cobaltstrike | 88290f7aa9cbafa7e2d51ce3ac7edc71d5463f9a6768398ef1bd4c82993c9a15

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

cacd9a28601f32577e420310f8589f41
SHA1

94f5c8ab96c8e82794a0abb0e1d29b07fd53dcde
SHA256

88290f7aa9cbafa7e2d51ce3ac7edc71d5463f9a6768398ef1bd4c82993c9a15
SHA512

76f3a5b3cf5a5326a921976d9d00284511ccbe046dec70858d143e65459e5d10a40bdc00006f08c9d944053c9adb3440200d1cb58a6ead0f07cbb86f43bd0038
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lW:RWWBibf56utgpPFotBER/mQ32lUK

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c88-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-47.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c89-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8e-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-138.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-104.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/3660-38-0x00007FF7C6A10000-0x00007FF7C6D61000-memory.dmp	xmrig
behavioral2/memory/3512-36-0x00007FF710C90000-0x00007FF710FE1000-memory.dmp	xmrig
behavioral2/memory/3820-74-0x00007FF6861B0000-0x00007FF686501000-memory.dmp	xmrig
behavioral2/memory/3324-70-0x00007FF72CCE0000-0x00007FF72D031000-memory.dmp	xmrig
behavioral2/memory/2948-66-0x00007FF7CCA50000-0x00007FF7CCDA1000-memory.dmp	xmrig
behavioral2/memory/3864-78-0x00007FF60E0F0000-0x00007FF60E441000-memory.dmp	xmrig
behavioral2/memory/628-89-0x00007FF6182A0000-0x00007FF6185F1000-memory.dmp	xmrig
behavioral2/memory/3660-88-0x00007FF7C6A10000-0x00007FF7C6D61000-memory.dmp	xmrig
behavioral2/memory/3512-85-0x00007FF710C90000-0x00007FF710FE1000-memory.dmp	xmrig
behavioral2/memory/3484-82-0x00007FF718D40000-0x00007FF719091000-memory.dmp	xmrig
behavioral2/memory/3928-129-0x00007FF7B0380000-0x00007FF7B06D1000-memory.dmp	xmrig
behavioral2/memory/3208-136-0x00007FF6086F0000-0x00007FF608A41000-memory.dmp	xmrig
behavioral2/memory/4904-130-0x00007FF7C96B0000-0x00007FF7C9A01000-memory.dmp	xmrig
behavioral2/memory/3388-112-0x00007FF6EE440000-0x00007FF6EE791000-memory.dmp	xmrig
behavioral2/memory/3972-100-0x00007FF7A6090000-0x00007FF7A63E1000-memory.dmp	xmrig
behavioral2/memory/3044-99-0x00007FF62EB90000-0x00007FF62EEE1000-memory.dmp	xmrig
behavioral2/memory/1864-97-0x00007FF68CB70000-0x00007FF68CEC1000-memory.dmp	xmrig
behavioral2/memory/440-143-0x00007FF7D2230000-0x00007FF7D2581000-memory.dmp	xmrig
behavioral2/memory/2948-140-0x00007FF7CCA50000-0x00007FF7CCDA1000-memory.dmp	xmrig
behavioral2/memory/4836-154-0x00007FF7C6B30000-0x00007FF7C6E81000-memory.dmp	xmrig
behavioral2/memory/3756-156-0x00007FF79CCB0000-0x00007FF79D001000-memory.dmp	xmrig
behavioral2/memory/4100-159-0x00007FF610140000-0x00007FF610491000-memory.dmp	xmrig
behavioral2/memory/4844-160-0x00007FF64A930000-0x00007FF64AC81000-memory.dmp	xmrig
behavioral2/memory/3648-165-0x00007FF65A640000-0x00007FF65A991000-memory.dmp	xmrig
behavioral2/memory/5004-166-0x00007FF684A80000-0x00007FF684DD1000-memory.dmp	xmrig
behavioral2/memory/2948-167-0x00007FF7CCA50000-0x00007FF7CCDA1000-memory.dmp	xmrig
behavioral2/memory/3324-220-0x00007FF72CCE0000-0x00007FF72D031000-memory.dmp	xmrig
behavioral2/memory/3820-222-0x00007FF6861B0000-0x00007FF686501000-memory.dmp	xmrig
behavioral2/memory/3864-224-0x00007FF60E0F0000-0x00007FF60E441000-memory.dmp	xmrig
behavioral2/memory/3660-230-0x00007FF7C6A10000-0x00007FF7C6D61000-memory.dmp	xmrig
behavioral2/memory/3484-234-0x00007FF718D40000-0x00007FF719091000-memory.dmp	xmrig
behavioral2/memory/3512-232-0x00007FF710C90000-0x00007FF710FE1000-memory.dmp	xmrig
behavioral2/memory/1864-236-0x00007FF68CB70000-0x00007FF68CEC1000-memory.dmp	xmrig
behavioral2/memory/3044-240-0x00007FF62EB90000-0x00007FF62EEE1000-memory.dmp	xmrig
behavioral2/memory/3972-239-0x00007FF7A6090000-0x00007FF7A63E1000-memory.dmp	xmrig
behavioral2/memory/3388-242-0x00007FF6EE440000-0x00007FF6EE791000-memory.dmp	xmrig
behavioral2/memory/3208-245-0x00007FF6086F0000-0x00007FF608A41000-memory.dmp	xmrig
behavioral2/memory/440-247-0x00007FF7D2230000-0x00007FF7D2581000-memory.dmp	xmrig
behavioral2/memory/628-252-0x00007FF6182A0000-0x00007FF6185F1000-memory.dmp	xmrig
behavioral2/memory/4836-254-0x00007FF7C6B30000-0x00007FF7C6E81000-memory.dmp	xmrig
behavioral2/memory/3756-262-0x00007FF79CCB0000-0x00007FF79D001000-memory.dmp	xmrig
behavioral2/memory/4100-264-0x00007FF610140000-0x00007FF610491000-memory.dmp	xmrig
behavioral2/memory/4844-266-0x00007FF64A930000-0x00007FF64AC81000-memory.dmp	xmrig
behavioral2/memory/4904-268-0x00007FF7C96B0000-0x00007FF7C9A01000-memory.dmp	xmrig
behavioral2/memory/3928-270-0x00007FF7B0380000-0x00007FF7B06D1000-memory.dmp	xmrig
behavioral2/memory/3648-272-0x00007FF65A640000-0x00007FF65A991000-memory.dmp	xmrig
behavioral2/memory/5004-274-0x00007FF684A80000-0x00007FF684DD1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3324	WzpKxHf.exe
3820	UQNynmd.exe
3864	vPsZfji.exe
3484	TFyOjCh.exe
3512	DlKHdxH.exe
3660	BEJXqTA.exe
1864	TcHtiiC.exe
3044	nESKfsb.exe
3972	IQPkJuK.exe
3388	QnWUsfc.exe
3208	JOgYxTK.exe
440	aMJwDCt.exe
628	WrSPRoS.exe
4836	FuAGjKx.exe
3756	AnhYQgv.exe
4100	OgrUxUX.exe
4844	TZfyUpW.exe
4904	qkcVoQw.exe
3928	gUlIcRb.exe
3648	BJAeWkI.exe
5004	mTyrpPW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2948-0-0x00007FF7CCA50000-0x00007FF7CCDA1000-memory.dmp	upx
behavioral2/files/0x0008000000023c88-5.dat	upx
behavioral2/memory/3324-8-0x00007FF72CCE0000-0x00007FF72D031000-memory.dmp	upx
behavioral2/files/0x0007000000023c8d-11.dat	upx
behavioral2/memory/3864-18-0x00007FF60E0F0000-0x00007FF60E441000-memory.dmp	upx
behavioral2/files/0x0007000000023c8f-29.dat	upx
behavioral2/files/0x0007000000023c90-31.dat	upx
behavioral2/files/0x0007000000023c91-41.dat	upx
behavioral2/files/0x0007000000023c92-47.dat	upx
behavioral2/files/0x0008000000023c89-57.dat	upx
behavioral2/files/0x0007000000023c93-59.dat	upx
behavioral2/memory/3388-60-0x00007FF6EE440000-0x00007FF6EE791000-memory.dmp	upx
behavioral2/memory/3972-55-0x00007FF7A6090000-0x00007FF7A63E1000-memory.dmp	upx
behavioral2/memory/3044-51-0x00007FF62EB90000-0x00007FF62EEE1000-memory.dmp	upx
behavioral2/memory/1864-42-0x00007FF68CB70000-0x00007FF68CEC1000-memory.dmp	upx
behavioral2/memory/3660-38-0x00007FF7C6A10000-0x00007FF7C6D61000-memory.dmp	upx
behavioral2/memory/3512-36-0x00007FF710C90000-0x00007FF710FE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8e-33.dat	upx
behavioral2/memory/3484-30-0x00007FF718D40000-0x00007FF719091000-memory.dmp	upx
behavioral2/memory/3820-13-0x00007FF6861B0000-0x00007FF686501000-memory.dmp	upx
behavioral2/files/0x0007000000023c8c-12.dat	upx
behavioral2/memory/3208-67-0x00007FF6086F0000-0x00007FF608A41000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-72.dat	upx
behavioral2/files/0x0007000000023c95-76.dat	upx
behavioral2/memory/440-75-0x00007FF7D2230000-0x00007FF7D2581000-memory.dmp	upx
behavioral2/memory/3820-74-0x00007FF6861B0000-0x00007FF686501000-memory.dmp	upx
behavioral2/memory/3324-70-0x00007FF72CCE0000-0x00007FF72D031000-memory.dmp	upx
behavioral2/memory/2948-66-0x00007FF7CCA50000-0x00007FF7CCDA1000-memory.dmp	upx
behavioral2/memory/3864-78-0x00007FF60E0F0000-0x00007FF60E441000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-83.dat	upx
behavioral2/memory/628-89-0x00007FF6182A0000-0x00007FF6185F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-90.dat	upx
behavioral2/memory/4836-91-0x00007FF7C6B30000-0x00007FF7C6E81000-memory.dmp	upx
behavioral2/memory/3660-88-0x00007FF7C6A10000-0x00007FF7C6D61000-memory.dmp	upx
behavioral2/memory/3512-85-0x00007FF710C90000-0x00007FF710FE1000-memory.dmp	upx
behavioral2/memory/3484-82-0x00007FF718D40000-0x00007FF719091000-memory.dmp	upx
behavioral2/memory/3756-98-0x00007FF79CCB0000-0x00007FF79D001000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-105.dat	upx
behavioral2/files/0x0007000000023c9a-111.dat	upx
behavioral2/files/0x0007000000023c9c-123.dat	upx
behavioral2/memory/3928-129-0x00007FF7B0380000-0x00007FF7B06D1000-memory.dmp	upx
behavioral2/memory/3648-131-0x00007FF65A640000-0x00007FF65A991000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-132.dat	upx
behavioral2/memory/5004-137-0x00007FF684A80000-0x00007FF684DD1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-138.dat	upx
behavioral2/memory/3208-136-0x00007FF6086F0000-0x00007FF608A41000-memory.dmp	upx
behavioral2/memory/4904-130-0x00007FF7C96B0000-0x00007FF7C9A01000-memory.dmp	upx
behavioral2/memory/4844-125-0x00007FF64A930000-0x00007FF64AC81000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-118.dat	upx
behavioral2/memory/3388-112-0x00007FF6EE440000-0x00007FF6EE791000-memory.dmp	upx
behavioral2/memory/4100-108-0x00007FF610140000-0x00007FF610491000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-104.dat	upx
behavioral2/memory/3972-100-0x00007FF7A6090000-0x00007FF7A63E1000-memory.dmp	upx
behavioral2/memory/3044-99-0x00007FF62EB90000-0x00007FF62EEE1000-memory.dmp	upx
behavioral2/memory/1864-97-0x00007FF68CB70000-0x00007FF68CEC1000-memory.dmp	upx
behavioral2/memory/440-143-0x00007FF7D2230000-0x00007FF7D2581000-memory.dmp	upx
behavioral2/memory/2948-140-0x00007FF7CCA50000-0x00007FF7CCDA1000-memory.dmp	upx
behavioral2/memory/4836-154-0x00007FF7C6B30000-0x00007FF7C6E81000-memory.dmp	upx
behavioral2/memory/3756-156-0x00007FF79CCB0000-0x00007FF79D001000-memory.dmp	upx
behavioral2/memory/4100-159-0x00007FF610140000-0x00007FF610491000-memory.dmp	upx
behavioral2/memory/4844-160-0x00007FF64A930000-0x00007FF64AC81000-memory.dmp	upx
behavioral2/memory/3648-165-0x00007FF65A640000-0x00007FF65A991000-memory.dmp	upx
behavioral2/memory/5004-166-0x00007FF684A80000-0x00007FF684DD1000-memory.dmp	upx
behavioral2/memory/2948-167-0x00007FF7CCA50000-0x00007FF7CCDA1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\nESKfsb.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JOgYxTK.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aMJwDCt.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qkcVoQw.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gUlIcRb.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BEJXqTA.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IQPkJuK.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QnWUsfc.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FuAGjKx.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OgrUxUX.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BJAeWkI.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UQNynmd.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vPsZfji.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DlKHdxH.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TcHtiiC.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WrSPRoS.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AnhYQgv.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WzpKxHf.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TFyOjCh.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TZfyUpW.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mTyrpPW.exe	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 3324	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2948 wrote to memory of 3324	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2948 wrote to memory of 3820	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2948 wrote to memory of 3820	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2948 wrote to memory of 3864	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2948 wrote to memory of 3864	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2948 wrote to memory of 3512	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2948 wrote to memory of 3512	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2948 wrote to memory of 3660	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2948 wrote to memory of 3660	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2948 wrote to memory of 3484	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2948 wrote to memory of 3484	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2948 wrote to memory of 1864	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2948 wrote to memory of 1864	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2948 wrote to memory of 3044	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2948 wrote to memory of 3044	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2948 wrote to memory of 3972	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2948 wrote to memory of 3972	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2948 wrote to memory of 3388	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2948 wrote to memory of 3388	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2948 wrote to memory of 3208	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2948 wrote to memory of 3208	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2948 wrote to memory of 440	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2948 wrote to memory of 440	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2948 wrote to memory of 628	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2948 wrote to memory of 628	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2948 wrote to memory of 4836	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2948 wrote to memory of 4836	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2948 wrote to memory of 3756	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2948 wrote to memory of 3756	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2948 wrote to memory of 4100	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2948 wrote to memory of 4100	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2948 wrote to memory of 4844	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2948 wrote to memory of 4844	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2948 wrote to memory of 4904	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2948 wrote to memory of 4904	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2948 wrote to memory of 3928	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2948 wrote to memory of 3928	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2948 wrote to memory of 3648	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2948 wrote to memory of 3648	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2948 wrote to memory of 5004	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2948 wrote to memory of 5004	2948	2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_cacd9a28601f32577e420310f8589f41_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\System\WzpKxHf.exe
  C:\Windows\System\WzpKxHf.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System\UQNynmd.exe
  C:\Windows\System\UQNynmd.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System\vPsZfji.exe
  C:\Windows\System\vPsZfji.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System\DlKHdxH.exe
  C:\Windows\System\DlKHdxH.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\BEJXqTA.exe
  C:\Windows\System\BEJXqTA.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\TFyOjCh.exe
  C:\Windows\System\TFyOjCh.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\TcHtiiC.exe
  C:\Windows\System\TcHtiiC.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\nESKfsb.exe
  C:\Windows\System\nESKfsb.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\IQPkJuK.exe
  C:\Windows\System\IQPkJuK.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\QnWUsfc.exe
  C:\Windows\System\QnWUsfc.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\JOgYxTK.exe
  C:\Windows\System\JOgYxTK.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System\aMJwDCt.exe
  C:\Windows\System\aMJwDCt.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System\WrSPRoS.exe
  C:\Windows\System\WrSPRoS.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\FuAGjKx.exe
  C:\Windows\System\FuAGjKx.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\AnhYQgv.exe
  C:\Windows\System\AnhYQgv.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System\OgrUxUX.exe
  C:\Windows\System\OgrUxUX.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\TZfyUpW.exe
  C:\Windows\System\TZfyUpW.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\qkcVoQw.exe
  C:\Windows\System\qkcVoQw.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\gUlIcRb.exe
  C:\Windows\System\gUlIcRb.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\BJAeWkI.exe
  C:\Windows\System\BJAeWkI.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\mTyrpPW.exe
  C:\Windows\System\mTyrpPW.exe
  2⤵
  - Executes dropped EXE
  PID:5004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AnhYQgv.exe

Filesize
5.2MB

MD5
bf410d32d2cbef823dccae5b95198422

SHA1
2db85fe49d2a7bcf6d195abbec2042947c363f8f

SHA256
a7a3b862d93446cba4c266e5cbd2f2c0716e7606b1310349733d3201846911d2

SHA512
18fe5f449cf1b206374af5ead588ba158fdd79839e727f2dae0f643ee70d2170f2909773505ca52fb8e803f6377e3b276368245d577d51db283ed75004969995

Download Submit
C:\Windows\System\BEJXqTA.exe

Filesize
5.2MB

MD5
6732bcef99f0a8901fc2f89af0c49328

SHA1
f80fce98133d2dfdd285c399c1e98f521b12793c

SHA256
1a243cfa79189e41ca1a06b06fc3cfdd783b55b4d6bfcd08b2c8ebe42ad0efe9

SHA512
eb28a7b4e5f78b9b0e85358b11a5b85764bf36913159654db46b42b85f83a53d4e70636f051d76ccddda3c223ac9bb367aaf3fc244a8e219b1caaea026da46ad

Download Submit
C:\Windows\System\BJAeWkI.exe

Filesize
5.2MB

MD5
db7105c568ddd9b76c2166f8c0868035

SHA1
dc765faa463deba7326021ead60d1666d38d0325

SHA256
02b9fad2501d25510c6f2033f13338fb3504cc18ea31fed36336bd3022484213

SHA512
0d272afca152a4c39381d9a1904cf5f74bd9ab112b5d253a43537edb9704737c29a33671a4f8467cadebe0d5be4aa80067ea311acba949b94580e5604b5898a1

Download Submit
C:\Windows\System\DlKHdxH.exe

Filesize
5.2MB

MD5
d8ccf480fd2961628c6a870d7511b5a8

SHA1
a60670471511424e0f0dac9783adafc3379c40ef

SHA256
47df009c450abe87d34d2fdcc3b1144727e76a5fc8421e589e820ae59c6a5366

SHA512
63c0d82d153149ddf90da0aa54dd61e77058c9067248bbb9b1d77275518b03fc93fbfb88f8d2467cfccded7cf9b71cc7fe8dfec97ab2c1f55b79ffb3a7a2a211

Download Submit
C:\Windows\System\FuAGjKx.exe

Filesize
5.2MB

MD5
0b46ee7b1cc190e2d3805471c4b77b37

SHA1
b92bbe26a3270f4f8f1285c44d118351c308e14b

SHA256
8b4bdb3867ca2e81fd2ed697c7343941e7bf94ee8351a2264907dbcdee8124b6

SHA512
cfd395dc6e28586ddbeea34b0d70f6b7a8aadefe524d6542b98fe1fd92e726d3f8e47a8ad57ff885d6ef4370726aa23dd556c4a994582f12cdf4ee3079c8b8b9

Download Submit
C:\Windows\System\IQPkJuK.exe

Filesize
5.2MB

MD5
90e33ac064d080fc4620762cb7541c31

SHA1
9eece8b1c8bc91825231583293dc9d19f22ccb16

SHA256
b03c6b0c2d580bcf180ef52f53c814165861203a386fbba7d5d2f46802927191

SHA512
99dad5229b3af261c11da6ab4ec0bbadebd59885943d86717ad910f51dba7b61f07b324bc82252b7d5886d9197b78c15e4cf76dc7d4c54461e792211e649e7eb

Download Submit
C:\Windows\System\JOgYxTK.exe

Filesize
5.2MB

MD5
f17f790a79519f2ca65b32d30dae1be7

SHA1
aa61b96b60cc4bc211f6fcfb14db81bbbbea7783

SHA256
17802d2f6c93af43ff76521874bb1297a3d5a4d4a8a3ae46f20a68796300aad7

SHA512
7606c1f1e922b247b5fb9a5264712f6461917b127ecce5d0efaeca1d887db0c0838165d1e9c485119383453e7fef9bca75fd47a9413f5996f9ee7efc9fd5a36d

Download Submit
C:\Windows\System\OgrUxUX.exe

Filesize
5.2MB

MD5
1c55dda444dcbc66381572d33abd3268

SHA1
713f94acc12dce60c70c4cec86b5d32dce2194df

SHA256
9c8b18c65802ef1ce9e1e628bf14e11728e1461ae47db4dba4d575fb0cb3c9be

SHA512
293b9ec381d11f26a3c8d74f673cfcece545ee3af23110e71ee8c5147bfa1cb86b4f7eb373e58688d339ea89c776f04adea94a799914ae1de8a53e2c26b4755c

Download Submit
C:\Windows\System\QnWUsfc.exe

Filesize
5.2MB

MD5
407a68ab10c7fc1158259b138c6ec074

SHA1
ad114bf116fb765e610e3e196b971b108ca97765

SHA256
3000bb4680cc37ded3796de368c7af717707ef9e5d58d69506e476530790a056

SHA512
7dd6e744fd6e43146034371e8445d9d8335e684eaec9dffc9f8eb7bdb59926c21d37960d07766939646bcda6a6a5ad7d62e366b35364ea440b2f172fa681d6d2

Download Submit
C:\Windows\System\TFyOjCh.exe

Filesize
5.2MB

MD5
02ed439a18b943b286003e08e9152d2b

SHA1
0d8e147995173e85975b94706d9beabf860eba3e

SHA256
f07a2535d502fe6a45397fa8319a3864f230eb9df0ba8e1640cae15ea48cddfc

SHA512
49d1efeeb107babc828d9b63ffa8fdf1b97516785a51e1f068c5ce4822dada5356413c64b241989d47123d2a5166c1e7d07770472b5ac762ead593d26fec9098

Download Submit
C:\Windows\System\TZfyUpW.exe

Filesize
5.2MB

MD5
e769f550ff13a158e7331f9c1f0fd761

SHA1
956f89ec97f9048c0ba5e21e393a2c17d742308e

SHA256
abc9c5cc7e5ecf0ed9776546aae72e1dc1cc54839168253b2d3d0896436913aa

SHA512
525afae0abf381bccba6296aeb640f171cda19c3100f6c3fcfbc5b392f8db5cd077bf11855452352bf0601b741fa4e62befaa5b80ca91faf80b429300ce46d82

Download Submit
C:\Windows\System\TcHtiiC.exe

Filesize
5.2MB

MD5
88b357329ae552c452bc53f4e17f27c2

SHA1
ab0de4f0f09d42d335030279700461579e4d82e0

SHA256
cc59109d3d59d96135a372fb6c0580b072c1c3d117fffcc97f58bb12871777a0

SHA512
481f72e2294805fe6c5eaf5c6130d177ace720a952cb451dff16d337b926cc43919cb6a7a13ef341f796f988fc61616dfaabe0dd3bbbd19842bcfabfe88a28b9

Download Submit
C:\Windows\System\UQNynmd.exe

Filesize
5.2MB

MD5
41725b4142915b725991f136764d3eae

SHA1
6314d21a1c4270cfed4bb89628cb81f32b38d749

SHA256
de4e9c09e71b2d47aa45d4e0c1b43628fad0bb419a42d47b6052bb18cc4d72b6

SHA512
5aed8b533fd7012f9f3eb6ef7e53ee41ffc66ae9e91e7852b377402a5aaa205a6e97f4a41b300cd23d4dd6805edd805bea271b7b8dc8c4f4a26d047133722be2

Download Submit
C:\Windows\System\WrSPRoS.exe

Filesize
5.2MB

MD5
c5704a8d9d4a9ac3fa3a89c590e1829c

SHA1
e8a3dea05b1c2546e6a7f41e0cbd0a0fff611767

SHA256
fdc8128d7c17143fe2edec6bc556a9cf23268ee220c21f39f347aa0b1ea0656f

SHA512
e5f19fded8bfdd89ee564e2f7e162b83b7acd45e2fb6063b6c18e46b3e327fc881accfdc7bbb210afae38503480855b5a72016123a7f1df4f56621c5b37c097a

Download Submit
C:\Windows\System\WzpKxHf.exe

Filesize
5.2MB

MD5
5d4219f6c70f3e374e3802ad3caac192

SHA1
56ca499e357cd4d3eb85ee0332a660dd8daf8bb0

SHA256
7d54bd3ae109daa9d5ec0a184f0126c87e5b461899e7c4752198a7c0f80b6046

SHA512
009ca5837d12b92cf87452f49460ed1b723db2abe14699e948034fd00c8cabecb70de0c4c8cb8d957e1ade5b77341f2cfe14d367f57599b8b8107ca03a2f9fd4

Download Submit
C:\Windows\System\aMJwDCt.exe

Filesize
5.2MB

MD5
86eaa027e54d7586355f43ba054c29a7

SHA1
ccf0bbce8811a4e0fec323f2a73ec42fbe64cf9c

SHA256
c9e9fbae16d97a0bd4834b903cbf16787c5fe54455b4cc025aa9cf9f017b5466

SHA512
f2e953434038dd2aebf4e759c6178e52c44672dfb617a423621b76886302270f3a4deb18e843ace7491e1b4fc34fed453f0a993a4616f1738b035326c2f014c1

Download Submit
C:\Windows\System\gUlIcRb.exe

Filesize
5.2MB

MD5
1129760bf870c5a97090e039900ddddb

SHA1
5450ed686046d6065588808734dc3442af283f3a

SHA256
3240b75f92cf6c96e533f9c3ea01ea1567c8a9c8e7bde9f5b2a9c0151b676b41

SHA512
2c7094f9c81518184c427c596e2cb6ff143164e0c3e39aed21a7c332a75afe6fba7c55e1a3b6e36e5431d242fc9442bc42e93f975ee6aad106b6c990a9621175

Download Submit
C:\Windows\System\mTyrpPW.exe

Filesize
5.2MB

MD5
acfff45085e25e4c4ea2d9a829aa9dce

SHA1
90421d4e4871b192509f0840709b3766e598736b

SHA256
21d8fc6fac6c403941f2b0f8a96d212bda6bb225c29701aab70ea59006dc9f31

SHA512
f62957a9b7cae2c860a2d2508f1872a324585f7a9873023e5d1e4c67c2043333dce0d569a76a77643ae7cf8731020e0e8b0941fd80feadbfd4331f9d13a1b0b9

Download Submit
C:\Windows\System\nESKfsb.exe

Filesize
5.2MB

MD5
fcf77fd369622ebdf85783fcca081e12

SHA1
89b9df5c1d65eceaccc67f39294a21f6665a7be6

SHA256
97253d414a2946b1b8376efe6d9d6e441e52ea7c2767bdf5e4df28c1b013106e

SHA512
f87a8ec26c16d599b12e4026c43bea63866fd3bccb3ffb4093b77e524f0b0f159b498a8905759fb07276599c92d25d181f9a259d0ab3060315e97deff87902b3

Download Submit
C:\Windows\System\qkcVoQw.exe

Filesize
5.2MB

MD5
b252258d33f0c8228c661cfd312bf6bb

SHA1
e2e28e12b8fd6bd21076c837d267bad2f5684965

SHA256
87a3826b5690b4e2812edfbdab216e9dcccdaa6301ba48db2192bd6f1d7df186

SHA512
6268715c53f6a31dbecfd76a3ca063bd5f81f777edec4592b75caa72fc2a3a158e0a69fcf2e81ceb79257880f98b10e562e0afdc1a9628c34d0a355fd61c4945

Download Submit
C:\Windows\System\vPsZfji.exe

Filesize
5.2MB

MD5
516b21526df02b3c0f3d1deaed6b4b92

SHA1
02db8a857e9fc11cadd586363e7f00cb06541b84

SHA256
2c0e1c21347f9234b4118fcd67abec2165882bc4ff9c4044065a25c584035882

SHA512
90dcbf66a06cbfbc09662753cf332916aa8f37eebfe20fa3b64b98fbf658068b24a42fa5a29280940bbafc551e2242512a7b2efa1dc0298c8cc61c3f7d8f5a91

Download Submit
memory/440-143-0x00007FF7D2230000-0x00007FF7D2581000-memory.dmp

Filesize
3.3MB

Download
memory/440-247-0x00007FF7D2230000-0x00007FF7D2581000-memory.dmp

Filesize
3.3MB

Download
memory/440-75-0x00007FF7D2230000-0x00007FF7D2581000-memory.dmp

Filesize
3.3MB

Download
memory/628-252-0x00007FF6182A0000-0x00007FF6185F1000-memory.dmp

Filesize
3.3MB

Download
memory/628-89-0x00007FF6182A0000-0x00007FF6185F1000-memory.dmp

Filesize
3.3MB

Download
memory/1864-97-0x00007FF68CB70000-0x00007FF68CEC1000-memory.dmp

Filesize
3.3MB

Download
memory/1864-236-0x00007FF68CB70000-0x00007FF68CEC1000-memory.dmp

Filesize
3.3MB

Download
memory/1864-42-0x00007FF68CB70000-0x00007FF68CEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-0-0x00007FF7CCA50000-0x00007FF7CCDA1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-167-0x00007FF7CCA50000-0x00007FF7CCDA1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-66-0x00007FF7CCA50000-0x00007FF7CCDA1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-140-0x00007FF7CCA50000-0x00007FF7CCDA1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-1-0x00000228C60E0000-0x00000228C60F0000-memory.dmp

Filesize
64KB

Download
memory/3044-51-0x00007FF62EB90000-0x00007FF62EEE1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-99-0x00007FF62EB90000-0x00007FF62EEE1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-240-0x00007FF62EB90000-0x00007FF62EEE1000-memory.dmp

Filesize
3.3MB

Download
memory/3208-136-0x00007FF6086F0000-0x00007FF608A41000-memory.dmp

Filesize
3.3MB

Download
memory/3208-245-0x00007FF6086F0000-0x00007FF608A41000-memory.dmp

Filesize
3.3MB

Download
memory/3208-67-0x00007FF6086F0000-0x00007FF608A41000-memory.dmp

Filesize
3.3MB

Download
memory/3324-220-0x00007FF72CCE0000-0x00007FF72D031000-memory.dmp

Filesize
3.3MB

Download
memory/3324-8-0x00007FF72CCE0000-0x00007FF72D031000-memory.dmp

Filesize
3.3MB

Download
memory/3324-70-0x00007FF72CCE0000-0x00007FF72D031000-memory.dmp

Filesize
3.3MB

Download
memory/3388-242-0x00007FF6EE440000-0x00007FF6EE791000-memory.dmp

Filesize
3.3MB

Download
memory/3388-60-0x00007FF6EE440000-0x00007FF6EE791000-memory.dmp

Filesize
3.3MB

Download
memory/3388-112-0x00007FF6EE440000-0x00007FF6EE791000-memory.dmp

Filesize
3.3MB

Download
memory/3484-30-0x00007FF718D40000-0x00007FF719091000-memory.dmp

Filesize
3.3MB

Download
memory/3484-234-0x00007FF718D40000-0x00007FF719091000-memory.dmp

Filesize
3.3MB

Download
memory/3484-82-0x00007FF718D40000-0x00007FF719091000-memory.dmp

Filesize
3.3MB

Download
memory/3512-36-0x00007FF710C90000-0x00007FF710FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3512-85-0x00007FF710C90000-0x00007FF710FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3512-232-0x00007FF710C90000-0x00007FF710FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3648-131-0x00007FF65A640000-0x00007FF65A991000-memory.dmp

Filesize
3.3MB

Download
memory/3648-272-0x00007FF65A640000-0x00007FF65A991000-memory.dmp

Filesize
3.3MB

Download
memory/3648-165-0x00007FF65A640000-0x00007FF65A991000-memory.dmp

Filesize
3.3MB

Download
memory/3660-38-0x00007FF7C6A10000-0x00007FF7C6D61000-memory.dmp

Filesize
3.3MB

Download
memory/3660-88-0x00007FF7C6A10000-0x00007FF7C6D61000-memory.dmp

Filesize
3.3MB

Download
memory/3660-230-0x00007FF7C6A10000-0x00007FF7C6D61000-memory.dmp

Filesize
3.3MB

Download
memory/3756-98-0x00007FF79CCB0000-0x00007FF79D001000-memory.dmp

Filesize
3.3MB

Download
memory/3756-262-0x00007FF79CCB0000-0x00007FF79D001000-memory.dmp

Filesize
3.3MB

Download
memory/3756-156-0x00007FF79CCB0000-0x00007FF79D001000-memory.dmp

Filesize
3.3MB

Download
memory/3820-13-0x00007FF6861B0000-0x00007FF686501000-memory.dmp

Filesize
3.3MB

Download
memory/3820-74-0x00007FF6861B0000-0x00007FF686501000-memory.dmp

Filesize
3.3MB

Download
memory/3820-222-0x00007FF6861B0000-0x00007FF686501000-memory.dmp

Filesize
3.3MB

Download
memory/3864-18-0x00007FF60E0F0000-0x00007FF60E441000-memory.dmp

Filesize
3.3MB

Download
memory/3864-224-0x00007FF60E0F0000-0x00007FF60E441000-memory.dmp

Filesize
3.3MB

Download
memory/3864-78-0x00007FF60E0F0000-0x00007FF60E441000-memory.dmp

Filesize
3.3MB

Download
memory/3928-270-0x00007FF7B0380000-0x00007FF7B06D1000-memory.dmp

Filesize
3.3MB

Download
memory/3928-129-0x00007FF7B0380000-0x00007FF7B06D1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-55-0x00007FF7A6090000-0x00007FF7A63E1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-239-0x00007FF7A6090000-0x00007FF7A63E1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-100-0x00007FF7A6090000-0x00007FF7A63E1000-memory.dmp

Filesize
3.3MB

Download
memory/4100-108-0x00007FF610140000-0x00007FF610491000-memory.dmp

Filesize
3.3MB

Download
memory/4100-159-0x00007FF610140000-0x00007FF610491000-memory.dmp

Filesize
3.3MB

Download
memory/4100-264-0x00007FF610140000-0x00007FF610491000-memory.dmp

Filesize
3.3MB

Download
memory/4836-91-0x00007FF7C6B30000-0x00007FF7C6E81000-memory.dmp

Filesize
3.3MB

Download
memory/4836-254-0x00007FF7C6B30000-0x00007FF7C6E81000-memory.dmp

Filesize
3.3MB

Download
memory/4836-154-0x00007FF7C6B30000-0x00007FF7C6E81000-memory.dmp

Filesize
3.3MB

Download
memory/4844-125-0x00007FF64A930000-0x00007FF64AC81000-memory.dmp

Filesize
3.3MB

Download
memory/4844-266-0x00007FF64A930000-0x00007FF64AC81000-memory.dmp

Filesize
3.3MB

Download
memory/4844-160-0x00007FF64A930000-0x00007FF64AC81000-memory.dmp

Filesize
3.3MB

Download
memory/4904-130-0x00007FF7C96B0000-0x00007FF7C9A01000-memory.dmp

Filesize
3.3MB

Download
memory/4904-268-0x00007FF7C96B0000-0x00007FF7C9A01000-memory.dmp

Filesize
3.3MB

Download
memory/5004-137-0x00007FF684A80000-0x00007FF684DD1000-memory.dmp

Filesize
3.3MB

Download
memory/5004-166-0x00007FF684A80000-0x00007FF684DD1000-memory.dmp

Filesize
3.3MB

Download
memory/5004-274-0x00007FF684A80000-0x00007FF684DD1000-memory.dmp

Filesize
3.3MB

Download