cobaltstrike | 0f3b200e55738526ad7b9fd157f70646e688febc023d62f2e75f15fe94bffce4

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

fa6eedf895a737ee0f34c4ec5533308c
SHA1

af5cda5f0346c151a0b9c11fd53518285b8e9552
SHA256

0f3b200e55738526ad7b9fd157f70646e688febc023d62f2e75f15fe94bffce4
SHA512

07a5dd73a6fd735847cf0792670cc1402af7a458b652fe48dae19a4afc7ee43f7a4189b59c3fcab1372ef039c5be3ac0b79137d30058fb2fdbae9e1be8664237
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lh:RWWBib+56utgpPFotBER/mQ32lUN

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b19-4.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b78-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-15.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-42.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-45.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-68.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-75.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-89.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-98.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-102.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b79-110.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-126.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-124.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-122.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-92.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-84.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-77.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-64.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-27.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-26.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2528-38-0x00007FF7E3160000-0x00007FF7E34B1000-memory.dmp	xmrig
behavioral2/memory/4928-119-0x00007FF7EA720000-0x00007FF7EAA71000-memory.dmp	xmrig
behavioral2/memory/4476-101-0x00007FF6DE050000-0x00007FF6DE3A1000-memory.dmp	xmrig
behavioral2/memory/748-95-0x00007FF7C2550000-0x00007FF7C28A1000-memory.dmp	xmrig
behavioral2/memory/4020-94-0x00007FF6A98B0000-0x00007FF6A9C01000-memory.dmp	xmrig
behavioral2/memory/2920-93-0x00007FF7CC000000-0x00007FF7CC351000-memory.dmp	xmrig
behavioral2/memory/384-73-0x00007FF69E210000-0x00007FF69E561000-memory.dmp	xmrig
behavioral2/memory/2968-65-0x00007FF689000000-0x00007FF689351000-memory.dmp	xmrig
behavioral2/memory/2392-129-0x00007FF6EAB60000-0x00007FF6EAEB1000-memory.dmp	xmrig
behavioral2/memory/3100-130-0x00007FF7BDE40000-0x00007FF7BE191000-memory.dmp	xmrig
behavioral2/memory/4796-132-0x00007FF6CA780000-0x00007FF6CAAD1000-memory.dmp	xmrig
behavioral2/memory/2492-131-0x00007FF71AEA0000-0x00007FF71B1F1000-memory.dmp	xmrig
behavioral2/memory/2060-133-0x00007FF744BC0000-0x00007FF744F11000-memory.dmp	xmrig
behavioral2/memory/4928-134-0x00007FF7EA720000-0x00007FF7EAA71000-memory.dmp	xmrig
behavioral2/memory/4556-143-0x00007FF6BBFC0000-0x00007FF6BC311000-memory.dmp	xmrig
behavioral2/memory/844-145-0x00007FF64E230000-0x00007FF64E581000-memory.dmp	xmrig
behavioral2/memory/3760-146-0x00007FF7B1B30000-0x00007FF7B1E81000-memory.dmp	xmrig
behavioral2/memory/4332-150-0x00007FF6455E0000-0x00007FF645931000-memory.dmp	xmrig
behavioral2/memory/2100-154-0x00007FF7DC9C0000-0x00007FF7DCD11000-memory.dmp	xmrig
behavioral2/memory/920-158-0x00007FF7F1730000-0x00007FF7F1A81000-memory.dmp	xmrig
behavioral2/memory/676-157-0x00007FF792570000-0x00007FF7928C1000-memory.dmp	xmrig
behavioral2/memory/4812-155-0x00007FF7C7A10000-0x00007FF7C7D61000-memory.dmp	xmrig
behavioral2/memory/692-156-0x00007FF75BFB0000-0x00007FF75C301000-memory.dmp	xmrig
behavioral2/memory/4928-159-0x00007FF7EA720000-0x00007FF7EAA71000-memory.dmp	xmrig
behavioral2/memory/2392-221-0x00007FF6EAB60000-0x00007FF6EAEB1000-memory.dmp	xmrig
behavioral2/memory/3100-223-0x00007FF7BDE40000-0x00007FF7BE191000-memory.dmp	xmrig
behavioral2/memory/2492-225-0x00007FF71AEA0000-0x00007FF71B1F1000-memory.dmp	xmrig
behavioral2/memory/4796-227-0x00007FF6CA780000-0x00007FF6CAAD1000-memory.dmp	xmrig
behavioral2/memory/2528-229-0x00007FF7E3160000-0x00007FF7E34B1000-memory.dmp	xmrig
behavioral2/memory/4556-231-0x00007FF6BBFC0000-0x00007FF6BC311000-memory.dmp	xmrig
behavioral2/memory/2060-233-0x00007FF744BC0000-0x00007FF744F11000-memory.dmp	xmrig
behavioral2/memory/2968-235-0x00007FF689000000-0x00007FF689351000-memory.dmp	xmrig
behavioral2/memory/384-237-0x00007FF69E210000-0x00007FF69E561000-memory.dmp	xmrig
behavioral2/memory/2920-239-0x00007FF7CC000000-0x00007FF7CC351000-memory.dmp	xmrig
behavioral2/memory/4020-241-0x00007FF6A98B0000-0x00007FF6A9C01000-memory.dmp	xmrig
behavioral2/memory/844-244-0x00007FF64E230000-0x00007FF64E581000-memory.dmp	xmrig
behavioral2/memory/4332-245-0x00007FF6455E0000-0x00007FF645931000-memory.dmp	xmrig
behavioral2/memory/748-252-0x00007FF7C2550000-0x00007FF7C28A1000-memory.dmp	xmrig
behavioral2/memory/4476-254-0x00007FF6DE050000-0x00007FF6DE3A1000-memory.dmp	xmrig
behavioral2/memory/3760-256-0x00007FF7B1B30000-0x00007FF7B1E81000-memory.dmp	xmrig
behavioral2/memory/4812-258-0x00007FF7C7A10000-0x00007FF7C7D61000-memory.dmp	xmrig
behavioral2/memory/692-260-0x00007FF75BFB0000-0x00007FF75C301000-memory.dmp	xmrig
behavioral2/memory/676-262-0x00007FF792570000-0x00007FF7928C1000-memory.dmp	xmrig
behavioral2/memory/920-264-0x00007FF7F1730000-0x00007FF7F1A81000-memory.dmp	xmrig
behavioral2/memory/2100-266-0x00007FF7DC9C0000-0x00007FF7DCD11000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2392	SejvFKF.exe
3100	wQzwilM.exe
2492	fLvqYur.exe
4796	NWEgZkX.exe
2528	gXVNJRe.exe
4556	IfsFfqg.exe
2060	aPmqfiT.exe
2968	KFgiqVL.exe
2920	hEszSFF.exe
384	HLXtVro.exe
4020	tTUblhu.exe
844	VdvZGyi.exe
4332	pXzGFXM.exe
748	QtswNHz.exe
3760	RuJyZdI.exe
4476	OUxHWnZ.exe
2100	EpHanPy.exe
4812	DDiXZSO.exe
692	CdjVUTb.exe
676	zrjzFwt.exe
920	gbcefgf.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4928-0-0x00007FF7EA720000-0x00007FF7EAA71000-memory.dmp	upx
behavioral2/files/0x000c000000023b19-4.dat	upx
behavioral2/files/0x000b000000023b78-10.dat	upx
behavioral2/files/0x000a000000023b7c-15.dat	upx
behavioral2/memory/2492-20-0x00007FF71AEA0000-0x00007FF71B1F1000-memory.dmp	upx
behavioral2/memory/4796-31-0x00007FF6CA780000-0x00007FF6CAAD1000-memory.dmp	upx
behavioral2/memory/2528-38-0x00007FF7E3160000-0x00007FF7E34B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b81-42.dat	upx
behavioral2/files/0x000a000000023b7f-45.dat	upx
behavioral2/files/0x000a000000023b82-68.dat	upx
behavioral2/files/0x000a000000023b86-75.dat	upx
behavioral2/memory/4332-81-0x00007FF6455E0000-0x00007FF645931000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-89.dat	upx
behavioral2/files/0x000a000000023b89-98.dat	upx
behavioral2/files/0x000a000000023b8a-102.dat	upx
behavioral2/files/0x000b000000023b79-110.dat	upx
behavioral2/memory/4928-119-0x00007FF7EA720000-0x00007FF7EAA71000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-126.dat	upx
behavioral2/files/0x000a000000023b8c-124.dat	upx
behavioral2/files/0x000a000000023b8b-122.dat	upx
behavioral2/memory/920-121-0x00007FF7F1730000-0x00007FF7F1A81000-memory.dmp	upx
behavioral2/memory/692-120-0x00007FF75BFB0000-0x00007FF75C301000-memory.dmp	upx
behavioral2/memory/676-118-0x00007FF792570000-0x00007FF7928C1000-memory.dmp	upx
behavioral2/memory/4812-114-0x00007FF7C7A10000-0x00007FF7C7D61000-memory.dmp	upx
behavioral2/memory/2100-108-0x00007FF7DC9C0000-0x00007FF7DCD11000-memory.dmp	upx
behavioral2/memory/4476-101-0x00007FF6DE050000-0x00007FF6DE3A1000-memory.dmp	upx
behavioral2/memory/748-95-0x00007FF7C2550000-0x00007FF7C28A1000-memory.dmp	upx
behavioral2/memory/4020-94-0x00007FF6A98B0000-0x00007FF6A9C01000-memory.dmp	upx
behavioral2/memory/2920-93-0x00007FF7CC000000-0x00007FF7CC351000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-92.dat	upx
behavioral2/memory/3760-88-0x00007FF7B1B30000-0x00007FF7B1E81000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-84.dat	upx
behavioral2/memory/844-80-0x00007FF64E230000-0x00007FF64E581000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-77.dat	upx
behavioral2/memory/384-73-0x00007FF69E210000-0x00007FF69E561000-memory.dmp	upx
behavioral2/memory/2968-65-0x00007FF689000000-0x00007FF689351000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-64.dat	upx
behavioral2/memory/4556-59-0x00007FF6BBFC0000-0x00007FF6BC311000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-50.dat	upx
behavioral2/memory/2060-40-0x00007FF744BC0000-0x00007FF744F11000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-27.dat	upx
behavioral2/files/0x000a000000023b7d-26.dat	upx
behavioral2/memory/3100-12-0x00007FF7BDE40000-0x00007FF7BE191000-memory.dmp	upx
behavioral2/memory/2392-9-0x00007FF6EAB60000-0x00007FF6EAEB1000-memory.dmp	upx
behavioral2/memory/2392-129-0x00007FF6EAB60000-0x00007FF6EAEB1000-memory.dmp	upx
behavioral2/memory/3100-130-0x00007FF7BDE40000-0x00007FF7BE191000-memory.dmp	upx
behavioral2/memory/4796-132-0x00007FF6CA780000-0x00007FF6CAAD1000-memory.dmp	upx
behavioral2/memory/2492-131-0x00007FF71AEA0000-0x00007FF71B1F1000-memory.dmp	upx
behavioral2/memory/2060-133-0x00007FF744BC0000-0x00007FF744F11000-memory.dmp	upx
behavioral2/memory/4928-134-0x00007FF7EA720000-0x00007FF7EAA71000-memory.dmp	upx
behavioral2/memory/4556-143-0x00007FF6BBFC0000-0x00007FF6BC311000-memory.dmp	upx
behavioral2/memory/844-145-0x00007FF64E230000-0x00007FF64E581000-memory.dmp	upx
behavioral2/memory/3760-146-0x00007FF7B1B30000-0x00007FF7B1E81000-memory.dmp	upx
behavioral2/memory/4332-150-0x00007FF6455E0000-0x00007FF645931000-memory.dmp	upx
behavioral2/memory/2100-154-0x00007FF7DC9C0000-0x00007FF7DCD11000-memory.dmp	upx
behavioral2/memory/920-158-0x00007FF7F1730000-0x00007FF7F1A81000-memory.dmp	upx
behavioral2/memory/676-157-0x00007FF792570000-0x00007FF7928C1000-memory.dmp	upx
behavioral2/memory/4812-155-0x00007FF7C7A10000-0x00007FF7C7D61000-memory.dmp	upx
behavioral2/memory/692-156-0x00007FF75BFB0000-0x00007FF75C301000-memory.dmp	upx
behavioral2/memory/4928-159-0x00007FF7EA720000-0x00007FF7EAA71000-memory.dmp	upx
behavioral2/memory/2392-221-0x00007FF6EAB60000-0x00007FF6EAEB1000-memory.dmp	upx
behavioral2/memory/3100-223-0x00007FF7BDE40000-0x00007FF7BE191000-memory.dmp	upx
behavioral2/memory/2492-225-0x00007FF71AEA0000-0x00007FF71B1F1000-memory.dmp	upx
behavioral2/memory/4796-227-0x00007FF6CA780000-0x00007FF6CAAD1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\QtswNHz.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OUxHWnZ.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DDiXZSO.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CdjVUTb.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KFgiqVL.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HLXtVro.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EpHanPy.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gbcefgf.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aPmqfiT.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hEszSFF.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VdvZGyi.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pXzGFXM.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zrjzFwt.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SejvFKF.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fLvqYur.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gXVNJRe.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IfsFfqg.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tTUblhu.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RuJyZdI.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wQzwilM.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NWEgZkX.exe	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2392	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4928 wrote to memory of 2392	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4928 wrote to memory of 3100	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4928 wrote to memory of 3100	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4928 wrote to memory of 2492	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4928 wrote to memory of 2492	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4928 wrote to memory of 4796	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4928 wrote to memory of 4796	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4928 wrote to memory of 2528	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4928 wrote to memory of 2528	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4928 wrote to memory of 4556	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4928 wrote to memory of 4556	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4928 wrote to memory of 2060	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4928 wrote to memory of 2060	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4928 wrote to memory of 2968	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4928 wrote to memory of 2968	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4928 wrote to memory of 2920	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4928 wrote to memory of 2920	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4928 wrote to memory of 384	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4928 wrote to memory of 384	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4928 wrote to memory of 4020	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4928 wrote to memory of 4020	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4928 wrote to memory of 844	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4928 wrote to memory of 844	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4928 wrote to memory of 4332	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4928 wrote to memory of 4332	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4928 wrote to memory of 748	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4928 wrote to memory of 748	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4928 wrote to memory of 3760	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4928 wrote to memory of 3760	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4928 wrote to memory of 4476	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4928 wrote to memory of 4476	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4928 wrote to memory of 2100	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4928 wrote to memory of 2100	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4928 wrote to memory of 4812	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4928 wrote to memory of 4812	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4928 wrote to memory of 692	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4928 wrote to memory of 692	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4928 wrote to memory of 676	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4928 wrote to memory of 676	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4928 wrote to memory of 920	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4928 wrote to memory of 920	4928	2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_fa6eedf895a737ee0f34c4ec5533308c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\System\SejvFKF.exe
  C:\Windows\System\SejvFKF.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\wQzwilM.exe
  C:\Windows\System\wQzwilM.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System\fLvqYur.exe
  C:\Windows\System\fLvqYur.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\NWEgZkX.exe
  C:\Windows\System\NWEgZkX.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\gXVNJRe.exe
  C:\Windows\System\gXVNJRe.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\IfsFfqg.exe
  C:\Windows\System\IfsFfqg.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\aPmqfiT.exe
  C:\Windows\System\aPmqfiT.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\KFgiqVL.exe
  C:\Windows\System\KFgiqVL.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\hEszSFF.exe
  C:\Windows\System\hEszSFF.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\HLXtVro.exe
  C:\Windows\System\HLXtVro.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\tTUblhu.exe
  C:\Windows\System\tTUblhu.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\VdvZGyi.exe
  C:\Windows\System\VdvZGyi.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System\pXzGFXM.exe
  C:\Windows\System\pXzGFXM.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System\QtswNHz.exe
  C:\Windows\System\QtswNHz.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System\RuJyZdI.exe
  C:\Windows\System\RuJyZdI.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System\OUxHWnZ.exe
  C:\Windows\System\OUxHWnZ.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\EpHanPy.exe
  C:\Windows\System\EpHanPy.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\DDiXZSO.exe
  C:\Windows\System\DDiXZSO.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\CdjVUTb.exe
  C:\Windows\System\CdjVUTb.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System\zrjzFwt.exe
  C:\Windows\System\zrjzFwt.exe
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\System\gbcefgf.exe
  C:\Windows\System\gbcefgf.exe
  2⤵
  - Executes dropped EXE
  PID:920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CdjVUTb.exe

Filesize
5.2MB

MD5
1e359f7c7500a2f642251fbe0af3f02d

SHA1
281afd2d7334a7c0ef0c4ec2ec4c2424e716012e

SHA256
ebb966640301dd621258a1089c10be667871ab54051d27de94ec6207eee1fb54

SHA512
a79f4f472d93fec12ab7324aec6cb32f4520fcbad9907cb52ca256cc9c8a2d61f0632c2655b51d0530427560e8979c85573cb3258cbf1571e04007fd26ab8e17

Download Submit
C:\Windows\System\DDiXZSO.exe

Filesize
5.2MB

MD5
ded43272864703267b3b91089db09865

SHA1
7410bffee72b487efd9e3b1c38793a28216b740d

SHA256
18cc239bb7a8c1a99de061310b0460a851ee7d9088c66476bda1717b123602bc

SHA512
d4e20df5daaa3e07b6efcf33f1e943a7139637c8b6b99e53c439abe428a60cc5fbce72a1488c000535e5b6f8e142e829df5d1285a41017a8db2c7fd9504e2ffa

Download Submit
C:\Windows\System\EpHanPy.exe

Filesize
5.2MB

MD5
80ae1176b6f6ee6acb38210578a32943

SHA1
111d24c652f31f1e23e76be47c39f528a353d68b

SHA256
58d2477c9f891cf617023eb94d29de1656f59645afa0f2f14cfbcd22cee3c56c

SHA512
75e7bfa23436911f86b488d98ae0c556266191fd54e9823d5e9271a4da5553a9331fd53d4bded84a812087b7e2f20e59340adefd32a3ff66aec6f48433ee1bcc

Download Submit
C:\Windows\System\HLXtVro.exe

Filesize
5.2MB

MD5
5baaf4dda0cb32440c2d15d151e87ccb

SHA1
2103dc9c22787a555a8a822f470b9ad80b3f1f5f

SHA256
12cd623de865875d33c54eefc2e5b34ae8b6d8073b39a3468b46ac48aef58209

SHA512
d5fc82bbfc581a6394ee68936d7b49d402abd55004c63fa13995c23869faa87ed89c0dfdcf0065a449ad24832847c9970d28681d9da82280b7efddc810e63872

Download Submit
C:\Windows\System\IfsFfqg.exe

Filesize
5.2MB

MD5
eee82ec7b9ce09e46c7fc4420a76ce87

SHA1
f7561b011b17e91cd393c65ca1f408301f6a22a4

SHA256
8666b56d5f0c36e02c02c898a85e2d25fe5d1cc80dfc1ea3383be36d54d5d0cb

SHA512
2a4fb6b0d8d8deef4cfc6d7e22406ef6cd3ad095981caa37128af3238dcd8eb36327d41d7f8d99a38e951a592ad6cbc5df48c9bfc9d34f8add6e8180d2e84a01

Download Submit
C:\Windows\System\KFgiqVL.exe

Filesize
5.2MB

MD5
6fb6769205081b36c69d0f7b409e37f2

SHA1
39bb8219f7efb59e1e82be3a35001e04a9ba187f

SHA256
5ce9c443087d35f1f2bde15a6aad2700dbf687bc6ff1e1031cd420df9b4a03fb

SHA512
41a2855fd0258bce608a84ab9b95074b6755d4446e3634fc1c15ed791b12468edf63a22c449a74660be1c3ac36acf4f40b808b2e741599ac4b4a0079f380c56b

Download Submit
C:\Windows\System\NWEgZkX.exe

Filesize
5.2MB

MD5
4ad6b014a132ce84c7dc764a5daecb9e

SHA1
4fd6218e3aad2edc8d589e7b023fbbd7fcd1caf8

SHA256
b9410192147878fbe3761fd85b92e1a256b1ffb26b0446db625cf947bfdb9959

SHA512
9db67d0aca708b3846921956dadde09cbd9e5335ca2c50e3832871c9714c330217d8ecec531eec8ebc7adc2f96358cd40e3fa0d5b973064b6015a3deb70c1c35

Download Submit
C:\Windows\System\OUxHWnZ.exe

Filesize
5.2MB

MD5
8056f9b968e441fa8ab4ef7d72f66406

SHA1
fdf7dea512d471d4f6a95adea0d624cb0dd7262d

SHA256
c453e4a3ddb4a90d2c1a8eae314b255140ffd3e279c0dc275bc72af4399e6ef5

SHA512
09d54593a24d4c4f07eddf772dc3855352954f0d726c1ee595bfd3245d0d93077b508e4cb174d8b0d2c32c41becba2c0276fc2e10f75c5ad642c51512268440a

Download Submit
C:\Windows\System\QtswNHz.exe

Filesize
5.2MB

MD5
eff5e512bc0bd81c69c3da2f57181873

SHA1
c2770c3a4957c30e408f64151326282b48c52a37

SHA256
fdb92a9a496a21020ab8251e09bb8590054dab342fc9883fcdea70ec4b0094a1

SHA512
078c09352e2398dbfefb3d3059c0fd1bd6a16478e5580320a49e28bf0ec51ce8bdca776ca40bb4458fa1102aa26aab6bfe356cb02977e7230b38abb931aaecf1

Download Submit
C:\Windows\System\RuJyZdI.exe

Filesize
5.2MB

MD5
c3ae9fd2c223ab17b693a35a1709991e

SHA1
1b0bd456141892ed6529d40fbe35aae7537817b4

SHA256
8392950aeda710550c6e50bbbc9c506dc83f02d13ab240bc9e2d16d112cc28ec

SHA512
fd253b53271aaf6d31c6f21cb5f2a1592cdb4cf9f7112413449df234750f02ec454ab21608c4d208d51d39d6bfe8a8392fc3260b4a7c63c6abf528881ef3d692

Download Submit
C:\Windows\System\SejvFKF.exe

Filesize
5.2MB

MD5
7b87529f23f644252fa5772e6d85c752

SHA1
0654fa213ae5510deb3f361673f0fc61f2c81a2b

SHA256
d8a1c0b168929ae2b5b331978f67fd1f9047881e9ede278a2fc1117314fc63ae

SHA512
1decaa4e696c31112d08dd0a1896d84e9b6de3f5fb3c0798adfd6c48515f791cabb27c85e73cd48e0cd1e4e7f89626ad6f26d69fa3f5875b18683e729ee30d86

Download Submit
C:\Windows\System\VdvZGyi.exe

Filesize
5.2MB

MD5
8ba487040a5f6c0c4bc78386767523d0

SHA1
d4170652d651d32d4fa9744bbc2faba951058023

SHA256
93dbc7badc3c8ff1db8c1a25da5f0f85bda7017b0b9b722fee2a92087bf10579

SHA512
358b8121e039cdc53bdbb0cca9a1de64aee8dae807ad50ccd8c2322be98b8ed488141ec66eba1ea3c28c0e4d784a8d0839f9e265a9dfd26ce2873ee6de0cd883

Download Submit
C:\Windows\System\aPmqfiT.exe

Filesize
5.2MB

MD5
4fda8387d24976d9dfe1b8484756df84

SHA1
2d0c39c9bf7993aaa5abe3096495aa5e8f8b220f

SHA256
c485d3ad0ca57da837a4ca49681b70a6933bfde59ad01865c7602017f66755a3

SHA512
b21c3a275fe8953b652b9954e0249d9d6bc7ebd47a86a9e027e6c1049129a33fcde1532569778c5790b255a175a37924ea1425ae8034c8c5b75d696b537fae1f

Download Submit
C:\Windows\System\fLvqYur.exe

Filesize
5.2MB

MD5
b2661c5a07b4697874738712a0dba364

SHA1
240b366ffc412d90e0aa985acecb0d29da3d7acf

SHA256
615f301226519ec9d9b8b7a7c2a876bbd192ec07912c279e22822455c4fdd1f5

SHA512
bb914e08361ba3d012b70dbb2637ad110c491c3a4f87a00c17aa146eb7ce612b9ccb424fb5cbd0bba1bad7b033e16b7a74bc65540f35cf413a6eeaf5a0d68c91

Download Submit
C:\Windows\System\gXVNJRe.exe

Filesize
5.2MB

MD5
1ce86c4ca22c25a899e1863e1351fe44

SHA1
b459fd45b57b4ca27611c44d93cee5a8413cf042

SHA256
f3d65a17c8e317b7674ee9e97e36348cf1135cc4a05af8a105eddc4c6f44b583

SHA512
9f0911e57d8439b8d537a569984e7e93441430c2fa445a20cea49cbb1b6206fe059871f140d5f6a8832245dfa810fbe3ddbb3977b968249c41f1729d22279e84

Download Submit
C:\Windows\System\gbcefgf.exe

Filesize
5.2MB

MD5
56141332c325d60cbbaf3fbe72870fff

SHA1
95207340a314af99f48a31ca3d55d85e5a959d0e

SHA256
ae1f48e3e9bf7c871ed5fa1b5522d07f6736c76b2fb30565425608974ffd7ba1

SHA512
fc2e95519994cb0d0a45342d68440120ee8189f65fabf02c79e8b06ee767e1cc70ce454e548c65a7f40d20bf8258e07125f8ff7d862d7ba001e6ab5069acb02d

Download Submit
C:\Windows\System\hEszSFF.exe

Filesize
5.2MB

MD5
e175393f3eef96027364f857a5ffdf37

SHA1
44c2301c41e6584a88d723ddd53f98fb662d6191

SHA256
848c95c2a9c9d13257ba787854213c47fca65e461662ddcd6426fc0881b380d6

SHA512
746f84bdb7cb43641f5c82ae7ee5515280c2eded3675282c2af3b86145212a8e6be8b5389fdfb996f7b8241b0fefde685af8d81b106e012147afe33ab95f040a

Download Submit
C:\Windows\System\pXzGFXM.exe

Filesize
5.2MB

MD5
d29d3b994547466024e4eb0ed01fa127

SHA1
45c95594afd09be3b54dce4c4fe00df969adb909

SHA256
919b64dc07e6a871f1145d0a10357d1bcf7b2f08cf76ff43561f35ee146ac1b0

SHA512
d897c65ef36fbdb406bcf4753b7c0956e7e204e3d149b1660c12a7a5fa6040ff544215a18ff27f098d719be2f737aff77f66944a2b1a96b130d4d2967a78bbcd

Download Submit
C:\Windows\System\tTUblhu.exe

Filesize
5.2MB

MD5
50a614943ead857c8a70f3f3d4404bf3

SHA1
850e538b5ce9264ee5942020890d9e5f02fbd589

SHA256
4029ff2d4ce19fb1b98131346bc5fa540bac904b030bd6f80cd5ccf53515aaf1

SHA512
2799ee989963abb5e0ffeba50f1e94b655ffcc80dffbea58ca299a3c1af30a2fd5d69a232ba0b221c0ccfc909bcd19edcd26ff6d58b18b5683875acd9f680a1c

Download Submit
C:\Windows\System\wQzwilM.exe

Filesize
5.2MB

MD5
f9b4d60d847b87bb228dbcb8051bad5d

SHA1
1812fa4e0b969def379534b1a8f3fad4a7dd79e5

SHA256
fe0120f6904e5494a1f35906d53aee8bc7747cdedbf62c147941bc637eeef73c

SHA512
1ca500d59bb66527ada1f5abef3161f8cfe35695a81384761c294123a6df13fad39bed2944545b1046516630af59a549d59565a7f06edc1774691a0b79a0ed07

Download Submit
C:\Windows\System\zrjzFwt.exe

Filesize
5.2MB

MD5
3a45e3c4f8446b221dac5cf43daab3ed

SHA1
6b35d8b7a205adc49f05c4e12b0680f400d40a5d

SHA256
d7c9b49c4b0f6f28d4fb484d62125f042e118a8c7d5c02a54233d304d71389b5

SHA512
2c405033c229b9b9d5c5daffe76a875ab04e9c5cde808b0687b40c65ff076ecf168a5ec763e3cd682c3ddfebdc9b27fc0a499c6b720ff34e589f75e9a81dd0da

Download Submit
memory/384-237-0x00007FF69E210000-0x00007FF69E561000-memory.dmp

Filesize
3.3MB

Download
memory/384-73-0x00007FF69E210000-0x00007FF69E561000-memory.dmp

Filesize
3.3MB

Download
memory/676-262-0x00007FF792570000-0x00007FF7928C1000-memory.dmp

Filesize
3.3MB

Download
memory/676-157-0x00007FF792570000-0x00007FF7928C1000-memory.dmp

Filesize
3.3MB

Download
memory/676-118-0x00007FF792570000-0x00007FF7928C1000-memory.dmp

Filesize
3.3MB

Download
memory/692-260-0x00007FF75BFB0000-0x00007FF75C301000-memory.dmp

Filesize
3.3MB

Download
memory/692-120-0x00007FF75BFB0000-0x00007FF75C301000-memory.dmp

Filesize
3.3MB

Download
memory/692-156-0x00007FF75BFB0000-0x00007FF75C301000-memory.dmp

Filesize
3.3MB

Download
memory/748-252-0x00007FF7C2550000-0x00007FF7C28A1000-memory.dmp

Filesize
3.3MB

Download
memory/748-95-0x00007FF7C2550000-0x00007FF7C28A1000-memory.dmp

Filesize
3.3MB

Download
memory/844-80-0x00007FF64E230000-0x00007FF64E581000-memory.dmp

Filesize
3.3MB

Download
memory/844-244-0x00007FF64E230000-0x00007FF64E581000-memory.dmp

Filesize
3.3MB

Download
memory/844-145-0x00007FF64E230000-0x00007FF64E581000-memory.dmp

Filesize
3.3MB

Download
memory/920-158-0x00007FF7F1730000-0x00007FF7F1A81000-memory.dmp

Filesize
3.3MB

Download
memory/920-121-0x00007FF7F1730000-0x00007FF7F1A81000-memory.dmp

Filesize
3.3MB

Download
memory/920-264-0x00007FF7F1730000-0x00007FF7F1A81000-memory.dmp

Filesize
3.3MB

Download
memory/2060-133-0x00007FF744BC0000-0x00007FF744F11000-memory.dmp

Filesize
3.3MB

Download
memory/2060-233-0x00007FF744BC0000-0x00007FF744F11000-memory.dmp

Filesize
3.3MB

Download
memory/2060-40-0x00007FF744BC0000-0x00007FF744F11000-memory.dmp

Filesize
3.3MB

Download
memory/2100-108-0x00007FF7DC9C0000-0x00007FF7DCD11000-memory.dmp

Filesize
3.3MB

Download
memory/2100-266-0x00007FF7DC9C0000-0x00007FF7DCD11000-memory.dmp

Filesize
3.3MB

Download
memory/2100-154-0x00007FF7DC9C0000-0x00007FF7DCD11000-memory.dmp

Filesize
3.3MB

Download
memory/2392-221-0x00007FF6EAB60000-0x00007FF6EAEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-9-0x00007FF6EAB60000-0x00007FF6EAEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-129-0x00007FF6EAB60000-0x00007FF6EAEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2492-225-0x00007FF71AEA0000-0x00007FF71B1F1000-memory.dmp

Filesize
3.3MB

Download
memory/2492-20-0x00007FF71AEA0000-0x00007FF71B1F1000-memory.dmp

Filesize
3.3MB

Download
memory/2492-131-0x00007FF71AEA0000-0x00007FF71B1F1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-229-0x00007FF7E3160000-0x00007FF7E34B1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-38-0x00007FF7E3160000-0x00007FF7E34B1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-93-0x00007FF7CC000000-0x00007FF7CC351000-memory.dmp

Filesize
3.3MB

Download
memory/2920-239-0x00007FF7CC000000-0x00007FF7CC351000-memory.dmp

Filesize
3.3MB

Download
memory/2968-235-0x00007FF689000000-0x00007FF689351000-memory.dmp

Filesize
3.3MB

Download
memory/2968-65-0x00007FF689000000-0x00007FF689351000-memory.dmp

Filesize
3.3MB

Download
memory/3100-12-0x00007FF7BDE40000-0x00007FF7BE191000-memory.dmp

Filesize
3.3MB

Download
memory/3100-130-0x00007FF7BDE40000-0x00007FF7BE191000-memory.dmp

Filesize
3.3MB

Download
memory/3100-223-0x00007FF7BDE40000-0x00007FF7BE191000-memory.dmp

Filesize
3.3MB

Download
memory/3760-146-0x00007FF7B1B30000-0x00007FF7B1E81000-memory.dmp

Filesize
3.3MB

Download
memory/3760-88-0x00007FF7B1B30000-0x00007FF7B1E81000-memory.dmp

Filesize
3.3MB

Download
memory/3760-256-0x00007FF7B1B30000-0x00007FF7B1E81000-memory.dmp

Filesize
3.3MB

Download
memory/4020-94-0x00007FF6A98B0000-0x00007FF6A9C01000-memory.dmp

Filesize
3.3MB

Download
memory/4020-241-0x00007FF6A98B0000-0x00007FF6A9C01000-memory.dmp

Filesize
3.3MB

Download
memory/4332-245-0x00007FF6455E0000-0x00007FF645931000-memory.dmp

Filesize
3.3MB

Download
memory/4332-150-0x00007FF6455E0000-0x00007FF645931000-memory.dmp

Filesize
3.3MB

Download
memory/4332-81-0x00007FF6455E0000-0x00007FF645931000-memory.dmp

Filesize
3.3MB

Download
memory/4476-101-0x00007FF6DE050000-0x00007FF6DE3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-254-0x00007FF6DE050000-0x00007FF6DE3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4556-59-0x00007FF6BBFC0000-0x00007FF6BC311000-memory.dmp

Filesize
3.3MB

Download
memory/4556-231-0x00007FF6BBFC0000-0x00007FF6BC311000-memory.dmp

Filesize
3.3MB

Download
memory/4556-143-0x00007FF6BBFC0000-0x00007FF6BC311000-memory.dmp

Filesize
3.3MB

Download
memory/4796-227-0x00007FF6CA780000-0x00007FF6CAAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4796-132-0x00007FF6CA780000-0x00007FF6CAAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4796-31-0x00007FF6CA780000-0x00007FF6CAAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4812-155-0x00007FF7C7A10000-0x00007FF7C7D61000-memory.dmp

Filesize
3.3MB

Download
memory/4812-258-0x00007FF7C7A10000-0x00007FF7C7D61000-memory.dmp

Filesize
3.3MB

Download
memory/4812-114-0x00007FF7C7A10000-0x00007FF7C7D61000-memory.dmp

Filesize
3.3MB

Download
memory/4928-0-0x00007FF7EA720000-0x00007FF7EAA71000-memory.dmp

Filesize
3.3MB

Download
memory/4928-119-0x00007FF7EA720000-0x00007FF7EAA71000-memory.dmp

Filesize
3.3MB

Download
memory/4928-159-0x00007FF7EA720000-0x00007FF7EAA71000-memory.dmp

Filesize
3.3MB

Download
memory/4928-134-0x00007FF7EA720000-0x00007FF7EAA71000-memory.dmp

Filesize
3.3MB

Download
memory/4928-1-0x00000138A9A30000-0x00000138A9A40000-memory.dmp

Filesize
64KB

Download