cobaltstrike | dd2bc2af7a7a1ecb699a0d88682af2397d7fee798ad67631deed8f51b2551d1d

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

124b1788266d35a995f0a06870a95865
SHA1

9f2e6b7b308030c3561d7b1245b6abdf4191650b
SHA256

dd2bc2af7a7a1ecb699a0d88682af2397d7fee798ad67631deed8f51b2551d1d
SHA512

7fa05ee6b938de206c05261ae5847def74424306be2337bff85a3e9c72f50366e7d9f105b8f46f90a512009c3141a7d31c6e020d75563e2417ba14118e06d90a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lL:RWWBibf56utgpPFotBER/mQ32lUn

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000233cc-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d1-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d0-12.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d5-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d6-38.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d8-68.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233cd-82.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233dd-95.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233de-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233dc-91.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d9-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d7-70.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233db-66.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233da-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d4-44.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d3-33.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233df-99.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233e2-117.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233e0-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233e3-122.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233e1-119.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4424-86-0x00007FF6F5030000-0x00007FF6F5381000-memory.dmp	xmrig
behavioral2/memory/3104-85-0x00007FF7C1C40000-0x00007FF7C1F91000-memory.dmp	xmrig
behavioral2/memory/4884-128-0x00007FF7A3DA0000-0x00007FF7A40F1000-memory.dmp	xmrig
behavioral2/memory/324-125-0x00007FF7FCBA0000-0x00007FF7FCEF1000-memory.dmp	xmrig
behavioral2/memory/4048-113-0x00007FF7CBB50000-0x00007FF7CBEA1000-memory.dmp	xmrig
behavioral2/memory/3164-106-0x00007FF781F60000-0x00007FF7822B1000-memory.dmp	xmrig
behavioral2/memory/1200-130-0x00007FF68B0C0000-0x00007FF68B411000-memory.dmp	xmrig
behavioral2/memory/3164-131-0x00007FF781F60000-0x00007FF7822B1000-memory.dmp	xmrig
behavioral2/memory/4356-134-0x00007FF6998A0000-0x00007FF699BF1000-memory.dmp	xmrig
behavioral2/memory/2604-140-0x00007FF661C30000-0x00007FF661F81000-memory.dmp	xmrig
behavioral2/memory/5028-142-0x00007FF748E90000-0x00007FF7491E1000-memory.dmp	xmrig
behavioral2/memory/2340-147-0x00007FF68A6E0000-0x00007FF68AA31000-memory.dmp	xmrig
behavioral2/memory/4104-146-0x00007FF74F410000-0x00007FF74F761000-memory.dmp	xmrig
behavioral2/memory/3948-144-0x00007FF6AE420000-0x00007FF6AE771000-memory.dmp	xmrig
behavioral2/memory/3816-139-0x00007FF64F100000-0x00007FF64F451000-memory.dmp	xmrig
behavioral2/memory/3388-138-0x00007FF649A40000-0x00007FF649D91000-memory.dmp	xmrig
behavioral2/memory/3036-137-0x00007FF603380000-0x00007FF6036D1000-memory.dmp	xmrig
behavioral2/memory/4896-136-0x00007FF633740000-0x00007FF633A91000-memory.dmp	xmrig
behavioral2/memory/5012-145-0x00007FF794170000-0x00007FF7944C1000-memory.dmp	xmrig
behavioral2/memory/1076-148-0x00007FF7B0310000-0x00007FF7B0661000-memory.dmp	xmrig
behavioral2/memory/4220-149-0x00007FF617220000-0x00007FF617571000-memory.dmp	xmrig
behavioral2/memory/4276-150-0x00007FF673F50000-0x00007FF6742A1000-memory.dmp	xmrig
behavioral2/memory/5092-156-0x00007FF66BCD0000-0x00007FF66C021000-memory.dmp	xmrig
behavioral2/memory/3164-157-0x00007FF781F60000-0x00007FF7822B1000-memory.dmp	xmrig
behavioral2/memory/4048-210-0x00007FF7CBB50000-0x00007FF7CBEA1000-memory.dmp	xmrig
behavioral2/memory/324-212-0x00007FF7FCBA0000-0x00007FF7FCEF1000-memory.dmp	xmrig
behavioral2/memory/4356-214-0x00007FF6998A0000-0x00007FF699BF1000-memory.dmp	xmrig
behavioral2/memory/4896-225-0x00007FF633740000-0x00007FF633A91000-memory.dmp	xmrig
behavioral2/memory/3388-227-0x00007FF649A40000-0x00007FF649D91000-memory.dmp	xmrig
behavioral2/memory/3036-229-0x00007FF603380000-0x00007FF6036D1000-memory.dmp	xmrig
behavioral2/memory/3816-231-0x00007FF64F100000-0x00007FF64F451000-memory.dmp	xmrig
behavioral2/memory/4424-234-0x00007FF6F5030000-0x00007FF6F5381000-memory.dmp	xmrig
behavioral2/memory/3104-235-0x00007FF7C1C40000-0x00007FF7C1F91000-memory.dmp	xmrig
behavioral2/memory/3948-239-0x00007FF6AE420000-0x00007FF6AE771000-memory.dmp	xmrig
behavioral2/memory/2604-238-0x00007FF661C30000-0x00007FF661F81000-memory.dmp	xmrig
behavioral2/memory/5028-241-0x00007FF748E90000-0x00007FF7491E1000-memory.dmp	xmrig
behavioral2/memory/4104-245-0x00007FF74F410000-0x00007FF74F761000-memory.dmp	xmrig
behavioral2/memory/1076-247-0x00007FF7B0310000-0x00007FF7B0661000-memory.dmp	xmrig
behavioral2/memory/5012-249-0x00007FF794170000-0x00007FF7944C1000-memory.dmp	xmrig
behavioral2/memory/2340-244-0x00007FF68A6E0000-0x00007FF68AA31000-memory.dmp	xmrig
behavioral2/memory/4220-256-0x00007FF617220000-0x00007FF617571000-memory.dmp	xmrig
behavioral2/memory/4276-258-0x00007FF673F50000-0x00007FF6742A1000-memory.dmp	xmrig
behavioral2/memory/4884-260-0x00007FF7A3DA0000-0x00007FF7A40F1000-memory.dmp	xmrig
behavioral2/memory/1200-262-0x00007FF68B0C0000-0x00007FF68B411000-memory.dmp	xmrig
behavioral2/memory/5092-264-0x00007FF66BCD0000-0x00007FF66C021000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4048	uOXtHPH.exe
324	IzwbwOR.exe
4356	emLkeIN.exe
4896	TYJqhKx.exe
3036	HKYxyjC.exe
3388	iCvCQoL.exe
3816	IlpgwRP.exe
3104	RthnrXr.exe
2604	xJBhvRh.exe
5028	BWDaXdO.exe
4424	aGtfyhb.exe
3948	bwxOLBv.exe
5012	agFEvlo.exe
4104	pHUiPcd.exe
2340	HVUUPFE.exe
1076	bhOHJuT.exe
4220	mzezHDw.exe
4276	rxMKjal.exe
5092	Vmjrndr.exe
1200	NCsNzlT.exe
4884	AUMCelI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3164-0-0x00007FF781F60000-0x00007FF7822B1000-memory.dmp	upx
behavioral2/files/0x00080000000233cc-5.dat	upx
behavioral2/files/0x00070000000233d1-10.dat	upx
behavioral2/files/0x00070000000233d0-12.dat	upx
behavioral2/memory/324-14-0x00007FF7FCBA0000-0x00007FF7FCEF1000-memory.dmp	upx
behavioral2/memory/4048-8-0x00007FF7CBB50000-0x00007FF7CBEA1000-memory.dmp	upx
behavioral2/memory/4356-19-0x00007FF6998A0000-0x00007FF699BF1000-memory.dmp	upx
behavioral2/files/0x00070000000233d5-30.dat	upx
behavioral2/files/0x00070000000233d6-38.dat	upx
behavioral2/files/0x00070000000233d8-68.dat	upx
behavioral2/files/0x00080000000233cd-82.dat	upx
behavioral2/memory/5012-87-0x00007FF794170000-0x00007FF7944C1000-memory.dmp	upx
behavioral2/memory/1076-89-0x00007FF7B0310000-0x00007FF7B0661000-memory.dmp	upx
behavioral2/files/0x00070000000233dd-95.dat	upx
behavioral2/files/0x00070000000233de-97.dat	upx
behavioral2/files/0x00070000000233dc-91.dat	upx
behavioral2/memory/4104-90-0x00007FF74F410000-0x00007FF74F761000-memory.dmp	upx
behavioral2/memory/2340-88-0x00007FF68A6E0000-0x00007FF68AA31000-memory.dmp	upx
behavioral2/memory/4424-86-0x00007FF6F5030000-0x00007FF6F5381000-memory.dmp	upx
behavioral2/memory/3104-85-0x00007FF7C1C40000-0x00007FF7C1F91000-memory.dmp	upx
behavioral2/memory/3948-79-0x00007FF6AE420000-0x00007FF6AE771000-memory.dmp	upx
behavioral2/files/0x00070000000233d9-73.dat	upx
behavioral2/files/0x00070000000233d7-70.dat	upx
behavioral2/files/0x00070000000233db-66.dat	upx
behavioral2/memory/5028-63-0x00007FF748E90000-0x00007FF7491E1000-memory.dmp	upx
behavioral2/files/0x00070000000233da-59.dat	upx
behavioral2/memory/2604-53-0x00007FF661C30000-0x00007FF661F81000-memory.dmp	upx
behavioral2/memory/3816-52-0x00007FF64F100000-0x00007FF64F451000-memory.dmp	upx
behavioral2/memory/3388-41-0x00007FF649A40000-0x00007FF649D91000-memory.dmp	upx
behavioral2/files/0x00070000000233d4-44.dat	upx
behavioral2/memory/3036-35-0x00007FF603380000-0x00007FF6036D1000-memory.dmp	upx
behavioral2/files/0x00070000000233d3-33.dat	upx
behavioral2/memory/4896-25-0x00007FF633740000-0x00007FF633A91000-memory.dmp	upx
behavioral2/files/0x00070000000233df-99.dat	upx
behavioral2/memory/4220-107-0x00007FF617220000-0x00007FF617571000-memory.dmp	upx
behavioral2/files/0x00070000000233e2-117.dat	upx
behavioral2/files/0x00070000000233e0-116.dat	upx
behavioral2/memory/4884-128-0x00007FF7A3DA0000-0x00007FF7A40F1000-memory.dmp	upx
behavioral2/memory/324-125-0x00007FF7FCBA0000-0x00007FF7FCEF1000-memory.dmp	upx
behavioral2/memory/5092-123-0x00007FF66BCD0000-0x00007FF66C021000-memory.dmp	upx
behavioral2/files/0x00070000000233e3-122.dat	upx
behavioral2/files/0x00070000000233e1-119.dat	upx
behavioral2/memory/4048-113-0x00007FF7CBB50000-0x00007FF7CBEA1000-memory.dmp	upx
behavioral2/memory/4276-112-0x00007FF673F50000-0x00007FF6742A1000-memory.dmp	upx
behavioral2/memory/3164-106-0x00007FF781F60000-0x00007FF7822B1000-memory.dmp	upx
behavioral2/memory/1200-130-0x00007FF68B0C0000-0x00007FF68B411000-memory.dmp	upx
behavioral2/memory/3164-131-0x00007FF781F60000-0x00007FF7822B1000-memory.dmp	upx
behavioral2/memory/4356-134-0x00007FF6998A0000-0x00007FF699BF1000-memory.dmp	upx
behavioral2/memory/2604-140-0x00007FF661C30000-0x00007FF661F81000-memory.dmp	upx
behavioral2/memory/5028-142-0x00007FF748E90000-0x00007FF7491E1000-memory.dmp	upx
behavioral2/memory/2340-147-0x00007FF68A6E0000-0x00007FF68AA31000-memory.dmp	upx
behavioral2/memory/4104-146-0x00007FF74F410000-0x00007FF74F761000-memory.dmp	upx
behavioral2/memory/3948-144-0x00007FF6AE420000-0x00007FF6AE771000-memory.dmp	upx
behavioral2/memory/3816-139-0x00007FF64F100000-0x00007FF64F451000-memory.dmp	upx
behavioral2/memory/3388-138-0x00007FF649A40000-0x00007FF649D91000-memory.dmp	upx
behavioral2/memory/3036-137-0x00007FF603380000-0x00007FF6036D1000-memory.dmp	upx
behavioral2/memory/4896-136-0x00007FF633740000-0x00007FF633A91000-memory.dmp	upx
behavioral2/memory/5012-145-0x00007FF794170000-0x00007FF7944C1000-memory.dmp	upx
behavioral2/memory/1076-148-0x00007FF7B0310000-0x00007FF7B0661000-memory.dmp	upx
behavioral2/memory/4220-149-0x00007FF617220000-0x00007FF617571000-memory.dmp	upx
behavioral2/memory/4276-150-0x00007FF673F50000-0x00007FF6742A1000-memory.dmp	upx
behavioral2/memory/5092-156-0x00007FF66BCD0000-0x00007FF66C021000-memory.dmp	upx
behavioral2/memory/3164-157-0x00007FF781F60000-0x00007FF7822B1000-memory.dmp	upx
behavioral2/memory/4048-210-0x00007FF7CBB50000-0x00007FF7CBEA1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\IlpgwRP.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aGtfyhb.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Vmjrndr.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\emLkeIN.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TYJqhKx.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RthnrXr.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bwxOLBv.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pHUiPcd.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bhOHJuT.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HKYxyjC.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iCvCQoL.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\agFEvlo.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mzezHDw.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rxMKjal.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uOXtHPH.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xJBhvRh.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HVUUPFE.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NCsNzlT.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AUMCelI.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IzwbwOR.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BWDaXdO.exe	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 4048	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3164 wrote to memory of 4048	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3164 wrote to memory of 324	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3164 wrote to memory of 324	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3164 wrote to memory of 4356	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3164 wrote to memory of 4356	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3164 wrote to memory of 4896	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3164 wrote to memory of 4896	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3164 wrote to memory of 3036	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3164 wrote to memory of 3036	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3164 wrote to memory of 3388	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3164 wrote to memory of 3388	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3164 wrote to memory of 3816	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3164 wrote to memory of 3816	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3164 wrote to memory of 2604	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3164 wrote to memory of 2604	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3164 wrote to memory of 3104	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3164 wrote to memory of 3104	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3164 wrote to memory of 5028	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3164 wrote to memory of 5028	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3164 wrote to memory of 4424	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3164 wrote to memory of 4424	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3164 wrote to memory of 3948	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3164 wrote to memory of 3948	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3164 wrote to memory of 5012	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3164 wrote to memory of 5012	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3164 wrote to memory of 4104	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3164 wrote to memory of 4104	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3164 wrote to memory of 2340	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3164 wrote to memory of 2340	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3164 wrote to memory of 1076	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3164 wrote to memory of 1076	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3164 wrote to memory of 4220	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3164 wrote to memory of 4220	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3164 wrote to memory of 4276	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3164 wrote to memory of 4276	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3164 wrote to memory of 5092	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3164 wrote to memory of 5092	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3164 wrote to memory of 1200	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3164 wrote to memory of 1200	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3164 wrote to memory of 4884	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3164 wrote to memory of 4884	3164	2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_124b1788266d35a995f0a06870a95865_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\System\uOXtHPH.exe
  C:\Windows\System\uOXtHPH.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System\IzwbwOR.exe
  C:\Windows\System\IzwbwOR.exe
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\System\emLkeIN.exe
  C:\Windows\System\emLkeIN.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System\TYJqhKx.exe
  C:\Windows\System\TYJqhKx.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\HKYxyjC.exe
  C:\Windows\System\HKYxyjC.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\iCvCQoL.exe
  C:\Windows\System\iCvCQoL.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\IlpgwRP.exe
  C:\Windows\System\IlpgwRP.exe
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\System\xJBhvRh.exe
  C:\Windows\System\xJBhvRh.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\RthnrXr.exe
  C:\Windows\System\RthnrXr.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\BWDaXdO.exe
  C:\Windows\System\BWDaXdO.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\aGtfyhb.exe
  C:\Windows\System\aGtfyhb.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\bwxOLBv.exe
  C:\Windows\System\bwxOLBv.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\agFEvlo.exe
  C:\Windows\System\agFEvlo.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\pHUiPcd.exe
  C:\Windows\System\pHUiPcd.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System\HVUUPFE.exe
  C:\Windows\System\HVUUPFE.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\bhOHJuT.exe
  C:\Windows\System\bhOHJuT.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System\mzezHDw.exe
  C:\Windows\System\mzezHDw.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\rxMKjal.exe
  C:\Windows\System\rxMKjal.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\Vmjrndr.exe
  C:\Windows\System\Vmjrndr.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\NCsNzlT.exe
  C:\Windows\System\NCsNzlT.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System\AUMCelI.exe
  C:\Windows\System\AUMCelI.exe
  2⤵
  - Executes dropped EXE
  PID:4884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AUMCelI.exe

Filesize
5.2MB

MD5
3dd945566cb321edbfd98612a499e3ea

SHA1
6dc09cd51455d30d17a140aeb59da6b2f4b8206f

SHA256
49e67ee5eff146d5f406f925005c58b1718183f338cc1f032439ce85978c3669

SHA512
815aecbce3cdd1fbfb54e71e94f26cf18e43d4cfd85edbcba2b9c4380bf151b5d4eea36f0713fc22d28c9371188a277c037a037d55fe3dd3f0cea06dcd3b322d

Download Submit
C:\Windows\System\BWDaXdO.exe

Filesize
5.2MB

MD5
7ff92a3802cd42832ede8129fd0b127d

SHA1
81ebf4e3a625d373a20d5886d1c37bbab5426a53

SHA256
01802172263f123e2e5e8169141028b4a4cc8f5a683a5f0545ab189f6d6f9d04

SHA512
777596d31cd58c74ae4798f3f1c131f8b4e72637cc33f35fb9e2a327d5d4412b7d9570e3b5d12ed140670e00eb24b1b72844691ef8cdab18c5840352ff768119

Download Submit
C:\Windows\System\HKYxyjC.exe

Filesize
5.2MB

MD5
24590230663ffa644c8b01a358955699

SHA1
dda9a17064d4f982bb73e7eee790d00e814568f6

SHA256
eacb99f8dd578385a88fe02e672311f5c11bea726cc73e25b577930aaff07107

SHA512
a6a45c531647f4fc082d23dbb18f64f0bc55e73227c3f3d24d37fa5dd50c7e9e05e62dea2b8b2097fca468824f30fd0afc282748bbb552325eba9e7c224771d2

Download Submit
C:\Windows\System\HVUUPFE.exe

Filesize
5.2MB

MD5
9060dbf154a6cf109990825fc6c13096

SHA1
764a5cfedd48147acbd99256a96fd99c5791e351

SHA256
c924e27689526e3a3b55371dd7fd818a3610ad9848f0967831c177bb11d79292

SHA512
c4f209b70c9cccf73e699a29bde3e41d566e1378ede420ab4e2977f51e78cd568003b8ab8e0768f727b14e6ad435ff24b2b0f62c1ce173da3b195204bfacf50d

Download Submit
C:\Windows\System\IlpgwRP.exe

Filesize
5.2MB

MD5
fd212969577afd18a6b38b03a206844a

SHA1
d069ccc7e62a93b45c39bb3f3f58a94d9c446976

SHA256
47d8cad0fd8378b47a2e6aaa3f6368cf74bbb6c572f0c042571ff514a094a7d6

SHA512
a9e8a86b7e525649b2970d705ce540efe6f68902a8916f8567a05d5f3c7b95c3aba5a7619c02cd1eb074b20157da3fd33ab6749528782777ce952ee35b5afbf5

Download Submit
C:\Windows\System\IzwbwOR.exe

Filesize
5.2MB

MD5
ec10e04e5657776db0b1920e7d8115b6

SHA1
97ad095d99070cb8d444eab18556d4bbe3123411

SHA256
b2c6d98c03ca4b902e81f52f0c8a225ab207d4b75dbd3e8b472adb7faba1f7a6

SHA512
39d781ffea70f9fb6b2c76b29d33f5307aaacb36dec791d0f929f4527243f734c8454c7e28ad4b8cdbf2eacbe09f97af5c5b414fdce1ae723681640006fa2897

Download Submit
C:\Windows\System\NCsNzlT.exe

Filesize
5.2MB

MD5
6e906c25ac6b0fde88d15486af669ef5

SHA1
c9e8b11e522a294cbc58935ec346d73fb033d444

SHA256
f66574e04aca7dab86b6ce3e59b53c6082802033ca81e591d10d97cff6b45470

SHA512
ee24dd244b8af560fd5b5a0d8e24c7a7d1c2541ad43631c2b00739bef47d4db4b03dd493dab6ae4c8cfa75eb35798564af7caae27b7ede43846f3112f4ebf824

Download Submit
C:\Windows\System\RthnrXr.exe

Filesize
5.2MB

MD5
5d9ed563aaee16e59b3a9d024f4a5ca8

SHA1
90666cfb8b8482ea590d6eb3091ad7564accae8d

SHA256
6dff58e33b9d00ba6582a7cc572d913692a0538a2c4f05a0c861597ad4c1abde

SHA512
94a074d5371bfbdc876706c7f61e340778e1c8b0cd9a16651cd1d2f0e9e1e1bab1eb89d79730dafd310bd6399cf5298cd0fd858509b4ebd022fe0c695ffd61e9

Download Submit
C:\Windows\System\TYJqhKx.exe

Filesize
5.2MB

MD5
f53c614b8c9d57b286998f8320c0af20

SHA1
bd05cc370c2e2d4939996ab5920d0624a50a8cf3

SHA256
dbae57cf9bc9ddfb859db0de0577f37245a98e8f065c285316cddd29c1c598f1

SHA512
64526a91f317a02a2051130e3a9d95d6eb7e7a981e3244629a93eacb1df3d42927c7a34fbe73c27086346e380062631ac9db8149ef55d11f9db4993cad7e8878

Download Submit
C:\Windows\System\Vmjrndr.exe

Filesize
5.2MB

MD5
b168333b52d5244667415cf30d4d73e3

SHA1
2d5dce24115071e27d2593b1357e9159284111f0

SHA256
4c98bc9bafba37cfad3da26520f3db1fa260444589e2ca188fbcb931982b50e2

SHA512
9d2206f8a4158e5b7ebe8f0f6049a345e1515dc4804f9d49d75b17006990ec5720656f70d4de2430ab0e0a3743a43c2011afcddcc8d02890eb01cd4c9054bccd

Download Submit
C:\Windows\System\aGtfyhb.exe

Filesize
5.2MB

MD5
bf35be83bbf409a3e88b59f47c43a06f

SHA1
1f7cf8cd19d1b0e6be67ea729f15fcdd91d9a358

SHA256
49c71e0a1a6a8dead0948c0f50f668334661011e1423aabad447df7bfb4fc3a5

SHA512
2bd890df7228483062ed985ecbbdc759161fd5c1dcd56b589ff445bc06893b3f808cbd5941e17ed204d3dccbb7adba34e885d71d664d6329af6aac23cac2c6d6

Download Submit
C:\Windows\System\agFEvlo.exe

Filesize
5.2MB

MD5
95320e94cd06e4894a83211129d1d603

SHA1
2caccb51f9460c8252d778bfa022538c6f7013a9

SHA256
d17d66bbb415123621529ee6a482feb871acd2a52539719b815b66a9f4790cc5

SHA512
8ae6b9f4820045be08104ab166ae6c8ec4c8ce28afd2d6d6c26ab5e5fbf991038f4c5c6165ba4ba8c237189dbaf3b8fa548b38192cc49bcaa7454815cc292b93

Download Submit
C:\Windows\System\bhOHJuT.exe

Filesize
5.2MB

MD5
ea719b7d82c567842cb4cbade304f4cb

SHA1
bcd975b5bd404fdc8395d5d19cc4e408c8ecf98d

SHA256
a9dc0d469a35a0c8ac5d3019f1b90de2ca6c85ef6bd8f6ccacfb2639c2eda24f

SHA512
3bb449327bcb6ad53e4dc2eba84b3836b5f178523a8430b9c630b8457715794edbbd3dce91ac1f0097c42f2d6a5c2a8a63c4619d297bd65df5c04aa6efb3b821

Download Submit
C:\Windows\System\bwxOLBv.exe

Filesize
5.2MB

MD5
1d309b0e416eaef45cafcd0980c88f6f

SHA1
94a93ff07ab5d397c0515cbdcb53ae5c49a088bf

SHA256
3f6b4821dbbcb2dcea46933adf9e632ccc8da28298fbdb1c2bbd05055ea0c056

SHA512
7bcbbb1574c4c7b1c7a8e4be5f63845204cfe41735912a4ba7adbf5e31e42d9a96fcae0444c98202b9b97c9b9efb46428c96b25f2ffe9c2aec049e2d117430fd

Download Submit
C:\Windows\System\emLkeIN.exe

Filesize
5.2MB

MD5
ee8a760fbe74441307e602bd67c9960a

SHA1
da0e3cf61aeb0e276138719e168d71db9b9e5b2f

SHA256
769949d314050f4232a1fb406a03ed73c8472974e82c44ef4789c2b5888bdf4d

SHA512
b19ca078c8c75bcb613956043a53b663be25fd939b30bf282ef85a45d8fe5dbd9943b6be2ef150da8e703689d02006a352c96379adf8e712cc98bb6b25dfd532

Download Submit
C:\Windows\System\iCvCQoL.exe

Filesize
5.2MB

MD5
78e87eaf2d21ff51f55f768bf6de9460

SHA1
078a7729de30add506c627c5a88f867e7e88cec1

SHA256
0dc998aac83b18abf6682a8f30582e7793e6dd9852c01a71dd508f79ff4bdfdc

SHA512
584dd517ca1a84b86f429ae3808f6d843dbca1a38c4b081427dda9d38e8741bd533f68002cf770b4981f8339e5a6d5fb68760731bb761fee10918f96d11e32b4

Download Submit
C:\Windows\System\mzezHDw.exe

Filesize
5.2MB

MD5
fc879e6c88fc18695280551210db7d6c

SHA1
82bf53751bba0168f7d02e01797901461567d026

SHA256
c98aef70d4181e7170edafd10a400ab5bd2dd434e828e858011b6d8d2b438bc1

SHA512
35d2b10d614e4750cea93ef7cbfc14c74d432b097b5578ac913865a3baa1274d5aa9d73d9a5f52fe67a12c12bfbaf19ffc41df8adf1b1617c750d77cd3f9c51c

Download Submit
C:\Windows\System\pHUiPcd.exe

Filesize
5.2MB

MD5
9c1fd2ad54d8f97ed9c9fd020f406655

SHA1
2bac343b6b935863f2902815a92899aba06c75ac

SHA256
79c9ba03f17fded93e61803fada59c89b9749e7b4b2f356f6db402ea3a845284

SHA512
0dc77456f7770f85cf51f90b9196d3f4b22c997f46ae7dfaa630b4ff2202b092e1340d47debf9d653c805eafdd5dc48a5a97c1b46e0455f60b6d86a497565eeb

Download Submit
C:\Windows\System\rxMKjal.exe

Filesize
5.2MB

MD5
febf6bf78e6379c4be2966c01e5468e6

SHA1
fe83cebb378987d6449eb6626370cb4fd2b950f6

SHA256
7aba7bc143bc707393f0649237fe4c428b1d685995f048b175191697895022f3

SHA512
4159e10ce6bbb51d425e9e8bdb93c0a3a1beda552ed36fd854a30bc96cea234966b069f94c36191da69c85e147c7099ac51953726cdd56266c6c3ecaf0afab17

Download Submit
C:\Windows\System\uOXtHPH.exe

Filesize
5.2MB

MD5
8ba38a515af75d990833febe0dc04602

SHA1
20c5c46996022d60336c31379ca697b2af752fca

SHA256
61b6ef0885a25c25ed20256b17c6fc237f3a70c1f8ad1cef416f2cbfc09a666a

SHA512
c18a27439043487c81621425c4bb6ba901ca5be474b7b924ef7c8cf0b79def57a9c09d97ee1b19f537c8e52f187f0d783e9403a0bbf60b69dda1256ac88b1eb1

Download Submit
C:\Windows\System\xJBhvRh.exe

Filesize
5.2MB

MD5
88e84f4fc1ffcdd39ce3df205ffdfbc4

SHA1
8556bc953948358ac00f4e94b7a772a6c607ca46

SHA256
88a994d189e7dd5f995e4169d77bf9f802bba328844beb8ce8bd10420f719c97

SHA512
df30dfd8e19fb75b44274fbd0b007da0e2255a08e691fbe480a88bfcdaa3465b506ee35e94fdedd3c525517d9aba02d939b745d8786df810e689e91760ff57f7

Download Submit
memory/324-125-0x00007FF7FCBA0000-0x00007FF7FCEF1000-memory.dmp

Filesize
3.3MB

Download
memory/324-212-0x00007FF7FCBA0000-0x00007FF7FCEF1000-memory.dmp

Filesize
3.3MB

Download
memory/324-14-0x00007FF7FCBA0000-0x00007FF7FCEF1000-memory.dmp

Filesize
3.3MB

Download
memory/1076-89-0x00007FF7B0310000-0x00007FF7B0661000-memory.dmp

Filesize
3.3MB

Download
memory/1076-148-0x00007FF7B0310000-0x00007FF7B0661000-memory.dmp

Filesize
3.3MB

Download
memory/1076-247-0x00007FF7B0310000-0x00007FF7B0661000-memory.dmp

Filesize
3.3MB

Download
memory/1200-130-0x00007FF68B0C0000-0x00007FF68B411000-memory.dmp

Filesize
3.3MB

Download
memory/1200-262-0x00007FF68B0C0000-0x00007FF68B411000-memory.dmp

Filesize
3.3MB

Download
memory/2340-88-0x00007FF68A6E0000-0x00007FF68AA31000-memory.dmp

Filesize
3.3MB

Download
memory/2340-147-0x00007FF68A6E0000-0x00007FF68AA31000-memory.dmp

Filesize
3.3MB

Download
memory/2340-244-0x00007FF68A6E0000-0x00007FF68AA31000-memory.dmp

Filesize
3.3MB

Download
memory/2604-140-0x00007FF661C30000-0x00007FF661F81000-memory.dmp

Filesize
3.3MB

Download
memory/2604-53-0x00007FF661C30000-0x00007FF661F81000-memory.dmp

Filesize
3.3MB

Download
memory/2604-238-0x00007FF661C30000-0x00007FF661F81000-memory.dmp

Filesize
3.3MB

Download
memory/3036-35-0x00007FF603380000-0x00007FF6036D1000-memory.dmp

Filesize
3.3MB

Download
memory/3036-137-0x00007FF603380000-0x00007FF6036D1000-memory.dmp

Filesize
3.3MB

Download
memory/3036-229-0x00007FF603380000-0x00007FF6036D1000-memory.dmp

Filesize
3.3MB

Download
memory/3104-85-0x00007FF7C1C40000-0x00007FF7C1F91000-memory.dmp

Filesize
3.3MB

Download
memory/3104-235-0x00007FF7C1C40000-0x00007FF7C1F91000-memory.dmp

Filesize
3.3MB

Download
memory/3164-106-0x00007FF781F60000-0x00007FF7822B1000-memory.dmp

Filesize
3.3MB

Download
memory/3164-1-0x000001AE4EC80000-0x000001AE4EC90000-memory.dmp

Filesize
64KB

Download
memory/3164-0-0x00007FF781F60000-0x00007FF7822B1000-memory.dmp

Filesize
3.3MB

Download
memory/3164-157-0x00007FF781F60000-0x00007FF7822B1000-memory.dmp

Filesize
3.3MB

Download
memory/3164-131-0x00007FF781F60000-0x00007FF7822B1000-memory.dmp

Filesize
3.3MB

Download
memory/3388-227-0x00007FF649A40000-0x00007FF649D91000-memory.dmp

Filesize
3.3MB

Download
memory/3388-41-0x00007FF649A40000-0x00007FF649D91000-memory.dmp

Filesize
3.3MB

Download
memory/3388-138-0x00007FF649A40000-0x00007FF649D91000-memory.dmp

Filesize
3.3MB

Download
memory/3816-52-0x00007FF64F100000-0x00007FF64F451000-memory.dmp

Filesize
3.3MB

Download
memory/3816-231-0x00007FF64F100000-0x00007FF64F451000-memory.dmp

Filesize
3.3MB

Download
memory/3816-139-0x00007FF64F100000-0x00007FF64F451000-memory.dmp

Filesize
3.3MB

Download
memory/3948-79-0x00007FF6AE420000-0x00007FF6AE771000-memory.dmp

Filesize
3.3MB

Download
memory/3948-144-0x00007FF6AE420000-0x00007FF6AE771000-memory.dmp

Filesize
3.3MB

Download
memory/3948-239-0x00007FF6AE420000-0x00007FF6AE771000-memory.dmp

Filesize
3.3MB

Download
memory/4048-210-0x00007FF7CBB50000-0x00007FF7CBEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4048-8-0x00007FF7CBB50000-0x00007FF7CBEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4048-113-0x00007FF7CBB50000-0x00007FF7CBEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4104-146-0x00007FF74F410000-0x00007FF74F761000-memory.dmp

Filesize
3.3MB

Download
memory/4104-245-0x00007FF74F410000-0x00007FF74F761000-memory.dmp

Filesize
3.3MB

Download
memory/4104-90-0x00007FF74F410000-0x00007FF74F761000-memory.dmp

Filesize
3.3MB

Download
memory/4220-256-0x00007FF617220000-0x00007FF617571000-memory.dmp

Filesize
3.3MB

Download
memory/4220-107-0x00007FF617220000-0x00007FF617571000-memory.dmp

Filesize
3.3MB

Download
memory/4220-149-0x00007FF617220000-0x00007FF617571000-memory.dmp

Filesize
3.3MB

Download
memory/4276-150-0x00007FF673F50000-0x00007FF6742A1000-memory.dmp

Filesize
3.3MB

Download
memory/4276-258-0x00007FF673F50000-0x00007FF6742A1000-memory.dmp

Filesize
3.3MB

Download
memory/4276-112-0x00007FF673F50000-0x00007FF6742A1000-memory.dmp

Filesize
3.3MB

Download
memory/4356-134-0x00007FF6998A0000-0x00007FF699BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4356-214-0x00007FF6998A0000-0x00007FF699BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4356-19-0x00007FF6998A0000-0x00007FF699BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4424-86-0x00007FF6F5030000-0x00007FF6F5381000-memory.dmp

Filesize
3.3MB

Download
memory/4424-234-0x00007FF6F5030000-0x00007FF6F5381000-memory.dmp

Filesize
3.3MB

Download
memory/4884-128-0x00007FF7A3DA0000-0x00007FF7A40F1000-memory.dmp

Filesize
3.3MB

Download
memory/4884-260-0x00007FF7A3DA0000-0x00007FF7A40F1000-memory.dmp

Filesize
3.3MB

Download
memory/4896-225-0x00007FF633740000-0x00007FF633A91000-memory.dmp

Filesize
3.3MB

Download
memory/4896-136-0x00007FF633740000-0x00007FF633A91000-memory.dmp

Filesize
3.3MB

Download
memory/4896-25-0x00007FF633740000-0x00007FF633A91000-memory.dmp

Filesize
3.3MB

Download
memory/5012-145-0x00007FF794170000-0x00007FF7944C1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-249-0x00007FF794170000-0x00007FF7944C1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-87-0x00007FF794170000-0x00007FF7944C1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-241-0x00007FF748E90000-0x00007FF7491E1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-142-0x00007FF748E90000-0x00007FF7491E1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-63-0x00007FF748E90000-0x00007FF7491E1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-156-0x00007FF66BCD0000-0x00007FF66C021000-memory.dmp

Filesize
3.3MB

Download
memory/5092-123-0x00007FF66BCD0000-0x00007FF66C021000-memory.dmp

Filesize
3.3MB

Download
memory/5092-264-0x00007FF66BCD0000-0x00007FF66C021000-memory.dmp

Filesize
3.3MB

Download