cobaltstrike | d989b7b6d94dad502b40057fc710b98d5a1dc077b2df6eb372e882a80198c505

Analysis

max time kernel
141s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

fe5d65f58c7210392793f51c90019aab
SHA1

f3865d8ed85a9f4ac9fd67af9eb8699e27cb7a12
SHA256

d989b7b6d94dad502b40057fc710b98d5a1dc077b2df6eb372e882a80198c505
SHA512

a2a5451f06ef81853233f9e95eed7fbeee939ffcbb75d331e01f3b739cd933d8d1a289e6459db2b20b2941f6e8ce31e5868b150dab9a4c9f91c51196456575b7
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6le:RWWBibd56utgpPFotBER/mQ32lU6

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023584-4.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002358a-16.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002358b-22.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002358d-48.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002358e-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023591-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023594-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023593-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023599-119.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002359a-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023598-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023597-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023596-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023595-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023592-91.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023585-81.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002358f-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023590-61.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002358c-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023589-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023588-18.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2120-122-0x00007FF722A80000-0x00007FF722DD1000-memory.dmp	xmrig
behavioral2/memory/1712-121-0x00007FF6339D0000-0x00007FF633D21000-memory.dmp	xmrig
behavioral2/memory/1640-70-0x00007FF766870000-0x00007FF766BC1000-memory.dmp	xmrig
behavioral2/memory/5000-66-0x00007FF60B0F0000-0x00007FF60B441000-memory.dmp	xmrig
behavioral2/memory/2108-60-0x00007FF7BF4C0000-0x00007FF7BF811000-memory.dmp	xmrig
behavioral2/memory/3380-131-0x00007FF75B600000-0x00007FF75B951000-memory.dmp	xmrig
behavioral2/memory/2920-133-0x00007FF766E90000-0x00007FF7671E1000-memory.dmp	xmrig
behavioral2/memory/1620-146-0x00007FF73ED90000-0x00007FF73F0E1000-memory.dmp	xmrig
behavioral2/memory/2924-149-0x00007FF66C890000-0x00007FF66CBE1000-memory.dmp	xmrig
behavioral2/memory/3684-148-0x00007FF72DC60000-0x00007FF72DFB1000-memory.dmp	xmrig
behavioral2/memory/1872-145-0x00007FF62C4C0000-0x00007FF62C811000-memory.dmp	xmrig
behavioral2/memory/3068-142-0x00007FF63BCE0000-0x00007FF63C031000-memory.dmp	xmrig
behavioral2/memory/2376-140-0x00007FF747340000-0x00007FF747691000-memory.dmp	xmrig
behavioral2/memory/228-139-0x00007FF738660000-0x00007FF7389B1000-memory.dmp	xmrig
behavioral2/memory/4600-136-0x00007FF667790000-0x00007FF667AE1000-memory.dmp	xmrig
behavioral2/memory/3188-132-0x00007FF657120000-0x00007FF657471000-memory.dmp	xmrig
behavioral2/memory/5016-130-0x00007FF7EFB40000-0x00007FF7EFE91000-memory.dmp	xmrig
behavioral2/memory/3640-129-0x00007FF733820000-0x00007FF733B71000-memory.dmp	xmrig
behavioral2/memory/1644-143-0x00007FF6FB600000-0x00007FF6FB951000-memory.dmp	xmrig
behavioral2/memory/4604-141-0x00007FF7F35C0000-0x00007FF7F3911000-memory.dmp	xmrig
behavioral2/memory/4040-128-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp	xmrig
behavioral2/memory/1776-138-0x00007FF751BC0000-0x00007FF751F11000-memory.dmp	xmrig
behavioral2/memory/4040-150-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp	xmrig
behavioral2/memory/4040-151-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp	xmrig
behavioral2/memory/3640-205-0x00007FF733820000-0x00007FF733B71000-memory.dmp	xmrig
behavioral2/memory/5016-207-0x00007FF7EFB40000-0x00007FF7EFE91000-memory.dmp	xmrig
behavioral2/memory/3380-209-0x00007FF75B600000-0x00007FF75B951000-memory.dmp	xmrig
behavioral2/memory/5000-227-0x00007FF60B0F0000-0x00007FF60B441000-memory.dmp	xmrig
behavioral2/memory/2108-229-0x00007FF7BF4C0000-0x00007FF7BF811000-memory.dmp	xmrig
behavioral2/memory/2920-225-0x00007FF766E90000-0x00007FF7671E1000-memory.dmp	xmrig
behavioral2/memory/3188-223-0x00007FF657120000-0x00007FF657471000-memory.dmp	xmrig
behavioral2/memory/1776-237-0x00007FF751BC0000-0x00007FF751F11000-memory.dmp	xmrig
behavioral2/memory/228-234-0x00007FF738660000-0x00007FF7389B1000-memory.dmp	xmrig
behavioral2/memory/4604-232-0x00007FF7F35C0000-0x00007FF7F3911000-memory.dmp	xmrig
behavioral2/memory/1640-236-0x00007FF766870000-0x00007FF766BC1000-memory.dmp	xmrig
behavioral2/memory/2376-241-0x00007FF747340000-0x00007FF747691000-memory.dmp	xmrig
behavioral2/memory/3068-243-0x00007FF63BCE0000-0x00007FF63C031000-memory.dmp	xmrig
behavioral2/memory/4600-240-0x00007FF667790000-0x00007FF667AE1000-memory.dmp	xmrig
behavioral2/memory/1620-253-0x00007FF73ED90000-0x00007FF73F0E1000-memory.dmp	xmrig
behavioral2/memory/1712-256-0x00007FF6339D0000-0x00007FF633D21000-memory.dmp	xmrig
behavioral2/memory/1644-258-0x00007FF6FB600000-0x00007FF6FB951000-memory.dmp	xmrig
behavioral2/memory/1872-255-0x00007FF62C4C0000-0x00007FF62C811000-memory.dmp	xmrig
behavioral2/memory/3684-251-0x00007FF72DC60000-0x00007FF72DFB1000-memory.dmp	xmrig
behavioral2/memory/2924-248-0x00007FF66C890000-0x00007FF66CBE1000-memory.dmp	xmrig
behavioral2/memory/2120-247-0x00007FF722A80000-0x00007FF722DD1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3640	xdtrvJb.exe
5016	BhYsWfV.exe
3380	Arznhmx.exe
3188	wmaxYKU.exe
2920	CQIvmrN.exe
2108	bqSpVyK.exe
5000	VzsePDR.exe
4600	ZzyHUnq.exe
1640	OwATjcc.exe
1776	daWcgFb.exe
228	pstAXyD.exe
4604	KpdvXeu.exe
2376	PMSXTbx.exe
3068	MMtQcMI.exe
1644	axVRHiQ.exe
1712	EjZkfEx.exe
1872	LDgIpIs.exe
1620	qVmeXGg.exe
2120	auJrthU.exe
3684	GJaTwSB.exe
2924	ydkGUeY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4040-0-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp	upx
behavioral2/files/0x0008000000023584-4.dat	upx
behavioral2/memory/3640-7-0x00007FF733820000-0x00007FF733B71000-memory.dmp	upx
behavioral2/files/0x000700000002358a-16.dat	upx
behavioral2/files/0x000700000002358b-22.dat	upx
behavioral2/memory/3188-24-0x00007FF657120000-0x00007FF657471000-memory.dmp	upx
behavioral2/files/0x000700000002358d-48.dat	upx
behavioral2/files/0x000700000002358e-57.dat	upx
behavioral2/files/0x0007000000023591-64.dat	upx
behavioral2/files/0x0007000000023594-83.dat	upx
behavioral2/files/0x0007000000023593-93.dat	upx
behavioral2/memory/1872-108-0x00007FF62C4C0000-0x00007FF62C811000-memory.dmp	upx
behavioral2/files/0x0007000000023599-119.dat	upx
behavioral2/files/0x000700000002359a-126.dat	upx
behavioral2/memory/2924-125-0x00007FF66C890000-0x00007FF66CBE1000-memory.dmp	upx
behavioral2/memory/2120-122-0x00007FF722A80000-0x00007FF722DD1000-memory.dmp	upx
behavioral2/memory/1712-121-0x00007FF6339D0000-0x00007FF633D21000-memory.dmp	upx
behavioral2/files/0x0007000000023598-117.dat	upx
behavioral2/memory/3684-116-0x00007FF72DC60000-0x00007FF72DFB1000-memory.dmp	upx
behavioral2/memory/1620-115-0x00007FF73ED90000-0x00007FF73F0E1000-memory.dmp	upx
behavioral2/files/0x0007000000023597-113.dat	upx
behavioral2/files/0x0007000000023596-111.dat	upx
behavioral2/files/0x0007000000023595-109.dat	upx
behavioral2/memory/1644-103-0x00007FF6FB600000-0x00007FF6FB951000-memory.dmp	upx
behavioral2/memory/2376-102-0x00007FF747340000-0x00007FF747691000-memory.dmp	upx
behavioral2/files/0x0007000000023592-91.dat	upx
behavioral2/memory/3068-88-0x00007FF63BCE0000-0x00007FF63C031000-memory.dmp	upx
behavioral2/memory/4604-80-0x00007FF7F35C0000-0x00007FF7F3911000-memory.dmp	upx
behavioral2/files/0x0008000000023585-81.dat	upx
behavioral2/memory/1640-70-0x00007FF766870000-0x00007FF766BC1000-memory.dmp	upx
behavioral2/memory/5000-66-0x00007FF60B0F0000-0x00007FF60B441000-memory.dmp	upx
behavioral2/files/0x000700000002358f-63.dat	upx
behavioral2/files/0x0007000000023590-61.dat	upx
behavioral2/memory/2108-60-0x00007FF7BF4C0000-0x00007FF7BF811000-memory.dmp	upx
behavioral2/memory/228-59-0x00007FF738660000-0x00007FF7389B1000-memory.dmp	upx
behavioral2/memory/1776-56-0x00007FF751BC0000-0x00007FF751F11000-memory.dmp	upx
behavioral2/memory/4600-55-0x00007FF667790000-0x00007FF667AE1000-memory.dmp	upx
behavioral2/memory/2920-44-0x00007FF766E90000-0x00007FF7671E1000-memory.dmp	upx
behavioral2/files/0x000700000002358c-41.dat	upx
behavioral2/memory/3380-35-0x00007FF75B600000-0x00007FF75B951000-memory.dmp	upx
behavioral2/files/0x0007000000023589-29.dat	upx
behavioral2/memory/5016-19-0x00007FF7EFB40000-0x00007FF7EFE91000-memory.dmp	upx
behavioral2/files/0x0007000000023588-18.dat	upx
behavioral2/memory/3380-131-0x00007FF75B600000-0x00007FF75B951000-memory.dmp	upx
behavioral2/memory/2920-133-0x00007FF766E90000-0x00007FF7671E1000-memory.dmp	upx
behavioral2/memory/1620-146-0x00007FF73ED90000-0x00007FF73F0E1000-memory.dmp	upx
behavioral2/memory/2924-149-0x00007FF66C890000-0x00007FF66CBE1000-memory.dmp	upx
behavioral2/memory/3684-148-0x00007FF72DC60000-0x00007FF72DFB1000-memory.dmp	upx
behavioral2/memory/1872-145-0x00007FF62C4C0000-0x00007FF62C811000-memory.dmp	upx
behavioral2/memory/3068-142-0x00007FF63BCE0000-0x00007FF63C031000-memory.dmp	upx
behavioral2/memory/2376-140-0x00007FF747340000-0x00007FF747691000-memory.dmp	upx
behavioral2/memory/228-139-0x00007FF738660000-0x00007FF7389B1000-memory.dmp	upx
behavioral2/memory/4600-136-0x00007FF667790000-0x00007FF667AE1000-memory.dmp	upx
behavioral2/memory/3188-132-0x00007FF657120000-0x00007FF657471000-memory.dmp	upx
behavioral2/memory/5016-130-0x00007FF7EFB40000-0x00007FF7EFE91000-memory.dmp	upx
behavioral2/memory/3640-129-0x00007FF733820000-0x00007FF733B71000-memory.dmp	upx
behavioral2/memory/1644-143-0x00007FF6FB600000-0x00007FF6FB951000-memory.dmp	upx
behavioral2/memory/4604-141-0x00007FF7F35C0000-0x00007FF7F3911000-memory.dmp	upx
behavioral2/memory/4040-128-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp	upx
behavioral2/memory/1776-138-0x00007FF751BC0000-0x00007FF751F11000-memory.dmp	upx
behavioral2/memory/4040-150-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp	upx
behavioral2/memory/4040-151-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp	upx
behavioral2/memory/3640-205-0x00007FF733820000-0x00007FF733B71000-memory.dmp	upx
behavioral2/memory/5016-207-0x00007FF7EFB40000-0x00007FF7EFE91000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZzyHUnq.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LDgIpIs.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\auJrthU.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wmaxYKU.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CQIvmrN.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VzsePDR.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EjZkfEx.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pstAXyD.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MMtQcMI.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\axVRHiQ.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Arznhmx.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bqSpVyK.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\daWcgFb.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PMSXTbx.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KpdvXeu.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qVmeXGg.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GJaTwSB.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xdtrvJb.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BhYsWfV.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OwATjcc.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ydkGUeY.exe	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 3640	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4040 wrote to memory of 3640	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4040 wrote to memory of 5016	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4040 wrote to memory of 5016	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4040 wrote to memory of 3380	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4040 wrote to memory of 3380	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4040 wrote to memory of 3188	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4040 wrote to memory of 3188	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4040 wrote to memory of 2920	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4040 wrote to memory of 2920	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4040 wrote to memory of 2108	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4040 wrote to memory of 2108	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4040 wrote to memory of 5000	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4040 wrote to memory of 5000	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4040 wrote to memory of 4600	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4040 wrote to memory of 4600	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4040 wrote to memory of 1640	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4040 wrote to memory of 1640	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4040 wrote to memory of 1776	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4040 wrote to memory of 1776	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4040 wrote to memory of 228	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4040 wrote to memory of 228	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4040 wrote to memory of 2376	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4040 wrote to memory of 2376	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4040 wrote to memory of 4604	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4040 wrote to memory of 4604	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4040 wrote to memory of 3068	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4040 wrote to memory of 3068	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4040 wrote to memory of 1644	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4040 wrote to memory of 1644	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4040 wrote to memory of 1712	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4040 wrote to memory of 1712	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4040 wrote to memory of 1872	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4040 wrote to memory of 1872	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4040 wrote to memory of 1620	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4040 wrote to memory of 1620	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4040 wrote to memory of 2120	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4040 wrote to memory of 2120	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4040 wrote to memory of 3684	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 4040 wrote to memory of 3684	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 4040 wrote to memory of 2924	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 4040 wrote to memory of 2924	4040	2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-01_fe5d65f58c7210392793f51c90019aab_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\System\xdtrvJb.exe
  C:\Windows\System\xdtrvJb.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\BhYsWfV.exe
  C:\Windows\System\BhYsWfV.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\Arznhmx.exe
  C:\Windows\System\Arznhmx.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System\wmaxYKU.exe
  C:\Windows\System\wmaxYKU.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\CQIvmrN.exe
  C:\Windows\System\CQIvmrN.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\bqSpVyK.exe
  C:\Windows\System\bqSpVyK.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\VzsePDR.exe
  C:\Windows\System\VzsePDR.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\ZzyHUnq.exe
  C:\Windows\System\ZzyHUnq.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\OwATjcc.exe
  C:\Windows\System\OwATjcc.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\daWcgFb.exe
  C:\Windows\System\daWcgFb.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System\pstAXyD.exe
  C:\Windows\System\pstAXyD.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\PMSXTbx.exe
  C:\Windows\System\PMSXTbx.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\KpdvXeu.exe
  C:\Windows\System\KpdvXeu.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\MMtQcMI.exe
  C:\Windows\System\MMtQcMI.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\axVRHiQ.exe
  C:\Windows\System\axVRHiQ.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\EjZkfEx.exe
  C:\Windows\System\EjZkfEx.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\LDgIpIs.exe
  C:\Windows\System\LDgIpIs.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\qVmeXGg.exe
  C:\Windows\System\qVmeXGg.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System\auJrthU.exe
  C:\Windows\System\auJrthU.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\GJaTwSB.exe
  C:\Windows\System\GJaTwSB.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\ydkGUeY.exe
  C:\Windows\System\ydkGUeY.exe
  2⤵
  - Executes dropped EXE
  PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4548,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8
1⤵
PID:4856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\Arznhmx.exe

Filesize
5.2MB

MD5
8775081213cc71442198b71b8fdb2782

SHA1
91c5a7413ba6ee4e10e3607312a8793c646c8d72

SHA256
967d6870c1a4a8adadecdfb0a6dd48d39c2395259a669c86cd545330fe491e3e

SHA512
7619fa35d9e6d66113cc1bfacf9cc09da2e179858b4f303f2c2f8b8bcdb821246f1d4e2c074b1484715a0a66ceec33a81ebd188a7cf05d134e297d9d9a206260

Download Submit
C:\Windows\System\BhYsWfV.exe

Filesize
5.2MB

MD5
ace7477c7186b3f1b44778388208fd2c

SHA1
a32616fa723da65e97f68662daf1f5ee7162e4d5

SHA256
804064886f78471031f51c80ccb3d74068fea8e33c0e59bdc41f52e0cdee6a11

SHA512
4dbc31024ff85808a8a4cd043156d16f52deb44d3d192a72390dfaa85918db548846195ae4212dccb254cd1804562a9fd5faa0b438951e6de6fc62139bbd76aa

Download Submit
C:\Windows\System\CQIvmrN.exe

Filesize
5.2MB

MD5
3ff99c395cf6ffc842d4e69b7c0c743a

SHA1
b11b34eff8d174e3e86a2ffca3210b6f9f30ca1f

SHA256
c981cdcb8264f26ddf762d75e6331183b4dc01d9ce20c50ad1f8447795982c88

SHA512
5f637a78aaecd004ecdb387ea38ff0922f5ed63bcc2c9571a604c5f3e7f2bfd5c2995cd359f02e1ee382171381a91b33214139c376b927583de7ddc6c7cea79e

Download Submit
C:\Windows\System\EjZkfEx.exe

Filesize
5.2MB

MD5
94a136c70cc02e7a622d9c7d3346e5ca

SHA1
ac06935dcb7f7c8e1b38f18de5c1116bea57b4e5

SHA256
f83682f6e10fa63b20f35ebf02c24c3977ca0fb694c8ea6a28692e96e4175c88

SHA512
c5cedf1f695af830a7ca4fd985d55540aad323e760084ce917b03831fa565b42f00a035d6347cc1d1da794009e3f65f86b9ab22fdfdbb001fd29ebe969a15766

Download Submit
C:\Windows\System\GJaTwSB.exe

Filesize
5.2MB

MD5
514587e639575854f3f5e7e5ffd0eeec

SHA1
52a319215b0d2b4f178c70020268c9c07be77ad8

SHA256
2044c129f78576c9335c7fce1bb68d301a99c935ddcdc29170344fe12cac6863

SHA512
b5ffb4f8c969c79b88daaac09243a5382ef5b2de4ee914348a00181ce78e8619b3af7bd07261ff29e7670abdfe5bdbc21d73d2f51ce6db0148ab2c2d4109ad4e

Download Submit
C:\Windows\System\KpdvXeu.exe

Filesize
5.2MB

MD5
d09436ec4713d45e303a8b31473dbde1

SHA1
5fc0d47823b66488aa8d4d98f317e4a29afc1c07

SHA256
489670169c940b31ee03f854e35e4f38e3c7287acceeddc794117ce738ab113c

SHA512
ce8b31ef3912fde81d822b9a3654ea810a9becbc887b2027be7129b85626f5d834b7331ab824727e2c4b478b634e7f3894095ff08cb965c47465582dc5cbafa1

Download Submit
C:\Windows\System\LDgIpIs.exe

Filesize
5.2MB

MD5
7ea1475abd509216ebb1b01b37e9ba29

SHA1
87b24826e9d7f23d4f41ee9b84c96d31a2489166

SHA256
e1b5c80838b55b32e56b24967190de1cead45649d694d6f520ecbd7c6ed6d687

SHA512
1cc804219d0eeec9b0ccc2bc0a5d628b033054b02c44408aca6280039e01e79e558a0b09f1c862ad0e7008639c528131ab96b9c2ac27cc612e5ed127053db38e

Download Submit
C:\Windows\System\MMtQcMI.exe

Filesize
5.2MB

MD5
cdbb445ffe9643b6953b63d5e516ba53

SHA1
fb3047d97d4004d97e7e7409081af1770cd6b987

SHA256
658ffac36a6e0d9097830b5bda5ee092db8c3c159f0e36a43051fa9bb5257eeb

SHA512
da7e2bd2c3e3e017acc9dda4b7665c75ffe6ee416fcb885b4316ececac03a0113d257886b6219ec53e263a32bebe0c6016d591599018d9f054cb2a5988019c4f

Download Submit
C:\Windows\System\OwATjcc.exe

Filesize
5.2MB

MD5
f9db43b97d7e4b5929adfcac8c541368

SHA1
cfaeed9a9818484a3807b64036796d48e182cde1

SHA256
368ca76ca7c66f8219dc90ad90c66fa2f8947bb65d49c07e346efd7b1d3014f4

SHA512
881574c6925b6db94f80f20cc0228d4dabe0ff6dba03847fc3d6ec59a4d3973181e6baa3ad85c548f307267f4591da04a3adf1a0b3546801468f4c7455fb46a5

Download Submit
C:\Windows\System\PMSXTbx.exe

Filesize
5.2MB

MD5
359a88ce6141b36eaab532d3b1701018

SHA1
6117d4361164317879568131802168ed71ca8910

SHA256
73ce3ffb0d5e836ca05f12f3e7450643c20b479fd33f6b73bb38657a4d7b5776

SHA512
2406a9a5e17c9e871207af40c7360713f47e2c04756ef0ce2223aadca6388cbaf4e50456c43accb481f60487c9f7c1fba2f07873b45310f9b6ddb0663a477fdc

Download Submit
C:\Windows\System\VzsePDR.exe

Filesize
5.2MB

MD5
2c74d05d6fd099b662524cef791ed8e3

SHA1
7bf06e8001dc6b81e9cea4bb01da053a6c77d2f4

SHA256
3c2070caa0fed8f64dcfa0ea573e34f5cf30af18a9ca9532dbabe2c14a21332a

SHA512
c5d080e1b53a9096f902c3ab9c21cd1b23c4a2d3dce54990a27fc5b1306a5b4325707fd62de58dc523ff59dc88905f352ae75b93adf5095dd6af2343a89e22b1

Download Submit
C:\Windows\System\ZzyHUnq.exe

Filesize
5.2MB

MD5
75c473da28a53fe50b25dcaa1bcf5bc0

SHA1
74e185958722558cde875804c49d3cebad4d6828

SHA256
1a57b66f4a7a93ee9d3506e494f62eda8f70d37c691a55bcd7d84841e5f5a5be

SHA512
ce16704276da99de245b08cced6f225419fc927ab4632beeec48e3cac9d9855d9d9050eabd589ff236ef4bc63643c9708ed2cf4e6d2ca8f2b675501839872fa8

Download Submit
C:\Windows\System\auJrthU.exe

Filesize
5.2MB

MD5
ffde56169ec144ad4f0c7703302c2ed4

SHA1
3be03bb033934ae68a78546a51870b9ff369e268

SHA256
c9e7492953c44b85afa885b6d9a3e6453067e9640de772802c593afaa2d0b8d1

SHA512
2504e99c56eeeeb6492f3bd93e61be97ea9172529b58d2e0af9bf875afbcdae2184036b8ba02c962c80c9de549311e119442d056bf9df5a0f18263f2c51b9814

Download Submit
C:\Windows\System\axVRHiQ.exe

Filesize
5.2MB

MD5
566545fb55763cf9b261036c43f5ec74

SHA1
e8e42804861b82a97cc5ee5208bf83b9b55de68e

SHA256
e779b76b48787ea0d22ca98a10f3b121eee6014ba1a17e5dcad23488aceb8a43

SHA512
77eb9c8922d89bcd36a0cb7f69a931c851bb3285623f95bcae64d2a91012b0f270618137834ca81b9a528a1229d1fe891dadcfacc6c6702f1a0b3e68fa009c69

Download Submit
C:\Windows\System\bqSpVyK.exe

Filesize
5.2MB

MD5
4480d9c17411b792c452011897559634

SHA1
ed141e471f62432bb6e4e933c274d6370635d5f2

SHA256
d30314d2b2fdbebc9595c18c02dfadb2ab1ec5bb1c63a344a92f80f1feadf47d

SHA512
7d702fb1785c0e258d74c6dd76a989534bbf15b5efbe42531cc7f6b71e85ac47b92ddb7497e8114a0439bfee44793320f9711044fa5206f43bd380514e9fafb3

Download Submit
C:\Windows\System\daWcgFb.exe

Filesize
5.2MB

MD5
795b8252bfd3667ff67de4fcb57ed05a

SHA1
55b2f72a507f075b58548e6cbebf16f57d7a0cf1

SHA256
3a6e5844376658d51539c5ec925279c6ad456ba3c4ecb7d301d79e3136bb1de2

SHA512
8f89315b5df8e019bc3f2061604aa58c9874a29f062760fd3e532a475f0a9c12f14472926b4292274d182475df0bb57456a5ed16f8f7e20a3083669d6cae7ddb

Download Submit
C:\Windows\System\pstAXyD.exe

Filesize
5.2MB

MD5
43d1dd597e78c925ade67475aff03623

SHA1
4b353fae96e31fc65fefffd52db2f3fcabcb16e2

SHA256
ef28190227d9d75942ffaaff3972c11ffee32e88be17e03f1e2df3c9999f8421

SHA512
6b78f2bb88d9ec733fc86d246c0aaa6f320bcfbfc0011b5a24701e4406d5669ccad8d3cbef2d289fde9aabe6c0beb7434e93038b233bfedb52c8f14c22b4cf2e

Download Submit
C:\Windows\System\qVmeXGg.exe

Filesize
5.2MB

MD5
2c311a67bf5b779feabce738c5a67f69

SHA1
1d051de4369feefc2ee94e65205b8d9a7143b013

SHA256
632106ae257ed234740a7fe4940513580dd4482bff825f920153d3f44e8d1170

SHA512
53003ddbe486e6201cb9b817edfd2abcb506475ed92c8e7d90559c89713887d09f6744109c24b0bcae419bd7f19319f5e76ae36b9e8197a57f623e64ff770171

Download Submit
C:\Windows\System\wmaxYKU.exe

Filesize
5.2MB

MD5
d1f6f5b75e54111a10cbe680c5ec15f1

SHA1
debf75266fbbe74a69e980612fb2be9d4d01ff20

SHA256
e5ee20b6d2a2895b0b8f867e245d499848da1842f0dd9654b17dd70b357db1b9

SHA512
2fb1d3e8dac41a81044162e9d201008141627dc6928d92b7cb4ab6ed99eee6fab91fd6b52769db3826c4e83bbee58497ad7ca751d0f39b0a31570f5d75e4a3af

Download Submit
C:\Windows\System\xdtrvJb.exe

Filesize
5.2MB

MD5
c1310a7e8c5c7d08d83aea4c1801d245

SHA1
bc753de03348500ed38cd23e03e481c118796335

SHA256
8b2511bf7bf3cfc63c0ca7e983c7125b0e5ca4840425c38a80b814f68b3fb861

SHA512
a1ca3d7c748f63ebd9e18e5de1411fd4b9e81fdad2c3b1445f916bcdc90bf4603a3ac2fe07263049686f9b0c939594d70c70af56d603cb65f6d4ab641474085d

Download Submit
C:\Windows\System\ydkGUeY.exe

Filesize
5.2MB

MD5
57626a20c25eac9dbe09f5ee26701843

SHA1
b482cb3e046f1d0bc62f4b371546953f1e022ba6

SHA256
5cf6f7e01e1a09a48b0177b27907b0d15dd2354ffe7c5595cf0bc4972a41dfa7

SHA512
78f513a5088b87e93b050a883354ffb64130083d3a358165211a8242bba985025afc31446c07edbe9507942844559af865c484973ea8846d36d6da90f6c2e46e

Download Submit
memory/228-139-0x00007FF738660000-0x00007FF7389B1000-memory.dmp

Filesize
3.3MB

Download
memory/228-59-0x00007FF738660000-0x00007FF7389B1000-memory.dmp

Filesize
3.3MB

Download
memory/228-234-0x00007FF738660000-0x00007FF7389B1000-memory.dmp

Filesize
3.3MB

Download
memory/1620-115-0x00007FF73ED90000-0x00007FF73F0E1000-memory.dmp

Filesize
3.3MB

Download
memory/1620-146-0x00007FF73ED90000-0x00007FF73F0E1000-memory.dmp

Filesize
3.3MB

Download
memory/1620-253-0x00007FF73ED90000-0x00007FF73F0E1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-70-0x00007FF766870000-0x00007FF766BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-236-0x00007FF766870000-0x00007FF766BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-103-0x00007FF6FB600000-0x00007FF6FB951000-memory.dmp

Filesize
3.3MB

Download
memory/1644-143-0x00007FF6FB600000-0x00007FF6FB951000-memory.dmp

Filesize
3.3MB

Download
memory/1644-258-0x00007FF6FB600000-0x00007FF6FB951000-memory.dmp

Filesize
3.3MB

Download
memory/1712-256-0x00007FF6339D0000-0x00007FF633D21000-memory.dmp

Filesize
3.3MB

Download
memory/1712-121-0x00007FF6339D0000-0x00007FF633D21000-memory.dmp

Filesize
3.3MB

Download
memory/1776-237-0x00007FF751BC0000-0x00007FF751F11000-memory.dmp

Filesize
3.3MB

Download
memory/1776-56-0x00007FF751BC0000-0x00007FF751F11000-memory.dmp

Filesize
3.3MB

Download
memory/1776-138-0x00007FF751BC0000-0x00007FF751F11000-memory.dmp

Filesize
3.3MB

Download
memory/1872-108-0x00007FF62C4C0000-0x00007FF62C811000-memory.dmp

Filesize
3.3MB

Download
memory/1872-255-0x00007FF62C4C0000-0x00007FF62C811000-memory.dmp

Filesize
3.3MB

Download
memory/1872-145-0x00007FF62C4C0000-0x00007FF62C811000-memory.dmp

Filesize
3.3MB

Download
memory/2108-60-0x00007FF7BF4C0000-0x00007FF7BF811000-memory.dmp

Filesize
3.3MB

Download
memory/2108-229-0x00007FF7BF4C0000-0x00007FF7BF811000-memory.dmp

Filesize
3.3MB

Download
memory/2120-122-0x00007FF722A80000-0x00007FF722DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2120-247-0x00007FF722A80000-0x00007FF722DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2376-140-0x00007FF747340000-0x00007FF747691000-memory.dmp

Filesize
3.3MB

Download
memory/2376-102-0x00007FF747340000-0x00007FF747691000-memory.dmp

Filesize
3.3MB

Download
memory/2376-241-0x00007FF747340000-0x00007FF747691000-memory.dmp

Filesize
3.3MB

Download
memory/2920-133-0x00007FF766E90000-0x00007FF7671E1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-44-0x00007FF766E90000-0x00007FF7671E1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-225-0x00007FF766E90000-0x00007FF7671E1000-memory.dmp

Filesize
3.3MB

Download
memory/2924-149-0x00007FF66C890000-0x00007FF66CBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2924-248-0x00007FF66C890000-0x00007FF66CBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2924-125-0x00007FF66C890000-0x00007FF66CBE1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-88-0x00007FF63BCE0000-0x00007FF63C031000-memory.dmp

Filesize
3.3MB

Download
memory/3068-243-0x00007FF63BCE0000-0x00007FF63C031000-memory.dmp

Filesize
3.3MB

Download
memory/3068-142-0x00007FF63BCE0000-0x00007FF63C031000-memory.dmp

Filesize
3.3MB

Download
memory/3188-132-0x00007FF657120000-0x00007FF657471000-memory.dmp

Filesize
3.3MB

Download
memory/3188-24-0x00007FF657120000-0x00007FF657471000-memory.dmp

Filesize
3.3MB

Download
memory/3188-223-0x00007FF657120000-0x00007FF657471000-memory.dmp

Filesize
3.3MB

Download
memory/3380-35-0x00007FF75B600000-0x00007FF75B951000-memory.dmp

Filesize
3.3MB

Download
memory/3380-131-0x00007FF75B600000-0x00007FF75B951000-memory.dmp

Filesize
3.3MB

Download
memory/3380-209-0x00007FF75B600000-0x00007FF75B951000-memory.dmp

Filesize
3.3MB

Download
memory/3640-205-0x00007FF733820000-0x00007FF733B71000-memory.dmp

Filesize
3.3MB

Download
memory/3640-7-0x00007FF733820000-0x00007FF733B71000-memory.dmp

Filesize
3.3MB

Download
memory/3640-129-0x00007FF733820000-0x00007FF733B71000-memory.dmp

Filesize
3.3MB

Download
memory/3684-251-0x00007FF72DC60000-0x00007FF72DFB1000-memory.dmp

Filesize
3.3MB

Download
memory/3684-148-0x00007FF72DC60000-0x00007FF72DFB1000-memory.dmp

Filesize
3.3MB

Download
memory/3684-116-0x00007FF72DC60000-0x00007FF72DFB1000-memory.dmp

Filesize
3.3MB

Download
memory/4040-128-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/4040-150-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/4040-0-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/4040-1-0x000001EEC8690000-0x000001EEC86A0000-memory.dmp

Filesize
64KB

Download
memory/4040-151-0x00007FF74F970000-0x00007FF74FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-55-0x00007FF667790000-0x00007FF667AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-240-0x00007FF667790000-0x00007FF667AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-136-0x00007FF667790000-0x00007FF667AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-80-0x00007FF7F35C0000-0x00007FF7F3911000-memory.dmp

Filesize
3.3MB

Download
memory/4604-232-0x00007FF7F35C0000-0x00007FF7F3911000-memory.dmp

Filesize
3.3MB

Download
memory/4604-141-0x00007FF7F35C0000-0x00007FF7F3911000-memory.dmp

Filesize
3.3MB

Download
memory/5000-66-0x00007FF60B0F0000-0x00007FF60B441000-memory.dmp

Filesize
3.3MB

Download
memory/5000-227-0x00007FF60B0F0000-0x00007FF60B441000-memory.dmp

Filesize
3.3MB

Download
memory/5016-130-0x00007FF7EFB40000-0x00007FF7EFE91000-memory.dmp

Filesize
3.3MB

Download
memory/5016-19-0x00007FF7EFB40000-0x00007FF7EFE91000-memory.dmp

Filesize
3.3MB

Download
memory/5016-207-0x00007FF7EFB40000-0x00007FF7EFE91000-memory.dmp

Filesize
3.3MB

Download