cobaltstrike | 1021699ee73d77efe342e940ad76b4b886482eedb7a88a301799d41a199a3699

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3fa681447b31acb2526fd782b98ce0f3
SHA1

543941d48fc32e8098349136e3b5c57e8262dfe0
SHA256

1021699ee73d77efe342e940ad76b4b886482eedb7a88a301799d41a199a3699
SHA512

e460d8226eebe4c7a8f06d3ab810fae1c29fc7bd9dd011afcd6ef6a53108d6fa3ff8d19aa8e460d6247f57a00fc69eba2fb3c3e53a220da43bfd7ce822a991a0
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lz:RWWBibf56utgpPFotBER/mQ32lUv

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023ca1-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-90.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca2-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-19.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1388-74-0x00007FF6A1C40000-0x00007FF6A1F91000-memory.dmp	xmrig
behavioral2/memory/1844-92-0x00007FF65C720000-0x00007FF65CA71000-memory.dmp	xmrig
behavioral2/memory/1380-89-0x00007FF647170000-0x00007FF6474C1000-memory.dmp	xmrig
behavioral2/memory/5064-88-0x00007FF686080000-0x00007FF6863D1000-memory.dmp	xmrig
behavioral2/memory/3364-87-0x00007FF6C2D80000-0x00007FF6C30D1000-memory.dmp	xmrig
behavioral2/memory/2760-73-0x00007FF71D2A0000-0x00007FF71D5F1000-memory.dmp	xmrig
behavioral2/memory/4996-124-0x00007FF61D280000-0x00007FF61D5D1000-memory.dmp	xmrig
behavioral2/memory/3880-130-0x00007FF7FD910000-0x00007FF7FDC61000-memory.dmp	xmrig
behavioral2/memory/1216-129-0x00007FF752910000-0x00007FF752C61000-memory.dmp	xmrig
behavioral2/memory/3876-136-0x00007FF7DFEE0000-0x00007FF7E0231000-memory.dmp	xmrig
behavioral2/memory/760-139-0x00007FF718030000-0x00007FF718381000-memory.dmp	xmrig
behavioral2/memory/3872-141-0x00007FF65A870000-0x00007FF65ABC1000-memory.dmp	xmrig
behavioral2/memory/1084-138-0x00007FF6DE420000-0x00007FF6DE771000-memory.dmp	xmrig
behavioral2/memory/3360-135-0x00007FF7A9C50000-0x00007FF7A9FA1000-memory.dmp	xmrig
behavioral2/memory/3692-131-0x00007FF723400000-0x00007FF723751000-memory.dmp	xmrig
behavioral2/memory/2152-128-0x00007FF61AF00000-0x00007FF61B251000-memory.dmp	xmrig
behavioral2/memory/2832-127-0x00007FF6F84E0000-0x00007FF6F8831000-memory.dmp	xmrig
behavioral2/memory/3476-125-0x00007FF638F60000-0x00007FF6392B1000-memory.dmp	xmrig
behavioral2/memory/4292-123-0x00007FF7DC1F0000-0x00007FF7DC541000-memory.dmp	xmrig
behavioral2/memory/3552-140-0x00007FF642970000-0x00007FF642CC1000-memory.dmp	xmrig
behavioral2/memory/4576-144-0x00007FF736E40000-0x00007FF737191000-memory.dmp	xmrig
behavioral2/memory/2276-142-0x00007FF668500000-0x00007FF668851000-memory.dmp	xmrig
behavioral2/memory/4292-150-0x00007FF7DC1F0000-0x00007FF7DC541000-memory.dmp	xmrig
behavioral2/memory/4292-151-0x00007FF7DC1F0000-0x00007FF7DC541000-memory.dmp	xmrig
behavioral2/memory/4996-205-0x00007FF61D280000-0x00007FF61D5D1000-memory.dmp	xmrig
behavioral2/memory/3476-207-0x00007FF638F60000-0x00007FF6392B1000-memory.dmp	xmrig
behavioral2/memory/3364-222-0x00007FF6C2D80000-0x00007FF6C30D1000-memory.dmp	xmrig
behavioral2/memory/2832-221-0x00007FF6F84E0000-0x00007FF6F8831000-memory.dmp	xmrig
behavioral2/memory/1388-224-0x00007FF6A1C40000-0x00007FF6A1F91000-memory.dmp	xmrig
behavioral2/memory/3552-226-0x00007FF642970000-0x00007FF642CC1000-memory.dmp	xmrig
behavioral2/memory/3692-233-0x00007FF723400000-0x00007FF723751000-memory.dmp	xmrig
behavioral2/memory/3880-240-0x00007FF7FD910000-0x00007FF7FDC61000-memory.dmp	xmrig
behavioral2/memory/2276-242-0x00007FF668500000-0x00007FF668851000-memory.dmp	xmrig
behavioral2/memory/2152-239-0x00007FF61AF00000-0x00007FF61B251000-memory.dmp	xmrig
behavioral2/memory/5064-237-0x00007FF686080000-0x00007FF6863D1000-memory.dmp	xmrig
behavioral2/memory/2760-235-0x00007FF71D2A0000-0x00007FF71D5F1000-memory.dmp	xmrig
behavioral2/memory/1216-231-0x00007FF752910000-0x00007FF752C61000-memory.dmp	xmrig
behavioral2/memory/1380-229-0x00007FF647170000-0x00007FF6474C1000-memory.dmp	xmrig
behavioral2/memory/3876-247-0x00007FF7DFEE0000-0x00007FF7E0231000-memory.dmp	xmrig
behavioral2/memory/3360-258-0x00007FF7A9C50000-0x00007FF7A9FA1000-memory.dmp	xmrig
behavioral2/memory/3872-257-0x00007FF65A870000-0x00007FF65ABC1000-memory.dmp	xmrig
behavioral2/memory/1084-254-0x00007FF6DE420000-0x00007FF6DE771000-memory.dmp	xmrig
behavioral2/memory/760-252-0x00007FF718030000-0x00007FF718381000-memory.dmp	xmrig
behavioral2/memory/1844-251-0x00007FF65C720000-0x00007FF65CA71000-memory.dmp	xmrig
behavioral2/memory/4576-248-0x00007FF736E40000-0x00007FF737191000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4996	ZzCfQiD.exe
3476	gcrRoXE.exe
2832	EqfTPyX.exe
2152	WfkBDfV.exe
3364	bcEBcms.exe
3880	MgfgLyg.exe
3692	dtwmziZ.exe
1216	hkFHmQR.exe
5064	DivCjfl.exe
2760	qyaverU.exe
1388	PAQaJZk.exe
1380	oUFXbVc.exe
3552	pGQPtFr.exe
2276	YESbWOm.exe
1844	kGOPhFI.exe
4576	YaFEeWB.exe
3872	UdNzuwB.exe
3360	EdEHGLq.exe
3876	HpXIOam.exe
1084	QkVaSXJ.exe
760	pIkaMsL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4292-0-0x00007FF7DC1F0000-0x00007FF7DC541000-memory.dmp	upx
behavioral2/files/0x0008000000023ca1-5.dat	upx
behavioral2/memory/3476-18-0x00007FF638F60000-0x00007FF6392B1000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-32.dat	upx
behavioral2/files/0x0007000000023ca9-65.dat	upx
behavioral2/memory/1388-74-0x00007FF6A1C40000-0x00007FF6A1F91000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-85.dat	upx
behavioral2/files/0x0007000000023cb2-90.dat	upx
behavioral2/files/0x0008000000023ca2-95.dat	upx
behavioral2/files/0x0007000000023cb6-117.dat	upx
behavioral2/files/0x0007000000023cb7-121.dat	upx
behavioral2/files/0x0007000000023cb5-112.dat	upx
behavioral2/files/0x0007000000023cb4-110.dat	upx
behavioral2/files/0x0007000000023cb3-108.dat	upx
behavioral2/memory/4576-101-0x00007FF736E40000-0x00007FF737191000-memory.dmp	upx
behavioral2/memory/1844-92-0x00007FF65C720000-0x00007FF65CA71000-memory.dmp	upx
behavioral2/memory/1380-89-0x00007FF647170000-0x00007FF6474C1000-memory.dmp	upx
behavioral2/memory/5064-88-0x00007FF686080000-0x00007FF6863D1000-memory.dmp	upx
behavioral2/memory/3364-87-0x00007FF6C2D80000-0x00007FF6C30D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb0-83.dat	upx
behavioral2/files/0x0007000000023caf-81.dat	upx
behavioral2/memory/2276-79-0x00007FF668500000-0x00007FF668851000-memory.dmp	upx
behavioral2/memory/3552-78-0x00007FF642970000-0x00007FF642CC1000-memory.dmp	upx
behavioral2/memory/2760-73-0x00007FF71D2A0000-0x00007FF71D5F1000-memory.dmp	upx
behavioral2/memory/1216-72-0x00007FF752910000-0x00007FF752C61000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-64.dat	upx
behavioral2/files/0x0007000000023cac-60.dat	upx
behavioral2/memory/3692-59-0x00007FF723400000-0x00007FF723751000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-52.dat	upx
behavioral2/memory/3880-49-0x00007FF7FD910000-0x00007FF7FDC61000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-48.dat	upx
behavioral2/files/0x0007000000023ca8-42.dat	upx
behavioral2/files/0x0007000000023ca6-40.dat	upx
behavioral2/memory/2832-37-0x00007FF6F84E0000-0x00007FF6F8831000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-35.dat	upx
behavioral2/memory/2152-27-0x00007FF61AF00000-0x00007FF61B251000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-19.dat	upx
behavioral2/memory/4996-6-0x00007FF61D280000-0x00007FF61D5D1000-memory.dmp	upx
behavioral2/memory/4996-124-0x00007FF61D280000-0x00007FF61D5D1000-memory.dmp	upx
behavioral2/memory/3880-130-0x00007FF7FD910000-0x00007FF7FDC61000-memory.dmp	upx
behavioral2/memory/1216-129-0x00007FF752910000-0x00007FF752C61000-memory.dmp	upx
behavioral2/memory/3876-136-0x00007FF7DFEE0000-0x00007FF7E0231000-memory.dmp	upx
behavioral2/memory/760-139-0x00007FF718030000-0x00007FF718381000-memory.dmp	upx
behavioral2/memory/3872-141-0x00007FF65A870000-0x00007FF65ABC1000-memory.dmp	upx
behavioral2/memory/1084-138-0x00007FF6DE420000-0x00007FF6DE771000-memory.dmp	upx
behavioral2/memory/3360-135-0x00007FF7A9C50000-0x00007FF7A9FA1000-memory.dmp	upx
behavioral2/memory/3692-131-0x00007FF723400000-0x00007FF723751000-memory.dmp	upx
behavioral2/memory/2152-128-0x00007FF61AF00000-0x00007FF61B251000-memory.dmp	upx
behavioral2/memory/2832-127-0x00007FF6F84E0000-0x00007FF6F8831000-memory.dmp	upx
behavioral2/memory/3476-125-0x00007FF638F60000-0x00007FF6392B1000-memory.dmp	upx
behavioral2/memory/4292-123-0x00007FF7DC1F0000-0x00007FF7DC541000-memory.dmp	upx
behavioral2/memory/3552-140-0x00007FF642970000-0x00007FF642CC1000-memory.dmp	upx
behavioral2/memory/4576-144-0x00007FF736E40000-0x00007FF737191000-memory.dmp	upx
behavioral2/memory/2276-142-0x00007FF668500000-0x00007FF668851000-memory.dmp	upx
behavioral2/memory/4292-150-0x00007FF7DC1F0000-0x00007FF7DC541000-memory.dmp	upx
behavioral2/memory/4292-151-0x00007FF7DC1F0000-0x00007FF7DC541000-memory.dmp	upx
behavioral2/memory/4996-205-0x00007FF61D280000-0x00007FF61D5D1000-memory.dmp	upx
behavioral2/memory/3476-207-0x00007FF638F60000-0x00007FF6392B1000-memory.dmp	upx
behavioral2/memory/3364-222-0x00007FF6C2D80000-0x00007FF6C30D1000-memory.dmp	upx
behavioral2/memory/2832-221-0x00007FF6F84E0000-0x00007FF6F8831000-memory.dmp	upx
behavioral2/memory/1388-224-0x00007FF6A1C40000-0x00007FF6A1F91000-memory.dmp	upx
behavioral2/memory/3552-226-0x00007FF642970000-0x00007FF642CC1000-memory.dmp	upx
behavioral2/memory/3692-233-0x00007FF723400000-0x00007FF723751000-memory.dmp	upx
behavioral2/memory/3880-240-0x00007FF7FD910000-0x00007FF7FDC61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\WfkBDfV.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DivCjfl.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PAQaJZk.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oUFXbVc.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pGQPtFr.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YESbWOm.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EdEHGLq.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZzCfQiD.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QkVaSXJ.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HpXIOam.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kGOPhFI.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YaFEeWB.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pIkaMsL.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EqfTPyX.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bcEBcms.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hkFHmQR.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MgfgLyg.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dtwmziZ.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qyaverU.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UdNzuwB.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gcrRoXE.exe	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 4996	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4292 wrote to memory of 4996	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4292 wrote to memory of 3476	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4292 wrote to memory of 3476	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4292 wrote to memory of 3364	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4292 wrote to memory of 3364	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4292 wrote to memory of 2832	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4292 wrote to memory of 2832	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4292 wrote to memory of 2152	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4292 wrote to memory of 2152	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4292 wrote to memory of 1216	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4292 wrote to memory of 1216	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4292 wrote to memory of 3880	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4292 wrote to memory of 3880	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4292 wrote to memory of 3692	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4292 wrote to memory of 3692	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4292 wrote to memory of 5064	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4292 wrote to memory of 5064	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4292 wrote to memory of 2760	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4292 wrote to memory of 2760	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4292 wrote to memory of 1388	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4292 wrote to memory of 1388	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4292 wrote to memory of 1380	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4292 wrote to memory of 1380	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4292 wrote to memory of 3552	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4292 wrote to memory of 3552	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4292 wrote to memory of 2276	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4292 wrote to memory of 2276	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4292 wrote to memory of 1844	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4292 wrote to memory of 1844	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4292 wrote to memory of 4576	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4292 wrote to memory of 4576	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4292 wrote to memory of 3872	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4292 wrote to memory of 3872	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4292 wrote to memory of 3360	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4292 wrote to memory of 3360	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4292 wrote to memory of 3876	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4292 wrote to memory of 3876	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4292 wrote to memory of 1084	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4292 wrote to memory of 1084	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4292 wrote to memory of 760	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4292 wrote to memory of 760	4292	2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_3fa681447b31acb2526fd782b98ce0f3_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\System\ZzCfQiD.exe
  C:\Windows\System\ZzCfQiD.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\gcrRoXE.exe
  C:\Windows\System\gcrRoXE.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System\bcEBcms.exe
  C:\Windows\System\bcEBcms.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System\EqfTPyX.exe
  C:\Windows\System\EqfTPyX.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\WfkBDfV.exe
  C:\Windows\System\WfkBDfV.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\hkFHmQR.exe
  C:\Windows\System\hkFHmQR.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\MgfgLyg.exe
  C:\Windows\System\MgfgLyg.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System\dtwmziZ.exe
  C:\Windows\System\dtwmziZ.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\DivCjfl.exe
  C:\Windows\System\DivCjfl.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\qyaverU.exe
  C:\Windows\System\qyaverU.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\PAQaJZk.exe
  C:\Windows\System\PAQaJZk.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\oUFXbVc.exe
  C:\Windows\System\oUFXbVc.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\pGQPtFr.exe
  C:\Windows\System\pGQPtFr.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System\YESbWOm.exe
  C:\Windows\System\YESbWOm.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\kGOPhFI.exe
  C:\Windows\System\kGOPhFI.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\YaFEeWB.exe
  C:\Windows\System\YaFEeWB.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\UdNzuwB.exe
  C:\Windows\System\UdNzuwB.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\EdEHGLq.exe
  C:\Windows\System\EdEHGLq.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System\HpXIOam.exe
  C:\Windows\System\HpXIOam.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System\QkVaSXJ.exe
  C:\Windows\System\QkVaSXJ.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System\pIkaMsL.exe
  C:\Windows\System\pIkaMsL.exe
  2⤵
  - Executes dropped EXE
  PID:760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DivCjfl.exe

Filesize
5.2MB

MD5
12c04a80e40d7e039c72fbe2bb4831d3

SHA1
922cdd2462c1b0457557a399e183cbe7efa65625

SHA256
5935af6b8e648b909562aaac663d2c03166f88451a318cd14fb2bcc4711137b3

SHA512
deaded31a6aa0fbfbbd9037d6ef314bf14be5a96ca6c4b3f2143b49bcccb4affa03931bdfa8ee226079824d55c43d6123806d2f14c471cc3cd884a1ce90044c3

Download Submit
C:\Windows\System\EdEHGLq.exe

Filesize
5.2MB

MD5
cf12c660770593b7ffe8a154a3ce13a0

SHA1
efff8bd8c342ba112a43ece2093cf2af8409334d

SHA256
bef689f9b49192b9968e53c0a95669abff632a866f179856e07373cdf9a631ad

SHA512
c9eabf95bf5301bdfc89e5af25852daa07000b8bcb252aa0ea643ea590bd1d9bee62dc3c813bf5b5fa9a44a0da71d238e0703a85ddf62653ddf64a4302a43824

Download Submit
C:\Windows\System\EqfTPyX.exe

Filesize
5.2MB

MD5
1e1bf498492b48a2e724678dccc88afe

SHA1
b5c0655c2f44d61ab2b8f113b72f638571a0a8ed

SHA256
f17e88d88934aaf0bb93a890e965dd96862b6a668ad59196fc14b776a2f0f375

SHA512
5a2c94ac1acec3095c733147badfa6ce30ff129858092102dba4c879ee53ddbfc3340047ca18e6dac58e4b6623db0fd606a78980771d72de3370f68aea7334a5

Download Submit
C:\Windows\System\HpXIOam.exe

Filesize
5.2MB

MD5
2dfec3886fdc349f1d83d08df4773efe

SHA1
c1d22fd245159c442e2a43fb18c30e717caf559f

SHA256
fe7db4696c123d837ecd6e359cb3c0ddd9ac53b07c8ab6388d51b0697d7cc5ee

SHA512
9eb507a53cf283b43d92a51a0b339a1f62f76aae99953aa21ed76580c530ebb185b5e73532b0b3c7a9afb9d8c76f43aa761f16f9f92cb146677f12e533263033

Download Submit
C:\Windows\System\MgfgLyg.exe

Filesize
5.2MB

MD5
f0a921d49a09cd7833c77822a7833381

SHA1
a6e8b60aa160200668389c246488caf723697a32

SHA256
17214dd1247f26c5c076597aaceb951b04bf0bd0bc2b747870ab90e3aadb639c

SHA512
b4a2eed1e56d4ace9b4c0b3192f09fb41094a203e823c64a66f469071bb6a5316595412066c447c0460ce573e009056345865d4b12fd82285d97493fb1dfec9e

Download Submit
C:\Windows\System\PAQaJZk.exe

Filesize
5.2MB

MD5
3b4760524a8ea03819cd208f36d39346

SHA1
7e0af8aaaa478cd6e24bd8eea897ec17780d7ba7

SHA256
36634ee362cb7250532d91ebe2fefdb15adf5777ae2d265a195809d7f1f208c5

SHA512
9deafe5e7222de37db4e18cccfa20fea4c58d0f318e900676017c1b609656d2a4d21cc4e4a5a84d9f3ed7e2d65d63540f367de5bc286c3a9b626386229bc31d0

Download Submit
C:\Windows\System\QkVaSXJ.exe

Filesize
5.2MB

MD5
8c8809cc1d6a2cc0b0f4d383fc5abae1

SHA1
a95ae622a3e5c44b01be8239d6812e018316ef32

SHA256
0ad6de948d3ef88d8876cdd500de43c942d4f9c56542a885fd89719f34ffce59

SHA512
7683e4b1a6aa7f04433db198f13a8ed056f903bb4b0b7de44ec110e27466dcc2c642a49b16c60c931a0dc459aa068cf250a104d3b4bff62f4b1c9f37d7a66bd0

Download Submit
C:\Windows\System\UdNzuwB.exe

Filesize
5.2MB

MD5
af70a695d3d20ea1091ec98e94fbef91

SHA1
487e6f18051a22e1b60139869b58e7b5fa5b99d0

SHA256
57060973a173ebeb52a7eb1be622ad7a7ad6695daa90979c2ad4cc50bdd9b627

SHA512
44361ba271a7895cadfb91d861a1a96bcab3871edb113bf69b0ab715c9a86d7f4b13f52ad29796350d1dca9a707f67e916a4593e45e5109e75bff489fb7382c6

Download Submit
C:\Windows\System\WfkBDfV.exe

Filesize
5.2MB

MD5
66e2db236e6ed5634cce613fbef53717

SHA1
26b1993c249d963bec8e524df95008145908391c

SHA256
121c44809e5e068129cd8a1c739e6fc9090289d05ff73c604402aa6cd137186e

SHA512
2ac13e51ecf539ffbb0d582cfbde9bf6fb769ce7227843a2753e977d97f86bba8ff8434a840a48ce92f7a85ebc296cfe502d8499e398eb18cfecae88d8fc82d2

Download Submit
C:\Windows\System\YESbWOm.exe

Filesize
5.2MB

MD5
0ac24e593a3158e4442500ae25d2a110

SHA1
060569c8d6e22a870dc09853c36378202f701e62

SHA256
fbd72f72127b8f747570cba4ab245da63f50bcbdc0f199b9d1f61d0f61982e8b

SHA512
e1ee05f77b2bb941330b612f200089616cd4c31b2a590ac528b2bd05e1e19e8cfa1f294167678e1b3b9c19ab6d78ea4179ade73e3b1e494b07196864928137e0

Download Submit
C:\Windows\System\YaFEeWB.exe

Filesize
5.2MB

MD5
cf8c7d2f0812f737b04bbdb8bf9342e3

SHA1
f6a36a341e0bb5db39a681e2c8000ed5d9626cfd

SHA256
f573336c4b11277ed2b9c8ac4972ab67864568398c35f908893cab3b6b9122ba

SHA512
f39345e209a1959567044a7215fe49280869b155553eb1208cfb195d94f16b7461c163fd3c39e3e559ba026bf8b1e361761d34c9fef505154429f620c08a8266

Download Submit
C:\Windows\System\ZzCfQiD.exe

Filesize
5.2MB

MD5
df24d5a0223bdcc851a958213241e20f

SHA1
78d4bd8b94506341c79692953265faaa2a9aa1c7

SHA256
394da285e5fd708158396194de1fe539326c34595a0ac080881397f8e8fab218

SHA512
d01e0049186828224c95cbac8aba706c89750fbb1928017ac3ea2bba616935fad2540d3019fe4a133ec7414131e802a44e45f01c41f1d2c729b8fd5051f1796c

Download Submit
C:\Windows\System\bcEBcms.exe

Filesize
5.2MB

MD5
93a70bc9c62050a5159031fdfb6be4a4

SHA1
82f5c656c0bdfaca95f787c12c1abbc114a0023d

SHA256
2b8adfc4e31a083518d52473c1265dba840db29bc5e396d41accfcc9e9596cb6

SHA512
4bcd73d47bea99d439199f8ed0b365b936c7458f6930fa206db12736e2b663c37a3b2892cbebcb24348a0af497495ab223cfb0a13f2854aefc1a31d7d374fd40

Download Submit
C:\Windows\System\dtwmziZ.exe

Filesize
5.2MB

MD5
1cb00acad2d0d7d0e2319af044ad5a79

SHA1
20e314155c282b953359d6889cccf4d466129a75

SHA256
2ee08e03c86f87d1398d7dfe95a23e9c63d9352d58342f5b1df9e6428a43da37

SHA512
80f6e0a60245c630f00f8d9af5ff5db408b737df8337f28cfe2e164a248fef75cec1adbf5691ddc17d8da712677b1e3c74dddd8c50e536c1a416b4ef21a8ccf3

Download Submit
C:\Windows\System\gcrRoXE.exe

Filesize
5.2MB

MD5
d5cfa0f9da5500e97dd8d55acd86a5a5

SHA1
1f46b4be5c1e7fcbb6feb26a3dc5824bde022298

SHA256
278d8e5640d01e69a4216841a3937a812c4ac123405f4e38155c797399fb7ff2

SHA512
1f3dfdce0ef5fc9eea897befbf6ecb3564182a725e60595724eb182ac56fbea4552a9c30612c5d65e66ad97bf619bf4463b44ffc0ab1a3839c9066a0fb8f9354

Download Submit
C:\Windows\System\hkFHmQR.exe

Filesize
5.2MB

MD5
4bc328b0a06b4fa64137019b3448f1c4

SHA1
cd67ed5e2bb3e68e7dc0f64268a5740bf3346d32

SHA256
8ef22d432c8e23f1a5f1bbc0dfc4d0040b34cc6e6900d67520ae3f3fe9914fb7

SHA512
552dd655e167ebcaf255075ce78f48b489bd187f250474b9e4bcf7066ec657fb0ea6c5424b7adff5b3a0c586a72c0906956b591c65727771b5d4dbebc07db93e

Download Submit
C:\Windows\System\kGOPhFI.exe

Filesize
5.2MB

MD5
b2bb407f18147c6b926f38c183a0c250

SHA1
a05f1288ae25f37e0bc0856f33531dcd0b647810

SHA256
13926b6bf20de37f7065ef7d84a58bb8b1eae5ae0c5fef47e17aa106a6148193

SHA512
c1606d2cbf0c97ffecf3206db23028dfdf40bc0741781174c8983b7ccca89580b09feeb5a9fe1d301ceefb69e9e0d148548f51de8e72fc0d7bbd00445854891e

Download Submit
C:\Windows\System\oUFXbVc.exe

Filesize
5.2MB

MD5
253799f9be597dcb11fabbc8e3ef2b9a

SHA1
9e5f16f439977594ef446dfd6d4fb452e276cb10

SHA256
4a7d52ac7cd0a133d576c3d96ec43aa62a9dbf35a861c9f74588504818eebefd

SHA512
64fa56a45614e2f36fb1b1027ab76d8657ecf8efe2b1d3b7706a0cf11e711ee30f74055d8f7677e683ebb9fa73cc6935f992e3949c5cd9c3b7f7fa736ec61bad

Download Submit
C:\Windows\System\pGQPtFr.exe

Filesize
5.2MB

MD5
e217a12896bc97b4856bed5c4ce5cf2b

SHA1
ccc939c41dae016041f99e9782c5ea7e67900625

SHA256
ee196775ca6b1cf7b5a4b1a2fb78a2ed1481307e6b9aac5e5d9f070c930b1bf0

SHA512
a96ef57f1e19ed8aa71a970c1706d6a433b04d05811abf763a0e07f97e51b2c2b758542acf562ffc444496dd4b764d2cb0d4337213d5705195966c175d3e71d7

Download Submit
C:\Windows\System\pIkaMsL.exe

Filesize
5.2MB

MD5
b8189eb308f9d64fb7ef01699ed9a3dc

SHA1
e2209532a2b1c201d66368ac893cbec28a17a643

SHA256
aa57b3e05c909b3be051accb47c2a3d20bf11aca743590ea2ca2fe527f5e7c7b

SHA512
0b424c709557bfd99435f8a78a2e94c090ebdb12c3338509bf4fff4ef25b6eef246279ea63eb808b255afb90a8682ea623f6b237bd37e33fa87bad8a612d6645

Download Submit
C:\Windows\System\qyaverU.exe

Filesize
5.2MB

MD5
f9eddf47720bf0e992d6b88f0bf056f2

SHA1
975d113717dba535736f9db516d7ae0502fe4d47

SHA256
01488b1d47b99f596aef4cc84a43cd2459b90588ef2f9c41e5672b258cd13714

SHA512
5b4340a72c8c9b9f919f0eea35db4504d05ce34c9c3a16b43e0037912e9592291da3ab8a67673bab4fe3e6f86f7be9e282d3bf84809d2af2887ee0cef321f4fd

Download Submit
memory/760-252-0x00007FF718030000-0x00007FF718381000-memory.dmp

Filesize
3.3MB

Download
memory/760-139-0x00007FF718030000-0x00007FF718381000-memory.dmp

Filesize
3.3MB

Download
memory/1084-254-0x00007FF6DE420000-0x00007FF6DE771000-memory.dmp

Filesize
3.3MB

Download
memory/1084-138-0x00007FF6DE420000-0x00007FF6DE771000-memory.dmp

Filesize
3.3MB

Download
memory/1216-129-0x00007FF752910000-0x00007FF752C61000-memory.dmp

Filesize
3.3MB

Download
memory/1216-72-0x00007FF752910000-0x00007FF752C61000-memory.dmp

Filesize
3.3MB

Download
memory/1216-231-0x00007FF752910000-0x00007FF752C61000-memory.dmp

Filesize
3.3MB

Download
memory/1380-89-0x00007FF647170000-0x00007FF6474C1000-memory.dmp

Filesize
3.3MB

Download
memory/1380-229-0x00007FF647170000-0x00007FF6474C1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-224-0x00007FF6A1C40000-0x00007FF6A1F91000-memory.dmp

Filesize
3.3MB

Download
memory/1388-74-0x00007FF6A1C40000-0x00007FF6A1F91000-memory.dmp

Filesize
3.3MB

Download
memory/1844-251-0x00007FF65C720000-0x00007FF65CA71000-memory.dmp

Filesize
3.3MB

Download
memory/1844-92-0x00007FF65C720000-0x00007FF65CA71000-memory.dmp

Filesize
3.3MB

Download
memory/2152-239-0x00007FF61AF00000-0x00007FF61B251000-memory.dmp

Filesize
3.3MB

Download
memory/2152-27-0x00007FF61AF00000-0x00007FF61B251000-memory.dmp

Filesize
3.3MB

Download
memory/2152-128-0x00007FF61AF00000-0x00007FF61B251000-memory.dmp

Filesize
3.3MB

Download
memory/2276-79-0x00007FF668500000-0x00007FF668851000-memory.dmp

Filesize
3.3MB

Download
memory/2276-242-0x00007FF668500000-0x00007FF668851000-memory.dmp

Filesize
3.3MB

Download
memory/2276-142-0x00007FF668500000-0x00007FF668851000-memory.dmp

Filesize
3.3MB

Download
memory/2760-235-0x00007FF71D2A0000-0x00007FF71D5F1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-73-0x00007FF71D2A0000-0x00007FF71D5F1000-memory.dmp

Filesize
3.3MB

Download
memory/2832-221-0x00007FF6F84E0000-0x00007FF6F8831000-memory.dmp

Filesize
3.3MB

Download
memory/2832-127-0x00007FF6F84E0000-0x00007FF6F8831000-memory.dmp

Filesize
3.3MB

Download
memory/2832-37-0x00007FF6F84E0000-0x00007FF6F8831000-memory.dmp

Filesize
3.3MB

Download
memory/3360-258-0x00007FF7A9C50000-0x00007FF7A9FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3360-135-0x00007FF7A9C50000-0x00007FF7A9FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3364-222-0x00007FF6C2D80000-0x00007FF6C30D1000-memory.dmp

Filesize
3.3MB

Download
memory/3364-87-0x00007FF6C2D80000-0x00007FF6C30D1000-memory.dmp

Filesize
3.3MB

Download
memory/3476-18-0x00007FF638F60000-0x00007FF6392B1000-memory.dmp

Filesize
3.3MB

Download
memory/3476-125-0x00007FF638F60000-0x00007FF6392B1000-memory.dmp

Filesize
3.3MB

Download
memory/3476-207-0x00007FF638F60000-0x00007FF6392B1000-memory.dmp

Filesize
3.3MB

Download
memory/3552-140-0x00007FF642970000-0x00007FF642CC1000-memory.dmp

Filesize
3.3MB

Download
memory/3552-226-0x00007FF642970000-0x00007FF642CC1000-memory.dmp

Filesize
3.3MB

Download
memory/3552-78-0x00007FF642970000-0x00007FF642CC1000-memory.dmp

Filesize
3.3MB

Download
memory/3692-131-0x00007FF723400000-0x00007FF723751000-memory.dmp

Filesize
3.3MB

Download
memory/3692-59-0x00007FF723400000-0x00007FF723751000-memory.dmp

Filesize
3.3MB

Download
memory/3692-233-0x00007FF723400000-0x00007FF723751000-memory.dmp

Filesize
3.3MB

Download
memory/3872-141-0x00007FF65A870000-0x00007FF65ABC1000-memory.dmp

Filesize
3.3MB

Download
memory/3872-257-0x00007FF65A870000-0x00007FF65ABC1000-memory.dmp

Filesize
3.3MB

Download
memory/3876-247-0x00007FF7DFEE0000-0x00007FF7E0231000-memory.dmp

Filesize
3.3MB

Download
memory/3876-136-0x00007FF7DFEE0000-0x00007FF7E0231000-memory.dmp

Filesize
3.3MB

Download
memory/3880-130-0x00007FF7FD910000-0x00007FF7FDC61000-memory.dmp

Filesize
3.3MB

Download
memory/3880-49-0x00007FF7FD910000-0x00007FF7FDC61000-memory.dmp

Filesize
3.3MB

Download
memory/3880-240-0x00007FF7FD910000-0x00007FF7FDC61000-memory.dmp

Filesize
3.3MB

Download
memory/4292-151-0x00007FF7DC1F0000-0x00007FF7DC541000-memory.dmp

Filesize
3.3MB

Download
memory/4292-0-0x00007FF7DC1F0000-0x00007FF7DC541000-memory.dmp

Filesize
3.3MB

Download
memory/4292-150-0x00007FF7DC1F0000-0x00007FF7DC541000-memory.dmp

Filesize
3.3MB

Download
memory/4292-123-0x00007FF7DC1F0000-0x00007FF7DC541000-memory.dmp

Filesize
3.3MB

Download
memory/4292-1-0x00000257461B0000-0x00000257461C0000-memory.dmp

Filesize
64KB

Download
memory/4576-144-0x00007FF736E40000-0x00007FF737191000-memory.dmp

Filesize
3.3MB

Download
memory/4576-101-0x00007FF736E40000-0x00007FF737191000-memory.dmp

Filesize
3.3MB

Download
memory/4576-248-0x00007FF736E40000-0x00007FF737191000-memory.dmp

Filesize
3.3MB

Download
memory/4996-205-0x00007FF61D280000-0x00007FF61D5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-124-0x00007FF61D280000-0x00007FF61D5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-6-0x00007FF61D280000-0x00007FF61D5D1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-237-0x00007FF686080000-0x00007FF6863D1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-88-0x00007FF686080000-0x00007FF6863D1000-memory.dmp

Filesize
3.3MB

Download