cobaltstrike | 3d8fdf94494b556fe48ff4bbf20a60c2d3cd148794dbccfb24003d490fb25392

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d4de50b4feb9105554913ec3e8189bb2
SHA1

20eea061a11ba30ec85ba5a211fcce739d0a6155
SHA256

3d8fdf94494b556fe48ff4bbf20a60c2d3cd148794dbccfb24003d490fb25392
SHA512

db472f0b3b5f32afbdb3676800ffcee7869754110bbb72e83f2353d6d2003cfb288ea44b589bbdb57ac9781dde9e28349d2f4e405978a4fb1f99c41c57c5595a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6li:RWWBibf56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a0000000233c2-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340e-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340f-14.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023410-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023412-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-74.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002340b-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023414-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023411-34.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341b-103.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-101.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341e-112.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341c-118.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341f-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023420-134.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023421-141.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2512-68-0x00007FF7DA1C0000-0x00007FF7DA511000-memory.dmp	xmrig
behavioral2/memory/3080-91-0x00007FF694D30000-0x00007FF695081000-memory.dmp	xmrig
behavioral2/memory/1648-90-0x00007FF707630000-0x00007FF707981000-memory.dmp	xmrig
behavioral2/memory/4576-83-0x00007FF709340000-0x00007FF709691000-memory.dmp	xmrig
behavioral2/memory/3272-67-0x00007FF7B7AD0000-0x00007FF7B7E21000-memory.dmp	xmrig
behavioral2/memory/2640-59-0x00007FF6C2BC0000-0x00007FF6C2F11000-memory.dmp	xmrig
behavioral2/memory/1432-97-0x00007FF7235F0000-0x00007FF723941000-memory.dmp	xmrig
behavioral2/memory/4808-117-0x00007FF640E10000-0x00007FF641161000-memory.dmp	xmrig
behavioral2/memory/4792-116-0x00007FF6FEA10000-0x00007FF6FED61000-memory.dmp	xmrig
behavioral2/memory/4144-113-0x00007FF6C1EC0000-0x00007FF6C2211000-memory.dmp	xmrig
behavioral2/memory/3636-96-0x00007FF632BF0000-0x00007FF632F41000-memory.dmp	xmrig
behavioral2/memory/2540-138-0x00007FF6D6680000-0x00007FF6D69D1000-memory.dmp	xmrig
behavioral2/memory/3956-139-0x00007FF6BEF90000-0x00007FF6BF2E1000-memory.dmp	xmrig
behavioral2/memory/4772-132-0x00007FF794230000-0x00007FF794581000-memory.dmp	xmrig
behavioral2/memory/1236-125-0x00007FF75D9C0000-0x00007FF75DD11000-memory.dmp	xmrig
behavioral2/memory/2640-143-0x00007FF6C2BC0000-0x00007FF6C2F11000-memory.dmp	xmrig
behavioral2/memory/3216-156-0x00007FF76D3C0000-0x00007FF76D711000-memory.dmp	xmrig
behavioral2/memory/2532-159-0x00007FF78A6B0000-0x00007FF78AA01000-memory.dmp	xmrig
behavioral2/memory/3168-160-0x00007FF62F110000-0x00007FF62F461000-memory.dmp	xmrig
behavioral2/memory/2796-161-0x00007FF71EB50000-0x00007FF71EEA1000-memory.dmp	xmrig
behavioral2/memory/1220-167-0x00007FF75FD70000-0x00007FF7600C1000-memory.dmp	xmrig
behavioral2/memory/1456-168-0x00007FF6CBCE0000-0x00007FF6CC031000-memory.dmp	xmrig
behavioral2/memory/4788-169-0x00007FF792C60000-0x00007FF792FB1000-memory.dmp	xmrig
behavioral2/memory/2640-170-0x00007FF6C2BC0000-0x00007FF6C2F11000-memory.dmp	xmrig
behavioral2/memory/3272-223-0x00007FF7B7AD0000-0x00007FF7B7E21000-memory.dmp	xmrig
behavioral2/memory/2512-225-0x00007FF7DA1C0000-0x00007FF7DA511000-memory.dmp	xmrig
behavioral2/memory/4576-229-0x00007FF709340000-0x00007FF709691000-memory.dmp	xmrig
behavioral2/memory/1648-228-0x00007FF707630000-0x00007FF707981000-memory.dmp	xmrig
behavioral2/memory/3636-238-0x00007FF632BF0000-0x00007FF632F41000-memory.dmp	xmrig
behavioral2/memory/3080-240-0x00007FF694D30000-0x00007FF695081000-memory.dmp	xmrig
behavioral2/memory/4144-243-0x00007FF6C1EC0000-0x00007FF6C2211000-memory.dmp	xmrig
behavioral2/memory/1432-244-0x00007FF7235F0000-0x00007FF723941000-memory.dmp	xmrig
behavioral2/memory/4792-247-0x00007FF6FEA10000-0x00007FF6FED61000-memory.dmp	xmrig
behavioral2/memory/4808-248-0x00007FF640E10000-0x00007FF641161000-memory.dmp	xmrig
behavioral2/memory/1236-250-0x00007FF75D9C0000-0x00007FF75DD11000-memory.dmp	xmrig
behavioral2/memory/4772-252-0x00007FF794230000-0x00007FF794581000-memory.dmp	xmrig
behavioral2/memory/2540-254-0x00007FF6D6680000-0x00007FF6D69D1000-memory.dmp	xmrig
behavioral2/memory/3956-256-0x00007FF6BEF90000-0x00007FF6BF2E1000-memory.dmp	xmrig
behavioral2/memory/3216-261-0x00007FF76D3C0000-0x00007FF76D711000-memory.dmp	xmrig
behavioral2/memory/2532-263-0x00007FF78A6B0000-0x00007FF78AA01000-memory.dmp	xmrig
behavioral2/memory/3168-267-0x00007FF62F110000-0x00007FF62F461000-memory.dmp	xmrig
behavioral2/memory/2796-269-0x00007FF71EB50000-0x00007FF71EEA1000-memory.dmp	xmrig
behavioral2/memory/1220-273-0x00007FF75FD70000-0x00007FF7600C1000-memory.dmp	xmrig
behavioral2/memory/1456-275-0x00007FF6CBCE0000-0x00007FF6CC031000-memory.dmp	xmrig
behavioral2/memory/4788-278-0x00007FF792C60000-0x00007FF792FB1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3272	UKxCdNl.exe
2512	uasrTLy.exe
4576	cOSQJqe.exe
1648	ZQPyysT.exe
3080	RipIPrY.exe
3636	PowjdTG.exe
1432	SVpMZLL.exe
4144	bzVCpOz.exe
4792	WgaJmUm.exe
4808	ZNKblRE.exe
1236	rEiGvJE.exe
4772	bWghUsA.exe
2540	qsPOABL.exe
3956	ztnpKfb.exe
3216	DzcDjWn.exe
2532	phzMJmM.exe
3168	LOUpIhL.exe
2796	qEcaxtG.exe
1220	qjCOeUh.exe
1456	YTmElPx.exe
4788	CQJcLKn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2640-0-0x00007FF6C2BC0000-0x00007FF6C2F11000-memory.dmp	upx
behavioral2/files/0x000a0000000233c2-5.dat	upx
behavioral2/memory/3272-6-0x00007FF7B7AD0000-0x00007FF7B7E21000-memory.dmp	upx
behavioral2/files/0x000700000002340e-10.dat	upx
behavioral2/files/0x000700000002340f-14.dat	upx
behavioral2/memory/4576-18-0x00007FF709340000-0x00007FF709691000-memory.dmp	upx
behavioral2/files/0x0007000000023410-26.dat	upx
behavioral2/memory/3080-33-0x00007FF694D30000-0x00007FF695081000-memory.dmp	upx
behavioral2/files/0x0007000000023412-37.dat	upx
behavioral2/files/0x0007000000023416-54.dat	upx
behavioral2/memory/4808-58-0x00007FF640E10000-0x00007FF641161000-memory.dmp	upx
behavioral2/files/0x0007000000023417-65.dat	upx
behavioral2/memory/2512-68-0x00007FF7DA1C0000-0x00007FF7DA511000-memory.dmp	upx
behavioral2/files/0x0007000000023418-74.dat	upx
behavioral2/files/0x000800000002340b-87.dat	upx
behavioral2/memory/3080-91-0x00007FF694D30000-0x00007FF695081000-memory.dmp	upx
behavioral2/memory/1648-90-0x00007FF707630000-0x00007FF707981000-memory.dmp	upx
behavioral2/memory/3956-89-0x00007FF6BEF90000-0x00007FF6BF2E1000-memory.dmp	upx
behavioral2/files/0x0007000000023419-85.dat	upx
behavioral2/memory/2540-84-0x00007FF6D6680000-0x00007FF6D69D1000-memory.dmp	upx
behavioral2/memory/4576-83-0x00007FF709340000-0x00007FF709691000-memory.dmp	upx
behavioral2/memory/4772-75-0x00007FF794230000-0x00007FF794581000-memory.dmp	upx
behavioral2/memory/1236-71-0x00007FF75D9C0000-0x00007FF75DD11000-memory.dmp	upx
behavioral2/memory/3272-67-0x00007FF7B7AD0000-0x00007FF7B7E21000-memory.dmp	upx
behavioral2/files/0x0007000000023415-60.dat	upx
behavioral2/memory/2640-59-0x00007FF6C2BC0000-0x00007FF6C2F11000-memory.dmp	upx
behavioral2/files/0x0007000000023414-56.dat	upx
behavioral2/memory/4792-55-0x00007FF6FEA10000-0x00007FF6FED61000-memory.dmp	upx
behavioral2/memory/4144-52-0x00007FF6C1EC0000-0x00007FF6C2211000-memory.dmp	upx
behavioral2/memory/1432-51-0x00007FF7235F0000-0x00007FF723941000-memory.dmp	upx
behavioral2/files/0x0007000000023413-47.dat	upx
behavioral2/memory/3636-39-0x00007FF632BF0000-0x00007FF632F41000-memory.dmp	upx
behavioral2/files/0x0007000000023411-34.dat	upx
behavioral2/memory/1648-22-0x00007FF707630000-0x00007FF707981000-memory.dmp	upx
behavioral2/memory/2512-16-0x00007FF7DA1C0000-0x00007FF7DA511000-memory.dmp	upx
behavioral2/memory/1432-97-0x00007FF7235F0000-0x00007FF723941000-memory.dmp	upx
behavioral2/files/0x000700000002341b-103.dat	upx
behavioral2/memory/2532-104-0x00007FF78A6B0000-0x00007FF78AA01000-memory.dmp	upx
behavioral2/files/0x000700000002341a-101.dat	upx
behavioral2/files/0x000700000002341e-112.dat	upx
behavioral2/memory/2796-115-0x00007FF71EB50000-0x00007FF71EEA1000-memory.dmp	upx
behavioral2/files/0x000700000002341c-118.dat	upx
behavioral2/memory/4808-117-0x00007FF640E10000-0x00007FF641161000-memory.dmp	upx
behavioral2/memory/4792-116-0x00007FF6FEA10000-0x00007FF6FED61000-memory.dmp	upx
behavioral2/memory/3168-114-0x00007FF62F110000-0x00007FF62F461000-memory.dmp	upx
behavioral2/memory/4144-113-0x00007FF6C1EC0000-0x00007FF6C2211000-memory.dmp	upx
behavioral2/memory/3216-100-0x00007FF76D3C0000-0x00007FF76D711000-memory.dmp	upx
behavioral2/memory/3636-96-0x00007FF632BF0000-0x00007FF632F41000-memory.dmp	upx
behavioral2/files/0x000700000002341f-124.dat	upx
behavioral2/memory/1220-126-0x00007FF75FD70000-0x00007FF7600C1000-memory.dmp	upx
behavioral2/files/0x0007000000023420-134.dat	upx
behavioral2/memory/2540-138-0x00007FF6D6680000-0x00007FF6D69D1000-memory.dmp	upx
behavioral2/files/0x0007000000023421-141.dat	upx
behavioral2/memory/4788-140-0x00007FF792C60000-0x00007FF792FB1000-memory.dmp	upx
behavioral2/memory/3956-139-0x00007FF6BEF90000-0x00007FF6BF2E1000-memory.dmp	upx
behavioral2/memory/1456-133-0x00007FF6CBCE0000-0x00007FF6CC031000-memory.dmp	upx
behavioral2/memory/4772-132-0x00007FF794230000-0x00007FF794581000-memory.dmp	upx
behavioral2/memory/1236-125-0x00007FF75D9C0000-0x00007FF75DD11000-memory.dmp	upx
behavioral2/memory/2640-143-0x00007FF6C2BC0000-0x00007FF6C2F11000-memory.dmp	upx
behavioral2/memory/3216-156-0x00007FF76D3C0000-0x00007FF76D711000-memory.dmp	upx
behavioral2/memory/2532-159-0x00007FF78A6B0000-0x00007FF78AA01000-memory.dmp	upx
behavioral2/memory/3168-160-0x00007FF62F110000-0x00007FF62F461000-memory.dmp	upx
behavioral2/memory/2796-161-0x00007FF71EB50000-0x00007FF71EEA1000-memory.dmp	upx
behavioral2/memory/1220-167-0x00007FF75FD70000-0x00007FF7600C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\bzVCpOz.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rEiGvJE.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DzcDjWn.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YTmElPx.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cOSQJqe.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZNKblRE.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bWghUsA.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LOUpIhL.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SVpMZLL.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WgaJmUm.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qsPOABL.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ztnpKfb.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qjCOeUh.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CQJcLKn.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZQPyysT.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uasrTLy.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RipIPrY.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PowjdTG.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\phzMJmM.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qEcaxtG.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UKxCdNl.exe	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 3272	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2640 wrote to memory of 3272	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2640 wrote to memory of 2512	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2640 wrote to memory of 2512	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2640 wrote to memory of 4576	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2640 wrote to memory of 4576	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2640 wrote to memory of 1648	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2640 wrote to memory of 1648	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2640 wrote to memory of 3080	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2640 wrote to memory of 3080	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2640 wrote to memory of 3636	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2640 wrote to memory of 3636	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2640 wrote to memory of 1432	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2640 wrote to memory of 1432	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2640 wrote to memory of 4144	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2640 wrote to memory of 4144	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2640 wrote to memory of 4792	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2640 wrote to memory of 4792	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2640 wrote to memory of 4808	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2640 wrote to memory of 4808	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2640 wrote to memory of 1236	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2640 wrote to memory of 1236	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2640 wrote to memory of 4772	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2640 wrote to memory of 4772	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2640 wrote to memory of 2540	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2640 wrote to memory of 2540	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2640 wrote to memory of 3956	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2640 wrote to memory of 3956	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2640 wrote to memory of 3216	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2640 wrote to memory of 3216	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2640 wrote to memory of 2532	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2640 wrote to memory of 2532	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2640 wrote to memory of 3168	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2640 wrote to memory of 3168	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2640 wrote to memory of 2796	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2640 wrote to memory of 2796	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2640 wrote to memory of 1220	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2640 wrote to memory of 1220	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2640 wrote to memory of 1456	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2640 wrote to memory of 1456	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2640 wrote to memory of 4788	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2640 wrote to memory of 4788	2640	2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_d4de50b4feb9105554913ec3e8189bb2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\System\UKxCdNl.exe
  C:\Windows\System\UKxCdNl.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\uasrTLy.exe
  C:\Windows\System\uasrTLy.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\cOSQJqe.exe
  C:\Windows\System\cOSQJqe.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\ZQPyysT.exe
  C:\Windows\System\ZQPyysT.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\RipIPrY.exe
  C:\Windows\System\RipIPrY.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System\PowjdTG.exe
  C:\Windows\System\PowjdTG.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System\SVpMZLL.exe
  C:\Windows\System\SVpMZLL.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\bzVCpOz.exe
  C:\Windows\System\bzVCpOz.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System\WgaJmUm.exe
  C:\Windows\System\WgaJmUm.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\ZNKblRE.exe
  C:\Windows\System\ZNKblRE.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\rEiGvJE.exe
  C:\Windows\System\rEiGvJE.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\bWghUsA.exe
  C:\Windows\System\bWghUsA.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\qsPOABL.exe
  C:\Windows\System\qsPOABL.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\ztnpKfb.exe
  C:\Windows\System\ztnpKfb.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\DzcDjWn.exe
  C:\Windows\System\DzcDjWn.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System\phzMJmM.exe
  C:\Windows\System\phzMJmM.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\LOUpIhL.exe
  C:\Windows\System\LOUpIhL.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\qEcaxtG.exe
  C:\Windows\System\qEcaxtG.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\qjCOeUh.exe
  C:\Windows\System\qjCOeUh.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\YTmElPx.exe
  C:\Windows\System\YTmElPx.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System\CQJcLKn.exe
  C:\Windows\System\CQJcLKn.exe
  2⤵
  - Executes dropped EXE
  PID:4788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CQJcLKn.exe

Filesize
5.2MB

MD5
67ed38a17f9af49b14d13765bf0c618c

SHA1
059b34e656bb3624f7dc3b5c0d0a7f607c260ac1

SHA256
279cbbf96432cacd2316e5aaff5c5fd86ef24ebad9815dfd1f24c6fb8fe5d6e4

SHA512
28ec6682576087b027fc4308ba888d735e2c629761ad56f866fc307a273f8c7577ac27fe03a7c7fc1c2bec6c4c9f677e0641e5d5ff9b3c77e7a2dddbbb68fd15

Download Submit
C:\Windows\System\DzcDjWn.exe

Filesize
5.2MB

MD5
c1566535ef39e5b4d3e7cf4816a211f2

SHA1
ca1b3b0a108f93cd7db280711bda6874a4eec5b6

SHA256
14ef575867dc09da83c588c4de3d149311d09066ebc76c51ac511c0c185b1b24

SHA512
79d99a42977cd8006023c4a4d7c1ef8489f24ac3745ea14bdadb55f617ab88043c79aa8ca90a6fea2af90796e8c57bba07daa245e00167baff2451d6dd4a9859

Download Submit
C:\Windows\System\LOUpIhL.exe

Filesize
5.2MB

MD5
5b8ca638ab4f19676c7a70ec9f298214

SHA1
7a29e04262e71d112c1ea43375726e4f94404ecb

SHA256
56b6818b336e1c176b3569dd55d7acffdfc0cc0dc8084da3cd30cd0664e45399

SHA512
ca1a2ec2e9b9a1285c488629991c31b428311e23b0287450bb15aa2332eb86721db4ef72bdca5fcd364f50433854512b746becf4bd8cd45d2644290506595ba1

Download Submit
C:\Windows\System\PowjdTG.exe

Filesize
5.2MB

MD5
06d28cbfdfbe3f3d10d0d1230a255dde

SHA1
d38a9bfda730d6d514476643be76751ff4541440

SHA256
8bd25da20e7b8958d05a816c57de585b855ff61579a0d6d5317d4b6271eb9b69

SHA512
60fac651ff84a8bde821864ab8a8b26047304a8c16b607dd94564e562a09ed8912d9a7b01456d7a0fe43fd4dde16cb24c0b4cc24dc3ba97082400490b8ec6199

Download Submit
C:\Windows\System\RipIPrY.exe

Filesize
5.2MB

MD5
c3ce98694903904ac2d07c22f6e4d01c

SHA1
9085a5872c7a7eb8785061310f5a91d7dbf7073a

SHA256
00bf279a0616c24d7778f3ee876624fab0ffdc70950abe229c37fe3f76b3674f

SHA512
6032e0ffc0c437bfb6d6ff531bd758b0936599ab72f75cc1452c09710f1a157ba07d7b37f1119dcc00a8d6647da231c9bf615b2baf5507e1e3016008ba6b18cc

Download Submit
C:\Windows\System\SVpMZLL.exe

Filesize
5.2MB

MD5
4438163c37992eccaa6d7165a8cb2e88

SHA1
68e6d5b71cedc0e3b3f595e0f5ab5db0cb3a9ed9

SHA256
488aaca20082d1ec2401aeb7f7fc13ebc2528304a143aa38c78e886c94edddda

SHA512
3f325b0e67b6df0975a036ca9b532f6fd7fa17154aecfa245062f56f858377c6772db78b1b87d50602742b3e5a6873664f100e3134c7bac0fd557ffc46335259

Download Submit
C:\Windows\System\UKxCdNl.exe

Filesize
5.2MB

MD5
ddc89b75d4d9aee3d90427429f44f8fb

SHA1
2c49c4efd7f69bc552f2202c4fb238b41fd4a473

SHA256
c21bb247e29a209a0c6e9023765512887761b919a37c40aafde5c9fabee978e6

SHA512
03a99db559adfaccc276402b7dfe1c184651f5dd8eb5f3c4c1d89da3bd5c8bc7c64ca1b676a71fa57245ea46d295a41d1dc0356bcfb25c9b8133c8d56622a58c

Download Submit
C:\Windows\System\WgaJmUm.exe

Filesize
5.2MB

MD5
8a307c06df0596161daeb2688da3c1b7

SHA1
22c20735abca92278d657f654ca25d500363569b

SHA256
206335f3c020e8eb978aacfbe0ba709446db71968a4f2a8ca5e26720ccaf8b1f

SHA512
7220661688ae1d6e5c08fcc7bdd5acd2c5403695ca3480adfcf8c009af0227b07501db00f752c955602db34309d164e2822b311604d4a5d98f5892e21fe52fac

Download Submit
C:\Windows\System\YTmElPx.exe

Filesize
5.2MB

MD5
ef82e73e15a279ec473cf261a5c460a4

SHA1
a947dc2b5197a33ffd8e706754c821d9dca69fff

SHA256
ab7ca81bbf4d6f2536b584b948670dd3c80606da505289cc4fcadcf52a54bd48

SHA512
7b4c4fee5790c4c4fcd38e78d6a7a3fe3d3466ebd80d11094abb669d3d134b2b9fd187c1fd66c00cb7dc16a7ee6d992d4cd0d2e1f83ceb6f43a6d39067603cb1

Download Submit
C:\Windows\System\ZNKblRE.exe

Filesize
5.2MB

MD5
3b3c16ea60165b3c32163fd7f12fa01e

SHA1
3d69e363171d67815bb909b0a6c0c845082e252b

SHA256
7a881ed4c57b59c5265f73371556c4341df2a0661bfa6473ca97ff45f9477564

SHA512
46ec3359c424c4752232d0c5ff7e327cf5c00a02917b75b344e1e88046f1efd401bbd61b589f4ca3bc37b9c99d0d1f83fbc94bb58a8f652b9cf078ad341ccead

Download Submit
C:\Windows\System\ZQPyysT.exe

Filesize
5.2MB

MD5
0e43414698a9bd97dd566f76d88d315f

SHA1
71be2155faa1c70462c5a1ee7a2943f9feaeb1ae

SHA256
fce3101885255195b2c6208d4e6103ba76ae95ece25b4b6394ff8f1af9ccd33a

SHA512
a6fd5eaf3673be68c6bc6c3bea19ec0e9fbd800d2588c0ade985831e9f137ebbbf6cdc7a258daba482111c7d28ac67a1add34dc86f9f0a96811c6cb9d261364e

Download Submit
C:\Windows\System\bWghUsA.exe

Filesize
5.2MB

MD5
b87ff013dde06d7588791e921b761932

SHA1
dfa602294765ddd4b6521e3f4b26404f9570d2d5

SHA256
1f995df60ff9c2959c00a39b32174638656728c8369d449fc87427392c5b89dd

SHA512
dcbe6583ab289b09fc00634c1088ccf0761f175adcc99f69b30d3c54b1510a9d300f8c3091eacb05e197863b7c867f2c0d68d94302affd5109c25d547faaf9f3

Download Submit
C:\Windows\System\bzVCpOz.exe

Filesize
5.2MB

MD5
e7ec459806633e73aa90c048be379eff

SHA1
02a7f926ca078056b9d10a2ea8c3c3694015dad8

SHA256
242c4599f5927edb89a5f03a3a665b8d6d4a12711ffc46cb7223174a759af43e

SHA512
0d284a54ff22c5628ab3af8ae53a91c8a4247681b7728f9557d3afb7dce38e9d696fc82fe82ad419920fc07cf1cccc1609691182f6973fcba03552042fd923c5

Download Submit
C:\Windows\System\cOSQJqe.exe

Filesize
5.2MB

MD5
04bdd7fa182f78643d32139cb6a51b76

SHA1
a8cc0bd62b0667645017dcae08495e4655b519c3

SHA256
467325710019f0b0fd25f17aa100c3b77ef59c10d27371ae77bdaf33d026556b

SHA512
195bfb8de0220affbc52432792299f223f07d30623b1f055459e0aa0318c1166de08b25cf94d763611e3634151b082de17efa4b61bd7b8431b41a90ac96056ae

Download Submit
C:\Windows\System\phzMJmM.exe

Filesize
5.2MB

MD5
36327df7934cb099117430ea03d95e58

SHA1
3fa33933bcafbf34ed2ba55e8243a5dd50e354e2

SHA256
3fceef005ca195ff6506c69204b395c74741b9df39f3391d68da09cc3a66984e

SHA512
ff83a0df6f0c345277e24b5a012c61de74b28c3cd6a0f1142eedcf2fe2bc3c9ee781e16b3f106ca791a8d242d4cbbfa00dc6d367e1c9f3c8a815912cce43ed55

Download Submit
C:\Windows\System\qEcaxtG.exe

Filesize
5.2MB

MD5
6fc2d0bc1fa67e8fd0ab2f4798879a02

SHA1
86251254993b49df37e57df82b98a46e7ab213d0

SHA256
61d1fede62e03cdd4d675f112fc5b6341dafd9aacfaa626e17cb651b6e502679

SHA512
9d363e11d39223c2ef1558064f263769d02bc34e49f65c0ccdc6a78bfb9e7d0618eefc4752051951174e04eaf9867f9f402e7df774f735a873d4ed683cfbbb41

Download Submit
C:\Windows\System\qjCOeUh.exe

Filesize
5.2MB

MD5
ed796aa0a733d9247fe33424df11a7ca

SHA1
82c56c29f88a9ac703d00aff239f5ed029900f54

SHA256
fa23a623501bf96ff05da0b1f33754bd9974f6ffc7c0461905e884f0299a6af1

SHA512
6aa6c34ad879b57ab678e0f6b6e37c34f86ca91ec5e18815d79b3f50c83007996772709782c45e07d144524823a96736b14762f19d8601f369bc0ee0e26be1f4

Download Submit
C:\Windows\System\qsPOABL.exe

Filesize
5.2MB

MD5
2dcc093692c6dfe98f014230e0d27ce3

SHA1
8f1dd0507776885cedc34b3e0714dc581838fa43

SHA256
ed3277cf4dd93f287b0f5460fbae1a54be9e36457d396578c413183a5aca5c6f

SHA512
1de4ee00905bef12cd39bec70f7de4a988fb3fd1a6a19735a48f4abf7fb33ccd689b353e02b1b44fd1da018913c65b6ce739994d830f853f87f6f1d2e9440c5c

Download Submit
C:\Windows\System\rEiGvJE.exe

Filesize
5.2MB

MD5
8dce01925b59a355dea198d97c61c94d

SHA1
5b6ca72d7af15d3ec296e105b925619efc9a65c0

SHA256
58a2fc89f792b278f7e638b7e382beeb5c8264ea6cfc79950a72976c33a15cb4

SHA512
f7163b03cfbacd61d2a5237f9609ca0ff2384af47ed5c3406ef81da73dd40aad58a1a22ac595330ff0a0a0c42791b743bfc9c3f1074727b519285ab916919958

Download Submit
C:\Windows\System\uasrTLy.exe

Filesize
5.2MB

MD5
93de94d1cc63a51ab508d0f785522b0e

SHA1
c54de1195896e313d9b7a517185417e768788376

SHA256
9a91b27f22c695cdb499640510a2bd13f023c5ba31b9040fa497c93b0bea474d

SHA512
4894c143c4d96bb5aee6b2a3891e669b969ee3e1817e585bca0d4f4f48055b48090e435f99b900041fade9cd8774ad6d769dec60a957670d531510d142a1354d

Download Submit
C:\Windows\System\ztnpKfb.exe

Filesize
5.2MB

MD5
b37dc9ff20b0247baa42b9ddf4f6b42d

SHA1
7878ada08305dada44a3f845584741053f820b07

SHA256
ded618e2be376eb76747e3067340f54ac93061ff39b61b1c9d778e54071da542

SHA512
4dce3f393c322e3f5e9897a65187dc59d1772733b7ece4a757ef1e14b7632e13d3b70faa32d65aaf60445ab72f30bc3d2c922909c21ab1a6094df0f595ab30a4

Download Submit
memory/1220-167-0x00007FF75FD70000-0x00007FF7600C1000-memory.dmp

Filesize
3.3MB

Download
memory/1220-273-0x00007FF75FD70000-0x00007FF7600C1000-memory.dmp

Filesize
3.3MB

Download
memory/1220-126-0x00007FF75FD70000-0x00007FF7600C1000-memory.dmp

Filesize
3.3MB

Download
memory/1236-125-0x00007FF75D9C0000-0x00007FF75DD11000-memory.dmp

Filesize
3.3MB

Download
memory/1236-71-0x00007FF75D9C0000-0x00007FF75DD11000-memory.dmp

Filesize
3.3MB

Download
memory/1236-250-0x00007FF75D9C0000-0x00007FF75DD11000-memory.dmp

Filesize
3.3MB

Download
memory/1432-51-0x00007FF7235F0000-0x00007FF723941000-memory.dmp

Filesize
3.3MB

Download
memory/1432-244-0x00007FF7235F0000-0x00007FF723941000-memory.dmp

Filesize
3.3MB

Download
memory/1432-97-0x00007FF7235F0000-0x00007FF723941000-memory.dmp

Filesize
3.3MB

Download
memory/1456-133-0x00007FF6CBCE0000-0x00007FF6CC031000-memory.dmp

Filesize
3.3MB

Download
memory/1456-168-0x00007FF6CBCE0000-0x00007FF6CC031000-memory.dmp

Filesize
3.3MB

Download
memory/1456-275-0x00007FF6CBCE0000-0x00007FF6CC031000-memory.dmp

Filesize
3.3MB

Download
memory/1648-90-0x00007FF707630000-0x00007FF707981000-memory.dmp

Filesize
3.3MB

Download
memory/1648-228-0x00007FF707630000-0x00007FF707981000-memory.dmp

Filesize
3.3MB

Download
memory/1648-22-0x00007FF707630000-0x00007FF707981000-memory.dmp

Filesize
3.3MB

Download
memory/2512-16-0x00007FF7DA1C0000-0x00007FF7DA511000-memory.dmp

Filesize
3.3MB

Download
memory/2512-68-0x00007FF7DA1C0000-0x00007FF7DA511000-memory.dmp

Filesize
3.3MB

Download
memory/2512-225-0x00007FF7DA1C0000-0x00007FF7DA511000-memory.dmp

Filesize
3.3MB

Download
memory/2532-263-0x00007FF78A6B0000-0x00007FF78AA01000-memory.dmp

Filesize
3.3MB

Download
memory/2532-159-0x00007FF78A6B0000-0x00007FF78AA01000-memory.dmp

Filesize
3.3MB

Download
memory/2532-104-0x00007FF78A6B0000-0x00007FF78AA01000-memory.dmp

Filesize
3.3MB

Download
memory/2540-138-0x00007FF6D6680000-0x00007FF6D69D1000-memory.dmp

Filesize
3.3MB

Download
memory/2540-84-0x00007FF6D6680000-0x00007FF6D69D1000-memory.dmp

Filesize
3.3MB

Download
memory/2540-254-0x00007FF6D6680000-0x00007FF6D69D1000-memory.dmp

Filesize
3.3MB

Download
memory/2640-170-0x00007FF6C2BC0000-0x00007FF6C2F11000-memory.dmp

Filesize
3.3MB

Download
memory/2640-0-0x00007FF6C2BC0000-0x00007FF6C2F11000-memory.dmp

Filesize
3.3MB

Download
memory/2640-1-0x000001E5307A0000-0x000001E5307B0000-memory.dmp

Filesize
64KB

Download
memory/2640-143-0x00007FF6C2BC0000-0x00007FF6C2F11000-memory.dmp

Filesize
3.3MB

Download
memory/2640-59-0x00007FF6C2BC0000-0x00007FF6C2F11000-memory.dmp

Filesize
3.3MB

Download
memory/2796-269-0x00007FF71EB50000-0x00007FF71EEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-161-0x00007FF71EB50000-0x00007FF71EEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-115-0x00007FF71EB50000-0x00007FF71EEA1000-memory.dmp

Filesize
3.3MB

Download
memory/3080-33-0x00007FF694D30000-0x00007FF695081000-memory.dmp

Filesize
3.3MB

Download
memory/3080-240-0x00007FF694D30000-0x00007FF695081000-memory.dmp

Filesize
3.3MB

Download
memory/3080-91-0x00007FF694D30000-0x00007FF695081000-memory.dmp

Filesize
3.3MB

Download
memory/3168-114-0x00007FF62F110000-0x00007FF62F461000-memory.dmp

Filesize
3.3MB

Download
memory/3168-267-0x00007FF62F110000-0x00007FF62F461000-memory.dmp

Filesize
3.3MB

Download
memory/3168-160-0x00007FF62F110000-0x00007FF62F461000-memory.dmp

Filesize
3.3MB

Download
memory/3216-261-0x00007FF76D3C0000-0x00007FF76D711000-memory.dmp

Filesize
3.3MB

Download
memory/3216-156-0x00007FF76D3C0000-0x00007FF76D711000-memory.dmp

Filesize
3.3MB

Download
memory/3216-100-0x00007FF76D3C0000-0x00007FF76D711000-memory.dmp

Filesize
3.3MB

Download
memory/3272-223-0x00007FF7B7AD0000-0x00007FF7B7E21000-memory.dmp

Filesize
3.3MB

Download
memory/3272-67-0x00007FF7B7AD0000-0x00007FF7B7E21000-memory.dmp

Filesize
3.3MB

Download
memory/3272-6-0x00007FF7B7AD0000-0x00007FF7B7E21000-memory.dmp

Filesize
3.3MB

Download
memory/3636-39-0x00007FF632BF0000-0x00007FF632F41000-memory.dmp

Filesize
3.3MB

Download
memory/3636-238-0x00007FF632BF0000-0x00007FF632F41000-memory.dmp

Filesize
3.3MB

Download
memory/3636-96-0x00007FF632BF0000-0x00007FF632F41000-memory.dmp

Filesize
3.3MB

Download
memory/3956-256-0x00007FF6BEF90000-0x00007FF6BF2E1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-89-0x00007FF6BEF90000-0x00007FF6BF2E1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-139-0x00007FF6BEF90000-0x00007FF6BF2E1000-memory.dmp

Filesize
3.3MB

Download
memory/4144-113-0x00007FF6C1EC0000-0x00007FF6C2211000-memory.dmp

Filesize
3.3MB

Download
memory/4144-52-0x00007FF6C1EC0000-0x00007FF6C2211000-memory.dmp

Filesize
3.3MB

Download
memory/4144-243-0x00007FF6C1EC0000-0x00007FF6C2211000-memory.dmp

Filesize
3.3MB

Download
memory/4576-83-0x00007FF709340000-0x00007FF709691000-memory.dmp

Filesize
3.3MB

Download
memory/4576-18-0x00007FF709340000-0x00007FF709691000-memory.dmp

Filesize
3.3MB

Download
memory/4576-229-0x00007FF709340000-0x00007FF709691000-memory.dmp

Filesize
3.3MB

Download
memory/4772-132-0x00007FF794230000-0x00007FF794581000-memory.dmp

Filesize
3.3MB

Download
memory/4772-75-0x00007FF794230000-0x00007FF794581000-memory.dmp

Filesize
3.3MB

Download
memory/4772-252-0x00007FF794230000-0x00007FF794581000-memory.dmp

Filesize
3.3MB

Download
memory/4788-140-0x00007FF792C60000-0x00007FF792FB1000-memory.dmp

Filesize
3.3MB

Download
memory/4788-169-0x00007FF792C60000-0x00007FF792FB1000-memory.dmp

Filesize
3.3MB

Download
memory/4788-278-0x00007FF792C60000-0x00007FF792FB1000-memory.dmp

Filesize
3.3MB

Download
memory/4792-116-0x00007FF6FEA10000-0x00007FF6FED61000-memory.dmp

Filesize
3.3MB

Download
memory/4792-55-0x00007FF6FEA10000-0x00007FF6FED61000-memory.dmp

Filesize
3.3MB

Download
memory/4792-247-0x00007FF6FEA10000-0x00007FF6FED61000-memory.dmp

Filesize
3.3MB

Download
memory/4808-117-0x00007FF640E10000-0x00007FF641161000-memory.dmp

Filesize
3.3MB

Download
memory/4808-248-0x00007FF640E10000-0x00007FF641161000-memory.dmp

Filesize
3.3MB

Download
memory/4808-58-0x00007FF640E10000-0x00007FF641161000-memory.dmp

Filesize
3.3MB

Download