cobaltstrike | 21a4998cf5589ac985617c9a3809dbfdd0e81808e0d510f3f597464e006c5969

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

1b150ab288b289beb6e1f41367116282
SHA1

1a3dbc4f8b46af4712c49b608fcf7b23b30f61b8
SHA256

21a4998cf5589ac985617c9a3809dbfdd0e81808e0d510f3f597464e006c5969
SHA512

903df31964b4db1711042f7f5995c001dedae2b69d6945653e673d5c13b128aab6151feaba03f93c0bb2097bb43f43e5373e5ba97c04e2cb24e5c5386ec656ae
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lm:RWWBibf56utgpPFotBER/mQ32lUK

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023bd6-4.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023be1-17.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023be0-12.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023be2-20.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c11-28.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c12-35.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c13-40.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c14-47.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c15-53.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c16-61.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c1b-65.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c1c-74.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c38-91.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c39-101.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c37-105.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c3a-107.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c1d-136.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c35-138.dat	cobalt_reflective_dll
behavioral2/files/0x000600000001da0e-127.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023c4f-120.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c36-85.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3336-59-0x00007FF661A20000-0x00007FF661D71000-memory.dmp	xmrig
behavioral2/memory/2940-67-0x00007FF7F1440000-0x00007FF7F1791000-memory.dmp	xmrig
behavioral2/memory/4864-66-0x00007FF792D70000-0x00007FF7930C1000-memory.dmp	xmrig
behavioral2/memory/1552-108-0x00007FF7BF4A0000-0x00007FF7BF7F1000-memory.dmp	xmrig
behavioral2/memory/4168-123-0x00007FF6C26B0000-0x00007FF6C2A01000-memory.dmp	xmrig
behavioral2/memory/4224-131-0x00007FF6597B0000-0x00007FF659B01000-memory.dmp	xmrig
behavioral2/memory/4616-134-0x00007FF70DF20000-0x00007FF70E271000-memory.dmp	xmrig
behavioral2/memory/5104-116-0x00007FF613A20000-0x00007FF613D71000-memory.dmp	xmrig
behavioral2/memory/212-99-0x00007FF62DF70000-0x00007FF62E2C1000-memory.dmp	xmrig
behavioral2/memory/2436-92-0x00007FF7B6380000-0x00007FF7B66D1000-memory.dmp	xmrig
behavioral2/memory/1440-89-0x00007FF7D5C00000-0x00007FF7D5F51000-memory.dmp	xmrig
behavioral2/memory/4308-84-0x00007FF715580000-0x00007FF7158D1000-memory.dmp	xmrig
behavioral2/memory/1496-75-0x00007FF61A7A0000-0x00007FF61AAF1000-memory.dmp	xmrig
behavioral2/memory/3336-140-0x00007FF661A20000-0x00007FF661D71000-memory.dmp	xmrig
behavioral2/memory/1984-150-0x00007FF65A8D0000-0x00007FF65AC21000-memory.dmp	xmrig
behavioral2/memory/2324-153-0x00007FF708000000-0x00007FF708351000-memory.dmp	xmrig
behavioral2/memory/1788-154-0x00007FF784120000-0x00007FF784471000-memory.dmp	xmrig
behavioral2/memory/4944-155-0x00007FF7DF710000-0x00007FF7DFA61000-memory.dmp	xmrig
behavioral2/memory/4012-161-0x00007FF7A5A40000-0x00007FF7A5D91000-memory.dmp	xmrig
behavioral2/memory/2108-165-0x00007FF7FBC00000-0x00007FF7FBF51000-memory.dmp	xmrig
behavioral2/memory/1948-166-0x00007FF66D1E0000-0x00007FF66D531000-memory.dmp	xmrig
behavioral2/memory/5020-167-0x00007FF67F720000-0x00007FF67FA71000-memory.dmp	xmrig
behavioral2/memory/3320-164-0x00007FF76DC20000-0x00007FF76DF71000-memory.dmp	xmrig
behavioral2/memory/3336-168-0x00007FF661A20000-0x00007FF661D71000-memory.dmp	xmrig
behavioral2/memory/4864-221-0x00007FF792D70000-0x00007FF7930C1000-memory.dmp	xmrig
behavioral2/memory/2940-223-0x00007FF7F1440000-0x00007FF7F1791000-memory.dmp	xmrig
behavioral2/memory/1496-227-0x00007FF61A7A0000-0x00007FF61AAF1000-memory.dmp	xmrig
behavioral2/memory/4308-225-0x00007FF715580000-0x00007FF7158D1000-memory.dmp	xmrig
behavioral2/memory/2436-229-0x00007FF7B6380000-0x00007FF7B66D1000-memory.dmp	xmrig
behavioral2/memory/212-231-0x00007FF62DF70000-0x00007FF62E2C1000-memory.dmp	xmrig
behavioral2/memory/1552-237-0x00007FF7BF4A0000-0x00007FF7BF7F1000-memory.dmp	xmrig
behavioral2/memory/5104-239-0x00007FF613A20000-0x00007FF613D71000-memory.dmp	xmrig
behavioral2/memory/4168-243-0x00007FF6C26B0000-0x00007FF6C2A01000-memory.dmp	xmrig
behavioral2/memory/4224-241-0x00007FF6597B0000-0x00007FF659B01000-memory.dmp	xmrig
behavioral2/memory/4616-245-0x00007FF70DF20000-0x00007FF70E271000-memory.dmp	xmrig
behavioral2/memory/1984-253-0x00007FF65A8D0000-0x00007FF65AC21000-memory.dmp	xmrig
behavioral2/memory/1440-255-0x00007FF7D5C00000-0x00007FF7D5F51000-memory.dmp	xmrig
behavioral2/memory/1788-261-0x00007FF784120000-0x00007FF784471000-memory.dmp	xmrig
behavioral2/memory/4944-259-0x00007FF7DF710000-0x00007FF7DFA61000-memory.dmp	xmrig
behavioral2/memory/4012-263-0x00007FF7A5A40000-0x00007FF7A5D91000-memory.dmp	xmrig
behavioral2/memory/2324-258-0x00007FF708000000-0x00007FF708351000-memory.dmp	xmrig
behavioral2/memory/5020-269-0x00007FF67F720000-0x00007FF67FA71000-memory.dmp	xmrig
behavioral2/memory/3320-271-0x00007FF76DC20000-0x00007FF76DF71000-memory.dmp	xmrig
behavioral2/memory/1948-275-0x00007FF66D1E0000-0x00007FF66D531000-memory.dmp	xmrig
behavioral2/memory/2108-273-0x00007FF7FBC00000-0x00007FF7FBF51000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4864	mZkMhMH.exe
2940	tNXXgGz.exe
1496	LCVrFbQ.exe
4308	rsGzUNi.exe
2436	xVCbnqk.exe
212	wLMLDqx.exe
1552	VStfAKk.exe
5104	fRVaeDr.exe
4168	UvLsmSx.exe
4224	htGBmFy.exe
4616	gYpPGAv.exe
1984	HDJFAtE.exe
1440	HfPDgYt.exe
1788	qpqRvKE.exe
2324	uvdqxmc.exe
4944	dCiYzUL.exe
4012	VYTEPhZ.exe
5020	GWPGJPN.exe
3320	PSSUzEm.exe
2108	jChTjSe.exe
1948	grmDwNh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3336-0-0x00007FF661A20000-0x00007FF661D71000-memory.dmp	upx
behavioral2/files/0x000a000000023bd6-4.dat	upx
behavioral2/files/0x0008000000023be1-17.dat	upx
behavioral2/files/0x0008000000023be0-12.dat	upx
behavioral2/files/0x0008000000023be2-20.dat	upx
behavioral2/files/0x0008000000023c11-28.dat	upx
behavioral2/memory/2436-30-0x00007FF7B6380000-0x00007FF7B66D1000-memory.dmp	upx
behavioral2/files/0x0008000000023c12-35.dat	upx
behavioral2/memory/212-36-0x00007FF62DF70000-0x00007FF62E2C1000-memory.dmp	upx
behavioral2/files/0x0008000000023c13-40.dat	upx
behavioral2/memory/1552-41-0x00007FF7BF4A0000-0x00007FF7BF7F1000-memory.dmp	upx
behavioral2/files/0x0008000000023c14-47.dat	upx
behavioral2/memory/5104-48-0x00007FF613A20000-0x00007FF613D71000-memory.dmp	upx
behavioral2/memory/4308-22-0x00007FF715580000-0x00007FF7158D1000-memory.dmp	upx
behavioral2/memory/1496-19-0x00007FF61A7A0000-0x00007FF61AAF1000-memory.dmp	upx
behavioral2/memory/2940-16-0x00007FF7F1440000-0x00007FF7F1791000-memory.dmp	upx
behavioral2/files/0x0008000000023c15-53.dat	upx
behavioral2/memory/3336-59-0x00007FF661A20000-0x00007FF661D71000-memory.dmp	upx
behavioral2/files/0x0008000000023c16-61.dat	upx
behavioral2/memory/4224-60-0x00007FF6597B0000-0x00007FF659B01000-memory.dmp	upx
behavioral2/files/0x0008000000023c1b-65.dat	upx
behavioral2/memory/4616-68-0x00007FF70DF20000-0x00007FF70E271000-memory.dmp	upx
behavioral2/memory/2940-67-0x00007FF7F1440000-0x00007FF7F1791000-memory.dmp	upx
behavioral2/memory/4864-66-0x00007FF792D70000-0x00007FF7930C1000-memory.dmp	upx
behavioral2/memory/4168-57-0x00007FF6C26B0000-0x00007FF6C2A01000-memory.dmp	upx
behavioral2/memory/4864-7-0x00007FF792D70000-0x00007FF7930C1000-memory.dmp	upx
behavioral2/files/0x0008000000023c1c-74.dat	upx
behavioral2/memory/1984-79-0x00007FF65A8D0000-0x00007FF65AC21000-memory.dmp	upx
behavioral2/files/0x0008000000023c38-91.dat	upx
behavioral2/memory/2324-94-0x00007FF708000000-0x00007FF708351000-memory.dmp	upx
behavioral2/files/0x0008000000023c39-101.dat	upx
behavioral2/files/0x0008000000023c37-105.dat	upx
behavioral2/files/0x0008000000023c3a-107.dat	upx
behavioral2/memory/4012-110-0x00007FF7A5A40000-0x00007FF7A5D91000-memory.dmp	upx
behavioral2/memory/1552-108-0x00007FF7BF4A0000-0x00007FF7BF7F1000-memory.dmp	upx
behavioral2/memory/4168-123-0x00007FF6C26B0000-0x00007FF6C2A01000-memory.dmp	upx
behavioral2/memory/4224-131-0x00007FF6597B0000-0x00007FF659B01000-memory.dmp	upx
behavioral2/files/0x0009000000023c1d-136.dat	upx
behavioral2/files/0x0009000000023c35-138.dat	upx
behavioral2/memory/1948-135-0x00007FF66D1E0000-0x00007FF66D531000-memory.dmp	upx
behavioral2/memory/4616-134-0x00007FF70DF20000-0x00007FF70E271000-memory.dmp	upx
behavioral2/memory/2108-132-0x00007FF7FBC00000-0x00007FF7FBF51000-memory.dmp	upx
behavioral2/files/0x000600000001da0e-127.dat	upx
behavioral2/memory/3320-126-0x00007FF76DC20000-0x00007FF76DF71000-memory.dmp	upx
behavioral2/files/0x000b000000023c4f-120.dat	upx
behavioral2/memory/5020-117-0x00007FF67F720000-0x00007FF67FA71000-memory.dmp	upx
behavioral2/memory/5104-116-0x00007FF613A20000-0x00007FF613D71000-memory.dmp	upx
behavioral2/memory/4944-103-0x00007FF7DF710000-0x00007FF7DFA61000-memory.dmp	upx
behavioral2/memory/212-99-0x00007FF62DF70000-0x00007FF62E2C1000-memory.dmp	upx
behavioral2/memory/1788-93-0x00007FF784120000-0x00007FF784471000-memory.dmp	upx
behavioral2/memory/2436-92-0x00007FF7B6380000-0x00007FF7B66D1000-memory.dmp	upx
behavioral2/memory/1440-89-0x00007FF7D5C00000-0x00007FF7D5F51000-memory.dmp	upx
behavioral2/files/0x0008000000023c36-85.dat	upx
behavioral2/memory/4308-84-0x00007FF715580000-0x00007FF7158D1000-memory.dmp	upx
behavioral2/memory/1496-75-0x00007FF61A7A0000-0x00007FF61AAF1000-memory.dmp	upx
behavioral2/memory/3336-140-0x00007FF661A20000-0x00007FF661D71000-memory.dmp	upx
behavioral2/memory/1984-150-0x00007FF65A8D0000-0x00007FF65AC21000-memory.dmp	upx
behavioral2/memory/2324-153-0x00007FF708000000-0x00007FF708351000-memory.dmp	upx
behavioral2/memory/1788-154-0x00007FF784120000-0x00007FF784471000-memory.dmp	upx
behavioral2/memory/4944-155-0x00007FF7DF710000-0x00007FF7DFA61000-memory.dmp	upx
behavioral2/memory/4012-161-0x00007FF7A5A40000-0x00007FF7A5D91000-memory.dmp	upx
behavioral2/memory/2108-165-0x00007FF7FBC00000-0x00007FF7FBF51000-memory.dmp	upx
behavioral2/memory/1948-166-0x00007FF66D1E0000-0x00007FF66D531000-memory.dmp	upx
behavioral2/memory/5020-167-0x00007FF67F720000-0x00007FF67FA71000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rsGzUNi.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VStfAKk.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HDJFAtE.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mZkMhMH.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LCVrFbQ.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UvLsmSx.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\htGBmFy.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HfPDgYt.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uvdqxmc.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dCiYzUL.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tNXXgGz.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fRVaeDr.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gYpPGAv.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qpqRvKE.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GWPGJPN.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PSSUzEm.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jChTjSe.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wLMLDqx.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VYTEPhZ.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\grmDwNh.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xVCbnqk.exe	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 4864	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3336 wrote to memory of 4864	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3336 wrote to memory of 2940	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3336 wrote to memory of 2940	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3336 wrote to memory of 1496	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3336 wrote to memory of 1496	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3336 wrote to memory of 4308	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3336 wrote to memory of 4308	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3336 wrote to memory of 2436	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3336 wrote to memory of 2436	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3336 wrote to memory of 212	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3336 wrote to memory of 212	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3336 wrote to memory of 1552	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3336 wrote to memory of 1552	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3336 wrote to memory of 5104	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3336 wrote to memory of 5104	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3336 wrote to memory of 4168	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3336 wrote to memory of 4168	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3336 wrote to memory of 4224	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3336 wrote to memory of 4224	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3336 wrote to memory of 4616	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3336 wrote to memory of 4616	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3336 wrote to memory of 1984	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3336 wrote to memory of 1984	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3336 wrote to memory of 1440	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3336 wrote to memory of 1440	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3336 wrote to memory of 1788	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3336 wrote to memory of 1788	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3336 wrote to memory of 2324	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3336 wrote to memory of 2324	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3336 wrote to memory of 4944	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3336 wrote to memory of 4944	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3336 wrote to memory of 4012	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3336 wrote to memory of 4012	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3336 wrote to memory of 5020	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3336 wrote to memory of 5020	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3336 wrote to memory of 3320	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3336 wrote to memory of 3320	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3336 wrote to memory of 2108	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3336 wrote to memory of 2108	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3336 wrote to memory of 1948	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3336 wrote to memory of 1948	3336	2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_1b150ab288b289beb6e1f41367116282_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\System\mZkMhMH.exe
  C:\Windows\System\mZkMhMH.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\tNXXgGz.exe
  C:\Windows\System\tNXXgGz.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\LCVrFbQ.exe
  C:\Windows\System\LCVrFbQ.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\rsGzUNi.exe
  C:\Windows\System\rsGzUNi.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System\xVCbnqk.exe
  C:\Windows\System\xVCbnqk.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\wLMLDqx.exe
  C:\Windows\System\wLMLDqx.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\VStfAKk.exe
  C:\Windows\System\VStfAKk.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\fRVaeDr.exe
  C:\Windows\System\fRVaeDr.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\UvLsmSx.exe
  C:\Windows\System\UvLsmSx.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\htGBmFy.exe
  C:\Windows\System\htGBmFy.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System\gYpPGAv.exe
  C:\Windows\System\gYpPGAv.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\HDJFAtE.exe
  C:\Windows\System\HDJFAtE.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\HfPDgYt.exe
  C:\Windows\System\HfPDgYt.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\qpqRvKE.exe
  C:\Windows\System\qpqRvKE.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System\uvdqxmc.exe
  C:\Windows\System\uvdqxmc.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\dCiYzUL.exe
  C:\Windows\System\dCiYzUL.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\VYTEPhZ.exe
  C:\Windows\System\VYTEPhZ.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\GWPGJPN.exe
  C:\Windows\System\GWPGJPN.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\PSSUzEm.exe
  C:\Windows\System\PSSUzEm.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System\jChTjSe.exe
  C:\Windows\System\jChTjSe.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\grmDwNh.exe
  C:\Windows\System\grmDwNh.exe
  2⤵
  - Executes dropped EXE
  PID:1948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\GWPGJPN.exe

Filesize
5.2MB

MD5
6fead01c67fc635a3ba4235a8dc9fc71

SHA1
4f02ecd5fbdc165d4d4a5ae4c0364ee2e15a00df

SHA256
05c3343fe21091a8496a04b04179d591d84abf1aadda8be07b2dfb9a0bb08b40

SHA512
679233a3f9f0f9b5444c4be77fd04323b8e479ca7aa96a23a5cfbd9bc74c31d059c512b38fe501a563f2315baa7b84d1da6a35f948e4f408c4571765f8056d37

Download Submit
C:\Windows\System\HDJFAtE.exe

Filesize
5.2MB

MD5
9d1d71b0824b67e55a3a9f5d11a74bbe

SHA1
01a469177fbf4ce03283ef0b19b7113e87fa44c6

SHA256
4d489dc892edadc951851b2f76552e9e1beccb22fc8dae14ad78685b1e1cd28a

SHA512
4e58f02afe0d670f4b1d8674a5c9266f2d0fed802377d5fd8fd59f02587cf02be6ae9f68efb3ea4edc26910651e89a6e84236a30d58d6db4cda7229f2759edd1

Download Submit
C:\Windows\System\HfPDgYt.exe

Filesize
5.2MB

MD5
128bd3559bd579512927c11ac1495852

SHA1
ebdb3862dc87c70a69a679afff8ea57aafebaa88

SHA256
3c71d204bde2ce410372455973d8ce0db027f05b68c22c4dbee1047c4a26555c

SHA512
ea9a9b7a52f5d358cb3442cbb34ec6d2f770b53eb833395368ea03076c15cfe34e542a8cac5818a0a0b77b884eb20e725d83b624863e8afb53181169b132ae69

Download Submit
C:\Windows\System\LCVrFbQ.exe

Filesize
5.2MB

MD5
eebc1cf60fc93a4baccbd99478d6f28a

SHA1
34230d21da457e8e8af064bd50e4e225af4bf4f8

SHA256
0d50a3b2d1a16d03c6d91ebde1a9467b8cc03cdb08a15a915901fe54f6cdd22f

SHA512
1de0f29c3c8baf15452083be755fa84bc31907a825d95af3f9088002cf0ede2cd99481b2dd11128cd78029850e9f828473903e3981b1186e9373dd870d6d8756

Download Submit
C:\Windows\System\PSSUzEm.exe

Filesize
5.2MB

MD5
51464d552a913719a42df38c69e6c25b

SHA1
5faa7ef37569d60cb960cbc2def52e1af0841b51

SHA256
f93bce23bda3bef98e1bd93b219617fb6c45724265b64c125f7decea26cd14f5

SHA512
1f961bcec6ad08c5721bdaae5e00031ee9f51dbc9713b359ea9708922f9986729e9d087e2d78afee5af71291e1ae8ce02a176105a4e48411d889adc141c088f9

Download Submit
C:\Windows\System\UvLsmSx.exe

Filesize
5.2MB

MD5
2342b6a71e3eaeacd27feb8c6985bfec

SHA1
a5a082b32ea2e3c581a0ebf1f609b2d7dafb47da

SHA256
c56120c7c33731dd638c1c2572f0d21c16bce70d54656d88d4844dd63da2b73a

SHA512
8847e113870f00f8a97f4f6d6a623c2a100052c7c31ecf1a6078289f9789de3ed943505e866eb52c47f5cfa1a7a89c9ff66f310746c536ceed018abd6379510b

Download Submit
C:\Windows\System\VStfAKk.exe

Filesize
5.2MB

MD5
5880ba464728f089e1d5fb6c60a1f8d5

SHA1
f9a44a81fb6e9a42fad0a19aa6bc987e22ee0159

SHA256
7f45c5f3a5f9e2e32b9e9f6222ab0006ecde3825e769c33beaf22f4798f3bd6e

SHA512
8d877bcb7f5da7ea74891add06a2273f98b2298a87d150e7ea51ce9f50da8d1ef54577fa09336f410e9bc75980d118a1d2270b18eea95ee8013d04ce0f9308d1

Download Submit
C:\Windows\System\VYTEPhZ.exe

Filesize
5.2MB

MD5
d9e4b36ce6cb32cb1cf9731b1f488fb8

SHA1
4420f6471ae7b6d928f951b7eff866456700e2e8

SHA256
f4ba27a1c640e84eb6034e03fdf3d7d5536438f9c4c27fc3ff9cd9251e8dd068

SHA512
ba57b77467fea3e687fd5e5d59ca96419f907f1956b047d31292477381e2f3ba26089d77fa5872da292e4c298c0ea7b30946c78ed676d122e5fed80df23478e8

Download Submit
C:\Windows\System\dCiYzUL.exe

Filesize
5.2MB

MD5
38ed33d62243b4cc2c1e8683a71d8e6f

SHA1
218c51f77aa95e0a995322156406d6360142423d

SHA256
9b7374237a5cd419d30f3afbdbd2b6a000a0a0ea554fbb207359c543a6916e88

SHA512
2f298e2a079832746dbdb800c7904c02848bc3b11bf77fa36ae6ce941c2471737dbc31aebee63b04ffbd267cfb50067dd4d8a11925a5259af972cd1ec60cc4a8

Download Submit
C:\Windows\System\fRVaeDr.exe

Filesize
5.2MB

MD5
27ae88a3c6d2a827c6e1bc25f4eee022

SHA1
589a06970f6deb6d4b6b81b49c49261d5d150e29

SHA256
a0631a655f16f899859061a26af9d8ba90cff23dcb0ca40a78c1a0de7faeb886

SHA512
192ca4975a91158d0a87561085f97a49d48eedf16fc67fc9581ffb7170816f9aad35fb4957f30944dbcceb8628898912f6ffa54c03780cbeebeb64581e1c4e81

Download Submit
C:\Windows\System\gYpPGAv.exe

Filesize
5.2MB

MD5
e3e348871a7c54768ebed7800e2cd8f1

SHA1
e19b689cb0f5802c76b3825f1bb0fc3e85accf43

SHA256
944cb473e52849a47521523f3b810892acc18120deea35e167f3a279b5b877d4

SHA512
b66ec5fe133963a12b7380a8cc1c6023d8acb35274c71e85c0bf9844a4580197b64aca221a033b8b59955f756d5555a2bde069088f9af5043755cec6dac7c395

Download Submit
C:\Windows\System\grmDwNh.exe

Filesize
5.2MB

MD5
33551db3e45bd0197dd9aba38f885bcc

SHA1
f27dca558faa73657acd91e9143ebbd6898e6190

SHA256
6736f8c5246f78153249f85bce92b5c9b0cb6250539e200ff59b6489429fdf8a

SHA512
6743c1c6aa96bb82e17430002b024c56497da13af2b55645553d247bb4cc8f6113dbf84421bcf51950c58738a1d451ffddb57584a324a5a1d0c0e49ef48e0ded

Download Submit
C:\Windows\System\htGBmFy.exe

Filesize
5.2MB

MD5
b567bc2d9748acf09402636f77df78f6

SHA1
8063f21dba3d270c846fda85909f5b6742e9b5ef

SHA256
98e69e8f4306dec61fa3791272131931d475ad310ddca29ab2f47c82eb87eb47

SHA512
01e547ced2445456c9b27317d69e8c9367f7276a87dbbb651ce21046406b7ecd4f6cb4be78637eeea0100b1f557242bb3a8459e0102c7fa5adad7f3b35465f6a

Download Submit
C:\Windows\System\jChTjSe.exe

Filesize
5.2MB

MD5
d0a1f8da3d85948e0c7346d8c7b24d3e

SHA1
e45a1fbb8f41cf3684f390689588bb29008af243

SHA256
0b6cccdfaec44f0e0cc92d85dd644913e9a3a2b50ab454d4043eadc559883516

SHA512
b4d1ecf5fa1d551258f9c45caff34b6429c17d7be77868dda2647f7a8b55898866aba48897f37fbb283840a8116262a7bc9aa0ae28351b61455b179476e05b85

Download Submit
C:\Windows\System\mZkMhMH.exe

Filesize
5.2MB

MD5
33f94069d51a1b2900fb572115737230

SHA1
6970c997898073abedd950e9c1ccecacb2dde25b

SHA256
53192cb75a3b08a60430c593b26519589c95c2699ff88ecc6152368c887d4ea2

SHA512
565eed3be0fb7305cbe07302cecdb41c621c3b325808670bf175e99a365f06882d97cf4e22b1683a7bf18e54c1f83f742cde188837b584d3a8fdb801954d0666

Download Submit
C:\Windows\System\qpqRvKE.exe

Filesize
5.2MB

MD5
b093ce4a5d622a1b5dd45806205685a0

SHA1
c626f6aa95ebd1db351b1798617db6802a718608

SHA256
ad9103e4a2a4e0167acb6d1552c5b56df0614a79c94a41bfa803dbec5b1b318f

SHA512
7056970340917017c78aa84d93b6fa05212ee9005d125ba9cae499570b6897c1f7b8d61c5a47901ce1822be7702db8d02a4ea262bbe94a2ec0521fd720feccd6

Download Submit
C:\Windows\System\rsGzUNi.exe

Filesize
5.2MB

MD5
166b686082e58670962b33a18b5a679c

SHA1
50a0fa67042a76d87ef9f8f246d2452ee8fd6e82

SHA256
ad9f538009d77d13e7216da971f9e787d9b648f6fb04f64153db65d07f8a8578

SHA512
fc0415871a6c9705f83c4bf43fc9965cb8cf16ca67dfd88d1fcee35cb9e193f57f9bb17edb296cd8c4dcade72454fbff65c94f870cee9b2c8304441ac9949ba4

Download Submit
C:\Windows\System\tNXXgGz.exe

Filesize
5.2MB

MD5
bbdcdc1270393f90008a2671be3b8033

SHA1
69f607dd513e53b4028257490bf0a6dbfebf0093

SHA256
637bfb6462bc6344b441a34daed4f4a48ea6e31418eebf0c43971a2b387662d5

SHA512
95b4091bfcdac26730081bc350d1d765c484e689193db7237f0283d0454f807ac7a565c4bfeeee6195247e155dabe66d8e54445db6c63c1087b97ba491f8e13e

Download Submit
C:\Windows\System\uvdqxmc.exe

Filesize
5.2MB

MD5
c59802a40abbbb3f53e5ea0d207201fe

SHA1
ece9ba8cd8d64b91697df408d1cc72b7cc44d001

SHA256
07961483b5611bf3395021252184f5b4e8d3be14c6ef7711a8319345967e0832

SHA512
be5b4cd2df43af11056b3a7a6e6edb9127e2a98a194dbc7a0a4e2d6deade696fd5f8dd5bd763736b52f6668596413f621782e576428866e09de90413e16ce8ce

Download Submit
C:\Windows\System\wLMLDqx.exe

Filesize
5.2MB

MD5
bab12d34914e03e0bb58623191086321

SHA1
40b98ff3d4e9efcddad83485891f5568c83e9531

SHA256
6cac6f2652246e1aa106ce9598db76c984e1222862da0e0b56328d182fb2949b

SHA512
3641514ce4afe4d746274aa4ac81fc822cc8f5b764a52557859e6e5c04c6ccc783d9f8ba01601be59597f18a1fe01127213ca3c3a1d401c5d33c47ad3659db7e

Download Submit
C:\Windows\System\xVCbnqk.exe

Filesize
5.2MB

MD5
54f7d6ca9152146ffa329323e957301c

SHA1
d76565f6f48a522d15241be5c7e4ae2d659d7494

SHA256
5ac1a0d3dcb65826329de7f02b619eaec55a8cb06b7312ab07f0c08f549af706

SHA512
0236d9f96c3531e6ee35ad0c1f2b04c44df0c5bdc7f16dd3c3e3bb56c833618ddcad4f2ea121f7186f05aeadcaafd90e1f1c859f6c1bc88962b3ee0e79d2fb8e

Download Submit
memory/212-36-0x00007FF62DF70000-0x00007FF62E2C1000-memory.dmp

Filesize
3.3MB

Download
memory/212-99-0x00007FF62DF70000-0x00007FF62E2C1000-memory.dmp

Filesize
3.3MB

Download
memory/212-231-0x00007FF62DF70000-0x00007FF62E2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-89-0x00007FF7D5C00000-0x00007FF7D5F51000-memory.dmp

Filesize
3.3MB

Download
memory/1440-255-0x00007FF7D5C00000-0x00007FF7D5F51000-memory.dmp

Filesize
3.3MB

Download
memory/1496-227-0x00007FF61A7A0000-0x00007FF61AAF1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-19-0x00007FF61A7A0000-0x00007FF61AAF1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-75-0x00007FF61A7A0000-0x00007FF61AAF1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-41-0x00007FF7BF4A0000-0x00007FF7BF7F1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-108-0x00007FF7BF4A0000-0x00007FF7BF7F1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-237-0x00007FF7BF4A0000-0x00007FF7BF7F1000-memory.dmp

Filesize
3.3MB

Download
memory/1788-93-0x00007FF784120000-0x00007FF784471000-memory.dmp

Filesize
3.3MB

Download
memory/1788-261-0x00007FF784120000-0x00007FF784471000-memory.dmp

Filesize
3.3MB

Download
memory/1788-154-0x00007FF784120000-0x00007FF784471000-memory.dmp

Filesize
3.3MB

Download
memory/1948-135-0x00007FF66D1E0000-0x00007FF66D531000-memory.dmp

Filesize
3.3MB

Download
memory/1948-166-0x00007FF66D1E0000-0x00007FF66D531000-memory.dmp

Filesize
3.3MB

Download
memory/1948-275-0x00007FF66D1E0000-0x00007FF66D531000-memory.dmp

Filesize
3.3MB

Download
memory/1984-253-0x00007FF65A8D0000-0x00007FF65AC21000-memory.dmp

Filesize
3.3MB

Download
memory/1984-150-0x00007FF65A8D0000-0x00007FF65AC21000-memory.dmp

Filesize
3.3MB

Download
memory/1984-79-0x00007FF65A8D0000-0x00007FF65AC21000-memory.dmp

Filesize
3.3MB

Download
memory/2108-165-0x00007FF7FBC00000-0x00007FF7FBF51000-memory.dmp

Filesize
3.3MB

Download
memory/2108-132-0x00007FF7FBC00000-0x00007FF7FBF51000-memory.dmp

Filesize
3.3MB

Download
memory/2108-273-0x00007FF7FBC00000-0x00007FF7FBF51000-memory.dmp

Filesize
3.3MB

Download
memory/2324-94-0x00007FF708000000-0x00007FF708351000-memory.dmp

Filesize
3.3MB

Download
memory/2324-258-0x00007FF708000000-0x00007FF708351000-memory.dmp

Filesize
3.3MB

Download
memory/2324-153-0x00007FF708000000-0x00007FF708351000-memory.dmp

Filesize
3.3MB

Download
memory/2436-229-0x00007FF7B6380000-0x00007FF7B66D1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-30-0x00007FF7B6380000-0x00007FF7B66D1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-92-0x00007FF7B6380000-0x00007FF7B66D1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-67-0x00007FF7F1440000-0x00007FF7F1791000-memory.dmp

Filesize
3.3MB

Download
memory/2940-16-0x00007FF7F1440000-0x00007FF7F1791000-memory.dmp

Filesize
3.3MB

Download
memory/2940-223-0x00007FF7F1440000-0x00007FF7F1791000-memory.dmp

Filesize
3.3MB

Download
memory/3320-164-0x00007FF76DC20000-0x00007FF76DF71000-memory.dmp

Filesize
3.3MB

Download
memory/3320-271-0x00007FF76DC20000-0x00007FF76DF71000-memory.dmp

Filesize
3.3MB

Download
memory/3320-126-0x00007FF76DC20000-0x00007FF76DF71000-memory.dmp

Filesize
3.3MB

Download
memory/3336-0-0x00007FF661A20000-0x00007FF661D71000-memory.dmp

Filesize
3.3MB

Download
memory/3336-140-0x00007FF661A20000-0x00007FF661D71000-memory.dmp

Filesize
3.3MB

Download
memory/3336-59-0x00007FF661A20000-0x00007FF661D71000-memory.dmp

Filesize
3.3MB

Download
memory/3336-1-0x0000020670210000-0x0000020670220000-memory.dmp

Filesize
64KB

Download
memory/3336-168-0x00007FF661A20000-0x00007FF661D71000-memory.dmp

Filesize
3.3MB

Download
memory/4012-161-0x00007FF7A5A40000-0x00007FF7A5D91000-memory.dmp

Filesize
3.3MB

Download
memory/4012-110-0x00007FF7A5A40000-0x00007FF7A5D91000-memory.dmp

Filesize
3.3MB

Download
memory/4012-263-0x00007FF7A5A40000-0x00007FF7A5D91000-memory.dmp

Filesize
3.3MB

Download
memory/4168-123-0x00007FF6C26B0000-0x00007FF6C2A01000-memory.dmp

Filesize
3.3MB

Download
memory/4168-243-0x00007FF6C26B0000-0x00007FF6C2A01000-memory.dmp

Filesize
3.3MB

Download
memory/4168-57-0x00007FF6C26B0000-0x00007FF6C2A01000-memory.dmp

Filesize
3.3MB

Download
memory/4224-60-0x00007FF6597B0000-0x00007FF659B01000-memory.dmp

Filesize
3.3MB

Download
memory/4224-241-0x00007FF6597B0000-0x00007FF659B01000-memory.dmp

Filesize
3.3MB

Download
memory/4224-131-0x00007FF6597B0000-0x00007FF659B01000-memory.dmp

Filesize
3.3MB

Download
memory/4308-22-0x00007FF715580000-0x00007FF7158D1000-memory.dmp

Filesize
3.3MB

Download
memory/4308-225-0x00007FF715580000-0x00007FF7158D1000-memory.dmp

Filesize
3.3MB

Download
memory/4308-84-0x00007FF715580000-0x00007FF7158D1000-memory.dmp

Filesize
3.3MB

Download
memory/4616-68-0x00007FF70DF20000-0x00007FF70E271000-memory.dmp

Filesize
3.3MB

Download
memory/4616-134-0x00007FF70DF20000-0x00007FF70E271000-memory.dmp

Filesize
3.3MB

Download
memory/4616-245-0x00007FF70DF20000-0x00007FF70E271000-memory.dmp

Filesize
3.3MB

Download
memory/4864-221-0x00007FF792D70000-0x00007FF7930C1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-7-0x00007FF792D70000-0x00007FF7930C1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-66-0x00007FF792D70000-0x00007FF7930C1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-155-0x00007FF7DF710000-0x00007FF7DFA61000-memory.dmp

Filesize
3.3MB

Download
memory/4944-103-0x00007FF7DF710000-0x00007FF7DFA61000-memory.dmp

Filesize
3.3MB

Download
memory/4944-259-0x00007FF7DF710000-0x00007FF7DFA61000-memory.dmp

Filesize
3.3MB

Download
memory/5020-167-0x00007FF67F720000-0x00007FF67FA71000-memory.dmp

Filesize
3.3MB

Download
memory/5020-269-0x00007FF67F720000-0x00007FF67FA71000-memory.dmp

Filesize
3.3MB

Download
memory/5020-117-0x00007FF67F720000-0x00007FF67FA71000-memory.dmp

Filesize
3.3MB

Download
memory/5104-239-0x00007FF613A20000-0x00007FF613D71000-memory.dmp

Filesize
3.3MB

Download
memory/5104-48-0x00007FF613A20000-0x00007FF613D71000-memory.dmp

Filesize
3.3MB

Download
memory/5104-116-0x00007FF613A20000-0x00007FF613D71000-memory.dmp

Filesize
3.3MB

Download