cobaltstrike | f287fd50e5adc896f4800db853b98e412c7039717c540cba3b5341484f200c99

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

cfaa22902717bc2e7a0d155cf64d9a32
SHA1

9878ac058f9f2e958954910d8629163f558bf530
SHA256

f287fd50e5adc896f4800db853b98e412c7039717c540cba3b5341484f200c99
SHA512

126e3f3ab47969cacd54fcf339790b0f92a0ebb9bc2804fe6881628522b1cee778fb7414347575f25afdf27b26c25e407ab69dcb5239beb088cd053b844010ce
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lX:RWWBibf56utgpPFotBER/mQ32lUz

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000e000000023b56-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b60-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b61-20.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b63-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b62-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b5f-16.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b64-41.dat	cobalt_reflective_dll
behavioral2/files/0x0032000000023b5c-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b67-57.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b68-63.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b69-74.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6b-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6a-78.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b65-58.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6c-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6f-121.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b70-123.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b71-129.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6e-111.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6d-104.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b72-135.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3396-60-0x00007FF79E010000-0x00007FF79E361000-memory.dmp	xmrig
behavioral2/memory/716-86-0x00007FF6143C0000-0x00007FF614711000-memory.dmp	xmrig
behavioral2/memory/3808-88-0x00007FF71FCB0000-0x00007FF720001000-memory.dmp	xmrig
behavioral2/memory/4676-87-0x00007FF73EEF0000-0x00007FF73F241000-memory.dmp	xmrig
behavioral2/memory/3172-83-0x00007FF6DAD90000-0x00007FF6DB0E1000-memory.dmp	xmrig
behavioral2/memory/1564-82-0x00007FF6D57B0000-0x00007FF6D5B01000-memory.dmp	xmrig
behavioral2/memory/3276-90-0x00007FF6E98E0000-0x00007FF6E9C31000-memory.dmp	xmrig
behavioral2/memory/1632-89-0x00007FF63FD60000-0x00007FF6400B1000-memory.dmp	xmrig
behavioral2/memory/2584-100-0x00007FF7117D0000-0x00007FF711B21000-memory.dmp	xmrig
behavioral2/memory/4692-127-0x00007FF73FE30000-0x00007FF740181000-memory.dmp	xmrig
behavioral2/memory/868-118-0x00007FF6C1460000-0x00007FF6C17B1000-memory.dmp	xmrig
behavioral2/memory/2204-114-0x00007FF755FC0000-0x00007FF756311000-memory.dmp	xmrig
behavioral2/memory/4936-107-0x00007FF70B140000-0x00007FF70B491000-memory.dmp	xmrig
behavioral2/memory/4240-133-0x00007FF6077A0000-0x00007FF607AF1000-memory.dmp	xmrig
behavioral2/memory/4208-132-0x00007FF7583F0000-0x00007FF758741000-memory.dmp	xmrig
behavioral2/memory/3396-139-0x00007FF79E010000-0x00007FF79E361000-memory.dmp	xmrig
behavioral2/memory/1628-155-0x00007FF63CC50000-0x00007FF63CFA1000-memory.dmp	xmrig
behavioral2/memory/60-157-0x00007FF7130F0000-0x00007FF713441000-memory.dmp	xmrig
behavioral2/memory/4248-156-0x00007FF6CDC40000-0x00007FF6CDF91000-memory.dmp	xmrig
behavioral2/memory/4528-158-0x00007FF772850000-0x00007FF772BA1000-memory.dmp	xmrig
behavioral2/memory/1672-165-0x00007FF67E890000-0x00007FF67EBE1000-memory.dmp	xmrig
behavioral2/memory/8-164-0x00007FF688AD0000-0x00007FF688E21000-memory.dmp	xmrig
behavioral2/memory/3396-166-0x00007FF79E010000-0x00007FF79E361000-memory.dmp	xmrig
behavioral2/memory/4088-167-0x00007FF700D10000-0x00007FF701061000-memory.dmp	xmrig
behavioral2/memory/716-220-0x00007FF6143C0000-0x00007FF614711000-memory.dmp	xmrig
behavioral2/memory/1632-222-0x00007FF63FD60000-0x00007FF6400B1000-memory.dmp	xmrig
behavioral2/memory/3276-224-0x00007FF6E98E0000-0x00007FF6E9C31000-memory.dmp	xmrig
behavioral2/memory/2584-228-0x00007FF7117D0000-0x00007FF711B21000-memory.dmp	xmrig
behavioral2/memory/4936-227-0x00007FF70B140000-0x00007FF70B491000-memory.dmp	xmrig
behavioral2/memory/2204-230-0x00007FF755FC0000-0x00007FF756311000-memory.dmp	xmrig
behavioral2/memory/868-236-0x00007FF6C1460000-0x00007FF6C17B1000-memory.dmp	xmrig
behavioral2/memory/4692-238-0x00007FF73FE30000-0x00007FF740181000-memory.dmp	xmrig
behavioral2/memory/4208-243-0x00007FF7583F0000-0x00007FF758741000-memory.dmp	xmrig
behavioral2/memory/4676-247-0x00007FF73EEF0000-0x00007FF73F241000-memory.dmp	xmrig
behavioral2/memory/4240-248-0x00007FF6077A0000-0x00007FF607AF1000-memory.dmp	xmrig
behavioral2/memory/1564-250-0x00007FF6D57B0000-0x00007FF6D5B01000-memory.dmp	xmrig
behavioral2/memory/3172-252-0x00007FF6DAD90000-0x00007FF6DB0E1000-memory.dmp	xmrig
behavioral2/memory/3808-254-0x00007FF71FCB0000-0x00007FF720001000-memory.dmp	xmrig
behavioral2/memory/1628-261-0x00007FF63CC50000-0x00007FF63CFA1000-memory.dmp	xmrig
behavioral2/memory/4248-263-0x00007FF6CDC40000-0x00007FF6CDF91000-memory.dmp	xmrig
behavioral2/memory/60-265-0x00007FF7130F0000-0x00007FF713441000-memory.dmp	xmrig
behavioral2/memory/4528-267-0x00007FF772850000-0x00007FF772BA1000-memory.dmp	xmrig
behavioral2/memory/8-271-0x00007FF688AD0000-0x00007FF688E21000-memory.dmp	xmrig
behavioral2/memory/1672-269-0x00007FF67E890000-0x00007FF67EBE1000-memory.dmp	xmrig
behavioral2/memory/4088-275-0x00007FF700D10000-0x00007FF701061000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
716	eCBKCfY.exe
1632	HLQujIm.exe
3276	hauUzob.exe
2584	tkDgNow.exe
4936	OiMKBqC.exe
2204	ptvQbzQ.exe
868	hvUWreI.exe
4692	uWLFdsy.exe
4208	CMbEycI.exe
4240	rwrjbLm.exe
4676	PmIYrMM.exe
1564	tQhyMIo.exe
3172	mBdOTpQ.exe
3808	TVLrQYj.exe
1628	VKVtRqM.exe
4248	TMGiObd.exe
60	gSJxEzF.exe
4528	qWdxOOb.exe
8	KPBiBRd.exe
1672	xNpXfMV.exe
4088	GMKBOmg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3396-0-0x00007FF79E010000-0x00007FF79E361000-memory.dmp	upx
behavioral2/files/0x000e000000023b56-5.dat	upx
behavioral2/files/0x000a000000023b60-9.dat	upx
behavioral2/files/0x000a000000023b61-20.dat	upx
behavioral2/memory/4936-30-0x00007FF70B140000-0x00007FF70B491000-memory.dmp	upx
behavioral2/files/0x000a000000023b63-35.dat	upx
behavioral2/memory/2204-36-0x00007FF755FC0000-0x00007FF756311000-memory.dmp	upx
behavioral2/files/0x000a000000023b62-33.dat	upx
behavioral2/memory/2584-23-0x00007FF7117D0000-0x00007FF711B21000-memory.dmp	upx
behavioral2/memory/3276-21-0x00007FF6E98E0000-0x00007FF6E9C31000-memory.dmp	upx
behavioral2/files/0x000a000000023b5f-16.dat	upx
behavioral2/memory/1632-14-0x00007FF63FD60000-0x00007FF6400B1000-memory.dmp	upx
behavioral2/memory/716-7-0x00007FF6143C0000-0x00007FF614711000-memory.dmp	upx
behavioral2/memory/868-42-0x00007FF6C1460000-0x00007FF6C17B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b64-41.dat	upx
behavioral2/files/0x0032000000023b5c-47.dat	upx
behavioral2/memory/4692-48-0x00007FF73FE30000-0x00007FF740181000-memory.dmp	upx
behavioral2/files/0x000a000000023b67-57.dat	upx
behavioral2/memory/3396-60-0x00007FF79E010000-0x00007FF79E361000-memory.dmp	upx
behavioral2/files/0x000a000000023b68-63.dat	upx
behavioral2/files/0x000a000000023b69-74.dat	upx
behavioral2/files/0x000a000000023b6b-81.dat	upx
behavioral2/memory/716-86-0x00007FF6143C0000-0x00007FF614711000-memory.dmp	upx
behavioral2/memory/3808-88-0x00007FF71FCB0000-0x00007FF720001000-memory.dmp	upx
behavioral2/memory/4676-87-0x00007FF73EEF0000-0x00007FF73F241000-memory.dmp	upx
behavioral2/memory/3172-83-0x00007FF6DAD90000-0x00007FF6DB0E1000-memory.dmp	upx
behavioral2/memory/1564-82-0x00007FF6D57B0000-0x00007FF6D5B01000-memory.dmp	upx
behavioral2/memory/4240-80-0x00007FF6077A0000-0x00007FF607AF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b6a-78.dat	upx
behavioral2/files/0x000a000000023b65-58.dat	upx
behavioral2/memory/4208-56-0x00007FF7583F0000-0x00007FF758741000-memory.dmp	upx
behavioral2/memory/3276-90-0x00007FF6E98E0000-0x00007FF6E9C31000-memory.dmp	upx
behavioral2/memory/1632-89-0x00007FF63FD60000-0x00007FF6400B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b6c-93.dat	upx
behavioral2/memory/2584-100-0x00007FF7117D0000-0x00007FF711B21000-memory.dmp	upx
behavioral2/files/0x000a000000023b6f-121.dat	upx
behavioral2/memory/8-120-0x00007FF688AD0000-0x00007FF688E21000-memory.dmp	upx
behavioral2/files/0x000a000000023b70-123.dat	upx
behavioral2/memory/4692-127-0x00007FF73FE30000-0x00007FF740181000-memory.dmp	upx
behavioral2/files/0x000a000000023b71-129.dat	upx
behavioral2/memory/1672-128-0x00007FF67E890000-0x00007FF67EBE1000-memory.dmp	upx
behavioral2/memory/868-118-0x00007FF6C1460000-0x00007FF6C17B1000-memory.dmp	upx
behavioral2/memory/4528-116-0x00007FF772850000-0x00007FF772BA1000-memory.dmp	upx
behavioral2/memory/2204-114-0x00007FF755FC0000-0x00007FF756311000-memory.dmp	upx
behavioral2/memory/60-113-0x00007FF7130F0000-0x00007FF713441000-memory.dmp	upx
behavioral2/files/0x000a000000023b6e-111.dat	upx
behavioral2/memory/4936-107-0x00007FF70B140000-0x00007FF70B491000-memory.dmp	upx
behavioral2/files/0x000a000000023b6d-104.dat	upx
behavioral2/memory/4248-103-0x00007FF6CDC40000-0x00007FF6CDF91000-memory.dmp	upx
behavioral2/memory/1628-98-0x00007FF63CC50000-0x00007FF63CFA1000-memory.dmp	upx
behavioral2/memory/4240-133-0x00007FF6077A0000-0x00007FF607AF1000-memory.dmp	upx
behavioral2/memory/4208-132-0x00007FF7583F0000-0x00007FF758741000-memory.dmp	upx
behavioral2/files/0x000a000000023b72-135.dat	upx
behavioral2/memory/3396-139-0x00007FF79E010000-0x00007FF79E361000-memory.dmp	upx
behavioral2/memory/4088-138-0x00007FF700D10000-0x00007FF701061000-memory.dmp	upx
behavioral2/memory/1628-155-0x00007FF63CC50000-0x00007FF63CFA1000-memory.dmp	upx
behavioral2/memory/60-157-0x00007FF7130F0000-0x00007FF713441000-memory.dmp	upx
behavioral2/memory/4248-156-0x00007FF6CDC40000-0x00007FF6CDF91000-memory.dmp	upx
behavioral2/memory/4528-158-0x00007FF772850000-0x00007FF772BA1000-memory.dmp	upx
behavioral2/memory/1672-165-0x00007FF67E890000-0x00007FF67EBE1000-memory.dmp	upx
behavioral2/memory/8-164-0x00007FF688AD0000-0x00007FF688E21000-memory.dmp	upx
behavioral2/memory/3396-166-0x00007FF79E010000-0x00007FF79E361000-memory.dmp	upx
behavioral2/memory/4088-167-0x00007FF700D10000-0x00007FF701061000-memory.dmp	upx
behavioral2/memory/716-220-0x00007FF6143C0000-0x00007FF614711000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\hvUWreI.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CMbEycI.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rwrjbLm.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eCBKCfY.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OiMKBqC.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mBdOTpQ.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VKVtRqM.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TMGiObd.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xNpXfMV.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HLQujIm.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hauUzob.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TVLrQYj.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qWdxOOb.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ptvQbzQ.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tQhyMIo.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PmIYrMM.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gSJxEzF.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KPBiBRd.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GMKBOmg.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tkDgNow.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uWLFdsy.exe	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 716	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3396 wrote to memory of 716	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3396 wrote to memory of 1632	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3396 wrote to memory of 1632	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3396 wrote to memory of 3276	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3396 wrote to memory of 3276	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3396 wrote to memory of 2584	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3396 wrote to memory of 2584	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3396 wrote to memory of 4936	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3396 wrote to memory of 4936	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3396 wrote to memory of 2204	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3396 wrote to memory of 2204	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3396 wrote to memory of 868	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3396 wrote to memory of 868	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3396 wrote to memory of 4692	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3396 wrote to memory of 4692	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3396 wrote to memory of 4208	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3396 wrote to memory of 4208	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3396 wrote to memory of 4240	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3396 wrote to memory of 4240	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3396 wrote to memory of 4676	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3396 wrote to memory of 4676	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3396 wrote to memory of 1564	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3396 wrote to memory of 1564	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3396 wrote to memory of 3172	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3396 wrote to memory of 3172	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3396 wrote to memory of 3808	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3396 wrote to memory of 3808	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3396 wrote to memory of 1628	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3396 wrote to memory of 1628	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3396 wrote to memory of 4248	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3396 wrote to memory of 4248	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3396 wrote to memory of 60	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3396 wrote to memory of 60	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3396 wrote to memory of 4528	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3396 wrote to memory of 4528	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3396 wrote to memory of 8	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3396 wrote to memory of 8	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3396 wrote to memory of 1672	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3396 wrote to memory of 1672	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3396 wrote to memory of 4088	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3396 wrote to memory of 4088	3396	2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-31_cfaa22902717bc2e7a0d155cf64d9a32_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\System\eCBKCfY.exe
  C:\Windows\System\eCBKCfY.exe
  2⤵
  - Executes dropped EXE
  PID:716
- C:\Windows\System\HLQujIm.exe
  C:\Windows\System\HLQujIm.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\hauUzob.exe
  C:\Windows\System\hauUzob.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System\tkDgNow.exe
  C:\Windows\System\tkDgNow.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\OiMKBqC.exe
  C:\Windows\System\OiMKBqC.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\ptvQbzQ.exe
  C:\Windows\System\ptvQbzQ.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\hvUWreI.exe
  C:\Windows\System\hvUWreI.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System\uWLFdsy.exe
  C:\Windows\System\uWLFdsy.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\CMbEycI.exe
  C:\Windows\System\CMbEycI.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System\rwrjbLm.exe
  C:\Windows\System\rwrjbLm.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System\PmIYrMM.exe
  C:\Windows\System\PmIYrMM.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\tQhyMIo.exe
  C:\Windows\System\tQhyMIo.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\mBdOTpQ.exe
  C:\Windows\System\mBdOTpQ.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System\TVLrQYj.exe
  C:\Windows\System\TVLrQYj.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Windows\System\VKVtRqM.exe
  C:\Windows\System\VKVtRqM.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\TMGiObd.exe
  C:\Windows\System\TMGiObd.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\gSJxEzF.exe
  C:\Windows\System\gSJxEzF.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\qWdxOOb.exe
  C:\Windows\System\qWdxOOb.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System\KPBiBRd.exe
  C:\Windows\System\KPBiBRd.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\xNpXfMV.exe
  C:\Windows\System\xNpXfMV.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\GMKBOmg.exe
  C:\Windows\System\GMKBOmg.exe
  2⤵
  - Executes dropped EXE
  PID:4088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CMbEycI.exe

Filesize
5.2MB

MD5
b04a3d686fb88649d3de9497db70ca63

SHA1
511797923f7209579f07b84fd841f8c0ad24598e

SHA256
74de66d6473543b005c4f25f8706928ba2e34d53b106e6a8e899765c09b55b31

SHA512
c44a9ce62493ce7ba66ee4a1e2a26be6e14058da849bac9bd9b76981cc614e43faa44a5bf9ef97eef88a6b2da769abc0f4bf51a53bfe7156e36875ae5784b8b3

Download Submit
C:\Windows\System\GMKBOmg.exe

Filesize
5.2MB

MD5
9a9e5afc90983b14a52b107d19d717e3

SHA1
54b4ac80ab59e895ed1437ac0e1304d7949207ac

SHA256
66aee8d1698c859f7e97a309d780dbc0397c6c7b8ee0d2945e37cd1a4ad7ef75

SHA512
2840fe6f420fcdc944d05074b571fbb7ab22d5a4272c6bdb25f54493c904de3dc9b460b33fcceaf8f14ec41f9c055b9191e68cb08957d3482b6596e15e931a4f

Download Submit
C:\Windows\System\HLQujIm.exe

Filesize
5.2MB

MD5
3de3273df694750153d72e98395e6da9

SHA1
cc4f8e212c26f94378dc03480ee31d73031602a3

SHA256
8b81544584ec6e499d85765419b40c3a4a5c5b95d0b7d7f767857c43e38129c2

SHA512
32c13a3d6693392f1cf0c9f9a3423870c76206a94ef612546fe063f78caace25b4e6050b53fb4a2a1d797988a51f627e7196e01ee519ccf462db3f842393506e

Download Submit
C:\Windows\System\KPBiBRd.exe

Filesize
5.2MB

MD5
e557d1093c419450ce82749d55bfd472

SHA1
bce7aa3aef393f52acd5efb4b30ac3d557a1c083

SHA256
432c49d9fe2acde6f23f3413a3d423414e789090b76a81aae225a133f4d549a7

SHA512
94f140637ae8e6b534541e7d1e3e9f27ac9295232abcce8209ef35eca78a115a50de95fd36dcb97d0edff0ac601c4737979c9b30c544b0ac1c7c284002b7324a

Download Submit
C:\Windows\System\OiMKBqC.exe

Filesize
5.2MB

MD5
2a367c62985720c7a721faa8ffcca555

SHA1
e922f3ecf2aac472ef1f455fd5fb8079991f1a1b

SHA256
4af424f5c34ca227cd8e3901242c562c56475c22da547d8855023fde015d13e3

SHA512
ae3565e90b56a07e3c9aff3566f3661ffd8b1c70c2bc2f6818035ef8b529609cda8aa5e0ff5bd45768b7c8532979c6b730c87de2fb34277317aced712b263ac2

Download Submit
C:\Windows\System\PmIYrMM.exe

Filesize
5.2MB

MD5
d41e358a5b16ef57a26e40bfd16b497f

SHA1
17b1ad9a3dc931cc03968a23f18535101cb22ef1

SHA256
e9a53a87333d803b7c48a33e79f79e726ae84bdc84f8267dbe8beda01ca13702

SHA512
de9044509031086335ed22648e9fb344b75a7d100d5f7d7a4f9013a25dda3d5cce7bc1b1037f2eaf1094a0e57ce76df1ecadfb9d4773b217f668a512ab5c7307

Download Submit
C:\Windows\System\TMGiObd.exe

Filesize
5.2MB

MD5
0c4965c59790e1a94128b65020719bc9

SHA1
ba0228e0ad25b9713f0af9fbddc12cd77249a529

SHA256
f77d065a9ca9f510411fa186724dd0e0a6b2a846cf038dcb9c8df5d30f34fc25

SHA512
4df2b866d7ac18310434c67850458cec7c7674beba391ded01bc46632eaf7011cfe4d4466b7b60d68fb50fee05bc58ca280cb4e771c8ab87a7554933291b2383

Download Submit
C:\Windows\System\TVLrQYj.exe

Filesize
5.2MB

MD5
d6b64506a602bc1c340767e09139d3d0

SHA1
6db195f16115132bf77d7390787cde2cb3e4773b

SHA256
e470a953c4ce5e6a4bb560a0ae947169be43e4d43cacb27c908162b684165676

SHA512
76b9dca7cf2e26c480c63921cb15f7f9aea32dc354a0467389e6e62cf773b1a15f5614db2578e59361100e50fced06546b0ab2b553b52eca817678ba0f1b1a55

Download Submit
C:\Windows\System\VKVtRqM.exe

Filesize
5.2MB

MD5
f0f44ee00d3bef989f70d8d4188f10cf

SHA1
9ef04fcb8537a8831c9bfb9fde10f5cb6be2606a

SHA256
d03a07597858b008f1a01ac76fc01c943ae164fe0c1cb3129e5363015f57c63c

SHA512
f1537071ee16521ef5d2ad37c650929b94687bbbc0cf5178ca4a0fd37403bb7591d8dd75b77bb368e1e7af7e53ab7e0c7bdce39a25fa9e149e4bc39db98b8ae2

Download Submit
C:\Windows\System\eCBKCfY.exe

Filesize
5.2MB

MD5
acc5ab74d2f869868319afae58dc0722

SHA1
f901662974c3727c3a851602ede5c3016501f8b9

SHA256
c2875feafe14eeb4440864a39f81f7d4d6c46a713825c38503e759aa95e19818

SHA512
0c0f115d513da60c7d8a08cef1d76a2449d3af8b8623ae8cedac7f4051d9bb869258c23954ca12b65d2d2f3eb33d64a1fc0b2e5697ce23e458f961dd8eae52ef

Download Submit
C:\Windows\System\gSJxEzF.exe

Filesize
5.2MB

MD5
1fb6e52f1d4bcd8dc8ae9cb9b68ed89b

SHA1
251057e910e7dddb8499b8558d28212ed77d4c5c

SHA256
7d8bec72dcb33e979a249898a25af8a096152adaf3b47ca46215a109e8665afa

SHA512
62d64d1de2fab4c9f8767add1eef659c7f1c47d16db2933117c7e88cb9862e65bcb9b9aa2c3cba00a8ab141e6f9a4111ead9805844049ff893fd1f456d0d651b

Download Submit
C:\Windows\System\hauUzob.exe

Filesize
5.2MB

MD5
2dccd9eb835910688e7600153d26075c

SHA1
90eeec429ab8ba6222261f323312b1ccf25f968d

SHA256
93db9cb10e5141305e78438dcf2b2b08c7d868f6753859b46e1cbdcf21a0f138

SHA512
1ddfb0943103b5eb0ed721dace2e7f3dc7368af6f3c580cb851130ced4763a668bc99eaba60c14c129a74f0472fcf2c0506723d2b383de82fe6bb7df7a3180fc

Download Submit
C:\Windows\System\hvUWreI.exe

Filesize
5.2MB

MD5
1d59a56bde5e2a47c142fa6cd062b8cf

SHA1
2ae0fc9f13144a81a8eff8dea2b833fdf3a8cae0

SHA256
7b8e91c9c03d4f6c5115192c8766af1f42ec7cd93962698568016ce45fcf6163

SHA512
3f3ac401f9c50749aa363e5ae1b8efa27e11931f1ee9be33ddc49d2dc136e1b065c39d2602b12369eda863eab3f039f8b6e7b048c329d4607fac80314ddf58d4

Download Submit
C:\Windows\System\mBdOTpQ.exe

Filesize
5.2MB

MD5
ac2a2bf9886334b1baa6b0722a9fd844

SHA1
2119e720c894fffef1a38ade4494431fc232622b

SHA256
206389f53d9a4eb47e2ced511c8fbdc6ab4d3db1b1943ddf6bf62a0749bc3c3e

SHA512
6b550965dee5eb60ee2970e3a9fc348b8797bc678cac0c9af3046b1912466d9adca452ee2d8c84307976224e15494f1c219cf26d11c3e92ce6c84a3e2c4419e7

Download Submit
C:\Windows\System\ptvQbzQ.exe

Filesize
5.2MB

MD5
9e2f3587d53b561b1f2fa1540863e2d8

SHA1
d60adfadb383c35f99dc24c2c80cc1eb1b7dbd31

SHA256
d9127a54778539f067404fd13bc2160bbb600d982f85ea43edec7543cad84277

SHA512
907797b663f28a470027ce322ea7b6e1cf74c462aa1eaac37bdd52c909a4109a3dfbf282f0d4457e1e2329801edb080aa3d278309fff9545c1eed476c3e3a1e4

Download Submit
C:\Windows\System\qWdxOOb.exe

Filesize
5.2MB

MD5
45e045e340ab23dae2bf73d08ddf9b16

SHA1
d8f8fc71e2ed7e848aeea5f3efbca4c7a0a1960f

SHA256
ff00f82c5a2edc7ee2594b920c52b55bfb1d1549b0888c0dd4edcb743e4e7d56

SHA512
bcc48fc5b16eeec5d5107185f6060ffb4691615c1d8377a7a8ea0737b07ac9fbe6a6a3aabba067058d9112099d2e30587c8171e4332890cd6ed160538b10e85b

Download Submit
C:\Windows\System\rwrjbLm.exe

Filesize
5.2MB

MD5
fd49f47f4034e67cf33fd08d3db7773b

SHA1
ee9c41dd8666cd9d36f9c54b4a149375613063f3

SHA256
e43559e372499f07e86c243ccc280ab4aaea5935d9d7084eabef007069c25f2b

SHA512
ea6ca53569329b862e2237350b755d64d6165205b2a277789ec6f29ccdeef5bf92ac69b2ee63113fd2c2c24262b8b7802d0e3dddb8bc8a2b72a350e4792fdcb0

Download Submit
C:\Windows\System\tQhyMIo.exe

Filesize
5.2MB

MD5
771b2afe3beb61c88457a1f7837468c2

SHA1
d5ae01b41941280bdbe51d61087adbb1f41ab416

SHA256
df7228a516c66f82dd6705610750d6d057c7887dde2572717c0cdbba400c7fc8

SHA512
48daccd9debc55f59365085e733cf8e9e61223fc35963370669f84901c65ecaa3c214621306b4a9b2fe9df41a10c40ed02a523dccda86e833780bf5ab1e6516e

Download Submit
C:\Windows\System\tkDgNow.exe

Filesize
5.2MB

MD5
0d47ecc9ad61622c2838d836bef1a695

SHA1
ad67bebb8188940d0a1644102f212616a115cfda

SHA256
fcd7f84c95a95b26eec1ab0d78224a46725965fd77e1232e4c961f1d89a46702

SHA512
dd744094fbbfa14a306c7994eb0b53816605eb9d4b7044925b83dae0e857238668fc82b9b2b7bc8f2952400a806313828969683b1690b41e4399e7029436dce2

Download Submit
C:\Windows\System\uWLFdsy.exe

Filesize
5.2MB

MD5
532eb89efcf15e21f19863acb334e33c

SHA1
68fe9e602390a7f145716f21e0c0ed514b6571d4

SHA256
82876be339f1278f5c9c45010138d5c27f03e09940c335b50522dc4ba75c6e2d

SHA512
a3b65bd8714e6deff55fbcc00013bf088a9ed606ff32562cb3fd9df361ac2d1416a549ba021c8b3ed301ac5931e778311b0a84be49a0fd32c2d1efc9eaf47ca3

Download Submit
C:\Windows\System\xNpXfMV.exe

Filesize
5.2MB

MD5
ba70c52bde5ab11cb85ee1a11ddfe717

SHA1
468bcc3957c5f5e174ae644b4ad96da04865079c

SHA256
3cb79ee7d947dfac55bac739b7a7ffc4de3c087dfb97c4c96c6391371527d5fd

SHA512
8fbbced2aee3c45fbef787379fbf0b66c0197c670741553a29b411531c5f1554d3cc29472abaf9427bbf644abd8218c63bf0b6dfba30fb62fdb320ab7da761d7

Download Submit
memory/8-164-0x00007FF688AD0000-0x00007FF688E21000-memory.dmp

Filesize
3.3MB

Download
memory/8-271-0x00007FF688AD0000-0x00007FF688E21000-memory.dmp

Filesize
3.3MB

Download
memory/8-120-0x00007FF688AD0000-0x00007FF688E21000-memory.dmp

Filesize
3.3MB

Download
memory/60-157-0x00007FF7130F0000-0x00007FF713441000-memory.dmp

Filesize
3.3MB

Download
memory/60-113-0x00007FF7130F0000-0x00007FF713441000-memory.dmp

Filesize
3.3MB

Download
memory/60-265-0x00007FF7130F0000-0x00007FF713441000-memory.dmp

Filesize
3.3MB

Download
memory/716-7-0x00007FF6143C0000-0x00007FF614711000-memory.dmp

Filesize
3.3MB

Download
memory/716-220-0x00007FF6143C0000-0x00007FF614711000-memory.dmp

Filesize
3.3MB

Download
memory/716-86-0x00007FF6143C0000-0x00007FF614711000-memory.dmp

Filesize
3.3MB

Download
memory/868-118-0x00007FF6C1460000-0x00007FF6C17B1000-memory.dmp

Filesize
3.3MB

Download
memory/868-42-0x00007FF6C1460000-0x00007FF6C17B1000-memory.dmp

Filesize
3.3MB

Download
memory/868-236-0x00007FF6C1460000-0x00007FF6C17B1000-memory.dmp

Filesize
3.3MB

Download
memory/1564-82-0x00007FF6D57B0000-0x00007FF6D5B01000-memory.dmp

Filesize
3.3MB

Download
memory/1564-250-0x00007FF6D57B0000-0x00007FF6D5B01000-memory.dmp

Filesize
3.3MB

Download
memory/1628-98-0x00007FF63CC50000-0x00007FF63CFA1000-memory.dmp

Filesize
3.3MB

Download
memory/1628-261-0x00007FF63CC50000-0x00007FF63CFA1000-memory.dmp

Filesize
3.3MB

Download
memory/1628-155-0x00007FF63CC50000-0x00007FF63CFA1000-memory.dmp

Filesize
3.3MB

Download
memory/1632-89-0x00007FF63FD60000-0x00007FF6400B1000-memory.dmp

Filesize
3.3MB

Download
memory/1632-222-0x00007FF63FD60000-0x00007FF6400B1000-memory.dmp

Filesize
3.3MB

Download
memory/1632-14-0x00007FF63FD60000-0x00007FF6400B1000-memory.dmp

Filesize
3.3MB

Download
memory/1672-128-0x00007FF67E890000-0x00007FF67EBE1000-memory.dmp

Filesize
3.3MB

Download
memory/1672-165-0x00007FF67E890000-0x00007FF67EBE1000-memory.dmp

Filesize
3.3MB

Download
memory/1672-269-0x00007FF67E890000-0x00007FF67EBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2204-114-0x00007FF755FC0000-0x00007FF756311000-memory.dmp

Filesize
3.3MB

Download
memory/2204-230-0x00007FF755FC0000-0x00007FF756311000-memory.dmp

Filesize
3.3MB

Download
memory/2204-36-0x00007FF755FC0000-0x00007FF756311000-memory.dmp

Filesize
3.3MB

Download
memory/2584-228-0x00007FF7117D0000-0x00007FF711B21000-memory.dmp

Filesize
3.3MB

Download
memory/2584-100-0x00007FF7117D0000-0x00007FF711B21000-memory.dmp

Filesize
3.3MB

Download
memory/2584-23-0x00007FF7117D0000-0x00007FF711B21000-memory.dmp

Filesize
3.3MB

Download
memory/3172-252-0x00007FF6DAD90000-0x00007FF6DB0E1000-memory.dmp

Filesize
3.3MB

Download
memory/3172-83-0x00007FF6DAD90000-0x00007FF6DB0E1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-90-0x00007FF6E98E0000-0x00007FF6E9C31000-memory.dmp

Filesize
3.3MB

Download
memory/3276-224-0x00007FF6E98E0000-0x00007FF6E9C31000-memory.dmp

Filesize
3.3MB

Download
memory/3276-21-0x00007FF6E98E0000-0x00007FF6E9C31000-memory.dmp

Filesize
3.3MB

Download
memory/3396-1-0x000001ABB2A90000-0x000001ABB2AA0000-memory.dmp

Filesize
64KB

Download
memory/3396-139-0x00007FF79E010000-0x00007FF79E361000-memory.dmp

Filesize
3.3MB

Download
memory/3396-0-0x00007FF79E010000-0x00007FF79E361000-memory.dmp

Filesize
3.3MB

Download
memory/3396-166-0x00007FF79E010000-0x00007FF79E361000-memory.dmp

Filesize
3.3MB

Download
memory/3396-60-0x00007FF79E010000-0x00007FF79E361000-memory.dmp

Filesize
3.3MB

Download
memory/3808-254-0x00007FF71FCB0000-0x00007FF720001000-memory.dmp

Filesize
3.3MB

Download
memory/3808-88-0x00007FF71FCB0000-0x00007FF720001000-memory.dmp

Filesize
3.3MB

Download
memory/4088-138-0x00007FF700D10000-0x00007FF701061000-memory.dmp

Filesize
3.3MB

Download
memory/4088-275-0x00007FF700D10000-0x00007FF701061000-memory.dmp

Filesize
3.3MB

Download
memory/4088-167-0x00007FF700D10000-0x00007FF701061000-memory.dmp

Filesize
3.3MB

Download
memory/4208-132-0x00007FF7583F0000-0x00007FF758741000-memory.dmp

Filesize
3.3MB

Download
memory/4208-243-0x00007FF7583F0000-0x00007FF758741000-memory.dmp

Filesize
3.3MB

Download
memory/4208-56-0x00007FF7583F0000-0x00007FF758741000-memory.dmp

Filesize
3.3MB

Download
memory/4240-133-0x00007FF6077A0000-0x00007FF607AF1000-memory.dmp

Filesize
3.3MB

Download
memory/4240-80-0x00007FF6077A0000-0x00007FF607AF1000-memory.dmp

Filesize
3.3MB

Download
memory/4240-248-0x00007FF6077A0000-0x00007FF607AF1000-memory.dmp

Filesize
3.3MB

Download
memory/4248-103-0x00007FF6CDC40000-0x00007FF6CDF91000-memory.dmp

Filesize
3.3MB

Download
memory/4248-156-0x00007FF6CDC40000-0x00007FF6CDF91000-memory.dmp

Filesize
3.3MB

Download
memory/4248-263-0x00007FF6CDC40000-0x00007FF6CDF91000-memory.dmp

Filesize
3.3MB

Download
memory/4528-267-0x00007FF772850000-0x00007FF772BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4528-158-0x00007FF772850000-0x00007FF772BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4528-116-0x00007FF772850000-0x00007FF772BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4676-87-0x00007FF73EEF0000-0x00007FF73F241000-memory.dmp

Filesize
3.3MB

Download
memory/4676-247-0x00007FF73EEF0000-0x00007FF73F241000-memory.dmp

Filesize
3.3MB

Download
memory/4692-48-0x00007FF73FE30000-0x00007FF740181000-memory.dmp

Filesize
3.3MB

Download
memory/4692-238-0x00007FF73FE30000-0x00007FF740181000-memory.dmp

Filesize
3.3MB

Download
memory/4692-127-0x00007FF73FE30000-0x00007FF740181000-memory.dmp

Filesize
3.3MB

Download
memory/4936-227-0x00007FF70B140000-0x00007FF70B491000-memory.dmp

Filesize
3.3MB

Download
memory/4936-30-0x00007FF70B140000-0x00007FF70B491000-memory.dmp

Filesize
3.3MB

Download
memory/4936-107-0x00007FF70B140000-0x00007FF70B491000-memory.dmp

Filesize
3.3MB

Download