cobaltstrike | 5801c3c30dd9513f727eff3dfbe2deb8c720d32e9beaeb0c851c123e066706cc

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2aa920cb83299ec85f3631b2cadf8c76
SHA1

e893124e609e327a7bb49d30890ddd1fe05f70a6
SHA256

5801c3c30dd9513f727eff3dfbe2deb8c720d32e9beaeb0c851c123e066706cc
SHA512

754a76a5cbf7677cf75f1cc92836470e0dd509161a98787e860853ed149de8402b330266a1055b89e1b5284c4a6f97663e9c718d22df76657ca5dca23b4c8111
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibf56utgpPFotBER/mQ32lU4

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234ba-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bc-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bb-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-22.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bf-31.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234be-32.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234b8-46.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-56.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c3-69.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c4-75.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c1-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c0-44.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c5-88.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c9-98.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ca-118.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-124.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cc-129.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-125.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cb-111.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c8-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c7-91.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4712-28-0x00007FF61DC00000-0x00007FF61DF51000-memory.dmp	xmrig
behavioral2/memory/4744-73-0x00007FF72F290000-0x00007FF72F5E1000-memory.dmp	xmrig
behavioral2/memory/2780-65-0x00007FF7DEED0000-0x00007FF7DF221000-memory.dmp	xmrig
behavioral2/memory/3252-115-0x00007FF6562C0000-0x00007FF656611000-memory.dmp	xmrig
behavioral2/memory/4128-113-0x00007FF7721F0000-0x00007FF772541000-memory.dmp	xmrig
behavioral2/memory/964-112-0x00007FF686C30000-0x00007FF686F81000-memory.dmp	xmrig
behavioral2/memory/2292-84-0x00007FF75B710000-0x00007FF75BA61000-memory.dmp	xmrig
behavioral2/memory/4396-79-0x00007FF617C10000-0x00007FF617F61000-memory.dmp	xmrig
behavioral2/memory/2268-131-0x00007FF610F70000-0x00007FF6112C1000-memory.dmp	xmrig
behavioral2/memory/1992-133-0x00007FF72D660000-0x00007FF72D9B1000-memory.dmp	xmrig
behavioral2/memory/232-132-0x00007FF7BB960000-0x00007FF7BBCB1000-memory.dmp	xmrig
behavioral2/memory/4748-134-0x00007FF7FF710000-0x00007FF7FFA61000-memory.dmp	xmrig
behavioral2/memory/2780-135-0x00007FF7DEED0000-0x00007FF7DF221000-memory.dmp	xmrig
behavioral2/memory/4800-144-0x00007FF6103F0000-0x00007FF610741000-memory.dmp	xmrig
behavioral2/memory/1716-143-0x00007FF601B40000-0x00007FF601E91000-memory.dmp	xmrig
behavioral2/memory/4636-148-0x00007FF6A6EE0000-0x00007FF6A7231000-memory.dmp	xmrig
behavioral2/memory/4872-150-0x00007FF694EA0000-0x00007FF6951F1000-memory.dmp	xmrig
behavioral2/memory/1412-151-0x00007FF799A80000-0x00007FF799DD1000-memory.dmp	xmrig
behavioral2/memory/3456-149-0x00007FF6DF5E0000-0x00007FF6DF931000-memory.dmp	xmrig
behavioral2/memory/3848-152-0x00007FF6D03E0000-0x00007FF6D0731000-memory.dmp	xmrig
behavioral2/memory/4244-153-0x00007FF7E7320000-0x00007FF7E7671000-memory.dmp	xmrig
behavioral2/memory/2692-155-0x00007FF723030000-0x00007FF723381000-memory.dmp	xmrig
behavioral2/memory/3176-156-0x00007FF757E60000-0x00007FF7581B1000-memory.dmp	xmrig
behavioral2/memory/2780-160-0x00007FF7DEED0000-0x00007FF7DF221000-memory.dmp	xmrig
behavioral2/memory/4744-213-0x00007FF72F290000-0x00007FF72F5E1000-memory.dmp	xmrig
behavioral2/memory/4396-215-0x00007FF617C10000-0x00007FF617F61000-memory.dmp	xmrig
behavioral2/memory/4712-217-0x00007FF61DC00000-0x00007FF61DF51000-memory.dmp	xmrig
behavioral2/memory/2292-219-0x00007FF75B710000-0x00007FF75BA61000-memory.dmp	xmrig
behavioral2/memory/964-221-0x00007FF686C30000-0x00007FF686F81000-memory.dmp	xmrig
behavioral2/memory/4128-223-0x00007FF7721F0000-0x00007FF772541000-memory.dmp	xmrig
behavioral2/memory/4748-231-0x00007FF7FF710000-0x00007FF7FFA61000-memory.dmp	xmrig
behavioral2/memory/1716-233-0x00007FF601B40000-0x00007FF601E91000-memory.dmp	xmrig
behavioral2/memory/4800-235-0x00007FF6103F0000-0x00007FF610741000-memory.dmp	xmrig
behavioral2/memory/1412-237-0x00007FF799A80000-0x00007FF799DD1000-memory.dmp	xmrig
behavioral2/memory/4636-239-0x00007FF6A6EE0000-0x00007FF6A7231000-memory.dmp	xmrig
behavioral2/memory/3456-241-0x00007FF6DF5E0000-0x00007FF6DF931000-memory.dmp	xmrig
behavioral2/memory/4872-250-0x00007FF694EA0000-0x00007FF6951F1000-memory.dmp	xmrig
behavioral2/memory/3848-252-0x00007FF6D03E0000-0x00007FF6D0731000-memory.dmp	xmrig
behavioral2/memory/3252-258-0x00007FF6562C0000-0x00007FF656611000-memory.dmp	xmrig
behavioral2/memory/2692-259-0x00007FF723030000-0x00007FF723381000-memory.dmp	xmrig
behavioral2/memory/3176-261-0x00007FF757E60000-0x00007FF7581B1000-memory.dmp	xmrig
behavioral2/memory/4244-256-0x00007FF7E7320000-0x00007FF7E7671000-memory.dmp	xmrig
behavioral2/memory/232-265-0x00007FF7BB960000-0x00007FF7BBCB1000-memory.dmp	xmrig
behavioral2/memory/1992-263-0x00007FF72D660000-0x00007FF72D9B1000-memory.dmp	xmrig
behavioral2/memory/2268-267-0x00007FF610F70000-0x00007FF6112C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4744	ruzRLas.exe
4396	CneEbbe.exe
2292	lbyjdkG.exe
4712	dGRtLee.exe
964	zNRNxUP.exe
4128	uWThdSs.exe
4748	SdQiKwh.exe
1716	KbzvTVn.exe
1412	YdgRzqA.exe
4800	EVMiJaJ.exe
4636	jOMNgAp.exe
3456	GczGumi.exe
4872	vveUONF.exe
3848	NCuwLdv.exe
4244	KYByiQw.exe
3252	FGTEsjr.exe
2692	fYgDUsb.exe
3176	ToRdMbV.exe
1992	CXAPfEf.exe
2268	AMojYFT.exe
232	GFKgcHr.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2780-0-0x00007FF7DEED0000-0x00007FF7DF221000-memory.dmp	upx
behavioral2/files/0x00080000000234ba-4.dat	upx
behavioral2/memory/4744-7-0x00007FF72F290000-0x00007FF72F5E1000-memory.dmp	upx
behavioral2/files/0x00070000000234bc-10.dat	upx
behavioral2/files/0x00070000000234bb-11.dat	upx
behavioral2/memory/4396-12-0x00007FF617C10000-0x00007FF617F61000-memory.dmp	upx
behavioral2/files/0x00070000000234bd-22.dat	upx
behavioral2/memory/4712-28-0x00007FF61DC00000-0x00007FF61DF51000-memory.dmp	upx
behavioral2/files/0x00070000000234bf-31.dat	upx
behavioral2/memory/964-34-0x00007FF686C30000-0x00007FF686F81000-memory.dmp	upx
behavioral2/memory/4128-37-0x00007FF7721F0000-0x00007FF772541000-memory.dmp	upx
behavioral2/files/0x00070000000234be-32.dat	upx
behavioral2/memory/2292-18-0x00007FF75B710000-0x00007FF75BA61000-memory.dmp	upx
behavioral2/files/0x00080000000234b8-46.dat	upx
behavioral2/files/0x00070000000234c2-56.dat	upx
behavioral2/memory/4800-64-0x00007FF6103F0000-0x00007FF610741000-memory.dmp	upx
behavioral2/files/0x00070000000234c3-69.dat	upx
behavioral2/memory/3456-74-0x00007FF6DF5E0000-0x00007FF6DF931000-memory.dmp	upx
behavioral2/files/0x00070000000234c4-75.dat	upx
behavioral2/memory/4744-73-0x00007FF72F290000-0x00007FF72F5E1000-memory.dmp	upx
behavioral2/memory/4636-67-0x00007FF6A6EE0000-0x00007FF6A7231000-memory.dmp	upx
behavioral2/memory/2780-65-0x00007FF7DEED0000-0x00007FF7DF221000-memory.dmp	upx
behavioral2/memory/1412-57-0x00007FF799A80000-0x00007FF799DD1000-memory.dmp	upx
behavioral2/files/0x00070000000234c1-59.dat	upx
behavioral2/memory/1716-49-0x00007FF601B40000-0x00007FF601E91000-memory.dmp	upx
behavioral2/files/0x00070000000234c0-44.dat	upx
behavioral2/memory/4748-42-0x00007FF7FF710000-0x00007FF7FFA61000-memory.dmp	upx
behavioral2/files/0x00070000000234c5-88.dat	upx
behavioral2/files/0x00070000000234c9-98.dat	upx
behavioral2/files/0x00070000000234ca-118.dat	upx
behavioral2/files/0x00070000000234ce-124.dat	upx
behavioral2/files/0x00070000000234cc-129.dat	upx
behavioral2/files/0x00070000000234cd-125.dat	upx
behavioral2/memory/3176-121-0x00007FF757E60000-0x00007FF7581B1000-memory.dmp	upx
behavioral2/memory/3252-115-0x00007FF6562C0000-0x00007FF656611000-memory.dmp	upx
behavioral2/memory/4128-113-0x00007FF7721F0000-0x00007FF772541000-memory.dmp	upx
behavioral2/memory/964-112-0x00007FF686C30000-0x00007FF686F81000-memory.dmp	upx
behavioral2/files/0x00070000000234cb-111.dat	upx
behavioral2/files/0x00070000000234c8-107.dat	upx
behavioral2/memory/2692-103-0x00007FF723030000-0x00007FF723381000-memory.dmp	upx
behavioral2/memory/4244-102-0x00007FF7E7320000-0x00007FF7E7671000-memory.dmp	upx
behavioral2/memory/4872-87-0x00007FF694EA0000-0x00007FF6951F1000-memory.dmp	upx
behavioral2/memory/3848-97-0x00007FF6D03E0000-0x00007FF6D0731000-memory.dmp	upx
behavioral2/files/0x00070000000234c7-91.dat	upx
behavioral2/memory/2292-84-0x00007FF75B710000-0x00007FF75BA61000-memory.dmp	upx
behavioral2/memory/4396-79-0x00007FF617C10000-0x00007FF617F61000-memory.dmp	upx
behavioral2/memory/2268-131-0x00007FF610F70000-0x00007FF6112C1000-memory.dmp	upx
behavioral2/memory/1992-133-0x00007FF72D660000-0x00007FF72D9B1000-memory.dmp	upx
behavioral2/memory/232-132-0x00007FF7BB960000-0x00007FF7BBCB1000-memory.dmp	upx
behavioral2/memory/4748-134-0x00007FF7FF710000-0x00007FF7FFA61000-memory.dmp	upx
behavioral2/memory/2780-135-0x00007FF7DEED0000-0x00007FF7DF221000-memory.dmp	upx
behavioral2/memory/4800-144-0x00007FF6103F0000-0x00007FF610741000-memory.dmp	upx
behavioral2/memory/1716-143-0x00007FF601B40000-0x00007FF601E91000-memory.dmp	upx
behavioral2/memory/4636-148-0x00007FF6A6EE0000-0x00007FF6A7231000-memory.dmp	upx
behavioral2/memory/4872-150-0x00007FF694EA0000-0x00007FF6951F1000-memory.dmp	upx
behavioral2/memory/1412-151-0x00007FF799A80000-0x00007FF799DD1000-memory.dmp	upx
behavioral2/memory/3456-149-0x00007FF6DF5E0000-0x00007FF6DF931000-memory.dmp	upx
behavioral2/memory/3848-152-0x00007FF6D03E0000-0x00007FF6D0731000-memory.dmp	upx
behavioral2/memory/4244-153-0x00007FF7E7320000-0x00007FF7E7671000-memory.dmp	upx
behavioral2/memory/2692-155-0x00007FF723030000-0x00007FF723381000-memory.dmp	upx
behavioral2/memory/3176-156-0x00007FF757E60000-0x00007FF7581B1000-memory.dmp	upx
behavioral2/memory/2780-160-0x00007FF7DEED0000-0x00007FF7DF221000-memory.dmp	upx
behavioral2/memory/4744-213-0x00007FF72F290000-0x00007FF72F5E1000-memory.dmp	upx
behavioral2/memory/4396-215-0x00007FF617C10000-0x00007FF617F61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\NCuwLdv.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fYgDUsb.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ToRdMbV.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CneEbbe.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GczGumi.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YdgRzqA.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CXAPfEf.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zNRNxUP.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KbzvTVn.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uWThdSs.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EVMiJaJ.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KYByiQw.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FGTEsjr.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AMojYFT.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lbyjdkG.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dGRtLee.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jOMNgAp.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vveUONF.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GFKgcHr.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ruzRLas.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SdQiKwh.exe	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 4744	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2780 wrote to memory of 4744	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2780 wrote to memory of 4396	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2780 wrote to memory of 4396	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2780 wrote to memory of 2292	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2780 wrote to memory of 2292	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2780 wrote to memory of 4712	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2780 wrote to memory of 4712	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2780 wrote to memory of 964	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2780 wrote to memory of 964	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2780 wrote to memory of 4128	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2780 wrote to memory of 4128	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2780 wrote to memory of 4748	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2780 wrote to memory of 4748	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2780 wrote to memory of 1716	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2780 wrote to memory of 1716	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2780 wrote to memory of 1412	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2780 wrote to memory of 1412	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2780 wrote to memory of 4800	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2780 wrote to memory of 4800	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2780 wrote to memory of 4636	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2780 wrote to memory of 4636	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2780 wrote to memory of 3456	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2780 wrote to memory of 3456	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2780 wrote to memory of 4872	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2780 wrote to memory of 4872	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2780 wrote to memory of 3848	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2780 wrote to memory of 3848	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2780 wrote to memory of 4244	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2780 wrote to memory of 4244	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2780 wrote to memory of 3252	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2780 wrote to memory of 3252	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2780 wrote to memory of 2692	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2780 wrote to memory of 2692	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2780 wrote to memory of 3176	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2780 wrote to memory of 3176	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2780 wrote to memory of 1992	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2780 wrote to memory of 1992	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2780 wrote to memory of 2268	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2780 wrote to memory of 2268	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2780 wrote to memory of 232	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2780 wrote to memory of 232	2780	2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_2aa920cb83299ec85f3631b2cadf8c76_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\System\ruzRLas.exe
  C:\Windows\System\ruzRLas.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\CneEbbe.exe
  C:\Windows\System\CneEbbe.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\lbyjdkG.exe
  C:\Windows\System\lbyjdkG.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\dGRtLee.exe
  C:\Windows\System\dGRtLee.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System\zNRNxUP.exe
  C:\Windows\System\zNRNxUP.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\uWThdSs.exe
  C:\Windows\System\uWThdSs.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System\SdQiKwh.exe
  C:\Windows\System\SdQiKwh.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\KbzvTVn.exe
  C:\Windows\System\KbzvTVn.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\YdgRzqA.exe
  C:\Windows\System\YdgRzqA.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\EVMiJaJ.exe
  C:\Windows\System\EVMiJaJ.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System\jOMNgAp.exe
  C:\Windows\System\jOMNgAp.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\GczGumi.exe
  C:\Windows\System\GczGumi.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System\vveUONF.exe
  C:\Windows\System\vveUONF.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\NCuwLdv.exe
  C:\Windows\System\NCuwLdv.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\KYByiQw.exe
  C:\Windows\System\KYByiQw.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System\FGTEsjr.exe
  C:\Windows\System\FGTEsjr.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System\fYgDUsb.exe
  C:\Windows\System\fYgDUsb.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\ToRdMbV.exe
  C:\Windows\System\ToRdMbV.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System\CXAPfEf.exe
  C:\Windows\System\CXAPfEf.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System\AMojYFT.exe
  C:\Windows\System\AMojYFT.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\GFKgcHr.exe
  C:\Windows\System\GFKgcHr.exe
  2⤵
  - Executes dropped EXE
  PID:232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AMojYFT.exe

Filesize
5.2MB

MD5
75e1ecc176a7d31b0aa1b4976d349e61

SHA1
43653a8571e7bfa2ce6fe5e85732fc1970ad599f

SHA256
83405366fd4fd4fa3081e2b3ce937592d853f6d082b4d28f6c278f44fe4f94d7

SHA512
ff95ec9ff72fb10132cc12738277270cbb4db9b9eac4c379221fb0d8a97ab9de452217dd2043f0fae980c7a975c143b9e80994a402d2f39b05d1a19728edcb71

Download Submit
C:\Windows\System\CXAPfEf.exe

Filesize
5.2MB

MD5
c1fec42445498dcb6c15be6652e4647c

SHA1
5fde34ef7119cd82395b2cdb570a7a1f7f232d61

SHA256
28fdbe396563900abe062d5924de8886e492d0194bee66c07153bd8183842482

SHA512
82089225f223a91b1f01fe87f0c594bf3673d1b268f80157e819b03cd37d1abd6c4a4eb991447a33daec9759686d1a0a2b77ecdf21475f287280571cd48f8164

Download Submit
C:\Windows\System\CneEbbe.exe

Filesize
5.2MB

MD5
5d6952f3754fcda6c56db94a53cd638f

SHA1
a9e2e682f40d55d2d3def7c1bba027062cca0933

SHA256
5d7f4cdb492fe9747b7e22ea7f9c0fe12e96d6ffc39cb1433649f98605904a29

SHA512
fba027f242b84ce03dd4745e5c7f791818ef70b2b309931ae110e8caadc08df1afc6c70a7ad2f209083f2d83c256bf5e475c9eda10e49dd387c68212e4773c48

Download Submit
C:\Windows\System\EVMiJaJ.exe

Filesize
5.2MB

MD5
6829390252235ea6873be3f4b463a55c

SHA1
b5999ba587938ba0b0a83cb369e356ce7a39178b

SHA256
d7229ff67efde20dd57d99ba5afd32faa6554a4eb8d9f56e8fe69597220f54be

SHA512
fd8421b2737a85ffee2c08ea75abf8316cc71314035e5c42d2f415d7a4928eae5e66fa65bc8f24db55687ac919713d0d30a5607e53b4905bf48dddb431878896

Download Submit
C:\Windows\System\FGTEsjr.exe

Filesize
5.2MB

MD5
79a80ab724351850e47bbd7a15848bbf

SHA1
49f25c3292a01ea2af7cd69ba846a02ab51254f4

SHA256
6da3fb0c792de62d38e2c11a9bb1b3961c3971393ad413e80e2de094afc85a8e

SHA512
762f40c6d17991e1ec209dd20b5b2079714ca5954ad47da0ba00fdb8e77078dd653e55e184c554f47e69c30c8b563c7fe452a6509d589f6857903bbb210c2370

Download Submit
C:\Windows\System\GFKgcHr.exe

Filesize
5.2MB

MD5
9d792c05fcfd8901ce7d78e1385c5d8b

SHA1
4184b9b261d0b25a78f32e4336aee2fb47501b11

SHA256
75e3a7958445a32baaf3e8f121cb450d12d8ca0f0bd31d620408388828a80790

SHA512
194685fa1b9ba78631ba8e22111808a0caeda57a7779b1c06a6bb6ff6a1c32662da6427f0a0d8bbecf82e18fdc70413852d95f61742ba4a4049fa34ee27e6532

Download Submit
C:\Windows\System\GczGumi.exe

Filesize
5.2MB

MD5
848d7c12a68970db4e109fbad25bd170

SHA1
329cbbf0a248f76da76cc07c72e4edce0f9ebf3c

SHA256
61d044eff379327e07135c60bac52152ba9a24b41d28faadcaf2f07c19579339

SHA512
ad4013590bf241019c784bd8302bf6282ea370759802c4181c8903122c1778420f1408cc1cf3b0f1886a5b204e005a8f0afd52d051e65dd01e98731fabb274b5

Download Submit
C:\Windows\System\KYByiQw.exe

Filesize
5.2MB

MD5
6077f3c02bffc1c856946564e460d7f7

SHA1
973be9f2b9df87311a8d296a886d28748361a21b

SHA256
43f7ac94d6690059993af298781cf835fa6b00959ce584fcaa98c8357eceedc0

SHA512
d53d0462e3cd9ae2c415856a9f0404260c1b4264f2c3392f7631497f1bf39d6b2c7ff67c3123a29980db9f1af2cf8855dfebc902991f198f51bce03078d732d6

Download Submit
C:\Windows\System\KbzvTVn.exe

Filesize
5.2MB

MD5
e877c3aeb764676621cc6b89045e4648

SHA1
5e1653cad8c9510b6e7390a038a0144f330f1dc3

SHA256
f59c229db4cdc2ba749c3dba46a1037431a69c9755530e4210a7aefa0b8037d5

SHA512
d71f8a8c098fde51043ac9e32321d6bd9d6091b5a5fe6dea3c7964088a3753a4738988dea2640ed7e219642758f8cec52ad844d746e7e12324d8568d4690d478

Download Submit
C:\Windows\System\NCuwLdv.exe

Filesize
5.2MB

MD5
1b75969e8a4934e7e324bfe81ade1a7e

SHA1
c4feefd6e663c730621a5d7898e7e6ca22542274

SHA256
7fce92dbd1d4efbe1a4a006c9f68bac9a1ddc1ce3a48649e0e9ada090e099714

SHA512
591cc35574fd723276b8dbc7ef1d949d238a69f51d5393bdf0adb5e3bd9d16f6a1bc70eaa7086530e0d7d81abecb9a2bf4be2fe990d61902e8e390b10aefdb67

Download Submit
C:\Windows\System\SdQiKwh.exe

Filesize
5.2MB

MD5
ed1c82fab5c32e08eb8f910eded432ca

SHA1
65f2f876065777dfb934ba1153b610201bab69ea

SHA256
673191b8e469a0a57eb9f6ff38c9a6296a1d805419e1a6f326ac6eeab48316e3

SHA512
cbc2fe8e93c595f630ef739097cf7b0b819dbdffb646294c2f4b187ff42f256a96ff933e891414610614f2c10eb4209e7c23724811b84ff59532eaa3f4615b6c

Download Submit
C:\Windows\System\ToRdMbV.exe

Filesize
5.2MB

MD5
1a8c5daefc6f502b0aa807305653b72f

SHA1
71fa1c32e4a6c819aa8209480d41b9c0995ac6da

SHA256
2e81a5523e8b223172096d8aba172c746884523ac870f0672b3572ea74a7ae63

SHA512
386fa69a09824e5c90fa42fe034a7b26517cc5451d6ca90a93422202c9762742e4b7061aa519c73b733f4b9da650f0d1e33f286f8e3c26059bbc18b88a59e55d

Download Submit
C:\Windows\System\YdgRzqA.exe

Filesize
5.2MB

MD5
1e891f38a3dc4d38fbffbca52deab1ca

SHA1
c5f6909014d50aec88e5bc3724106b69a59d888c

SHA256
9e39bd754420be1bb680c490324ed63ec16f2c3d37fdd71778461280dee8c483

SHA512
9db7c4ee39580dfd5993fae474c4228e187233b9cb3fc1ef0ca9898b4cafb8eccbf5da769db2fbc5fca4e94698fb103c736755afe6641fc8fc99f3c92a769c06

Download Submit
C:\Windows\System\dGRtLee.exe

Filesize
5.2MB

MD5
ab320c053beec071d4133e8a9e98ec04

SHA1
1ef62127a8d47446b9e4815305da898b961206e0

SHA256
71bc88872a4d29585422637a8ef57147a230b7dfa5683ac1eba3cd28d2fd5cd0

SHA512
607bfa55c8d6d1f166ca8b398cf8f993c088aafacaf8ddefac0c2b2f4fb824c063f67ad55ef10df889e25cfe7c1ee711c760271f390c236503e2e201af65985d

Download Submit
C:\Windows\System\fYgDUsb.exe

Filesize
5.2MB

MD5
8632f85e37f5304fc1dc9534651746b8

SHA1
7728a01571bfb12e79bab91c112343af63ccf084

SHA256
78d6627fa595cc0c31ea9c8cb2b97f04c048253224fddb039bb6163604038d91

SHA512
6dd86fed8bd0ec2d03180c4fa51920127279f318ff7562986bcaa1b424b17b861cbb692d20afdaa8a5494b193c9e37f818bf2b7a7e7baaf1405a2a28a17946d5

Download Submit
C:\Windows\System\jOMNgAp.exe

Filesize
5.2MB

MD5
803b4a49b169873c311118b94cfc8f3c

SHA1
87dd2bb1b6a29bbfe5ac3ae10932b4c74dd5f1e5

SHA256
85ddf901d60ece1dfda95d539679ce3561c7a46778f43c0a5d37bf10e598d85b

SHA512
b19910e7409251be3ec86687cc6a48c503bd6bf97988c91e9c003575f17e6db580d084bde640fbf5c22140dccb0e67a9d4daed1367396b4dabd99024093fea6c

Download Submit
C:\Windows\System\lbyjdkG.exe

Filesize
5.2MB

MD5
363b8a8835939c9196f535cb9c597711

SHA1
0220f4957f3f53e9691b01ece7f1f70e364f5219

SHA256
8d694917fb1be6486974fe304c4a2c78f1aee89ee631aa0ceccdc6433ebdf482

SHA512
2853379f72f31605397cb51eef7ff9d6b4c3d87d92f5305f27181c9585f0d72fdd4eec33e5d08b8e1ccb5e8021cf13db0b06db051dfdf069fe5d97e212f197ca

Download Submit
C:\Windows\System\ruzRLas.exe

Filesize
5.2MB

MD5
37318a6683d15d197116e0a6035bed26

SHA1
3ac116a9ed0f51639e5d1ee6d83726111e8eedfe

SHA256
56942376cd434fe79471a1850b9440486b9014aafd2929be9dabd166d7932c1a

SHA512
f4d352cb7eedf71a4ae719c2fd1292a31455fedfb8cac7371cc301d2244780a9d85d8d74371e6e0243c9f1dea1e2bc6d5e75625dd038a0d02df29929f7ef7ea1

Download Submit
C:\Windows\System\uWThdSs.exe

Filesize
5.2MB

MD5
ec072b59664e3d909f7382da78d4d2b7

SHA1
4152c1124fea64a8f6de5be14d51d834357582a4

SHA256
21f3f18a3fc37d3e2ab5d6248c0658e4aa01350caa2f8c6c778f2e1fba9439c2

SHA512
94a6576237c351e83e0e33e4f70e377171068204bc4e4448425fe185aa80b1cb4c62e6033ff91712933cea1c23c57178fa4d359ee9856df2c2f7271af5f6b325

Download Submit
C:\Windows\System\vveUONF.exe

Filesize
5.2MB

MD5
ec7a04b7676c0ff29629960151fee51d

SHA1
c545e90710df187fa4efdf041137ab9470be9748

SHA256
444c63e71e1ded264dd88f4d74f29d061844d1adaf183eefb2e361bca234b531

SHA512
bc2735b473b71f95144f05232857144bb5c99ac5e669717715532aaded0b530f43d9f7b376e1bfa6fc2c928ffabc11acc7b864731c857f98ab20d3aafffd3e4b

Download Submit
C:\Windows\System\zNRNxUP.exe

Filesize
5.2MB

MD5
7ef05d236a6ce097c06de254a46168df

SHA1
c990af78d56eddcdeb555e8ae8ee936227356ab2

SHA256
cf99c6d6642b16d668cbb20880cf1d5df081e0d1111867124f62304942077d59

SHA512
8d1e693df05bba0356fd38d88534b320659ddfb5436960673c1629a3ee2adf19605ba8a0c0dbe031c04708eb84cbeeda28f25f5b2aa0e167beae9a1e1602fd76

Download Submit
memory/232-265-0x00007FF7BB960000-0x00007FF7BBCB1000-memory.dmp

Filesize
3.3MB

Download
memory/232-132-0x00007FF7BB960000-0x00007FF7BBCB1000-memory.dmp

Filesize
3.3MB

Download
memory/964-112-0x00007FF686C30000-0x00007FF686F81000-memory.dmp

Filesize
3.3MB

Download
memory/964-34-0x00007FF686C30000-0x00007FF686F81000-memory.dmp

Filesize
3.3MB

Download
memory/964-221-0x00007FF686C30000-0x00007FF686F81000-memory.dmp

Filesize
3.3MB

Download
memory/1412-57-0x00007FF799A80000-0x00007FF799DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1412-237-0x00007FF799A80000-0x00007FF799DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1412-151-0x00007FF799A80000-0x00007FF799DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1716-233-0x00007FF601B40000-0x00007FF601E91000-memory.dmp

Filesize
3.3MB

Download
memory/1716-143-0x00007FF601B40000-0x00007FF601E91000-memory.dmp

Filesize
3.3MB

Download
memory/1716-49-0x00007FF601B40000-0x00007FF601E91000-memory.dmp

Filesize
3.3MB

Download
memory/1992-263-0x00007FF72D660000-0x00007FF72D9B1000-memory.dmp

Filesize
3.3MB

Download
memory/1992-133-0x00007FF72D660000-0x00007FF72D9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2268-131-0x00007FF610F70000-0x00007FF6112C1000-memory.dmp

Filesize
3.3MB

Download
memory/2268-267-0x00007FF610F70000-0x00007FF6112C1000-memory.dmp

Filesize
3.3MB

Download
memory/2292-219-0x00007FF75B710000-0x00007FF75BA61000-memory.dmp

Filesize
3.3MB

Download
memory/2292-18-0x00007FF75B710000-0x00007FF75BA61000-memory.dmp

Filesize
3.3MB

Download
memory/2292-84-0x00007FF75B710000-0x00007FF75BA61000-memory.dmp

Filesize
3.3MB

Download
memory/2692-103-0x00007FF723030000-0x00007FF723381000-memory.dmp

Filesize
3.3MB

Download
memory/2692-259-0x00007FF723030000-0x00007FF723381000-memory.dmp

Filesize
3.3MB

Download
memory/2692-155-0x00007FF723030000-0x00007FF723381000-memory.dmp

Filesize
3.3MB

Download
memory/2780-0-0x00007FF7DEED0000-0x00007FF7DF221000-memory.dmp

Filesize
3.3MB

Download
memory/2780-1-0x00000143CA4E0000-0x00000143CA4F0000-memory.dmp

Filesize
64KB

Download
memory/2780-65-0x00007FF7DEED0000-0x00007FF7DF221000-memory.dmp

Filesize
3.3MB

Download
memory/2780-160-0x00007FF7DEED0000-0x00007FF7DF221000-memory.dmp

Filesize
3.3MB

Download
memory/2780-135-0x00007FF7DEED0000-0x00007FF7DF221000-memory.dmp

Filesize
3.3MB

Download
memory/3176-156-0x00007FF757E60000-0x00007FF7581B1000-memory.dmp

Filesize
3.3MB

Download
memory/3176-261-0x00007FF757E60000-0x00007FF7581B1000-memory.dmp

Filesize
3.3MB

Download
memory/3176-121-0x00007FF757E60000-0x00007FF7581B1000-memory.dmp

Filesize
3.3MB

Download
memory/3252-258-0x00007FF6562C0000-0x00007FF656611000-memory.dmp

Filesize
3.3MB

Download
memory/3252-115-0x00007FF6562C0000-0x00007FF656611000-memory.dmp

Filesize
3.3MB

Download
memory/3456-241-0x00007FF6DF5E0000-0x00007FF6DF931000-memory.dmp

Filesize
3.3MB

Download
memory/3456-74-0x00007FF6DF5E0000-0x00007FF6DF931000-memory.dmp

Filesize
3.3MB

Download
memory/3456-149-0x00007FF6DF5E0000-0x00007FF6DF931000-memory.dmp

Filesize
3.3MB

Download
memory/3848-97-0x00007FF6D03E0000-0x00007FF6D0731000-memory.dmp

Filesize
3.3MB

Download
memory/3848-152-0x00007FF6D03E0000-0x00007FF6D0731000-memory.dmp

Filesize
3.3MB

Download
memory/3848-252-0x00007FF6D03E0000-0x00007FF6D0731000-memory.dmp

Filesize
3.3MB

Download
memory/4128-223-0x00007FF7721F0000-0x00007FF772541000-memory.dmp

Filesize
3.3MB

Download
memory/4128-113-0x00007FF7721F0000-0x00007FF772541000-memory.dmp

Filesize
3.3MB

Download
memory/4128-37-0x00007FF7721F0000-0x00007FF772541000-memory.dmp

Filesize
3.3MB

Download
memory/4244-256-0x00007FF7E7320000-0x00007FF7E7671000-memory.dmp

Filesize
3.3MB

Download
memory/4244-153-0x00007FF7E7320000-0x00007FF7E7671000-memory.dmp

Filesize
3.3MB

Download
memory/4244-102-0x00007FF7E7320000-0x00007FF7E7671000-memory.dmp

Filesize
3.3MB

Download
memory/4396-215-0x00007FF617C10000-0x00007FF617F61000-memory.dmp

Filesize
3.3MB

Download
memory/4396-12-0x00007FF617C10000-0x00007FF617F61000-memory.dmp

Filesize
3.3MB

Download
memory/4396-79-0x00007FF617C10000-0x00007FF617F61000-memory.dmp

Filesize
3.3MB

Download
memory/4636-67-0x00007FF6A6EE0000-0x00007FF6A7231000-memory.dmp

Filesize
3.3MB

Download
memory/4636-148-0x00007FF6A6EE0000-0x00007FF6A7231000-memory.dmp

Filesize
3.3MB

Download
memory/4636-239-0x00007FF6A6EE0000-0x00007FF6A7231000-memory.dmp

Filesize
3.3MB

Download
memory/4712-217-0x00007FF61DC00000-0x00007FF61DF51000-memory.dmp

Filesize
3.3MB

Download
memory/4712-28-0x00007FF61DC00000-0x00007FF61DF51000-memory.dmp

Filesize
3.3MB

Download
memory/4744-213-0x00007FF72F290000-0x00007FF72F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-7-0x00007FF72F290000-0x00007FF72F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-73-0x00007FF72F290000-0x00007FF72F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/4748-231-0x00007FF7FF710000-0x00007FF7FFA61000-memory.dmp

Filesize
3.3MB

Download
memory/4748-42-0x00007FF7FF710000-0x00007FF7FFA61000-memory.dmp

Filesize
3.3MB

Download
memory/4748-134-0x00007FF7FF710000-0x00007FF7FFA61000-memory.dmp

Filesize
3.3MB

Download
memory/4800-64-0x00007FF6103F0000-0x00007FF610741000-memory.dmp

Filesize
3.3MB

Download
memory/4800-235-0x00007FF6103F0000-0x00007FF610741000-memory.dmp

Filesize
3.3MB

Download
memory/4800-144-0x00007FF6103F0000-0x00007FF610741000-memory.dmp

Filesize
3.3MB

Download
memory/4872-87-0x00007FF694EA0000-0x00007FF6951F1000-memory.dmp

Filesize
3.3MB

Download
memory/4872-250-0x00007FF694EA0000-0x00007FF6951F1000-memory.dmp

Filesize
3.3MB

Download
memory/4872-150-0x00007FF694EA0000-0x00007FF6951F1000-memory.dmp

Filesize
3.3MB

Download