cobaltstrike | e11c5182a5edb8ab859977c3e53b7e283ab147b333dde76303a07829dc5a0795

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f1da04412b209f601ffab62349cbc506
SHA1

1f220fee8ad03e515388ff072738d917ff5fc92a
SHA256

e11c5182a5edb8ab859977c3e53b7e283ab147b333dde76303a07829dc5a0795
SHA512

470da31e145b3354f20f1bf6613533242f317e0927276f56b4bc304ff2148766b93283f52a28deca73973c2c38b3ea1e249d80a2d92153c1ef841de280602e0b
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6li:RWWBibd56utgpPFotBER/mQ32lUu

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023baa-4.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc3-12.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc8-11.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc9-22.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bca-34.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bce-37.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd0-40.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023bab-53.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd5-63.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd4-67.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd6-73.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd3-48.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c06-80.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c07-90.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c08-94.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c09-101.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0a-105.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0f-121.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c10-124.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c11-131.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c23-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/5028-44-0x00007FF6415C0000-0x00007FF641911000-memory.dmp	xmrig
behavioral2/memory/3776-65-0x00007FF7605E0000-0x00007FF760931000-memory.dmp	xmrig
behavioral2/memory/4456-60-0x00007FF6C5AF0000-0x00007FF6C5E41000-memory.dmp	xmrig
behavioral2/memory/2888-74-0x00007FF7A8470000-0x00007FF7A87C1000-memory.dmp	xmrig
behavioral2/memory/5088-59-0x00007FF614760000-0x00007FF614AB1000-memory.dmp	xmrig
behavioral2/memory/3704-82-0x00007FF63CF10000-0x00007FF63D261000-memory.dmp	xmrig
behavioral2/memory/1700-95-0x00007FF60C010000-0x00007FF60C361000-memory.dmp	xmrig
behavioral2/memory/1836-81-0x00007FF6A6380000-0x00007FF6A66D1000-memory.dmp	xmrig
behavioral2/memory/1844-112-0x00007FF769320000-0x00007FF769671000-memory.dmp	xmrig
behavioral2/memory/3192-116-0x00007FF7681F0000-0x00007FF768541000-memory.dmp	xmrig
behavioral2/memory/2432-128-0x00007FF637370000-0x00007FF6376C1000-memory.dmp	xmrig
behavioral2/memory/5028-115-0x00007FF6415C0000-0x00007FF641911000-memory.dmp	xmrig
behavioral2/memory/2028-114-0x00007FF7C3150000-0x00007FF7C34A1000-memory.dmp	xmrig
behavioral2/memory/3016-111-0x00007FF6A4290000-0x00007FF6A45E1000-memory.dmp	xmrig
behavioral2/memory/4728-108-0x00007FF7E5380000-0x00007FF7E56D1000-memory.dmp	xmrig
behavioral2/memory/3560-139-0x00007FF7B7C90000-0x00007FF7B7FE1000-memory.dmp	xmrig
behavioral2/memory/2356-138-0x00007FF61B450000-0x00007FF61B7A1000-memory.dmp	xmrig
behavioral2/memory/4372-140-0x00007FF697250000-0x00007FF6975A1000-memory.dmp	xmrig
behavioral2/memory/4696-141-0x00007FF6F3FD0000-0x00007FF6F4321000-memory.dmp	xmrig
behavioral2/memory/4456-142-0x00007FF6C5AF0000-0x00007FF6C5E41000-memory.dmp	xmrig
behavioral2/memory/3676-155-0x00007FF7EC190000-0x00007FF7EC4E1000-memory.dmp	xmrig
behavioral2/memory/1388-162-0x00007FF662BA0000-0x00007FF662EF1000-memory.dmp	xmrig
behavioral2/memory/1140-166-0x00007FF64A970000-0x00007FF64ACC1000-memory.dmp	xmrig
behavioral2/memory/4092-165-0x00007FF60D6C0000-0x00007FF60DA11000-memory.dmp	xmrig
behavioral2/memory/4456-167-0x00007FF6C5AF0000-0x00007FF6C5E41000-memory.dmp	xmrig
behavioral2/memory/3776-220-0x00007FF7605E0000-0x00007FF760931000-memory.dmp	xmrig
behavioral2/memory/2888-222-0x00007FF7A8470000-0x00007FF7A87C1000-memory.dmp	xmrig
behavioral2/memory/1836-224-0x00007FF6A6380000-0x00007FF6A66D1000-memory.dmp	xmrig
behavioral2/memory/3704-226-0x00007FF63CF10000-0x00007FF63D261000-memory.dmp	xmrig
behavioral2/memory/1700-228-0x00007FF60C010000-0x00007FF60C361000-memory.dmp	xmrig
behavioral2/memory/3016-230-0x00007FF6A4290000-0x00007FF6A45E1000-memory.dmp	xmrig
behavioral2/memory/5028-237-0x00007FF6415C0000-0x00007FF641911000-memory.dmp	xmrig
behavioral2/memory/3192-239-0x00007FF7681F0000-0x00007FF768541000-memory.dmp	xmrig
behavioral2/memory/5088-241-0x00007FF614760000-0x00007FF614AB1000-memory.dmp	xmrig
behavioral2/memory/2432-243-0x00007FF637370000-0x00007FF6376C1000-memory.dmp	xmrig
behavioral2/memory/2356-245-0x00007FF61B450000-0x00007FF61B7A1000-memory.dmp	xmrig
behavioral2/memory/3560-247-0x00007FF7B7C90000-0x00007FF7B7FE1000-memory.dmp	xmrig
behavioral2/memory/4372-252-0x00007FF697250000-0x00007FF6975A1000-memory.dmp	xmrig
behavioral2/memory/4696-254-0x00007FF6F3FD0000-0x00007FF6F4321000-memory.dmp	xmrig
behavioral2/memory/4728-259-0x00007FF7E5380000-0x00007FF7E56D1000-memory.dmp	xmrig
behavioral2/memory/1844-261-0x00007FF769320000-0x00007FF769671000-memory.dmp	xmrig
behavioral2/memory/2028-263-0x00007FF7C3150000-0x00007FF7C34A1000-memory.dmp	xmrig
behavioral2/memory/3676-268-0x00007FF7EC190000-0x00007FF7EC4E1000-memory.dmp	xmrig
behavioral2/memory/1388-270-0x00007FF662BA0000-0x00007FF662EF1000-memory.dmp	xmrig
behavioral2/memory/1140-272-0x00007FF64A970000-0x00007FF64ACC1000-memory.dmp	xmrig
behavioral2/memory/4092-274-0x00007FF60D6C0000-0x00007FF60DA11000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3776	yaRwWUw.exe
2888	JNYBYWH.exe
1836	mKfDyaR.exe
3704	kiAzfOR.exe
1700	XLZJncd.exe
3016	GruLwZO.exe
5028	ixKoKJw.exe
3192	zHwZtHs.exe
5088	AqZTWOE.exe
2432	ZCAitNG.exe
2356	Tcqzssq.exe
3560	sojtpuf.exe
4372	gpnfXxp.exe
4696	CunTFiF.exe
4728	QCnSGmt.exe
1844	XjhJosY.exe
2028	wUVSKFC.exe
3676	yjpCURy.exe
1388	LpEggcJ.exe
1140	fynjOCN.exe
4092	UCeAMdW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4456-0-0x00007FF6C5AF0000-0x00007FF6C5E41000-memory.dmp	upx
behavioral2/files/0x000c000000023baa-4.dat	upx
behavioral2/memory/3776-8-0x00007FF7605E0000-0x00007FF760931000-memory.dmp	upx
behavioral2/files/0x0008000000023bc3-12.dat	upx
behavioral2/files/0x0009000000023bc8-11.dat	upx
behavioral2/files/0x0009000000023bc9-22.dat	upx
behavioral2/memory/3704-28-0x00007FF63CF10000-0x00007FF63D261000-memory.dmp	upx
behavioral2/memory/1700-32-0x00007FF60C010000-0x00007FF60C361000-memory.dmp	upx
behavioral2/files/0x0009000000023bca-34.dat	upx
behavioral2/files/0x000e000000023bce-37.dat	upx
behavioral2/memory/3016-36-0x00007FF6A4290000-0x00007FF6A45E1000-memory.dmp	upx
behavioral2/memory/1836-18-0x00007FF6A6380000-0x00007FF6A66D1000-memory.dmp	upx
behavioral2/memory/2888-14-0x00007FF7A8470000-0x00007FF7A87C1000-memory.dmp	upx
behavioral2/files/0x0008000000023bd0-40.dat	upx
behavioral2/memory/5028-44-0x00007FF6415C0000-0x00007FF641911000-memory.dmp	upx
behavioral2/memory/3192-54-0x00007FF7681F0000-0x00007FF768541000-memory.dmp	upx
behavioral2/files/0x000c000000023bab-53.dat	upx
behavioral2/files/0x0008000000023bd5-63.dat	upx
behavioral2/files/0x0008000000023bd4-67.dat	upx
behavioral2/memory/2356-66-0x00007FF61B450000-0x00007FF61B7A1000-memory.dmp	upx
behavioral2/memory/3776-65-0x00007FF7605E0000-0x00007FF760931000-memory.dmp	upx
behavioral2/memory/2432-64-0x00007FF637370000-0x00007FF6376C1000-memory.dmp	upx
behavioral2/memory/4456-60-0x00007FF6C5AF0000-0x00007FF6C5E41000-memory.dmp	upx
behavioral2/files/0x0008000000023bd6-73.dat	upx
behavioral2/memory/3560-75-0x00007FF7B7C90000-0x00007FF7B7FE1000-memory.dmp	upx
behavioral2/memory/2888-74-0x00007FF7A8470000-0x00007FF7A87C1000-memory.dmp	upx
behavioral2/memory/5088-59-0x00007FF614760000-0x00007FF614AB1000-memory.dmp	upx
behavioral2/files/0x0008000000023bd3-48.dat	upx
behavioral2/files/0x0008000000023c06-80.dat	upx
behavioral2/memory/3704-82-0x00007FF63CF10000-0x00007FF63D261000-memory.dmp	upx
behavioral2/memory/4696-89-0x00007FF6F3FD0000-0x00007FF6F4321000-memory.dmp	upx
behavioral2/files/0x0008000000023c07-90.dat	upx
behavioral2/files/0x0008000000023c08-94.dat	upx
behavioral2/memory/1700-95-0x00007FF60C010000-0x00007FF60C361000-memory.dmp	upx
behavioral2/memory/4372-83-0x00007FF697250000-0x00007FF6975A1000-memory.dmp	upx
behavioral2/memory/1836-81-0x00007FF6A6380000-0x00007FF6A66D1000-memory.dmp	upx
behavioral2/files/0x0008000000023c09-101.dat	upx
behavioral2/files/0x0008000000023c0a-105.dat	upx
behavioral2/memory/1844-112-0x00007FF769320000-0x00007FF769671000-memory.dmp	upx
behavioral2/memory/3192-116-0x00007FF7681F0000-0x00007FF768541000-memory.dmp	upx
behavioral2/files/0x0008000000023c0f-121.dat	upx
behavioral2/memory/1388-123-0x00007FF662BA0000-0x00007FF662EF1000-memory.dmp	upx
behavioral2/files/0x0008000000023c10-124.dat	upx
behavioral2/memory/3676-119-0x00007FF7EC190000-0x00007FF7EC4E1000-memory.dmp	upx
behavioral2/files/0x0008000000023c11-131.dat	upx
behavioral2/memory/1140-129-0x00007FF64A970000-0x00007FF64ACC1000-memory.dmp	upx
behavioral2/memory/2432-128-0x00007FF637370000-0x00007FF6376C1000-memory.dmp	upx
behavioral2/memory/5028-115-0x00007FF6415C0000-0x00007FF641911000-memory.dmp	upx
behavioral2/memory/2028-114-0x00007FF7C3150000-0x00007FF7C34A1000-memory.dmp	upx
behavioral2/files/0x0008000000023c23-134.dat	upx
behavioral2/memory/4092-135-0x00007FF60D6C0000-0x00007FF60DA11000-memory.dmp	upx
behavioral2/memory/3016-111-0x00007FF6A4290000-0x00007FF6A45E1000-memory.dmp	upx
behavioral2/memory/4728-108-0x00007FF7E5380000-0x00007FF7E56D1000-memory.dmp	upx
behavioral2/memory/3560-139-0x00007FF7B7C90000-0x00007FF7B7FE1000-memory.dmp	upx
behavioral2/memory/2356-138-0x00007FF61B450000-0x00007FF61B7A1000-memory.dmp	upx
behavioral2/memory/4372-140-0x00007FF697250000-0x00007FF6975A1000-memory.dmp	upx
behavioral2/memory/4696-141-0x00007FF6F3FD0000-0x00007FF6F4321000-memory.dmp	upx
behavioral2/memory/4456-142-0x00007FF6C5AF0000-0x00007FF6C5E41000-memory.dmp	upx
behavioral2/memory/3676-155-0x00007FF7EC190000-0x00007FF7EC4E1000-memory.dmp	upx
behavioral2/memory/1388-162-0x00007FF662BA0000-0x00007FF662EF1000-memory.dmp	upx
behavioral2/memory/1140-166-0x00007FF64A970000-0x00007FF64ACC1000-memory.dmp	upx
behavioral2/memory/4092-165-0x00007FF60D6C0000-0x00007FF60DA11000-memory.dmp	upx
behavioral2/memory/4456-167-0x00007FF6C5AF0000-0x00007FF6C5E41000-memory.dmp	upx
behavioral2/memory/3776-220-0x00007FF7605E0000-0x00007FF760931000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\wUVSKFC.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yjpCURy.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fynjOCN.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mKfDyaR.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ixKoKJw.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sojtpuf.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gpnfXxp.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CunTFiF.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yaRwWUw.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zHwZtHs.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QCnSGmt.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JNYBYWH.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kiAzfOR.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XLZJncd.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LpEggcJ.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UCeAMdW.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GruLwZO.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AqZTWOE.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZCAitNG.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Tcqzssq.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XjhJosY.exe	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 3776	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4456 wrote to memory of 3776	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4456 wrote to memory of 2888	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4456 wrote to memory of 2888	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4456 wrote to memory of 1836	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4456 wrote to memory of 1836	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4456 wrote to memory of 3704	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4456 wrote to memory of 3704	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4456 wrote to memory of 1700	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4456 wrote to memory of 1700	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4456 wrote to memory of 3016	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4456 wrote to memory of 3016	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4456 wrote to memory of 5028	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4456 wrote to memory of 5028	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4456 wrote to memory of 3192	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4456 wrote to memory of 3192	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4456 wrote to memory of 5088	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4456 wrote to memory of 5088	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4456 wrote to memory of 2432	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4456 wrote to memory of 2432	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4456 wrote to memory of 2356	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4456 wrote to memory of 2356	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4456 wrote to memory of 3560	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4456 wrote to memory of 3560	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4456 wrote to memory of 4372	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4456 wrote to memory of 4372	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4456 wrote to memory of 4696	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4456 wrote to memory of 4696	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4456 wrote to memory of 4728	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4456 wrote to memory of 4728	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4456 wrote to memory of 1844	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4456 wrote to memory of 1844	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4456 wrote to memory of 2028	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4456 wrote to memory of 2028	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4456 wrote to memory of 3676	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4456 wrote to memory of 3676	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4456 wrote to memory of 1388	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4456 wrote to memory of 1388	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4456 wrote to memory of 1140	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4456 wrote to memory of 1140	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4456 wrote to memory of 4092	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4456 wrote to memory of 4092	4456	2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-14_f1da04412b209f601ffab62349cbc506_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\System\yaRwWUw.exe
  C:\Windows\System\yaRwWUw.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System\JNYBYWH.exe
  C:\Windows\System\JNYBYWH.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\mKfDyaR.exe
  C:\Windows\System\mKfDyaR.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System\kiAzfOR.exe
  C:\Windows\System\kiAzfOR.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System\XLZJncd.exe
  C:\Windows\System\XLZJncd.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\GruLwZO.exe
  C:\Windows\System\GruLwZO.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\ixKoKJw.exe
  C:\Windows\System\ixKoKJw.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\zHwZtHs.exe
  C:\Windows\System\zHwZtHs.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\AqZTWOE.exe
  C:\Windows\System\AqZTWOE.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\ZCAitNG.exe
  C:\Windows\System\ZCAitNG.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\Tcqzssq.exe
  C:\Windows\System\Tcqzssq.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\sojtpuf.exe
  C:\Windows\System\sojtpuf.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System\gpnfXxp.exe
  C:\Windows\System\gpnfXxp.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\CunTFiF.exe
  C:\Windows\System\CunTFiF.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\QCnSGmt.exe
  C:\Windows\System\QCnSGmt.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\XjhJosY.exe
  C:\Windows\System\XjhJosY.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\wUVSKFC.exe
  C:\Windows\System\wUVSKFC.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\yjpCURy.exe
  C:\Windows\System\yjpCURy.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\LpEggcJ.exe
  C:\Windows\System\LpEggcJ.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\fynjOCN.exe
  C:\Windows\System\fynjOCN.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\UCeAMdW.exe
  C:\Windows\System\UCeAMdW.exe
  2⤵
  - Executes dropped EXE
  PID:4092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AqZTWOE.exe

Filesize
5.2MB

MD5
1031da7bd4a2cba48472bcc92f38b354

SHA1
0818cb1852b6fe161d1ef6e5c1710346c7cae76d

SHA256
cc095fc4b323232595fea72c68b47c8fabce73a9506b1f73f43a3940e361903e

SHA512
dc306b86272d3f29a5b2b2351d902ae9e457b2496cd8e787d4bce43f87b92d03438b2620897a37fe5f0edde3b5230bb06450ffce9e25306d8735f93d2fe77e6c

Download Submit
C:\Windows\System\CunTFiF.exe

Filesize
5.2MB

MD5
96437b6486f67d2dd178eb2a072f44cd

SHA1
15f819723faae217cca055325b602c9c92f6ac23

SHA256
0b66f5506f143437df64cc0274bef8c4129b485d1f9739d352d2f79456e290b9

SHA512
315445cfb9f6507a42f95bc0476325af11d5c22f79946cd72a37e9d1725a745699ac035283fab8b9f6f8440cccd477178505ee019a9491a027a29179f2cce815

Download Submit
C:\Windows\System\GruLwZO.exe

Filesize
5.2MB

MD5
56d394520f88d9bb64ca456ee8999452

SHA1
3a0204e9252c3e71cb3e1757a537bef6572b2488

SHA256
bb14156d5b472228cb1cb5e2387fe0a87b46ed84a1bff127168bf57e6487636c

SHA512
c02087374f6b93d04eda59822b82017aa0d83888038ca03b1c4488392a1534ae798b741ded453e2c052d63336fcbfc9f0c4d0b2abe367b27acffd9fc0a3f9988

Download Submit
C:\Windows\System\JNYBYWH.exe

Filesize
5.2MB

MD5
daf6f3d8461c14cab65acdec815ad27e

SHA1
71aef0044e11aa04a4ed2a2f070c731265713fa2

SHA256
88096c15e6ea3f73894526fd6f9b44891499923e41e34dae245f52fbf8ba8af3

SHA512
df9a26ceb9a48d0882cf2e46c99aa665b95d9afe10ddb7b187c317e1aafaa0b597471b52e1c5fa416547ec37eb87aa4b979aa8c30dc9c0cfe19238f6b6b0474e

Download Submit
C:\Windows\System\LpEggcJ.exe

Filesize
5.2MB

MD5
737bbacd4b93c98c8613ea9ba32b17f1

SHA1
c1f439bc1942f084096a14adb74a2f27dff5c384

SHA256
27067586eda6ca2bcf3eb7370f41feda9a2530c650470cc55367410c03ea1ec4

SHA512
5c9d7c2447ec1e95be9c44508488f1ed1fb82905adbda255320da251605fa34e5c122c0580c2773ae44fbd972430ffba1ee04dee9d7f8430a6dc8780843adc48

Download Submit
C:\Windows\System\QCnSGmt.exe

Filesize
5.2MB

MD5
5a18cca90163a69582d70926b99a57a3

SHA1
06052bd8676c9d1896d4c26081045d12e45a88d5

SHA256
123fc850964a68e56eb94165db363b0a2530d36362682d4a4364e715923032e2

SHA512
f58796763adde642b48d7a2f2fadf79531fa2e123c2d46cb9aef09bee809d57ee02dbbd4da9ba53bcf152cc61dc374ef541e8b85d56be0a7bc6fb5d870ebcb81

Download Submit
C:\Windows\System\Tcqzssq.exe

Filesize
5.2MB

MD5
973d891bf095d7e87877466f43b5aa0f

SHA1
da130cd106cab7ed7a2c8850972f4b5e2844c5e3

SHA256
5ea0e802634a2e2060a5fa20bf6effe9b112b7d0aa6417b31e472a330bcbd55d

SHA512
34c1ee2a7180b3a856ea7e81880a783e9a2fab1ba67ce8ba71efbdcc9f4289f2ee3e63ac79e8e8ed05ca9f95d5659fb80f448480a1b7816b3ac632af251e90b3

Download Submit
C:\Windows\System\UCeAMdW.exe

Filesize
5.2MB

MD5
a34e841bf8b34e9e29f9d4371b559b34

SHA1
93edd100da2370edb69221b43b25b90ce5bed26d

SHA256
1422a8aa352e62935b69c40ca9d824b4db21f7c0b2182b5cd548913003e82a7c

SHA512
d139c6563dbbec7d8ad9bfb3e73b115c70791f7581f0bafaf5322c2041537e0c490745844e4151b203fae390923ecab41e0368a9d1f91482d2f1f27587ab515d

Download Submit
C:\Windows\System\XLZJncd.exe

Filesize
5.2MB

MD5
ba373b2f14909b1e652855abec06c328

SHA1
c3d57bb4802f74924394d05f56651fd00b280bbb

SHA256
c602f0e712f5ce2b14c9ffcae99acda66e44259ed7c9fcd4274b9f4a092b6615

SHA512
6e53394a636687fe0340cf9eb862306cf046bdca18efd734248b98520fccc71c58bdb8851791c9cb95b07b25e3e3598738d89e5a5620c63881b6a08f4e7ccd34

Download Submit
C:\Windows\System\XjhJosY.exe

Filesize
5.2MB

MD5
71e36a5272b6939f8540f51155b09a38

SHA1
f282c5310ad668171afb0044a0bddbfa381564c3

SHA256
d4ec0c1edcac603320369b6b34499a429032845d22d79eb68fac471df29a791a

SHA512
7a14fc05267e55128711b4c4a7abc2d30fd00fb9519988ea4396f88daed1ccb7e5ec6ef60a3bcf7a01cbffc098934e53d4a18d636cd09165d1660e3a4875f998

Download Submit
C:\Windows\System\ZCAitNG.exe

Filesize
5.2MB

MD5
eb2c577649793f3f51ce73bd3535e419

SHA1
0fb850da3e97cf5a61c793cccca9848f7eab410f

SHA256
58963df40ab13c89bba6c61d510802a9e1213d4ecd381bc278468db5225c3253

SHA512
71f8a0d84ded0c7b31376b97d753ba2b1e224e7230de4bcb3cb7a8a9d12de5b530064a26617ec16a3391c63f67df3ef9a60077a3cf7b943f2c274f8334b36116

Download Submit
C:\Windows\System\fynjOCN.exe

Filesize
5.2MB

MD5
78f1689ee5d4aff51346f1bad63c6e5d

SHA1
c3d6ddd19fcd536727fa0d6d93db97833cbc3164

SHA256
7b46305b40ffd29168c648a1bdae04ea4c9ffa8996529bf274dfd606e1373779

SHA512
0677da79a4d619ab9d8c0f4d071b834b52d4428314fdbdba98eda13fe3eedfe4f871ede36123901dfa3f37a74d371916fbe5557e138ea2c2d4785edfe49b6248

Download Submit
C:\Windows\System\gpnfXxp.exe

Filesize
5.2MB

MD5
25a7fdbfb77f70e555c5010b2d4540d4

SHA1
f7136d1e014e283df41e2638d82809d37d05e16b

SHA256
23abe497ef927e3a83be19f19205df9eefb5678551943e9d263a0eade8a0c499

SHA512
45006b40507e463a3c23ed201e20921ea45d828746da0837ce23aec7e251ce7a30941af90c85d85bec4af5e583454050c50d0751e6601a000b50b6d3eca62af2

Download Submit
C:\Windows\System\ixKoKJw.exe

Filesize
5.2MB

MD5
04aee94796006b51f204f4f140eebaaf

SHA1
055cbb6487b1c4d48d8a3b0ba0c8a2d56fcb000f

SHA256
aa6751fd39ada16d7cf0d46fb52d3421a595a6b1aa18304517488d6f5fdbda37

SHA512
9c32112fb5989ab3564e42dff091d12006106128fb945ed85b04e04f0cbd23a1ed3baa66c97c38bb1442557c37ebbe02420aa507cc0929e08017f2dd21c8ff4e

Download Submit
C:\Windows\System\kiAzfOR.exe

Filesize
5.2MB

MD5
178f2ebec7ef435bdc75c105b2b58445

SHA1
79656b49f352c665f748a4204a1e11471bc275bf

SHA256
8987f6f9d3fc3255b38bb0456b0dd1e6238727939c8fa080ed9263756dd50143

SHA512
dab54dbfb259b2bb990c048a117ba08c2e1cc7322d9b7e5dd5556073f98695ba68db09bd515d25f7b613c3485900476ac167eed2d7b30db3aa4dabaefedd9075

Download Submit
C:\Windows\System\mKfDyaR.exe

Filesize
5.2MB

MD5
1f24966eb29331c183406f5373850cd4

SHA1
7126e334c0bc8302dc43684d9a62c2bb19c4bade

SHA256
37a3c8b25101ffc76b40afad6acc0c739db2ba476232ddd3cd2f527f80ebc867

SHA512
c85e431ff539989e5cc164793a5960eeacb20b68f6fde23512407168d61d11dd1304458837430beeb1c51d7d108214bbd0348113896c8bbb58d528aa53829388

Download Submit
C:\Windows\System\sojtpuf.exe

Filesize
5.2MB

MD5
644131d1d231b828f531fea00cbfd995

SHA1
b1fabc160eaa1f6fc646fea3e50020f8faddb69f

SHA256
451cc62765487463badd4f3a64b29cc0a76435e51c68475979a10e526203d008

SHA512
054896dc3776799532058c38abc2c720e13359f59fd7e3916323449d0eb978141dc2fd868047cd4efb1712fecbca4cdab1f423d620962b929ea6a9f67d79b8a7

Download Submit
C:\Windows\System\wUVSKFC.exe

Filesize
5.2MB

MD5
02da44f67122b6794089143375426453

SHA1
eff5ae667fd4abe7adb25ccffe4275c98ca7e4c9

SHA256
2d8920c4ec41e46e24989b6330fddf84f939ec370561896cf4a96c76b8e68647

SHA512
b8aee5bb07648cec21640de2ec4a2e14a4b25e86f56a535099a2c84c10544f054e324c5db52e670d233bdcc36c0565b85bc466c1b42fca2c11fac69b1080ff96

Download Submit
C:\Windows\System\yaRwWUw.exe

Filesize
5.2MB

MD5
40986a3467233bde3e9df07efb2cf4c2

SHA1
253cc0caea63306b46e7238c1c8361245f305b65

SHA256
31c0bb43941c9588267656539a0c8fd65610aa7860850629529bac0d871eda40

SHA512
eaaf1ec51c34f039bf61905f298d527404f53d20c0e773572f69cf4af5d9ff750319db0e7c3f75db9f2a2586d0e374a304561605fb15bfacad9597b077b12fe9

Download Submit
C:\Windows\System\yjpCURy.exe

Filesize
5.2MB

MD5
d4676491ac9f2eece816cf706e90aaaa

SHA1
9cef10dd28b7852520d2d0e5faf090bf83818c12

SHA256
d7a966ed7d24adbed1fdc21e6b830b43fc045154361a487205ec4058a83ea15d

SHA512
798d7814bf778f2e8b05a29e856f5b1d34cf29a643940820c65fe37827df3e933e13ff0b34f9f856df209186a8b3207f27ab46d40fb0f51cf5cf4256ff986cce

Download Submit
C:\Windows\System\zHwZtHs.exe

Filesize
5.2MB

MD5
838c120f6b7835107fb87098eee436e7

SHA1
212766879aeb2d440e213cb114ff848d0f3a7eb0

SHA256
eca624c9b72d31cef0a7204966ff73dd64e7883b372a38fef7dad4e8bb1b1e24

SHA512
8c46af751a234a917e42b8eabaa4043025e0366e0b338e16a81920ab3649515a832904b9f354bc08ac01a4023167927fb89cb07b6a8e7f961157944315eaeab3

Download Submit
memory/1140-129-0x00007FF64A970000-0x00007FF64ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/1140-166-0x00007FF64A970000-0x00007FF64ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/1140-272-0x00007FF64A970000-0x00007FF64ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-162-0x00007FF662BA0000-0x00007FF662EF1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-123-0x00007FF662BA0000-0x00007FF662EF1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-270-0x00007FF662BA0000-0x00007FF662EF1000-memory.dmp

Filesize
3.3MB

Download
memory/1700-32-0x00007FF60C010000-0x00007FF60C361000-memory.dmp

Filesize
3.3MB

Download
memory/1700-228-0x00007FF60C010000-0x00007FF60C361000-memory.dmp

Filesize
3.3MB

Download
memory/1700-95-0x00007FF60C010000-0x00007FF60C361000-memory.dmp

Filesize
3.3MB

Download
memory/1836-81-0x00007FF6A6380000-0x00007FF6A66D1000-memory.dmp

Filesize
3.3MB

Download
memory/1836-18-0x00007FF6A6380000-0x00007FF6A66D1000-memory.dmp

Filesize
3.3MB

Download
memory/1836-224-0x00007FF6A6380000-0x00007FF6A66D1000-memory.dmp

Filesize
3.3MB

Download
memory/1844-261-0x00007FF769320000-0x00007FF769671000-memory.dmp

Filesize
3.3MB

Download
memory/1844-112-0x00007FF769320000-0x00007FF769671000-memory.dmp

Filesize
3.3MB

Download
memory/2028-263-0x00007FF7C3150000-0x00007FF7C34A1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-114-0x00007FF7C3150000-0x00007FF7C34A1000-memory.dmp

Filesize
3.3MB

Download
memory/2356-138-0x00007FF61B450000-0x00007FF61B7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2356-66-0x00007FF61B450000-0x00007FF61B7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2356-245-0x00007FF61B450000-0x00007FF61B7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-64-0x00007FF637370000-0x00007FF6376C1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-128-0x00007FF637370000-0x00007FF6376C1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-243-0x00007FF637370000-0x00007FF6376C1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-14-0x00007FF7A8470000-0x00007FF7A87C1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-222-0x00007FF7A8470000-0x00007FF7A87C1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-74-0x00007FF7A8470000-0x00007FF7A87C1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-111-0x00007FF6A4290000-0x00007FF6A45E1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-36-0x00007FF6A4290000-0x00007FF6A45E1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-230-0x00007FF6A4290000-0x00007FF6A45E1000-memory.dmp

Filesize
3.3MB

Download
memory/3192-116-0x00007FF7681F0000-0x00007FF768541000-memory.dmp

Filesize
3.3MB

Download
memory/3192-239-0x00007FF7681F0000-0x00007FF768541000-memory.dmp

Filesize
3.3MB

Download
memory/3192-54-0x00007FF7681F0000-0x00007FF768541000-memory.dmp

Filesize
3.3MB

Download
memory/3560-247-0x00007FF7B7C90000-0x00007FF7B7FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-75-0x00007FF7B7C90000-0x00007FF7B7FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-139-0x00007FF7B7C90000-0x00007FF7B7FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3676-268-0x00007FF7EC190000-0x00007FF7EC4E1000-memory.dmp

Filesize
3.3MB

Download
memory/3676-119-0x00007FF7EC190000-0x00007FF7EC4E1000-memory.dmp

Filesize
3.3MB

Download
memory/3676-155-0x00007FF7EC190000-0x00007FF7EC4E1000-memory.dmp

Filesize
3.3MB

Download
memory/3704-28-0x00007FF63CF10000-0x00007FF63D261000-memory.dmp

Filesize
3.3MB

Download
memory/3704-82-0x00007FF63CF10000-0x00007FF63D261000-memory.dmp

Filesize
3.3MB

Download
memory/3704-226-0x00007FF63CF10000-0x00007FF63D261000-memory.dmp

Filesize
3.3MB

Download
memory/3776-65-0x00007FF7605E0000-0x00007FF760931000-memory.dmp

Filesize
3.3MB

Download
memory/3776-220-0x00007FF7605E0000-0x00007FF760931000-memory.dmp

Filesize
3.3MB

Download
memory/3776-8-0x00007FF7605E0000-0x00007FF760931000-memory.dmp

Filesize
3.3MB

Download
memory/4092-165-0x00007FF60D6C0000-0x00007FF60DA11000-memory.dmp

Filesize
3.3MB

Download
memory/4092-274-0x00007FF60D6C0000-0x00007FF60DA11000-memory.dmp

Filesize
3.3MB

Download
memory/4092-135-0x00007FF60D6C0000-0x00007FF60DA11000-memory.dmp

Filesize
3.3MB

Download
memory/4372-140-0x00007FF697250000-0x00007FF6975A1000-memory.dmp

Filesize
3.3MB

Download
memory/4372-83-0x00007FF697250000-0x00007FF6975A1000-memory.dmp

Filesize
3.3MB

Download
memory/4372-252-0x00007FF697250000-0x00007FF6975A1000-memory.dmp

Filesize
3.3MB

Download
memory/4456-0-0x00007FF6C5AF0000-0x00007FF6C5E41000-memory.dmp

Filesize
3.3MB

Download
memory/4456-1-0x00000214701C0000-0x00000214701D0000-memory.dmp

Filesize
64KB

Download
memory/4456-142-0x00007FF6C5AF0000-0x00007FF6C5E41000-memory.dmp

Filesize
3.3MB

Download
memory/4456-167-0x00007FF6C5AF0000-0x00007FF6C5E41000-memory.dmp

Filesize
3.3MB

Download
memory/4456-60-0x00007FF6C5AF0000-0x00007FF6C5E41000-memory.dmp

Filesize
3.3MB

Download
memory/4696-89-0x00007FF6F3FD0000-0x00007FF6F4321000-memory.dmp

Filesize
3.3MB

Download
memory/4696-254-0x00007FF6F3FD0000-0x00007FF6F4321000-memory.dmp

Filesize
3.3MB

Download
memory/4696-141-0x00007FF6F3FD0000-0x00007FF6F4321000-memory.dmp

Filesize
3.3MB

Download
memory/4728-259-0x00007FF7E5380000-0x00007FF7E56D1000-memory.dmp

Filesize
3.3MB

Download
memory/4728-108-0x00007FF7E5380000-0x00007FF7E56D1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-44-0x00007FF6415C0000-0x00007FF641911000-memory.dmp

Filesize
3.3MB

Download
memory/5028-237-0x00007FF6415C0000-0x00007FF641911000-memory.dmp

Filesize
3.3MB

Download
memory/5028-115-0x00007FF6415C0000-0x00007FF641911000-memory.dmp

Filesize
3.3MB

Download
memory/5088-241-0x00007FF614760000-0x00007FF614AB1000-memory.dmp

Filesize
3.3MB

Download
memory/5088-59-0x00007FF614760000-0x00007FF614AB1000-memory.dmp

Filesize
3.3MB

Download