cobaltstrike | 2f279143f622cf7bdb5d5e8a41c71ff128464eba2102aeb6f0283e518f61a49e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

7123140f22d960fef6b78d163671644b
SHA1

5bf289ecf509847ce798ccbde8119a2ae6e547cf
SHA256

2f279143f622cf7bdb5d5e8a41c71ff128464eba2102aeb6f0283e518f61a49e
SHA512

e1a47a07ebe704fe2977179fde80ae8d580a150381524e25ea7c0d82c5806b3b9c8d0885c01285f81b8da276bebc66d16fa74a910038b29fefcd895f8f1b102b
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l1:RWWBibf56utgpPFotBER/mQ32lUJ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023396-4.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233a2-20.dat	cobalt_reflective_dll
behavioral2/files/0x000c0000000233a9-26.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233a1-23.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002339f-12.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023462-44.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002339b-55.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233ac-52.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233aa-38.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001db75-59.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001db76-68.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e6a5-80.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001db77-75.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e6a7-88.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023465-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-120.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-130.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2408-41-0x00007FF792FE0000-0x00007FF793331000-memory.dmp	xmrig
behavioral2/memory/4136-66-0x00007FF750280000-0x00007FF7505D1000-memory.dmp	xmrig
behavioral2/memory/3564-65-0x00007FF6ECB90000-0x00007FF6ECEE1000-memory.dmp	xmrig
behavioral2/memory/2856-70-0x00007FF71CEF0000-0x00007FF71D241000-memory.dmp	xmrig
behavioral2/memory/4124-74-0x00007FF76C7A0000-0x00007FF76CAF1000-memory.dmp	xmrig
behavioral2/memory/4560-82-0x00007FF639700000-0x00007FF639A51000-memory.dmp	xmrig
behavioral2/memory/3152-84-0x00007FF7CC6D0000-0x00007FF7CCA21000-memory.dmp	xmrig
behavioral2/memory/4200-85-0x00007FF7FF4C0000-0x00007FF7FF811000-memory.dmp	xmrig
behavioral2/memory/4932-79-0x00007FF733970000-0x00007FF733CC1000-memory.dmp	xmrig
behavioral2/memory/2728-89-0x00007FF6440C0000-0x00007FF644411000-memory.dmp	xmrig
behavioral2/memory/4976-98-0x00007FF62D410000-0x00007FF62D761000-memory.dmp	xmrig
behavioral2/memory/5060-99-0x00007FF666240000-0x00007FF666591000-memory.dmp	xmrig
behavioral2/memory/5068-106-0x00007FF786510000-0x00007FF786861000-memory.dmp	xmrig
behavioral2/memory/1228-104-0x00007FF611240000-0x00007FF611591000-memory.dmp	xmrig
behavioral2/memory/4068-110-0x00007FF7B7AD0000-0x00007FF7B7E21000-memory.dmp	xmrig
behavioral2/memory/844-115-0x00007FF779880000-0x00007FF779BD1000-memory.dmp	xmrig
behavioral2/memory/4752-123-0x00007FF6998F0000-0x00007FF699C41000-memory.dmp	xmrig
behavioral2/memory/4136-138-0x00007FF750280000-0x00007FF7505D1000-memory.dmp	xmrig
behavioral2/memory/4876-151-0x00007FF7CE9E0000-0x00007FF7CED31000-memory.dmp	xmrig
behavioral2/memory/1076-155-0x00007FF711DF0000-0x00007FF712141000-memory.dmp	xmrig
behavioral2/memory/1540-158-0x00007FF69C960000-0x00007FF69CCB1000-memory.dmp	xmrig
behavioral2/memory/1628-162-0x00007FF6FB360000-0x00007FF6FB6B1000-memory.dmp	xmrig
behavioral2/memory/3060-163-0x00007FF6E0A70000-0x00007FF6E0DC1000-memory.dmp	xmrig
behavioral2/memory/4136-164-0x00007FF750280000-0x00007FF7505D1000-memory.dmp	xmrig
behavioral2/memory/2856-212-0x00007FF71CEF0000-0x00007FF71D241000-memory.dmp	xmrig
behavioral2/memory/4124-223-0x00007FF76C7A0000-0x00007FF76CAF1000-memory.dmp	xmrig
behavioral2/memory/4932-225-0x00007FF733970000-0x00007FF733CC1000-memory.dmp	xmrig
behavioral2/memory/2728-228-0x00007FF6440C0000-0x00007FF644411000-memory.dmp	xmrig
behavioral2/memory/3152-229-0x00007FF7CC6D0000-0x00007FF7CCA21000-memory.dmp	xmrig
behavioral2/memory/2408-231-0x00007FF792FE0000-0x00007FF793331000-memory.dmp	xmrig
behavioral2/memory/4976-235-0x00007FF62D410000-0x00007FF62D761000-memory.dmp	xmrig
behavioral2/memory/1228-234-0x00007FF611240000-0x00007FF611591000-memory.dmp	xmrig
behavioral2/memory/4752-238-0x00007FF6998F0000-0x00007FF699C41000-memory.dmp	xmrig
behavioral2/memory/5068-240-0x00007FF786510000-0x00007FF786861000-memory.dmp	xmrig
behavioral2/memory/3564-242-0x00007FF6ECB90000-0x00007FF6ECEE1000-memory.dmp	xmrig
behavioral2/memory/4560-246-0x00007FF639700000-0x00007FF639A51000-memory.dmp	xmrig
behavioral2/memory/4200-248-0x00007FF7FF4C0000-0x00007FF7FF811000-memory.dmp	xmrig
behavioral2/memory/4876-252-0x00007FF7CE9E0000-0x00007FF7CED31000-memory.dmp	xmrig
behavioral2/memory/5060-254-0x00007FF666240000-0x00007FF666591000-memory.dmp	xmrig
behavioral2/memory/4068-261-0x00007FF7B7AD0000-0x00007FF7B7E21000-memory.dmp	xmrig
behavioral2/memory/844-263-0x00007FF779880000-0x00007FF779BD1000-memory.dmp	xmrig
behavioral2/memory/1076-265-0x00007FF711DF0000-0x00007FF712141000-memory.dmp	xmrig
behavioral2/memory/1540-267-0x00007FF69C960000-0x00007FF69CCB1000-memory.dmp	xmrig
behavioral2/memory/3060-269-0x00007FF6E0A70000-0x00007FF6E0DC1000-memory.dmp	xmrig
behavioral2/memory/1628-271-0x00007FF6FB360000-0x00007FF6FB6B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2856	fTKacBc.exe
4124	LzsqqvX.exe
4932	XdScmtq.exe
3152	MJGQCHM.exe
2728	PnLyYRE.exe
2408	NsebqEu.exe
1228	fLVufpC.exe
4976	KjrQAYa.exe
5068	ewaught.exe
3564	pkfsCoU.exe
4752	zGnYNis.exe
4560	NzAOeAJ.exe
4200	VZInsZH.exe
4876	MJMJqKl.exe
5060	DVcATeR.exe
4068	gTGEYRc.exe
844	yNuTFiy.exe
1076	JmfyXBP.exe
1540	xIevWqp.exe
3060	TxlIFce.exe
1628	uCXqRgC.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4136-0-0x00007FF750280000-0x00007FF7505D1000-memory.dmp	upx
behavioral2/files/0x000a000000023396-4.dat	upx
behavioral2/memory/2856-8-0x00007FF71CEF0000-0x00007FF71D241000-memory.dmp	upx
behavioral2/files/0x00080000000233a2-20.dat	upx
behavioral2/files/0x000c0000000233a9-26.dat	upx
behavioral2/memory/3152-27-0x00007FF7CC6D0000-0x00007FF7CCA21000-memory.dmp	upx
behavioral2/memory/2728-28-0x00007FF6440C0000-0x00007FF644411000-memory.dmp	upx
behavioral2/memory/4932-24-0x00007FF733970000-0x00007FF733CC1000-memory.dmp	upx
behavioral2/files/0x00080000000233a1-23.dat	upx
behavioral2/memory/4124-16-0x00007FF76C7A0000-0x00007FF76CAF1000-memory.dmp	upx
behavioral2/files/0x000800000002339f-12.dat	upx
behavioral2/files/0x0009000000023462-44.dat	upx
behavioral2/memory/4976-49-0x00007FF62D410000-0x00007FF62D761000-memory.dmp	upx
behavioral2/files/0x000900000002339b-55.dat	upx
behavioral2/files/0x00080000000233ac-52.dat	upx
behavioral2/memory/1228-45-0x00007FF611240000-0x00007FF611591000-memory.dmp	upx
behavioral2/memory/2408-41-0x00007FF792FE0000-0x00007FF793331000-memory.dmp	upx
behavioral2/files/0x00080000000233aa-38.dat	upx
behavioral2/files/0x000400000001db75-59.dat	upx
behavioral2/memory/5068-63-0x00007FF786510000-0x00007FF786861000-memory.dmp	upx
behavioral2/memory/4136-66-0x00007FF750280000-0x00007FF7505D1000-memory.dmp	upx
behavioral2/files/0x000400000001db76-68.dat	upx
behavioral2/memory/4752-67-0x00007FF6998F0000-0x00007FF699C41000-memory.dmp	upx
behavioral2/memory/3564-65-0x00007FF6ECB90000-0x00007FF6ECEE1000-memory.dmp	upx
behavioral2/memory/2856-70-0x00007FF71CEF0000-0x00007FF71D241000-memory.dmp	upx
behavioral2/memory/4124-74-0x00007FF76C7A0000-0x00007FF76CAF1000-memory.dmp	upx
behavioral2/files/0x000200000001e6a5-80.dat	upx
behavioral2/memory/4560-82-0x00007FF639700000-0x00007FF639A51000-memory.dmp	upx
behavioral2/memory/3152-84-0x00007FF7CC6D0000-0x00007FF7CCA21000-memory.dmp	upx
behavioral2/memory/4200-85-0x00007FF7FF4C0000-0x00007FF7FF811000-memory.dmp	upx
behavioral2/memory/4932-79-0x00007FF733970000-0x00007FF733CC1000-memory.dmp	upx
behavioral2/files/0x000400000001db77-75.dat	upx
behavioral2/files/0x000200000001e6a7-88.dat	upx
behavioral2/memory/4876-91-0x00007FF7CE9E0000-0x00007FF7CED31000-memory.dmp	upx
behavioral2/memory/2728-89-0x00007FF6440C0000-0x00007FF644411000-memory.dmp	upx
behavioral2/files/0x0008000000023465-95.dat	upx
behavioral2/memory/4976-98-0x00007FF62D410000-0x00007FF62D761000-memory.dmp	upx
behavioral2/memory/5060-99-0x00007FF666240000-0x00007FF666591000-memory.dmp	upx
behavioral2/files/0x0007000000023466-102.dat	upx
behavioral2/files/0x0007000000023467-108.dat	upx
behavioral2/memory/5068-106-0x00007FF786510000-0x00007FF786861000-memory.dmp	upx
behavioral2/memory/1228-104-0x00007FF611240000-0x00007FF611591000-memory.dmp	upx
behavioral2/memory/4068-110-0x00007FF7B7AD0000-0x00007FF7B7E21000-memory.dmp	upx
behavioral2/memory/844-115-0x00007FF779880000-0x00007FF779BD1000-memory.dmp	upx
behavioral2/files/0x0007000000023468-116.dat	upx
behavioral2/memory/1076-117-0x00007FF711DF0000-0x00007FF712141000-memory.dmp	upx
behavioral2/files/0x0007000000023469-120.dat	upx
behavioral2/memory/1540-124-0x00007FF69C960000-0x00007FF69CCB1000-memory.dmp	upx
behavioral2/files/0x000700000002346a-130.dat	upx
behavioral2/files/0x000700000002346b-134.dat	upx
behavioral2/memory/1628-135-0x00007FF6FB360000-0x00007FF6FB6B1000-memory.dmp	upx
behavioral2/memory/3060-132-0x00007FF6E0A70000-0x00007FF6E0DC1000-memory.dmp	upx
behavioral2/memory/4752-123-0x00007FF6998F0000-0x00007FF699C41000-memory.dmp	upx
behavioral2/memory/4136-138-0x00007FF750280000-0x00007FF7505D1000-memory.dmp	upx
behavioral2/memory/4876-151-0x00007FF7CE9E0000-0x00007FF7CED31000-memory.dmp	upx
behavioral2/memory/1076-155-0x00007FF711DF0000-0x00007FF712141000-memory.dmp	upx
behavioral2/memory/1540-158-0x00007FF69C960000-0x00007FF69CCB1000-memory.dmp	upx
behavioral2/memory/1628-162-0x00007FF6FB360000-0x00007FF6FB6B1000-memory.dmp	upx
behavioral2/memory/3060-163-0x00007FF6E0A70000-0x00007FF6E0DC1000-memory.dmp	upx
behavioral2/memory/4136-164-0x00007FF750280000-0x00007FF7505D1000-memory.dmp	upx
behavioral2/memory/2856-212-0x00007FF71CEF0000-0x00007FF71D241000-memory.dmp	upx
behavioral2/memory/4124-223-0x00007FF76C7A0000-0x00007FF76CAF1000-memory.dmp	upx
behavioral2/memory/4932-225-0x00007FF733970000-0x00007FF733CC1000-memory.dmp	upx
behavioral2/memory/2728-228-0x00007FF6440C0000-0x00007FF644411000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\pkfsCoU.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KjrQAYa.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XdScmtq.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PnLyYRE.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VZInsZH.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MJMJqKl.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yNuTFiy.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JmfyXBP.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fTKacBc.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fLVufpC.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NzAOeAJ.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gTGEYRc.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uCXqRgC.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MJGQCHM.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NsebqEu.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ewaught.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zGnYNis.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DVcATeR.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xIevWqp.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TxlIFce.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LzsqqvX.exe	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 2856	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4136 wrote to memory of 2856	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4136 wrote to memory of 4124	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4136 wrote to memory of 4124	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4136 wrote to memory of 4932	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4136 wrote to memory of 4932	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4136 wrote to memory of 3152	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4136 wrote to memory of 3152	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4136 wrote to memory of 2728	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4136 wrote to memory of 2728	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4136 wrote to memory of 2408	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4136 wrote to memory of 2408	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4136 wrote to memory of 1228	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4136 wrote to memory of 1228	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4136 wrote to memory of 4976	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4136 wrote to memory of 4976	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4136 wrote to memory of 5068	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4136 wrote to memory of 5068	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4136 wrote to memory of 3564	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4136 wrote to memory of 3564	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4136 wrote to memory of 4752	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4136 wrote to memory of 4752	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4136 wrote to memory of 4560	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4136 wrote to memory of 4560	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4136 wrote to memory of 4200	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4136 wrote to memory of 4200	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4136 wrote to memory of 4876	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4136 wrote to memory of 4876	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4136 wrote to memory of 5060	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4136 wrote to memory of 5060	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4136 wrote to memory of 4068	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4136 wrote to memory of 4068	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4136 wrote to memory of 844	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4136 wrote to memory of 844	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4136 wrote to memory of 1076	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4136 wrote to memory of 1076	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4136 wrote to memory of 1540	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4136 wrote to memory of 1540	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4136 wrote to memory of 3060	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4136 wrote to memory of 3060	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4136 wrote to memory of 1628	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4136 wrote to memory of 1628	4136	2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_7123140f22d960fef6b78d163671644b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\System\fTKacBc.exe
  C:\Windows\System\fTKacBc.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\LzsqqvX.exe
  C:\Windows\System\LzsqqvX.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System\XdScmtq.exe
  C:\Windows\System\XdScmtq.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\MJGQCHM.exe
  C:\Windows\System\MJGQCHM.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\PnLyYRE.exe
  C:\Windows\System\PnLyYRE.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\NsebqEu.exe
  C:\Windows\System\NsebqEu.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\fLVufpC.exe
  C:\Windows\System\fLVufpC.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\KjrQAYa.exe
  C:\Windows\System\KjrQAYa.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\ewaught.exe
  C:\Windows\System\ewaught.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\pkfsCoU.exe
  C:\Windows\System\pkfsCoU.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\zGnYNis.exe
  C:\Windows\System\zGnYNis.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\NzAOeAJ.exe
  C:\Windows\System\NzAOeAJ.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System\VZInsZH.exe
  C:\Windows\System\VZInsZH.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\MJMJqKl.exe
  C:\Windows\System\MJMJqKl.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\DVcATeR.exe
  C:\Windows\System\DVcATeR.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\gTGEYRc.exe
  C:\Windows\System\gTGEYRc.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\yNuTFiy.exe
  C:\Windows\System\yNuTFiy.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System\JmfyXBP.exe
  C:\Windows\System\JmfyXBP.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System\xIevWqp.exe
  C:\Windows\System\xIevWqp.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\TxlIFce.exe
  C:\Windows\System\TxlIFce.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\uCXqRgC.exe
  C:\Windows\System\uCXqRgC.exe
  2⤵
  - Executes dropped EXE
  PID:1628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DVcATeR.exe

Filesize
5.2MB

MD5
c0c49fedba774b245e0c96bf3a2bb66c

SHA1
97bad7385730a91702e3c133e1307a019b03cd06

SHA256
5416d5f5731b92a04bb49b8f5806d94e9f2e17aa409e3e03374c0801af1257c1

SHA512
6196812a8f236fa7babb09ec622ae4a348bdfd2bf2eb03ecb077ac90b4832c998a35df8c19259310598fbffca642f2a810ac55b8c3e6bf98a7c526a62b05aeb0

Download Submit
C:\Windows\System\JmfyXBP.exe

Filesize
5.2MB

MD5
f6ebac49c1e605a1686c131657482164

SHA1
8c8bc874635180f423c88e6c52fd7ebb994a1d4d

SHA256
4f5a1e9ef9d4f23fea75663002cb6734f349b1a0abba669ee40536a0034040ec

SHA512
f104e05878baa26f490465ec9a9ec53f2a8f3d71ab76cb530604d2fa2ede745ca1830d58d61b93b58337a822d925fedc6104c5cb2be93a4eeec090c0d8a34a18

Download Submit
C:\Windows\System\KjrQAYa.exe

Filesize
5.2MB

MD5
ff06470a4a4086a3febbaa60b890c689

SHA1
d4b2aa373c3bce9f3b9ce702052bfdde2a53dcc3

SHA256
33996860915b406b512c226288e4f17a6d525e5e6fc3c516b8d0422fc4fbd559

SHA512
e284a035b9a2e4c60ae55d8bb9c07f08a9445d83bb1ae05bc5159d4641ccf1266eed4ad3cccca6273d717517cab86b4cee5cbc96d2154e9c2e6d4f38ee13afcf

Download Submit
C:\Windows\System\LzsqqvX.exe

Filesize
5.2MB

MD5
a209acca57e5aabd06f63e51de1cfab1

SHA1
a74b74fed9dbf24e47bf61eb5319c560823cb278

SHA256
916773482c320f4c094c49da13c222c9c45728e8d7bc98564b1ebfd7ca47d0d3

SHA512
98188c500491408ee34b4600718685a00c1a8e2f57c3e19ec6d44e005b77ec36700b9ea5a3087d200a48e8c311c0326e971ce0554486990c09ff06b9a2b1db01

Download Submit
C:\Windows\System\MJGQCHM.exe

Filesize
5.2MB

MD5
236df6a00c6102b267188becb3058fd6

SHA1
17958a474b45790d571aa2ddf1d2882eaaf6acac

SHA256
ca2dace1324cfb9bf05d562852284ca85ab17d65e5036f1e2bcef10db8527250

SHA512
61460974c765890e810d602e29e646e6376d52c51b62c31ff8d292f4c69ce646dc44f5b0cf9eb6cb84529f1f0148b06e5368797c1dc7df3d475f7392bad2ac89

Download Submit
C:\Windows\System\MJMJqKl.exe

Filesize
5.2MB

MD5
f91cf7d92e1e46ea4dbae865ae5e15d7

SHA1
2697643f852aa3adcb9100d0b6832617c78e26d3

SHA256
c4b8199ea78e3da52485473c76c9bb946e7b09d49337b0aa0d4534844f03f61d

SHA512
ce7bfc1d3b568786fdba6cb6e001e1fd41f0b739639b9237702a5373c8e8571145ede2438baf5fcd7eea1f5cc77438db577be5124cefaf948ee3b2c218c512cd

Download Submit
C:\Windows\System\NsebqEu.exe

Filesize
5.2MB

MD5
5d808d33db5a20bafd3e08e684b180d1

SHA1
d2accda11e7381394417fb0a02456712eeb996a7

SHA256
8d81b9e4fa9f5bc915eb2c46242cbc539fae7a5b725a5880f59d91d582455142

SHA512
297f6512a8ab8990c48830efe925bf9da16060b8ac2799918b313743e27629ccfb67c306b79d144de1cbf72dc3c14cfd31034c8068444db731f3829b67297f99

Download Submit
C:\Windows\System\NzAOeAJ.exe

Filesize
5.2MB

MD5
344876d3e540080e371926ddf9757716

SHA1
ec38d8586a1d60d7b739854bac25e3ac68c80ff6

SHA256
ad078d299d395a71e21c4066b7142f9e28af0cc2a7cc6d94b4089429d9e47612

SHA512
26333ff718ea6e933e3710fb1bc5a247ed8570cb44a64b3f9ac292d9c2b827a57af5c5edcd4e48684caf7b75bfff5a992ea92dc3b91ff9bfac4e275a55681c55

Download Submit
C:\Windows\System\PnLyYRE.exe

Filesize
5.2MB

MD5
378c82c182694237a53a6015e1cea36d

SHA1
6f4402120a29a01927790a8bd3c8408992f1415a

SHA256
36634f0f0a5c6c6fa7788f58864ee61e847ba8cac4f13edb7016000915047e9b

SHA512
3b6c6319eed760d8da65799e01ec376cf6060ce5613618e64847ca28a79e1f04f3ab5ed407bd0b0f67570edd2ce5b13f629fd610332c0a65c2744db12840e2f2

Download Submit
C:\Windows\System\TxlIFce.exe

Filesize
5.2MB

MD5
72c3f0845831f25d71050151cde3dfc6

SHA1
08db421aec7b48ae84fad1702c423e02886d0c5c

SHA256
4034e8d785b24379125f862025c50e738c266cd80e674e234f7076110977c174

SHA512
50ad44279c8eaef4d2cffe626c2610970acea79d1d2cf65f99639f28cab863ee674b22c6d819ba65d34b058fb10d26b714c5f4be0fd4648a4e3b1976b38fa499

Download Submit
C:\Windows\System\VZInsZH.exe

Filesize
5.2MB

MD5
3f648bb437ef741041e6720bd6279f8f

SHA1
1d03e1ad816044d690d3400a4378aca949ea23be

SHA256
0ce5b57e6dd705124ac1a55b158e153c3550133a46a6f261763c8277aaa6cf8d

SHA512
7385b228a1dda501eed14d641f299054acb65ee8d4fb7395cd30a32d3a452a805d26e6052c39fbbcc908f7b094e0e9facadd11716864c8667ef45fbfea6a30fd

Download Submit
C:\Windows\System\XdScmtq.exe

Filesize
5.2MB

MD5
55abbb1a378c0f8151959f99d592e8ca

SHA1
8846ef9cdf3a1bc4c0b6b1e70684950a7709f25f

SHA256
a0812156e3caf1f47032accd175d73ba472e68d11614f0426eb3d81f09eb87b8

SHA512
3a2df9c94f8c79f22b102cbadd2898f1cf0b35907632a74519217fc68fcb1f62a87d7ed004f75a70dcfc0f44a69ec8539a3dd39d9be7a88eee53d89b18e83a7f

Download Submit
C:\Windows\System\ewaught.exe

Filesize
5.2MB

MD5
5c6b20231cd875ec9a5a6632ec655683

SHA1
0f5bb5131fa69eca22c60029065a725bdd23ba59

SHA256
d2ac177661ac9e9b6317ede4006d5f1f762f2c3df2a3efcba1c2074fb1486ec2

SHA512
a0162a1c5650bccdfbc9fc5345615a848e60e6a8ff08e6c02439a724b3d069c93386585a4997b7b4521f5f28f294f25b3a594e79db94536a8ecbcac4d0d37669

Download Submit
C:\Windows\System\fLVufpC.exe

Filesize
5.2MB

MD5
32c23273da57349629872b6c6d5a4e04

SHA1
968e9500eb0d32c66d1a104eccc8f44a3479e5c4

SHA256
fbbe47e9638cbac11b78295a2eda107e59f93e66f2bcc550c3cef476494f18d1

SHA512
96a49e4791f28ee6b5abf04634b97aecb05c52da73d8eb607307262a01600982c7ee9b7351b1811fb8426b11af999b199c9edf208a703191e7c9e180d4bb42b6

Download Submit
C:\Windows\System\fTKacBc.exe

Filesize
5.2MB

MD5
0a320cee9fc0ba78729614b4bf2f145e

SHA1
68ffa3fabc9caa9877e79c4e3d72342b54172f3e

SHA256
8ccdd4bd83a010ef78203e657d4918f2e8bc7c5bd582367f0609188e34e392af

SHA512
0c6925844496bf29d2f0360819469013102be949af088bfb63e6abde147ec338f4480e4a72ce75c69aab6b0edb631d1df3d7657d829d0b4ced1ff095d3cb1cc4

Download Submit
C:\Windows\System\gTGEYRc.exe

Filesize
5.2MB

MD5
0f56f8a009e6e409d3f43d3fe3ab3fc8

SHA1
6d3f02739d11492b7d287711942f1271ed1a00e8

SHA256
f8b0f0ceabcec52e5d31cae0e2ed58d88f2dacef80a6ad604a0374a54febec35

SHA512
34535b6a1fc1643c1f63ac89856f0dd9b0315e03fa35e6ab9fc047d7e5fe0bc53fd94bf9931e3d7de6937d6a7ef3090c6e599d621613bdcab2a538ba22b4a852

Download Submit
C:\Windows\System\pkfsCoU.exe

Filesize
5.2MB

MD5
90fa42e573fa17503cbb6b5696969eb6

SHA1
09f334b96ca845f164cf0a7ac18e841c90671736

SHA256
6d148f1952fc06f8114f4de39334b0579ee2db49336c3cded854b235300a1971

SHA512
0637bf2bf55748a45fe2dce153e158c2c73a0ccfd69a1666c16203e31adff3eb8234deb95ed8cd68f55c2718e1df853c0210feec910cab30b578b78eea36a703

Download Submit
C:\Windows\System\uCXqRgC.exe

Filesize
5.2MB

MD5
a7ed2ca19740d34d577af61c565a2aa2

SHA1
96c45cea589e6ba81218aa82ae14a8cea42ed2bc

SHA256
b70eff68671e00e135fe8cd0d604669c8800109049984c1531d7a71e3ab587da

SHA512
066c849b0225aa616a18a1a638649585f7018b188ad503e3647bfe3a700fc6f3a432ae76cb5f0f9894e22f37f3c700ad78f13b70f8ab61f5e79017247fb4c4f1

Download Submit
C:\Windows\System\xIevWqp.exe

Filesize
5.2MB

MD5
b84850dc526cb3f76d29162da801085b

SHA1
b205b9010cdcfc456111ff86d10a26c116c167dc

SHA256
e5ecc53779e334bd98c2de0caa7745f6fc518ea52eefc82d62eb79e23e971ead

SHA512
046a55293a823f8f25ec7816a1657be7bfe392c92ad8ee3a0aa96bbfabeed76144d3b11547df0011b278634bee454a7f435264a8550920e2c38f1d362776e312

Download Submit
C:\Windows\System\yNuTFiy.exe

Filesize
5.2MB

MD5
87fe4fe26a56221b10a61b5f3b23d42e

SHA1
bac66ac9aa446c63edde6bd37b889045366daf6c

SHA256
12089fd46f47318691f179cd6a52ff6a5af3a880130ee86484c8d4c1dbe0b0b5

SHA512
8f42f1f4417050f0de7ad522ec175ff959fee8fc51f7c30b722de84b71d7554c5fe6cdebca289ea7ea605711392947be0b7dba6e04271bdf059bf1191fe4d262

Download Submit
C:\Windows\System\zGnYNis.exe

Filesize
5.2MB

MD5
c2e3e492d63c800247970b4424ecc4e2

SHA1
dd512ff114939742410552889590b5d121fe9931

SHA256
49255714548afc4895527f654127fd154d9d1c4eb524404420b56204313b002d

SHA512
30078a1f9b41b1a2cd7502f26f1803b095c1064c82a3edf05ad9a14cf3af8e06a098b0545d9b788baf1193c4fd58f37520f373fb92cd6b3c5bc7c6dd0507daf0

Download Submit
memory/844-263-0x00007FF779880000-0x00007FF779BD1000-memory.dmp

Filesize
3.3MB

Download
memory/844-115-0x00007FF779880000-0x00007FF779BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1076-155-0x00007FF711DF0000-0x00007FF712141000-memory.dmp

Filesize
3.3MB

Download
memory/1076-265-0x00007FF711DF0000-0x00007FF712141000-memory.dmp

Filesize
3.3MB

Download
memory/1076-117-0x00007FF711DF0000-0x00007FF712141000-memory.dmp

Filesize
3.3MB

Download
memory/1228-45-0x00007FF611240000-0x00007FF611591000-memory.dmp

Filesize
3.3MB

Download
memory/1228-234-0x00007FF611240000-0x00007FF611591000-memory.dmp

Filesize
3.3MB

Download
memory/1228-104-0x00007FF611240000-0x00007FF611591000-memory.dmp

Filesize
3.3MB

Download
memory/1540-267-0x00007FF69C960000-0x00007FF69CCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-158-0x00007FF69C960000-0x00007FF69CCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-124-0x00007FF69C960000-0x00007FF69CCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1628-135-0x00007FF6FB360000-0x00007FF6FB6B1000-memory.dmp

Filesize
3.3MB

Download
memory/1628-271-0x00007FF6FB360000-0x00007FF6FB6B1000-memory.dmp

Filesize
3.3MB

Download
memory/1628-162-0x00007FF6FB360000-0x00007FF6FB6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2408-231-0x00007FF792FE0000-0x00007FF793331000-memory.dmp

Filesize
3.3MB

Download
memory/2408-41-0x00007FF792FE0000-0x00007FF793331000-memory.dmp

Filesize
3.3MB

Download
memory/2728-89-0x00007FF6440C0000-0x00007FF644411000-memory.dmp

Filesize
3.3MB

Download
memory/2728-28-0x00007FF6440C0000-0x00007FF644411000-memory.dmp

Filesize
3.3MB

Download
memory/2728-228-0x00007FF6440C0000-0x00007FF644411000-memory.dmp

Filesize
3.3MB

Download
memory/2856-8-0x00007FF71CEF0000-0x00007FF71D241000-memory.dmp

Filesize
3.3MB

Download
memory/2856-70-0x00007FF71CEF0000-0x00007FF71D241000-memory.dmp

Filesize
3.3MB

Download
memory/2856-212-0x00007FF71CEF0000-0x00007FF71D241000-memory.dmp

Filesize
3.3MB

Download
memory/3060-163-0x00007FF6E0A70000-0x00007FF6E0DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-269-0x00007FF6E0A70000-0x00007FF6E0DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-132-0x00007FF6E0A70000-0x00007FF6E0DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3152-27-0x00007FF7CC6D0000-0x00007FF7CCA21000-memory.dmp

Filesize
3.3MB

Download
memory/3152-229-0x00007FF7CC6D0000-0x00007FF7CCA21000-memory.dmp

Filesize
3.3MB

Download
memory/3152-84-0x00007FF7CC6D0000-0x00007FF7CCA21000-memory.dmp

Filesize
3.3MB

Download
memory/3564-65-0x00007FF6ECB90000-0x00007FF6ECEE1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-242-0x00007FF6ECB90000-0x00007FF6ECEE1000-memory.dmp

Filesize
3.3MB

Download
memory/4068-261-0x00007FF7B7AD0000-0x00007FF7B7E21000-memory.dmp

Filesize
3.3MB

Download
memory/4068-110-0x00007FF7B7AD0000-0x00007FF7B7E21000-memory.dmp

Filesize
3.3MB

Download
memory/4124-223-0x00007FF76C7A0000-0x00007FF76CAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4124-74-0x00007FF76C7A0000-0x00007FF76CAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4124-16-0x00007FF76C7A0000-0x00007FF76CAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4136-66-0x00007FF750280000-0x00007FF7505D1000-memory.dmp

Filesize
3.3MB

Download
memory/4136-1-0x0000024FA7E60000-0x0000024FA7E70000-memory.dmp

Filesize
64KB

Download
memory/4136-0-0x00007FF750280000-0x00007FF7505D1000-memory.dmp

Filesize
3.3MB

Download
memory/4136-164-0x00007FF750280000-0x00007FF7505D1000-memory.dmp

Filesize
3.3MB

Download
memory/4136-138-0x00007FF750280000-0x00007FF7505D1000-memory.dmp

Filesize
3.3MB

Download
memory/4200-248-0x00007FF7FF4C0000-0x00007FF7FF811000-memory.dmp

Filesize
3.3MB

Download
memory/4200-85-0x00007FF7FF4C0000-0x00007FF7FF811000-memory.dmp

Filesize
3.3MB

Download
memory/4560-246-0x00007FF639700000-0x00007FF639A51000-memory.dmp

Filesize
3.3MB

Download
memory/4560-82-0x00007FF639700000-0x00007FF639A51000-memory.dmp

Filesize
3.3MB

Download
memory/4752-238-0x00007FF6998F0000-0x00007FF699C41000-memory.dmp

Filesize
3.3MB

Download
memory/4752-67-0x00007FF6998F0000-0x00007FF699C41000-memory.dmp

Filesize
3.3MB

Download
memory/4752-123-0x00007FF6998F0000-0x00007FF699C41000-memory.dmp

Filesize
3.3MB

Download
memory/4876-252-0x00007FF7CE9E0000-0x00007FF7CED31000-memory.dmp

Filesize
3.3MB

Download
memory/4876-151-0x00007FF7CE9E0000-0x00007FF7CED31000-memory.dmp

Filesize
3.3MB

Download
memory/4876-91-0x00007FF7CE9E0000-0x00007FF7CED31000-memory.dmp

Filesize
3.3MB

Download
memory/4932-79-0x00007FF733970000-0x00007FF733CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4932-24-0x00007FF733970000-0x00007FF733CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4932-225-0x00007FF733970000-0x00007FF733CC1000-memory.dmp

Filesize
3.3MB

Download
memory/4976-49-0x00007FF62D410000-0x00007FF62D761000-memory.dmp

Filesize
3.3MB

Download
memory/4976-98-0x00007FF62D410000-0x00007FF62D761000-memory.dmp

Filesize
3.3MB

Download
memory/4976-235-0x00007FF62D410000-0x00007FF62D761000-memory.dmp

Filesize
3.3MB

Download
memory/5060-254-0x00007FF666240000-0x00007FF666591000-memory.dmp

Filesize
3.3MB

Download
memory/5060-99-0x00007FF666240000-0x00007FF666591000-memory.dmp

Filesize
3.3MB

Download
memory/5068-240-0x00007FF786510000-0x00007FF786861000-memory.dmp

Filesize
3.3MB

Download
memory/5068-106-0x00007FF786510000-0x00007FF786861000-memory.dmp

Filesize
3.3MB

Download
memory/5068-63-0x00007FF786510000-0x00007FF786861000-memory.dmp

Filesize
3.3MB

Download