cobaltstrike | 371dad4a401af27bf5a2892f82b7188dd6cb6699eab4d52f4a63488f057c257a

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

1e704c5a02c28daf09f6b372a21b8b0a
SHA1

4bf1d901a18d71211f3a9d58f30220f7def73998
SHA256

371dad4a401af27bf5a2892f82b7188dd6cb6699eab4d52f4a63488f057c257a
SHA512

a942d73362a0c76583c2ffa1a9aec29847a753dd21e26197459c32f2f4e22aeaaa128ab5ab0d849f517839814837ec5fd65c1a3a308f8d3d619da6c049712ccb
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lc:RWWBibf56utgpPFotBER/mQ32lUQ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0007000000023462-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-16.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002345d-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-52.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002345e-69.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346d-90.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346e-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023470-105.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346f-101.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-80.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-67.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023471-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023472-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023473-126.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4168-32-0x00007FF6B2EB0000-0x00007FF6B3201000-memory.dmp	xmrig
behavioral2/memory/4052-84-0x00007FF684350000-0x00007FF6846A1000-memory.dmp	xmrig
behavioral2/memory/4812-103-0x00007FF708560000-0x00007FF7088B1000-memory.dmp	xmrig
behavioral2/memory/328-108-0x00007FF720260000-0x00007FF7205B1000-memory.dmp	xmrig
behavioral2/memory/2008-109-0x00007FF680B00000-0x00007FF680E51000-memory.dmp	xmrig
behavioral2/memory/2812-107-0x00007FF6FA6D0000-0x00007FF6FAA21000-memory.dmp	xmrig
behavioral2/memory/2872-104-0x00007FF7ED570000-0x00007FF7ED8C1000-memory.dmp	xmrig
behavioral2/memory/752-97-0x00007FF7EA170000-0x00007FF7EA4C1000-memory.dmp	xmrig
behavioral2/memory/244-96-0x00007FF7FCF90000-0x00007FF7FD2E1000-memory.dmp	xmrig
behavioral2/memory/3880-47-0x00007FF7CD2D0000-0x00007FF7CD621000-memory.dmp	xmrig
behavioral2/memory/684-27-0x00007FF647470000-0x00007FF6477C1000-memory.dmp	xmrig
behavioral2/memory/2700-111-0x00007FF793760000-0x00007FF793AB1000-memory.dmp	xmrig
behavioral2/memory/3444-124-0x00007FF690B50000-0x00007FF690EA1000-memory.dmp	xmrig
behavioral2/memory/2864-128-0x00007FF6F0A90000-0x00007FF6F0DE1000-memory.dmp	xmrig
behavioral2/memory/1716-130-0x00007FF7463F0000-0x00007FF746741000-memory.dmp	xmrig
behavioral2/memory/2308-129-0x00007FF751800000-0x00007FF751B51000-memory.dmp	xmrig
behavioral2/memory/2700-131-0x00007FF793760000-0x00007FF793AB1000-memory.dmp	xmrig
behavioral2/memory/2720-144-0x00007FF722C60000-0x00007FF722FB1000-memory.dmp	xmrig
behavioral2/memory/3152-139-0x00007FF62D050000-0x00007FF62D3A1000-memory.dmp	xmrig
behavioral2/memory/2652-141-0x00007FF74AB40000-0x00007FF74AE91000-memory.dmp	xmrig
behavioral2/memory/1964-138-0x00007FF74E3F0000-0x00007FF74E741000-memory.dmp	xmrig
behavioral2/memory/3552-146-0x00007FF77E3F0000-0x00007FF77E741000-memory.dmp	xmrig
behavioral2/memory/3024-151-0x00007FF777A00000-0x00007FF777D51000-memory.dmp	xmrig
behavioral2/memory/2700-155-0x00007FF793760000-0x00007FF793AB1000-memory.dmp	xmrig
behavioral2/memory/3444-210-0x00007FF690B50000-0x00007FF690EA1000-memory.dmp	xmrig
behavioral2/memory/1716-214-0x00007FF7463F0000-0x00007FF746741000-memory.dmp	xmrig
behavioral2/memory/4168-216-0x00007FF6B2EB0000-0x00007FF6B3201000-memory.dmp	xmrig
behavioral2/memory/684-212-0x00007FF647470000-0x00007FF6477C1000-memory.dmp	xmrig
behavioral2/memory/3880-218-0x00007FF7CD2D0000-0x00007FF7CD621000-memory.dmp	xmrig
behavioral2/memory/3552-229-0x00007FF77E3F0000-0x00007FF77E741000-memory.dmp	xmrig
behavioral2/memory/4052-231-0x00007FF684350000-0x00007FF6846A1000-memory.dmp	xmrig
behavioral2/memory/1964-233-0x00007FF74E3F0000-0x00007FF74E741000-memory.dmp	xmrig
behavioral2/memory/752-235-0x00007FF7EA170000-0x00007FF7EA4C1000-memory.dmp	xmrig
behavioral2/memory/2652-237-0x00007FF74AB40000-0x00007FF74AE91000-memory.dmp	xmrig
behavioral2/memory/3152-239-0x00007FF62D050000-0x00007FF62D3A1000-memory.dmp	xmrig
behavioral2/memory/244-241-0x00007FF7FCF90000-0x00007FF7FD2E1000-memory.dmp	xmrig
behavioral2/memory/2720-245-0x00007FF722C60000-0x00007FF722FB1000-memory.dmp	xmrig
behavioral2/memory/4812-243-0x00007FF708560000-0x00007FF7088B1000-memory.dmp	xmrig
behavioral2/memory/2872-247-0x00007FF7ED570000-0x00007FF7ED8C1000-memory.dmp	xmrig
behavioral2/memory/2812-249-0x00007FF6FA6D0000-0x00007FF6FAA21000-memory.dmp	xmrig
behavioral2/memory/328-251-0x00007FF720260000-0x00007FF7205B1000-memory.dmp	xmrig
behavioral2/memory/2008-253-0x00007FF680B00000-0x00007FF680E51000-memory.dmp	xmrig
behavioral2/memory/3024-258-0x00007FF777A00000-0x00007FF777D51000-memory.dmp	xmrig
behavioral2/memory/2308-262-0x00007FF751800000-0x00007FF751B51000-memory.dmp	xmrig
behavioral2/memory/2864-260-0x00007FF6F0A90000-0x00007FF6F0DE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3444	sObvQJG.exe
1716	rfHrhNd.exe
684	EVcxaOj.exe
4168	jleRTjt.exe
3880	CAJNudg.exe
3552	omkSKYP.exe
1964	soAGJQY.exe
752	ypRRlpN.exe
3152	igtfgYq.exe
2652	YRQtefS.exe
4052	dIrRSpC.exe
4812	hDsNXdN.exe
2720	lPYWcYS.exe
244	UrWDjRc.exe
2872	lXjqhJC.exe
2812	NUNKyMf.exe
328	mjAKQbc.exe
2008	uCRSzlo.exe
3024	PGsHFrq.exe
2864	bPuREFd.exe
2308	MMdYAyW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2700-0-0x00007FF793760000-0x00007FF793AB1000-memory.dmp	upx
behavioral2/files/0x0007000000023462-9.dat	upx
behavioral2/memory/3444-7-0x00007FF690B50000-0x00007FF690EA1000-memory.dmp	upx
behavioral2/files/0x0007000000023463-23.dat	upx
behavioral2/files/0x0007000000023461-16.dat	upx
behavioral2/memory/1716-13-0x00007FF7463F0000-0x00007FF746741000-memory.dmp	upx
behavioral2/files/0x000800000002345d-6.dat	upx
behavioral2/files/0x0007000000023464-29.dat	upx
behavioral2/files/0x0007000000023466-40.dat	upx
behavioral2/memory/3552-33-0x00007FF77E3F0000-0x00007FF77E741000-memory.dmp	upx
behavioral2/memory/4168-32-0x00007FF6B2EB0000-0x00007FF6B3201000-memory.dmp	upx
behavioral2/files/0x0007000000023465-43.dat	upx
behavioral2/files/0x0007000000023469-52.dat	upx
behavioral2/files/0x000800000002345e-69.dat	upx
behavioral2/memory/2652-75-0x00007FF74AB40000-0x00007FF74AE91000-memory.dmp	upx
behavioral2/memory/4052-84-0x00007FF684350000-0x00007FF6846A1000-memory.dmp	upx
behavioral2/files/0x000700000002346d-90.dat	upx
behavioral2/files/0x000700000002346e-99.dat	upx
behavioral2/memory/4812-103-0x00007FF708560000-0x00007FF7088B1000-memory.dmp	upx
behavioral2/memory/328-108-0x00007FF720260000-0x00007FF7205B1000-memory.dmp	upx
behavioral2/memory/2008-109-0x00007FF680B00000-0x00007FF680E51000-memory.dmp	upx
behavioral2/memory/2812-107-0x00007FF6FA6D0000-0x00007FF6FAA21000-memory.dmp	upx
behavioral2/files/0x0007000000023470-105.dat	upx
behavioral2/memory/2872-104-0x00007FF7ED570000-0x00007FF7ED8C1000-memory.dmp	upx
behavioral2/files/0x000700000002346f-101.dat	upx
behavioral2/memory/752-97-0x00007FF7EA170000-0x00007FF7EA4C1000-memory.dmp	upx
behavioral2/memory/244-96-0x00007FF7FCF90000-0x00007FF7FD2E1000-memory.dmp	upx
behavioral2/memory/2720-85-0x00007FF722C60000-0x00007FF722FB1000-memory.dmp	upx
behavioral2/files/0x000700000002346c-80.dat	upx
behavioral2/files/0x000700000002346b-79.dat	upx
behavioral2/files/0x0007000000023467-76.dat	upx
behavioral2/memory/3152-70-0x00007FF62D050000-0x00007FF62D3A1000-memory.dmp	upx
behavioral2/files/0x0007000000023468-67.dat	upx
behavioral2/memory/1964-61-0x00007FF74E3F0000-0x00007FF74E741000-memory.dmp	upx
behavioral2/files/0x000700000002346a-56.dat	upx
behavioral2/memory/3880-47-0x00007FF7CD2D0000-0x00007FF7CD621000-memory.dmp	upx
behavioral2/memory/684-27-0x00007FF647470000-0x00007FF6477C1000-memory.dmp	upx
behavioral2/memory/2700-111-0x00007FF793760000-0x00007FF793AB1000-memory.dmp	upx
behavioral2/files/0x0007000000023471-115.dat	upx
behavioral2/files/0x0007000000023472-120.dat	upx
behavioral2/memory/3024-119-0x00007FF777A00000-0x00007FF777D51000-memory.dmp	upx
behavioral2/memory/3444-124-0x00007FF690B50000-0x00007FF690EA1000-memory.dmp	upx
behavioral2/files/0x0007000000023473-126.dat	upx
behavioral2/memory/2864-128-0x00007FF6F0A90000-0x00007FF6F0DE1000-memory.dmp	upx
behavioral2/memory/1716-130-0x00007FF7463F0000-0x00007FF746741000-memory.dmp	upx
behavioral2/memory/2308-129-0x00007FF751800000-0x00007FF751B51000-memory.dmp	upx
behavioral2/memory/2700-131-0x00007FF793760000-0x00007FF793AB1000-memory.dmp	upx
behavioral2/memory/2720-144-0x00007FF722C60000-0x00007FF722FB1000-memory.dmp	upx
behavioral2/memory/3152-139-0x00007FF62D050000-0x00007FF62D3A1000-memory.dmp	upx
behavioral2/memory/2652-141-0x00007FF74AB40000-0x00007FF74AE91000-memory.dmp	upx
behavioral2/memory/1964-138-0x00007FF74E3F0000-0x00007FF74E741000-memory.dmp	upx
behavioral2/memory/3552-146-0x00007FF77E3F0000-0x00007FF77E741000-memory.dmp	upx
behavioral2/memory/3024-151-0x00007FF777A00000-0x00007FF777D51000-memory.dmp	upx
behavioral2/memory/2700-155-0x00007FF793760000-0x00007FF793AB1000-memory.dmp	upx
behavioral2/memory/3444-210-0x00007FF690B50000-0x00007FF690EA1000-memory.dmp	upx
behavioral2/memory/1716-214-0x00007FF7463F0000-0x00007FF746741000-memory.dmp	upx
behavioral2/memory/4168-216-0x00007FF6B2EB0000-0x00007FF6B3201000-memory.dmp	upx
behavioral2/memory/684-212-0x00007FF647470000-0x00007FF6477C1000-memory.dmp	upx
behavioral2/memory/3880-218-0x00007FF7CD2D0000-0x00007FF7CD621000-memory.dmp	upx
behavioral2/memory/3552-229-0x00007FF77E3F0000-0x00007FF77E741000-memory.dmp	upx
behavioral2/memory/4052-231-0x00007FF684350000-0x00007FF6846A1000-memory.dmp	upx
behavioral2/memory/1964-233-0x00007FF74E3F0000-0x00007FF74E741000-memory.dmp	upx
behavioral2/memory/752-235-0x00007FF7EA170000-0x00007FF7EA4C1000-memory.dmp	upx
behavioral2/memory/2652-237-0x00007FF74AB40000-0x00007FF74AE91000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\mjAKQbc.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uCRSzlo.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rfHrhNd.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\soAGJQY.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\igtfgYq.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ypRRlpN.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lPYWcYS.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lXjqhJC.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bPuREFd.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sObvQJG.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EVcxaOj.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CAJNudg.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\omkSKYP.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UrWDjRc.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NUNKyMf.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jleRTjt.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YRQtefS.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dIrRSpC.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hDsNXdN.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PGsHFrq.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MMdYAyW.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 3444	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2700 wrote to memory of 3444	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2700 wrote to memory of 1716	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2700 wrote to memory of 1716	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2700 wrote to memory of 684	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2700 wrote to memory of 684	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2700 wrote to memory of 4168	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2700 wrote to memory of 4168	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2700 wrote to memory of 3880	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2700 wrote to memory of 3880	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2700 wrote to memory of 3552	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2700 wrote to memory of 3552	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2700 wrote to memory of 1964	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2700 wrote to memory of 1964	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2700 wrote to memory of 3152	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2700 wrote to memory of 3152	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2700 wrote to memory of 752	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2700 wrote to memory of 752	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2700 wrote to memory of 2652	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2700 wrote to memory of 2652	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2700 wrote to memory of 4052	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2700 wrote to memory of 4052	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2700 wrote to memory of 4812	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2700 wrote to memory of 4812	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2700 wrote to memory of 2720	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2700 wrote to memory of 2720	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2700 wrote to memory of 244	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2700 wrote to memory of 244	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2700 wrote to memory of 2872	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2700 wrote to memory of 2872	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2700 wrote to memory of 2812	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2700 wrote to memory of 2812	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2700 wrote to memory of 328	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2700 wrote to memory of 328	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2700 wrote to memory of 2008	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2700 wrote to memory of 2008	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2700 wrote to memory of 3024	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2700 wrote to memory of 3024	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2700 wrote to memory of 2864	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2700 wrote to memory of 2864	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2700 wrote to memory of 2308	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2700 wrote to memory of 2308	2700	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\System\sObvQJG.exe
  C:\Windows\System\sObvQJG.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System\rfHrhNd.exe
  C:\Windows\System\rfHrhNd.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\EVcxaOj.exe
  C:\Windows\System\EVcxaOj.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System\jleRTjt.exe
  C:\Windows\System\jleRTjt.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\CAJNudg.exe
  C:\Windows\System\CAJNudg.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System\omkSKYP.exe
  C:\Windows\System\omkSKYP.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System\soAGJQY.exe
  C:\Windows\System\soAGJQY.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\igtfgYq.exe
  C:\Windows\System\igtfgYq.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\ypRRlpN.exe
  C:\Windows\System\ypRRlpN.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System\YRQtefS.exe
  C:\Windows\System\YRQtefS.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\dIrRSpC.exe
  C:\Windows\System\dIrRSpC.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System\hDsNXdN.exe
  C:\Windows\System\hDsNXdN.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\lPYWcYS.exe
  C:\Windows\System\lPYWcYS.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\UrWDjRc.exe
  C:\Windows\System\UrWDjRc.exe
  2⤵
  - Executes dropped EXE
  PID:244
- C:\Windows\System\lXjqhJC.exe
  C:\Windows\System\lXjqhJC.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\NUNKyMf.exe
  C:\Windows\System\NUNKyMf.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\mjAKQbc.exe
  C:\Windows\System\mjAKQbc.exe
  2⤵
  - Executes dropped EXE
  PID:328
- C:\Windows\System\uCRSzlo.exe
  C:\Windows\System\uCRSzlo.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\PGsHFrq.exe
  C:\Windows\System\PGsHFrq.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\bPuREFd.exe
  C:\Windows\System\bPuREFd.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\MMdYAyW.exe
  C:\Windows\System\MMdYAyW.exe
  2⤵
  - Executes dropped EXE
  PID:2308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CAJNudg.exe

Filesize
5.2MB

MD5
7da21c36aa1290020ab0d78914a9fce4

SHA1
59e8ab283a63eb17859d8bcf755b0a39387d022b

SHA256
15967319378c51eeef7c765a44cdb4d262a7aebfcd1bf70ce2b371ea1dda42e9

SHA512
5b5a130210e83a3bf923be1e40fca8180cb9c0929411e25a55ea23052dd46e187f2cc15b5c426a555c1da06620d9d306b7f09016f0275ebd26bf1c681e076f02

Download Submit
C:\Windows\System\EVcxaOj.exe

Filesize
5.2MB

MD5
ffb1249de3e7a131069b6728e1de07f6

SHA1
29d6a808a096657604d3c2008c50c03b2791563a

SHA256
9d72ec9baa9a3b3feaed930691a3d72af16e2090057a16ebe2fa79483acbdd41

SHA512
1b2d287faf107a9b43519158e5452d83aede55329394ef4cda3b031ccb44ca9c4583df8683019474521ef8ab5c7fc4fcd5200c4d8df74592497dd90536d7d6d6

Download Submit
C:\Windows\System\MMdYAyW.exe

Filesize
5.2MB

MD5
0e4a10bbbd4b6eb56c5c72cb54209511

SHA1
65c05211bf8a833dd3b3bee44a93bb929b96a40b

SHA256
1fae44e4ad68fd32a662b027a794df66f7a2cfe2c26cd0106bc371a2401cfb0c

SHA512
429bfc1aa552bde1a52f14151153f38180ea55428061b83153be43f80851b033848b5da6010396e8e2aa9a6a51214f532b0e44b6f15f495666e7943d6146cb32

Download Submit
C:\Windows\System\NUNKyMf.exe

Filesize
5.2MB

MD5
36c60676d900fac5ff74887602f0fd76

SHA1
4051df57662c278e2940c44e72d99ace6ffd7fab

SHA256
66fc9c480401c4da650842a778342b58981cc2f037dbf0e0befa080158746186

SHA512
c90560cbb73c94da16ba93a44464328b0676654419669c3cf579c59a85ad5f3d98fca55b1c9dd5872ea047a19d6dd4356e49adbb3aa4e63a789aea0edc4c1395

Download Submit
C:\Windows\System\PGsHFrq.exe

Filesize
5.2MB

MD5
1ec510b88a621a3d1cd77f7eef43640b

SHA1
96b9ab7656322748e608f2c48009cd36f63967dc

SHA256
2666e52f1f86db962fdbe9c0aa9256e0eb5d79e3a36f8234a2275a71b751230b

SHA512
ccc53bee5ae26d469b5db4ffdd1469b3d0226490bc3496aa2e1bfce6211f5874a5fd4cb16fc660c9116c7f9d95bc21baee6bc65a78e12ea5d732e6653bd45c67

Download Submit
C:\Windows\System\UrWDjRc.exe

Filesize
5.2MB

MD5
a12fff004a5de632db8d001122bc3b52

SHA1
197047a85eb8b0963c44bb4033673590f3db1202

SHA256
ae87b668ce938b81b020bacbccaa2eae458fe3133fd187b0b9c8a84073186af3

SHA512
e045530cceba39c9aa73d9daa621a09a0bdb2276b77a05202beee709d8d8314d11e09fbd7b286c51c7dda62e680a883021564c806735f6e2b75f9be48c745558

Download Submit
C:\Windows\System\YRQtefS.exe

Filesize
5.2MB

MD5
c80eca0cb37529a6e8e96628e7287874

SHA1
67d290df4182ec91303bc41a58fc95f3cc438a81

SHA256
e701f7a81a2fd3962d5521120797283086060e096c74d4d46d477e6e7907c87b

SHA512
0f270d5f35c1c9b44d3adf079cc3aed1e22dd8fab98a674b26f8a05a6797579d9f72f8038f8412130497d2439dab47b29f5719d7eb4b356ca624ce0d17fd7356

Download Submit
C:\Windows\System\bPuREFd.exe

Filesize
5.2MB

MD5
ce79c2a754457fe5315aefc3d1f336a0

SHA1
a881be315d8b4d69dbd9dfa3be16f9e0a233cc74

SHA256
80c7da224a2b5eb40b2cf7e609345392e1a3cd9c6016913b0a10bdf92fc146ea

SHA512
a3a422405f5fdf0a4c4f98aeeaabdff2e3c2736d8722adf44e8543d3a0fd0f79918f45b595fcd62ff29d4b0ab40da94d78d2b3775fa301994995d925d4d77816

Download Submit
C:\Windows\System\dIrRSpC.exe

Filesize
5.2MB

MD5
de970e7fb4d03ca6bcf7f0df3ef93a33

SHA1
df7669c602a8e7f6703f1043ef5d712fc4723fbf

SHA256
3c689e2418f93387ca89a010a908cf3a571a83fb57c1f930be94c28bad8e6445

SHA512
56826abbb7036d6da3a77ee62176cdfaae9ae7ce6c2b59dbe13904017ace4b1ee609168777b23b5cd6753a4cddcd73ee94722b22045af96ddcf0aa9c6d31166e

Download Submit
C:\Windows\System\hDsNXdN.exe

Filesize
5.2MB

MD5
fe8faa717fd4edc701a7c9a5de8437df

SHA1
af8ac99bb3f8ac2470b837c5ca9c58e2cfbe2fa5

SHA256
8d6d3715493e9051a2b1c3e6eb721f9bd80b99dbea2b3f93505221adc4a32dac

SHA512
71f3005758237d8145407c50b8493de9f11662c7f382a2f615718029f1e5e5bbd05c2d14cfbad9b9bafce34fe1fdeb3de5a70875e4311d44120152c541679c3f

Download Submit
C:\Windows\System\igtfgYq.exe

Filesize
5.2MB

MD5
5ec639f7ca8bfbc9125775affd536853

SHA1
e0bd905662e18f247792ae622982da883e50f211

SHA256
94c3a341d2b7885811360335be7f5bdf4fcb421e36cca871eb8365ec4eeb071f

SHA512
ca3e7fd75093b179458aff9a350dbceb5615bc886881ac1fa18db35edc27aaa3349828cbd95e6261874d34e84f5c0150df7b96f8df81e725db4d56119a982279

Download Submit
C:\Windows\System\jleRTjt.exe

Filesize
5.2MB

MD5
6d95b84c8fa02c4879c19960b6de5807

SHA1
cb0d5cc1dd51a9a4f6fbb6575f782d4617eceb3b

SHA256
dc6376ae8f7b4b4dda03a59267b0445f75ba50e87964ced371c80eb14352c080

SHA512
a832187d19e684f8fd3ea8f2c491ee47a6f4ae20dd041e725f4a840864c9938b4ce7ed0b8ea6f7e31d078dfc5f4a62c7c22bccbe05a498dcbe7df897edf9adc3

Download Submit
C:\Windows\System\lPYWcYS.exe

Filesize
5.2MB

MD5
8fd5119acb9b040842c4849e8c250ebe

SHA1
d74d73213ec9bdea16a545750c5a9c9193dfdddc

SHA256
69651762572f603eb736a1eb46242987a00437eb7b7445a39f9fbe64bdacdb93

SHA512
8dd2e7ed9343917e10263a9cd64da5dc3a82a49bf361e5a93bd8aeb79dba61b23c9e80ce6f6b0302815fb8faf8691c945d4513ad5e367d5efed7b0330e95be55

Download Submit
C:\Windows\System\lXjqhJC.exe

Filesize
5.2MB

MD5
746289c6a641f91611092c51c8dca565

SHA1
1f65aac4c7f50f2c4abc1d379d7460ba3ba651c6

SHA256
cf53dd798731ed383c1a1932775bfa6800b09988a27a4b7c9daf631cd137ef4f

SHA512
8897f7644dd42325d691f0d2ab78f9987188f885a1c0c4bd702544fa1e9ea008c4fdf4cf9ab338b3a182e797fd363ba21407a73a76b7fc2f6db28e8ee210bd9d

Download Submit
C:\Windows\System\mjAKQbc.exe

Filesize
5.2MB

MD5
9f2d6de56614079023b1543182f76f1b

SHA1
b7881e5dc234cdf1d896e8a3a72b0894e99dc5c8

SHA256
d205e98a12bb41c9bcac0b9205da3bfe1988d9916902a62f7a4a9d3f5df67cd3

SHA512
521c770dd70714fb3c1c1fa0a27c3de994cb506c10d6b7787eece4be5ceb57e3a2f3f43606a9bf76c3b7b3d8137ef42eec3db205cc2dc8a7a8674219ee04a2bc

Download Submit
C:\Windows\System\omkSKYP.exe

Filesize
5.2MB

MD5
d591ad2550276169c3d8f9fd0b114634

SHA1
c9fd6a565f9276de050ff81634d5b13857a43b44

SHA256
ab4ed547e725de5193ce4594f8d22931c8e6a5b643382a92781632328160d24c

SHA512
0447852c284c2e46f82fd5ba3594f90e93f3161e1281efb180ab860063009e058d8eb3c59db215b1b84ce9a1a24bb1209d690281d6b25580f0cc336542cc503d

Download Submit
C:\Windows\System\rfHrhNd.exe

Filesize
5.2MB

MD5
d2fdba93e8a90c995c775fb9dd2aafba

SHA1
3da2eb4a6e11519d1988aeb815179e1167e1be77

SHA256
95502941f90991effde48f77d561c8d5815c2d64434b391baf9e3d2c69fafeca

SHA512
cf6b543ca3648413aac93386a3a1fbe01950022af0c6931aba6f93665e3be8db8dc8c1f0cf3a0ad417d4e98a40e83231452477c363654170d29298c81a4cfb15

Download Submit
C:\Windows\System\sObvQJG.exe

Filesize
5.2MB

MD5
c97e0d03a971aa5ce05ea3eadc286646

SHA1
80f6e7a66a533d3fde52330be121bd8b47918adc

SHA256
eaaa61fc41c0fd759ffa4ed600b20f80e3487e7e3b39694564f0bc78b8d54f8f

SHA512
6cd5364aef2fb83021cae1ec586e015d5f3de51991eba1e28539694391ae98d4fa69417e89fd3a03ce3070bf7c987daf593c8aca1dc3e1ec28cbd7a90af5a520

Download Submit
C:\Windows\System\soAGJQY.exe

Filesize
5.2MB

MD5
de64bd087cab8ed71b8832fb078d3d61

SHA1
6b0b792d8233458eb02d8cf8dd310bb19cff24ce

SHA256
8ed47a284de4ea5a9a7c30a985b7f6546bfeb380e81c72561177ed7cf7a8a79f

SHA512
b7db3d12e286ff0306d17f2c0ec1910c5ad7b5636ce66265ba0ec33d49e49907825a80257bf0fc85432ae30044942c54922ba87415e4d4edb81fe928dbbdaf8d

Download Submit
C:\Windows\System\uCRSzlo.exe

Filesize
5.2MB

MD5
e26fb9c6c8cb2ed4b83e641862833bef

SHA1
3580fbbb2ac20d2b6f677e5321994ab16e69e707

SHA256
4dcf85ae7a79548268f637e88b165042037a655e968d7689ceccbdf69c662444

SHA512
b661766c16235edb4ec697a85719784963a7efc129348e3aa301eb7dabb3314c401ed17134d3884d28a08a9bd390cd59f2bb64342f346ed4c69013f49e6ff7ae

Download Submit
C:\Windows\System\ypRRlpN.exe

Filesize
5.2MB

MD5
64450ad37449af22fd7a88a5c43a5bc8

SHA1
6b209e8c0a7c351f4e64f23c2532abffeb04e0bc

SHA256
1e1e0d768cfafb67957f08ccae47877ad94a4ae84df650dbe87176b77b017679

SHA512
777d994a8518713b64b6a79e63fce472ba94f14f8f1e566ef21020b061a132511264f69fc535d24c5cb4b8e84394179c119370fd8216501d44bbf101840aae60

Download Submit
memory/244-241-0x00007FF7FCF90000-0x00007FF7FD2E1000-memory.dmp

Filesize
3.3MB

Download
memory/244-96-0x00007FF7FCF90000-0x00007FF7FD2E1000-memory.dmp

Filesize
3.3MB

Download
memory/328-108-0x00007FF720260000-0x00007FF7205B1000-memory.dmp

Filesize
3.3MB

Download
memory/328-251-0x00007FF720260000-0x00007FF7205B1000-memory.dmp

Filesize
3.3MB

Download
memory/684-27-0x00007FF647470000-0x00007FF6477C1000-memory.dmp

Filesize
3.3MB

Download
memory/684-212-0x00007FF647470000-0x00007FF6477C1000-memory.dmp

Filesize
3.3MB

Download
memory/752-235-0x00007FF7EA170000-0x00007FF7EA4C1000-memory.dmp

Filesize
3.3MB

Download
memory/752-97-0x00007FF7EA170000-0x00007FF7EA4C1000-memory.dmp

Filesize
3.3MB

Download
memory/1716-13-0x00007FF7463F0000-0x00007FF746741000-memory.dmp

Filesize
3.3MB

Download
memory/1716-214-0x00007FF7463F0000-0x00007FF746741000-memory.dmp

Filesize
3.3MB

Download
memory/1716-130-0x00007FF7463F0000-0x00007FF746741000-memory.dmp

Filesize
3.3MB

Download
memory/1964-233-0x00007FF74E3F0000-0x00007FF74E741000-memory.dmp

Filesize
3.3MB

Download
memory/1964-61-0x00007FF74E3F0000-0x00007FF74E741000-memory.dmp

Filesize
3.3MB

Download
memory/1964-138-0x00007FF74E3F0000-0x00007FF74E741000-memory.dmp

Filesize
3.3MB

Download
memory/2008-253-0x00007FF680B00000-0x00007FF680E51000-memory.dmp

Filesize
3.3MB

Download
memory/2008-109-0x00007FF680B00000-0x00007FF680E51000-memory.dmp

Filesize
3.3MB

Download
memory/2308-262-0x00007FF751800000-0x00007FF751B51000-memory.dmp

Filesize
3.3MB

Download
memory/2308-129-0x00007FF751800000-0x00007FF751B51000-memory.dmp

Filesize
3.3MB

Download
memory/2652-141-0x00007FF74AB40000-0x00007FF74AE91000-memory.dmp

Filesize
3.3MB

Download
memory/2652-237-0x00007FF74AB40000-0x00007FF74AE91000-memory.dmp

Filesize
3.3MB

Download
memory/2652-75-0x00007FF74AB40000-0x00007FF74AE91000-memory.dmp

Filesize
3.3MB

Download
memory/2700-131-0x00007FF793760000-0x00007FF793AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-155-0x00007FF793760000-0x00007FF793AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-1-0x000001F0DDB20000-0x000001F0DDB30000-memory.dmp

Filesize
64KB

Download
memory/2700-111-0x00007FF793760000-0x00007FF793AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-0-0x00007FF793760000-0x00007FF793AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2720-144-0x00007FF722C60000-0x00007FF722FB1000-memory.dmp

Filesize
3.3MB

Download
memory/2720-85-0x00007FF722C60000-0x00007FF722FB1000-memory.dmp

Filesize
3.3MB

Download
memory/2720-245-0x00007FF722C60000-0x00007FF722FB1000-memory.dmp

Filesize
3.3MB

Download
memory/2812-107-0x00007FF6FA6D0000-0x00007FF6FAA21000-memory.dmp

Filesize
3.3MB

Download
memory/2812-249-0x00007FF6FA6D0000-0x00007FF6FAA21000-memory.dmp

Filesize
3.3MB

Download
memory/2864-128-0x00007FF6F0A90000-0x00007FF6F0DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-260-0x00007FF6F0A90000-0x00007FF6F0DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2872-104-0x00007FF7ED570000-0x00007FF7ED8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2872-247-0x00007FF7ED570000-0x00007FF7ED8C1000-memory.dmp

Filesize
3.3MB

Download
memory/3024-258-0x00007FF777A00000-0x00007FF777D51000-memory.dmp

Filesize
3.3MB

Download
memory/3024-151-0x00007FF777A00000-0x00007FF777D51000-memory.dmp

Filesize
3.3MB

Download
memory/3024-119-0x00007FF777A00000-0x00007FF777D51000-memory.dmp

Filesize
3.3MB

Download
memory/3152-139-0x00007FF62D050000-0x00007FF62D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/3152-70-0x00007FF62D050000-0x00007FF62D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/3152-239-0x00007FF62D050000-0x00007FF62D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/3444-210-0x00007FF690B50000-0x00007FF690EA1000-memory.dmp

Filesize
3.3MB

Download
memory/3444-124-0x00007FF690B50000-0x00007FF690EA1000-memory.dmp

Filesize
3.3MB

Download
memory/3444-7-0x00007FF690B50000-0x00007FF690EA1000-memory.dmp

Filesize
3.3MB

Download
memory/3552-33-0x00007FF77E3F0000-0x00007FF77E741000-memory.dmp

Filesize
3.3MB

Download
memory/3552-229-0x00007FF77E3F0000-0x00007FF77E741000-memory.dmp

Filesize
3.3MB

Download
memory/3552-146-0x00007FF77E3F0000-0x00007FF77E741000-memory.dmp

Filesize
3.3MB

Download
memory/3880-47-0x00007FF7CD2D0000-0x00007FF7CD621000-memory.dmp

Filesize
3.3MB

Download
memory/3880-218-0x00007FF7CD2D0000-0x00007FF7CD621000-memory.dmp

Filesize
3.3MB

Download
memory/4052-84-0x00007FF684350000-0x00007FF6846A1000-memory.dmp

Filesize
3.3MB

Download
memory/4052-231-0x00007FF684350000-0x00007FF6846A1000-memory.dmp

Filesize
3.3MB

Download
memory/4168-216-0x00007FF6B2EB0000-0x00007FF6B3201000-memory.dmp

Filesize
3.3MB

Download
memory/4168-32-0x00007FF6B2EB0000-0x00007FF6B3201000-memory.dmp

Filesize
3.3MB

Download
memory/4812-243-0x00007FF708560000-0x00007FF7088B1000-memory.dmp

Filesize
3.3MB

Download
memory/4812-103-0x00007FF708560000-0x00007FF7088B1000-memory.dmp

Filesize
3.3MB

Download