cobaltstrike | ae39574922e57a0bc2f12d0c089a0e10155443c14ea647aa83e112a0f74ed35e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

599eba5b286bf2eee8aff30b1971f836
SHA1

2927ca819d1fab11565a9d6f3aa20dcef15ef6f1
SHA256

ae39574922e57a0bc2f12d0c089a0e10155443c14ea647aa83e112a0f74ed35e
SHA512

c6c7d56cf401374cbd830c4ce49cd19d57b555f4eeed5d853c5d448406d524967773592420bb3f2d030987c6d675860948916d9353c66b9964192dbcfe5f647d
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lT:RWWBibd56utgpPFotBER/mQ32lUH

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023ba9-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb9-14.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb6-20.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbb-27.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbd-40.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bec-43.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bee-77.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf1-89.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf7-98.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c10-110.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c12-120.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c11-117.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0a-108.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf8-104.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf6-94.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf0-86.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bef-75.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023baf-61.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bed-57.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbc-38.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bba-26.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2272-66-0x00007FF7A0070000-0x00007FF7A03C1000-memory.dmp	xmrig
behavioral2/memory/1844-73-0x00007FF6FA190000-0x00007FF6FA4E1000-memory.dmp	xmrig
behavioral2/memory/4624-72-0x00007FF759670000-0x00007FF7599C1000-memory.dmp	xmrig
behavioral2/memory/2008-67-0x00007FF7C3B50000-0x00007FF7C3EA1000-memory.dmp	xmrig
behavioral2/memory/4400-124-0x00007FF7C5E60000-0x00007FF7C61B1000-memory.dmp	xmrig
behavioral2/memory/3104-125-0x00007FF707E00000-0x00007FF708151000-memory.dmp	xmrig
behavioral2/memory/2716-126-0x00007FF67C0D0000-0x00007FF67C421000-memory.dmp	xmrig
behavioral2/memory/1760-129-0x00007FF7E3DA0000-0x00007FF7E40F1000-memory.dmp	xmrig
behavioral2/memory/3568-130-0x00007FF739DE0000-0x00007FF73A131000-memory.dmp	xmrig
behavioral2/memory/3004-128-0x00007FF7B6750000-0x00007FF7B6AA1000-memory.dmp	xmrig
behavioral2/memory/3392-131-0x00007FF668A70000-0x00007FF668DC1000-memory.dmp	xmrig
behavioral2/memory/4844-127-0x00007FF602E40000-0x00007FF603191000-memory.dmp	xmrig
behavioral2/memory/1560-123-0x00007FF67C240000-0x00007FF67C591000-memory.dmp	xmrig
behavioral2/memory/2272-132-0x00007FF7A0070000-0x00007FF7A03C1000-memory.dmp	xmrig
behavioral2/memory/212-136-0x00007FF6467B0000-0x00007FF646B01000-memory.dmp	xmrig
behavioral2/memory/3644-141-0x00007FF777E10000-0x00007FF778161000-memory.dmp	xmrig
behavioral2/memory/4116-145-0x00007FF673620000-0x00007FF673971000-memory.dmp	xmrig
behavioral2/memory/3064-144-0x00007FF715F40000-0x00007FF716291000-memory.dmp	xmrig
behavioral2/memory/3112-142-0x00007FF60A320000-0x00007FF60A671000-memory.dmp	xmrig
behavioral2/memory/3052-146-0x00007FF6281B0000-0x00007FF628501000-memory.dmp	xmrig
behavioral2/memory/4176-140-0x00007FF630C40000-0x00007FF630F91000-memory.dmp	xmrig
behavioral2/memory/1292-139-0x00007FF656CD0000-0x00007FF657021000-memory.dmp	xmrig
behavioral2/memory/3912-138-0x00007FF667150000-0x00007FF6674A1000-memory.dmp	xmrig
behavioral2/memory/2272-155-0x00007FF7A0070000-0x00007FF7A03C1000-memory.dmp	xmrig
behavioral2/memory/4624-211-0x00007FF759670000-0x00007FF7599C1000-memory.dmp	xmrig
behavioral2/memory/3568-213-0x00007FF739DE0000-0x00007FF73A131000-memory.dmp	xmrig
behavioral2/memory/1844-215-0x00007FF6FA190000-0x00007FF6FA4E1000-memory.dmp	xmrig
behavioral2/memory/212-217-0x00007FF6467B0000-0x00007FF646B01000-memory.dmp	xmrig
behavioral2/memory/3912-219-0x00007FF667150000-0x00007FF6674A1000-memory.dmp	xmrig
behavioral2/memory/1292-232-0x00007FF656CD0000-0x00007FF657021000-memory.dmp	xmrig
behavioral2/memory/4176-234-0x00007FF630C40000-0x00007FF630F91000-memory.dmp	xmrig
behavioral2/memory/3112-236-0x00007FF60A320000-0x00007FF60A671000-memory.dmp	xmrig
behavioral2/memory/3644-238-0x00007FF777E10000-0x00007FF778161000-memory.dmp	xmrig
behavioral2/memory/2008-240-0x00007FF7C3B50000-0x00007FF7C3EA1000-memory.dmp	xmrig
behavioral2/memory/3064-242-0x00007FF715F40000-0x00007FF716291000-memory.dmp	xmrig
behavioral2/memory/4116-244-0x00007FF673620000-0x00007FF673971000-memory.dmp	xmrig
behavioral2/memory/3052-250-0x00007FF6281B0000-0x00007FF628501000-memory.dmp	xmrig
behavioral2/memory/3392-254-0x00007FF668A70000-0x00007FF668DC1000-memory.dmp	xmrig
behavioral2/memory/2716-256-0x00007FF67C0D0000-0x00007FF67C421000-memory.dmp	xmrig
behavioral2/memory/3104-248-0x00007FF707E00000-0x00007FF708151000-memory.dmp	xmrig
behavioral2/memory/1560-253-0x00007FF67C240000-0x00007FF67C591000-memory.dmp	xmrig
behavioral2/memory/4400-247-0x00007FF7C5E60000-0x00007FF7C61B1000-memory.dmp	xmrig
behavioral2/memory/3004-261-0x00007FF7B6750000-0x00007FF7B6AA1000-memory.dmp	xmrig
behavioral2/memory/4844-262-0x00007FF602E40000-0x00007FF603191000-memory.dmp	xmrig
behavioral2/memory/1760-259-0x00007FF7E3DA0000-0x00007FF7E40F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4624	fgzcwuw.exe
1844	torrCxP.exe
3568	IYogSLl.exe
212	mjBUTxw.exe
3912	SpsjhWx.exe
1292	ZZsrcxq.exe
4176	KtBJtHd.exe
3644	yRLLXQu.exe
3112	OIVpJHB.exe
2008	JZGHNxD.exe
4116	LVgJVSN.exe
3064	nnCPKYo.exe
3052	WxqakZG.exe
3392	uISxEUS.exe
1560	BYggHya.exe
4400	pFSVPwU.exe
3104	OROESuB.exe
2716	GyKfOoV.exe
4844	esPldyR.exe
3004	qyqJEHB.exe
1760	amAIYDp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2272-0-0x00007FF7A0070000-0x00007FF7A03C1000-memory.dmp	upx
behavioral2/files/0x0009000000023ba9-5.dat	upx
behavioral2/files/0x0008000000023bb9-14.dat	upx
behavioral2/memory/3568-16-0x00007FF739DE0000-0x00007FF73A131000-memory.dmp	upx
behavioral2/files/0x0008000000023bb6-20.dat	upx
behavioral2/files/0x0008000000023bbb-27.dat	upx
behavioral2/files/0x0009000000023bbd-40.dat	upx
behavioral2/files/0x0008000000023bec-43.dat	upx
behavioral2/memory/4176-46-0x00007FF630C40000-0x00007FF630F91000-memory.dmp	upx
behavioral2/memory/2272-66-0x00007FF7A0070000-0x00007FF7A03C1000-memory.dmp	upx
behavioral2/memory/1844-73-0x00007FF6FA190000-0x00007FF6FA4E1000-memory.dmp	upx
behavioral2/files/0x0008000000023bee-77.dat	upx
behavioral2/files/0x0008000000023bf1-89.dat	upx
behavioral2/files/0x0008000000023bf7-98.dat	upx
behavioral2/files/0x0008000000023c10-110.dat	upx
behavioral2/files/0x0008000000023c12-120.dat	upx
behavioral2/files/0x0008000000023c11-117.dat	upx
behavioral2/files/0x0008000000023c0a-108.dat	upx
behavioral2/files/0x0008000000023bf8-104.dat	upx
behavioral2/files/0x0008000000023bf6-94.dat	upx
behavioral2/files/0x0008000000023bf0-86.dat	upx
behavioral2/memory/3064-82-0x00007FF715F40000-0x00007FF716291000-memory.dmp	upx
behavioral2/files/0x0008000000023bef-75.dat	upx
behavioral2/memory/4116-74-0x00007FF673620000-0x00007FF673971000-memory.dmp	upx
behavioral2/memory/4624-72-0x00007FF759670000-0x00007FF7599C1000-memory.dmp	upx
behavioral2/memory/2008-67-0x00007FF7C3B50000-0x00007FF7C3EA1000-memory.dmp	upx
behavioral2/memory/3112-62-0x00007FF60A320000-0x00007FF60A671000-memory.dmp	upx
behavioral2/files/0x000a000000023baf-61.dat	upx
behavioral2/files/0x0008000000023bed-57.dat	upx
behavioral2/memory/3644-48-0x00007FF777E10000-0x00007FF778161000-memory.dmp	upx
behavioral2/files/0x0008000000023bbc-38.dat	upx
behavioral2/memory/1292-37-0x00007FF656CD0000-0x00007FF657021000-memory.dmp	upx
behavioral2/memory/3912-29-0x00007FF667150000-0x00007FF6674A1000-memory.dmp	upx
behavioral2/files/0x0008000000023bba-26.dat	upx
behavioral2/memory/212-24-0x00007FF6467B0000-0x00007FF646B01000-memory.dmp	upx
behavioral2/memory/1844-15-0x00007FF6FA190000-0x00007FF6FA4E1000-memory.dmp	upx
behavioral2/memory/4624-6-0x00007FF759670000-0x00007FF7599C1000-memory.dmp	upx
behavioral2/memory/4400-124-0x00007FF7C5E60000-0x00007FF7C61B1000-memory.dmp	upx
behavioral2/memory/3104-125-0x00007FF707E00000-0x00007FF708151000-memory.dmp	upx
behavioral2/memory/2716-126-0x00007FF67C0D0000-0x00007FF67C421000-memory.dmp	upx
behavioral2/memory/1760-129-0x00007FF7E3DA0000-0x00007FF7E40F1000-memory.dmp	upx
behavioral2/memory/3568-130-0x00007FF739DE0000-0x00007FF73A131000-memory.dmp	upx
behavioral2/memory/3004-128-0x00007FF7B6750000-0x00007FF7B6AA1000-memory.dmp	upx
behavioral2/memory/3392-131-0x00007FF668A70000-0x00007FF668DC1000-memory.dmp	upx
behavioral2/memory/4844-127-0x00007FF602E40000-0x00007FF603191000-memory.dmp	upx
behavioral2/memory/1560-123-0x00007FF67C240000-0x00007FF67C591000-memory.dmp	upx
behavioral2/memory/3052-122-0x00007FF6281B0000-0x00007FF628501000-memory.dmp	upx
behavioral2/memory/2272-132-0x00007FF7A0070000-0x00007FF7A03C1000-memory.dmp	upx
behavioral2/memory/212-136-0x00007FF6467B0000-0x00007FF646B01000-memory.dmp	upx
behavioral2/memory/3644-141-0x00007FF777E10000-0x00007FF778161000-memory.dmp	upx
behavioral2/memory/4116-145-0x00007FF673620000-0x00007FF673971000-memory.dmp	upx
behavioral2/memory/3064-144-0x00007FF715F40000-0x00007FF716291000-memory.dmp	upx
behavioral2/memory/3112-142-0x00007FF60A320000-0x00007FF60A671000-memory.dmp	upx
behavioral2/memory/3052-146-0x00007FF6281B0000-0x00007FF628501000-memory.dmp	upx
behavioral2/memory/4176-140-0x00007FF630C40000-0x00007FF630F91000-memory.dmp	upx
behavioral2/memory/1292-139-0x00007FF656CD0000-0x00007FF657021000-memory.dmp	upx
behavioral2/memory/3912-138-0x00007FF667150000-0x00007FF6674A1000-memory.dmp	upx
behavioral2/memory/2272-155-0x00007FF7A0070000-0x00007FF7A03C1000-memory.dmp	upx
behavioral2/memory/4624-211-0x00007FF759670000-0x00007FF7599C1000-memory.dmp	upx
behavioral2/memory/3568-213-0x00007FF739DE0000-0x00007FF73A131000-memory.dmp	upx
behavioral2/memory/1844-215-0x00007FF6FA190000-0x00007FF6FA4E1000-memory.dmp	upx
behavioral2/memory/212-217-0x00007FF6467B0000-0x00007FF646B01000-memory.dmp	upx
behavioral2/memory/3912-219-0x00007FF667150000-0x00007FF6674A1000-memory.dmp	upx
behavioral2/memory/1292-232-0x00007FF656CD0000-0x00007FF657021000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\SpsjhWx.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yRLLXQu.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OIVpJHB.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\esPldyR.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nnCPKYo.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WxqakZG.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BYggHya.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GyKfOoV.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\amAIYDp.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fgzcwuw.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IYogSLl.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mjBUTxw.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LVgJVSN.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uISxEUS.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pFSVPwU.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OROESuB.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qyqJEHB.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\torrCxP.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZZsrcxq.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KtBJtHd.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JZGHNxD.exe	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 4624	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2272 wrote to memory of 4624	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2272 wrote to memory of 1844	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2272 wrote to memory of 1844	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2272 wrote to memory of 3568	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2272 wrote to memory of 3568	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2272 wrote to memory of 212	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2272 wrote to memory of 212	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2272 wrote to memory of 3912	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2272 wrote to memory of 3912	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2272 wrote to memory of 1292	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2272 wrote to memory of 1292	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2272 wrote to memory of 4176	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2272 wrote to memory of 4176	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2272 wrote to memory of 3644	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2272 wrote to memory of 3644	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2272 wrote to memory of 3112	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2272 wrote to memory of 3112	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2272 wrote to memory of 2008	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2272 wrote to memory of 2008	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2272 wrote to memory of 3064	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2272 wrote to memory of 3064	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2272 wrote to memory of 4116	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2272 wrote to memory of 4116	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2272 wrote to memory of 3052	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2272 wrote to memory of 3052	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2272 wrote to memory of 3392	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2272 wrote to memory of 3392	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2272 wrote to memory of 1560	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2272 wrote to memory of 1560	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2272 wrote to memory of 4400	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2272 wrote to memory of 4400	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2272 wrote to memory of 3104	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2272 wrote to memory of 3104	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2272 wrote to memory of 2716	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2272 wrote to memory of 2716	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2272 wrote to memory of 4844	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2272 wrote to memory of 4844	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2272 wrote to memory of 3004	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2272 wrote to memory of 3004	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2272 wrote to memory of 1760	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2272 wrote to memory of 1760	2272	2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_599eba5b286bf2eee8aff30b1971f836_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\System\fgzcwuw.exe
  C:\Windows\System\fgzcwuw.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\torrCxP.exe
  C:\Windows\System\torrCxP.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\IYogSLl.exe
  C:\Windows\System\IYogSLl.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System\mjBUTxw.exe
  C:\Windows\System\mjBUTxw.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\SpsjhWx.exe
  C:\Windows\System\SpsjhWx.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System\ZZsrcxq.exe
  C:\Windows\System\ZZsrcxq.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System\KtBJtHd.exe
  C:\Windows\System\KtBJtHd.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\yRLLXQu.exe
  C:\Windows\System\yRLLXQu.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\OIVpJHB.exe
  C:\Windows\System\OIVpJHB.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\JZGHNxD.exe
  C:\Windows\System\JZGHNxD.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\nnCPKYo.exe
  C:\Windows\System\nnCPKYo.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\LVgJVSN.exe
  C:\Windows\System\LVgJVSN.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System\WxqakZG.exe
  C:\Windows\System\WxqakZG.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\uISxEUS.exe
  C:\Windows\System\uISxEUS.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System\BYggHya.exe
  C:\Windows\System\BYggHya.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\pFSVPwU.exe
  C:\Windows\System\pFSVPwU.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\OROESuB.exe
  C:\Windows\System\OROESuB.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\GyKfOoV.exe
  C:\Windows\System\GyKfOoV.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\esPldyR.exe
  C:\Windows\System\esPldyR.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\qyqJEHB.exe
  C:\Windows\System\qyqJEHB.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\amAIYDp.exe
  C:\Windows\System\amAIYDp.exe
  2⤵
  - Executes dropped EXE
  PID:1760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BYggHya.exe

Filesize
5.2MB

MD5
10209a3e67473e3bed3905812bc71753

SHA1
609adb91b1f5abe855fce4e29e2e4fd0b9f7cff0

SHA256
90c62a6c7a70820dd9fd2043898c30a1623e09ae78b860845bbe7cc255ba7012

SHA512
92c58ec8eef526933369c90e3de34f4b234e7423c98809dcee14e90e985c1bdc887c1384b1d7a44a269a458cc1d7bde451484774af51f859524db160286966d3

Download Submit
C:\Windows\System\GyKfOoV.exe

Filesize
5.2MB

MD5
3877c4f70fd9638a8503a537fd22db9e

SHA1
211645e3822142e5464654212985d26ef90e3e7f

SHA256
1f8e14a82b406c7dabf4f91afc840d72cede5e2d8d8832b5164e028e5a7c323f

SHA512
e873914315686ecc4ce8a96227330cb983ed982b44eef6bd1238cf48f330af961a69767790e256eec701f257a5257c3ccbbd29c4ba55e2421714cde07bd4bc16

Download Submit
C:\Windows\System\IYogSLl.exe

Filesize
5.2MB

MD5
5e2ae85f84c4cdcc61b1ddd4cc1989e0

SHA1
9425f5620e49edf2a506d72dc747036d2c2d6330

SHA256
be57f0e09e248e42f5c75d1f9742ef7366e05feb1f12c2452b6b2f5bfa5fdc51

SHA512
ad1b30017ff09327208dc3d8c9b4049ff85456b85cb5e8acca7f9c439a4f0aef5e48c933b427493d525b2f698658035b148b7b61d681add4580a2f556789f5a0

Download Submit
C:\Windows\System\JZGHNxD.exe

Filesize
5.2MB

MD5
344fa32ef2a02f6243933f8977db1c60

SHA1
cddd5384cdf36a78ab00a46ea5a71ac4a5194811

SHA256
4c0ac91995be6e24d698def5b904a3f3e6c5c31d1ff5fc607a8f1715a518f67f

SHA512
56c52e6431e6f43612bd843ff99043e6c1a009707e7fff8f15595d33fcfed9f2f2de96a068d197ddbf17f95d4530578a523c0e87576f05b4a5b26a22251293eb

Download Submit
C:\Windows\System\KtBJtHd.exe

Filesize
5.2MB

MD5
741a1fc8e376c2c32acfb62811eda914

SHA1
b05f038567cdb0aedc8adcefce203c69a1285289

SHA256
8ae882d42d0c73bbaa77548088d275239adcd5c3fffe2d470c6602869a416d78

SHA512
72620b9e2bfa8ae6a44c5f02760fe80025855806ae80bbbd479a2c4e858e551af3b95046f84866b1cb5091fe60abb74df4da68dd2e1dbd56b6afde29e844db38

Download Submit
C:\Windows\System\LVgJVSN.exe

Filesize
5.2MB

MD5
f6460efae57e1a4bece95c0fbf4789da

SHA1
d2848502fd17c2d42efdb4d5f75732b4ae55aa2a

SHA256
3ae5ef986f10a1da4520d34d8aa2ef89b4a352ae9f2599a099e7c101ea14e222

SHA512
769bcf472e93ebcc89f0824cc8d6c1c2d030cadcad5f827a760f70a7e1d867da85ef5bf12d7a2a5d317c6e54129e63a378c807a01d65dc9a1babdb43b55e25e6

Download Submit
C:\Windows\System\OIVpJHB.exe

Filesize
5.2MB

MD5
bf69e8a55002d11fb1ad3b079ffbae8f

SHA1
c4bec9f8265ac887ccfa1123a53a697817a2e8c0

SHA256
1d9f2264ed37e2ecadc7accdbf73f6c4074029ca49a36c23db648d8de16a5752

SHA512
dd4749cbcd4e6d412771a893a2c05c7842768ec3d7f28652de1e4dfb2a27e0b22ada6f417da2a23cd7064bb8f5dbbae85292214993993c6aa0ec993ce91ab393

Download Submit
C:\Windows\System\OROESuB.exe

Filesize
5.2MB

MD5
8ba0c80a92eb7b5a571af8145975c0a9

SHA1
84616103c12d7a17f6e84c32cc611062b9d271b6

SHA256
3bd849bfa48e230bafb9432ca0ae82e319a04809fcebebaadda57d997d33966c

SHA512
1f3da74925305a7bc7c3634e77193bde238272920bec0b21228d7eae71cbd4f4cec086da8505fba3136e0f6391b0df24b52645dd68f854959d5cef319cd63872

Download Submit
C:\Windows\System\SpsjhWx.exe

Filesize
5.2MB

MD5
6f01b11f189659b50704194c3eeeb471

SHA1
63e774cf177a7ae0618ea115096e75a688d16d10

SHA256
40e70d776cbabc35189f44adc63073ad9c55f8d9e57ee18cdf419a61a5a8d31e

SHA512
7e0fbc1c9315eadb1b545b4a9823a7a3c218075ee0bafda0f63516558d4c29970c238c0d7d3d1f16fab394276cc9a92270e022fd90d89b4a3a5133b59a9b0af2

Download Submit
C:\Windows\System\WxqakZG.exe

Filesize
5.2MB

MD5
97feb1272aa9418babbc65487df213bd

SHA1
fe77430d2607406712a05e33d22400a1a28872fa

SHA256
14221b62e184beddc082703b956d48d8fc1beb0a0fa454ed6caea72227a2b8a0

SHA512
01896498dd3afd3907341b17e4ea9d748ceeb9a42479a92b933877691f3ce4916aea053cf140e5220c00b20aed1f3b7ff2531f3d5c64b6a10316196a817e3ed6

Download Submit
C:\Windows\System\ZZsrcxq.exe

Filesize
5.2MB

MD5
6b55b2d55526b9ed1cbb2d4ab9c0ca6a

SHA1
260de194b8dcdb0d083321f4ac2de941f447dca3

SHA256
add43afab3132833c9487a8e75a5c27dad4565568cc0ef16cf5af844f8fafd30

SHA512
fdbc6772c014a497b3ba2ee96e7a2b07d4b914fb739955f2325b1a18f2555f0de277ba92808548394c2368942d2f5885033a34b7a83e693cd473a93be9e448df

Download Submit
C:\Windows\System\amAIYDp.exe

Filesize
5.2MB

MD5
f1a8808a4d86ad31af6f6141976c06be

SHA1
e05b2d8695f7caba23c0e00fff2a1d055f6b27b6

SHA256
3eae21124a01dac774f5c44a8fe7ddd0bf65e015c9e3596f59be8a48a9664749

SHA512
b10c4f89edfe3bbd60a11fe2dfcd3ad58614ab7e29e9cb89524729d3e3bfeea8b78ab2f2797c7891de7a6188b2b61544a09772a4f4559e6992d98df5930babb2

Download Submit
C:\Windows\System\esPldyR.exe

Filesize
5.2MB

MD5
5d8b50f000fa1dc2faaecb8fd1330059

SHA1
cb1848d3fb03f801761328b724ae73d575aa8eed

SHA256
c89f6de7b19db0f496fedf945a04887010ae3c50ddfd693a53672f621ba3b492

SHA512
db75ec020eafe45013028212de0db6c20ee7126668a5d1170c906400969e9e332462d788ac12ba224782cad105a7d4b18ad2b386febaf85da75491959477131f

Download Submit
C:\Windows\System\fgzcwuw.exe

Filesize
5.2MB

MD5
6e098d2a162eb944301339e352190d94

SHA1
65997db35dbbdb4abd47a730cfdbd9a55ca71a1a

SHA256
3e21d5b33ae6d0a897069341654f64fe32141bcee272419c13455af935f2e6fb

SHA512
2cc944f202eeb87fc2192d50b2a4117bbdc0b1d956ab874200dfba2dae9605eba20575190593fc80ea92258d30c1bcb2e3b603aa242518ba86567514662e8ea3

Download Submit
C:\Windows\System\mjBUTxw.exe

Filesize
5.2MB

MD5
44e8beca326da95087e5b4debddd66aa

SHA1
4b9b8470a12ab1091aaa51c832b2fae73ed58c46

SHA256
b04a571e4f93f6c5f2fa33fa3bc2ad4fe844601b70f5b9c739aa717b798103e8

SHA512
5b538fb853cf681a50f42bc0a59823875ae5adff213a22f259a4aae6ad8fc41112c72e05ba7b2fd91b474734f6fc39def40ca8f34afe94379073963a681255b8

Download Submit
C:\Windows\System\nnCPKYo.exe

Filesize
5.2MB

MD5
132db157c5f63080ab04d3ec6fdf8d80

SHA1
7bf8940c9d86c402d8864827412b709f89abc58f

SHA256
7a3b25ed6a8b7062669bbbfa9ec8f65475237ef63a756b1442d7a355d55ed5a2

SHA512
3b7aa02bcd8175ec9071872e96f9e7992f08ea3e2e37b834888c4834fbbe2626072465e9f6a3d2a8e1662eb1bf9c3e626ef724669574170a83b1a5b66b17e14b

Download Submit
C:\Windows\System\pFSVPwU.exe

Filesize
5.2MB

MD5
10c09e7a732973a2d07680e49d15ed5a

SHA1
10c5121b53f92a673e95b0da62cd306179e3dc72

SHA256
fa6a8401eff0150a5a040c333b21d3b7d47c867d95354575a503fb3824dd8ea8

SHA512
5a3ff3bf2a0ec22c3918c4de27764fcd34f8e08562ca8fff1847e82ab21bcb7867b128017f879e64c5590975e0594b73eb8901dee007cc4adba3b147dfdccd21

Download Submit
C:\Windows\System\qyqJEHB.exe

Filesize
5.2MB

MD5
40f5fdd94f0bba997f7003d6103ef03b

SHA1
9aaefb9631857cb310ec72ed7c9ba7f4c6cf067a

SHA256
a58987a426c188441a98e0863e428343ec0756311f0dc26b08df84c756532111

SHA512
9fda66a8d92b6daad8e78b3b65da9724f9d42b92dd6079522d68cfb818ef583b58d8a2772303ee6b355f3c22f25c37479ad23b6b72e1bdb18006ffb078619e6a

Download Submit
C:\Windows\System\torrCxP.exe

Filesize
5.2MB

MD5
ad0ee393017ab5e917c5bc732a800173

SHA1
96ad1047bde721c8d502d7eb578598fa1ed167e0

SHA256
39b6891b593f0d80df5ed19812abfba05a2965834fcb8084732e5089fba93b4f

SHA512
398d76b8aa814cec4a28f2f016a64f417340af133630905e29e4374260038cc112538e0ac2ef7eb0af6a3cecd2b40715c2ba7c24d0aa2ea7f93f1b6e4c63663c

Download Submit
C:\Windows\System\uISxEUS.exe

Filesize
5.2MB

MD5
b4616d79e141cae94aa3484061272f11

SHA1
a09cbb491adc0168834fd85f696c1fd426b5ef8c

SHA256
102ecbf477553a049b51dacf0a4739e70238fd070ab63da4447fb8c039a84640

SHA512
b7bfd2de3ddced1f1c6c1be2230eba897d224a1c4b89bffa3d3e0e1592760d709b4ff7159d4d233a3e4760a83a2e2033044c5786444c77b15474e727eac8b029

Download Submit
C:\Windows\System\yRLLXQu.exe

Filesize
5.2MB

MD5
9f1b449583a8cd0efd960c9838e5d6b7

SHA1
2330b255d03090f6d9814d599e250a36f9d2168b

SHA256
6a29865a21e3e567ef6c29faa26a0384d7700db16e8f65cfb8d7adf54e4a5fc3

SHA512
49d18d5dd9153cb07003e8e61d2d527ec88721fc9606bf6ac15318fbe06869705af0fe3b32c9c0c6566ddf3a773a24c2b94417f5be641c3db821b2bf96d9fa8a

Download Submit
memory/212-136-0x00007FF6467B0000-0x00007FF646B01000-memory.dmp

Filesize
3.3MB

Download
memory/212-217-0x00007FF6467B0000-0x00007FF646B01000-memory.dmp

Filesize
3.3MB

Download
memory/212-24-0x00007FF6467B0000-0x00007FF646B01000-memory.dmp

Filesize
3.3MB

Download
memory/1292-139-0x00007FF656CD0000-0x00007FF657021000-memory.dmp

Filesize
3.3MB

Download
memory/1292-37-0x00007FF656CD0000-0x00007FF657021000-memory.dmp

Filesize
3.3MB

Download
memory/1292-232-0x00007FF656CD0000-0x00007FF657021000-memory.dmp

Filesize
3.3MB

Download
memory/1560-253-0x00007FF67C240000-0x00007FF67C591000-memory.dmp

Filesize
3.3MB

Download
memory/1560-123-0x00007FF67C240000-0x00007FF67C591000-memory.dmp

Filesize
3.3MB

Download
memory/1760-129-0x00007FF7E3DA0000-0x00007FF7E40F1000-memory.dmp

Filesize
3.3MB

Download
memory/1760-259-0x00007FF7E3DA0000-0x00007FF7E40F1000-memory.dmp

Filesize
3.3MB

Download
memory/1844-215-0x00007FF6FA190000-0x00007FF6FA4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1844-73-0x00007FF6FA190000-0x00007FF6FA4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1844-15-0x00007FF6FA190000-0x00007FF6FA4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2008-67-0x00007FF7C3B50000-0x00007FF7C3EA1000-memory.dmp

Filesize
3.3MB

Download
memory/2008-240-0x00007FF7C3B50000-0x00007FF7C3EA1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-66-0x00007FF7A0070000-0x00007FF7A03C1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-155-0x00007FF7A0070000-0x00007FF7A03C1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-132-0x00007FF7A0070000-0x00007FF7A03C1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-1-0x000001F223EE0000-0x000001F223EF0000-memory.dmp

Filesize
64KB

Download
memory/2272-0-0x00007FF7A0070000-0x00007FF7A03C1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-126-0x00007FF67C0D0000-0x00007FF67C421000-memory.dmp

Filesize
3.3MB

Download
memory/2716-256-0x00007FF67C0D0000-0x00007FF67C421000-memory.dmp

Filesize
3.3MB

Download
memory/3004-128-0x00007FF7B6750000-0x00007FF7B6AA1000-memory.dmp

Filesize
3.3MB

Download
memory/3004-261-0x00007FF7B6750000-0x00007FF7B6AA1000-memory.dmp

Filesize
3.3MB

Download
memory/3052-250-0x00007FF6281B0000-0x00007FF628501000-memory.dmp

Filesize
3.3MB

Download
memory/3052-122-0x00007FF6281B0000-0x00007FF628501000-memory.dmp

Filesize
3.3MB

Download
memory/3052-146-0x00007FF6281B0000-0x00007FF628501000-memory.dmp

Filesize
3.3MB

Download
memory/3064-82-0x00007FF715F40000-0x00007FF716291000-memory.dmp

Filesize
3.3MB

Download
memory/3064-242-0x00007FF715F40000-0x00007FF716291000-memory.dmp

Filesize
3.3MB

Download
memory/3064-144-0x00007FF715F40000-0x00007FF716291000-memory.dmp

Filesize
3.3MB

Download
memory/3104-125-0x00007FF707E00000-0x00007FF708151000-memory.dmp

Filesize
3.3MB

Download
memory/3104-248-0x00007FF707E00000-0x00007FF708151000-memory.dmp

Filesize
3.3MB

Download
memory/3112-142-0x00007FF60A320000-0x00007FF60A671000-memory.dmp

Filesize
3.3MB

Download
memory/3112-62-0x00007FF60A320000-0x00007FF60A671000-memory.dmp

Filesize
3.3MB

Download
memory/3112-236-0x00007FF60A320000-0x00007FF60A671000-memory.dmp

Filesize
3.3MB

Download
memory/3392-254-0x00007FF668A70000-0x00007FF668DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3392-131-0x00007FF668A70000-0x00007FF668DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-213-0x00007FF739DE0000-0x00007FF73A131000-memory.dmp

Filesize
3.3MB

Download
memory/3568-130-0x00007FF739DE0000-0x00007FF73A131000-memory.dmp

Filesize
3.3MB

Download
memory/3568-16-0x00007FF739DE0000-0x00007FF73A131000-memory.dmp

Filesize
3.3MB

Download
memory/3644-48-0x00007FF777E10000-0x00007FF778161000-memory.dmp

Filesize
3.3MB

Download
memory/3644-141-0x00007FF777E10000-0x00007FF778161000-memory.dmp

Filesize
3.3MB

Download
memory/3644-238-0x00007FF777E10000-0x00007FF778161000-memory.dmp

Filesize
3.3MB

Download
memory/3912-219-0x00007FF667150000-0x00007FF6674A1000-memory.dmp

Filesize
3.3MB

Download
memory/3912-138-0x00007FF667150000-0x00007FF6674A1000-memory.dmp

Filesize
3.3MB

Download
memory/3912-29-0x00007FF667150000-0x00007FF6674A1000-memory.dmp

Filesize
3.3MB

Download
memory/4116-244-0x00007FF673620000-0x00007FF673971000-memory.dmp

Filesize
3.3MB

Download
memory/4116-74-0x00007FF673620000-0x00007FF673971000-memory.dmp

Filesize
3.3MB

Download
memory/4116-145-0x00007FF673620000-0x00007FF673971000-memory.dmp

Filesize
3.3MB

Download
memory/4176-140-0x00007FF630C40000-0x00007FF630F91000-memory.dmp

Filesize
3.3MB

Download
memory/4176-234-0x00007FF630C40000-0x00007FF630F91000-memory.dmp

Filesize
3.3MB

Download
memory/4176-46-0x00007FF630C40000-0x00007FF630F91000-memory.dmp

Filesize
3.3MB

Download
memory/4400-124-0x00007FF7C5E60000-0x00007FF7C61B1000-memory.dmp

Filesize
3.3MB

Download
memory/4400-247-0x00007FF7C5E60000-0x00007FF7C61B1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-211-0x00007FF759670000-0x00007FF7599C1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-6-0x00007FF759670000-0x00007FF7599C1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-72-0x00007FF759670000-0x00007FF7599C1000-memory.dmp

Filesize
3.3MB

Download
memory/4844-127-0x00007FF602E40000-0x00007FF603191000-memory.dmp

Filesize
3.3MB

Download
memory/4844-262-0x00007FF602E40000-0x00007FF603191000-memory.dmp

Filesize
3.3MB

Download