cobaltstrike | 34501ff7a5bff0dae96761cc03cc7931710759b9adec08898a8b3a28ca0727fb

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 15:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

72114d82a4adc27f95f59fb1bea22c95
SHA1

447095e5ab980dd689d87c93c847b21354f1f738
SHA256

34501ff7a5bff0dae96761cc03cc7931710759b9adec08898a8b3a28ca0727fb
SHA512

605236e3af21ac6fb984a2b488350fff1837f01a871edff7d8a5cd24c109cabc244f116eca355cc656863e7e2b7f1c60749726c30708061f0fb746ef90375716
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l1:RWWBibf56utgpPFotBER/mQ32lUR

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023426-6.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342f-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342e-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023431-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023430-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-41.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002342b-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023438-85.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-116.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-121.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-118.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-112.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-96.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-54.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2740-66-0x00007FF7D9030000-0x00007FF7D9381000-memory.dmp	xmrig
behavioral2/memory/3268-69-0x00007FF766A50000-0x00007FF766DA1000-memory.dmp	xmrig
behavioral2/memory/3592-97-0x00007FF73B750000-0x00007FF73BAA1000-memory.dmp	xmrig
behavioral2/memory/2780-109-0x00007FF6FDE80000-0x00007FF6FE1D1000-memory.dmp	xmrig
behavioral2/memory/3616-78-0x00007FF7066F0000-0x00007FF706A41000-memory.dmp	xmrig
behavioral2/memory/1228-62-0x00007FF6467C0000-0x00007FF646B11000-memory.dmp	xmrig
behavioral2/memory/4604-50-0x00007FF7A1440000-0x00007FF7A1791000-memory.dmp	xmrig
behavioral2/memory/3880-125-0x00007FF67D530000-0x00007FF67D881000-memory.dmp	xmrig
behavioral2/memory/4904-127-0x00007FF7DADA0000-0x00007FF7DB0F1000-memory.dmp	xmrig
behavioral2/memory/3904-131-0x00007FF76F670000-0x00007FF76F9C1000-memory.dmp	xmrig
behavioral2/memory/3628-132-0x00007FF7F0ED0000-0x00007FF7F1221000-memory.dmp	xmrig
behavioral2/memory/1380-130-0x00007FF7851F0000-0x00007FF785541000-memory.dmp	xmrig
behavioral2/memory/2468-129-0x00007FF66CCB0000-0x00007FF66D001000-memory.dmp	xmrig
behavioral2/memory/3528-128-0x00007FF76E300000-0x00007FF76E651000-memory.dmp	xmrig
behavioral2/memory/1424-126-0x00007FF777A80000-0x00007FF777DD1000-memory.dmp	xmrig
behavioral2/memory/4404-133-0x00007FF6218F0000-0x00007FF621C41000-memory.dmp	xmrig
behavioral2/memory/1036-134-0x00007FF754B40000-0x00007FF754E91000-memory.dmp	xmrig
behavioral2/memory/1856-136-0x00007FF633E40000-0x00007FF634191000-memory.dmp	xmrig
behavioral2/memory/1228-135-0x00007FF6467C0000-0x00007FF646B11000-memory.dmp	xmrig
behavioral2/memory/4612-150-0x00007FF69C0D0000-0x00007FF69C421000-memory.dmp	xmrig
behavioral2/memory/3384-149-0x00007FF631620000-0x00007FF631971000-memory.dmp	xmrig
behavioral2/memory/5100-147-0x00007FF78DCF0000-0x00007FF78E041000-memory.dmp	xmrig
behavioral2/memory/2552-145-0x00007FF7036A0000-0x00007FF7039F1000-memory.dmp	xmrig
behavioral2/memory/1228-158-0x00007FF6467C0000-0x00007FF646B11000-memory.dmp	xmrig
behavioral2/memory/3268-210-0x00007FF766A50000-0x00007FF766DA1000-memory.dmp	xmrig
behavioral2/memory/3616-212-0x00007FF7066F0000-0x00007FF706A41000-memory.dmp	xmrig
behavioral2/memory/3592-214-0x00007FF73B750000-0x00007FF73BAA1000-memory.dmp	xmrig
behavioral2/memory/1380-216-0x00007FF7851F0000-0x00007FF785541000-memory.dmp	xmrig
behavioral2/memory/4404-225-0x00007FF6218F0000-0x00007FF621C41000-memory.dmp	xmrig
behavioral2/memory/1036-227-0x00007FF754B40000-0x00007FF754E91000-memory.dmp	xmrig
behavioral2/memory/4604-231-0x00007FF7A1440000-0x00007FF7A1791000-memory.dmp	xmrig
behavioral2/memory/1856-229-0x00007FF633E40000-0x00007FF634191000-memory.dmp	xmrig
behavioral2/memory/2552-233-0x00007FF7036A0000-0x00007FF7039F1000-memory.dmp	xmrig
behavioral2/memory/2740-235-0x00007FF7D9030000-0x00007FF7D9381000-memory.dmp	xmrig
behavioral2/memory/5100-245-0x00007FF78DCF0000-0x00007FF78E041000-memory.dmp	xmrig
behavioral2/memory/2780-247-0x00007FF6FDE80000-0x00007FF6FE1D1000-memory.dmp	xmrig
behavioral2/memory/3384-249-0x00007FF631620000-0x00007FF631971000-memory.dmp	xmrig
behavioral2/memory/4612-255-0x00007FF69C0D0000-0x00007FF69C421000-memory.dmp	xmrig
behavioral2/memory/1424-259-0x00007FF777A80000-0x00007FF777DD1000-memory.dmp	xmrig
behavioral2/memory/4904-261-0x00007FF7DADA0000-0x00007FF7DB0F1000-memory.dmp	xmrig
behavioral2/memory/3880-257-0x00007FF67D530000-0x00007FF67D881000-memory.dmp	xmrig
behavioral2/memory/2468-254-0x00007FF66CCB0000-0x00007FF66D001000-memory.dmp	xmrig
behavioral2/memory/3628-263-0x00007FF7F0ED0000-0x00007FF7F1221000-memory.dmp	xmrig
behavioral2/memory/3528-265-0x00007FF76E300000-0x00007FF76E651000-memory.dmp	xmrig
behavioral2/memory/3904-252-0x00007FF76F670000-0x00007FF76F9C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3268	LbaeSJt.exe
3616	nTajswV.exe
3592	JJwxZMW.exe
1380	SRYgknB.exe
4404	BRNdiYP.exe
1036	Xtltavz.exe
1856	MKidGEN.exe
4604	JRsJXcy.exe
2552	CspSLsc.exe
2740	oYRUnNt.exe
5100	AjZuYxg.exe
3384	TSiqJgo.exe
2780	NdfuHvH.exe
4612	MpBPIce.exe
3880	ICEVHcG.exe
2468	jyupKTn.exe
3904	lOWDVKz.exe
3628	XTdByrC.exe
1424	mzPaIOF.exe
4904	TsNzjDt.exe
3528	NAuALRI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1228-0-0x00007FF6467C0000-0x00007FF646B11000-memory.dmp	upx
behavioral2/files/0x0009000000023426-6.dat	upx
behavioral2/memory/3268-7-0x00007FF766A50000-0x00007FF766DA1000-memory.dmp	upx
behavioral2/files/0x000700000002342f-11.dat	upx
behavioral2/files/0x000700000002342e-12.dat	upx
behavioral2/memory/3592-19-0x00007FF73B750000-0x00007FF73BAA1000-memory.dmp	upx
behavioral2/files/0x0007000000023431-30.dat	upx
behavioral2/memory/4404-31-0x00007FF6218F0000-0x00007FF621C41000-memory.dmp	upx
behavioral2/memory/1380-26-0x00007FF7851F0000-0x00007FF785541000-memory.dmp	upx
behavioral2/files/0x0007000000023430-24.dat	upx
behavioral2/memory/3616-14-0x00007FF7066F0000-0x00007FF706A41000-memory.dmp	upx
behavioral2/files/0x0007000000023432-34.dat	upx
behavioral2/memory/1036-36-0x00007FF754B40000-0x00007FF754E91000-memory.dmp	upx
behavioral2/files/0x0007000000023434-41.dat	upx
behavioral2/files/0x000800000002342b-44.dat	upx
behavioral2/files/0x0007000000023436-60.dat	upx
behavioral2/memory/2740-66-0x00007FF7D9030000-0x00007FF7D9381000-memory.dmp	upx
behavioral2/files/0x0007000000023437-65.dat	upx
behavioral2/memory/3268-69-0x00007FF766A50000-0x00007FF766DA1000-memory.dmp	upx
behavioral2/files/0x0007000000023438-85.dat	upx
behavioral2/memory/3592-97-0x00007FF73B750000-0x00007FF73BAA1000-memory.dmp	upx
behavioral2/files/0x000700000002343c-105.dat	upx
behavioral2/files/0x0007000000023440-116.dat	upx
behavioral2/files/0x000700000002343f-121.dat	upx
behavioral2/files/0x000700000002343e-120.dat	upx
behavioral2/files/0x0007000000023441-118.dat	upx
behavioral2/files/0x000700000002343d-112.dat	upx
behavioral2/memory/2780-109-0x00007FF6FDE80000-0x00007FF6FE1D1000-memory.dmp	upx
behavioral2/files/0x000700000002343b-96.dat	upx
behavioral2/files/0x000700000002343a-91.dat	upx
behavioral2/memory/4612-86-0x00007FF69C0D0000-0x00007FF69C421000-memory.dmp	upx
behavioral2/files/0x0007000000023439-84.dat	upx
behavioral2/memory/3384-83-0x00007FF631620000-0x00007FF631971000-memory.dmp	upx
behavioral2/memory/3616-78-0x00007FF7066F0000-0x00007FF706A41000-memory.dmp	upx
behavioral2/memory/5100-70-0x00007FF78DCF0000-0x00007FF78E041000-memory.dmp	upx
behavioral2/memory/1228-62-0x00007FF6467C0000-0x00007FF646B11000-memory.dmp	upx
behavioral2/files/0x0007000000023435-54.dat	upx
behavioral2/memory/2552-53-0x00007FF7036A0000-0x00007FF7039F1000-memory.dmp	upx
behavioral2/memory/4604-50-0x00007FF7A1440000-0x00007FF7A1791000-memory.dmp	upx
behavioral2/memory/1856-42-0x00007FF633E40000-0x00007FF634191000-memory.dmp	upx
behavioral2/memory/3880-125-0x00007FF67D530000-0x00007FF67D881000-memory.dmp	upx
behavioral2/memory/4904-127-0x00007FF7DADA0000-0x00007FF7DB0F1000-memory.dmp	upx
behavioral2/memory/3904-131-0x00007FF76F670000-0x00007FF76F9C1000-memory.dmp	upx
behavioral2/memory/3628-132-0x00007FF7F0ED0000-0x00007FF7F1221000-memory.dmp	upx
behavioral2/memory/1380-130-0x00007FF7851F0000-0x00007FF785541000-memory.dmp	upx
behavioral2/memory/2468-129-0x00007FF66CCB0000-0x00007FF66D001000-memory.dmp	upx
behavioral2/memory/3528-128-0x00007FF76E300000-0x00007FF76E651000-memory.dmp	upx
behavioral2/memory/1424-126-0x00007FF777A80000-0x00007FF777DD1000-memory.dmp	upx
behavioral2/memory/4404-133-0x00007FF6218F0000-0x00007FF621C41000-memory.dmp	upx
behavioral2/memory/1036-134-0x00007FF754B40000-0x00007FF754E91000-memory.dmp	upx
behavioral2/memory/1856-136-0x00007FF633E40000-0x00007FF634191000-memory.dmp	upx
behavioral2/memory/1228-135-0x00007FF6467C0000-0x00007FF646B11000-memory.dmp	upx
behavioral2/memory/4612-150-0x00007FF69C0D0000-0x00007FF69C421000-memory.dmp	upx
behavioral2/memory/3384-149-0x00007FF631620000-0x00007FF631971000-memory.dmp	upx
behavioral2/memory/5100-147-0x00007FF78DCF0000-0x00007FF78E041000-memory.dmp	upx
behavioral2/memory/2552-145-0x00007FF7036A0000-0x00007FF7039F1000-memory.dmp	upx
behavioral2/memory/1228-158-0x00007FF6467C0000-0x00007FF646B11000-memory.dmp	upx
behavioral2/memory/3268-210-0x00007FF766A50000-0x00007FF766DA1000-memory.dmp	upx
behavioral2/memory/3616-212-0x00007FF7066F0000-0x00007FF706A41000-memory.dmp	upx
behavioral2/memory/3592-214-0x00007FF73B750000-0x00007FF73BAA1000-memory.dmp	upx
behavioral2/memory/1380-216-0x00007FF7851F0000-0x00007FF785541000-memory.dmp	upx
behavioral2/memory/4404-225-0x00007FF6218F0000-0x00007FF621C41000-memory.dmp	upx
behavioral2/memory/1036-227-0x00007FF754B40000-0x00007FF754E91000-memory.dmp	upx
behavioral2/memory/4604-231-0x00007FF7A1440000-0x00007FF7A1791000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\MpBPIce.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jyupKTn.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XTdByrC.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JJwxZMW.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oYRUnNt.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Xtltavz.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MKidGEN.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lOWDVKz.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TsNzjDt.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LbaeSJt.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nTajswV.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CspSLsc.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AjZuYxg.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ICEVHcG.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mzPaIOF.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SRYgknB.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BRNdiYP.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TSiqJgo.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NAuALRI.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JRsJXcy.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NdfuHvH.exe	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 3268	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1228 wrote to memory of 3268	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1228 wrote to memory of 3616	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1228 wrote to memory of 3616	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1228 wrote to memory of 3592	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1228 wrote to memory of 3592	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1228 wrote to memory of 1380	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1228 wrote to memory of 1380	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1228 wrote to memory of 4404	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1228 wrote to memory of 4404	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1228 wrote to memory of 1036	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1228 wrote to memory of 1036	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1228 wrote to memory of 1856	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1228 wrote to memory of 1856	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1228 wrote to memory of 4604	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1228 wrote to memory of 4604	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1228 wrote to memory of 2552	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1228 wrote to memory of 2552	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1228 wrote to memory of 2740	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1228 wrote to memory of 2740	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1228 wrote to memory of 5100	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1228 wrote to memory of 5100	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1228 wrote to memory of 2780	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1228 wrote to memory of 2780	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1228 wrote to memory of 3384	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1228 wrote to memory of 3384	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1228 wrote to memory of 4612	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1228 wrote to memory of 4612	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1228 wrote to memory of 3880	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1228 wrote to memory of 3880	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1228 wrote to memory of 2468	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1228 wrote to memory of 2468	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1228 wrote to memory of 3904	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1228 wrote to memory of 3904	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1228 wrote to memory of 3628	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1228 wrote to memory of 3628	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1228 wrote to memory of 3528	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1228 wrote to memory of 3528	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1228 wrote to memory of 1424	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1228 wrote to memory of 1424	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1228 wrote to memory of 4904	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1228 wrote to memory of 4904	1228	2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_72114d82a4adc27f95f59fb1bea22c95_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\System\LbaeSJt.exe
  C:\Windows\System\LbaeSJt.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System\nTajswV.exe
  C:\Windows\System\nTajswV.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\JJwxZMW.exe
  C:\Windows\System\JJwxZMW.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\SRYgknB.exe
  C:\Windows\System\SRYgknB.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\BRNdiYP.exe
  C:\Windows\System\BRNdiYP.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\Xtltavz.exe
  C:\Windows\System\Xtltavz.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\MKidGEN.exe
  C:\Windows\System\MKidGEN.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System\JRsJXcy.exe
  C:\Windows\System\JRsJXcy.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\CspSLsc.exe
  C:\Windows\System\CspSLsc.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\oYRUnNt.exe
  C:\Windows\System\oYRUnNt.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\AjZuYxg.exe
  C:\Windows\System\AjZuYxg.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\NdfuHvH.exe
  C:\Windows\System\NdfuHvH.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\TSiqJgo.exe
  C:\Windows\System\TSiqJgo.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System\MpBPIce.exe
  C:\Windows\System\MpBPIce.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\ICEVHcG.exe
  C:\Windows\System\ICEVHcG.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System\jyupKTn.exe
  C:\Windows\System\jyupKTn.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\lOWDVKz.exe
  C:\Windows\System\lOWDVKz.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System\XTdByrC.exe
  C:\Windows\System\XTdByrC.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\NAuALRI.exe
  C:\Windows\System\NAuALRI.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\mzPaIOF.exe
  C:\Windows\System\mzPaIOF.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System\TsNzjDt.exe
  C:\Windows\System\TsNzjDt.exe
  2⤵
  - Executes dropped EXE
  PID:4904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AjZuYxg.exe

Filesize
5.2MB

MD5
603f838570efc59e299172363ecf20e0

SHA1
83608096cb31125df49b12619e3b867cb94e52a6

SHA256
ab327d87c13c6ddf0e9a554f28749fd70aaacbf56018b6ee99435341a49e8e66

SHA512
5417450dde0cb34db152db009f1a4f812d166a7a40fb571173e1505edfb0b236b2b603182a0916cabce31829646e7d0c154dd89050f7ae8cfb9bdb621ec93ab5

Download Submit
C:\Windows\System\BRNdiYP.exe

Filesize
5.2MB

MD5
f4d8926b02689c09e24ab7ada2d38922

SHA1
25b58cbefbd4b4dbd7123d4ffd0f82ce94c05f49

SHA256
80c9e10378d9c5eea49fd88b9d29aa475506b33766019f22d6a3b7fdcc5ba5bf

SHA512
fa5f315a67d7989c92cddbc334f772a0d2ab01a96c864df3b0df6d9fbc3c7711921f65b8a35b0f34482168abadf82f1c740a7265e3488381981a8baa7c549f5d

Download Submit
C:\Windows\System\CspSLsc.exe

Filesize
5.2MB

MD5
bb8ae822172a96d3cf9aefebff105b80

SHA1
7d689f2e4a46bf09f85963f28d02f08998bcc3ca

SHA256
c9ad12090f8dbe6f2f5e9f17e12eeaf7bbadb851f65f457e48d454e7b637af8b

SHA512
82aed64a23a125be3bce28567b4f7fc9aaad73718336a3784544f5b5e466766f0bc5990f866ef02cd6bc43bc109b0de5466a485e31a8362417f8487b33fc7c54

Download Submit
C:\Windows\System\ICEVHcG.exe

Filesize
5.2MB

MD5
927d4893e1d1f370e9aa5e5710093742

SHA1
4e46119323e78a328744d3b0020cb6d41153d8de

SHA256
4ff86a6e6624520c290adea5e7f673fbb050947fac1308324917e495254e586a

SHA512
322adce920ca7fa83064487c22838070036f9b77555ada618a56a33c98ab6555956106f8d2b3da904839f0da9accfc59fd6cf04851d5015fb7c4cab979881679

Download Submit
C:\Windows\System\JJwxZMW.exe

Filesize
5.2MB

MD5
521399a1aa0be7642846910918df98df

SHA1
16324411d3ccbda3cd5765caf674a48a9637d1a0

SHA256
d1f337f88d174cb0a5640463681a3a45102328cb8b015eb656f07245bf781976

SHA512
dd37df99ce8a7c918705694ca3acfe9b616bfa43e639beb855e4a10975af117d3b183f79109dc7903a7f60a6f2b80ec9938f27ae8e16287065ee7a3b1e32ae7a

Download Submit
C:\Windows\System\JRsJXcy.exe

Filesize
5.2MB

MD5
694c50df98522bd0d4aee003d067ee51

SHA1
19583e45ec9e9be97dbe11f1af026d87f5bdca33

SHA256
62da780157cc1dad1d7846440e088a3840c40dd75809b24b566868f16616070f

SHA512
5b3ddc47416b211a7768f7707db06fb4fe9c6d97f4eca6e145bf7993e83a18a60eea5ce7e3e2048818b6140f70e87e31ace30807560e4a75e616574e4551eb66

Download Submit
C:\Windows\System\LbaeSJt.exe

Filesize
5.2MB

MD5
5194ef71bd732312e87e4b3e54d8f29f

SHA1
8f617b3141badd8266c94cb55607f01a5a5e3ec3

SHA256
f47f174fbfa0d0625d86ecd45257701f52483b04818fc7050681dfa7c5602db5

SHA512
7fbf5c963b7a3ac3af490d4e15ef289ee0ee4a008497131d6a4be4bf911a5a5d195d1f76e4dd1c69328f2a8420b49349802e52e42af6623d258ef6736bf39dc5

Download Submit
C:\Windows\System\MKidGEN.exe

Filesize
5.2MB

MD5
777abb78a6f78cc1452eb9f50f47fa9b

SHA1
30ddb9bedad892a4ca215b4395d70ac19f7952ed

SHA256
5d4328479e41ecd0a736d40a49c9072ab9a913062282533dfe900bcaa005d465

SHA512
b625fac075ecc6c67adb56eb7499cf54ac4e2cafbb06ce9d2eafaf3acc4d509018b2b74400faba9f6b02ddba65c65a0c77f9ba7d63a03219e2ea982249938f03

Download Submit
C:\Windows\System\MpBPIce.exe

Filesize
5.2MB

MD5
b843a37ac892ba91fe17510e94cde501

SHA1
fd62690476ee60fcd37705f5f669fea76eda8321

SHA256
6f13e17d42c957e38ffb2041cddd17eb5d20ca4ce329ad67434e9e9deaff02dd

SHA512
916f5a7977cae6ecdb56b86fe16130c838a02deed8916e006da4599766fcc47f5c68f648d7b6b709e7b0d8625ce815eb376c5e23f749bf66103f045f75e758a8

Download Submit
C:\Windows\System\NAuALRI.exe

Filesize
5.2MB

MD5
90e0becf9ab6b97d1fddc5c970389635

SHA1
70e710e9b0c2099132474c3a65da31a2be66c417

SHA256
d8506ce6cd04c694909f49c0e82386d642ef9c2454ec56265d9cf8aa3f725995

SHA512
9cff0999453e52116c30d215abdddb9434595e33107ae3fd8b6727231889213dc142951087b636b092173049486f93a6c9b1ceec251f658d877084dc517ca9b1

Download Submit
C:\Windows\System\NdfuHvH.exe

Filesize
5.2MB

MD5
e0c1d74ca8a240b9d4f699f4435167e9

SHA1
66baf666aa8569d9534fd2d847f3abdcab60ed80

SHA256
2462583e30c5647be254b9843d3923305723f1f1002f9b9128e30cd762aca831

SHA512
b36feadb4077a95d112d1d65fbcdd3cf665c9c2d96f5bf8aaf7e214785243659b3b8a27a91500338ff5558e1ecb397bdf776cb6c20ca12ad1c9b644d40b500ce

Download Submit
C:\Windows\System\SRYgknB.exe

Filesize
5.2MB

MD5
ce8cfe87bf0c22a5f8c3fcc081a2c34d

SHA1
5dc0994aa475407cd741a26cc7ddeca0d51d2526

SHA256
7f6ed1c7b735cd989d13a2ab09d05faf58ce432265e89df05b5462ec3162ca11

SHA512
0f9a3675f383d0fffb546a77d2e095d6a3739c7eb19bbf7f4b37c7c16ee9b51053a9729f7f32c34ce8cc7cc5e883398a05e1c6469329da8d92ec685658f936d9

Download Submit
C:\Windows\System\TSiqJgo.exe

Filesize
5.2MB

MD5
05d7ced8fdd68add52da67b131bf66e2

SHA1
805de2c68683e70090822c973d86500de975b2b4

SHA256
2e582723f6487290f4e0db2b6f8c3d76776d605411b09ef0e9970f461602ac91

SHA512
ee75f96285b429260c941a1a4c721674cd7109d31cf5ca513f9f3cb1e96802b60f3f15bef45ea0a079afa64f4cfa7abc928981a89ba20f9195640343d7d13e71

Download Submit
C:\Windows\System\TsNzjDt.exe

Filesize
5.2MB

MD5
702994bc7748c14438affd59b2baf7be

SHA1
b9ddf5046e74033a25eb468e306b4fccdfa7f2c9

SHA256
58fea33469a6d029e0b68b5e369f74b10571cc3a2d1993647c1a89b6bf310311

SHA512
dcebe99c64cb3382be2a7ff49647d365a072b4e4623944e95dbcc403c96019bea07001975c2d061414061ea42398161a5ba7e05c01358a58e6016170797399eb

Download Submit
C:\Windows\System\XTdByrC.exe

Filesize
5.2MB

MD5
ebae4cfa07425378b61973b80e70cce9

SHA1
a49fc67def826ad2a1baafc0d4f6f0148fbbe6f5

SHA256
135fe81d6f22fddc5f42ba3896439c06a4bf3eb1876a86da6b85a816d942f920

SHA512
aa74abc5e9bf837ba2906c1a1cd79c1c589528eefd8db4e414ac0b77d562db7cbc403af914a65d49f6b417b61004565cb6e6dc7fc5f6f66872b9d8c15d290e38

Download Submit
C:\Windows\System\Xtltavz.exe

Filesize
5.2MB

MD5
29b867979e0d44eceebcb53d11a9eddb

SHA1
5ab93d5504b0fd989b6878711f34e8e595650d44

SHA256
f4aa2d8132807d1a357a01d7321cd4f02f9bedae0ba7dc4e05791eca7bb38d99

SHA512
3c403d093f85ad2bfc1641a64e7fc4f69aa091719af42392fdc5a05a424d8c110dfe434bfae5ea83635cf7b5a81593d6f44b34a67fcef5917478972556580f92

Download Submit
C:\Windows\System\jyupKTn.exe

Filesize
5.2MB

MD5
964d61a60ef93b0e4c566455765272c8

SHA1
1dc7312145fa45ef1b27fb90c78080af633799f7

SHA256
c53f5e798b9a4979c88b42c323471512275b8b45be4d5a6448690817b912022f

SHA512
7a048c9245bfbaf3b0b09534901ee8cb17b0e5da5f668507dfea2fcb9a6fe65863c0bf80556f05db4a152046b7e2ce09e3f70f7d78f5581cc70ac076c2280bd3

Download Submit
C:\Windows\System\lOWDVKz.exe

Filesize
5.2MB

MD5
83d97f5879f5c84746164af62d46c97c

SHA1
c31661e48fba2079539d3361e2079a0c6b56254d

SHA256
56f8823bc4599d8bbc10f549f02d64b34c67f6ede918575fb55fc9cc0fe26b9c

SHA512
473bf459c1eea41c7ff866901f961dce140d023a41515f05183a68f7df5c8a9bd742c298a28680f78748ecc35ae1e7781dca17dc1d95a2f5bbc9ea5755137623

Download Submit
C:\Windows\System\mzPaIOF.exe

Filesize
5.2MB

MD5
6ce567c77c3d78a08db415f372232e94

SHA1
9b0dfc18ff5888a99af680d4cd8e45e172dfd250

SHA256
acea83e22a23e2d099c8c6ac4556f0419fcb2604062014e49611bfcdf0843b0c

SHA512
0376d355080c9c6d1f0211de507905f128698c092500b617ec7d0d05d4c68b48d1cbfef2b8e8e13adb0e53a76f0d34502a94902eed607040c434ca74cbede8ca

Download Submit
C:\Windows\System\nTajswV.exe

Filesize
5.2MB

MD5
3e22e8f11633d268df01688682ff0989

SHA1
0fe78e85bdba4df404c7c05ad133ba2d495d94ab

SHA256
fc539a6aad5db6b1602a438b812ea8372c704e70d14e75d532b73c943fee1f8b

SHA512
05b2461069f82b69725fe42239915f8ef51b401466b704bb61b5c1b86bdcc9ba3f4f937991233be19d64c7e31689d6e8851fbbbcc87c63f8f4bf29cee54829e9

Download Submit
C:\Windows\System\oYRUnNt.exe

Filesize
5.2MB

MD5
a09030b042f6ae1bbd68160e2db57aa4

SHA1
1a30b35e1b60af86a155199a7a69d1efef9b16e7

SHA256
39130948d37c8c6cbf97291b6b28895d634058a04cabe0d7e1ef7f2189ef2d1a

SHA512
1c4789646ae70f942269bb0e217058b1b0173e08ca00e5d24116d270c55fdd9663c806a7311e2c0ea3c74feb57c94b802613758ad68573e8e356466c17fc6f9c

Download Submit
memory/1036-227-0x00007FF754B40000-0x00007FF754E91000-memory.dmp

Filesize
3.3MB

Download
memory/1036-134-0x00007FF754B40000-0x00007FF754E91000-memory.dmp

Filesize
3.3MB

Download
memory/1036-36-0x00007FF754B40000-0x00007FF754E91000-memory.dmp

Filesize
3.3MB

Download
memory/1228-135-0x00007FF6467C0000-0x00007FF646B11000-memory.dmp

Filesize
3.3MB

Download
memory/1228-0-0x00007FF6467C0000-0x00007FF646B11000-memory.dmp

Filesize
3.3MB

Download
memory/1228-1-0x000002929F230000-0x000002929F240000-memory.dmp

Filesize
64KB

Download
memory/1228-62-0x00007FF6467C0000-0x00007FF646B11000-memory.dmp

Filesize
3.3MB

Download
memory/1228-158-0x00007FF6467C0000-0x00007FF646B11000-memory.dmp

Filesize
3.3MB

Download
memory/1380-26-0x00007FF7851F0000-0x00007FF785541000-memory.dmp

Filesize
3.3MB

Download
memory/1380-130-0x00007FF7851F0000-0x00007FF785541000-memory.dmp

Filesize
3.3MB

Download
memory/1380-216-0x00007FF7851F0000-0x00007FF785541000-memory.dmp

Filesize
3.3MB

Download
memory/1424-126-0x00007FF777A80000-0x00007FF777DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1424-259-0x00007FF777A80000-0x00007FF777DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1856-136-0x00007FF633E40000-0x00007FF634191000-memory.dmp

Filesize
3.3MB

Download
memory/1856-42-0x00007FF633E40000-0x00007FF634191000-memory.dmp

Filesize
3.3MB

Download
memory/1856-229-0x00007FF633E40000-0x00007FF634191000-memory.dmp

Filesize
3.3MB

Download
memory/2468-254-0x00007FF66CCB0000-0x00007FF66D001000-memory.dmp

Filesize
3.3MB

Download
memory/2468-129-0x00007FF66CCB0000-0x00007FF66D001000-memory.dmp

Filesize
3.3MB

Download
memory/2552-53-0x00007FF7036A0000-0x00007FF7039F1000-memory.dmp

Filesize
3.3MB

Download
memory/2552-233-0x00007FF7036A0000-0x00007FF7039F1000-memory.dmp

Filesize
3.3MB

Download
memory/2552-145-0x00007FF7036A0000-0x00007FF7039F1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-235-0x00007FF7D9030000-0x00007FF7D9381000-memory.dmp

Filesize
3.3MB

Download
memory/2740-66-0x00007FF7D9030000-0x00007FF7D9381000-memory.dmp

Filesize
3.3MB

Download
memory/2780-109-0x00007FF6FDE80000-0x00007FF6FE1D1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-247-0x00007FF6FDE80000-0x00007FF6FE1D1000-memory.dmp

Filesize
3.3MB

Download
memory/3268-210-0x00007FF766A50000-0x00007FF766DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3268-69-0x00007FF766A50000-0x00007FF766DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3268-7-0x00007FF766A50000-0x00007FF766DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3384-83-0x00007FF631620000-0x00007FF631971000-memory.dmp

Filesize
3.3MB

Download
memory/3384-249-0x00007FF631620000-0x00007FF631971000-memory.dmp

Filesize
3.3MB

Download
memory/3384-149-0x00007FF631620000-0x00007FF631971000-memory.dmp

Filesize
3.3MB

Download
memory/3528-265-0x00007FF76E300000-0x00007FF76E651000-memory.dmp

Filesize
3.3MB

Download
memory/3528-128-0x00007FF76E300000-0x00007FF76E651000-memory.dmp

Filesize
3.3MB

Download
memory/3592-19-0x00007FF73B750000-0x00007FF73BAA1000-memory.dmp

Filesize
3.3MB

Download
memory/3592-214-0x00007FF73B750000-0x00007FF73BAA1000-memory.dmp

Filesize
3.3MB

Download
memory/3592-97-0x00007FF73B750000-0x00007FF73BAA1000-memory.dmp

Filesize
3.3MB

Download
memory/3616-212-0x00007FF7066F0000-0x00007FF706A41000-memory.dmp

Filesize
3.3MB

Download
memory/3616-14-0x00007FF7066F0000-0x00007FF706A41000-memory.dmp

Filesize
3.3MB

Download
memory/3616-78-0x00007FF7066F0000-0x00007FF706A41000-memory.dmp

Filesize
3.3MB

Download
memory/3628-263-0x00007FF7F0ED0000-0x00007FF7F1221000-memory.dmp

Filesize
3.3MB

Download
memory/3628-132-0x00007FF7F0ED0000-0x00007FF7F1221000-memory.dmp

Filesize
3.3MB

Download
memory/3880-257-0x00007FF67D530000-0x00007FF67D881000-memory.dmp

Filesize
3.3MB

Download
memory/3880-125-0x00007FF67D530000-0x00007FF67D881000-memory.dmp

Filesize
3.3MB

Download
memory/3904-131-0x00007FF76F670000-0x00007FF76F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/3904-252-0x00007FF76F670000-0x00007FF76F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/4404-225-0x00007FF6218F0000-0x00007FF621C41000-memory.dmp

Filesize
3.3MB

Download
memory/4404-31-0x00007FF6218F0000-0x00007FF621C41000-memory.dmp

Filesize
3.3MB

Download
memory/4404-133-0x00007FF6218F0000-0x00007FF621C41000-memory.dmp

Filesize
3.3MB

Download
memory/4604-231-0x00007FF7A1440000-0x00007FF7A1791000-memory.dmp

Filesize
3.3MB

Download
memory/4604-50-0x00007FF7A1440000-0x00007FF7A1791000-memory.dmp

Filesize
3.3MB

Download
memory/4612-255-0x00007FF69C0D0000-0x00007FF69C421000-memory.dmp

Filesize
3.3MB

Download
memory/4612-150-0x00007FF69C0D0000-0x00007FF69C421000-memory.dmp

Filesize
3.3MB

Download
memory/4612-86-0x00007FF69C0D0000-0x00007FF69C421000-memory.dmp

Filesize
3.3MB

Download
memory/4904-261-0x00007FF7DADA0000-0x00007FF7DB0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-127-0x00007FF7DADA0000-0x00007FF7DB0F1000-memory.dmp

Filesize
3.3MB

Download
memory/5100-245-0x00007FF78DCF0000-0x00007FF78E041000-memory.dmp

Filesize
3.3MB

Download
memory/5100-70-0x00007FF78DCF0000-0x00007FF78E041000-memory.dmp

Filesize
3.3MB

Download
memory/5100-147-0x00007FF78DCF0000-0x00007FF78E041000-memory.dmp

Filesize
3.3MB

Download