cobaltstrike | c69e4ee68ae6f3a2a1603a3260097b12f48600bbddc37cf27de7ae7156e3817c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2024, 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

c430ba7c5174404123fceb313e8683c7
SHA1

61d38632295a7442ddcbbbab9ac073026c7fdf03
SHA256

c69e4ee68ae6f3a2a1603a3260097b12f48600bbddc37cf27de7ae7156e3817c
SHA512

2b5e9b757c125d41e8285187ed86405252683a09918afe814a0d157cf276c229514992421908259d73c15b8d66e905eaed2bdfcc7615cab44eff85cb0ae4d369
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l/:RWWBibd56utgpPFotBER/mQ32lUb

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b27-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-18.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-60.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-64.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-67.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-42.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b7a-15.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-71.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-78.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-82.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-87.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-94.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-113.dat	cobalt_reflective_dll
behavioral2/files/0x000300000001e764-116.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-133.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-145.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-138.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3988-52-0x00007FF62D100000-0x00007FF62D451000-memory.dmp	xmrig
behavioral2/memory/4448-58-0x00007FF735910000-0x00007FF735C61000-memory.dmp	xmrig
behavioral2/memory/3312-43-0x00007FF6B29F0000-0x00007FF6B2D41000-memory.dmp	xmrig
behavioral2/memory/3224-95-0x00007FF7A7A40000-0x00007FF7A7D91000-memory.dmp	xmrig
behavioral2/memory/3220-92-0x00007FF739750000-0x00007FF739AA1000-memory.dmp	xmrig
behavioral2/memory/1260-89-0x00007FF701350000-0x00007FF7016A1000-memory.dmp	xmrig
behavioral2/memory/1552-100-0x00007FF643980000-0x00007FF643CD1000-memory.dmp	xmrig
behavioral2/memory/1932-105-0x00007FF62AB80000-0x00007FF62AED1000-memory.dmp	xmrig
behavioral2/memory/468-107-0x00007FF77DBB0000-0x00007FF77DF01000-memory.dmp	xmrig
behavioral2/memory/2160-112-0x00007FF763BF0000-0x00007FF763F41000-memory.dmp	xmrig
behavioral2/memory/812-104-0x00007FF685020000-0x00007FF685371000-memory.dmp	xmrig
behavioral2/memory/3944-103-0x00007FF74E500000-0x00007FF74E851000-memory.dmp	xmrig
behavioral2/memory/3580-99-0x00007FF627440000-0x00007FF627791000-memory.dmp	xmrig
behavioral2/memory/1228-144-0x00007FF679910000-0x00007FF679C61000-memory.dmp	xmrig
behavioral2/memory/4080-147-0x00007FF660940000-0x00007FF660C91000-memory.dmp	xmrig
behavioral2/memory/1496-139-0x00007FF719440000-0x00007FF719791000-memory.dmp	xmrig
behavioral2/memory/2912-140-0x00007FF7F5D10000-0x00007FF7F6061000-memory.dmp	xmrig
behavioral2/memory/2596-131-0x00007FF68C020000-0x00007FF68C371000-memory.dmp	xmrig
behavioral2/memory/2932-151-0x00007FF64AD10000-0x00007FF64B061000-memory.dmp	xmrig
behavioral2/memory/3256-156-0x00007FF723910000-0x00007FF723C61000-memory.dmp	xmrig
behavioral2/memory/3220-157-0x00007FF739750000-0x00007FF739AA1000-memory.dmp	xmrig
behavioral2/memory/2840-161-0x00007FF736790000-0x00007FF736AE1000-memory.dmp	xmrig
behavioral2/memory/1992-175-0x00007FF6AF9C0000-0x00007FF6AFD11000-memory.dmp	xmrig
behavioral2/memory/3220-182-0x00007FF739750000-0x00007FF739AA1000-memory.dmp	xmrig
behavioral2/memory/3580-221-0x00007FF627440000-0x00007FF627791000-memory.dmp	xmrig
behavioral2/memory/1552-223-0x00007FF643980000-0x00007FF643CD1000-memory.dmp	xmrig
behavioral2/memory/3312-226-0x00007FF6B29F0000-0x00007FF6B2D41000-memory.dmp	xmrig
behavioral2/memory/468-227-0x00007FF77DBB0000-0x00007FF77DF01000-memory.dmp	xmrig
behavioral2/memory/3944-231-0x00007FF74E500000-0x00007FF74E851000-memory.dmp	xmrig
behavioral2/memory/4448-235-0x00007FF735910000-0x00007FF735C61000-memory.dmp	xmrig
behavioral2/memory/3988-234-0x00007FF62D100000-0x00007FF62D451000-memory.dmp	xmrig
behavioral2/memory/812-232-0x00007FF685020000-0x00007FF685371000-memory.dmp	xmrig
behavioral2/memory/2912-239-0x00007FF7F5D10000-0x00007FF7F6061000-memory.dmp	xmrig
behavioral2/memory/2160-241-0x00007FF763BF0000-0x00007FF763F41000-memory.dmp	xmrig
behavioral2/memory/2596-238-0x00007FF68C020000-0x00007FF68C371000-memory.dmp	xmrig
behavioral2/memory/1496-246-0x00007FF719440000-0x00007FF719791000-memory.dmp	xmrig
behavioral2/memory/4080-248-0x00007FF660940000-0x00007FF660C91000-memory.dmp	xmrig
behavioral2/memory/1260-250-0x00007FF701350000-0x00007FF7016A1000-memory.dmp	xmrig
behavioral2/memory/1932-254-0x00007FF62AB80000-0x00007FF62AED1000-memory.dmp	xmrig
behavioral2/memory/3224-255-0x00007FF7A7A40000-0x00007FF7A7D91000-memory.dmp	xmrig
behavioral2/memory/2932-260-0x00007FF64AD10000-0x00007FF64B061000-memory.dmp	xmrig
behavioral2/memory/3256-262-0x00007FF723910000-0x00007FF723C61000-memory.dmp	xmrig
behavioral2/memory/1228-267-0x00007FF679910000-0x00007FF679C61000-memory.dmp	xmrig
behavioral2/memory/1992-271-0x00007FF6AF9C0000-0x00007FF6AFD11000-memory.dmp	xmrig
behavioral2/memory/2840-270-0x00007FF736790000-0x00007FF736AE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3580	gaMNNbT.exe
1552	dTPKUYd.exe
3312	MVMTqcB.exe
468	AudrYuC.exe
3944	tZTEQlx.exe
3988	SHtAlPo.exe
812	FJGfGgj.exe
4448	ePvOumP.exe
2160	nVEFcRU.exe
2596	HyNVZWw.exe
2912	yUhukfQ.exe
1496	irEzcpe.exe
4080	ZrrvJbN.exe
1260	PbwwgPj.exe
3224	XHtsdWC.exe
1932	GPDRLUa.exe
2932	QoXsJNx.exe
3256	iBZUuJe.exe
2840	tuCUJyq.exe
1228	nKzKSbh.exe
1992	jRrbnUs.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3220-0-0x00007FF739750000-0x00007FF739AA1000-memory.dmp	upx
behavioral2/files/0x000c000000023b27-5.dat	upx
behavioral2/files/0x000a000000023b7e-9.dat	upx
behavioral2/files/0x000a000000023b7f-18.dat	upx
behavioral2/memory/1552-26-0x00007FF643980000-0x00007FF643CD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-33.dat	upx
behavioral2/memory/3944-34-0x00007FF74E500000-0x00007FF74E851000-memory.dmp	upx
behavioral2/files/0x000a000000023b81-50.dat	upx
behavioral2/memory/3988-52-0x00007FF62D100000-0x00007FF62D451000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-60.dat	upx
behavioral2/files/0x000a000000023b85-64.dat	upx
behavioral2/files/0x000a000000023b86-67.dat	upx
behavioral2/memory/2912-66-0x00007FF7F5D10000-0x00007FF7F6061000-memory.dmp	upx
behavioral2/memory/2596-63-0x00007FF68C020000-0x00007FF68C371000-memory.dmp	upx
behavioral2/memory/2160-62-0x00007FF763BF0000-0x00007FF763F41000-memory.dmp	upx
behavioral2/memory/4448-58-0x00007FF735910000-0x00007FF735C61000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-47.dat	upx
behavioral2/memory/3312-43-0x00007FF6B29F0000-0x00007FF6B2D41000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-42.dat	upx
behavioral2/memory/812-39-0x00007FF685020000-0x00007FF685371000-memory.dmp	upx
behavioral2/memory/468-27-0x00007FF77DBB0000-0x00007FF77DF01000-memory.dmp	upx
behavioral2/files/0x000b000000023b7a-15.dat	upx
behavioral2/memory/3580-7-0x00007FF627440000-0x00007FF627791000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-71.dat	upx
behavioral2/memory/1496-72-0x00007FF719440000-0x00007FF719791000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-78.dat	upx
behavioral2/files/0x000a000000023b8a-82.dat	upx
behavioral2/memory/4080-85-0x00007FF660940000-0x00007FF660C91000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-87.dat	upx
behavioral2/files/0x000a000000023b8c-94.dat	upx
behavioral2/memory/3224-95-0x00007FF7A7A40000-0x00007FF7A7D91000-memory.dmp	upx
behavioral2/memory/3220-92-0x00007FF739750000-0x00007FF739AA1000-memory.dmp	upx
behavioral2/memory/1260-89-0x00007FF701350000-0x00007FF7016A1000-memory.dmp	upx
behavioral2/memory/1552-100-0x00007FF643980000-0x00007FF643CD1000-memory.dmp	upx
behavioral2/memory/1932-105-0x00007FF62AB80000-0x00007FF62AED1000-memory.dmp	upx
behavioral2/memory/468-107-0x00007FF77DBB0000-0x00007FF77DF01000-memory.dmp	upx
behavioral2/memory/2932-111-0x00007FF64AD10000-0x00007FF64B061000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-113.dat	upx
behavioral2/files/0x000300000001e764-116.dat	upx
behavioral2/memory/3256-115-0x00007FF723910000-0x00007FF723C61000-memory.dmp	upx
behavioral2/memory/2160-112-0x00007FF763BF0000-0x00007FF763F41000-memory.dmp	upx
behavioral2/memory/812-104-0x00007FF685020000-0x00007FF685371000-memory.dmp	upx
behavioral2/memory/3944-103-0x00007FF74E500000-0x00007FF74E851000-memory.dmp	upx
behavioral2/memory/3580-99-0x00007FF627440000-0x00007FF627791000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-133.dat	upx
behavioral2/files/0x000a000000023b90-145.dat	upx
behavioral2/memory/1228-144-0x00007FF679910000-0x00007FF679C61000-memory.dmp	upx
behavioral2/memory/1992-148-0x00007FF6AF9C0000-0x00007FF6AFD11000-memory.dmp	upx
behavioral2/memory/4080-147-0x00007FF660940000-0x00007FF660C91000-memory.dmp	upx
behavioral2/memory/2840-143-0x00007FF736790000-0x00007FF736AE1000-memory.dmp	upx
behavioral2/memory/1496-139-0x00007FF719440000-0x00007FF719791000-memory.dmp	upx
behavioral2/files/0x000a000000023b8f-138.dat	upx
behavioral2/memory/2912-140-0x00007FF7F5D10000-0x00007FF7F6061000-memory.dmp	upx
behavioral2/memory/2596-131-0x00007FF68C020000-0x00007FF68C371000-memory.dmp	upx
behavioral2/memory/2932-151-0x00007FF64AD10000-0x00007FF64B061000-memory.dmp	upx
behavioral2/memory/3256-156-0x00007FF723910000-0x00007FF723C61000-memory.dmp	upx
behavioral2/memory/3220-157-0x00007FF739750000-0x00007FF739AA1000-memory.dmp	upx
behavioral2/memory/2840-161-0x00007FF736790000-0x00007FF736AE1000-memory.dmp	upx
behavioral2/memory/1992-175-0x00007FF6AF9C0000-0x00007FF6AFD11000-memory.dmp	upx
behavioral2/memory/3220-182-0x00007FF739750000-0x00007FF739AA1000-memory.dmp	upx
behavioral2/memory/3580-221-0x00007FF627440000-0x00007FF627791000-memory.dmp	upx
behavioral2/memory/1552-223-0x00007FF643980000-0x00007FF643CD1000-memory.dmp	upx
behavioral2/memory/3312-226-0x00007FF6B29F0000-0x00007FF6B2D41000-memory.dmp	upx
behavioral2/memory/468-227-0x00007FF77DBB0000-0x00007FF77DF01000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZrrvJbN.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PbwwgPj.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GPDRLUa.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MVMTqcB.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FJGfGgj.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nVEFcRU.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\irEzcpe.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iBZUuJe.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tZTEQlx.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ePvOumP.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yUhukfQ.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XHtsdWC.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dTPKUYd.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SHtAlPo.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HyNVZWw.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tuCUJyq.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nKzKSbh.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jRrbnUs.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gaMNNbT.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AudrYuC.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QoXsJNx.exe	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 3580	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3220 wrote to memory of 3580	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3220 wrote to memory of 1552	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3220 wrote to memory of 1552	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3220 wrote to memory of 3312	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3220 wrote to memory of 3312	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3220 wrote to memory of 468	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3220 wrote to memory of 468	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3220 wrote to memory of 3944	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3220 wrote to memory of 3944	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3220 wrote to memory of 3988	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3220 wrote to memory of 3988	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3220 wrote to memory of 812	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3220 wrote to memory of 812	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3220 wrote to memory of 4448	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3220 wrote to memory of 4448	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3220 wrote to memory of 2160	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3220 wrote to memory of 2160	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3220 wrote to memory of 2596	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3220 wrote to memory of 2596	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3220 wrote to memory of 2912	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3220 wrote to memory of 2912	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3220 wrote to memory of 1496	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3220 wrote to memory of 1496	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3220 wrote to memory of 4080	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3220 wrote to memory of 4080	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3220 wrote to memory of 1260	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3220 wrote to memory of 1260	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3220 wrote to memory of 3224	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3220 wrote to memory of 3224	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3220 wrote to memory of 1932	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3220 wrote to memory of 1932	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3220 wrote to memory of 2932	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3220 wrote to memory of 2932	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3220 wrote to memory of 3256	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3220 wrote to memory of 3256	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3220 wrote to memory of 2840	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3220 wrote to memory of 2840	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3220 wrote to memory of 1228	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3220 wrote to memory of 1228	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3220 wrote to memory of 1992	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3220 wrote to memory of 1992	3220	2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_c430ba7c5174404123fceb313e8683c7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Windows\System\gaMNNbT.exe
  C:\Windows\System\gaMNNbT.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System\dTPKUYd.exe
  C:\Windows\System\dTPKUYd.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\MVMTqcB.exe
  C:\Windows\System\MVMTqcB.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System\AudrYuC.exe
  C:\Windows\System\AudrYuC.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\tZTEQlx.exe
  C:\Windows\System\tZTEQlx.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\SHtAlPo.exe
  C:\Windows\System\SHtAlPo.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\FJGfGgj.exe
  C:\Windows\System\FJGfGgj.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System\ePvOumP.exe
  C:\Windows\System\ePvOumP.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System\nVEFcRU.exe
  C:\Windows\System\nVEFcRU.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\HyNVZWw.exe
  C:\Windows\System\HyNVZWw.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\yUhukfQ.exe
  C:\Windows\System\yUhukfQ.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\irEzcpe.exe
  C:\Windows\System\irEzcpe.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\ZrrvJbN.exe
  C:\Windows\System\ZrrvJbN.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System\PbwwgPj.exe
  C:\Windows\System\PbwwgPj.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System\XHtsdWC.exe
  C:\Windows\System\XHtsdWC.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System\GPDRLUa.exe
  C:\Windows\System\GPDRLUa.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\QoXsJNx.exe
  C:\Windows\System\QoXsJNx.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\iBZUuJe.exe
  C:\Windows\System\iBZUuJe.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System\tuCUJyq.exe
  C:\Windows\System\tuCUJyq.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\nKzKSbh.exe
  C:\Windows\System\nKzKSbh.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\jRrbnUs.exe
  C:\Windows\System\jRrbnUs.exe
  2⤵
  - Executes dropped EXE
  PID:1992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AudrYuC.exe

Filesize
5.2MB

MD5
0f2db6500cc1fa5838843594d6323e05

SHA1
6a083439cf1a3a08d03e39fcbf63125415a7bf66

SHA256
f8ed1ea8635168b350c60f25521fd398874dce1d0301cbd493c141e52592dc3d

SHA512
9cc8e79efcbc5ca9fdb3dce11ca3593cc1291695deb43e89d439e653258b86149c4ee182d640b91ddd6a98981cd742a8f374344331c0d4025cc6b55d84ee82fa

Download Submit
C:\Windows\System\FJGfGgj.exe

Filesize
5.2MB

MD5
7671b53e3c63e8b5c7129718cb8b3ebb

SHA1
e89ff7e5414426d61da7bf00f1cf029ee6bf3f76

SHA256
5014f654e1c8c3db60ec19803908bfa1456c2696e254e61ed38fb01812a91218

SHA512
22b2fc40351eb101205c53dab84636c1a868cafb115679f21e4fa451246179a9e5c6212eafdd26ecdedc2a538e1dc884e8df2888d7ba37bc7723ee695209437a

Download Submit
C:\Windows\System\GPDRLUa.exe

Filesize
5.2MB

MD5
dc875cf9c4ec02129b20364df45632f7

SHA1
98251d05dac839449aeac99d6e5e2bcac3e54798

SHA256
10630dd6245e3048d476fc57079ea38e424fb46686bcbc1935913c27e550a311

SHA512
edeb4f66b25b6f4723faf56de97e3dc252e5f90b4c8110c3786771c1459df8c48093fffca11cdf3363b0830bac132ef28618dabf65abc2830d6263ee8d01ec9f

Download Submit
C:\Windows\System\HyNVZWw.exe

Filesize
5.2MB

MD5
8f56291f48a2d846feb51c24153ee2ac

SHA1
66b4d09d3221267662463337b5d30b1f5ea85b7e

SHA256
cbc6dd3f7c429de218ef79924ad206aaf191168c9245c4b0aa59498aab850661

SHA512
752cf3b8b9d7bbd943279c500b253fb17cc218549461f764a8ac5ba19168104b35627fea6ffadcf4c0a16029093eea16dc4b9e5b2a6b25c50abcf5c26c48a482

Download Submit
C:\Windows\System\MVMTqcB.exe

Filesize
5.2MB

MD5
6110451ea45fc4e6baf5f78ec9841ba2

SHA1
42915e4b830837d7a3bc04885594cd1797e8a00d

SHA256
12b602e7fbcff8d2d2fadaac08ced98b51112e68ec9f4c997d0a03e7fa8135c7

SHA512
0755249d0e658454799e204b3b1397ccbd85ab7bfb34df6575f5685ac0ef73d7eac4e92887608839ac7c9b4715c25aa8a485df527adb5b013d96220ef9b36785

Download Submit
C:\Windows\System\PbwwgPj.exe

Filesize
5.2MB

MD5
0d510a41e28f84ac75170156db0ea0a2

SHA1
f5359dfa96cbd239cc50e39d04f0a1660358a6a3

SHA256
6b7fb35ddf2322b6441886368ec75a5e3a50e9dbdd1b728b5414b7a92f3e4190

SHA512
7ad7aa36d0786ab8375cf9461141de39ef49138aed2c8a5da9db25b5607ae67cc16bbfdc6ed2cc2b55810eb3457bd6422e39543ca88722a57bef4c8c4f133b20

Download Submit
C:\Windows\System\QoXsJNx.exe

Filesize
5.2MB

MD5
bc4762a72129405138f0ad8fa60d44b5

SHA1
9d3b25026ec1815475861b52ec8757955e825114

SHA256
5b19bf59a91c87e34bce826b9b468388544ce7247507a476bf37c9769ce64478

SHA512
cae37922323c7407544d89b3f73070fbe7dbef2576285b296921424c9fc8101445f5a75322ae36440404db29debb95cc671b9ce65025f4f0f1c60457a4cd411d

Download Submit
C:\Windows\System\SHtAlPo.exe

Filesize
5.2MB

MD5
474fff295d77e866f8d98cfe77e915e7

SHA1
6b27324502b15f821b7b5c34c32e5a1ad0347bf7

SHA256
00a9c30121f9279ee9a49515cab7905a9bcfdea27708f97658babab694dc8e25

SHA512
4995b187503c340250eaec0eb3ce92da181b9037987aa529d2daec1180b4b75ab90e604eecbbbf2f96b043a5bdf0887ae2ce9d52f9fd2172ac2d24363782372b

Download Submit
C:\Windows\System\XHtsdWC.exe

Filesize
5.2MB

MD5
2aa6927f45ab5a3c77929eaf3d8d401c

SHA1
0b77d3ce28ca4bf7423cf7500da259fe4df80d18

SHA256
8f11eccadc5c9049e7c66899f44f7a6357a911d34343f0cac63b5f4a0e24d88c

SHA512
353ebd1087a882f5dd95bbecf031bafa79f657c9300477fb8af6f45372bfd4a5e6d4efdddd5d350832fc3dab7853cb26b5e8b7f6b5644f745e5822e5ab69cfbc

Download Submit
C:\Windows\System\ZrrvJbN.exe

Filesize
5.2MB

MD5
f2626097a01269f090a9034950a014f0

SHA1
4f24d0c34e3ad8db45924b1c14025064b3cf75c8

SHA256
19de5785027d3756e98aaff016b3f5ca874601593026e0dcc54cfe5cb338f33f

SHA512
02fb13ba295e2742f8df939c20e040935a3706286ecfe495a68c536632e575d1816d5e3549920e238fa118e789afb7c5c07fe2588c449acf288071cbfdb52b1e

Download Submit
C:\Windows\System\dTPKUYd.exe

Filesize
5.2MB

MD5
66872c658fe83053519c7e52db7fabd8

SHA1
40cd39e8bc5d62d8f1680f4062335075e2e146cb

SHA256
3d1d3d433c32ffba5dcecf4be7adb88cd2785527c72a4487a7a6c9c7c32f8736

SHA512
877cc6da2ac5d61e07ab82189b8952118ae02f4eb56be4ee2d92315721d1c5cdc156d6aa304bfe47d1b0b5f451ff0e214c846fa196d0db5194a465ce552cfbf1

Download Submit
C:\Windows\System\ePvOumP.exe

Filesize
5.2MB

MD5
3c33eae4725953bea267abbeaef5af04

SHA1
efacbfc67910972d2c4c61cab199e508e256fbab

SHA256
c0019a18a47295fef3348f054e11155228879ee429127f24317a376aac2a8b9d

SHA512
3fcb60340944c32587813e3b56319907f851b5565661dcf11d82c33400d2a69ea51f079f07a7199d8b7e7c0635aeecc82b5a5b86045962639a601bbae2f4b3f3

Download Submit
C:\Windows\System\gaMNNbT.exe

Filesize
5.2MB

MD5
e1f2877cfbcbf86f25536a6a252fa02f

SHA1
097a7d988c33719e43746b837df599800383a454

SHA256
e12757c13a4795cde7603fc23cba52d69609685d9a090d75608aaf019914133f

SHA512
087f48adad5b9f283ec8fa59f79f80fa50a6bf781de60765eafd02513e2fdf523e7c9317ae6df4240f63908df28c1586d09f32a23b6315b0e343dde982ed7433

Download Submit
C:\Windows\System\iBZUuJe.exe

Filesize
5.2MB

MD5
5f45defaf2b374f2f21f28e36a3c35ef

SHA1
0cbde1f204288497dd985731fe4652baa414b00a

SHA256
0014a13caba54fcecf776811680231f0e290dbb3cea20ae22336e77d6515c67f

SHA512
93ded887c924621e7811f00ee1dd7e8b3fcc9378402d81482404c76745d32537b1d794d95ae0a8a24337fa48d4e84b0dc87586cecdc210421bc91664817859be

Download Submit
C:\Windows\System\irEzcpe.exe

Filesize
5.2MB

MD5
4be44be2775f21658f5cf4772c810778

SHA1
30ba1aa2bb5bef626581783ce038bd401015d0ee

SHA256
465b8a1bdf27ac99abc168b7ba64b172e79ed326966b4aadd91ec645613434ec

SHA512
9bcc061b89a966d1482ec0113d90ba51c8420229ce27d09a70b2f342428852ff35e6d8d4b05ffdfab08e66800280954f269aae6bdf05f7f2a8368371b7f4153e

Download Submit
C:\Windows\System\jRrbnUs.exe

Filesize
5.2MB

MD5
4343fb6c8529662aac59cc91a161f02f

SHA1
2dd651044d670e299b8946ca75698c5c336e0299

SHA256
76be34563503dd4c1f58ae850791e18b5079422180eeffdf1fe6ce451efa8103

SHA512
6100e56ba897a8a2af926a271a49db98d4b4e77735aa2240d888be29f581deba6bae0c885ae6ae50459bb08d1ce94b465b640f9124246efbf44850a84dc261f2

Download Submit
C:\Windows\System\nKzKSbh.exe

Filesize
5.2MB

MD5
798f0e9d723ce6ff3ff9b036bbee7a4c

SHA1
0b92b4470270d747fa2afa15c4ea73d174223604

SHA256
bb0b43dc73da2f26041043e01fe90dccaf961e4f48cd4f107e362f15d359d19f

SHA512
c38966df9956b51d011d24e2ce8e8bd3889f2f3708d8da8c794ca28a94b605c943ad053e809d11cf4bf4aef19cb4a38d987caf0a5f41a4fee504c6bae4e4ebf0

Download Submit
C:\Windows\System\nVEFcRU.exe

Filesize
5.2MB

MD5
3218a9baadf939db525720dc15e42f5e

SHA1
6dae6be9130b18d1aaa4cd7e7cdaca0a3489d94e

SHA256
0ee7049621dc377cd7024e92525bc38b06e951e524395009f0d7f501cb924a27

SHA512
bb1a6729736188b722251f45a49d74fdb498013844ac647ca1e23dfec0a2cbef16388f35e30cc34bf84f0f560c80d7af478e09afbeee52f9e66116b5a5c5e4c2

Download Submit
C:\Windows\System\tZTEQlx.exe

Filesize
5.2MB

MD5
32e2cd6449c28966857bc60440ebadbc

SHA1
825a00b91868d0c025a4a5d0eaafd016d28a0341

SHA256
88746921abe836707dbeb796035236e357db221451e7403d30e61085ae0d9950

SHA512
7f787ffdcab825d9fcb4515bd55621897317cabf0c71b37dce70e2e08a9ec8f775f64e0f996b1e35f289292f2b1ed843da22003bb5b93ab57055fc7993ccbaa4

Download Submit
C:\Windows\System\tuCUJyq.exe

Filesize
5.2MB

MD5
33b276f97ea5e13e163d5d5a5557a1bc

SHA1
74fe029b8766546faf7d57f7292572775c72554a

SHA256
07c20d92f6c20d9db6df2946a021e7e76f3cb5ef9ccdd0f206eec7717d5f7242

SHA512
738aa3f33fb47c421aa911efdb33e3d9ee5b621f8f9c41da838ef1e97a38f1fe7f3c2566c9730cf5b6fd848459da7242909dc438982e21ad4f56a572bebb8466

Download Submit
C:\Windows\System\yUhukfQ.exe

Filesize
5.2MB

MD5
8dc610d26c92c3f065b1c53284fe521b

SHA1
8b9eb01bcb1bbf4c8f92605e081ce717ea9ade35

SHA256
c222cee477c77d3b27b6f6016484908ace8ec644ad106eee9c7d84623fd11269

SHA512
2bc6ff104cf1cf4445987695fd943b998106fcff37c2fc4b91f5d77cb7dd0ca5b3d06b17251465bb42e2733521261fc872e4e59e46a540556165be087270598f

Download Submit
memory/468-27-0x00007FF77DBB0000-0x00007FF77DF01000-memory.dmp

Filesize
3.3MB

Download
memory/468-227-0x00007FF77DBB0000-0x00007FF77DF01000-memory.dmp

Filesize
3.3MB

Download
memory/468-107-0x00007FF77DBB0000-0x00007FF77DF01000-memory.dmp

Filesize
3.3MB

Download
memory/812-232-0x00007FF685020000-0x00007FF685371000-memory.dmp

Filesize
3.3MB

Download
memory/812-104-0x00007FF685020000-0x00007FF685371000-memory.dmp

Filesize
3.3MB

Download
memory/812-39-0x00007FF685020000-0x00007FF685371000-memory.dmp

Filesize
3.3MB

Download
memory/1228-144-0x00007FF679910000-0x00007FF679C61000-memory.dmp

Filesize
3.3MB

Download
memory/1228-267-0x00007FF679910000-0x00007FF679C61000-memory.dmp

Filesize
3.3MB

Download
memory/1260-89-0x00007FF701350000-0x00007FF7016A1000-memory.dmp

Filesize
3.3MB

Download
memory/1260-250-0x00007FF701350000-0x00007FF7016A1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-72-0x00007FF719440000-0x00007FF719791000-memory.dmp

Filesize
3.3MB

Download
memory/1496-139-0x00007FF719440000-0x00007FF719791000-memory.dmp

Filesize
3.3MB

Download
memory/1496-246-0x00007FF719440000-0x00007FF719791000-memory.dmp

Filesize
3.3MB

Download
memory/1552-100-0x00007FF643980000-0x00007FF643CD1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-223-0x00007FF643980000-0x00007FF643CD1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-26-0x00007FF643980000-0x00007FF643CD1000-memory.dmp

Filesize
3.3MB

Download
memory/1932-105-0x00007FF62AB80000-0x00007FF62AED1000-memory.dmp

Filesize
3.3MB

Download
memory/1932-254-0x00007FF62AB80000-0x00007FF62AED1000-memory.dmp

Filesize
3.3MB

Download
memory/1992-148-0x00007FF6AF9C0000-0x00007FF6AFD11000-memory.dmp

Filesize
3.3MB

Download
memory/1992-175-0x00007FF6AF9C0000-0x00007FF6AFD11000-memory.dmp

Filesize
3.3MB

Download
memory/1992-271-0x00007FF6AF9C0000-0x00007FF6AFD11000-memory.dmp

Filesize
3.3MB

Download
memory/2160-112-0x00007FF763BF0000-0x00007FF763F41000-memory.dmp

Filesize
3.3MB

Download
memory/2160-62-0x00007FF763BF0000-0x00007FF763F41000-memory.dmp

Filesize
3.3MB

Download
memory/2160-241-0x00007FF763BF0000-0x00007FF763F41000-memory.dmp

Filesize
3.3MB

Download
memory/2596-63-0x00007FF68C020000-0x00007FF68C371000-memory.dmp

Filesize
3.3MB

Download
memory/2596-131-0x00007FF68C020000-0x00007FF68C371000-memory.dmp

Filesize
3.3MB

Download
memory/2596-238-0x00007FF68C020000-0x00007FF68C371000-memory.dmp

Filesize
3.3MB

Download
memory/2840-270-0x00007FF736790000-0x00007FF736AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2840-161-0x00007FF736790000-0x00007FF736AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2840-143-0x00007FF736790000-0x00007FF736AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2912-239-0x00007FF7F5D10000-0x00007FF7F6061000-memory.dmp

Filesize
3.3MB

Download
memory/2912-66-0x00007FF7F5D10000-0x00007FF7F6061000-memory.dmp

Filesize
3.3MB

Download
memory/2912-140-0x00007FF7F5D10000-0x00007FF7F6061000-memory.dmp

Filesize
3.3MB

Download
memory/2932-111-0x00007FF64AD10000-0x00007FF64B061000-memory.dmp

Filesize
3.3MB

Download
memory/2932-151-0x00007FF64AD10000-0x00007FF64B061000-memory.dmp

Filesize
3.3MB

Download
memory/2932-260-0x00007FF64AD10000-0x00007FF64B061000-memory.dmp

Filesize
3.3MB

Download
memory/3220-1-0x000001BBEA7D0000-0x000001BBEA7E0000-memory.dmp

Filesize
64KB

Download
memory/3220-157-0x00007FF739750000-0x00007FF739AA1000-memory.dmp

Filesize
3.3MB

Download
memory/3220-182-0x00007FF739750000-0x00007FF739AA1000-memory.dmp

Filesize
3.3MB

Download
memory/3220-92-0x00007FF739750000-0x00007FF739AA1000-memory.dmp

Filesize
3.3MB

Download
memory/3220-0-0x00007FF739750000-0x00007FF739AA1000-memory.dmp

Filesize
3.3MB

Download
memory/3224-255-0x00007FF7A7A40000-0x00007FF7A7D91000-memory.dmp

Filesize
3.3MB

Download
memory/3224-95-0x00007FF7A7A40000-0x00007FF7A7D91000-memory.dmp

Filesize
3.3MB

Download
memory/3256-156-0x00007FF723910000-0x00007FF723C61000-memory.dmp

Filesize
3.3MB

Download
memory/3256-262-0x00007FF723910000-0x00007FF723C61000-memory.dmp

Filesize
3.3MB

Download
memory/3256-115-0x00007FF723910000-0x00007FF723C61000-memory.dmp

Filesize
3.3MB

Download
memory/3312-43-0x00007FF6B29F0000-0x00007FF6B2D41000-memory.dmp

Filesize
3.3MB

Download
memory/3312-226-0x00007FF6B29F0000-0x00007FF6B2D41000-memory.dmp

Filesize
3.3MB

Download
memory/3580-221-0x00007FF627440000-0x00007FF627791000-memory.dmp

Filesize
3.3MB

Download
memory/3580-7-0x00007FF627440000-0x00007FF627791000-memory.dmp

Filesize
3.3MB

Download
memory/3580-99-0x00007FF627440000-0x00007FF627791000-memory.dmp

Filesize
3.3MB

Download
memory/3944-231-0x00007FF74E500000-0x00007FF74E851000-memory.dmp

Filesize
3.3MB

Download
memory/3944-103-0x00007FF74E500000-0x00007FF74E851000-memory.dmp

Filesize
3.3MB

Download
memory/3944-34-0x00007FF74E500000-0x00007FF74E851000-memory.dmp

Filesize
3.3MB

Download
memory/3988-234-0x00007FF62D100000-0x00007FF62D451000-memory.dmp

Filesize
3.3MB

Download
memory/3988-52-0x00007FF62D100000-0x00007FF62D451000-memory.dmp

Filesize
3.3MB

Download
memory/4080-248-0x00007FF660940000-0x00007FF660C91000-memory.dmp

Filesize
3.3MB

Download
memory/4080-85-0x00007FF660940000-0x00007FF660C91000-memory.dmp

Filesize
3.3MB

Download
memory/4080-147-0x00007FF660940000-0x00007FF660C91000-memory.dmp

Filesize
3.3MB

Download
memory/4448-235-0x00007FF735910000-0x00007FF735C61000-memory.dmp

Filesize
3.3MB

Download
memory/4448-58-0x00007FF735910000-0x00007FF735C61000-memory.dmp

Filesize
3.3MB

Download