cobaltstrike | 1f426f57b326ba7039b166d357e418ddb91fef2851c5257305ca22b6084f72dc

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

db4726897a27c26ec5c8ecc5abaa32c7
SHA1

c7e727564caa48b60d3264f2cde1e5cdfb2b469d
SHA256

1f426f57b326ba7039b166d357e418ddb91fef2851c5257305ca22b6084f72dc
SHA512

ac90f580d92b26d9f73d3583da1a39257c0740eb1b8be65398e82f17dbc9642508732b07f941250c3f19b0317fbd8d095e873bb72f2358ce90371a912bc9f469
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lp:RWWBibj56utgpPFotBER/mQ32lU1

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023607-4.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002360c-15.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002360b-22.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002360d-19.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023614-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023615-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023617-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023618-92.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361d-126.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361c-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023619-118.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361b-116.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361a-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023616-101.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023608-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023613-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023611-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023610-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023612-63.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002360f-37.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002360e-38.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2396-44-0x00007FF656AC0000-0x00007FF656E11000-memory.dmp	xmrig
behavioral2/memory/1412-120-0x00007FF711EA0000-0x00007FF7121F1000-memory.dmp	xmrig
behavioral2/memory/2888-129-0x00007FF631770000-0x00007FF631AC1000-memory.dmp	xmrig
behavioral2/memory/2432-128-0x00007FF75A710000-0x00007FF75AA61000-memory.dmp	xmrig
behavioral2/memory/3252-123-0x00007FF651E30000-0x00007FF652181000-memory.dmp	xmrig
behavioral2/memory/3444-122-0x00007FF7E1330000-0x00007FF7E1681000-memory.dmp	xmrig
behavioral2/memory/1088-121-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp	xmrig
behavioral2/memory/1912-36-0x00007FF72B270000-0x00007FF72B5C1000-memory.dmp	xmrig
behavioral2/memory/1412-130-0x00007FF711EA0000-0x00007FF7121F1000-memory.dmp	xmrig
behavioral2/memory/3556-133-0x00007FF6ACD40000-0x00007FF6AD091000-memory.dmp	xmrig
behavioral2/memory/2336-145-0x00007FF6F5B70000-0x00007FF6F5EC1000-memory.dmp	xmrig
behavioral2/memory/1224-148-0x00007FF65B690000-0x00007FF65B9E1000-memory.dmp	xmrig
behavioral2/memory/5084-151-0x00007FF67D690000-0x00007FF67D9E1000-memory.dmp	xmrig
behavioral2/memory/2316-150-0x00007FF7E4140000-0x00007FF7E4491000-memory.dmp	xmrig
behavioral2/memory/2856-147-0x00007FF608630000-0x00007FF608981000-memory.dmp	xmrig
behavioral2/memory/3052-144-0x00007FF613790000-0x00007FF613AE1000-memory.dmp	xmrig
behavioral2/memory/1276-143-0x00007FF6A1390000-0x00007FF6A16E1000-memory.dmp	xmrig
behavioral2/memory/3528-142-0x00007FF624980000-0x00007FF624CD1000-memory.dmp	xmrig
behavioral2/memory/3620-141-0x00007FF705900000-0x00007FF705C51000-memory.dmp	xmrig
behavioral2/memory/2992-140-0x00007FF653C00000-0x00007FF653F51000-memory.dmp	xmrig
behavioral2/memory/4852-138-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp	xmrig
behavioral2/memory/4640-135-0x00007FF76A7A0000-0x00007FF76AAF1000-memory.dmp	xmrig
behavioral2/memory/2448-139-0x00007FF600580000-0x00007FF6008D1000-memory.dmp	xmrig
behavioral2/memory/1412-153-0x00007FF711EA0000-0x00007FF7121F1000-memory.dmp	xmrig
behavioral2/memory/1088-213-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp	xmrig
behavioral2/memory/3556-215-0x00007FF6ACD40000-0x00007FF6AD091000-memory.dmp	xmrig
behavioral2/memory/1912-217-0x00007FF72B270000-0x00007FF72B5C1000-memory.dmp	xmrig
behavioral2/memory/2396-221-0x00007FF656AC0000-0x00007FF656E11000-memory.dmp	xmrig
behavioral2/memory/4640-223-0x00007FF76A7A0000-0x00007FF76AAF1000-memory.dmp	xmrig
behavioral2/memory/3444-220-0x00007FF7E1330000-0x00007FF7E1681000-memory.dmp	xmrig
behavioral2/memory/4852-229-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp	xmrig
behavioral2/memory/2448-228-0x00007FF600580000-0x00007FF6008D1000-memory.dmp	xmrig
behavioral2/memory/2992-226-0x00007FF653C00000-0x00007FF653F51000-memory.dmp	xmrig
behavioral2/memory/2316-245-0x00007FF7E4140000-0x00007FF7E4491000-memory.dmp	xmrig
behavioral2/memory/3252-251-0x00007FF651E30000-0x00007FF652181000-memory.dmp	xmrig
behavioral2/memory/5084-258-0x00007FF67D690000-0x00007FF67D9E1000-memory.dmp	xmrig
behavioral2/memory/2888-256-0x00007FF631770000-0x00007FF631AC1000-memory.dmp	xmrig
behavioral2/memory/2336-252-0x00007FF6F5B70000-0x00007FF6F5EC1000-memory.dmp	xmrig
behavioral2/memory/2856-249-0x00007FF608630000-0x00007FF608981000-memory.dmp	xmrig
behavioral2/memory/2432-247-0x00007FF75A710000-0x00007FF75AA61000-memory.dmp	xmrig
behavioral2/memory/3528-243-0x00007FF624980000-0x00007FF624CD1000-memory.dmp	xmrig
behavioral2/memory/3620-254-0x00007FF705900000-0x00007FF705C51000-memory.dmp	xmrig
behavioral2/memory/3052-238-0x00007FF613790000-0x00007FF613AE1000-memory.dmp	xmrig
behavioral2/memory/1276-241-0x00007FF6A1390000-0x00007FF6A16E1000-memory.dmp	xmrig
behavioral2/memory/1224-262-0x00007FF65B690000-0x00007FF65B9E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1088	fIdMBzK.exe
3556	LGRQkbE.exe
1912	rLdhhwJ.exe
4640	mWYjBiN.exe
2396	MNVItnG.exe
3444	swaZJsU.exe
4852	JPsEtFJ.exe
2448	szypwhP.exe
2992	nkNDTCz.exe
3620	ejbxVgw.exe
3528	iPmjxac.exe
1276	wFbmWQd.exe
3052	OTzcCWc.exe
2336	cVGigKC.exe
3252	VuiTGEs.exe
2856	uMeBGhI.exe
1224	rmPbsFG.exe
2432	hkSMGay.exe
2316	KuBXxRf.exe
5084	qSxAMKR.exe
2888	AFjMrVA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1412-0-0x00007FF711EA0000-0x00007FF7121F1000-memory.dmp	upx
behavioral2/files/0x0008000000023607-4.dat	upx
behavioral2/memory/1088-9-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp	upx
behavioral2/files/0x000700000002360c-15.dat	upx
behavioral2/files/0x000700000002360b-22.dat	upx
behavioral2/memory/3556-20-0x00007FF6ACD40000-0x00007FF6AD091000-memory.dmp	upx
behavioral2/files/0x000700000002360d-19.dat	upx
behavioral2/memory/3444-30-0x00007FF7E1330000-0x00007FF7E1681000-memory.dmp	upx
behavioral2/memory/2396-44-0x00007FF656AC0000-0x00007FF656E11000-memory.dmp	upx
behavioral2/memory/2448-51-0x00007FF600580000-0x00007FF6008D1000-memory.dmp	upx
behavioral2/memory/2992-58-0x00007FF653C00000-0x00007FF653F51000-memory.dmp	upx
behavioral2/files/0x0007000000023614-67.dat	upx
behavioral2/files/0x0007000000023615-79.dat	upx
behavioral2/files/0x0007000000023617-91.dat	upx
behavioral2/files/0x0007000000023618-92.dat	upx
behavioral2/memory/2316-108-0x00007FF7E4140000-0x00007FF7E4491000-memory.dmp	upx
behavioral2/memory/1412-120-0x00007FF711EA0000-0x00007FF7121F1000-memory.dmp	upx
behavioral2/memory/2888-129-0x00007FF631770000-0x00007FF631AC1000-memory.dmp	upx
behavioral2/memory/2432-128-0x00007FF75A710000-0x00007FF75AA61000-memory.dmp	upx
behavioral2/files/0x000700000002361d-126.dat	upx
behavioral2/files/0x000700000002361c-124.dat	upx
behavioral2/memory/3252-123-0x00007FF651E30000-0x00007FF652181000-memory.dmp	upx
behavioral2/memory/3444-122-0x00007FF7E1330000-0x00007FF7E1681000-memory.dmp	upx
behavioral2/memory/1088-121-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp	upx
behavioral2/memory/5084-119-0x00007FF67D690000-0x00007FF67D9E1000-memory.dmp	upx
behavioral2/files/0x0007000000023619-118.dat	upx
behavioral2/files/0x000700000002361b-116.dat	upx
behavioral2/files/0x000700000002361a-114.dat	upx
behavioral2/memory/1224-107-0x00007FF65B690000-0x00007FF65B9E1000-memory.dmp	upx
behavioral2/files/0x0007000000023616-101.dat	upx
behavioral2/memory/2856-100-0x00007FF608630000-0x00007FF608981000-memory.dmp	upx
behavioral2/memory/2336-90-0x00007FF6F5B70000-0x00007FF6F5EC1000-memory.dmp	upx
behavioral2/memory/3052-78-0x00007FF613790000-0x00007FF613AE1000-memory.dmp	upx
behavioral2/files/0x0008000000023608-74.dat	upx
behavioral2/memory/1276-72-0x00007FF6A1390000-0x00007FF6A16E1000-memory.dmp	upx
behavioral2/files/0x0007000000023613-68.dat	upx
behavioral2/memory/3528-66-0x00007FF624980000-0x00007FF624CD1000-memory.dmp	upx
behavioral2/memory/3620-60-0x00007FF705900000-0x00007FF705C51000-memory.dmp	upx
behavioral2/files/0x0007000000023611-55.dat	upx
behavioral2/files/0x0007000000023610-52.dat	upx
behavioral2/files/0x0007000000023612-63.dat	upx
behavioral2/memory/4852-50-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp	upx
behavioral2/files/0x000700000002360f-37.dat	upx
behavioral2/memory/1912-36-0x00007FF72B270000-0x00007FF72B5C1000-memory.dmp	upx
behavioral2/files/0x000700000002360e-38.dat	upx
behavioral2/memory/4640-28-0x00007FF76A7A0000-0x00007FF76AAF1000-memory.dmp	upx
behavioral2/memory/1412-130-0x00007FF711EA0000-0x00007FF7121F1000-memory.dmp	upx
behavioral2/memory/3556-133-0x00007FF6ACD40000-0x00007FF6AD091000-memory.dmp	upx
behavioral2/memory/2336-145-0x00007FF6F5B70000-0x00007FF6F5EC1000-memory.dmp	upx
behavioral2/memory/1224-148-0x00007FF65B690000-0x00007FF65B9E1000-memory.dmp	upx
behavioral2/memory/5084-151-0x00007FF67D690000-0x00007FF67D9E1000-memory.dmp	upx
behavioral2/memory/2316-150-0x00007FF7E4140000-0x00007FF7E4491000-memory.dmp	upx
behavioral2/memory/2856-147-0x00007FF608630000-0x00007FF608981000-memory.dmp	upx
behavioral2/memory/3052-144-0x00007FF613790000-0x00007FF613AE1000-memory.dmp	upx
behavioral2/memory/1276-143-0x00007FF6A1390000-0x00007FF6A16E1000-memory.dmp	upx
behavioral2/memory/3528-142-0x00007FF624980000-0x00007FF624CD1000-memory.dmp	upx
behavioral2/memory/3620-141-0x00007FF705900000-0x00007FF705C51000-memory.dmp	upx
behavioral2/memory/2992-140-0x00007FF653C00000-0x00007FF653F51000-memory.dmp	upx
behavioral2/memory/4852-138-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp	upx
behavioral2/memory/4640-135-0x00007FF76A7A0000-0x00007FF76AAF1000-memory.dmp	upx
behavioral2/memory/2448-139-0x00007FF600580000-0x00007FF6008D1000-memory.dmp	upx
behavioral2/memory/1412-153-0x00007FF711EA0000-0x00007FF7121F1000-memory.dmp	upx
behavioral2/memory/1088-213-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp	upx
behavioral2/memory/3556-215-0x00007FF6ACD40000-0x00007FF6AD091000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\MNVItnG.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cVGigKC.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AFjMrVA.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\szypwhP.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rmPbsFG.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hkSMGay.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KuBXxRf.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uMeBGhI.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LGRQkbE.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mWYjBiN.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JPsEtFJ.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ejbxVgw.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iPmjxac.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OTzcCWc.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qSxAMKR.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fIdMBzK.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rLdhhwJ.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\swaZJsU.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nkNDTCz.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wFbmWQd.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VuiTGEs.exe	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1088	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1412 wrote to memory of 1088	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1412 wrote to memory of 3556	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1412 wrote to memory of 3556	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1412 wrote to memory of 1912	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1412 wrote to memory of 1912	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1412 wrote to memory of 4640	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1412 wrote to memory of 4640	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1412 wrote to memory of 2396	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1412 wrote to memory of 2396	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1412 wrote to memory of 3444	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1412 wrote to memory of 3444	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1412 wrote to memory of 4852	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1412 wrote to memory of 4852	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1412 wrote to memory of 2448	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1412 wrote to memory of 2448	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1412 wrote to memory of 2992	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1412 wrote to memory of 2992	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1412 wrote to memory of 3620	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1412 wrote to memory of 3620	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1412 wrote to memory of 3528	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1412 wrote to memory of 3528	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1412 wrote to memory of 1276	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1412 wrote to memory of 1276	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1412 wrote to memory of 3052	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1412 wrote to memory of 3052	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1412 wrote to memory of 2336	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1412 wrote to memory of 2336	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1412 wrote to memory of 3252	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1412 wrote to memory of 3252	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1412 wrote to memory of 2856	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1412 wrote to memory of 2856	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1412 wrote to memory of 1224	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1412 wrote to memory of 1224	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1412 wrote to memory of 2432	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1412 wrote to memory of 2432	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1412 wrote to memory of 2316	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 1412 wrote to memory of 2316	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 1412 wrote to memory of 5084	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 1412 wrote to memory of 5084	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 1412 wrote to memory of 2888	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 1412 wrote to memory of 2888	1412	2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_db4726897a27c26ec5c8ecc5abaa32c7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\System\fIdMBzK.exe
  C:\Windows\System\fIdMBzK.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\LGRQkbE.exe
  C:\Windows\System\LGRQkbE.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System\rLdhhwJ.exe
  C:\Windows\System\rLdhhwJ.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\mWYjBiN.exe
  C:\Windows\System\mWYjBiN.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\MNVItnG.exe
  C:\Windows\System\MNVItnG.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\swaZJsU.exe
  C:\Windows\System\swaZJsU.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System\JPsEtFJ.exe
  C:\Windows\System\JPsEtFJ.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\szypwhP.exe
  C:\Windows\System\szypwhP.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\nkNDTCz.exe
  C:\Windows\System\nkNDTCz.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\ejbxVgw.exe
  C:\Windows\System\ejbxVgw.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\iPmjxac.exe
  C:\Windows\System\iPmjxac.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\wFbmWQd.exe
  C:\Windows\System\wFbmWQd.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System\OTzcCWc.exe
  C:\Windows\System\OTzcCWc.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\cVGigKC.exe
  C:\Windows\System\cVGigKC.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\VuiTGEs.exe
  C:\Windows\System\VuiTGEs.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System\uMeBGhI.exe
  C:\Windows\System\uMeBGhI.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\rmPbsFG.exe
  C:\Windows\System\rmPbsFG.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\hkSMGay.exe
  C:\Windows\System\hkSMGay.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\KuBXxRf.exe
  C:\Windows\System\KuBXxRf.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\qSxAMKR.exe
  C:\Windows\System\qSxAMKR.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\AFjMrVA.exe
  C:\Windows\System\AFjMrVA.exe
  2⤵
  - Executes dropped EXE
  PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=1388 /prefetch:8
1⤵
PID:2764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AFjMrVA.exe

Filesize
5.2MB

MD5
c14c9701e42d826fa030a7c76505c026

SHA1
1aea929bcc5e18914f2ed29de44b9368b996dc30

SHA256
e0dc4674c82584fca9f8fd50dcf705db0c7800d4327faae6106eacd2a7a42715

SHA512
8b29144ef781ab0151e4ad01ebac4c0daccebead84718be21603b2d0e01e515b84d5dcff187f55e62fa60de5f37b3288787bdc14c1382154ed88fec961595d1a

Download Submit
C:\Windows\System\JPsEtFJ.exe

Filesize
5.2MB

MD5
36ad4f7c1041f5735d483c4b44aee36d

SHA1
49814b664eaa9ba4166ec515501359e52e02e7b7

SHA256
84b9d8900efcb0e1c19e1038d4d602cdafd9d77e6354c2da2fde71df54bf750f

SHA512
fc999915dcf6af9c7e468d4dcd0dc5b07495d006378af2b2a9f141dd2b55af5e5c902d19a5a24a5f1e458110bc478cc92f9e973543ec38015bca2a2c941eb520

Download Submit
C:\Windows\System\KuBXxRf.exe

Filesize
5.2MB

MD5
f6234b643ce447bbc6cc053098fe526d

SHA1
68e7b76fd7e1935e8872cd49189263ec0240df5b

SHA256
8f245b4ba64bab35557d1febfb56560414ea77efcfd9921915f746492890e17f

SHA512
063d1f20b728be841a047c0f986920a57de198a4d54f4cb660f0652d0890f64acc3f9f81793adf371ddd8b39390aa4fc1dcec4ed5ceb7eac7ee63eec4cdaaa21

Download Submit
C:\Windows\System\LGRQkbE.exe

Filesize
5.2MB

MD5
15a8653f5cac3a7e6e2dbc6c3c961f3a

SHA1
430b5624dbab0aaf58895676553c3a94529f92d5

SHA256
b314358af21200e55f6627276467d682bcf23207391edcc15ba47f5714509348

SHA512
17286c021daa0b47efe005321b68453867b03091db50481544a90f058a9a587895cbb369bf0e0db60ccfc1841aa88966eacec826ec469838eab84dd6d96cbfe7

Download Submit
C:\Windows\System\MNVItnG.exe

Filesize
5.2MB

MD5
fbca24308c6eacc363d66b0b4ca7ea9d

SHA1
349be485d631babb465328cfbc8efa5602ce64b0

SHA256
e9848494aeca8fff50d3fa1a5be66a26d3e39d827ac9fde151422592a642be49

SHA512
b5113be08edea92626f4c583871d689e6a5982e3f01c749155b7308bfb4e7222010dcf658b53be97cadf05238086588e0c92513728d8ec5162bef3b677163f74

Download Submit
C:\Windows\System\OTzcCWc.exe

Filesize
5.2MB

MD5
f71e5903913833d91792ae534a0d4975

SHA1
3a66626c8fb2cd629f92fb494635906c3c5fdb9e

SHA256
d3dc9455cd7992eaf2d85ad66195c403f50bc7544fe163c66625f52e35818f0e

SHA512
5dc62fd4523c768bc49e19fb60410851f0c3ce560d61d2615019493dd7f59c647f5154ef2f3e4bd2fa11bc2b38d909e9f9ce09894557bb7ca0646c0688cf42ef

Download Submit
C:\Windows\System\VuiTGEs.exe

Filesize
5.2MB

MD5
e5f0abcc5043d02e1864d897f633fced

SHA1
983cd131fa26df560bab3aaf6c40518afff7486d

SHA256
28296985bf3e59c236b308d25d2691de5b80e10b1acd67a83ada4a066a47dce6

SHA512
abb6a8c462f16e0324aad861ec32caa7f16e162c5b0037fc4cc81ecb0e17e2b83a5144ed693fe51afd29d3d3762be5f686555bd6c6b654c9a40f0d830ff23ecb

Download Submit
C:\Windows\System\cVGigKC.exe

Filesize
5.2MB

MD5
a744f341267e65862da43951bdc26416

SHA1
d62c3b7c40f25b93b09cd31adace22f33ebef61b

SHA256
248eba4df2b60fc841e723acf2f0fffeb1d8c24fb37c3fe0a3611705f008124f

SHA512
ee3b6b0dd49e6546d3b90385c8d852002cd3ba329c106a292a34174c7127d1755dffffd9da4baa913d429a46a72b49f0e0232b3051b6b0690b8be5738894d686

Download Submit
C:\Windows\System\ejbxVgw.exe

Filesize
5.2MB

MD5
0a68814a8d22dc46f91d5bac2f483965

SHA1
7aa5bf450ca8bd6c61ef4e60c0cb97b79229870a

SHA256
49f4588873372183730e402298f7f030b0004d3fec93fdc344a8e226e3b0abb4

SHA512
bdb9f40b739896ae4a26c682d1d70666a5e67f5bc5653c675c1bc56c1a78be771f66dc16285caeaf5f891874ca1f564844c36cd15a594f490555e16bb31e6e52

Download Submit
C:\Windows\System\fIdMBzK.exe

Filesize
5.2MB

MD5
6ffac54ff5cf36a2fb64d75b579c84ed

SHA1
9af6fb7c2a6fdacef47e151c170f2b85e4ecab79

SHA256
d80ecec410fcab24d0b975575e33d280f306e54c780f2f26eeb770c7fd8facf3

SHA512
4937d3869a92b179d85568de0d282d8455ff14213ac5bebbd3f1852ce5505231c46c7a4cba098d236ba34fc5fb942c2c8be101da515e27c3a5f7d36c07edd38d

Download Submit
C:\Windows\System\hkSMGay.exe

Filesize
5.2MB

MD5
2923781e96384ec507457e1e04a0aa52

SHA1
b3c75702f8be84799ea38eef605ef8887da6e797

SHA256
a5afe35c13a469b05077e1bca3c7632a4e2a4e7a92cf73e791583a0291060ad4

SHA512
04b76039692d5b5c2646f2f8aa03f3ce489e68b6beafa7cf1625cc855cc6d7d7d3e410f3df1e2f2f753a579d9286b49cfe70417ebe474ee3ac075348dca35be3

Download Submit
C:\Windows\System\iPmjxac.exe

Filesize
5.2MB

MD5
cc22a414d948ae735dcb025e58c744c7

SHA1
96ce377fa81f8b02b3a677fe8723014e0d19d185

SHA256
9b5c32ad64e654f097e70f77c2e5378b03fa575af8ac374d2825869de9359dcd

SHA512
bd2c745c6a59e822f83bc3d8eb6bf5529cf7aa7514a5700e6f83431ca76b252eca825f7b6a1185cdb2f0cdca525f6f3b627f4c71a541816176e7e27792d9b6b4

Download Submit
C:\Windows\System\mWYjBiN.exe

Filesize
5.2MB

MD5
27239f3d3cabaa63040e6c79eeabdd12

SHA1
c492479624b3869649a405ecd73faa98c81b2840

SHA256
f9f7a9d33de7b137f04819acbdb754e587f91b6412a419261920c07a7acba4a6

SHA512
332851fa38cdeb782cfa2558418a2bc0e95d62eb6515fba43fe6de6809824a6c0d28e2411847cd6d94168a1d091987949593042f8727a687138d31172c8a281c

Download Submit
C:\Windows\System\nkNDTCz.exe

Filesize
5.2MB

MD5
d39b1f721b8497e6f745d8f6c0e04ce4

SHA1
fcb9dadb4e5c9a30272b7bd4446a7024c6e73240

SHA256
d81a5176a269d85c1565445aa5d20c8b97aa1ded5364130af50c4db88b0fa86f

SHA512
9409ed7ac983d8dc6ea43f5c906c79c3c18e48925ecc6ed1f8a70a418466f545141bb395fe1067db427fdcf3a361e7a1c1fc6590cc379c7105c7094d2675e802

Download Submit
C:\Windows\System\qSxAMKR.exe

Filesize
5.2MB

MD5
e1b0f4e0767acc33e9840bd5231986a3

SHA1
34a2e18089ae321702d27e7305a7b7725f95949a

SHA256
92211f7bcc1f0e3025f8af92a9896a61828014921c845bee2ffa9c8d8629950f

SHA512
b552e602e370e2bac16c10cad5458d65adae6e089d9e7c2faa272257852f92759965aac5fe63ccaedeceba7d29213de1e38895ef995291937084f268889c43ad

Download Submit
C:\Windows\System\rLdhhwJ.exe

Filesize
5.2MB

MD5
cb0f9e3e68d7d85cdd60ff6747b7fe09

SHA1
07d38d48dbb5a875f273b89d520623c97ee48e31

SHA256
1b8dd6f1a735bbf0076e4f7e4c6f5567af642512c86909cfb3cab2f9d944e52f

SHA512
c5caeef90f38a28e66837a6ed04cbbfef9737346393c3042816f64c206d901dbf99fed9c3ce1db9d50618a96e23588a66df3e6873e8432100a2d4a97215fffeb

Download Submit
C:\Windows\System\rmPbsFG.exe

Filesize
5.2MB

MD5
b606039e7244e2ac98c608ea8370bf8e

SHA1
b0d52bbf56a3843ca191d821ab89161722e3e5e3

SHA256
e7daeee770516330b9d2bd4421ea2f9bb0e10474c258e7547927f1e3d56d7a1c

SHA512
b0c0e3cc2a587b3174c802ab3844debb75952648402de430d68149350b61f4d5440ff354e31a1d0be742d6ec6fce2a1a7f831fabec2c3421caa526df7081527a

Download Submit
C:\Windows\System\swaZJsU.exe

Filesize
5.2MB

MD5
a1a51df9fef11d766ef3b11ddb5c10c7

SHA1
2f59575163c4d4cecd303d00d455dc3ed436272e

SHA256
a2bc7eb2ad925cd1580b8c08827ae6e1098eb24bcc20428d3e3c0da7b2ccadc2

SHA512
e8ed65b45751a0d55d4a3e226465e486f0e77c7a60921b0c120c8be7571d1e96c167743cd962e17c5039364020787abbd05c889208b1a5c0c8735ce0d88da6dd

Download Submit
C:\Windows\System\szypwhP.exe

Filesize
5.2MB

MD5
89fd478a697e82362bc0345836802a0e

SHA1
bea0ac14b338b0520f7f7da5025cfaf5c36e435d

SHA256
8a6d3a399f4f813051d98de70b986df4eb1507e7db4775a44fd37238f39777f5

SHA512
90972705381647b5a02a2091531961be385f96c5915d9f0f17ee440d8c378f59e5dfd54298f486970932fe2554406c9eca5997142ea94310300bd1cf5b2eff91

Download Submit
C:\Windows\System\uMeBGhI.exe

Filesize
5.2MB

MD5
17d7ba9bbf7751f866655808881daf37

SHA1
3afa146f11a9fde243262da65993bd7ae83f84fa

SHA256
72f02281129368bb36035c8c18ae3d4f92f885f283214a987b5b55059d525749

SHA512
1830623dcd70a88ce626f2abcf08540e1d8d78de06237b622176ba6abda91106a5aad5089812ac06f9983f7b2f9647ac2cca2d7d8a61e2a939a601b8dc3a75bf

Download Submit
C:\Windows\System\wFbmWQd.exe

Filesize
5.2MB

MD5
e3fd77e7eb676c42e077b8648bcbaf25

SHA1
afd041ba30d685e920c4ad603beebeeef18038ba

SHA256
97cfca14918705a3dffdb8604b352d48eca70909b4fabb1a0672e24f14b83fb7

SHA512
1c3aa662069ecdfa8be1131fe7f4dec1cedaeb09cd70ad849800325e52429dbc650ec41f6d1033c84d9a6b2f90a75f56f4c17f040981ca151a75c7a72bd00ec8

Download Submit
memory/1088-213-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-9-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-121-0x00007FF79C050000-0x00007FF79C3A1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-148-0x00007FF65B690000-0x00007FF65B9E1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-262-0x00007FF65B690000-0x00007FF65B9E1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-107-0x00007FF65B690000-0x00007FF65B9E1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-72-0x00007FF6A1390000-0x00007FF6A16E1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-143-0x00007FF6A1390000-0x00007FF6A16E1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-241-0x00007FF6A1390000-0x00007FF6A16E1000-memory.dmp

Filesize
3.3MB

Download
memory/1412-153-0x00007FF711EA0000-0x00007FF7121F1000-memory.dmp

Filesize
3.3MB

Download
memory/1412-0-0x00007FF711EA0000-0x00007FF7121F1000-memory.dmp

Filesize
3.3MB

Download
memory/1412-120-0x00007FF711EA0000-0x00007FF7121F1000-memory.dmp

Filesize
3.3MB

Download
memory/1412-130-0x00007FF711EA0000-0x00007FF7121F1000-memory.dmp

Filesize
3.3MB

Download
memory/1412-1-0x00000217628C0000-0x00000217628D0000-memory.dmp

Filesize
64KB

Download
memory/1912-217-0x00007FF72B270000-0x00007FF72B5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1912-36-0x00007FF72B270000-0x00007FF72B5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2316-108-0x00007FF7E4140000-0x00007FF7E4491000-memory.dmp

Filesize
3.3MB

Download
memory/2316-150-0x00007FF7E4140000-0x00007FF7E4491000-memory.dmp

Filesize
3.3MB

Download
memory/2316-245-0x00007FF7E4140000-0x00007FF7E4491000-memory.dmp

Filesize
3.3MB

Download
memory/2336-90-0x00007FF6F5B70000-0x00007FF6F5EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-145-0x00007FF6F5B70000-0x00007FF6F5EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-252-0x00007FF6F5B70000-0x00007FF6F5EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-44-0x00007FF656AC0000-0x00007FF656E11000-memory.dmp

Filesize
3.3MB

Download
memory/2396-221-0x00007FF656AC0000-0x00007FF656E11000-memory.dmp

Filesize
3.3MB

Download
memory/2432-128-0x00007FF75A710000-0x00007FF75AA61000-memory.dmp

Filesize
3.3MB

Download
memory/2432-247-0x00007FF75A710000-0x00007FF75AA61000-memory.dmp

Filesize
3.3MB

Download
memory/2448-139-0x00007FF600580000-0x00007FF6008D1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-51-0x00007FF600580000-0x00007FF6008D1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-228-0x00007FF600580000-0x00007FF6008D1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-249-0x00007FF608630000-0x00007FF608981000-memory.dmp

Filesize
3.3MB

Download
memory/2856-100-0x00007FF608630000-0x00007FF608981000-memory.dmp

Filesize
3.3MB

Download
memory/2856-147-0x00007FF608630000-0x00007FF608981000-memory.dmp

Filesize
3.3MB

Download
memory/2888-129-0x00007FF631770000-0x00007FF631AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-256-0x00007FF631770000-0x00007FF631AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-226-0x00007FF653C00000-0x00007FF653F51000-memory.dmp

Filesize
3.3MB

Download
memory/2992-58-0x00007FF653C00000-0x00007FF653F51000-memory.dmp

Filesize
3.3MB

Download
memory/2992-140-0x00007FF653C00000-0x00007FF653F51000-memory.dmp

Filesize
3.3MB

Download
memory/3052-78-0x00007FF613790000-0x00007FF613AE1000-memory.dmp

Filesize
3.3MB

Download
memory/3052-144-0x00007FF613790000-0x00007FF613AE1000-memory.dmp

Filesize
3.3MB

Download
memory/3052-238-0x00007FF613790000-0x00007FF613AE1000-memory.dmp

Filesize
3.3MB

Download
memory/3252-251-0x00007FF651E30000-0x00007FF652181000-memory.dmp

Filesize
3.3MB

Download
memory/3252-123-0x00007FF651E30000-0x00007FF652181000-memory.dmp

Filesize
3.3MB

Download
memory/3444-30-0x00007FF7E1330000-0x00007FF7E1681000-memory.dmp

Filesize
3.3MB

Download
memory/3444-122-0x00007FF7E1330000-0x00007FF7E1681000-memory.dmp

Filesize
3.3MB

Download
memory/3444-220-0x00007FF7E1330000-0x00007FF7E1681000-memory.dmp

Filesize
3.3MB

Download
memory/3528-142-0x00007FF624980000-0x00007FF624CD1000-memory.dmp

Filesize
3.3MB

Download
memory/3528-66-0x00007FF624980000-0x00007FF624CD1000-memory.dmp

Filesize
3.3MB

Download
memory/3528-243-0x00007FF624980000-0x00007FF624CD1000-memory.dmp

Filesize
3.3MB

Download
memory/3556-215-0x00007FF6ACD40000-0x00007FF6AD091000-memory.dmp

Filesize
3.3MB

Download
memory/3556-133-0x00007FF6ACD40000-0x00007FF6AD091000-memory.dmp

Filesize
3.3MB

Download
memory/3556-20-0x00007FF6ACD40000-0x00007FF6AD091000-memory.dmp

Filesize
3.3MB

Download
memory/3620-60-0x00007FF705900000-0x00007FF705C51000-memory.dmp

Filesize
3.3MB

Download
memory/3620-254-0x00007FF705900000-0x00007FF705C51000-memory.dmp

Filesize
3.3MB

Download
memory/3620-141-0x00007FF705900000-0x00007FF705C51000-memory.dmp

Filesize
3.3MB

Download
memory/4640-223-0x00007FF76A7A0000-0x00007FF76AAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-28-0x00007FF76A7A0000-0x00007FF76AAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-135-0x00007FF76A7A0000-0x00007FF76AAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4852-50-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4852-138-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4852-229-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-151-0x00007FF67D690000-0x00007FF67D9E1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-258-0x00007FF67D690000-0x00007FF67D9E1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-119-0x00007FF67D690000-0x00007FF67D9E1000-memory.dmp

Filesize
3.3MB

Download