cobaltstrike | bd958eb8a8b4b1b8ae30c6867ad0aed5968a03f9b2fe87d5a6db805803531e8d

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

113f0afa7543fedaf6d3caded1ec5e25
SHA1

a505509ca766c49e73433f60b5f57460270a0680
SHA256

bd958eb8a8b4b1b8ae30c6867ad0aed5968a03f9b2fe87d5a6db805803531e8d
SHA512

bc31c9e2b289945adbf4bd495071619445ac5c4c8432ca5640a4a73316d61a62ea4230091a19f85a5f932259ee3235dded684ef7f93993ee5f60d5b073fc58f5
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6la:RWWBibf56utgpPFotBER/mQ32lUO

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002347f-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023480-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023481-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023482-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023483-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023484-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023485-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023486-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023487-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023489-59.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002347d-66.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348a-76.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348b-82.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348c-87.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348d-95.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348e-102.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348f-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023490-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023491-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023493-137.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023492-136.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3400-67-0x00007FF7E5DD0000-0x00007FF7E6121000-memory.dmp	xmrig
behavioral2/memory/3612-60-0x00007FF71C400000-0x00007FF71C751000-memory.dmp	xmrig
behavioral2/memory/2544-84-0x00007FF68D620000-0x00007FF68D971000-memory.dmp	xmrig
behavioral2/memory/3924-89-0x00007FF74BD20000-0x00007FF74C071000-memory.dmp	xmrig
behavioral2/memory/3752-96-0x00007FF78ACA0000-0x00007FF78AFF1000-memory.dmp	xmrig
behavioral2/memory/436-103-0x00007FF74F3D0000-0x00007FF74F721000-memory.dmp	xmrig
behavioral2/memory/4436-88-0x00007FF7638F0000-0x00007FF763C41000-memory.dmp	xmrig
behavioral2/memory/2188-75-0x00007FF70BF40000-0x00007FF70C291000-memory.dmp	xmrig
behavioral2/memory/720-71-0x00007FF6DA8E0000-0x00007FF6DAC31000-memory.dmp	xmrig
behavioral2/memory/2676-107-0x00007FF66E110000-0x00007FF66E461000-memory.dmp	xmrig
behavioral2/memory/796-118-0x00007FF723AB0000-0x00007FF723E01000-memory.dmp	xmrig
behavioral2/memory/3172-115-0x00007FF747410000-0x00007FF747761000-memory.dmp	xmrig
behavioral2/memory/4588-112-0x00007FF75C5D0000-0x00007FF75C921000-memory.dmp	xmrig
behavioral2/memory/1676-134-0x00007FF719770000-0x00007FF719AC1000-memory.dmp	xmrig
behavioral2/memory/1944-126-0x00007FF66D790000-0x00007FF66DAE1000-memory.dmp	xmrig
behavioral2/memory/2064-141-0x00007FF62A6B0000-0x00007FF62AA01000-memory.dmp	xmrig
behavioral2/memory/3612-142-0x00007FF71C400000-0x00007FF71C751000-memory.dmp	xmrig
behavioral2/memory/2000-143-0x00007FF6E3D40000-0x00007FF6E4091000-memory.dmp	xmrig
behavioral2/memory/548-155-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp	xmrig
behavioral2/memory/1132-161-0x00007FF632C70000-0x00007FF632FC1000-memory.dmp	xmrig
behavioral2/memory/1544-165-0x00007FF7C21D0000-0x00007FF7C2521000-memory.dmp	xmrig
behavioral2/memory/2532-167-0x00007FF6F5B10000-0x00007FF6F5E61000-memory.dmp	xmrig
behavioral2/memory/3144-166-0x00007FF703E00000-0x00007FF704151000-memory.dmp	xmrig
behavioral2/memory/3612-168-0x00007FF71C400000-0x00007FF71C751000-memory.dmp	xmrig
behavioral2/memory/3400-221-0x00007FF7E5DD0000-0x00007FF7E6121000-memory.dmp	xmrig
behavioral2/memory/720-223-0x00007FF6DA8E0000-0x00007FF6DAC31000-memory.dmp	xmrig
behavioral2/memory/2188-225-0x00007FF70BF40000-0x00007FF70C291000-memory.dmp	xmrig
behavioral2/memory/2544-227-0x00007FF68D620000-0x00007FF68D971000-memory.dmp	xmrig
behavioral2/memory/3752-234-0x00007FF78ACA0000-0x00007FF78AFF1000-memory.dmp	xmrig
behavioral2/memory/3924-236-0x00007FF74BD20000-0x00007FF74C071000-memory.dmp	xmrig
behavioral2/memory/436-239-0x00007FF74F3D0000-0x00007FF74F721000-memory.dmp	xmrig
behavioral2/memory/2676-240-0x00007FF66E110000-0x00007FF66E461000-memory.dmp	xmrig
behavioral2/memory/4588-243-0x00007FF75C5D0000-0x00007FF75C921000-memory.dmp	xmrig
behavioral2/memory/796-244-0x00007FF723AB0000-0x00007FF723E01000-memory.dmp	xmrig
behavioral2/memory/1944-246-0x00007FF66D790000-0x00007FF66DAE1000-memory.dmp	xmrig
behavioral2/memory/1676-252-0x00007FF719770000-0x00007FF719AC1000-memory.dmp	xmrig
behavioral2/memory/4436-254-0x00007FF7638F0000-0x00007FF763C41000-memory.dmp	xmrig
behavioral2/memory/2064-256-0x00007FF62A6B0000-0x00007FF62AA01000-memory.dmp	xmrig
behavioral2/memory/548-260-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp	xmrig
behavioral2/memory/2000-259-0x00007FF6E3D40000-0x00007FF6E4091000-memory.dmp	xmrig
behavioral2/memory/3172-264-0x00007FF747410000-0x00007FF747761000-memory.dmp	xmrig
behavioral2/memory/1132-269-0x00007FF632C70000-0x00007FF632FC1000-memory.dmp	xmrig
behavioral2/memory/1544-271-0x00007FF7C21D0000-0x00007FF7C2521000-memory.dmp	xmrig
behavioral2/memory/2532-273-0x00007FF6F5B10000-0x00007FF6F5E61000-memory.dmp	xmrig
behavioral2/memory/3144-275-0x00007FF703E00000-0x00007FF704151000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3400	uOgdPxq.exe
720	HtCXFiO.exe
2188	KuTzXwj.exe
2544	ZsEwpmU.exe
3924	sEazqRE.exe
3752	wKRVbJY.exe
436	PxNJHPF.exe
2676	aMGSjKo.exe
4588	gkzMjag.exe
796	SDHPSsP.exe
1944	bbKGwaM.exe
1676	HIpkDgz.exe
4436	cxJNkbA.exe
2064	gDXqiLE.exe
2000	HUfglrf.exe
548	AZaFDaW.exe
3172	zhFRLjm.exe
1132	cehiaoN.exe
1544	XkBmngd.exe
3144	EiRLOSU.exe
2532	LgMFVql.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3612-0-0x00007FF71C400000-0x00007FF71C751000-memory.dmp	upx
behavioral2/files/0x000800000002347f-4.dat	upx
behavioral2/memory/3400-8-0x00007FF7E5DD0000-0x00007FF7E6121000-memory.dmp	upx
behavioral2/files/0x0007000000023480-11.dat	upx
behavioral2/files/0x0007000000023481-10.dat	upx
behavioral2/memory/720-13-0x00007FF6DA8E0000-0x00007FF6DAC31000-memory.dmp	upx
behavioral2/files/0x0007000000023482-22.dat	upx
behavioral2/memory/2544-23-0x00007FF68D620000-0x00007FF68D971000-memory.dmp	upx
behavioral2/memory/3924-30-0x00007FF74BD20000-0x00007FF74C071000-memory.dmp	upx
behavioral2/files/0x0007000000023483-33.dat	upx
behavioral2/files/0x0007000000023484-34.dat	upx
behavioral2/files/0x0007000000023485-39.dat	upx
behavioral2/memory/2676-48-0x00007FF66E110000-0x00007FF66E461000-memory.dmp	upx
behavioral2/files/0x0007000000023486-47.dat	upx
behavioral2/memory/436-44-0x00007FF74F3D0000-0x00007FF74F721000-memory.dmp	upx
behavioral2/files/0x0007000000023487-53.dat	upx
behavioral2/files/0x0007000000023489-59.dat	upx
behavioral2/memory/796-61-0x00007FF723AB0000-0x00007FF723E01000-memory.dmp	upx
behavioral2/files/0x000800000002347d-66.dat	upx
behavioral2/memory/1944-68-0x00007FF66D790000-0x00007FF66DAE1000-memory.dmp	upx
behavioral2/memory/3400-67-0x00007FF7E5DD0000-0x00007FF7E6121000-memory.dmp	upx
behavioral2/memory/3612-60-0x00007FF71C400000-0x00007FF71C751000-memory.dmp	upx
behavioral2/memory/4588-54-0x00007FF75C5D0000-0x00007FF75C921000-memory.dmp	upx
behavioral2/memory/3752-35-0x00007FF78ACA0000-0x00007FF78AFF1000-memory.dmp	upx
behavioral2/memory/2188-18-0x00007FF70BF40000-0x00007FF70C291000-memory.dmp	upx
behavioral2/files/0x000700000002348a-76.dat	upx
behavioral2/files/0x000700000002348b-82.dat	upx
behavioral2/files/0x000700000002348c-87.dat	upx
behavioral2/memory/1676-81-0x00007FF719770000-0x00007FF719AC1000-memory.dmp	upx
behavioral2/memory/2544-84-0x00007FF68D620000-0x00007FF68D971000-memory.dmp	upx
behavioral2/memory/3924-89-0x00007FF74BD20000-0x00007FF74C071000-memory.dmp	upx
behavioral2/memory/3752-96-0x00007FF78ACA0000-0x00007FF78AFF1000-memory.dmp	upx
behavioral2/files/0x000700000002348d-95.dat	upx
behavioral2/files/0x000700000002348e-102.dat	upx
behavioral2/memory/548-104-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp	upx
behavioral2/memory/436-103-0x00007FF74F3D0000-0x00007FF74F721000-memory.dmp	upx
behavioral2/memory/2000-97-0x00007FF6E3D40000-0x00007FF6E4091000-memory.dmp	upx
behavioral2/memory/2064-90-0x00007FF62A6B0000-0x00007FF62AA01000-memory.dmp	upx
behavioral2/memory/4436-88-0x00007FF7638F0000-0x00007FF763C41000-memory.dmp	upx
behavioral2/memory/2188-75-0x00007FF70BF40000-0x00007FF70C291000-memory.dmp	upx
behavioral2/memory/720-71-0x00007FF6DA8E0000-0x00007FF6DAC31000-memory.dmp	upx
behavioral2/memory/2676-107-0x00007FF66E110000-0x00007FF66E461000-memory.dmp	upx
behavioral2/files/0x000700000002348f-111.dat	upx
behavioral2/files/0x0007000000023490-117.dat	upx
behavioral2/memory/1132-119-0x00007FF632C70000-0x00007FF632FC1000-memory.dmp	upx
behavioral2/memory/796-118-0x00007FF723AB0000-0x00007FF723E01000-memory.dmp	upx
behavioral2/memory/3172-115-0x00007FF747410000-0x00007FF747761000-memory.dmp	upx
behavioral2/memory/4588-112-0x00007FF75C5D0000-0x00007FF75C921000-memory.dmp	upx
behavioral2/files/0x0007000000023491-123.dat	upx
behavioral2/memory/1676-134-0x00007FF719770000-0x00007FF719AC1000-memory.dmp	upx
behavioral2/memory/3144-135-0x00007FF703E00000-0x00007FF704151000-memory.dmp	upx
behavioral2/memory/2532-140-0x00007FF6F5B10000-0x00007FF6F5E61000-memory.dmp	upx
behavioral2/files/0x0007000000023493-137.dat	upx
behavioral2/files/0x0007000000023492-136.dat	upx
behavioral2/memory/1544-127-0x00007FF7C21D0000-0x00007FF7C2521000-memory.dmp	upx
behavioral2/memory/1944-126-0x00007FF66D790000-0x00007FF66DAE1000-memory.dmp	upx
behavioral2/memory/2064-141-0x00007FF62A6B0000-0x00007FF62AA01000-memory.dmp	upx
behavioral2/memory/3612-142-0x00007FF71C400000-0x00007FF71C751000-memory.dmp	upx
behavioral2/memory/2000-143-0x00007FF6E3D40000-0x00007FF6E4091000-memory.dmp	upx
behavioral2/memory/548-155-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp	upx
behavioral2/memory/1132-161-0x00007FF632C70000-0x00007FF632FC1000-memory.dmp	upx
behavioral2/memory/1544-165-0x00007FF7C21D0000-0x00007FF7C2521000-memory.dmp	upx
behavioral2/memory/2532-167-0x00007FF6F5B10000-0x00007FF6F5E61000-memory.dmp	upx
behavioral2/memory/3144-166-0x00007FF703E00000-0x00007FF704151000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\LgMFVql.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uOgdPxq.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SDHPSsP.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HIpkDgz.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XkBmngd.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HtCXFiO.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZsEwpmU.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aMGSjKo.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gkzMjag.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bbKGwaM.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gDXqiLE.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AZaFDaW.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cehiaoN.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KuTzXwj.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sEazqRE.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wKRVbJY.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zhFRLjm.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EiRLOSU.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PxNJHPF.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cxJNkbA.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HUfglrf.exe	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 3400	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3612 wrote to memory of 3400	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3612 wrote to memory of 720	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3612 wrote to memory of 720	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3612 wrote to memory of 2188	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3612 wrote to memory of 2188	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3612 wrote to memory of 2544	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3612 wrote to memory of 2544	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3612 wrote to memory of 3924	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3612 wrote to memory of 3924	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3612 wrote to memory of 3752	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3612 wrote to memory of 3752	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3612 wrote to memory of 436	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3612 wrote to memory of 436	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3612 wrote to memory of 2676	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3612 wrote to memory of 2676	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3612 wrote to memory of 4588	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3612 wrote to memory of 4588	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3612 wrote to memory of 796	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3612 wrote to memory of 796	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3612 wrote to memory of 1944	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3612 wrote to memory of 1944	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3612 wrote to memory of 1676	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3612 wrote to memory of 1676	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3612 wrote to memory of 4436	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3612 wrote to memory of 4436	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3612 wrote to memory of 2064	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3612 wrote to memory of 2064	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3612 wrote to memory of 2000	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3612 wrote to memory of 2000	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3612 wrote to memory of 548	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3612 wrote to memory of 548	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3612 wrote to memory of 3172	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3612 wrote to memory of 3172	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3612 wrote to memory of 1132	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3612 wrote to memory of 1132	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3612 wrote to memory of 1544	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3612 wrote to memory of 1544	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3612 wrote to memory of 3144	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3612 wrote to memory of 3144	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3612 wrote to memory of 2532	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3612 wrote to memory of 2532	3612	2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_113f0afa7543fedaf6d3caded1ec5e25_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\System\uOgdPxq.exe
  C:\Windows\System\uOgdPxq.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\HtCXFiO.exe
  C:\Windows\System\HtCXFiO.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System\KuTzXwj.exe
  C:\Windows\System\KuTzXwj.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\ZsEwpmU.exe
  C:\Windows\System\ZsEwpmU.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\sEazqRE.exe
  C:\Windows\System\sEazqRE.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\wKRVbJY.exe
  C:\Windows\System\wKRVbJY.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System\PxNJHPF.exe
  C:\Windows\System\PxNJHPF.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\aMGSjKo.exe
  C:\Windows\System\aMGSjKo.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\gkzMjag.exe
  C:\Windows\System\gkzMjag.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System\SDHPSsP.exe
  C:\Windows\System\SDHPSsP.exe
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\System\bbKGwaM.exe
  C:\Windows\System\bbKGwaM.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\HIpkDgz.exe
  C:\Windows\System\HIpkDgz.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\cxJNkbA.exe
  C:\Windows\System\cxJNkbA.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System\gDXqiLE.exe
  C:\Windows\System\gDXqiLE.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\HUfglrf.exe
  C:\Windows\System\HUfglrf.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\AZaFDaW.exe
  C:\Windows\System\AZaFDaW.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\zhFRLjm.exe
  C:\Windows\System\zhFRLjm.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System\cehiaoN.exe
  C:\Windows\System\cehiaoN.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System\XkBmngd.exe
  C:\Windows\System\XkBmngd.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System\EiRLOSU.exe
  C:\Windows\System\EiRLOSU.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\LgMFVql.exe
  C:\Windows\System\LgMFVql.exe
  2⤵
  - Executes dropped EXE
  PID:2532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AZaFDaW.exe

Filesize
5.2MB

MD5
1fe9efcb686a306389b006456ab58ff6

SHA1
598319b1b0a9fb9a0f5554944b7619a84c498dcc

SHA256
5a5c646d6c22086e49fafc68ea3540b443a759f53123ddcc348b8bbcaf22f43b

SHA512
aeaa7916877a0defb811004dbd15798eff61ed73cc0019cfe8e953d70a63bd442cbd6ca0536b01eb468f3605c9ebe5fc004f792c010f2248c5b12bbcdb7dc662

Download Submit
C:\Windows\System\EiRLOSU.exe

Filesize
5.2MB

MD5
ded7dbf58a5bf722380567c778c4dfc5

SHA1
be9005a52397a5cb9d9066cb1709785df037bdd7

SHA256
7d0c261075ef31477e25beca11f6ed4c033e66c1511ba941ab75eab6a08018e2

SHA512
f4f4c12b3e0090b105f0c38a508e987def213a10096a1e6e9881cdd4015c0df878b4b6e74650821d79e3c228ac6382b1c35ebb004e311c40fec20cbfa4581331

Download Submit
C:\Windows\System\HIpkDgz.exe

Filesize
5.2MB

MD5
faf9ec362daf849e492a8c8143e7e57a

SHA1
aad3f198d33ca927fc777e5fea01f86587563999

SHA256
5f2a53e5fdb58e1fe7e8a0767b2d1dc2aba29d5425af38dafe0ebcf9a68c973c

SHA512
83f6dc28a75bd08f77f78a99f8a48561ccaa25bf778bc748e948ba705d3936ceb2935a86551a18be56ccda662c77f09b5a71d371f818f666c113a0716cced54f

Download Submit
C:\Windows\System\HUfglrf.exe

Filesize
5.2MB

MD5
8103c4841b0c895209726c6c216640da

SHA1
7d3084da1923c73599d345170044a55d929af5a0

SHA256
94e1f5a9c0218f26c6e5649e3f565ac73f8c2fde9a0cbae177a7fd46bda25b22

SHA512
bd66979f3086d3aed5cae44a566f3e0c94217136400541b70c3bcaf366420e28e2e7bb09bb8353324de41754e68196a5cee0a012a2ff53ce706d80cc7a07d695

Download Submit
C:\Windows\System\HtCXFiO.exe

Filesize
5.2MB

MD5
058090eb28ec55e8ef3ec8231d08809e

SHA1
32a500f8b1a1ee1f70f91a726940bf449c8eb17f

SHA256
076d2f4ca7fe52eeb39d4e9c2ea11f66bee9393a2a3d9163553496cb6cca310e

SHA512
e64914ae97bfb45e7e68b25e90122a4ae0b3d348078b0c07e9ff9cf910a320e4e3f25748bf2e4cf4e5c488d0c48c4279ed3a6cfbde8ee303bc2d48209ecc1b28

Download Submit
C:\Windows\System\KuTzXwj.exe

Filesize
5.2MB

MD5
76371794a8718c5ce26828e422abed6a

SHA1
865182b3e3e28d695d872186586e62d2baac2821

SHA256
2c10b511e8ced589253a4861f3bdce9094484f7f77403056c9dacf308dc31175

SHA512
535d5d8e642f04c2626797e486bb0e76660eac24c57d2e998280c97c5190ff7d451c718cb1aed2bea5a2ad0008b67bf19471f64dbefbe2e13473c5e4df2a507d

Download Submit
C:\Windows\System\LgMFVql.exe

Filesize
5.2MB

MD5
053a4ab771367c06848663301993e0c9

SHA1
7c893c123a423545fac892e1b7b815ed3d316731

SHA256
09c143ea22474dadbc75b086a7a6a70316b6908da1828587e4a7cdf3bf808a32

SHA512
60dab8af09527da4dabab73b43ee699b51be1f8dd39c2291d539c644073b91b880e38fa252b835cf99fbae7d2ba425dfed8ecbba094ecb3d0861c79113c9a040

Download Submit
C:\Windows\System\PxNJHPF.exe

Filesize
5.2MB

MD5
4bb31ec102a71bca7ae9a4b62b03d037

SHA1
4d6ae6b1beeb9532f29d7a54b554645ede56a4a7

SHA256
3a3fba54a3fcae29b815cb40fc9afd0b9ecd4cfcf894f78e6c9c8ed1484e72b8

SHA512
e82dfb194f3f79f113cfe78e3e42cb769eedb0d8eb21a6376b0733f62e6d9c640ebbec09616d6ce1f67a95a3a598d29877607fe05091447fa1ba17078ee794f2

Download Submit
C:\Windows\System\SDHPSsP.exe

Filesize
5.2MB

MD5
bb12111f7f91eca03e12ac7d1cfbaa43

SHA1
67e3075eb9d8938d3ebe6700e7c5367348c9b2a8

SHA256
37bd5a6a93940044708a95ae890bf708c52df810b899a46780209c3ae71b4bd3

SHA512
7d5b54d7c12d4c992072da95c8ee91e126294a437bb0d0dc55a3d792aecaa8c100aaaf0e11d50c12c4ac2625890e2bc6054e1605114419bbeb46a32efb274c1e

Download Submit
C:\Windows\System\XkBmngd.exe

Filesize
5.2MB

MD5
b7de30241a1ac76104b35c021744f00e

SHA1
c3565810d5776fc41481e8630111c1d4cc4f52d4

SHA256
6dc0deef612e871db1daa46adb4df8a11dc2744b21817f4c9af5a9aec5b5c994

SHA512
f7263bb31a9871db0fd0028591bbe3da552918953fd112c1546c1fb25c5a0c8f7d4d68d7c054a98cb9015a155f2e235fa89b22b7015a470b491b41019a1df255

Download Submit
C:\Windows\System\ZsEwpmU.exe

Filesize
5.2MB

MD5
0a887c4dcbb2294081dd2d56d0c4a121

SHA1
58d9768f6b340374f7c1459e32e48a823849c504

SHA256
3aa8b5bcf37dafff35a38284fde9eeaaf38421eaae9cdd2b64d9c574521a9f0b

SHA512
dc5239b179f3ac56f883033bd6cf1f5ee9d3097b437002ef5d2b11dd49ec4f7a4d054b257f39efa68ae87cb7160623c62d11c09a2912f78bc2f4524db63417a4

Download Submit
C:\Windows\System\aMGSjKo.exe

Filesize
5.2MB

MD5
517b02efcf9df3a6b0117db2bb92c226

SHA1
65f047cc9250d1a8e8f37dae8216692322e1b465

SHA256
3fef88c0568a0b06d46131fc022928730d6bba9d513168b9128f1dbbe9111a14

SHA512
491bbfb1b4dbbedfc647b266ab61511fa23316f89fcf282fbf2e0f8885d67bd2fe78433ca15621218f1f2639292d805f74b20912e8ddda506ec275af1bc2bf4a

Download Submit
C:\Windows\System\bbKGwaM.exe

Filesize
5.2MB

MD5
fbe5f07df3728ffa907149603c9fc149

SHA1
eafdc99b47936c1f73aca200e19e3cdcf7d54c0d

SHA256
4a8e8857384e0a411620424a68ef51ed734d6a9529fd582f1f342a33b72badcc

SHA512
005eb973c95b354b121d6a5234f850b750f06b58c46e4238549778ee2abd8ee96f03537534e39694784669b1ea56b8e3a653974ecaa5cb838f1e6f6ccb14145e

Download Submit
C:\Windows\System\cehiaoN.exe

Filesize
5.2MB

MD5
8bc250fa3f9ae0a44aa0e3185fa5ec8c

SHA1
064c59a5ea88e994f3a8fde36f3f89566676cfb2

SHA256
28c962fa12f7f7a0be1785512f57aa9c4b13d9127cfb54339204b837583df091

SHA512
3ef1dca8a81743e6a06750a5ea34b83eed8e90961e52da93efa9417775ddf8226d22da5dd9dfac1940319c8b0dd0058a61e3eb06b45c1d12f728e24137673199

Download Submit
C:\Windows\System\cxJNkbA.exe

Filesize
5.2MB

MD5
5e1520e36aea148ac23a5588e75734c5

SHA1
dcd621d3a6c2fba6031c7e1886c0b2e5750ee085

SHA256
0e82c7c9ceed3885252ba47fc29c26f46801071818e2718528bfc6dc66d3d1dd

SHA512
05208a60250bda62831715320bb2c271804b858f618e0fd012564e56ecb7cb3f377086d339114486a6e2cf6aa4b749d6c203f6810e34122551fc78ba0714f0fb

Download Submit
C:\Windows\System\gDXqiLE.exe

Filesize
5.2MB

MD5
89943172f3eed384c3a35d487504e823

SHA1
03e2ec55c1ca7115aa1827a1b1d4bdb206a43011

SHA256
6bb4f4b4b080db8aabce4859f74b893698824893602e37a0893e912491143701

SHA512
8d34df84a29ac45d4253225be0e3bd98ee0de2869a60fa17654042e38a64066613a91f6a50a384d8fc024aa1d12b9b457d551ba72a3c64213954d5a6528b78b2

Download Submit
C:\Windows\System\gkzMjag.exe

Filesize
5.2MB

MD5
7283965fcb91961c87c2f0fff24d1e83

SHA1
18d337b29886c86b0610c723e696f032f3b3cd95

SHA256
a740a619a3e20fb3b1646f36cfcb2f9f257462ac7e5a1aac3c75a5efd3a9d8d2

SHA512
41b62b7abd52d8f8157efa617d30a7bf84ad9daae9969f8f1e429f58953330c575d745b8b1289c5db26003dfca974bd294c63e04ebc6232b16bc0e9149c1fbbf

Download Submit
C:\Windows\System\sEazqRE.exe

Filesize
5.2MB

MD5
05fd465a897dcdf428511e67f1c85711

SHA1
d6f043c46902e9733538211414dccd48a3f564bb

SHA256
3fc20edb6aeecb4e0085417392fe591f86f342bab82af3c088844783197d069c

SHA512
bb0bb924c4d78e5d3b953caba7a577f24269da971ae7d4145a635b621349903efcb030394a8f446e5180ac105bfac0cd71ffbb125270518c5595a68b09225a14

Download Submit
C:\Windows\System\uOgdPxq.exe

Filesize
5.2MB

MD5
8dd73f6528ae3ee4d2ea1346144048cf

SHA1
d8531137287e0827a279c03cc6528889d5783642

SHA256
971fe9d191f94d886584bbb5c5eb4b6ede2f79130bd9cb902d4ab76a7259fe6a

SHA512
456494cc7cc0cf7a2fd598f5cd46a684e2b5a389469aac07186ef68696c6d0d20772ceb0327f0718a11bc226acc5869b9ec3dfc33dddc1b9e9c8fdf6919e210c

Download Submit
C:\Windows\System\wKRVbJY.exe

Filesize
5.2MB

MD5
d30d6cb7b32b94c4f8cb5bd3aeee2f25

SHA1
e23c3c606abefce90fea4cf6810512ab83a0c200

SHA256
8564b37a3de314bd72a8594e51763626f6dc1a026510c1f95f8f7b651f766398

SHA512
ec82191a0be3cb7e9c1bc9be6954422c02de93d1e6f1a1bf517fa1561d533aa53702c164be13849167710315d99df33608adaa167c8b9b3fe8f23bca0954185b

Download Submit
C:\Windows\System\zhFRLjm.exe

Filesize
5.2MB

MD5
3807432c5f0469c95a36b7c1ae72fe2c

SHA1
530fe8569f3fa8eaef0cd7002114c5e22d8cf57e

SHA256
2b4f7a3b189b35eb03e543bc25488fac3c9df19ad5b83174ab9c3bcee5090e94

SHA512
65c11dc919407e1827b9a5fbdbede0a7bf76556d5d7314a3631b0db27e0d6bb79c40cd9a64f3382644c0ad7c553505973b2a59ebf36190d4fb6171660272fdaf

Download Submit
memory/436-239-0x00007FF74F3D0000-0x00007FF74F721000-memory.dmp

Filesize
3.3MB

Download
memory/436-44-0x00007FF74F3D0000-0x00007FF74F721000-memory.dmp

Filesize
3.3MB

Download
memory/436-103-0x00007FF74F3D0000-0x00007FF74F721000-memory.dmp

Filesize
3.3MB

Download
memory/548-155-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp

Filesize
3.3MB

Download
memory/548-260-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp

Filesize
3.3MB

Download
memory/548-104-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp

Filesize
3.3MB

Download
memory/720-13-0x00007FF6DA8E0000-0x00007FF6DAC31000-memory.dmp

Filesize
3.3MB

Download
memory/720-71-0x00007FF6DA8E0000-0x00007FF6DAC31000-memory.dmp

Filesize
3.3MB

Download
memory/720-223-0x00007FF6DA8E0000-0x00007FF6DAC31000-memory.dmp

Filesize
3.3MB

Download
memory/796-244-0x00007FF723AB0000-0x00007FF723E01000-memory.dmp

Filesize
3.3MB

Download
memory/796-118-0x00007FF723AB0000-0x00007FF723E01000-memory.dmp

Filesize
3.3MB

Download
memory/796-61-0x00007FF723AB0000-0x00007FF723E01000-memory.dmp

Filesize
3.3MB

Download
memory/1132-161-0x00007FF632C70000-0x00007FF632FC1000-memory.dmp

Filesize
3.3MB

Download
memory/1132-119-0x00007FF632C70000-0x00007FF632FC1000-memory.dmp

Filesize
3.3MB

Download
memory/1132-269-0x00007FF632C70000-0x00007FF632FC1000-memory.dmp

Filesize
3.3MB

Download
memory/1544-165-0x00007FF7C21D0000-0x00007FF7C2521000-memory.dmp

Filesize
3.3MB

Download
memory/1544-271-0x00007FF7C21D0000-0x00007FF7C2521000-memory.dmp

Filesize
3.3MB

Download
memory/1544-127-0x00007FF7C21D0000-0x00007FF7C2521000-memory.dmp

Filesize
3.3MB

Download
memory/1676-81-0x00007FF719770000-0x00007FF719AC1000-memory.dmp

Filesize
3.3MB

Download
memory/1676-252-0x00007FF719770000-0x00007FF719AC1000-memory.dmp

Filesize
3.3MB

Download
memory/1676-134-0x00007FF719770000-0x00007FF719AC1000-memory.dmp

Filesize
3.3MB

Download
memory/1944-126-0x00007FF66D790000-0x00007FF66DAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1944-68-0x00007FF66D790000-0x00007FF66DAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1944-246-0x00007FF66D790000-0x00007FF66DAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2000-259-0x00007FF6E3D40000-0x00007FF6E4091000-memory.dmp

Filesize
3.3MB

Download
memory/2000-97-0x00007FF6E3D40000-0x00007FF6E4091000-memory.dmp

Filesize
3.3MB

Download
memory/2000-143-0x00007FF6E3D40000-0x00007FF6E4091000-memory.dmp

Filesize
3.3MB

Download
memory/2064-256-0x00007FF62A6B0000-0x00007FF62AA01000-memory.dmp

Filesize
3.3MB

Download
memory/2064-141-0x00007FF62A6B0000-0x00007FF62AA01000-memory.dmp

Filesize
3.3MB

Download
memory/2064-90-0x00007FF62A6B0000-0x00007FF62AA01000-memory.dmp

Filesize
3.3MB

Download
memory/2188-225-0x00007FF70BF40000-0x00007FF70C291000-memory.dmp

Filesize
3.3MB

Download
memory/2188-75-0x00007FF70BF40000-0x00007FF70C291000-memory.dmp

Filesize
3.3MB

Download
memory/2188-18-0x00007FF70BF40000-0x00007FF70C291000-memory.dmp

Filesize
3.3MB

Download
memory/2532-167-0x00007FF6F5B10000-0x00007FF6F5E61000-memory.dmp

Filesize
3.3MB

Download
memory/2532-140-0x00007FF6F5B10000-0x00007FF6F5E61000-memory.dmp

Filesize
3.3MB

Download
memory/2532-273-0x00007FF6F5B10000-0x00007FF6F5E61000-memory.dmp

Filesize
3.3MB

Download
memory/2544-227-0x00007FF68D620000-0x00007FF68D971000-memory.dmp

Filesize
3.3MB

Download
memory/2544-84-0x00007FF68D620000-0x00007FF68D971000-memory.dmp

Filesize
3.3MB

Download
memory/2544-23-0x00007FF68D620000-0x00007FF68D971000-memory.dmp

Filesize
3.3MB

Download
memory/2676-48-0x00007FF66E110000-0x00007FF66E461000-memory.dmp

Filesize
3.3MB

Download
memory/2676-107-0x00007FF66E110000-0x00007FF66E461000-memory.dmp

Filesize
3.3MB

Download
memory/2676-240-0x00007FF66E110000-0x00007FF66E461000-memory.dmp

Filesize
3.3MB

Download
memory/3144-166-0x00007FF703E00000-0x00007FF704151000-memory.dmp

Filesize
3.3MB

Download
memory/3144-275-0x00007FF703E00000-0x00007FF704151000-memory.dmp

Filesize
3.3MB

Download
memory/3144-135-0x00007FF703E00000-0x00007FF704151000-memory.dmp

Filesize
3.3MB

Download
memory/3172-264-0x00007FF747410000-0x00007FF747761000-memory.dmp

Filesize
3.3MB

Download
memory/3172-115-0x00007FF747410000-0x00007FF747761000-memory.dmp

Filesize
3.3MB

Download
memory/3400-8-0x00007FF7E5DD0000-0x00007FF7E6121000-memory.dmp

Filesize
3.3MB

Download
memory/3400-221-0x00007FF7E5DD0000-0x00007FF7E6121000-memory.dmp

Filesize
3.3MB

Download
memory/3400-67-0x00007FF7E5DD0000-0x00007FF7E6121000-memory.dmp

Filesize
3.3MB

Download
memory/3612-0-0x00007FF71C400000-0x00007FF71C751000-memory.dmp

Filesize
3.3MB

Download
memory/3612-142-0x00007FF71C400000-0x00007FF71C751000-memory.dmp

Filesize
3.3MB

Download
memory/3612-1-0x00000164C67F0000-0x00000164C6800000-memory.dmp

Filesize
64KB

Download
memory/3612-60-0x00007FF71C400000-0x00007FF71C751000-memory.dmp

Filesize
3.3MB

Download
memory/3612-168-0x00007FF71C400000-0x00007FF71C751000-memory.dmp

Filesize
3.3MB

Download
memory/3752-96-0x00007FF78ACA0000-0x00007FF78AFF1000-memory.dmp

Filesize
3.3MB

Download
memory/3752-234-0x00007FF78ACA0000-0x00007FF78AFF1000-memory.dmp

Filesize
3.3MB

Download
memory/3752-35-0x00007FF78ACA0000-0x00007FF78AFF1000-memory.dmp

Filesize
3.3MB

Download
memory/3924-236-0x00007FF74BD20000-0x00007FF74C071000-memory.dmp

Filesize
3.3MB

Download
memory/3924-89-0x00007FF74BD20000-0x00007FF74C071000-memory.dmp

Filesize
3.3MB

Download
memory/3924-30-0x00007FF74BD20000-0x00007FF74C071000-memory.dmp

Filesize
3.3MB

Download
memory/4436-254-0x00007FF7638F0000-0x00007FF763C41000-memory.dmp

Filesize
3.3MB

Download
memory/4436-88-0x00007FF7638F0000-0x00007FF763C41000-memory.dmp

Filesize
3.3MB

Download
memory/4588-54-0x00007FF75C5D0000-0x00007FF75C921000-memory.dmp

Filesize
3.3MB

Download
memory/4588-243-0x00007FF75C5D0000-0x00007FF75C921000-memory.dmp

Filesize
3.3MB

Download
memory/4588-112-0x00007FF75C5D0000-0x00007FF75C921000-memory.dmp

Filesize
3.3MB

Download