cobaltstrike | eaca714ec49c69d0d07ea0b5b6da619328df439b5317ef07ad566c8b315bef23

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

9c8abc0453ea3eb688227730a489040f
SHA1

f2beda9e476cfac29d56f983f30bb0204b1a3ba7
SHA256

eaca714ec49c69d0d07ea0b5b6da619328df439b5317ef07ad566c8b315bef23
SHA512

d6741f6cd8b0c72975b56d99a50a7d3c8314815b17a730357c2167338ca29d61d9a7ccba10b4393bf77fbc48bd50c209714daba58f2036d5017af79ada127495
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lF:RWWBibf56utgpPFotBER/mQ32lU5

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023464-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-16.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-17.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346f-45.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346e-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023474-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023476-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023478-102.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347a-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023475-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023479-117.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023465-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023477-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023473-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023472-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023471-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023470-60.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346d-56.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-49.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-42.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1184-26-0x00007FF783300000-0x00007FF783651000-memory.dmp	xmrig
behavioral2/memory/3484-121-0x00007FF736680000-0x00007FF7369D1000-memory.dmp	xmrig
behavioral2/memory/4760-125-0x00007FF720190000-0x00007FF7204E1000-memory.dmp	xmrig
behavioral2/memory/2112-124-0x00007FF72DAF0000-0x00007FF72DE41000-memory.dmp	xmrig
behavioral2/memory/2360-123-0x00007FF641F00000-0x00007FF642251000-memory.dmp	xmrig
behavioral2/memory/4756-105-0x00007FF652410000-0x00007FF652761000-memory.dmp	xmrig
behavioral2/memory/4136-97-0x00007FF687750000-0x00007FF687AA1000-memory.dmp	xmrig
behavioral2/memory/4444-93-0x00007FF6A6500000-0x00007FF6A6851000-memory.dmp	xmrig
behavioral2/memory/1736-81-0x00007FF739770000-0x00007FF739AC1000-memory.dmp	xmrig
behavioral2/memory/464-67-0x00007FF6C4E50000-0x00007FF6C51A1000-memory.dmp	xmrig
behavioral2/memory/1796-58-0x00007FF65DBB0000-0x00007FF65DF01000-memory.dmp	xmrig
behavioral2/memory/2892-127-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp	xmrig
behavioral2/memory/1644-131-0x00007FF779A10000-0x00007FF779D61000-memory.dmp	xmrig
behavioral2/memory/1184-130-0x00007FF783300000-0x00007FF783651000-memory.dmp	xmrig
behavioral2/memory/3268-129-0x00007FF7BCE60000-0x00007FF7BD1B1000-memory.dmp	xmrig
behavioral2/memory/3512-128-0x00007FF7BC540000-0x00007FF7BC891000-memory.dmp	xmrig
behavioral2/memory/2200-137-0x00007FF7847F0000-0x00007FF784B41000-memory.dmp	xmrig
behavioral2/memory/1532-142-0x00007FF703780000-0x00007FF703AD1000-memory.dmp	xmrig
behavioral2/memory/4964-134-0x00007FF615790000-0x00007FF615AE1000-memory.dmp	xmrig
behavioral2/memory/3564-149-0x00007FF7E6B80000-0x00007FF7E6ED1000-memory.dmp	xmrig
behavioral2/memory/4480-146-0x00007FF69A3A0000-0x00007FF69A6F1000-memory.dmp	xmrig
behavioral2/memory/4060-145-0x00007FF602440000-0x00007FF602791000-memory.dmp	xmrig
behavioral2/memory/4092-135-0x00007FF61C030000-0x00007FF61C381000-memory.dmp	xmrig
behavioral2/memory/2892-150-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp	xmrig
behavioral2/memory/2892-151-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp	xmrig
behavioral2/memory/3512-210-0x00007FF7BC540000-0x00007FF7BC891000-memory.dmp	xmrig
behavioral2/memory/3268-212-0x00007FF7BCE60000-0x00007FF7BD1B1000-memory.dmp	xmrig
behavioral2/memory/1644-216-0x00007FF779A10000-0x00007FF779D61000-memory.dmp	xmrig
behavioral2/memory/1184-215-0x00007FF783300000-0x00007FF783651000-memory.dmp	xmrig
behavioral2/memory/1796-218-0x00007FF65DBB0000-0x00007FF65DF01000-memory.dmp	xmrig
behavioral2/memory/464-220-0x00007FF6C4E50000-0x00007FF6C51A1000-memory.dmp	xmrig
behavioral2/memory/4964-222-0x00007FF615790000-0x00007FF615AE1000-memory.dmp	xmrig
behavioral2/memory/4092-224-0x00007FF61C030000-0x00007FF61C381000-memory.dmp	xmrig
behavioral2/memory/1736-226-0x00007FF739770000-0x00007FF739AC1000-memory.dmp	xmrig
behavioral2/memory/2200-236-0x00007FF7847F0000-0x00007FF784B41000-memory.dmp	xmrig
behavioral2/memory/4136-241-0x00007FF687750000-0x00007FF687AA1000-memory.dmp	xmrig
behavioral2/memory/1532-244-0x00007FF703780000-0x00007FF703AD1000-memory.dmp	xmrig
behavioral2/memory/4444-243-0x00007FF6A6500000-0x00007FF6A6851000-memory.dmp	xmrig
behavioral2/memory/4060-246-0x00007FF602440000-0x00007FF602791000-memory.dmp	xmrig
behavioral2/memory/4756-239-0x00007FF652410000-0x00007FF652761000-memory.dmp	xmrig
behavioral2/memory/4480-253-0x00007FF69A3A0000-0x00007FF69A6F1000-memory.dmp	xmrig
behavioral2/memory/2112-254-0x00007FF72DAF0000-0x00007FF72DE41000-memory.dmp	xmrig
behavioral2/memory/4760-256-0x00007FF720190000-0x00007FF7204E1000-memory.dmp	xmrig
behavioral2/memory/3484-251-0x00007FF736680000-0x00007FF7369D1000-memory.dmp	xmrig
behavioral2/memory/2360-249-0x00007FF641F00000-0x00007FF642251000-memory.dmp	xmrig
behavioral2/memory/3564-259-0x00007FF7E6B80000-0x00007FF7E6ED1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3512	VNFfwKd.exe
3268	UqtMfGS.exe
1644	hNjLuQg.exe
1184	hZjLPMc.exe
1796	NJYEbWb.exe
4964	fqSaRuy.exe
4092	bpNpgNV.exe
464	YltyMrD.exe
2200	IbnEwDH.exe
1736	nVFGPSd.exe
4444	XmyABZD.exe
4136	OXfoYPy.exe
4756	SvmQfUv.exe
1532	oEtCvkV.exe
2112	uoILjbA.exe
4760	FOqgdlk.exe
4060	pmGjHir.exe
4480	ieQfpUE.exe
3484	jPaGatq.exe
2360	vHcCoqt.exe
3564	qvUHLZW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2892-0-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp	upx
behavioral2/files/0x0008000000023464-4.dat	upx
behavioral2/memory/3512-7-0x00007FF7BC540000-0x00007FF7BC891000-memory.dmp	upx
behavioral2/files/0x0007000000023469-9.dat	upx
behavioral2/memory/1184-26-0x00007FF783300000-0x00007FF783651000-memory.dmp	upx
behavioral2/memory/3268-23-0x00007FF7BCE60000-0x00007FF7BD1B1000-memory.dmp	upx
behavioral2/files/0x0007000000023468-16.dat	upx
behavioral2/files/0x000700000002346a-17.dat	upx
behavioral2/memory/4964-40-0x00007FF615790000-0x00007FF615AE1000-memory.dmp	upx
behavioral2/files/0x000700000002346f-45.dat	upx
behavioral2/files/0x000700000002346e-50.dat	upx
behavioral2/memory/2200-57-0x00007FF7847F0000-0x00007FF784B41000-memory.dmp	upx
behavioral2/files/0x0007000000023474-80.dat	upx
behavioral2/files/0x0007000000023476-88.dat	upx
behavioral2/files/0x0007000000023478-102.dat	upx
behavioral2/files/0x000700000002347a-108.dat	upx
behavioral2/memory/3484-121-0x00007FF736680000-0x00007FF7369D1000-memory.dmp	upx
behavioral2/memory/3564-126-0x00007FF7E6B80000-0x00007FF7E6ED1000-memory.dmp	upx
behavioral2/memory/4760-125-0x00007FF720190000-0x00007FF7204E1000-memory.dmp	upx
behavioral2/memory/2112-124-0x00007FF72DAF0000-0x00007FF72DE41000-memory.dmp	upx
behavioral2/memory/2360-123-0x00007FF641F00000-0x00007FF642251000-memory.dmp	upx
behavioral2/files/0x0007000000023475-119.dat	upx
behavioral2/files/0x0007000000023479-117.dat	upx
behavioral2/files/0x0008000000023465-113.dat	upx
behavioral2/memory/4480-110-0x00007FF69A3A0000-0x00007FF69A6F1000-memory.dmp	upx
behavioral2/files/0x0007000000023477-106.dat	upx
behavioral2/memory/4756-105-0x00007FF652410000-0x00007FF652761000-memory.dmp	upx
behavioral2/memory/4136-97-0x00007FF687750000-0x00007FF687AA1000-memory.dmp	upx
behavioral2/memory/4060-109-0x00007FF602440000-0x00007FF602791000-memory.dmp	upx
behavioral2/memory/4444-93-0x00007FF6A6500000-0x00007FF6A6851000-memory.dmp	upx
behavioral2/memory/1532-82-0x00007FF703780000-0x00007FF703AD1000-memory.dmp	upx
behavioral2/memory/1736-81-0x00007FF739770000-0x00007FF739AC1000-memory.dmp	upx
behavioral2/files/0x0007000000023473-86.dat	upx
behavioral2/files/0x0007000000023472-76.dat	upx
behavioral2/files/0x0007000000023471-71.dat	upx
behavioral2/memory/464-67-0x00007FF6C4E50000-0x00007FF6C51A1000-memory.dmp	upx
behavioral2/files/0x0007000000023470-60.dat	upx
behavioral2/memory/1796-58-0x00007FF65DBB0000-0x00007FF65DF01000-memory.dmp	upx
behavioral2/files/0x000700000002346d-56.dat	upx
behavioral2/files/0x000700000002346c-49.dat	upx
behavioral2/memory/4092-46-0x00007FF61C030000-0x00007FF61C381000-memory.dmp	upx
behavioral2/files/0x000700000002346b-42.dat	upx
behavioral2/memory/1644-37-0x00007FF779A10000-0x00007FF779D61000-memory.dmp	upx
behavioral2/memory/2892-127-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp	upx
behavioral2/memory/1644-131-0x00007FF779A10000-0x00007FF779D61000-memory.dmp	upx
behavioral2/memory/1184-130-0x00007FF783300000-0x00007FF783651000-memory.dmp	upx
behavioral2/memory/3268-129-0x00007FF7BCE60000-0x00007FF7BD1B1000-memory.dmp	upx
behavioral2/memory/3512-128-0x00007FF7BC540000-0x00007FF7BC891000-memory.dmp	upx
behavioral2/memory/2200-137-0x00007FF7847F0000-0x00007FF784B41000-memory.dmp	upx
behavioral2/memory/1532-142-0x00007FF703780000-0x00007FF703AD1000-memory.dmp	upx
behavioral2/memory/4964-134-0x00007FF615790000-0x00007FF615AE1000-memory.dmp	upx
behavioral2/memory/3564-149-0x00007FF7E6B80000-0x00007FF7E6ED1000-memory.dmp	upx
behavioral2/memory/4480-146-0x00007FF69A3A0000-0x00007FF69A6F1000-memory.dmp	upx
behavioral2/memory/4060-145-0x00007FF602440000-0x00007FF602791000-memory.dmp	upx
behavioral2/memory/4092-135-0x00007FF61C030000-0x00007FF61C381000-memory.dmp	upx
behavioral2/memory/2892-150-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp	upx
behavioral2/memory/2892-151-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp	upx
behavioral2/memory/3512-210-0x00007FF7BC540000-0x00007FF7BC891000-memory.dmp	upx
behavioral2/memory/3268-212-0x00007FF7BCE60000-0x00007FF7BD1B1000-memory.dmp	upx
behavioral2/memory/1644-216-0x00007FF779A10000-0x00007FF779D61000-memory.dmp	upx
behavioral2/memory/1184-215-0x00007FF783300000-0x00007FF783651000-memory.dmp	upx
behavioral2/memory/1796-218-0x00007FF65DBB0000-0x00007FF65DF01000-memory.dmp	upx
behavioral2/memory/464-220-0x00007FF6C4E50000-0x00007FF6C51A1000-memory.dmp	upx
behavioral2/memory/4964-222-0x00007FF615790000-0x00007FF615AE1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\OXfoYPy.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bpNpgNV.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IbnEwDH.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fqSaRuy.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YltyMrD.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FOqgdlk.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uoILjbA.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pmGjHir.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ieQfpUE.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VNFfwKd.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hZjLPMc.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jPaGatq.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oEtCvkV.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UqtMfGS.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NJYEbWb.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XmyABZD.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SvmQfUv.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vHcCoqt.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qvUHLZW.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hNjLuQg.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nVFGPSd.exe	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 3512	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2892 wrote to memory of 3512	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2892 wrote to memory of 3268	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2892 wrote to memory of 3268	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2892 wrote to memory of 1184	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2892 wrote to memory of 1184	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2892 wrote to memory of 1644	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2892 wrote to memory of 1644	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2892 wrote to memory of 1796	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2892 wrote to memory of 1796	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2892 wrote to memory of 4964	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2892 wrote to memory of 4964	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2892 wrote to memory of 4092	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2892 wrote to memory of 4092	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2892 wrote to memory of 464	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2892 wrote to memory of 464	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2892 wrote to memory of 2200	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2892 wrote to memory of 2200	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2892 wrote to memory of 1736	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2892 wrote to memory of 1736	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2892 wrote to memory of 4444	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2892 wrote to memory of 4444	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2892 wrote to memory of 4136	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2892 wrote to memory of 4136	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2892 wrote to memory of 4756	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2892 wrote to memory of 4756	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2892 wrote to memory of 1532	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2892 wrote to memory of 1532	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2892 wrote to memory of 4760	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2892 wrote to memory of 4760	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2892 wrote to memory of 2112	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2892 wrote to memory of 2112	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2892 wrote to memory of 4060	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2892 wrote to memory of 4060	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2892 wrote to memory of 4480	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2892 wrote to memory of 4480	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2892 wrote to memory of 3484	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2892 wrote to memory of 3484	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2892 wrote to memory of 2360	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2892 wrote to memory of 2360	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2892 wrote to memory of 3564	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2892 wrote to memory of 3564	2892	2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_9c8abc0453ea3eb688227730a489040f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\System\VNFfwKd.exe
  C:\Windows\System\VNFfwKd.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\UqtMfGS.exe
  C:\Windows\System\UqtMfGS.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System\hZjLPMc.exe
  C:\Windows\System\hZjLPMc.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\hNjLuQg.exe
  C:\Windows\System\hNjLuQg.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\NJYEbWb.exe
  C:\Windows\System\NJYEbWb.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\fqSaRuy.exe
  C:\Windows\System\fqSaRuy.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System\bpNpgNV.exe
  C:\Windows\System\bpNpgNV.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System\YltyMrD.exe
  C:\Windows\System\YltyMrD.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\IbnEwDH.exe
  C:\Windows\System\IbnEwDH.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\nVFGPSd.exe
  C:\Windows\System\nVFGPSd.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\XmyABZD.exe
  C:\Windows\System\XmyABZD.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System\OXfoYPy.exe
  C:\Windows\System\OXfoYPy.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System\SvmQfUv.exe
  C:\Windows\System\SvmQfUv.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\oEtCvkV.exe
  C:\Windows\System\oEtCvkV.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\FOqgdlk.exe
  C:\Windows\System\FOqgdlk.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\uoILjbA.exe
  C:\Windows\System\uoILjbA.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System\pmGjHir.exe
  C:\Windows\System\pmGjHir.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\ieQfpUE.exe
  C:\Windows\System\ieQfpUE.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\jPaGatq.exe
  C:\Windows\System\jPaGatq.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\vHcCoqt.exe
  C:\Windows\System\vHcCoqt.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\qvUHLZW.exe
  C:\Windows\System\qvUHLZW.exe
  2⤵
  - Executes dropped EXE
  PID:3564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FOqgdlk.exe

Filesize
5.2MB

MD5
e175f56f2257cfb4ed9e549af4008aa1

SHA1
cfb164f19aa5061eda5e55fb1a94a292cfa11312

SHA256
046fc94cdab4ef30db77faebfe4f764308f2f358d0f98b8b8f849728dd3b5221

SHA512
f83b8750f436ebe4293dc01a08ade16b00e6e38f6ce36b18df18c4c8a6545bfe736ed4803c0cdfaf67ec03f1f335b58474ca96636308204bfa89b9505373cf20

Download Submit
C:\Windows\System\IbnEwDH.exe

Filesize
5.2MB

MD5
fb4fe7e0b4606e9600f64fd9375b3d10

SHA1
737969883ef05f6c554751350144d06f727c6a92

SHA256
a8a9496dfd816171043d74989a4898b85bfa11015669213d75384ae5fc861ef1

SHA512
b31bf33c876549e1dd3533855e36e01e09842da26408936a5a0c40771f31d646af8fa9c07b1337415aa41f83ff8c943f2fde1cee6f7075c6f6cc2e23cd95a5bc

Download Submit
C:\Windows\System\NJYEbWb.exe

Filesize
5.2MB

MD5
c4d21cb574b1990ed36c3d1bd0b609df

SHA1
48c915ea05f523ba82eb9e66878994e920899215

SHA256
971a242f016eaf1601f427a5cf39226896cc8038d24b4bc978be911314cbca16

SHA512
2c353566fb848e9b6c06f4ad6c08fb50b1a978d64d60b07706e31233a23bab4154e509e6671dfce653ad43739b5737db68fa17f032be3bbbb5b39d5f3837dea2

Download Submit
C:\Windows\System\OXfoYPy.exe

Filesize
5.2MB

MD5
e670cffd5ef4d4f3304bf784684391a0

SHA1
590bdbf999fc6f6e3d3a77bfbb72cf0f3c0f1f53

SHA256
79f0e98bddf9496a750529e0474e1818cf6d8bf86e8ac53a3e9916efce6c43bd

SHA512
7da03db44427d444e2a6d9be57ddecf7dfe59c208bcacc59ab42018a1ebb04cdbbebe1707e3472206afc85bac3430a232f7057b1d319cbbef31cdc0512527ca2

Download Submit
C:\Windows\System\SvmQfUv.exe

Filesize
5.2MB

MD5
2579bbf5ed6dd7463503790a8e2bf7b7

SHA1
fac9187bce9190c073182420acb39fb1fa07fe0a

SHA256
75fb1282bd21c687a5938afb1c43f82a38e2760a7226ffd7d3fe93bcc45d922b

SHA512
756425a4f1b941f46c31ede164d59dfad41a68834a02030c285c61514466ccccad8e84675261d94790c026bad7101ff6c17ba7b11e96e8f4beeb4518120af916

Download Submit
C:\Windows\System\UqtMfGS.exe

Filesize
5.2MB

MD5
eb01d48cd670f1c2d1ee93f0fc53d3a0

SHA1
f55a6ac467caec5334e1378c9d0b6a3d70121abd

SHA256
c7c00093642f4da6e5eb2e4524e144768d36bf642527ac2a93171b2670c2d17d

SHA512
c4956b9a4778ffa8162b649265377549394b81b3eef025c244b2db40e90c35bc5bbec8f6278a41fdba16fdc26d32284fcce5a6023eef348e93b5818e6b41a87b

Download Submit
C:\Windows\System\VNFfwKd.exe

Filesize
5.2MB

MD5
a67cb0edbbae5ffac4493f02d48aebfc

SHA1
960c52d3c566e04dc26c7a4a40a45f585bac66ce

SHA256
f5aa1be503fdfdb0837575adb1634b7db14a4206da393eaed50a12824109b0db

SHA512
85becda6f40a00994d3b875789b5118710091e1cc5e05a499afcd2c8244fe2b75b432ad485179f3524a7e6ad941f3f60afab481f23a89f258da1483b5a556cca

Download Submit
C:\Windows\System\XmyABZD.exe

Filesize
5.2MB

MD5
27896e77bcb202004dce779e9925d6c3

SHA1
6d92466653c5a998b2b15b2dc2eeac4bd2b4d182

SHA256
70bcb0de42fbe192838104723347e95934d1235b98414c2a2ab2359a58060fdd

SHA512
c2a463df9debfcfc2a246fc02a2efb10aec2cfc1267124ded6b59c33a482e9cecfb443404f5f09fa090cbbb1ae8894935b4e8983159e75cf49bd9dd548200ebc

Download Submit
C:\Windows\System\YltyMrD.exe

Filesize
5.2MB

MD5
ce59a3c7a0e3f73c43aafb21d6c8fb3c

SHA1
c6c8f69f552b79a24732c9f8cf01fd9ccac594a2

SHA256
64d50039b1a5061fc1e890b0f7e610e8f9488493a174f181418533d66eef370f

SHA512
b7a3501493ed5007590597358d49884b9f48b6d9f3a1b6255e35db874644af7caae5b3f9bdf1070eb97aca9f80850098bd4c2a54e357c77fa56d87af73d1a75e

Download Submit
C:\Windows\System\bpNpgNV.exe

Filesize
5.2MB

MD5
78d6bd1ed487b9c7bb33e1e3065c3c68

SHA1
3dfd6c76241f3977ee50db49401ca0105bb0d1e9

SHA256
965e8038c3107116db73feb512d51ef5627100d6ed218fd16f90c3bb9541eba8

SHA512
b8f30764e74dbc1a19b25c36cec2d8bf09160c6557686c02a4ca5e503f6077f20f03b16899daf2d5d40be5a917f09089e9ec3bb04a28eb4d50f91f7a2a82f14c

Download Submit
C:\Windows\System\fqSaRuy.exe

Filesize
5.2MB

MD5
9969585b77c28b677914d769ed09598b

SHA1
72b605e60bbebeac6cb5690a13692c003d1c3080

SHA256
45b8285987be9757ebbb2df599a923b1cd20b7e1544ef23d3d6b6b57b09d5712

SHA512
1697ecdcde2ea4ac91c10d96bbd3dcfd26629ee689d31d7ae2fc81a36326fbcd4831137a70b87f125cccda8dde5113b08a60f413d6c2b19f647c795a2d6b6c61

Download Submit
C:\Windows\System\hNjLuQg.exe

Filesize
5.2MB

MD5
e736fe8a1d3a308c6efbbe95b2df8d49

SHA1
5ed476cd5e0d668e65ba90e31a28b8b31f39d62d

SHA256
29241acf8775e4eee7bfb73638e4e5839bc9c376c45cbe315ab760e014622cad

SHA512
7c02cafbb478e1053d7f7738bb3a7cc35d80e81f01126c7da0ae802cdcad314dbf0093a66ca6a76709ff4bb525150887572904351974dd34971285b26d3c2a21

Download Submit
C:\Windows\System\hZjLPMc.exe

Filesize
5.2MB

MD5
22eeadd6e6d7734c19cbcaa2d1bd3cb6

SHA1
624cc2b14d3d4d34083fe9c9823fb8cf78773bff

SHA256
222336322a17e55cada8a38141a7a7f994317f5300791fb75bb9a769aef97ef9

SHA512
0e91991ddadfed3474de71b22315e3efb2532aeee955a31c6d6fa0381e1b2ce28bfe0f71ff56341bb9d2deef01662b41b50b5a146255d5ad34565194afdd94e5

Download Submit
C:\Windows\System\ieQfpUE.exe

Filesize
5.2MB

MD5
11c678b46eb1916b4ede2a4f977d5cc3

SHA1
d7ff08ac97481190ddd8a6cb47be3cd692dd723b

SHA256
e607d444c5e9246fa00b9114e5d84b1d9e01a73e9071937d87629c275c38e2e8

SHA512
59d40afd978f17ff92996c9be46b89d78db5eb5f30f5aeda17beb07ac7bf217eab5fd7cd7162fa0699e13c39ccdc18947bb1b93ca4e82803e42d281aefb7c701

Download Submit
C:\Windows\System\jPaGatq.exe

Filesize
5.2MB

MD5
a4f32a585c638e00a0bc1949990d6fb9

SHA1
9318c2a67877ca12caf02eaa07ddc7c22517e4ba

SHA256
eaa6c4fbcdc64b14b155eebed061bde955b4c70e4beb50bf1c75385631027d54

SHA512
1b501949f092980f8d4d554e799e6ea13cbcaf611171412e0a95c5d54542e0330ee3391c6f81c7a3d230baac6e6e7f60b89508e4e1838f00e9098f48e66b28b4

Download Submit
C:\Windows\System\nVFGPSd.exe

Filesize
5.2MB

MD5
c9aa01a64f86117b7eb3e29c4459637b

SHA1
3e55616a61fa598850692b0049dfa125646a6c4d

SHA256
4fc9fb8d7905fb591bc5e1b670bc06d13cfb230aae257b5620e2a097d4db24b5

SHA512
dd6a96a142b9c4f00fca6270b98435e04388b3dfbfe69f001d4bb8777edd05d53055e2cb169cdc2f9c9b58281033d54adb3cd863d60ed56d22bd66c498900edb

Download Submit
C:\Windows\System\oEtCvkV.exe

Filesize
5.2MB

MD5
4bfdb78047478fd4b06c45982e837923

SHA1
4d22e333faa6594232a287b2de4d8972cedc940a

SHA256
27851707e86187d1aab7876268954f4ef811e7383fdf5277eb2f8ce5f598b84f

SHA512
2a808a70baa016e6b5a4189351051aa7ae7347120bfd6ef372053db1905197c9d7002e2006c132e2fdcafe2e263f0081e93ad903e102a838e8aa34ebd9d1b791

Download Submit
C:\Windows\System\pmGjHir.exe

Filesize
5.2MB

MD5
1f7e8a42db19f277ae08be6b3517ad7a

SHA1
a3cd7a26de6b84d27b501b059a139a0b15a15d38

SHA256
4c5ff2ded0f0a73ead81dc9cdf8a73bce6b74c81e7059149bc9100f481faea68

SHA512
c2ab34844fa44f28035f67c259f44794ab3b4ab8b2818d2a6e8f75ce0a49773729fe902520962ecc73335ed93ef29a35f9d1c71371bcc87f8c8b57b0bc68a8dc

Download Submit
C:\Windows\System\qvUHLZW.exe

Filesize
5.2MB

MD5
3a8dbf3d986916df6e3debf52432fe44

SHA1
3734c0c2649a06c068696f5cb23f8a46d24ce78c

SHA256
2ef60d37a06dfd423713f8c4f759f17b4eef3a054c2c1d0a22a100a73fa3a908

SHA512
ba6607e426dbedabbf41c2d2ffe63731382cb09b041f016fbe8acbd3451f29fbb0935228dfc6e782a3b1674411fbd76dc7f27f53a5c3557936bac353a87e95c2

Download Submit
C:\Windows\System\uoILjbA.exe

Filesize
5.2MB

MD5
83d59a10ecfc7a5367ab5cc5b4de7fcc

SHA1
df4e864b1623864133a49e938f4fb26abc4181ea

SHA256
4fb5f9ed19a26d4913216771f6baed58ac9f46e9660e617bcff74c5310ba5c18

SHA512
0e9717a0c284d633070eb1f59edc205cb87be39d48e3c6fc0b5932ebb467cc7845fb8783797bf4e336d3059df375433c25eb0b55ef125ca57a6cbfc45c76dffe

Download Submit
C:\Windows\System\vHcCoqt.exe

Filesize
5.2MB

MD5
686762f6b3894e326d255cac78abe260

SHA1
e36972c28035413a883606ff6a6ae750e7741890

SHA256
3a648d7c3dc143a97f59d67a992af6392288d5a427c8ec924861c79e599421fa

SHA512
0567c99053b76e560c3bebac0358217f2caadcc69788c7a9dd3e8dc2067fad771c697b4419805c9f14490ec07460fd40c6e6fc20c2ce3d236bf006ec5c3edf7e

Download Submit
memory/464-220-0x00007FF6C4E50000-0x00007FF6C51A1000-memory.dmp

Filesize
3.3MB

Download
memory/464-67-0x00007FF6C4E50000-0x00007FF6C51A1000-memory.dmp

Filesize
3.3MB

Download
memory/1184-130-0x00007FF783300000-0x00007FF783651000-memory.dmp

Filesize
3.3MB

Download
memory/1184-215-0x00007FF783300000-0x00007FF783651000-memory.dmp

Filesize
3.3MB

Download
memory/1184-26-0x00007FF783300000-0x00007FF783651000-memory.dmp

Filesize
3.3MB

Download
memory/1532-244-0x00007FF703780000-0x00007FF703AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1532-142-0x00007FF703780000-0x00007FF703AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1532-82-0x00007FF703780000-0x00007FF703AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-131-0x00007FF779A10000-0x00007FF779D61000-memory.dmp

Filesize
3.3MB

Download
memory/1644-216-0x00007FF779A10000-0x00007FF779D61000-memory.dmp

Filesize
3.3MB

Download
memory/1644-37-0x00007FF779A10000-0x00007FF779D61000-memory.dmp

Filesize
3.3MB

Download
memory/1736-81-0x00007FF739770000-0x00007FF739AC1000-memory.dmp

Filesize
3.3MB

Download
memory/1736-226-0x00007FF739770000-0x00007FF739AC1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-218-0x00007FF65DBB0000-0x00007FF65DF01000-memory.dmp

Filesize
3.3MB

Download
memory/1796-58-0x00007FF65DBB0000-0x00007FF65DF01000-memory.dmp

Filesize
3.3MB

Download
memory/2112-254-0x00007FF72DAF0000-0x00007FF72DE41000-memory.dmp

Filesize
3.3MB

Download
memory/2112-124-0x00007FF72DAF0000-0x00007FF72DE41000-memory.dmp

Filesize
3.3MB

Download
memory/2200-57-0x00007FF7847F0000-0x00007FF784B41000-memory.dmp

Filesize
3.3MB

Download
memory/2200-236-0x00007FF7847F0000-0x00007FF784B41000-memory.dmp

Filesize
3.3MB

Download
memory/2200-137-0x00007FF7847F0000-0x00007FF784B41000-memory.dmp

Filesize
3.3MB

Download
memory/2360-123-0x00007FF641F00000-0x00007FF642251000-memory.dmp

Filesize
3.3MB

Download
memory/2360-249-0x00007FF641F00000-0x00007FF642251000-memory.dmp

Filesize
3.3MB

Download
memory/2892-151-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-1-0x00000172ED140000-0x00000172ED150000-memory.dmp

Filesize
64KB

Download
memory/2892-0-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-150-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-127-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/3268-129-0x00007FF7BCE60000-0x00007FF7BD1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3268-212-0x00007FF7BCE60000-0x00007FF7BD1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3268-23-0x00007FF7BCE60000-0x00007FF7BD1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3484-251-0x00007FF736680000-0x00007FF7369D1000-memory.dmp

Filesize
3.3MB

Download
memory/3484-121-0x00007FF736680000-0x00007FF7369D1000-memory.dmp

Filesize
3.3MB

Download
memory/3512-128-0x00007FF7BC540000-0x00007FF7BC891000-memory.dmp

Filesize
3.3MB

Download
memory/3512-7-0x00007FF7BC540000-0x00007FF7BC891000-memory.dmp

Filesize
3.3MB

Download
memory/3512-210-0x00007FF7BC540000-0x00007FF7BC891000-memory.dmp

Filesize
3.3MB

Download
memory/3564-126-0x00007FF7E6B80000-0x00007FF7E6ED1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-149-0x00007FF7E6B80000-0x00007FF7E6ED1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-259-0x00007FF7E6B80000-0x00007FF7E6ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4060-109-0x00007FF602440000-0x00007FF602791000-memory.dmp

Filesize
3.3MB

Download
memory/4060-246-0x00007FF602440000-0x00007FF602791000-memory.dmp

Filesize
3.3MB

Download
memory/4060-145-0x00007FF602440000-0x00007FF602791000-memory.dmp

Filesize
3.3MB

Download
memory/4092-135-0x00007FF61C030000-0x00007FF61C381000-memory.dmp

Filesize
3.3MB

Download
memory/4092-224-0x00007FF61C030000-0x00007FF61C381000-memory.dmp

Filesize
3.3MB

Download
memory/4092-46-0x00007FF61C030000-0x00007FF61C381000-memory.dmp

Filesize
3.3MB

Download
memory/4136-241-0x00007FF687750000-0x00007FF687AA1000-memory.dmp

Filesize
3.3MB

Download
memory/4136-97-0x00007FF687750000-0x00007FF687AA1000-memory.dmp

Filesize
3.3MB

Download
memory/4444-93-0x00007FF6A6500000-0x00007FF6A6851000-memory.dmp

Filesize
3.3MB

Download
memory/4444-243-0x00007FF6A6500000-0x00007FF6A6851000-memory.dmp

Filesize
3.3MB

Download
memory/4480-253-0x00007FF69A3A0000-0x00007FF69A6F1000-memory.dmp

Filesize
3.3MB

Download
memory/4480-110-0x00007FF69A3A0000-0x00007FF69A6F1000-memory.dmp

Filesize
3.3MB

Download
memory/4480-146-0x00007FF69A3A0000-0x00007FF69A6F1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-239-0x00007FF652410000-0x00007FF652761000-memory.dmp

Filesize
3.3MB

Download
memory/4756-105-0x00007FF652410000-0x00007FF652761000-memory.dmp

Filesize
3.3MB

Download
memory/4760-256-0x00007FF720190000-0x00007FF7204E1000-memory.dmp

Filesize
3.3MB

Download
memory/4760-125-0x00007FF720190000-0x00007FF7204E1000-memory.dmp

Filesize
3.3MB

Download
memory/4964-222-0x00007FF615790000-0x00007FF615AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4964-134-0x00007FF615790000-0x00007FF615AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4964-40-0x00007FF615790000-0x00007FF615AE1000-memory.dmp

Filesize
3.3MB

Download