
memory/3928-139-0x00007FF6186E0000-0x00007FF618A31000-memory.dmp

Filesize
3.3MB

Download
memory/3984-232-0x00007FF7E3940000-0x00007FF7E3C91000-memory.dmp

Filesize
3.3MB

Download
memory/3984-117-0x00007FF7E3940000-0x00007FF7E3C91000-memory.dmp

Filesize
3.3MB

Download
memory/4012-145-0x00007FF666340000-0x00007FF666691000-memory.dmp

Filesize
3.3MB

Download
memory/4012-92-0x00007FF666340000-0x00007FF666691000-memory.dmp

Filesize
3.3MB

Download
memory/4012-248-0x00007FF666340000-0x00007FF666691000-memory.dmp

Filesize
3.3MB

Download
memory/4772-149-0x00007FF608FC0000-0x00007FF609311000-memory.dmp

Filesize
3.3MB

Download
memory/4772-255-0x00007FF608FC0000-0x00007FF609311000-memory.dmp

Filesize
3.3MB

Download
memory/4772-122-0x00007FF608FC0000-0x00007FF609311000-memory.dmp

Filesize
3.3MB

Download
memory/4892-129-0x00007FF7F47B0000-0x00007FF7F4B01000-memory.dmp

Filesize
3.3MB

Download
memory/4892-1-0x0000014C26970000-0x0000014C26980000-memory.dmp

Filesize
64KB

Download
memory/4892-128-0x00007FF7F47B0000-0x00007FF7F4B01000-memory.dmp

Filesize
3.3MB

Download
memory/4892-0-0x00007FF7F47B0000-0x00007FF7F4B01000-memory.dmp

Filesize
3.3MB

Download
memory/4892-151-0x00007FF7F47B0000-0x00007FF7F4B01000-memory.dmp

Filesize
3.3MB

Download
memory/4928-120-0x00007FF61F610000-0x00007FF61F961000-memory.dmp

Filesize
3.3MB

Download
memory/4928-238-0x00007FF61F610000-0x00007FF61F961000-memory.dmp

Filesize
3.3MB

Download
memory/5016-250-0x00007FF6B3C00000-0x00007FF6B3F51000-memory.dmp

Filesize
3.3MB

Download
memory/5016-146-0x00007FF6B3C00000-0x00007FF6B3F51000-memory.dmp

Filesize
3.3MB

Download
memory/5016-106-0x00007FF6B3C00000-0x00007FF6B3F51000-memory.dmp

Filesize
3.3MB

Download