cobaltstrike | 84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

44f5c432cb782e1542a69a671e3a0e00
SHA1

5b127bc08376ecd7555268ea3364cb2db6f5c93b
SHA256

84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51
SHA512

9e045d501cd9599f4ccdb76ac544f8a737562af935d5e76014ebafe381cdc806a620e8ca831b947de0607ff87959d13e1fe6c447b6956d9a090f3bde7e19f368
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ll:RWWBib+56utgpPFotBER/mQ32lUR

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023c7f-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-59.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c95-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-95.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3572-11-0x00007FF70CBE0000-0x00007FF70CF31000-memory.dmp	xmrig
behavioral2/memory/3328-84-0x00007FF7C1D40000-0x00007FF7C2091000-memory.dmp	xmrig
behavioral2/memory/3124-71-0x00007FF78BC00000-0x00007FF78BF51000-memory.dmp	xmrig
behavioral2/memory/3596-68-0x00007FF76D890000-0x00007FF76DBE1000-memory.dmp	xmrig
behavioral2/memory/3636-94-0x00007FF7F06E0000-0x00007FF7F0A31000-memory.dmp	xmrig
behavioral2/memory/3596-127-0x00007FF76D890000-0x00007FF76DBE1000-memory.dmp	xmrig
behavioral2/memory/5028-135-0x00007FF7FB9F0000-0x00007FF7FBD41000-memory.dmp	xmrig
behavioral2/memory/3940-136-0x00007FF750310000-0x00007FF750661000-memory.dmp	xmrig
behavioral2/memory/3084-134-0x00007FF690600000-0x00007FF690951000-memory.dmp	xmrig
behavioral2/memory/4520-137-0x00007FF6A69B0000-0x00007FF6A6D01000-memory.dmp	xmrig
behavioral2/memory/548-140-0x00007FF6CA960000-0x00007FF6CACB1000-memory.dmp	xmrig
behavioral2/memory/2112-139-0x00007FF700BF0000-0x00007FF700F41000-memory.dmp	xmrig
behavioral2/memory/3960-138-0x00007FF60ADF0000-0x00007FF60B141000-memory.dmp	xmrig
behavioral2/memory/1428-133-0x00007FF691E90000-0x00007FF6921E1000-memory.dmp	xmrig
behavioral2/memory/4056-132-0x00007FF7C9270000-0x00007FF7C95C1000-memory.dmp	xmrig
behavioral2/memory/4288-141-0x00007FF631C40000-0x00007FF631F91000-memory.dmp	xmrig
behavioral2/memory/4544-142-0x00007FF7DDAB0000-0x00007FF7DDE01000-memory.dmp	xmrig
behavioral2/memory/2936-146-0x00007FF6769E0000-0x00007FF676D31000-memory.dmp	xmrig
behavioral2/memory/808-148-0x00007FF741D50000-0x00007FF7420A1000-memory.dmp	xmrig
behavioral2/memory/3040-147-0x00007FF6A07A0000-0x00007FF6A0AF1000-memory.dmp	xmrig
behavioral2/memory/4064-145-0x00007FF6F1650000-0x00007FF6F19A1000-memory.dmp	xmrig
behavioral2/memory/1660-144-0x00007FF64A300000-0x00007FF64A651000-memory.dmp	xmrig
behavioral2/memory/4060-143-0x00007FF758830000-0x00007FF758B81000-memory.dmp	xmrig
behavioral2/memory/3596-154-0x00007FF76D890000-0x00007FF76DBE1000-memory.dmp	xmrig
behavioral2/memory/3572-209-0x00007FF70CBE0000-0x00007FF70CF31000-memory.dmp	xmrig
behavioral2/memory/3124-211-0x00007FF78BC00000-0x00007FF78BF51000-memory.dmp	xmrig
behavioral2/memory/3636-213-0x00007FF7F06E0000-0x00007FF7F0A31000-memory.dmp	xmrig
behavioral2/memory/4056-215-0x00007FF7C9270000-0x00007FF7C95C1000-memory.dmp	xmrig
behavioral2/memory/3328-217-0x00007FF7C1D40000-0x00007FF7C2091000-memory.dmp	xmrig
behavioral2/memory/1428-220-0x00007FF691E90000-0x00007FF6921E1000-memory.dmp	xmrig
behavioral2/memory/3084-222-0x00007FF690600000-0x00007FF690951000-memory.dmp	xmrig
behavioral2/memory/5028-224-0x00007FF7FB9F0000-0x00007FF7FBD41000-memory.dmp	xmrig
behavioral2/memory/3940-226-0x00007FF750310000-0x00007FF750661000-memory.dmp	xmrig
behavioral2/memory/4520-239-0x00007FF6A69B0000-0x00007FF6A6D01000-memory.dmp	xmrig
behavioral2/memory/1660-241-0x00007FF64A300000-0x00007FF64A651000-memory.dmp	xmrig
behavioral2/memory/4060-243-0x00007FF758830000-0x00007FF758B81000-memory.dmp	xmrig
behavioral2/memory/4064-245-0x00007FF6F1650000-0x00007FF6F19A1000-memory.dmp	xmrig
behavioral2/memory/2936-249-0x00007FF6769E0000-0x00007FF676D31000-memory.dmp	xmrig
behavioral2/memory/3040-248-0x00007FF6A07A0000-0x00007FF6A0AF1000-memory.dmp	xmrig
behavioral2/memory/4544-252-0x00007FF7DDAB0000-0x00007FF7DDE01000-memory.dmp	xmrig
behavioral2/memory/3960-253-0x00007FF60ADF0000-0x00007FF60B141000-memory.dmp	xmrig
behavioral2/memory/808-255-0x00007FF741D50000-0x00007FF7420A1000-memory.dmp	xmrig
behavioral2/memory/2112-259-0x00007FF700BF0000-0x00007FF700F41000-memory.dmp	xmrig
behavioral2/memory/548-258-0x00007FF6CA960000-0x00007FF6CACB1000-memory.dmp	xmrig
behavioral2/memory/4288-261-0x00007FF631C40000-0x00007FF631F91000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3572	FYRhFFn.exe
3124	hjtlGmm.exe
3636	WkHxOKj.exe
3328	KecIvRj.exe
4056	KMXCsrD.exe
1428	FqPVePj.exe
3084	TyCvWrJ.exe
5028	wiCnnJx.exe
3940	MFUFozc.exe
4520	delbSkQ.exe
4060	kRAOHiE.exe
1660	tTcExGQ.exe
4064	NVODQWu.exe
2936	PDymDpH.exe
3040	ItyQdns.exe
808	BzVPmdY.exe
4544	PnIUmAG.exe
3960	sALMxov.exe
2112	cuXatMK.exe
548	aUKZFFB.exe
4288	KNQNJVZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3596-0-0x00007FF76D890000-0x00007FF76DBE1000-memory.dmp	upx
behavioral2/files/0x000b000000023c7f-6.dat	upx
behavioral2/files/0x0007000000023c99-9.dat	upx
behavioral2/memory/3124-18-0x00007FF78BC00000-0x00007FF78BF51000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-28.dat	upx
behavioral2/files/0x0007000000023c9a-32.dat	upx
behavioral2/files/0x0007000000023c9d-39.dat	upx
behavioral2/files/0x0007000000023c9f-50.dat	upx
behavioral2/files/0x0007000000023c9e-52.dat	upx
behavioral2/memory/5028-54-0x00007FF7FB9F0000-0x00007FF7FBD41000-memory.dmp	upx
behavioral2/memory/3940-51-0x00007FF750310000-0x00007FF750661000-memory.dmp	upx
behavioral2/memory/3084-46-0x00007FF690600000-0x00007FF690951000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-42.dat	upx
behavioral2/memory/1428-33-0x00007FF691E90000-0x00007FF6921E1000-memory.dmp	upx
behavioral2/memory/4056-30-0x00007FF7C9270000-0x00007FF7C95C1000-memory.dmp	upx
behavioral2/memory/3636-25-0x00007FF7F06E0000-0x00007FF7F0A31000-memory.dmp	upx
behavioral2/memory/3328-24-0x00007FF7C1D40000-0x00007FF7C2091000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-15.dat	upx
behavioral2/memory/3572-11-0x00007FF70CBE0000-0x00007FF70CF31000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-59.dat	upx
behavioral2/memory/4520-64-0x00007FF6A69B0000-0x00007FF6A6D01000-memory.dmp	upx
behavioral2/files/0x0008000000023c95-65.dat	upx
behavioral2/memory/3328-84-0x00007FF7C1D40000-0x00007FF7C2091000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-78.dat	upx
behavioral2/files/0x0007000000023ca2-76.dat	upx
behavioral2/memory/1660-75-0x00007FF64A300000-0x00007FF64A651000-memory.dmp	upx
behavioral2/memory/3124-71-0x00007FF78BC00000-0x00007FF78BF51000-memory.dmp	upx
behavioral2/memory/4060-69-0x00007FF758830000-0x00007FF758B81000-memory.dmp	upx
behavioral2/memory/3596-68-0x00007FF76D890000-0x00007FF76DBE1000-memory.dmp	upx
behavioral2/memory/3636-94-0x00007FF7F06E0000-0x00007FF7F0A31000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-104.dat	upx
behavioral2/files/0x0007000000023ca9-118.dat	upx
behavioral2/files/0x0007000000023caa-120.dat	upx
behavioral2/files/0x0007000000023ca8-115.dat	upx
behavioral2/files/0x0007000000023ca7-110.dat	upx
behavioral2/files/0x0007000000023ca5-105.dat	upx
behavioral2/memory/2936-103-0x00007FF6769E0000-0x00007FF676D31000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-98.dat	upx
behavioral2/files/0x0007000000023ca3-95.dat	upx
behavioral2/memory/3040-92-0x00007FF6A07A0000-0x00007FF6A0AF1000-memory.dmp	upx
behavioral2/memory/4064-89-0x00007FF6F1650000-0x00007FF6F19A1000-memory.dmp	upx
behavioral2/memory/808-126-0x00007FF741D50000-0x00007FF7420A1000-memory.dmp	upx
behavioral2/memory/3596-127-0x00007FF76D890000-0x00007FF76DBE1000-memory.dmp	upx
behavioral2/memory/5028-135-0x00007FF7FB9F0000-0x00007FF7FBD41000-memory.dmp	upx
behavioral2/memory/3940-136-0x00007FF750310000-0x00007FF750661000-memory.dmp	upx
behavioral2/memory/3084-134-0x00007FF690600000-0x00007FF690951000-memory.dmp	upx
behavioral2/memory/4520-137-0x00007FF6A69B0000-0x00007FF6A6D01000-memory.dmp	upx
behavioral2/memory/548-140-0x00007FF6CA960000-0x00007FF6CACB1000-memory.dmp	upx
behavioral2/memory/2112-139-0x00007FF700BF0000-0x00007FF700F41000-memory.dmp	upx
behavioral2/memory/3960-138-0x00007FF60ADF0000-0x00007FF60B141000-memory.dmp	upx
behavioral2/memory/1428-133-0x00007FF691E90000-0x00007FF6921E1000-memory.dmp	upx
behavioral2/memory/4056-132-0x00007FF7C9270000-0x00007FF7C95C1000-memory.dmp	upx
behavioral2/memory/4288-141-0x00007FF631C40000-0x00007FF631F91000-memory.dmp	upx
behavioral2/memory/4544-142-0x00007FF7DDAB0000-0x00007FF7DDE01000-memory.dmp	upx
behavioral2/memory/2936-146-0x00007FF6769E0000-0x00007FF676D31000-memory.dmp	upx
behavioral2/memory/808-148-0x00007FF741D50000-0x00007FF7420A1000-memory.dmp	upx
behavioral2/memory/3040-147-0x00007FF6A07A0000-0x00007FF6A0AF1000-memory.dmp	upx
behavioral2/memory/4064-145-0x00007FF6F1650000-0x00007FF6F19A1000-memory.dmp	upx
behavioral2/memory/1660-144-0x00007FF64A300000-0x00007FF64A651000-memory.dmp	upx
behavioral2/memory/4060-143-0x00007FF758830000-0x00007FF758B81000-memory.dmp	upx
behavioral2/memory/3596-154-0x00007FF76D890000-0x00007FF76DBE1000-memory.dmp	upx
behavioral2/memory/3572-209-0x00007FF70CBE0000-0x00007FF70CF31000-memory.dmp	upx
behavioral2/memory/3124-211-0x00007FF78BC00000-0x00007FF78BF51000-memory.dmp	upx
behavioral2/memory/3636-213-0x00007FF7F06E0000-0x00007FF7F0A31000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\aUKZFFB.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TyCvWrJ.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\delbSkQ.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MFUFozc.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PDymDpH.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ItyQdns.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WkHxOKj.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KMXCsrD.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FqPVePj.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NVODQWu.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BzVPmdY.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PnIUmAG.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sALMxov.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hjtlGmm.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KecIvRj.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kRAOHiE.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tTcExGQ.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cuXatMK.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KNQNJVZ.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FYRhFFn.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wiCnnJx.exe	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 3572	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3596 wrote to memory of 3572	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3596 wrote to memory of 3124	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3596 wrote to memory of 3124	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3596 wrote to memory of 3636	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3596 wrote to memory of 3636	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3596 wrote to memory of 3328	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3596 wrote to memory of 3328	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3596 wrote to memory of 4056	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3596 wrote to memory of 4056	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3596 wrote to memory of 1428	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3596 wrote to memory of 1428	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3596 wrote to memory of 3084	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3596 wrote to memory of 3084	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3596 wrote to memory of 5028	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3596 wrote to memory of 5028	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3596 wrote to memory of 3940	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3596 wrote to memory of 3940	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3596 wrote to memory of 4520	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3596 wrote to memory of 4520	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3596 wrote to memory of 4060	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3596 wrote to memory of 4060	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3596 wrote to memory of 1660	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3596 wrote to memory of 1660	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3596 wrote to memory of 4064	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3596 wrote to memory of 4064	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3596 wrote to memory of 2936	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3596 wrote to memory of 2936	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3596 wrote to memory of 3040	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3596 wrote to memory of 3040	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3596 wrote to memory of 808	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3596 wrote to memory of 808	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3596 wrote to memory of 4544	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3596 wrote to memory of 4544	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3596 wrote to memory of 3960	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3596 wrote to memory of 3960	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3596 wrote to memory of 2112	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3596 wrote to memory of 2112	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3596 wrote to memory of 548	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3596 wrote to memory of 548	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3596 wrote to memory of 4288	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3596 wrote to memory of 4288	3596	2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_44f5c432cb782e1542a69a671e3a0e00_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\System\FYRhFFn.exe
  C:\Windows\System\FYRhFFn.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System\hjtlGmm.exe
  C:\Windows\System\hjtlGmm.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\WkHxOKj.exe
  C:\Windows\System\WkHxOKj.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System\KecIvRj.exe
  C:\Windows\System\KecIvRj.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System\KMXCsrD.exe
  C:\Windows\System\KMXCsrD.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\FqPVePj.exe
  C:\Windows\System\FqPVePj.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\TyCvWrJ.exe
  C:\Windows\System\TyCvWrJ.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\wiCnnJx.exe
  C:\Windows\System\wiCnnJx.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\MFUFozc.exe
  C:\Windows\System\MFUFozc.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\delbSkQ.exe
  C:\Windows\System\delbSkQ.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\kRAOHiE.exe
  C:\Windows\System\kRAOHiE.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\tTcExGQ.exe
  C:\Windows\System\tTcExGQ.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\NVODQWu.exe
  C:\Windows\System\NVODQWu.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\PDymDpH.exe
  C:\Windows\System\PDymDpH.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\ItyQdns.exe
  C:\Windows\System\ItyQdns.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\BzVPmdY.exe
  C:\Windows\System\BzVPmdY.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System\PnIUmAG.exe
  C:\Windows\System\PnIUmAG.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\sALMxov.exe
  C:\Windows\System\sALMxov.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System\cuXatMK.exe
  C:\Windows\System\cuXatMK.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System\aUKZFFB.exe
  C:\Windows\System\aUKZFFB.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\KNQNJVZ.exe
  C:\Windows\System\KNQNJVZ.exe
  2⤵
  - Executes dropped EXE
  PID:4288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BzVPmdY.exe

Filesize
5.2MB

MD5
402532157ab57811e4bc7bf17ff87463

SHA1
9621f7b92778e2f3bff28a67b5184fa4f42f6568

SHA256
59d02433809544e26b1a29c6a94d869eab3f9e6ff7c4c7da52ede3b39b4fd36c

SHA512
d94d3e7ed0bc62a15d0a4804b22b0e865f44d1d719ad4489f4d440ff0a9590c5deba61bd6e74f42ea2509c529b362b6cc42fc59becfdc6aa63100982272a4477

Download Submit
C:\Windows\System\FYRhFFn.exe

Filesize
5.2MB

MD5
59d2146250f483db9011266675f1f4c1

SHA1
0315ccfbeddb71a386e720f7c3be188b4b41ebbc

SHA256
7f57adb8f195a6a3a1b569f5da74073ecd0f20a158691ff391210cfc12371114

SHA512
429af9776217bd1e31240b421424f259d31da04eff82e5b96d8253f1195142d99547765a3f4161bfbfed55bec5c672f5a541bc666851ccdb261ed4f67147bf87

Download Submit
C:\Windows\System\FqPVePj.exe

Filesize
5.2MB

MD5
3a37385c377971c61050435fe233b409

SHA1
364386c662b59e4940aeebb0daf1c54f68c52e9a

SHA256
3ae25a37e2c37833baa78079f01da4747f964796db4d2798c05cba866e6d95e1

SHA512
853014f525ac9dc4baffbb933082c51933261bf0985ee24c1cb1831245ce7daa5f3f3936d820a43c76838dff4baa9fbaef27e58c1c32f43d4570db3cb94d7729

Download Submit
C:\Windows\System\ItyQdns.exe

Filesize
5.2MB

MD5
81bfb43088ad156624f099e505214f89

SHA1
fe030324104382774b21f9b76a73b65097ed37a4

SHA256
55f3ede6b0255893cf7f7da6d48baeb2a8962aec91263284505c0072490ca38f

SHA512
e6147a2350d25c00adda524261aa5d7c40d2caa714fb1ef078ac2669b39ad366fe9866d1dd1dd6a9fbcf074392c61cda4fb80d205a7fb8ddf816463ece62ccbc

Download Submit
C:\Windows\System\KMXCsrD.exe

Filesize
5.2MB

MD5
3c555f95c59652e5b5cbe46644a28e06

SHA1
544482fe30cc5cdd8b65bd996f61ea3f9825a292

SHA256
9ea53f5ca80039d857279a64c4e5e1329c84d80f52563ff4155cbd03f79bfab4

SHA512
cdf1504cf29f36dcfc31d739cb715d55d1a0f3559ad65ae372eaca8df73e3583451911488544d21ce24992a17f5259642c7845a846ee903714e52344c6663ec0

Download Submit
C:\Windows\System\KNQNJVZ.exe

Filesize
5.2MB

MD5
4eb9de5179e9199d68d4ac389a541ad4

SHA1
f28c9e3be65922be0d43746c22c57f4b071ba1a2

SHA256
b46eea29b6a35ffdb2cbc6ecbd110798303206d51514820f0c8a07328153be51

SHA512
636b5e83f919febadd35a332f69ab5dfa16d3b3b865b5954451bb448388d05364f166983d786bcc275c1822992602918560cba95dcda11bf55e7892deeacb7dc

Download Submit
C:\Windows\System\KecIvRj.exe

Filesize
5.2MB

MD5
ddd714348a7a00d580713974f0ce286f

SHA1
e15214bf9a797de19a94652e7a906c77d8001cfb

SHA256
fc253aee9aa6bd71db3787c105f00d087c8b3e229bd4e0099d4768823ff4895c

SHA512
16993bbaa7052623a72da13beb26b958d47a76334dfdc02efe151a320eca43be3da85371a9a0ea755e317f21668c464c335524fd58c5da8a1ea88c07ce7e7c5b

Download Submit
C:\Windows\System\MFUFozc.exe

Filesize
5.2MB

MD5
e96ff45944cfccfd09257c3985d41c32

SHA1
591490be486a2316d47a7ecc3d53639608231d3f

SHA256
8e451c9d6cb3f2c4651d42982855ae94a3fb8d7982e5dd86583dd6cad587e2a9

SHA512
1687503fc5fdc6fba15bcb6a99fdb7a0d001f3811973585d7ac40c10683efbd3193bcd4b0863bc46ccc81553f8bc7c534a81bc32ab8462852855b2571bc9a635

Download Submit
C:\Windows\System\NVODQWu.exe

Filesize
5.2MB

MD5
f64ef1253c5abb494728947ec5008699

SHA1
ec8816449a4c6f01055f6e47bf4bcfcf46bfe2f3

SHA256
afb419ce12f47320f15c5a18e867286dc669be85ce0c58e99076d7bb45893ad5

SHA512
0902745adc8dedae840de0fd41dcfae36198b871eab75a5c680b14d098c3098968e7432688723613504c713b72fab1201329a9f75850f510396af844f2347b5c

Download Submit
C:\Windows\System\PDymDpH.exe

Filesize
5.2MB

MD5
75c6d8a4f32ac14ad1b27e57c763065a

SHA1
698dda6161f5eb9909530606fefde5af3ca89f26

SHA256
3b77bbc9a9dcaf9b87be073d6813cfc61f6c8664149371183fe4028f26b18a3b

SHA512
55efbe46e8448974dbcd680d774695bb1de37eb59b83312ac5f468262e9c955b7f1a056b6da37130e61accdd5f1a2346a226181f7d8820a4cccfecfc1d04794b

Download Submit
C:\Windows\System\PnIUmAG.exe

Filesize
5.2MB

MD5
56167f7b92d0226733886672f57215b8

SHA1
05192091e549110bbafbcdb974f3d6209245d453

SHA256
91248ca00ab8b4e749c67ac7e57201e60bb4676e88364a512f09fc6dee51cde7

SHA512
ed1b5e47c2f6c4f63046463ad433be41d4357c7536b1d94b838d08a024099f24fa14a3de510a448a4782f7e17eb14d2ac86cec9d65ccdf81c164bd09f1975fbf

Download Submit
C:\Windows\System\TyCvWrJ.exe

Filesize
5.2MB

MD5
cc5ac1c800adc787ae4942fcea3a5d30

SHA1
69a23288652ce1807c71a5abc6552f30bf08313d

SHA256
47a59fcbc1105f4e6b04dba5c0a15fc19907c3aa3789df5f8d15b1e0e35a7928

SHA512
34a8aa24f04860d03033415c97bff96a00cd7483980b79944a1e6a7ffc7e0a68903ff185634a37039d000ad4348a4cf3685a27bf20a9556722817c27c487a251

Download Submit
C:\Windows\System\WkHxOKj.exe

Filesize
5.2MB

MD5
376c8a6df1a003df6e5a903517919e03

SHA1
d73dc26ed022ed23e2a0b51e266cf440514b45ba

SHA256
5092a3a017612a0942ce72acf4ab879385f55687d1e48f3b1026b18794f17bf9

SHA512
fd8c94e31c83c63076d2bc4558a6816d8c30f02c39ffeed2c78349002cf35236190590a9dee6f4a912a0425876a67131cb83864c356488984f50c99d0a89c2e8

Download Submit
C:\Windows\System\aUKZFFB.exe

Filesize
5.2MB

MD5
ddd33c414134031e7b52f7b5d5e3161d

SHA1
3d4efa1242dace7b39b289c8c01703f9f8b4f691

SHA256
eae42c7ab36be7da792a8001b3b766f994f088aa94ea1fd3f5ebafb56796fcb0

SHA512
c593f294e2df0f633da21eafee55a3024c469ceeec5c813a478b051823529c3b0ecb91aa6e0f5e18b9cfa48d87df3e5582d6259de2dbea0ee619e1f577b7f400

Download Submit
C:\Windows\System\cuXatMK.exe

Filesize
5.2MB

MD5
69bf691f6ea0243daefeaf45c37ff6f0

SHA1
def8e13eecc67df876a9877e6214d22a278aedd6

SHA256
9d4ca190bddedecdf19669be50b4388dde7e0c22b548f1395546247cb3d66846

SHA512
96b26cec2f7d2d82ebef7d955bdcb6e01f1b7d7c34c31a3ba3da3ab7e74d0ffbe13dcc85b5a874ff00c2ee53d821bd55b663449fe6d5e9786357c08b6a895882

Download Submit
C:\Windows\System\delbSkQ.exe

Filesize
5.2MB

MD5
49e4eefe44d8840e92d85c7b3c471861

SHA1
aaad1301ac13f29356b6573f64ec7ef61d79a1bb

SHA256
ce954b963c75a0c4ed9ea2effe3ec68eb8ee51f07b04516d58e4f25e2a254184

SHA512
71083d90a6f7ed9e4d21fe85a845219731a893fec93a0fde916014f9f276a0df563b2c874a4e9fb5a8a96ca229901d5342bc862ee8b9fbf9ac5ba869dfc7265f

Download Submit
C:\Windows\System\hjtlGmm.exe

Filesize
5.2MB

MD5
c808a6cab305a06d752e5a23fb9a1e2b

SHA1
2c38180d9b4a554c7b0c239bcd89e08452590bf3

SHA256
58a69986c0fc368a6621d9c12b70fe244df1286bfa23bc1fa0d6908d814b8e13

SHA512
b65caa016c3f06e06c34a951572e2230c818ed90e98a1f5eae226d51a6c65f8e86eb9045b33480fe7d5871798f49a7af2300202928ff387f800d46489da237c1

Download Submit
C:\Windows\System\kRAOHiE.exe

Filesize
5.2MB

MD5
c8452827642dcae761f9d82676cf3245

SHA1
cdf72ae2e99a4f05a95927f03efa0df2c9e58103

SHA256
38558afdfb16e3551f82bd61d9ac7d7f86e012faee42fb215b842f6f3ad366dc

SHA512
dd8aa09a4584cd35b05c53ce631b37c6700c1cc5b3e8c45600c794fd5d547e8b44567a431fb97f694d269b43d0154f9e5746e44055a86fab9bd54bb90f08d133

Download Submit
C:\Windows\System\sALMxov.exe

Filesize
5.2MB

MD5
8067d8633dbb696ab5f2a2af0de69a92

SHA1
7b91c2e34e94397c7ae102e32c6a3cd6e887ee7c

SHA256
d2995cfdc2d24500381aeba544bf2e15df83ff2e0912ce751c1f1135d7c86516

SHA512
e80a34efbd5e8d38a0774c0d80be557780ff80ee91d9273025e35c6e8b06160b81d4256fa9d24cdb81ccc9899daa6e1612e5f9c4ddab9cd6e14b1a8faedaa492

Download Submit
C:\Windows\System\tTcExGQ.exe

Filesize
5.2MB

MD5
47d2220337bc85226269702c0c9a5bd6

SHA1
cac85193c57dcff56ad2c5e82a72602b4c576e31

SHA256
10501d835e708f013f214a9d68f2fc48d2f0c5bd3aca127377d2869a4a895202

SHA512
f1e63255a11de7ab51e0ea9aec80767d2885f0e16092ef132e7e1055579e737647f83a6949d779036000f8e04d2e7802e56aaa322c6127868dce9e2a89ac3c6c

Download Submit
C:\Windows\System\wiCnnJx.exe

Filesize
5.2MB

MD5
dc40492069a9e5f90cc18be14552b43d

SHA1
9cafeef8f60912bbf3176372e593ddee4e4171dd

SHA256
3f3e4102fa7f89b4aa425271fe908e01b35724141117977c75d1f5a23bed7bf8

SHA512
90a436efead76787dbeb9385c452910d2ede3d715f68cef0f7dc1369533cc8df0c5ccfac1cacbc1925bbfc92c394f9d292fbbd43fa8d09ad1d68b73c581e4002

Download Submit
memory/548-140-0x00007FF6CA960000-0x00007FF6CACB1000-memory.dmp

Filesize
3.3MB

Download
memory/548-258-0x00007FF6CA960000-0x00007FF6CACB1000-memory.dmp

Filesize
3.3MB

Download
memory/808-148-0x00007FF741D50000-0x00007FF7420A1000-memory.dmp

Filesize
3.3MB

Download
memory/808-126-0x00007FF741D50000-0x00007FF7420A1000-memory.dmp

Filesize
3.3MB

Download
memory/808-255-0x00007FF741D50000-0x00007FF7420A1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-33-0x00007FF691E90000-0x00007FF6921E1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-133-0x00007FF691E90000-0x00007FF6921E1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-220-0x00007FF691E90000-0x00007FF6921E1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-144-0x00007FF64A300000-0x00007FF64A651000-memory.dmp

Filesize
3.3MB

Download
memory/1660-241-0x00007FF64A300000-0x00007FF64A651000-memory.dmp

Filesize
3.3MB

Download
memory/1660-75-0x00007FF64A300000-0x00007FF64A651000-memory.dmp

Filesize
3.3MB

Download
memory/2112-259-0x00007FF700BF0000-0x00007FF700F41000-memory.dmp

Filesize
3.3MB

Download
memory/2112-139-0x00007FF700BF0000-0x00007FF700F41000-memory.dmp

Filesize
3.3MB

Download
memory/2936-249-0x00007FF6769E0000-0x00007FF676D31000-memory.dmp

Filesize
3.3MB

Download
memory/2936-103-0x00007FF6769E0000-0x00007FF676D31000-memory.dmp

Filesize
3.3MB

Download
memory/2936-146-0x00007FF6769E0000-0x00007FF676D31000-memory.dmp

Filesize
3.3MB

Download
memory/3040-147-0x00007FF6A07A0000-0x00007FF6A0AF1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-92-0x00007FF6A07A0000-0x00007FF6A0AF1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-248-0x00007FF6A07A0000-0x00007FF6A0AF1000-memory.dmp

Filesize
3.3MB

Download
memory/3084-134-0x00007FF690600000-0x00007FF690951000-memory.dmp

Filesize
3.3MB

Download
memory/3084-46-0x00007FF690600000-0x00007FF690951000-memory.dmp

Filesize
3.3MB

Download
memory/3084-222-0x00007FF690600000-0x00007FF690951000-memory.dmp

Filesize
3.3MB

Download
memory/3124-71-0x00007FF78BC00000-0x00007FF78BF51000-memory.dmp

Filesize
3.3MB

Download
memory/3124-18-0x00007FF78BC00000-0x00007FF78BF51000-memory.dmp

Filesize
3.3MB

Download
memory/3124-211-0x00007FF78BC00000-0x00007FF78BF51000-memory.dmp

Filesize
3.3MB

Download
memory/3328-84-0x00007FF7C1D40000-0x00007FF7C2091000-memory.dmp

Filesize
3.3MB

Download
memory/3328-24-0x00007FF7C1D40000-0x00007FF7C2091000-memory.dmp

Filesize
3.3MB

Download
memory/3328-217-0x00007FF7C1D40000-0x00007FF7C2091000-memory.dmp

Filesize
3.3MB

Download
memory/3572-11-0x00007FF70CBE0000-0x00007FF70CF31000-memory.dmp

Filesize
3.3MB

Download
memory/3572-209-0x00007FF70CBE0000-0x00007FF70CF31000-memory.dmp

Filesize
3.3MB

Download
memory/3596-68-0x00007FF76D890000-0x00007FF76DBE1000-memory.dmp

Filesize
3.3MB

Download
memory/3596-1-0x000001E5C4E50000-0x000001E5C4E60000-memory.dmp

Filesize
64KB

Download
memory/3596-0-0x00007FF76D890000-0x00007FF76DBE1000-memory.dmp

Filesize
3.3MB

Download
memory/3596-154-0x00007FF76D890000-0x00007FF76DBE1000-memory.dmp

Filesize
3.3MB

Download
memory/3596-127-0x00007FF76D890000-0x00007FF76DBE1000-memory.dmp

Filesize
3.3MB

Download
memory/3636-25-0x00007FF7F06E0000-0x00007FF7F0A31000-memory.dmp

Filesize
3.3MB

Download
memory/3636-213-0x00007FF7F06E0000-0x00007FF7F0A31000-memory.dmp

Filesize
3.3MB

Download
memory/3636-94-0x00007FF7F06E0000-0x00007FF7F0A31000-memory.dmp

Filesize
3.3MB

Download
memory/3940-136-0x00007FF750310000-0x00007FF750661000-memory.dmp

Filesize
3.3MB

Download
memory/3940-226-0x00007FF750310000-0x00007FF750661000-memory.dmp

Filesize
3.3MB

Download
memory/3940-51-0x00007FF750310000-0x00007FF750661000-memory.dmp

Filesize
3.3MB

Download
memory/3960-138-0x00007FF60ADF0000-0x00007FF60B141000-memory.dmp

Filesize
3.3MB

Download
memory/3960-253-0x00007FF60ADF0000-0x00007FF60B141000-memory.dmp

Filesize
3.3MB

Download
memory/4056-215-0x00007FF7C9270000-0x00007FF7C95C1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-30-0x00007FF7C9270000-0x00007FF7C95C1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-132-0x00007FF7C9270000-0x00007FF7C95C1000-memory.dmp

Filesize
3.3MB

Download
memory/4060-143-0x00007FF758830000-0x00007FF758B81000-memory.dmp

Filesize
3.3MB

Download
memory/4060-69-0x00007FF758830000-0x00007FF758B81000-memory.dmp

Filesize
3.3MB

Download
memory/4060-243-0x00007FF758830000-0x00007FF758B81000-memory.dmp

Filesize
3.3MB

Download
memory/4064-145-0x00007FF6F1650000-0x00007FF6F19A1000-memory.dmp

Filesize
3.3MB

Download
memory/4064-245-0x00007FF6F1650000-0x00007FF6F19A1000-memory.dmp

Filesize
3.3MB

Download
memory/4064-89-0x00007FF6F1650000-0x00007FF6F19A1000-memory.dmp

Filesize
3.3MB

Download
memory/4288-141-0x00007FF631C40000-0x00007FF631F91000-memory.dmp

Filesize
3.3MB

Download
memory/4288-261-0x00007FF631C40000-0x00007FF631F91000-memory.dmp

Filesize
3.3MB

Download
memory/4520-239-0x00007FF6A69B0000-0x00007FF6A6D01000-memory.dmp

Filesize
3.3MB

Download
memory/4520-64-0x00007FF6A69B0000-0x00007FF6A6D01000-memory.dmp

Filesize
3.3MB

Download
memory/4520-137-0x00007FF6A69B0000-0x00007FF6A6D01000-memory.dmp

Filesize
3.3MB

Download
memory/4544-252-0x00007FF7DDAB0000-0x00007FF7DDE01000-memory.dmp

Filesize
3.3MB

Download
memory/4544-142-0x00007FF7DDAB0000-0x00007FF7DDE01000-memory.dmp

Filesize
3.3MB

Download
memory/5028-224-0x00007FF7FB9F0000-0x00007FF7FBD41000-memory.dmp

Filesize
3.3MB

Download
memory/5028-135-0x00007FF7FB9F0000-0x00007FF7FBD41000-memory.dmp

Filesize
3.3MB

Download
memory/5028-54-0x00007FF7FB9F0000-0x00007FF7FBD41000-memory.dmp

Filesize
3.3MB

Download