cobaltstrike | 936caf2da6a9066a7cfcfde51cdde1f7e8ac263aa2c0e6f08388ce4f959325ff

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

343782730c7876569d2e942dbf286dfb
SHA1

25bd21c49ad574a5239dedb94cff65141e52dd32
SHA256

936caf2da6a9066a7cfcfde51cdde1f7e8ac263aa2c0e6f08388ce4f959325ff
SHA512

e6ad87dc3832f4f794cbbf61ffeda18e330455d4de7251045718c8e8a300ffb05a367dae015b8d04e68ecfe9ce8bc3d9552ef5cd7a0d726f49ff3070bcec3d17
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lA:RWWBibf56utgpPFotBER/mQ32lUc

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234dc-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234de-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-12.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234df-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e0-28.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234da-36.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e2-42.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e3-46.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e4-53.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e5-58.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e6-67.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e7-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e8-81.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e9-86.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ea-96.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234eb-101.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ec-109.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ed-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ee-124.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f1-138.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ef-143.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/384-55-0x00007FF79D540000-0x00007FF79D891000-memory.dmp	xmrig
behavioral2/memory/4888-57-0x00007FF7D9CE0000-0x00007FF7DA031000-memory.dmp	xmrig
behavioral2/memory/564-62-0x00007FF68A4D0000-0x00007FF68A821000-memory.dmp	xmrig
behavioral2/memory/836-74-0x00007FF7453D0000-0x00007FF745721000-memory.dmp	xmrig
behavioral2/memory/3328-68-0x00007FF610480000-0x00007FF6107D1000-memory.dmp	xmrig
behavioral2/memory/336-82-0x00007FF7488D0000-0x00007FF748C21000-memory.dmp	xmrig
behavioral2/memory/1112-89-0x00007FF6B4950000-0x00007FF6B4CA1000-memory.dmp	xmrig
behavioral2/memory/1456-80-0x00007FF625F80000-0x00007FF6262D1000-memory.dmp	xmrig
behavioral2/memory/368-93-0x00007FF6C2A70000-0x00007FF6C2DC1000-memory.dmp	xmrig
behavioral2/memory/1904-97-0x00007FF7289D0000-0x00007FF728D21000-memory.dmp	xmrig
behavioral2/memory/728-121-0x00007FF671900000-0x00007FF671C51000-memory.dmp	xmrig
behavioral2/memory/4888-115-0x00007FF7D9CE0000-0x00007FF7DA031000-memory.dmp	xmrig
behavioral2/memory/4776-110-0x00007FF6358E0000-0x00007FF635C31000-memory.dmp	xmrig
behavioral2/memory/1988-135-0x00007FF7368F0000-0x00007FF736C41000-memory.dmp	xmrig
behavioral2/memory/1980-142-0x00007FF797070000-0x00007FF7973C1000-memory.dmp	xmrig
behavioral2/memory/5064-149-0x00007FF7E1440000-0x00007FF7E1791000-memory.dmp	xmrig
behavioral2/memory/4520-152-0x00007FF6F8890000-0x00007FF6F8BE1000-memory.dmp	xmrig
behavioral2/memory/5080-155-0x00007FF7FD360000-0x00007FF7FD6B1000-memory.dmp	xmrig
behavioral2/memory/1480-160-0x00007FF75A740000-0x00007FF75AA91000-memory.dmp	xmrig
behavioral2/memory/2976-161-0x00007FF625CE0000-0x00007FF626031000-memory.dmp	xmrig
behavioral2/memory/3688-167-0x00007FF76E390000-0x00007FF76E6E1000-memory.dmp	xmrig
behavioral2/memory/5072-166-0x00007FF62FD30000-0x00007FF630081000-memory.dmp	xmrig
behavioral2/memory/384-168-0x00007FF79D540000-0x00007FF79D891000-memory.dmp	xmrig
behavioral2/memory/2316-169-0x00007FF6E4DD0000-0x00007FF6E5121000-memory.dmp	xmrig
behavioral2/memory/564-221-0x00007FF68A4D0000-0x00007FF68A821000-memory.dmp	xmrig
behavioral2/memory/3328-223-0x00007FF610480000-0x00007FF6107D1000-memory.dmp	xmrig
behavioral2/memory/836-225-0x00007FF7453D0000-0x00007FF745721000-memory.dmp	xmrig
behavioral2/memory/336-227-0x00007FF7488D0000-0x00007FF748C21000-memory.dmp	xmrig
behavioral2/memory/1112-231-0x00007FF6B4950000-0x00007FF6B4CA1000-memory.dmp	xmrig
behavioral2/memory/368-233-0x00007FF6C2A70000-0x00007FF6C2DC1000-memory.dmp	xmrig
behavioral2/memory/1904-235-0x00007FF7289D0000-0x00007FF728D21000-memory.dmp	xmrig
behavioral2/memory/4776-239-0x00007FF6358E0000-0x00007FF635C31000-memory.dmp	xmrig
behavioral2/memory/4888-244-0x00007FF7D9CE0000-0x00007FF7DA031000-memory.dmp	xmrig
behavioral2/memory/728-246-0x00007FF671900000-0x00007FF671C51000-memory.dmp	xmrig
behavioral2/memory/1988-248-0x00007FF7368F0000-0x00007FF736C41000-memory.dmp	xmrig
behavioral2/memory/1456-250-0x00007FF625F80000-0x00007FF6262D1000-memory.dmp	xmrig
behavioral2/memory/1980-255-0x00007FF797070000-0x00007FF7973C1000-memory.dmp	xmrig
behavioral2/memory/5064-257-0x00007FF7E1440000-0x00007FF7E1791000-memory.dmp	xmrig
behavioral2/memory/4520-264-0x00007FF6F8890000-0x00007FF6F8BE1000-memory.dmp	xmrig
behavioral2/memory/5080-266-0x00007FF7FD360000-0x00007FF7FD6B1000-memory.dmp	xmrig
behavioral2/memory/1480-268-0x00007FF75A740000-0x00007FF75AA91000-memory.dmp	xmrig
behavioral2/memory/3688-270-0x00007FF76E390000-0x00007FF76E6E1000-memory.dmp	xmrig
behavioral2/memory/2976-272-0x00007FF625CE0000-0x00007FF626031000-memory.dmp	xmrig
behavioral2/memory/2316-276-0x00007FF6E4DD0000-0x00007FF6E5121000-memory.dmp	xmrig
behavioral2/memory/5072-278-0x00007FF62FD30000-0x00007FF630081000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
564	ZOQffvv.exe
3328	pjDzPAU.exe
836	PHYNPAg.exe
336	ejKzLYT.exe
1112	bXwVTPG.exe
368	KZdoyrJ.exe
1904	aKcuMQA.exe
4776	njVfObj.exe
4888	jaFPIQm.exe
728	hFmOeZh.exe
1988	GUkxTxY.exe
1456	XuClsnn.exe
1980	JleFhsY.exe
5064	AdPVzmt.exe
4520	JbpJKTV.exe
5080	PHebPrQ.exe
1480	SnyGCYq.exe
2976	hUJAKjd.exe
3688	TXWMdot.exe
5072	jiwCcPV.exe
2316	QmUhwOk.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/384-0-0x00007FF79D540000-0x00007FF79D891000-memory.dmp	upx
behavioral2/files/0x00080000000234dc-4.dat	upx
behavioral2/files/0x00070000000234de-10.dat	upx
behavioral2/files/0x00070000000234dd-12.dat	upx
behavioral2/memory/3328-14-0x00007FF610480000-0x00007FF6107D1000-memory.dmp	upx
behavioral2/memory/564-7-0x00007FF68A4D0000-0x00007FF68A821000-memory.dmp	upx
behavioral2/memory/836-21-0x00007FF7453D0000-0x00007FF745721000-memory.dmp	upx
behavioral2/files/0x00070000000234df-23.dat	upx
behavioral2/memory/336-26-0x00007FF7488D0000-0x00007FF748C21000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-28.dat	upx
behavioral2/memory/1112-32-0x00007FF6B4950000-0x00007FF6B4CA1000-memory.dmp	upx
behavioral2/files/0x00080000000234da-36.dat	upx
behavioral2/memory/368-37-0x00007FF6C2A70000-0x00007FF6C2DC1000-memory.dmp	upx
behavioral2/memory/1904-41-0x00007FF7289D0000-0x00007FF728D21000-memory.dmp	upx
behavioral2/files/0x00070000000234e2-42.dat	upx
behavioral2/files/0x00070000000234e3-46.dat	upx
behavioral2/memory/4776-48-0x00007FF6358E0000-0x00007FF635C31000-memory.dmp	upx
behavioral2/files/0x00070000000234e4-53.dat	upx
behavioral2/memory/384-55-0x00007FF79D540000-0x00007FF79D891000-memory.dmp	upx
behavioral2/memory/4888-57-0x00007FF7D9CE0000-0x00007FF7DA031000-memory.dmp	upx
behavioral2/files/0x00070000000234e5-58.dat	upx
behavioral2/memory/564-62-0x00007FF68A4D0000-0x00007FF68A821000-memory.dmp	upx
behavioral2/memory/728-63-0x00007FF671900000-0x00007FF671C51000-memory.dmp	upx
behavioral2/files/0x00070000000234e6-67.dat	upx
behavioral2/files/0x00070000000234e7-73.dat	upx
behavioral2/memory/836-74-0x00007FF7453D0000-0x00007FF745721000-memory.dmp	upx
behavioral2/memory/1988-69-0x00007FF7368F0000-0x00007FF736C41000-memory.dmp	upx
behavioral2/memory/3328-68-0x00007FF610480000-0x00007FF6107D1000-memory.dmp	upx
behavioral2/files/0x00070000000234e8-81.dat	upx
behavioral2/memory/336-82-0x00007FF7488D0000-0x00007FF748C21000-memory.dmp	upx
behavioral2/files/0x00070000000234e9-86.dat	upx
behavioral2/memory/5064-91-0x00007FF7E1440000-0x00007FF7E1791000-memory.dmp	upx
behavioral2/memory/1112-89-0x00007FF6B4950000-0x00007FF6B4CA1000-memory.dmp	upx
behavioral2/memory/1980-85-0x00007FF797070000-0x00007FF7973C1000-memory.dmp	upx
behavioral2/memory/1456-80-0x00007FF625F80000-0x00007FF6262D1000-memory.dmp	upx
behavioral2/memory/368-93-0x00007FF6C2A70000-0x00007FF6C2DC1000-memory.dmp	upx
behavioral2/files/0x00070000000234ea-96.dat	upx
behavioral2/memory/1904-97-0x00007FF7289D0000-0x00007FF728D21000-memory.dmp	upx
behavioral2/files/0x00070000000234eb-101.dat	upx
behavioral2/files/0x00070000000234ec-109.dat	upx
behavioral2/files/0x00070000000234ed-114.dat	upx
behavioral2/memory/2976-116-0x00007FF625CE0000-0x00007FF626031000-memory.dmp	upx
behavioral2/files/0x00070000000234ee-124.dat	upx
behavioral2/memory/3688-123-0x00007FF76E390000-0x00007FF76E6E1000-memory.dmp	upx
behavioral2/memory/728-121-0x00007FF671900000-0x00007FF671C51000-memory.dmp	upx
behavioral2/memory/4888-115-0x00007FF7D9CE0000-0x00007FF7DA031000-memory.dmp	upx
behavioral2/memory/1480-111-0x00007FF75A740000-0x00007FF75AA91000-memory.dmp	upx
behavioral2/memory/4776-110-0x00007FF6358E0000-0x00007FF635C31000-memory.dmp	upx
behavioral2/memory/5080-102-0x00007FF7FD360000-0x00007FF7FD6B1000-memory.dmp	upx
behavioral2/memory/4520-100-0x00007FF6F8890000-0x00007FF6F8BE1000-memory.dmp	upx
behavioral2/memory/1988-135-0x00007FF7368F0000-0x00007FF736C41000-memory.dmp	upx
behavioral2/files/0x00070000000234f1-138.dat	upx
behavioral2/memory/5072-140-0x00007FF62FD30000-0x00007FF630081000-memory.dmp	upx
behavioral2/files/0x00070000000234ef-143.dat	upx
behavioral2/memory/1980-142-0x00007FF797070000-0x00007FF7973C1000-memory.dmp	upx
behavioral2/memory/2316-141-0x00007FF6E4DD0000-0x00007FF6E5121000-memory.dmp	upx
behavioral2/memory/5064-149-0x00007FF7E1440000-0x00007FF7E1791000-memory.dmp	upx
behavioral2/memory/4520-152-0x00007FF6F8890000-0x00007FF6F8BE1000-memory.dmp	upx
behavioral2/memory/5080-155-0x00007FF7FD360000-0x00007FF7FD6B1000-memory.dmp	upx
behavioral2/memory/1480-160-0x00007FF75A740000-0x00007FF75AA91000-memory.dmp	upx
behavioral2/memory/2976-161-0x00007FF625CE0000-0x00007FF626031000-memory.dmp	upx
behavioral2/memory/3688-167-0x00007FF76E390000-0x00007FF76E6E1000-memory.dmp	upx
behavioral2/memory/5072-166-0x00007FF62FD30000-0x00007FF630081000-memory.dmp	upx
behavioral2/memory/384-168-0x00007FF79D540000-0x00007FF79D891000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\hFmOeZh.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GUkxTxY.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XuClsnn.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PHebPrQ.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hUJAKjd.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZOQffvv.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jaFPIQm.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KZdoyrJ.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AdPVzmt.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TXWMdot.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PHYNPAg.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ejKzLYT.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aKcuMQA.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\njVfObj.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SnyGCYq.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QmUhwOk.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pjDzPAU.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bXwVTPG.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jiwCcPV.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JleFhsY.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JbpJKTV.exe	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 564	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	82
PID 384 wrote to memory of 564	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	82
PID 384 wrote to memory of 3328	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 384 wrote to memory of 3328	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 384 wrote to memory of 836	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 384 wrote to memory of 836	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 384 wrote to memory of 336	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 384 wrote to memory of 336	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 384 wrote to memory of 1112	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 384 wrote to memory of 1112	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 384 wrote to memory of 368	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 384 wrote to memory of 368	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 384 wrote to memory of 1904	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 384 wrote to memory of 1904	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 384 wrote to memory of 4776	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 384 wrote to memory of 4776	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 384 wrote to memory of 4888	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 384 wrote to memory of 4888	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 384 wrote to memory of 728	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 384 wrote to memory of 728	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 384 wrote to memory of 1988	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 384 wrote to memory of 1988	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 384 wrote to memory of 1456	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 384 wrote to memory of 1456	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 384 wrote to memory of 1980	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 384 wrote to memory of 1980	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 384 wrote to memory of 5064	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 384 wrote to memory of 5064	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 384 wrote to memory of 4520	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 384 wrote to memory of 4520	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 384 wrote to memory of 5080	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 384 wrote to memory of 5080	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 384 wrote to memory of 1480	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 384 wrote to memory of 1480	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 384 wrote to memory of 2976	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 384 wrote to memory of 2976	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 384 wrote to memory of 3688	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 384 wrote to memory of 3688	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 384 wrote to memory of 5072	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 384 wrote to memory of 5072	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 384 wrote to memory of 2316	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 384 wrote to memory of 2316	384	2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_343782730c7876569d2e942dbf286dfb_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\System\ZOQffvv.exe
  C:\Windows\System\ZOQffvv.exe
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\System\pjDzPAU.exe
  C:\Windows\System\pjDzPAU.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System\PHYNPAg.exe
  C:\Windows\System\PHYNPAg.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\ejKzLYT.exe
  C:\Windows\System\ejKzLYT.exe
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Windows\System\bXwVTPG.exe
  C:\Windows\System\bXwVTPG.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System\KZdoyrJ.exe
  C:\Windows\System\KZdoyrJ.exe
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\System\aKcuMQA.exe
  C:\Windows\System\aKcuMQA.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\njVfObj.exe
  C:\Windows\System\njVfObj.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\jaFPIQm.exe
  C:\Windows\System\jaFPIQm.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\hFmOeZh.exe
  C:\Windows\System\hFmOeZh.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Windows\System\GUkxTxY.exe
  C:\Windows\System\GUkxTxY.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\XuClsnn.exe
  C:\Windows\System\XuClsnn.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System\JleFhsY.exe
  C:\Windows\System\JleFhsY.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\AdPVzmt.exe
  C:\Windows\System\AdPVzmt.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\JbpJKTV.exe
  C:\Windows\System\JbpJKTV.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\PHebPrQ.exe
  C:\Windows\System\PHebPrQ.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\SnyGCYq.exe
  C:\Windows\System\SnyGCYq.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\hUJAKjd.exe
  C:\Windows\System\hUJAKjd.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\TXWMdot.exe
  C:\Windows\System\TXWMdot.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\jiwCcPV.exe
  C:\Windows\System\jiwCcPV.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\QmUhwOk.exe
  C:\Windows\System\QmUhwOk.exe
  2⤵
  - Executes dropped EXE
  PID:2316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AdPVzmt.exe

Filesize
5.2MB

MD5
7a98525e5bdbf905a00f14e96a58aa22

SHA1
c61f4985cd0fe0783493ddac5856c81a55353346

SHA256
55ff9bfcd78499dfc5ae9c1db03202c259a79cf7e74f3b044937401100cad991

SHA512
cfd5360ce0e9727a30d1170063344e242950196237c2707429cdc8738bae14715efd8856d8b7b8aa652f31b5d0088006fd8b152703cd18bb2f0b4c2e67cf7efd

Download Submit
C:\Windows\System\GUkxTxY.exe

Filesize
5.2MB

MD5
a4fb08d313ea1f700bd168848d5be97e

SHA1
87b241fa8626a591f1994bb1aa2a81180774a6a3

SHA256
dbd3c42c9267a7c790b12f4a6a08bc4ee682174611f71a37a22296aa07ccce8b

SHA512
68c5093db41d9665f595a519924d45c9017d8a2de6f8e20420fd627c11ebd60572e7187370c2bb222ba066df5d77e174481c2379e8faafc9faf89cb5077aa4a1

Download Submit
C:\Windows\System\JbpJKTV.exe

Filesize
5.2MB

MD5
cf2b5accdc48c15a9fbd78eeb38ef7a5

SHA1
96a2c39ba2288028e650bced9eff46bb0656c26b

SHA256
228f22787e949663f0780a0380ca6de02d102c9014eab2f65e540a764f8a1d8b

SHA512
78f066ed869c8370c5b2800dc2393767855c8f35f99fa9806c4d3f1dacf8a1cc1ec1134a9f0382cd09246ab4bba98c2bf42a39375a58326a26e81f275a3204b8

Download Submit
C:\Windows\System\JleFhsY.exe

Filesize
5.2MB

MD5
11bdac8c0bd09c0bdd02cba68ae3dd83

SHA1
9db50cf6035d1d0cd6697b13fa927b86ed316b7e

SHA256
622ad5759326f66c6213d3909eb176f33084339a9c287d65fa2c1dbc34eb5df0

SHA512
fc7e4773dbc0dce63f4ed58674f74da7a25f679ebfc1f21891fe48ab781904c6addbfcc0f766a157f887b0c9904ef2f6e48ddccb733024ca721678214092e1d1

Download Submit
C:\Windows\System\KZdoyrJ.exe

Filesize
5.2MB

MD5
9185ebe8045f41ed3662ea6567f0c796

SHA1
96efe813d14a8e3f0d6b6b9a2b78326b93b987b9

SHA256
bb39356b80c833c6856d442cfafc7ce9a2882b9c4b74a9c6cb8b097ce50fb72f

SHA512
103cb79994441ba6711741288db67e8776a7d95632f4636737704fa8f411df13ebeb1bdf76c5c7777408d74d1ad41d608620a89f6958e4c6ef567141c7163c4e

Download Submit
C:\Windows\System\PHYNPAg.exe

Filesize
5.2MB

MD5
545801e7683ea0b26b0e0cc5ed1bfb1c

SHA1
7152514c7225dffe8bb1d9910d84ee3a88191603

SHA256
86e136736c91c7b1e5d59e27f8376b92b6ccb56e2b920b1b618cd857300a5f9b

SHA512
16341053f325a9be263b295c22c9f3d34d30e58d1521259132fe82c70033574fda1b7fd0c53f25a489f2487ba3ce95182bf1238da98295f5b71f41f676a26814

Download Submit
C:\Windows\System\PHebPrQ.exe

Filesize
5.2MB

MD5
31f69ba92e924abdc97d8a576ea4b158

SHA1
fabd3372e85460e389eb4d8c104940f673c78f26

SHA256
9b8a541c7c7c1e7c9c17506a75e67d309348c23ac3cd1afc6977bc7ddc940816

SHA512
bdcd547ac69df79a7184ab5b229e76e0a6e6fb91ae3fea55755e0fe85e7df451d162de26530f37dbe6aa8d5f0c0b931aa9b2ba5f41a20287988df801d216d2d8

Download Submit
C:\Windows\System\QmUhwOk.exe

Filesize
5.2MB

MD5
142c495bdb77d0a0f7cfc309ea94201b

SHA1
837c587f99e69df013b16d1686dc9edb00100d31

SHA256
9eba5c133a9ac52faf8286882d5f144f71f30cdfb1e271209407195d9364d8a0

SHA512
329c067f55ce9d9a57ab7085263a77d8ddc6d8887ac9278c5474fc7471ca5e05d36d72f72ebc9f21b04c6ecd33983b1e75db3b3b6b526ecfed53ddc7ae6fbc6a

Download Submit
C:\Windows\System\SnyGCYq.exe

Filesize
5.2MB

MD5
b3295792ba5ce5356e0b827ab57efd71

SHA1
72520074663775aa1b75e26ea79b11a757b20f98

SHA256
e8dbfa0512e7a6ea1bebcacc8f01ad4a0bcd2350bdd7c73e8476f11bac5f40d1

SHA512
7d911de08c183a486a7960835b2f006660fa277da4d0d277dfa6b092ab8974f912ec48ac71896db4f99100dc91a558dc459e1f55dd5cff548020bc4d6c2d52c4

Download Submit
C:\Windows\System\TXWMdot.exe

Filesize
5.2MB

MD5
d2cb5c95b4bd68849cb7bc24672091ae

SHA1
b5beafd79972429cbc8f52e383a0e24df3d650d5

SHA256
6d2278448ed1f68aafcd70e78f56f57fcf58024dcf9bfff7d65351e1c33b3eed

SHA512
9f1c39a44794995cc2307f59802b6e3c9981ee528a1713d67a8e48aa9ebff2bec97b219402f8d2b9cd98e67f754e95781a03fa7b990a9b63746ce9998d0d152f

Download Submit
C:\Windows\System\XuClsnn.exe

Filesize
5.2MB

MD5
1f18e9dec9afede0b86fac420557f9f7

SHA1
bc07e3ed08d5a1500f3e0f0ffef6e8ed020e422d

SHA256
428cc23f91d35969681cf687eaa9d1fb2c9f211e330a32fc7846d6fd63fe0296

SHA512
c5b011c3ed4af5dcadbedf01d5091b25492680883f2bb007dd0da9911fd94321ab8f6712c0bd60a5106d09c1bf9efc3cc8f6e0f4cbff6f62ccec0fcaad534b23

Download Submit
C:\Windows\System\ZOQffvv.exe

Filesize
5.2MB

MD5
183126edb1b9ddfb58a964ac4267e87b

SHA1
99d7a43ed32ae70007752ef23ef935b0ad529f6f

SHA256
0b9343196efca1b02318e110c35993c14cb1530e30e5465637f212e73cdaef70

SHA512
adf3d0eb6e5f0b7898ac4a7c0eaf35da9c91860af104512fc49ba9cc68c47d77e2b34309cdfbc1f56010392e1e7204216477caaad1c5bd5552aef76f65056f40

Download Submit
C:\Windows\System\aKcuMQA.exe

Filesize
5.2MB

MD5
5aa88f7d0635ca917b82eec3f75958ea

SHA1
5efabe70d3f2e05bebcbbfe234d14bff1ca93d54

SHA256
a7718e790d07be0dcdb9e0080392f3d41dbf6385da4770a874b22382c72e0ea5

SHA512
084e8c7876865271de98077e810c82f520326c176f9fd23f89e1e91d2641854ed3846edde870187ee70adb656c7db4da006cb9548513461ac4967dc6cd36e438

Download Submit
C:\Windows\System\bXwVTPG.exe

Filesize
5.2MB

MD5
8291310874124727da6d0035db93a84b

SHA1
7a2074f84bc63220ab039eed5881a4d608540b6e

SHA256
378e519c0c0aaebf6c3d394ea6eebcf02715eb1bf9e297be84c058ca63a1fb6b

SHA512
7ef0ff63ec8c36fa9843bfbb4f0f5b15c9acd32512a23558a6ea22babeeee1db48513f623f72ed0dff7b4d66a21b359372c2bcec363dbfa6a250f6e685bc6348

Download Submit
C:\Windows\System\ejKzLYT.exe

Filesize
5.2MB

MD5
3ecf5d02c3f39910022c25b04c29bef2

SHA1
5b8ce8afd1e50a73c782c4fe8225ada3f034aae0

SHA256
1015369b17f6733a342d721723370131e66016b261e849995614e603d454d17c

SHA512
830416d0ce71f8c026ccc1d2bb763bb5729a4be39161daced309401f51d3426d4b75bb31bae575af15c0a790af187761283ecf32618887a17ef0cdd9f1d4282d

Download Submit
C:\Windows\System\hFmOeZh.exe

Filesize
5.2MB

MD5
32e36a52d2004767378409c39488c122

SHA1
183facc12db060015e277c0518b578b680e74dcb

SHA256
7ad3227e5def9d930ec3149129457ec4b50edadbe98de5e0594956f2a72e3b8f

SHA512
c8892933e4079e6eef50b123a5dd554db82ab93af9052a35cd11108194f4b3ce7ee07a2baaf1af02f71584877f82aac38ec13ce51c369b09b66818eb5357d814

Download Submit
C:\Windows\System\hUJAKjd.exe

Filesize
5.2MB

MD5
939d3f695b5a4f423793f13487cc2b04

SHA1
5ee356d771b250abd1df34f59a15ac9d0fa4c5d7

SHA256
bcc62f3a31d4e643a761a4734b05773932e171fa650a41e443fee01400cd3792

SHA512
73880c77ae0690e97b5f84fecc55dbab808a11a5a2b6643c0ac6f8ebb1858eaac52d2b9c8e14fdc7c99cda757d684a87b937ff0c62344e73652b09e1fea3e2eb

Download Submit
C:\Windows\System\jaFPIQm.exe

Filesize
5.2MB

MD5
f31916e8df779b713bdb4d7390e8c289

SHA1
bb9de61ce72e8d0a384035c3d58825cc78eba5fe

SHA256
4d2f8b5c272d419c807c91377ad86d7f3661ef951569c14c26f93ed989a6bb3f

SHA512
e9fe0ff094ceb9531b2fac019ce7a6dc9b23c1334b78720c4fce73f98f15aa587e7d61b8baea2726a478d3f60adf70c5d4027f7ff058ff744e57ac4154e7f856

Download Submit
C:\Windows\System\jiwCcPV.exe

Filesize
5.2MB

MD5
a1ee46e0a774aa886501f5c9d4e57f0a

SHA1
f57996f2a739a5bd8540de59caee92e66e08161c

SHA256
3ff6aaf9c1a813584fc3c8eda760759b442b7e311d827a18de489fb01207112c

SHA512
22c07de914bc807d0191262b5dca786579666893cc2980bf98bb2c09d61d30ed930cef69f8f5e86c9dcb812b864ecb7ce2c512bb96cc11eaa7cc8f5ad66f8c12

Download Submit
C:\Windows\System\njVfObj.exe

Filesize
5.2MB

MD5
4df1b07e03a29cfab1cea1e9602d6843

SHA1
9a38fc901c2fbce1e8458f29316ac2e792954ddc

SHA256
a850d2f0bd65e45657a5e3f2d4464cbea9acf4d372c59bbd456c1a8663b36f28

SHA512
d3f21339909d795dd10c88524f6c911873352cbf84999f9b16b9378c972497f62288baeb2c7095c860d0f6720c00b87abf1bb6c273d3063ce899d0e04855cd7d

Download Submit
C:\Windows\System\pjDzPAU.exe

Filesize
5.2MB

MD5
b9c632b3491b5fbe0164035eb5e61397

SHA1
3d9d2ee00544cca88fcbfdfbed4e6ea59df541a5

SHA256
5d0e69295cf031fc91209aa5a964f2d16ee2d1ffe291bf70b62dbd2b569058b0

SHA512
190ef97dcf7514bbaef91af9c9a453c9dc576e1c0abc0577aedabf040b449e1259e54a6c223450ffa196548618820fb14d4d30e7dba91a67ef01bacce9e1361f

Download Submit
memory/336-82-0x00007FF7488D0000-0x00007FF748C21000-memory.dmp

Filesize
3.3MB

Download
memory/336-26-0x00007FF7488D0000-0x00007FF748C21000-memory.dmp

Filesize
3.3MB

Download
memory/336-227-0x00007FF7488D0000-0x00007FF748C21000-memory.dmp

Filesize
3.3MB

Download
memory/368-37-0x00007FF6C2A70000-0x00007FF6C2DC1000-memory.dmp

Filesize
3.3MB

Download
memory/368-93-0x00007FF6C2A70000-0x00007FF6C2DC1000-memory.dmp

Filesize
3.3MB

Download
memory/368-233-0x00007FF6C2A70000-0x00007FF6C2DC1000-memory.dmp

Filesize
3.3MB

Download
memory/384-55-0x00007FF79D540000-0x00007FF79D891000-memory.dmp

Filesize
3.3MB

Download
memory/384-168-0x00007FF79D540000-0x00007FF79D891000-memory.dmp

Filesize
3.3MB

Download
memory/384-1-0x00000234F9B60000-0x00000234F9B70000-memory.dmp

Filesize
64KB

Download
memory/384-0-0x00007FF79D540000-0x00007FF79D891000-memory.dmp

Filesize
3.3MB

Download
memory/564-62-0x00007FF68A4D0000-0x00007FF68A821000-memory.dmp

Filesize
3.3MB

Download
memory/564-7-0x00007FF68A4D0000-0x00007FF68A821000-memory.dmp

Filesize
3.3MB

Download
memory/564-221-0x00007FF68A4D0000-0x00007FF68A821000-memory.dmp

Filesize
3.3MB

Download
memory/728-121-0x00007FF671900000-0x00007FF671C51000-memory.dmp

Filesize
3.3MB

Download
memory/728-63-0x00007FF671900000-0x00007FF671C51000-memory.dmp

Filesize
3.3MB

Download
memory/728-246-0x00007FF671900000-0x00007FF671C51000-memory.dmp

Filesize
3.3MB

Download
memory/836-21-0x00007FF7453D0000-0x00007FF745721000-memory.dmp

Filesize
3.3MB

Download
memory/836-225-0x00007FF7453D0000-0x00007FF745721000-memory.dmp

Filesize
3.3MB

Download
memory/836-74-0x00007FF7453D0000-0x00007FF745721000-memory.dmp

Filesize
3.3MB

Download
memory/1112-89-0x00007FF6B4950000-0x00007FF6B4CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1112-231-0x00007FF6B4950000-0x00007FF6B4CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1112-32-0x00007FF6B4950000-0x00007FF6B4CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1456-250-0x00007FF625F80000-0x00007FF6262D1000-memory.dmp

Filesize
3.3MB

Download
memory/1456-80-0x00007FF625F80000-0x00007FF6262D1000-memory.dmp

Filesize
3.3MB

Download
memory/1480-111-0x00007FF75A740000-0x00007FF75AA91000-memory.dmp

Filesize
3.3MB

Download
memory/1480-268-0x00007FF75A740000-0x00007FF75AA91000-memory.dmp

Filesize
3.3MB

Download
memory/1480-160-0x00007FF75A740000-0x00007FF75AA91000-memory.dmp

Filesize
3.3MB

Download
memory/1904-97-0x00007FF7289D0000-0x00007FF728D21000-memory.dmp

Filesize
3.3MB

Download
memory/1904-41-0x00007FF7289D0000-0x00007FF728D21000-memory.dmp

Filesize
3.3MB

Download
memory/1904-235-0x00007FF7289D0000-0x00007FF728D21000-memory.dmp

Filesize
3.3MB

Download
memory/1980-85-0x00007FF797070000-0x00007FF7973C1000-memory.dmp

Filesize
3.3MB

Download
memory/1980-255-0x00007FF797070000-0x00007FF7973C1000-memory.dmp

Filesize
3.3MB

Download
memory/1980-142-0x00007FF797070000-0x00007FF7973C1000-memory.dmp

Filesize
3.3MB

Download
memory/1988-248-0x00007FF7368F0000-0x00007FF736C41000-memory.dmp

Filesize
3.3MB

Download
memory/1988-135-0x00007FF7368F0000-0x00007FF736C41000-memory.dmp

Filesize
3.3MB

Download
memory/1988-69-0x00007FF7368F0000-0x00007FF736C41000-memory.dmp

Filesize
3.3MB

Download
memory/2316-141-0x00007FF6E4DD0000-0x00007FF6E5121000-memory.dmp

Filesize
3.3MB

Download
memory/2316-276-0x00007FF6E4DD0000-0x00007FF6E5121000-memory.dmp

Filesize
3.3MB

Download
memory/2316-169-0x00007FF6E4DD0000-0x00007FF6E5121000-memory.dmp

Filesize
3.3MB

Download
memory/2976-161-0x00007FF625CE0000-0x00007FF626031000-memory.dmp

Filesize
3.3MB

Download
memory/2976-116-0x00007FF625CE0000-0x00007FF626031000-memory.dmp

Filesize
3.3MB

Download
memory/2976-272-0x00007FF625CE0000-0x00007FF626031000-memory.dmp

Filesize
3.3MB

Download
memory/3328-14-0x00007FF610480000-0x00007FF6107D1000-memory.dmp

Filesize
3.3MB

Download
memory/3328-68-0x00007FF610480000-0x00007FF6107D1000-memory.dmp

Filesize
3.3MB

Download
memory/3328-223-0x00007FF610480000-0x00007FF6107D1000-memory.dmp

Filesize
3.3MB

Download
memory/3688-123-0x00007FF76E390000-0x00007FF76E6E1000-memory.dmp

Filesize
3.3MB

Download
memory/3688-167-0x00007FF76E390000-0x00007FF76E6E1000-memory.dmp

Filesize
3.3MB

Download
memory/3688-270-0x00007FF76E390000-0x00007FF76E6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-152-0x00007FF6F8890000-0x00007FF6F8BE1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-100-0x00007FF6F8890000-0x00007FF6F8BE1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-264-0x00007FF6F8890000-0x00007FF6F8BE1000-memory.dmp

Filesize
3.3MB

Download
memory/4776-48-0x00007FF6358E0000-0x00007FF635C31000-memory.dmp

Filesize
3.3MB

Download
memory/4776-239-0x00007FF6358E0000-0x00007FF635C31000-memory.dmp

Filesize
3.3MB

Download
memory/4776-110-0x00007FF6358E0000-0x00007FF635C31000-memory.dmp

Filesize
3.3MB

Download
memory/4888-115-0x00007FF7D9CE0000-0x00007FF7DA031000-memory.dmp

Filesize
3.3MB

Download
memory/4888-57-0x00007FF7D9CE0000-0x00007FF7DA031000-memory.dmp

Filesize
3.3MB

Download
memory/4888-244-0x00007FF7D9CE0000-0x00007FF7DA031000-memory.dmp

Filesize
3.3MB

Download
memory/5064-91-0x00007FF7E1440000-0x00007FF7E1791000-memory.dmp

Filesize
3.3MB

Download
memory/5064-257-0x00007FF7E1440000-0x00007FF7E1791000-memory.dmp

Filesize
3.3MB

Download
memory/5064-149-0x00007FF7E1440000-0x00007FF7E1791000-memory.dmp

Filesize
3.3MB

Download
memory/5072-166-0x00007FF62FD30000-0x00007FF630081000-memory.dmp

Filesize
3.3MB

Download
memory/5072-140-0x00007FF62FD30000-0x00007FF630081000-memory.dmp

Filesize
3.3MB

Download
memory/5072-278-0x00007FF62FD30000-0x00007FF630081000-memory.dmp

Filesize
3.3MB

Download
memory/5080-102-0x00007FF7FD360000-0x00007FF7FD6B1000-memory.dmp

Filesize
3.3MB

Download
memory/5080-266-0x00007FF7FD360000-0x00007FF7FD6B1000-memory.dmp

Filesize
3.3MB

Download
memory/5080-155-0x00007FF7FD360000-0x00007FF7FD6B1000-memory.dmp

Filesize
3.3MB

Download