cobaltstrike | 8b86a00b5fd464c8ef79f05dcccdd8a3de05549927747a5397cba47d67ae9544

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

fc4e21f663b53a2d779b53e53938f6ee
SHA1

45e7db19e4ab006f841edecf277bb0cc9ad4cb44
SHA256

8b86a00b5fd464c8ef79f05dcccdd8a3de05549927747a5397cba47d67ae9544
SHA512

197bcc791132af76a46d28f5b6a1c1d7a007da018a0ab7c39a795f92cd9a8443b30a40f4798c061fe3fb63952c6976ef1251be6503abf1fa3a5371b1a1cbe228
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lC:RWWBibd56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000235ec-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f1-9.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f0-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f2-22.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f3-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f4-33.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f6-48.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f7-58.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f8-60.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f5-46.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235fd-95.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235ff-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023600-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023601-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023603-137.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023602-133.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235fe-111.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235fc-87.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235fa-78.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235fb-79.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235f9-69.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2300-62-0x00007FF7DBE40000-0x00007FF7DC191000-memory.dmp	xmrig
behavioral2/memory/784-67-0x00007FF634000000-0x00007FF634351000-memory.dmp	xmrig
behavioral2/memory/3276-128-0x00007FF69E600000-0x00007FF69E951000-memory.dmp	xmrig
behavioral2/memory/4800-127-0x00007FF60CEB0000-0x00007FF60D201000-memory.dmp	xmrig
behavioral2/memory/3156-122-0x00007FF749910000-0x00007FF749C61000-memory.dmp	xmrig
behavioral2/memory/2580-113-0x00007FF630D80000-0x00007FF6310D1000-memory.dmp	xmrig
behavioral2/memory/4732-100-0x00007FF7EB190000-0x00007FF7EB4E1000-memory.dmp	xmrig
behavioral2/memory/2168-99-0x00007FF7CFFD0000-0x00007FF7D0321000-memory.dmp	xmrig
behavioral2/memory/4140-96-0x00007FF619A80000-0x00007FF619DD1000-memory.dmp	xmrig
behavioral2/memory/4032-92-0x00007FF66EDE0000-0x00007FF66F131000-memory.dmp	xmrig
behavioral2/memory/1204-91-0x00007FF6EA5B0000-0x00007FF6EA901000-memory.dmp	xmrig
behavioral2/memory/4548-86-0x00007FF76EDE0000-0x00007FF76F131000-memory.dmp	xmrig
behavioral2/memory/2520-83-0x00007FF689F20000-0x00007FF68A271000-memory.dmp	xmrig
behavioral2/memory/2092-68-0x00007FF7E21E0000-0x00007FF7E2531000-memory.dmp	xmrig
behavioral2/memory/2300-139-0x00007FF7DBE40000-0x00007FF7DC191000-memory.dmp	xmrig
behavioral2/memory/1600-150-0x00007FF698020000-0x00007FF698371000-memory.dmp	xmrig
behavioral2/memory/2520-151-0x00007FF689F20000-0x00007FF68A271000-memory.dmp	xmrig
behavioral2/memory/1860-159-0x00007FF798960000-0x00007FF798CB1000-memory.dmp	xmrig
behavioral2/memory/4872-157-0x00007FF7324D0000-0x00007FF732821000-memory.dmp	xmrig
behavioral2/memory/2096-158-0x00007FF652D90000-0x00007FF6530E1000-memory.dmp	xmrig
behavioral2/memory/1372-161-0x00007FF620B20000-0x00007FF620E71000-memory.dmp	xmrig
behavioral2/memory/512-163-0x00007FF657E40000-0x00007FF658191000-memory.dmp	xmrig
behavioral2/memory/2204-162-0x00007FF7D9900000-0x00007FF7D9C51000-memory.dmp	xmrig
behavioral2/memory/4160-160-0x00007FF7883A0000-0x00007FF7886F1000-memory.dmp	xmrig
behavioral2/memory/2300-164-0x00007FF7DBE40000-0x00007FF7DC191000-memory.dmp	xmrig
behavioral2/memory/784-215-0x00007FF634000000-0x00007FF634351000-memory.dmp	xmrig
behavioral2/memory/2092-217-0x00007FF7E21E0000-0x00007FF7E2531000-memory.dmp	xmrig
behavioral2/memory/1204-224-0x00007FF6EA5B0000-0x00007FF6EA901000-memory.dmp	xmrig
behavioral2/memory/4732-228-0x00007FF7EB190000-0x00007FF7EB4E1000-memory.dmp	xmrig
behavioral2/memory/4032-227-0x00007FF66EDE0000-0x00007FF66F131000-memory.dmp	xmrig
behavioral2/memory/3276-231-0x00007FF69E600000-0x00007FF69E951000-memory.dmp	xmrig
behavioral2/memory/2580-236-0x00007FF630D80000-0x00007FF6310D1000-memory.dmp	xmrig
behavioral2/memory/4800-235-0x00007FF60CEB0000-0x00007FF60D201000-memory.dmp	xmrig
behavioral2/memory/2168-238-0x00007FF7CFFD0000-0x00007FF7D0321000-memory.dmp	xmrig
behavioral2/memory/3156-232-0x00007FF749910000-0x00007FF749C61000-memory.dmp	xmrig
behavioral2/memory/1600-251-0x00007FF698020000-0x00007FF698371000-memory.dmp	xmrig
behavioral2/memory/4548-253-0x00007FF76EDE0000-0x00007FF76F131000-memory.dmp	xmrig
behavioral2/memory/2520-255-0x00007FF689F20000-0x00007FF68A271000-memory.dmp	xmrig
behavioral2/memory/4140-257-0x00007FF619A80000-0x00007FF619DD1000-memory.dmp	xmrig
behavioral2/memory/4872-259-0x00007FF7324D0000-0x00007FF732821000-memory.dmp	xmrig
behavioral2/memory/1860-265-0x00007FF798960000-0x00007FF798CB1000-memory.dmp	xmrig
behavioral2/memory/1372-267-0x00007FF620B20000-0x00007FF620E71000-memory.dmp	xmrig
behavioral2/memory/2096-263-0x00007FF652D90000-0x00007FF6530E1000-memory.dmp	xmrig
behavioral2/memory/4160-262-0x00007FF7883A0000-0x00007FF7886F1000-memory.dmp	xmrig
behavioral2/memory/512-271-0x00007FF657E40000-0x00007FF658191000-memory.dmp	xmrig
behavioral2/memory/2204-272-0x00007FF7D9900000-0x00007FF7D9C51000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
784	iPYDNxo.exe
2092	ZLfWkQL.exe
1204	FvzilaI.exe
4032	mwQrhVb.exe
4732	VEtWIRx.exe
2168	omaTSek.exe
3156	ullpYvB.exe
2580	mYGDyng.exe
4800	eKQIspL.exe
3276	fYldKhZ.exe
1600	bfzDxXi.exe
2520	ODYsDXi.exe
4548	YhaSfIL.exe
4140	mipCEpI.exe
1860	fgkklQE.exe
4872	rBnYJyW.exe
2096	VuklTzg.exe
4160	aHxpKRI.exe
1372	NyHZLkt.exe
2204	jNApcep.exe
512	VgzUKUq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2300-0-0x00007FF7DBE40000-0x00007FF7DC191000-memory.dmp	upx
behavioral2/files/0x00080000000235ec-4.dat	upx
behavioral2/files/0x00070000000235f1-9.dat	upx
behavioral2/files/0x00070000000235f0-11.dat	upx
behavioral2/memory/784-7-0x00007FF634000000-0x00007FF634351000-memory.dmp	upx
behavioral2/memory/2092-12-0x00007FF7E21E0000-0x00007FF7E2531000-memory.dmp	upx
behavioral2/files/0x00070000000235f2-22.dat	upx
behavioral2/files/0x00070000000235f3-30.dat	upx
behavioral2/files/0x00070000000235f4-33.dat	upx
behavioral2/memory/2168-41-0x00007FF7CFFD0000-0x00007FF7D0321000-memory.dmp	upx
behavioral2/memory/3156-45-0x00007FF749910000-0x00007FF749C61000-memory.dmp	upx
behavioral2/files/0x00070000000235f6-48.dat	upx
behavioral2/files/0x00070000000235f7-58.dat	upx
behavioral2/files/0x00070000000235f8-60.dat	upx
behavioral2/memory/3276-57-0x00007FF69E600000-0x00007FF69E951000-memory.dmp	upx
behavioral2/memory/4800-56-0x00007FF60CEB0000-0x00007FF60D201000-memory.dmp	upx
behavioral2/files/0x00070000000235f5-46.dat	upx
behavioral2/memory/2580-42-0x00007FF630D80000-0x00007FF6310D1000-memory.dmp	upx
behavioral2/memory/4732-37-0x00007FF7EB190000-0x00007FF7EB4E1000-memory.dmp	upx
behavioral2/memory/4032-28-0x00007FF66EDE0000-0x00007FF66F131000-memory.dmp	upx
behavioral2/memory/1204-18-0x00007FF6EA5B0000-0x00007FF6EA901000-memory.dmp	upx
behavioral2/memory/2300-62-0x00007FF7DBE40000-0x00007FF7DC191000-memory.dmp	upx
behavioral2/memory/784-67-0x00007FF634000000-0x00007FF634351000-memory.dmp	upx
behavioral2/files/0x00070000000235fd-95.dat	upx
behavioral2/memory/4872-102-0x00007FF7324D0000-0x00007FF732821000-memory.dmp	upx
behavioral2/files/0x00070000000235ff-107.dat	upx
behavioral2/files/0x0007000000023600-124.dat	upx
behavioral2/files/0x0007000000023601-129.dat	upx
behavioral2/files/0x0007000000023603-137.dat	upx
behavioral2/memory/512-136-0x00007FF657E40000-0x00007FF658191000-memory.dmp	upx
behavioral2/files/0x0007000000023602-133.dat	upx
behavioral2/memory/2204-132-0x00007FF7D9900000-0x00007FF7D9C51000-memory.dmp	upx
behavioral2/memory/3276-128-0x00007FF69E600000-0x00007FF69E951000-memory.dmp	upx
behavioral2/memory/4800-127-0x00007FF60CEB0000-0x00007FF60D201000-memory.dmp	upx
behavioral2/memory/1372-126-0x00007FF620B20000-0x00007FF620E71000-memory.dmp	upx
behavioral2/memory/3156-122-0x00007FF749910000-0x00007FF749C61000-memory.dmp	upx
behavioral2/memory/4160-121-0x00007FF7883A0000-0x00007FF7886F1000-memory.dmp	upx
behavioral2/memory/2096-114-0x00007FF652D90000-0x00007FF6530E1000-memory.dmp	upx
behavioral2/memory/2580-113-0x00007FF630D80000-0x00007FF6310D1000-memory.dmp	upx
behavioral2/files/0x00070000000235fe-111.dat	upx
behavioral2/memory/4732-100-0x00007FF7EB190000-0x00007FF7EB4E1000-memory.dmp	upx
behavioral2/memory/2168-99-0x00007FF7CFFD0000-0x00007FF7D0321000-memory.dmp	upx
behavioral2/memory/1860-97-0x00007FF798960000-0x00007FF798CB1000-memory.dmp	upx
behavioral2/memory/4140-96-0x00007FF619A80000-0x00007FF619DD1000-memory.dmp	upx
behavioral2/memory/4032-92-0x00007FF66EDE0000-0x00007FF66F131000-memory.dmp	upx
behavioral2/memory/1204-91-0x00007FF6EA5B0000-0x00007FF6EA901000-memory.dmp	upx
behavioral2/files/0x00070000000235fc-87.dat	upx
behavioral2/memory/4548-86-0x00007FF76EDE0000-0x00007FF76F131000-memory.dmp	upx
behavioral2/memory/2520-83-0x00007FF689F20000-0x00007FF68A271000-memory.dmp	upx
behavioral2/files/0x00070000000235fa-78.dat	upx
behavioral2/files/0x00070000000235fb-79.dat	upx
behavioral2/memory/1600-73-0x00007FF698020000-0x00007FF698371000-memory.dmp	upx
behavioral2/files/0x00070000000235f9-69.dat	upx
behavioral2/memory/2092-68-0x00007FF7E21E0000-0x00007FF7E2531000-memory.dmp	upx
behavioral2/memory/2300-139-0x00007FF7DBE40000-0x00007FF7DC191000-memory.dmp	upx
behavioral2/memory/1600-150-0x00007FF698020000-0x00007FF698371000-memory.dmp	upx
behavioral2/memory/2520-151-0x00007FF689F20000-0x00007FF68A271000-memory.dmp	upx
behavioral2/memory/1860-159-0x00007FF798960000-0x00007FF798CB1000-memory.dmp	upx
behavioral2/memory/4872-157-0x00007FF7324D0000-0x00007FF732821000-memory.dmp	upx
behavioral2/memory/2096-158-0x00007FF652D90000-0x00007FF6530E1000-memory.dmp	upx
behavioral2/memory/1372-161-0x00007FF620B20000-0x00007FF620E71000-memory.dmp	upx
behavioral2/memory/512-163-0x00007FF657E40000-0x00007FF658191000-memory.dmp	upx
behavioral2/memory/2204-162-0x00007FF7D9900000-0x00007FF7D9C51000-memory.dmp	upx
behavioral2/memory/4160-160-0x00007FF7883A0000-0x00007FF7886F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\fgkklQE.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VgzUKUq.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VEtWIRx.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\omaTSek.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ullpYvB.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bfzDxXi.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rBnYJyW.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eKQIspL.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fYldKhZ.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mipCEpI.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VuklTzg.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZLfWkQL.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FvzilaI.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mwQrhVb.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mYGDyng.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jNApcep.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NyHZLkt.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iPYDNxo.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ODYsDXi.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YhaSfIL.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aHxpKRI.exe	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 784	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2300 wrote to memory of 784	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2300 wrote to memory of 2092	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2300 wrote to memory of 2092	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2300 wrote to memory of 1204	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2300 wrote to memory of 1204	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2300 wrote to memory of 4032	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2300 wrote to memory of 4032	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2300 wrote to memory of 4732	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2300 wrote to memory of 4732	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2300 wrote to memory of 2168	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2300 wrote to memory of 2168	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2300 wrote to memory of 3156	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2300 wrote to memory of 3156	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2300 wrote to memory of 2580	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2300 wrote to memory of 2580	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2300 wrote to memory of 4800	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2300 wrote to memory of 4800	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2300 wrote to memory of 3276	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2300 wrote to memory of 3276	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2300 wrote to memory of 1600	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2300 wrote to memory of 1600	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2300 wrote to memory of 2520	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2300 wrote to memory of 2520	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2300 wrote to memory of 4548	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2300 wrote to memory of 4548	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2300 wrote to memory of 4140	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2300 wrote to memory of 4140	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2300 wrote to memory of 1860	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2300 wrote to memory of 1860	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2300 wrote to memory of 4872	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2300 wrote to memory of 4872	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2300 wrote to memory of 2096	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2300 wrote to memory of 2096	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2300 wrote to memory of 4160	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 2300 wrote to memory of 4160	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 2300 wrote to memory of 1372	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 2300 wrote to memory of 1372	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 2300 wrote to memory of 2204	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 2300 wrote to memory of 2204	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 2300 wrote to memory of 512	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 2300 wrote to memory of 512	2300	2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_fc4e21f663b53a2d779b53e53938f6ee_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System\iPYDNxo.exe
  C:\Windows\System\iPYDNxo.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System\ZLfWkQL.exe
  C:\Windows\System\ZLfWkQL.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\FvzilaI.exe
  C:\Windows\System\FvzilaI.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System\mwQrhVb.exe
  C:\Windows\System\mwQrhVb.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System\VEtWIRx.exe
  C:\Windows\System\VEtWIRx.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\omaTSek.exe
  C:\Windows\System\omaTSek.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\ullpYvB.exe
  C:\Windows\System\ullpYvB.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System\mYGDyng.exe
  C:\Windows\System\mYGDyng.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\eKQIspL.exe
  C:\Windows\System\eKQIspL.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System\fYldKhZ.exe
  C:\Windows\System\fYldKhZ.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System\bfzDxXi.exe
  C:\Windows\System\bfzDxXi.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\ODYsDXi.exe
  C:\Windows\System\ODYsDXi.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\YhaSfIL.exe
  C:\Windows\System\YhaSfIL.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System\mipCEpI.exe
  C:\Windows\System\mipCEpI.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\fgkklQE.exe
  C:\Windows\System\fgkklQE.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\rBnYJyW.exe
  C:\Windows\System\rBnYJyW.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\VuklTzg.exe
  C:\Windows\System\VuklTzg.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\aHxpKRI.exe
  C:\Windows\System\aHxpKRI.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System\NyHZLkt.exe
  C:\Windows\System\NyHZLkt.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System\jNApcep.exe
  C:\Windows\System\jNApcep.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\VgzUKUq.exe
  C:\Windows\System\VgzUKUq.exe
  2⤵
  - Executes dropped EXE
  PID:512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4200,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=3868 /prefetch:8
1⤵
PID:5080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FvzilaI.exe

Filesize
5.2MB

MD5
38e1b7f0a54730bc69a107c5cc391e3c

SHA1
b7fb06f120016f9c03553e4b2f41988a2a24a558

SHA256
6c5ff853168bf5b67b68c48984ad82ece7f8957255d3c2e2322e09b5fd6628b9

SHA512
991f97c971d41dc52f0cd1b53eb7efd832c50a8a153769a766a8f3414d4a12acb6bf0c013034a8bae59ec2bcf498218fbd42ba7bc8ca294b357acdce06dd887b

Download Submit
C:\Windows\System\NyHZLkt.exe

Filesize
5.2MB

MD5
a1c2fac7b8237a679e2ea60466fd08ed

SHA1
f3c2f27c3cf6a6120e66095d10f75f8ccccde880

SHA256
eb192c5816ae2678de62c784cf9ab05a9ed59a47ef954bd4c66e79e9add85fda

SHA512
5f3c34d2feb0b9c260c249a8e556c9031c420e8b27f142bd251d40bd31fb6f2acc25e627b2b576965f983bfffdf3c7748bf865c063b9222def372fd6210942b3

Download Submit
C:\Windows\System\ODYsDXi.exe

Filesize
5.2MB

MD5
d589fc0ae698f8234e5cdf32ece9bbc3

SHA1
34013502911e6937ecd38272c60e97062bdada55

SHA256
80c35190013be54cc8ca2b0b4e0719bd4866ce3fe5359785fd6fc46e7d2df050

SHA512
4599b4d43c75a50e90cc6554c4a0bfb4f94b712bdc930b570656931116a495f2dd8a7d1d417b8fd4cbea201f69d2bd03ee4f5361f8f435555b33cde9c1bc38db

Download Submit
C:\Windows\System\VEtWIRx.exe

Filesize
5.2MB

MD5
8f9c67a5a52420bf8b564e09afccb3f8

SHA1
43279f39a9069fa1602d9c50c29a5b668b038315

SHA256
7d1cba17dea46d8b1fd9df6aa4e25463074d59fff97fb656eec890a859f9b48a

SHA512
956fd0491a96b42d00d5c0071f32dab9cf22355841fb82c16e646c063cd806e8dae103ba0e13550d894328e825bb8b95f7f8f729182185a8b49369d7ca43d282

Download Submit
C:\Windows\System\VgzUKUq.exe

Filesize
5.2MB

MD5
8b318c386ec33cf271baf0a518918e70

SHA1
d9e019d629ad02279a26eee16e2313d74594f077

SHA256
d408a9c4a2a8650b61a187f35615bb0579367eb11b6e0d70e5bed1c51b4dc9bc

SHA512
0fcce03e45d2f6240d5c11aa2cef1a225998feeb7788a12ea61a7c5a3abef75db15e2435480c2f4aa7626d0a712a9c6ad09fa8c4227dd7d94e1c7e5674a36aed

Download Submit
C:\Windows\System\VuklTzg.exe

Filesize
5.2MB

MD5
b240024f2ab8de3d98391d3b94bf3e6b

SHA1
ff9386559305053fa115ad8ce197700cc90eb171

SHA256
84bbb57283c82f50009034e740bda698b7a140d39902f0e876fd9a6843b9a8b7

SHA512
9af27609686382c49e4c8b04bcebfecf6947350644c5537be1d497b70ae989d15ea94b54419d13931c89831e1115cfcfc8a6fbb5e650a7bcc1ead4925d25332f

Download Submit
C:\Windows\System\YhaSfIL.exe

Filesize
5.2MB

MD5
7ba2717fe71f461e6da33344d26aef44

SHA1
73cf9a1a806c194737af3deb7d5d8f0b670afd53

SHA256
d41551e4b759de187edcbee0dec2781617673c5ce69c32ba1e7910ac5840f0e3

SHA512
ab21f340096c1b5a1581a1c16642723ec5f516a85375989ca9ebf0737362c779bddef4b875002a11965e352b732d9c4d94e61dac038ce4fd1fc6e682a7f71279

Download Submit
C:\Windows\System\ZLfWkQL.exe

Filesize
5.2MB

MD5
4ef8420bb365b5832f07580530f22db9

SHA1
bd17d2a7898be000a0786ead77fd3ee62602f7c6

SHA256
9142f446a02e70b3603c8a99f01d88eb24cdd7f1444883540e8ed9ef5f97ee59

SHA512
e95c7b6432eb1bc28639b555063304ccaae8ce8e8cb3bd2af3d8919775981635c0190bb9ce0f19108ca73b0897cd3b1b9ec70e05736b717fd786e7ee59ea2249

Download Submit
C:\Windows\System\aHxpKRI.exe

Filesize
5.2MB

MD5
ecd83b16301375f9f629976a5d8ee531

SHA1
966a5b145cd989273cceb0002a689e50f69ec406

SHA256
4c5d240f9fed95d0f92fdf803c4e9827720ba6082d2fc9a869f695b5c63117aa

SHA512
d3adfd777986de6028a2746c02356d0778d6f17636e15259a2f1c6a0305e975533cf030a90e904c1de90ae9c6223a1fda4c1fde51405b594900713801e8ca7c9

Download Submit
C:\Windows\System\bfzDxXi.exe

Filesize
5.2MB

MD5
f5abf510ca8cb76a54da6644401e21f5

SHA1
8a64d0eb1b433faf61db146bcf6b2faa0afdfcc8

SHA256
a759e79d73f1d54252fc0de49c1b9684cd2fac284c0a9e915c9c095073940cd9

SHA512
418cbdc294624cdd7684984551b3d17d8663b7ba1ee7dc061e338828a6be5ca9a542ca22fba216d1d15fed2f7c7df1438b6322fa0e905d0df2ccd220af6c6a7a

Download Submit
C:\Windows\System\eKQIspL.exe

Filesize
5.2MB

MD5
eda0934d063c4cf669b1524ecbcba3d7

SHA1
161efa636e417c82620a7a785771c269dbdc30b6

SHA256
474d606030ad43118ac0fa0f1ed2e0aa9bc9925489a41544a526621ab3e06712

SHA512
c5cdded5c1e232aa3896eff8eaee791f6662d0c17bbcf2635a88fba287b3018cfd0f972f334312fedde82714b8de6cc8c74d1232d14a73b57de213b440876c51

Download Submit
C:\Windows\System\fYldKhZ.exe

Filesize
5.2MB

MD5
c70bc13159dc4c70b412b5a82b92a040

SHA1
4ba08ffee4664923f5f54ca54743a5f82a0d8f84

SHA256
de03eb535496218f9d57219f58fac5f8e2d4762ec152babfe4eb1fa5df8c63ba

SHA512
c4a98a1cabce3ff71ea4ccccb53c8d3e24d85cfa2ffa8984688f954d97c7824652cd4cb6167b464cc8fe52b7c88cdcc58ed2cf6aab7846e41d7bf2a7c34f11f0

Download Submit
C:\Windows\System\fgkklQE.exe

Filesize
5.2MB

MD5
bee289897dc395f3cd924f7626472ae1

SHA1
09e450485fa399dc694400731a693243c89f4d46

SHA256
6dd8e8a7fa6f993c35bf4eb2f1aa3a0a27be20bf0562a346e0fefd9da7ed2334

SHA512
38e3e28ae3424d26f412b1e349ac60363d387d9c844ae11e28eae780c2272031a22e7a1acdc90f5bf44d9dec1439bcaf9e202711a5f84de603f35245ba25d374

Download Submit
C:\Windows\System\iPYDNxo.exe

Filesize
5.2MB

MD5
cee4352c95fa2f83cef9c40f16c46f67

SHA1
3236166f39d3588e9195ee3a5f11d8333154e951

SHA256
34171f3c30c56b5c4313c9f1a2901d82f9f8500ffa41a2aba77ccb9e08aea475

SHA512
6b6464a93b2074384e5b9fa46e682b0ec838f0940d560b5dff5973dd652723ba553e9c42fa1224ef4501d1e358460a878f114f3a702a7f6c9a5fe0d5bf172ef4

Download Submit
C:\Windows\System\jNApcep.exe

Filesize
5.2MB

MD5
0c75fb696fd970e0b64a1d28439327ab

SHA1
83d4908818874c037234737e39e4e47589d6769d

SHA256
d92004e6f77c71c534b876ceb4fe65ed27623ccccdf0178b38d87b52d7be777a

SHA512
c54ce9c1d792f0337c068dddf9c1e03c50deb6bd41eafc3cd0a9fd29923a25677e02482bba29f8aeed13bdcee5436836b2e5d444d2d0d5551ae11777342a4bf7

Download Submit
C:\Windows\System\mYGDyng.exe

Filesize
5.2MB

MD5
6262b758910b7d53c491c134923be1c6

SHA1
b68427cecf27e2447828191b87bc71e76f6eb8c6

SHA256
1226c7a802b0681992bac64fa5f080381c88ff8979510f9c66a40c37a3e3d8c0

SHA512
d7998cba0b851f49b6597549974fac83cc1a282b07d0df5b5ea6409540b8d3affa3bc0858a21f9626a3436017ed7acd3c5284c690750528e0eba800f72597eed

Download Submit
C:\Windows\System\mipCEpI.exe

Filesize
5.2MB

MD5
ede7d049389f888cea1b4d98860b69da

SHA1
fcf027d6ec181f3b79f711e1f5c23956db3c6c00

SHA256
7bf637ce35cb38fbd14898055c2ec75389f910cc8cd280d7cc33a1b6f29583c1

SHA512
6dd884e3e60e51a13e520d4e5a51b333db4c64060385d6ad70e1df97dd33bc79a09ba6293ce52760908c22ee9b65af8fda3837876187ebf0b84ff5a6d4c93851

Download Submit
C:\Windows\System\mwQrhVb.exe

Filesize
5.2MB

MD5
6d3e6a133448cbb02876014778a5e485

SHA1
625d39d7ff1b4669c2c42ad9526ff2768ef8f4ff

SHA256
665052730b00abbd9de1f13a65023f8c65f409acb815647260ea23f1b8f9a0a2

SHA512
355d35539de26dfc1c276563c1174a1dea944af991706b4cb2404663c64645803ea1d178d13e63e2fac5a3ec3e1a9815fa91ac3c56ba2b314f0f57c4851ab50c

Download Submit
C:\Windows\System\omaTSek.exe

Filesize
5.2MB

MD5
91dfa597516fced2c2fa5695a9ba993b

SHA1
d8e59069b7bf7d470654890a6650374e4b68d32e

SHA256
1bd7ac5ff94886067200e2427a4a12048a26015adf474e0ff110278708a9f632

SHA512
90e3baf98e642209145b19d583b8e472223d84a866d2e2d8327b7784571d2d3146a556c02e3216c9fe1035b8e6182257550a0b17147e9f89f2e560aa542fbeb8

Download Submit
C:\Windows\System\rBnYJyW.exe

Filesize
5.2MB

MD5
9f8bcb0b8face81ce309d87712d62275

SHA1
fee387cbb16fe5d1041bff6e2797c643bf8f84cc

SHA256
13f781930ca4b8f566de226370c8db9234c7e0b1c4ee213c9060cf3f4fbf5d7d

SHA512
06a4c139b856c98b874b02a23c16b188ec62a0a3e99ad28524a21013fe8c4f38c1b143821c85670fb99d726a3fd581c1c2afbd3d38a4f5bbe9f61952eaa65fcc

Download Submit
C:\Windows\System\ullpYvB.exe

Filesize
5.2MB

MD5
1e2cef38d181b251e14e8de6b1211e9e

SHA1
b9a09af34cc9c903b976e92e3a65794b325b6d62

SHA256
5a88ae869d5cf34bc37cc2a67dc20a0e1ccbb47bc8d957e224cb28d89719a0f8

SHA512
35e8dd6561368335c3012d45e23ba92d670169d5a3735df15b4c60d181c808ff04c443c4a53f00f08c2d4ce1beeb0a138a8c7931578b558f82236a9a45d1fb0d

Download Submit
memory/512-163-0x00007FF657E40000-0x00007FF658191000-memory.dmp

Filesize
3.3MB

Download
memory/512-136-0x00007FF657E40000-0x00007FF658191000-memory.dmp

Filesize
3.3MB

Download
memory/512-271-0x00007FF657E40000-0x00007FF658191000-memory.dmp

Filesize
3.3MB

Download
memory/784-67-0x00007FF634000000-0x00007FF634351000-memory.dmp

Filesize
3.3MB

Download
memory/784-215-0x00007FF634000000-0x00007FF634351000-memory.dmp

Filesize
3.3MB

Download
memory/784-7-0x00007FF634000000-0x00007FF634351000-memory.dmp

Filesize
3.3MB

Download
memory/1204-91-0x00007FF6EA5B0000-0x00007FF6EA901000-memory.dmp

Filesize
3.3MB

Download
memory/1204-18-0x00007FF6EA5B0000-0x00007FF6EA901000-memory.dmp

Filesize
3.3MB

Download
memory/1204-224-0x00007FF6EA5B0000-0x00007FF6EA901000-memory.dmp

Filesize
3.3MB

Download
memory/1372-161-0x00007FF620B20000-0x00007FF620E71000-memory.dmp

Filesize
3.3MB

Download
memory/1372-267-0x00007FF620B20000-0x00007FF620E71000-memory.dmp

Filesize
3.3MB

Download
memory/1372-126-0x00007FF620B20000-0x00007FF620E71000-memory.dmp

Filesize
3.3MB

Download
memory/1600-150-0x00007FF698020000-0x00007FF698371000-memory.dmp

Filesize
3.3MB

Download
memory/1600-73-0x00007FF698020000-0x00007FF698371000-memory.dmp

Filesize
3.3MB

Download
memory/1600-251-0x00007FF698020000-0x00007FF698371000-memory.dmp

Filesize
3.3MB

Download
memory/1860-265-0x00007FF798960000-0x00007FF798CB1000-memory.dmp

Filesize
3.3MB

Download
memory/1860-159-0x00007FF798960000-0x00007FF798CB1000-memory.dmp

Filesize
3.3MB

Download
memory/1860-97-0x00007FF798960000-0x00007FF798CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2092-217-0x00007FF7E21E0000-0x00007FF7E2531000-memory.dmp

Filesize
3.3MB

Download
memory/2092-12-0x00007FF7E21E0000-0x00007FF7E2531000-memory.dmp

Filesize
3.3MB

Download
memory/2092-68-0x00007FF7E21E0000-0x00007FF7E2531000-memory.dmp

Filesize
3.3MB

Download
memory/2096-158-0x00007FF652D90000-0x00007FF6530E1000-memory.dmp

Filesize
3.3MB

Download
memory/2096-114-0x00007FF652D90000-0x00007FF6530E1000-memory.dmp

Filesize
3.3MB

Download
memory/2096-263-0x00007FF652D90000-0x00007FF6530E1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-99-0x00007FF7CFFD0000-0x00007FF7D0321000-memory.dmp

Filesize
3.3MB

Download
memory/2168-238-0x00007FF7CFFD0000-0x00007FF7D0321000-memory.dmp

Filesize
3.3MB

Download
memory/2168-41-0x00007FF7CFFD0000-0x00007FF7D0321000-memory.dmp

Filesize
3.3MB

Download
memory/2204-162-0x00007FF7D9900000-0x00007FF7D9C51000-memory.dmp

Filesize
3.3MB

Download
memory/2204-132-0x00007FF7D9900000-0x00007FF7D9C51000-memory.dmp

Filesize
3.3MB

Download
memory/2204-272-0x00007FF7D9900000-0x00007FF7D9C51000-memory.dmp

Filesize
3.3MB

Download
memory/2300-1-0x00000173BA980000-0x00000173BA990000-memory.dmp

Filesize
64KB

Download
memory/2300-62-0x00007FF7DBE40000-0x00007FF7DC191000-memory.dmp

Filesize
3.3MB

Download
memory/2300-139-0x00007FF7DBE40000-0x00007FF7DC191000-memory.dmp

Filesize
3.3MB

Download
memory/2300-164-0x00007FF7DBE40000-0x00007FF7DC191000-memory.dmp

Filesize
3.3MB

Download
memory/2300-0-0x00007FF7DBE40000-0x00007FF7DC191000-memory.dmp

Filesize
3.3MB

Download
memory/2520-255-0x00007FF689F20000-0x00007FF68A271000-memory.dmp

Filesize
3.3MB

Download
memory/2520-83-0x00007FF689F20000-0x00007FF68A271000-memory.dmp

Filesize
3.3MB

Download
memory/2520-151-0x00007FF689F20000-0x00007FF68A271000-memory.dmp

Filesize
3.3MB

Download
memory/2580-42-0x00007FF630D80000-0x00007FF6310D1000-memory.dmp

Filesize
3.3MB

Download
memory/2580-113-0x00007FF630D80000-0x00007FF6310D1000-memory.dmp

Filesize
3.3MB

Download
memory/2580-236-0x00007FF630D80000-0x00007FF6310D1000-memory.dmp

Filesize
3.3MB

Download
memory/3156-122-0x00007FF749910000-0x00007FF749C61000-memory.dmp

Filesize
3.3MB

Download
memory/3156-45-0x00007FF749910000-0x00007FF749C61000-memory.dmp

Filesize
3.3MB

Download
memory/3156-232-0x00007FF749910000-0x00007FF749C61000-memory.dmp

Filesize
3.3MB

Download
memory/3276-231-0x00007FF69E600000-0x00007FF69E951000-memory.dmp

Filesize
3.3MB

Download
memory/3276-128-0x00007FF69E600000-0x00007FF69E951000-memory.dmp

Filesize
3.3MB

Download
memory/3276-57-0x00007FF69E600000-0x00007FF69E951000-memory.dmp

Filesize
3.3MB

Download
memory/4032-92-0x00007FF66EDE0000-0x00007FF66F131000-memory.dmp

Filesize
3.3MB

Download
memory/4032-28-0x00007FF66EDE0000-0x00007FF66F131000-memory.dmp

Filesize
3.3MB

Download
memory/4032-227-0x00007FF66EDE0000-0x00007FF66F131000-memory.dmp

Filesize
3.3MB

Download
memory/4140-96-0x00007FF619A80000-0x00007FF619DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4140-257-0x00007FF619A80000-0x00007FF619DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4160-262-0x00007FF7883A0000-0x00007FF7886F1000-memory.dmp

Filesize
3.3MB

Download
memory/4160-160-0x00007FF7883A0000-0x00007FF7886F1000-memory.dmp

Filesize
3.3MB

Download
memory/4160-121-0x00007FF7883A0000-0x00007FF7886F1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-86-0x00007FF76EDE0000-0x00007FF76F131000-memory.dmp

Filesize
3.3MB

Download
memory/4548-253-0x00007FF76EDE0000-0x00007FF76F131000-memory.dmp

Filesize
3.3MB

Download
memory/4732-228-0x00007FF7EB190000-0x00007FF7EB4E1000-memory.dmp

Filesize
3.3MB

Download
memory/4732-37-0x00007FF7EB190000-0x00007FF7EB4E1000-memory.dmp

Filesize
3.3MB

Download
memory/4732-100-0x00007FF7EB190000-0x00007FF7EB4E1000-memory.dmp

Filesize
3.3MB

Download
memory/4800-56-0x00007FF60CEB0000-0x00007FF60D201000-memory.dmp

Filesize
3.3MB

Download
memory/4800-127-0x00007FF60CEB0000-0x00007FF60D201000-memory.dmp

Filesize
3.3MB

Download
memory/4800-235-0x00007FF60CEB0000-0x00007FF60D201000-memory.dmp

Filesize
3.3MB

Download
memory/4872-259-0x00007FF7324D0000-0x00007FF732821000-memory.dmp

Filesize
3.3MB

Download
memory/4872-102-0x00007FF7324D0000-0x00007FF732821000-memory.dmp

Filesize
3.3MB

Download
memory/4872-157-0x00007FF7324D0000-0x00007FF732821000-memory.dmp

Filesize
3.3MB

Download