cobaltstrike | e62c25526e88b79ef4786f1e67e5d94b1b5bb649200af8f8988aa5f51aec6d57

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

10e5054ad25f73f984b83d70247c3437
SHA1

2a0652dd3aa84ade7a57c410654ec156c924bece
SHA256

e62c25526e88b79ef4786f1e67e5d94b1b5bb649200af8f8988aa5f51aec6d57
SHA512

a3bd988d812e6788729abc7c11dc4cf3bbfad4b8de41190d3e1bc36bc121a7cfcf2344259e029166db000bb8a598ff30c245582db81628c889510110df0f649c
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l2:RWWBibd56utgpPFotBER/mQ32lU6

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023616-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361a-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361b-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361c-23.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023617-30.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361e-44.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361f-46.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361d-38.dat	cobalt_reflective_dll
behavioral2/files/0x000a0000000233bb-86.dat	cobalt_reflective_dll
behavioral2/files/0x00090000000233b8-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023622-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023623-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023627-138.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023626-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023625-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023624-122.dat	cobalt_reflective_dll
behavioral2/files/0x000a0000000233b9-92.dat	cobalt_reflective_dll
behavioral2/files/0x000b0000000233b3-82.dat	cobalt_reflective_dll
behavioral2/files/0x00060000000226c6-75.dat	cobalt_reflective_dll
behavioral2/files/0x00030000000226ca-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023620-61.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4616-20-0x00007FF6FF130000-0x00007FF6FF481000-memory.dmp	xmrig
behavioral2/memory/3992-33-0x00007FF7B55F0000-0x00007FF7B5941000-memory.dmp	xmrig
behavioral2/memory/2440-51-0x00007FF72B0E0000-0x00007FF72B431000-memory.dmp	xmrig
behavioral2/memory/2320-57-0x00007FF7A09B0000-0x00007FF7A0D01000-memory.dmp	xmrig
behavioral2/memory/4700-113-0x00007FF75A990000-0x00007FF75ACE1000-memory.dmp	xmrig
behavioral2/memory/3780-136-0x00007FF6AF840000-0x00007FF6AFB91000-memory.dmp	xmrig
behavioral2/memory/3180-135-0x00007FF76BDE0000-0x00007FF76C131000-memory.dmp	xmrig
behavioral2/memory/224-131-0x00007FF6C2020000-0x00007FF6C2371000-memory.dmp	xmrig
behavioral2/memory/1776-130-0x00007FF71DAE0000-0x00007FF71DE31000-memory.dmp	xmrig
behavioral2/memory/1848-120-0x00007FF66E7B0000-0x00007FF66EB01000-memory.dmp	xmrig
behavioral2/memory/2244-103-0x00007FF7914B0000-0x00007FF791801000-memory.dmp	xmrig
behavioral2/memory/3992-91-0x00007FF7B55F0000-0x00007FF7B5941000-memory.dmp	xmrig
behavioral2/memory/3588-88-0x00007FF745230000-0x00007FF745581000-memory.dmp	xmrig
behavioral2/memory/2156-67-0x00007FF7A0CA0000-0x00007FF7A0FF1000-memory.dmp	xmrig
behavioral2/memory/1220-153-0x00007FF722D10000-0x00007FF723061000-memory.dmp	xmrig
behavioral2/memory/4304-156-0x00007FF781230000-0x00007FF781581000-memory.dmp	xmrig
behavioral2/memory/4936-155-0x00007FF651840000-0x00007FF651B91000-memory.dmp	xmrig
behavioral2/memory/868-154-0x00007FF7410A0000-0x00007FF7413F1000-memory.dmp	xmrig
behavioral2/memory/2440-140-0x00007FF72B0E0000-0x00007FF72B431000-memory.dmp	xmrig
behavioral2/memory/2888-158-0x00007FF66AA40000-0x00007FF66AD91000-memory.dmp	xmrig
behavioral2/memory/3100-161-0x00007FF6A6040000-0x00007FF6A6391000-memory.dmp	xmrig
behavioral2/memory/4264-160-0x00007FF77E5F0000-0x00007FF77E941000-memory.dmp	xmrig
behavioral2/memory/4556-159-0x00007FF7A5BC0000-0x00007FF7A5F11000-memory.dmp	xmrig
behavioral2/memory/3916-157-0x00007FF7D0D40000-0x00007FF7D1091000-memory.dmp	xmrig
behavioral2/memory/2440-162-0x00007FF72B0E0000-0x00007FF72B431000-memory.dmp	xmrig
behavioral2/memory/2320-211-0x00007FF7A09B0000-0x00007FF7A0D01000-memory.dmp	xmrig
behavioral2/memory/2156-213-0x00007FF7A0CA0000-0x00007FF7A0FF1000-memory.dmp	xmrig
behavioral2/memory/4616-219-0x00007FF6FF130000-0x00007FF6FF481000-memory.dmp	xmrig
behavioral2/memory/3588-221-0x00007FF745230000-0x00007FF745581000-memory.dmp	xmrig
behavioral2/memory/3992-223-0x00007FF7B55F0000-0x00007FF7B5941000-memory.dmp	xmrig
behavioral2/memory/2244-227-0x00007FF7914B0000-0x00007FF791801000-memory.dmp	xmrig
behavioral2/memory/4700-229-0x00007FF75A990000-0x00007FF75ACE1000-memory.dmp	xmrig
behavioral2/memory/1848-231-0x00007FF66E7B0000-0x00007FF66EB01000-memory.dmp	xmrig
behavioral2/memory/1776-245-0x00007FF71DAE0000-0x00007FF71DE31000-memory.dmp	xmrig
behavioral2/memory/224-247-0x00007FF6C2020000-0x00007FF6C2371000-memory.dmp	xmrig
behavioral2/memory/3180-249-0x00007FF76BDE0000-0x00007FF76C131000-memory.dmp	xmrig
behavioral2/memory/4936-252-0x00007FF651840000-0x00007FF651B91000-memory.dmp	xmrig
behavioral2/memory/3780-253-0x00007FF6AF840000-0x00007FF6AFB91000-memory.dmp	xmrig
behavioral2/memory/1220-255-0x00007FF722D10000-0x00007FF723061000-memory.dmp	xmrig
behavioral2/memory/868-257-0x00007FF7410A0000-0x00007FF7413F1000-memory.dmp	xmrig
behavioral2/memory/4304-259-0x00007FF781230000-0x00007FF781581000-memory.dmp	xmrig
behavioral2/memory/2888-261-0x00007FF66AA40000-0x00007FF66AD91000-memory.dmp	xmrig
behavioral2/memory/3100-264-0x00007FF6A6040000-0x00007FF6A6391000-memory.dmp	xmrig
behavioral2/memory/4556-269-0x00007FF7A5BC0000-0x00007FF7A5F11000-memory.dmp	xmrig
behavioral2/memory/3916-266-0x00007FF7D0D40000-0x00007FF7D1091000-memory.dmp	xmrig
behavioral2/memory/4264-268-0x00007FF77E5F0000-0x00007FF77E941000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2320	BLWugSf.exe
2156	grBGNZv.exe
4616	LpgXsuf.exe
3588	ihGIKtf.exe
3992	cCeOGAX.exe
2244	dlseXMe.exe
4700	AUqFbCb.exe
1848	nLpAOrG.exe
1776	IoRrggU.exe
3180	cBOEPpw.exe
224	azNkfNC.exe
3780	hMwzKej.exe
1220	edGYjaq.exe
868	AkAVDXa.exe
4936	XXTmHWh.exe
4304	tZpdExc.exe
3916	LMsAcNp.exe
2888	qBBYFUm.exe
4556	wMbDZqS.exe
4264	MquUtQg.exe
3100	mnufASL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2440-0-0x00007FF72B0E0000-0x00007FF72B431000-memory.dmp	upx
behavioral2/files/0x0008000000023616-5.dat	upx
behavioral2/memory/2320-7-0x00007FF7A09B0000-0x00007FF7A0D01000-memory.dmp	upx
behavioral2/files/0x000700000002361a-10.dat	upx
behavioral2/files/0x000700000002361b-11.dat	upx
behavioral2/memory/2156-12-0x00007FF7A0CA0000-0x00007FF7A0FF1000-memory.dmp	upx
behavioral2/memory/4616-20-0x00007FF6FF130000-0x00007FF6FF481000-memory.dmp	upx
behavioral2/files/0x000700000002361c-23.dat	upx
behavioral2/files/0x0008000000023617-30.dat	upx
behavioral2/memory/3992-33-0x00007FF7B55F0000-0x00007FF7B5941000-memory.dmp	upx
behavioral2/memory/2244-36-0x00007FF7914B0000-0x00007FF791801000-memory.dmp	upx
behavioral2/files/0x000700000002361e-44.dat	upx
behavioral2/files/0x000700000002361f-46.dat	upx
behavioral2/memory/1848-48-0x00007FF66E7B0000-0x00007FF66EB01000-memory.dmp	upx
behavioral2/memory/4700-41-0x00007FF75A990000-0x00007FF75ACE1000-memory.dmp	upx
behavioral2/files/0x000700000002361d-38.dat	upx
behavioral2/memory/3588-25-0x00007FF745230000-0x00007FF745581000-memory.dmp	upx
behavioral2/memory/2440-51-0x00007FF72B0E0000-0x00007FF72B431000-memory.dmp	upx
behavioral2/memory/2320-57-0x00007FF7A09B0000-0x00007FF7A0D01000-memory.dmp	upx
behavioral2/memory/1776-58-0x00007FF71DAE0000-0x00007FF71DE31000-memory.dmp	upx
behavioral2/memory/3180-68-0x00007FF76BDE0000-0x00007FF76C131000-memory.dmp	upx
behavioral2/memory/224-73-0x00007FF6C2020000-0x00007FF6C2371000-memory.dmp	upx
behavioral2/memory/1220-81-0x00007FF722D10000-0x00007FF723061000-memory.dmp	upx
behavioral2/files/0x000a0000000233bb-86.dat	upx
behavioral2/files/0x00090000000233b8-97.dat	upx
behavioral2/files/0x0007000000023622-100.dat	upx
behavioral2/files/0x0007000000023623-105.dat	upx
behavioral2/memory/4700-113-0x00007FF75A990000-0x00007FF75ACE1000-memory.dmp	upx
behavioral2/memory/2888-119-0x00007FF66AA40000-0x00007FF66AD91000-memory.dmp	upx
behavioral2/memory/4264-125-0x00007FF77E5F0000-0x00007FF77E941000-memory.dmp	upx
behavioral2/memory/3780-136-0x00007FF6AF840000-0x00007FF6AFB91000-memory.dmp	upx
behavioral2/files/0x0007000000023627-138.dat	upx
behavioral2/memory/3100-137-0x00007FF6A6040000-0x00007FF6A6391000-memory.dmp	upx
behavioral2/memory/3180-135-0x00007FF76BDE0000-0x00007FF76C131000-memory.dmp	upx
behavioral2/files/0x0007000000023626-133.dat	upx
behavioral2/memory/224-131-0x00007FF6C2020000-0x00007FF6C2371000-memory.dmp	upx
behavioral2/memory/1776-130-0x00007FF71DAE0000-0x00007FF71DE31000-memory.dmp	upx
behavioral2/files/0x0007000000023625-127.dat	upx
behavioral2/memory/4556-124-0x00007FF7A5BC0000-0x00007FF7A5F11000-memory.dmp	upx
behavioral2/files/0x0007000000023624-122.dat	upx
behavioral2/memory/1848-120-0x00007FF66E7B0000-0x00007FF66EB01000-memory.dmp	upx
behavioral2/memory/3916-114-0x00007FF7D0D40000-0x00007FF7D1091000-memory.dmp	upx
behavioral2/memory/4304-104-0x00007FF781230000-0x00007FF781581000-memory.dmp	upx
behavioral2/memory/2244-103-0x00007FF7914B0000-0x00007FF791801000-memory.dmp	upx
behavioral2/files/0x000a0000000233b9-92.dat	upx
behavioral2/memory/3992-91-0x00007FF7B55F0000-0x00007FF7B5941000-memory.dmp	upx
behavioral2/memory/4936-90-0x00007FF651840000-0x00007FF651B91000-memory.dmp	upx
behavioral2/memory/868-89-0x00007FF7410A0000-0x00007FF7413F1000-memory.dmp	upx
behavioral2/memory/3588-88-0x00007FF745230000-0x00007FF745581000-memory.dmp	upx
behavioral2/files/0x000b0000000233b3-82.dat	upx
behavioral2/memory/3780-78-0x00007FF6AF840000-0x00007FF6AFB91000-memory.dmp	upx
behavioral2/files/0x00060000000226c6-75.dat	upx
behavioral2/files/0x00030000000226ca-72.dat	upx
behavioral2/memory/2156-67-0x00007FF7A0CA0000-0x00007FF7A0FF1000-memory.dmp	upx
behavioral2/files/0x0007000000023620-61.dat	upx
behavioral2/memory/1220-153-0x00007FF722D10000-0x00007FF723061000-memory.dmp	upx
behavioral2/memory/4304-156-0x00007FF781230000-0x00007FF781581000-memory.dmp	upx
behavioral2/memory/4936-155-0x00007FF651840000-0x00007FF651B91000-memory.dmp	upx
behavioral2/memory/868-154-0x00007FF7410A0000-0x00007FF7413F1000-memory.dmp	upx
behavioral2/memory/2440-140-0x00007FF72B0E0000-0x00007FF72B431000-memory.dmp	upx
behavioral2/memory/2888-158-0x00007FF66AA40000-0x00007FF66AD91000-memory.dmp	upx
behavioral2/memory/3100-161-0x00007FF6A6040000-0x00007FF6A6391000-memory.dmp	upx
behavioral2/memory/4264-160-0x00007FF77E5F0000-0x00007FF77E941000-memory.dmp	upx
behavioral2/memory/4556-159-0x00007FF7A5BC0000-0x00007FF7A5F11000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\LMsAcNp.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MquUtQg.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ihGIKtf.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hMwzKej.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AkAVDXa.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XXTmHWh.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\edGYjaq.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tZpdExc.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BLWugSf.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LpgXsuf.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dlseXMe.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IoRrggU.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\azNkfNC.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\grBGNZv.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cCeOGAX.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nLpAOrG.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cBOEPpw.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AUqFbCb.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qBBYFUm.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wMbDZqS.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mnufASL.exe	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2320	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2440 wrote to memory of 2320	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2440 wrote to memory of 2156	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2440 wrote to memory of 2156	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2440 wrote to memory of 4616	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2440 wrote to memory of 4616	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2440 wrote to memory of 3588	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2440 wrote to memory of 3588	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2440 wrote to memory of 3992	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2440 wrote to memory of 3992	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2440 wrote to memory of 2244	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2440 wrote to memory of 2244	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2440 wrote to memory of 4700	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2440 wrote to memory of 4700	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2440 wrote to memory of 1848	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2440 wrote to memory of 1848	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2440 wrote to memory of 1776	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2440 wrote to memory of 1776	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2440 wrote to memory of 3180	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2440 wrote to memory of 3180	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2440 wrote to memory of 224	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2440 wrote to memory of 224	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2440 wrote to memory of 3780	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2440 wrote to memory of 3780	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2440 wrote to memory of 1220	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2440 wrote to memory of 1220	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2440 wrote to memory of 868	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2440 wrote to memory of 868	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2440 wrote to memory of 4936	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2440 wrote to memory of 4936	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2440 wrote to memory of 4304	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 2440 wrote to memory of 4304	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 2440 wrote to memory of 3916	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 2440 wrote to memory of 3916	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 2440 wrote to memory of 2888	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 2440 wrote to memory of 2888	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 2440 wrote to memory of 4556	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 2440 wrote to memory of 4556	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 2440 wrote to memory of 4264	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 2440 wrote to memory of 4264	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 2440 wrote to memory of 3100	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	116
PID 2440 wrote to memory of 3100	2440	2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_10e5054ad25f73f984b83d70247c3437_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\System\BLWugSf.exe
  C:\Windows\System\BLWugSf.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\grBGNZv.exe
  C:\Windows\System\grBGNZv.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\LpgXsuf.exe
  C:\Windows\System\LpgXsuf.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\ihGIKtf.exe
  C:\Windows\System\ihGIKtf.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System\cCeOGAX.exe
  C:\Windows\System\cCeOGAX.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\dlseXMe.exe
  C:\Windows\System\dlseXMe.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\AUqFbCb.exe
  C:\Windows\System\AUqFbCb.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System\nLpAOrG.exe
  C:\Windows\System\nLpAOrG.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\IoRrggU.exe
  C:\Windows\System\IoRrggU.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System\cBOEPpw.exe
  C:\Windows\System\cBOEPpw.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\azNkfNC.exe
  C:\Windows\System\azNkfNC.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\hMwzKej.exe
  C:\Windows\System\hMwzKej.exe
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\System\edGYjaq.exe
  C:\Windows\System\edGYjaq.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\AkAVDXa.exe
  C:\Windows\System\AkAVDXa.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System\XXTmHWh.exe
  C:\Windows\System\XXTmHWh.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\tZpdExc.exe
  C:\Windows\System\tZpdExc.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\LMsAcNp.exe
  C:\Windows\System\LMsAcNp.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System\qBBYFUm.exe
  C:\Windows\System\qBBYFUm.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\wMbDZqS.exe
  C:\Windows\System\wMbDZqS.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\MquUtQg.exe
  C:\Windows\System\MquUtQg.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System\mnufASL.exe
  C:\Windows\System\mnufASL.exe
  2⤵
  - Executes dropped EXE
  PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4236,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
1⤵
PID:4828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AUqFbCb.exe

Filesize
5.2MB

MD5
f4c0650d6f8eb0a9628e613441ada388

SHA1
8034114aed29cfd2820f1107c85ef146ff159ca0

SHA256
d29a92abdafa62cc95e6bf90357024da992f396f3e90ff615ed7dc34075453a6

SHA512
3b3ef2f4c8d04560b4f0f190d8370b9e757d3950e0fb012b3b04bfac1b02fe39a2c3c95a0b78f14ac0360db676c9429756c954cbc5082f2072a303c38289b3fd

Download Submit
C:\Windows\System\AkAVDXa.exe

Filesize
5.2MB

MD5
e95d438ca422adb2a5e67e1fbc9c39c0

SHA1
8227a306a3810dfd7805242a554f8c37fa98d75d

SHA256
70f0aa310dc59dd476df1106c5cf44aaff59106991e69650e8ac58abd48f9833

SHA512
717e5ab697a10b1318b0e4b1216e36cb1823d1fc93e72dc0aba22e0261c947611f32d968dedb2b00dbb7d2afdf8172344bbafbe88ddaa9e063930b84a6a5f76a

Download Submit
C:\Windows\System\BLWugSf.exe

Filesize
5.2MB

MD5
d5156678e4789eb3e9ffbacc92b76bbc

SHA1
0c342638b7bce4d03b97986929be775afec44498

SHA256
3915d01142e9084fd6b1bb3173816070ea06452663eebce6d4342baab249a7ca

SHA512
d8a7def194e4a71e3b139d6ced133f80b20f5db0622aa54336b6b6941170515d03d1d99be242f4e1f6031ceabc1567d2d586093c08951621aeb91e5b889df4c9

Download Submit
C:\Windows\System\IoRrggU.exe

Filesize
5.2MB

MD5
49ab5b1804d75ee08346e61191a4a36c

SHA1
5f15a9dfd8e88002dae161b437340a35cacdf512

SHA256
c0988270216d8c9a91ffbf973022c5ec5ae0d4ee3ce185b20633734a433f72e2

SHA512
d92d23fee7074628d244206ebd226a8d5843085026ea637b1079b29eedf2eff0f35fa13742686ebfe44c5c734d9e787f264bb093f124dde811809909684e133d

Download Submit
C:\Windows\System\LMsAcNp.exe

Filesize
5.2MB

MD5
0e38ed5e45dc0bca70cd2fb9f871a729

SHA1
b3149b703fc86cc6c82e740cd1e6b742c9a187d0

SHA256
e7a3c349554653808b5af1ca7384e75561240401147123cb79eaaea8867da68e

SHA512
f6a8ef8a52f17cefd9317a35c8ea791a9951e816f6df1fe3a433411580a5e531776fb59677376bf35b14c72fb2e8e27119e5d2272051ddb76b981c1d9dc832bf

Download Submit
C:\Windows\System\LpgXsuf.exe

Filesize
5.2MB

MD5
470cb34e8e34cf638bc67d5c3afb5b9d

SHA1
3b4cef3705bd109539e7f8dfb11f959ede8c7ef2

SHA256
11c2816845134ea81d68313904c66d5a5d5f4a2fc1f049aad9e0957b1e240c26

SHA512
f7a9fc28e736e3894e44a1f607f3d74711e122c78f68e5e91a67511bf0ebd71287e2f82ecaa78bba9fb069583d09cb6b2657e6f29f4f709f9d2743e87a804d65

Download Submit
C:\Windows\System\MquUtQg.exe

Filesize
5.2MB

MD5
b1811b802540e293662b194c4bf4a145

SHA1
456761b57cef90f6b50f20d968c27f0b480ce097

SHA256
a266a8c8beb4ef2c2a11a5600f69c253a1044ab0fdaa017e6be283f9ca02a66d

SHA512
12aa9d5bbb2a9028414ca210d70994cf5e23d8a2e62a039c9a25601adfce8a514fc1b61edc839c77f79e04f866d3ea1a766e11235b948ec57f8fcbe2db046100

Download Submit
C:\Windows\System\XXTmHWh.exe

Filesize
5.2MB

MD5
e0e0597b8e01192a61e28d65654b5812

SHA1
4e95ccc4d598260a9c94237a34c6cf21ab779394

SHA256
1d672d49a4cfa137df53f795d9beff22c10ba28617de940015059cbaad9fa8f9

SHA512
e9d98e151a0000296ea0d51b65078aca77e6d4902317391361677bb61cd4d0f0f7dbe492e580856ff53ca82900b0d914c6497aa623f3f0c0ec9f4593e4983809

Download Submit
C:\Windows\System\azNkfNC.exe

Filesize
5.2MB

MD5
e7af8fe36b4abafa9d426655eaebe270

SHA1
70ad19587308ff4bb5a9fef60052aab5ef601c5f

SHA256
8a72df08c083bacc1ed1ba70bd566a61bc8ca30dc184a784576352265b49e0ab

SHA512
2acbdf7e84f573d2d8073fdfe6695c9e6459d58aa9d3fe00189e8731e0e7327e86faf495f2f90a864b2999a550ffa6e1de672ea192a9d2ca2d3b356a97515a60

Download Submit
C:\Windows\System\cBOEPpw.exe

Filesize
5.2MB

MD5
384db16f250427a5c22dc32116615aba

SHA1
67d185880f252c6c10aa69eb3e95a2928817c176

SHA256
c90fb28c9baa5c54f7df4fa4cc1a5ea2b4fbfaf2e07e9bfdde9887d2500f5c00

SHA512
e2b9f072b36834e163bb118558115780ffdbe9d09cf9ea13a4d59cebd26571e392335d781bc38cfd3e3b45d47671ee6dfca3a1148ca2613e6318464004a11c43

Download Submit
C:\Windows\System\cCeOGAX.exe

Filesize
5.2MB

MD5
d72947f87cf7971d55e063d466b8cb4e

SHA1
63fcfae9a65f9b6e68ace412a0f9d3ce15aec173

SHA256
68a69907ae3d0cc8d3233582a6663bb24bbce3facab98028deda1498980f6ee1

SHA512
abc4536a9962ca8ece94c143124ba5632095ccc9a8dcd6f665a6a27230f17f33d5ed18d65957bc0b461e6ecde5b54966bdadfb98074045b12711ac631a71a942

Download Submit
C:\Windows\System\dlseXMe.exe

Filesize
5.2MB

MD5
4b6ebfbea80900103cf32e32ca3a733e

SHA1
2c6754aafc8289d4cc6b88c55201b7c2f41e7571

SHA256
9ee2e18a6e251b98379f1eeeb93f044072749dc224d8dac91063031e0d9872c5

SHA512
2afd3f497ac74247a9ca50d8ee2b23b0a65d60c72e83c62b7aaa89b6dcb55a86a815d726a61479d65edba1fb9c6f55d627519b808001cf0c44ea57ec5fa87e72

Download Submit
C:\Windows\System\edGYjaq.exe

Filesize
5.2MB

MD5
d735b4072bb6508f07bd5097bef0dd2e

SHA1
7bbb3ce1df0576940b6808febdddbce2e11e8915

SHA256
8c9e37d5fd3401846c422f70d58fe542aefb2304aa52f6f68e350472fb91cb70

SHA512
376cfbfdfb1dda4b60231fd009175c7d4ad35bbdb6dd1e8c6a8ac8965e3dd5a0e695b56d037b799a83accd00256e625a21cb4c3b522182a12b5b0f77a9ec189b

Download Submit
C:\Windows\System\grBGNZv.exe

Filesize
5.2MB

MD5
511d21094124d87c98ce7072bafd2944

SHA1
91d88a9fcd58320bc9e6e659e8707a70c098ff38

SHA256
aa62849e738dde7773f8cbb0c850212b69eae9107b452ffe08ef09f6dc811205

SHA512
8d780af9cbb82bcfb6d6efa5e18633ff7587b8bd47071b09a8a0e93ff09503b866e754ea74d1211f3068d78b5fa6b4051b954d70b9eaa431c1fa4d5a11cdbee2

Download Submit
C:\Windows\System\hMwzKej.exe

Filesize
5.2MB

MD5
6be490592cca91e54c8e1ee28b1a88b8

SHA1
3b55e49f90d50f1b607280af90eec18ff444ab7d

SHA256
cf1d530388ce0271fa5a2d182cb88b92aa55f45b75351ddcf5da62955cad5976

SHA512
d7f564f888c5809dff026cc2ed116c1210ab6a9fc265806ff2598aca56935d85395b5c4d6532d86011c6ec760c884c5acde51c2a64444cf375edab31b704723b

Download Submit
C:\Windows\System\ihGIKtf.exe

Filesize
5.2MB

MD5
90432a0277b544b2df81591889aa271c

SHA1
e609e5c2175dc2321a3645bec772365593103556

SHA256
8a897026e2547336bd9a009a3234edbfd89b4319df41dbb702a0d9048444a8c4

SHA512
d4019ac5f871dee0f652f78dbde8be4ed02e9f1276aebaf02da6409d7859ebb65396e3a6937434b9123d5e5f317357125f843b97525688f59432f6c3a12a7eda

Download Submit
C:\Windows\System\mnufASL.exe

Filesize
5.2MB

MD5
1833fd57ebb91b145bcdeaef11a28d64

SHA1
c8af1bc8f9fee0ed82683a40026ba0ea07a1b76a

SHA256
7a79e407864a4f15e11f55246d3640c39a2e93a48078e7d824108cac9aa5d380

SHA512
e1da52443447805e97dd594cb287e1baec77f11420fe039167f867c6f1aa28ec14464561187fe5e3dd058c5506cb3bd5ce477abece9a7725d43570f37d3d587a

Download Submit
C:\Windows\System\nLpAOrG.exe

Filesize
5.2MB

MD5
71131e430eece468609f980c1a9cda48

SHA1
a7258df9a00a7ce5592206b745aacd2387ada794

SHA256
0cf0087d875e6eee01eb97bb734f007cf665fea46ca51960db6679845f622f1d

SHA512
69e7903653777abe5f3b854a7ee2858de6960f09b03a7cdad26d465c0f41da1b900b1ecf41a313b89e95663267861b40e6b5af951e96bad68052908f2f5d0d00

Download Submit
C:\Windows\System\qBBYFUm.exe

Filesize
5.2MB

MD5
dc665108e957406bc56f6e7376338ea7

SHA1
0635f42200492e79c83ed08845b790a7a427c555

SHA256
6dbf1cd41f01bbfc209893222c656d3e25cd7486fc51e2859dad135d74d00f87

SHA512
27d4540b7b1ae9b2c43c67ac918cac45402956ec2c4a11296e42e7a7c631242833c625ae4c89b6d032a1ba6860a4660a366be9270c9c79f7042fd76651f44a9d

Download Submit
C:\Windows\System\tZpdExc.exe

Filesize
5.2MB

MD5
f1f366abea1382d0d5c01f45b2c93e5c

SHA1
d4c9604dbf8cc2ead0a80aa54c634146ea2067bc

SHA256
dd1221723b5ea818932d4d9879a1e47d4a4dae2d871570800ea0cb8d120d670f

SHA512
19e2b7d3e157164a11985eb24c083bafcfc07480c35d5ad2004ac0a984aac5d4b7c1d4a45ba157916f29cb0952a24102c735e89a57f4c88efda521a575069541

Download Submit
C:\Windows\System\wMbDZqS.exe

Filesize
5.2MB

MD5
0dadf567b6a3bcad99466235c9080b68

SHA1
8a089832aa2cc5fa6eda9f959be76a8e226b75e1

SHA256
b3957b1c7f3e1e251e384298849249b49ae2f8e64ce8c88e4572df07aa26b92a

SHA512
e2ad15e162838b811682a3696a5788b9ca874aed09ce6148bd0dacf76cc4ee50c23c960fc770419a5c87d8944b7f6ad7db0ada7642727f26df7116ac71af6fdf

Download Submit
memory/224-247-0x00007FF6C2020000-0x00007FF6C2371000-memory.dmp

Filesize
3.3MB

Download
memory/224-131-0x00007FF6C2020000-0x00007FF6C2371000-memory.dmp

Filesize
3.3MB

Download
memory/224-73-0x00007FF6C2020000-0x00007FF6C2371000-memory.dmp

Filesize
3.3MB

Download
memory/868-154-0x00007FF7410A0000-0x00007FF7413F1000-memory.dmp

Filesize
3.3MB

Download
memory/868-257-0x00007FF7410A0000-0x00007FF7413F1000-memory.dmp

Filesize
3.3MB

Download
memory/868-89-0x00007FF7410A0000-0x00007FF7413F1000-memory.dmp

Filesize
3.3MB

Download
memory/1220-255-0x00007FF722D10000-0x00007FF723061000-memory.dmp

Filesize
3.3MB

Download
memory/1220-81-0x00007FF722D10000-0x00007FF723061000-memory.dmp

Filesize
3.3MB

Download
memory/1220-153-0x00007FF722D10000-0x00007FF723061000-memory.dmp

Filesize
3.3MB

Download
memory/1776-130-0x00007FF71DAE0000-0x00007FF71DE31000-memory.dmp

Filesize
3.3MB

Download
memory/1776-58-0x00007FF71DAE0000-0x00007FF71DE31000-memory.dmp

Filesize
3.3MB

Download
memory/1776-245-0x00007FF71DAE0000-0x00007FF71DE31000-memory.dmp

Filesize
3.3MB

Download
memory/1848-120-0x00007FF66E7B0000-0x00007FF66EB01000-memory.dmp

Filesize
3.3MB

Download
memory/1848-231-0x00007FF66E7B0000-0x00007FF66EB01000-memory.dmp

Filesize
3.3MB

Download
memory/1848-48-0x00007FF66E7B0000-0x00007FF66EB01000-memory.dmp

Filesize
3.3MB

Download
memory/2156-12-0x00007FF7A0CA0000-0x00007FF7A0FF1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-67-0x00007FF7A0CA0000-0x00007FF7A0FF1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-213-0x00007FF7A0CA0000-0x00007FF7A0FF1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-103-0x00007FF7914B0000-0x00007FF791801000-memory.dmp

Filesize
3.3MB

Download
memory/2244-227-0x00007FF7914B0000-0x00007FF791801000-memory.dmp

Filesize
3.3MB

Download
memory/2244-36-0x00007FF7914B0000-0x00007FF791801000-memory.dmp

Filesize
3.3MB

Download
memory/2320-211-0x00007FF7A09B0000-0x00007FF7A0D01000-memory.dmp

Filesize
3.3MB

Download
memory/2320-7-0x00007FF7A09B0000-0x00007FF7A0D01000-memory.dmp

Filesize
3.3MB

Download
memory/2320-57-0x00007FF7A09B0000-0x00007FF7A0D01000-memory.dmp

Filesize
3.3MB

Download
memory/2440-0-0x00007FF72B0E0000-0x00007FF72B431000-memory.dmp

Filesize
3.3MB

Download
memory/2440-1-0x000001F500330000-0x000001F500340000-memory.dmp

Filesize
64KB

Download
memory/2440-162-0x00007FF72B0E0000-0x00007FF72B431000-memory.dmp

Filesize
3.3MB

Download
memory/2440-140-0x00007FF72B0E0000-0x00007FF72B431000-memory.dmp

Filesize
3.3MB

Download
memory/2440-51-0x00007FF72B0E0000-0x00007FF72B431000-memory.dmp

Filesize
3.3MB

Download
memory/2888-261-0x00007FF66AA40000-0x00007FF66AD91000-memory.dmp

Filesize
3.3MB

Download
memory/2888-158-0x00007FF66AA40000-0x00007FF66AD91000-memory.dmp

Filesize
3.3MB

Download
memory/2888-119-0x00007FF66AA40000-0x00007FF66AD91000-memory.dmp

Filesize
3.3MB

Download
memory/3100-264-0x00007FF6A6040000-0x00007FF6A6391000-memory.dmp

Filesize
3.3MB

Download
memory/3100-137-0x00007FF6A6040000-0x00007FF6A6391000-memory.dmp

Filesize
3.3MB

Download
memory/3100-161-0x00007FF6A6040000-0x00007FF6A6391000-memory.dmp

Filesize
3.3MB

Download
memory/3180-68-0x00007FF76BDE0000-0x00007FF76C131000-memory.dmp

Filesize
3.3MB

Download
memory/3180-135-0x00007FF76BDE0000-0x00007FF76C131000-memory.dmp

Filesize
3.3MB

Download
memory/3180-249-0x00007FF76BDE0000-0x00007FF76C131000-memory.dmp

Filesize
3.3MB

Download
memory/3588-25-0x00007FF745230000-0x00007FF745581000-memory.dmp

Filesize
3.3MB

Download
memory/3588-88-0x00007FF745230000-0x00007FF745581000-memory.dmp

Filesize
3.3MB

Download
memory/3588-221-0x00007FF745230000-0x00007FF745581000-memory.dmp

Filesize
3.3MB

Download
memory/3780-253-0x00007FF6AF840000-0x00007FF6AFB91000-memory.dmp

Filesize
3.3MB

Download
memory/3780-136-0x00007FF6AF840000-0x00007FF6AFB91000-memory.dmp

Filesize
3.3MB

Download
memory/3780-78-0x00007FF6AF840000-0x00007FF6AFB91000-memory.dmp

Filesize
3.3MB

Download
memory/3916-266-0x00007FF7D0D40000-0x00007FF7D1091000-memory.dmp

Filesize
3.3MB

Download
memory/3916-157-0x00007FF7D0D40000-0x00007FF7D1091000-memory.dmp

Filesize
3.3MB

Download
memory/3916-114-0x00007FF7D0D40000-0x00007FF7D1091000-memory.dmp

Filesize
3.3MB

Download
memory/3992-223-0x00007FF7B55F0000-0x00007FF7B5941000-memory.dmp

Filesize
3.3MB

Download
memory/3992-91-0x00007FF7B55F0000-0x00007FF7B5941000-memory.dmp

Filesize
3.3MB

Download
memory/3992-33-0x00007FF7B55F0000-0x00007FF7B5941000-memory.dmp

Filesize
3.3MB

Download
memory/4264-160-0x00007FF77E5F0000-0x00007FF77E941000-memory.dmp

Filesize
3.3MB

Download
memory/4264-125-0x00007FF77E5F0000-0x00007FF77E941000-memory.dmp

Filesize
3.3MB

Download
memory/4264-268-0x00007FF77E5F0000-0x00007FF77E941000-memory.dmp

Filesize
3.3MB

Download
memory/4304-259-0x00007FF781230000-0x00007FF781581000-memory.dmp

Filesize
3.3MB

Download
memory/4304-104-0x00007FF781230000-0x00007FF781581000-memory.dmp

Filesize
3.3MB

Download
memory/4304-156-0x00007FF781230000-0x00007FF781581000-memory.dmp

Filesize
3.3MB

Download
memory/4556-159-0x00007FF7A5BC0000-0x00007FF7A5F11000-memory.dmp

Filesize
3.3MB

Download
memory/4556-124-0x00007FF7A5BC0000-0x00007FF7A5F11000-memory.dmp

Filesize
3.3MB

Download
memory/4556-269-0x00007FF7A5BC0000-0x00007FF7A5F11000-memory.dmp

Filesize
3.3MB

Download
memory/4616-20-0x00007FF6FF130000-0x00007FF6FF481000-memory.dmp

Filesize
3.3MB

Download
memory/4616-219-0x00007FF6FF130000-0x00007FF6FF481000-memory.dmp

Filesize
3.3MB

Download
memory/4700-229-0x00007FF75A990000-0x00007FF75ACE1000-memory.dmp

Filesize
3.3MB

Download
memory/4700-41-0x00007FF75A990000-0x00007FF75ACE1000-memory.dmp

Filesize
3.3MB

Download
memory/4700-113-0x00007FF75A990000-0x00007FF75ACE1000-memory.dmp

Filesize
3.3MB

Download
memory/4936-252-0x00007FF651840000-0x00007FF651B91000-memory.dmp

Filesize
3.3MB

Download
memory/4936-155-0x00007FF651840000-0x00007FF651B91000-memory.dmp

Filesize
3.3MB

Download
memory/4936-90-0x00007FF651840000-0x00007FF651B91000-memory.dmp

Filesize
3.3MB

Download