cobaltstrike | efc701632c12aa9811bfbe737a0ff208a8fdca3afd3583b80efd60fc68e8e1c3

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ff203b8e89a14c3c43210ff13d7696bc
SHA1

4abc3d2f66c326f0af3f266d984cbd32290edf9a
SHA256

efc701632c12aa9811bfbe737a0ff208a8fdca3afd3583b80efd60fc68e8e1c3
SHA512

a1c7c2d5694a2bd7970228eb9928bc92c16c9f1473c418f61450a749ffe29d2016d7f4601fff48900b7d38a958bb1e4f60d01e19dcc509af74547b42adbc3512
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l4:RWWBib+56utgpPFotBER/mQ32lUE

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00040000000229c7-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-17.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-22.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-31.dat	cobalt_reflective_dll
behavioral2/files/0x000300000001e5b3-50.dat	cobalt_reflective_dll
behavioral2/files/0x000300000001e5b4-59.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-87.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-99.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b91-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-117.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8f-102.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-85.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b85-74.dat	cobalt_reflective_dll
behavioral2/files/0x000300000001e5b5-73.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001e4e1-47.dat	cobalt_reflective_dll
behavioral2/files/0x000300000001e5b2-51.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-36.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9b-123.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ba9-139.dat	cobalt_reflective_dll
behavioral2/files/0x0012000000023ba7-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4024-115-0x00007FF7F6DB0000-0x00007FF7F7101000-memory.dmp	xmrig
behavioral2/memory/2812-109-0x00007FF7D1490000-0x00007FF7D17E1000-memory.dmp	xmrig
behavioral2/memory/2560-104-0x00007FF762DC0000-0x00007FF763111000-memory.dmp	xmrig
behavioral2/memory/1304-97-0x00007FF6F8200000-0x00007FF6F8551000-memory.dmp	xmrig
behavioral2/memory/4116-88-0x00007FF75AB40000-0x00007FF75AE91000-memory.dmp	xmrig
behavioral2/memory/4920-82-0x00007FF7C06C0000-0x00007FF7C0A11000-memory.dmp	xmrig
behavioral2/memory/2444-72-0x00007FF7114D0000-0x00007FF711821000-memory.dmp	xmrig
behavioral2/memory/4172-68-0x00007FF60E760000-0x00007FF60EAB1000-memory.dmp	xmrig
behavioral2/memory/796-62-0x00007FF7E86B0000-0x00007FF7E8A01000-memory.dmp	xmrig
behavioral2/memory/3328-120-0x00007FF7F7070000-0x00007FF7F73C1000-memory.dmp	xmrig
behavioral2/memory/4288-132-0x00007FF7C5150000-0x00007FF7C54A1000-memory.dmp	xmrig
behavioral2/memory/2644-131-0x00007FF7C3350000-0x00007FF7C36A1000-memory.dmp	xmrig
behavioral2/memory/2508-124-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp	xmrig
behavioral2/memory/796-141-0x00007FF7E86B0000-0x00007FF7E8A01000-memory.dmp	xmrig
behavioral2/memory/784-148-0x00007FF761C80000-0x00007FF761FD1000-memory.dmp	xmrig
behavioral2/memory/4784-160-0x00007FF7B7710000-0x00007FF7B7A61000-memory.dmp	xmrig
behavioral2/memory/3896-159-0x00007FF671EE0000-0x00007FF672231000-memory.dmp	xmrig
behavioral2/memory/2936-158-0x00007FF736150000-0x00007FF7364A1000-memory.dmp	xmrig
behavioral2/memory/2664-157-0x00007FF6BBD40000-0x00007FF6BC091000-memory.dmp	xmrig
behavioral2/memory/636-161-0x00007FF6514F0000-0x00007FF651841000-memory.dmp	xmrig
behavioral2/memory/2480-162-0x00007FF6CAC10000-0x00007FF6CAF61000-memory.dmp	xmrig
behavioral2/memory/448-163-0x00007FF7FA660000-0x00007FF7FA9B1000-memory.dmp	xmrig
behavioral2/memory/3668-170-0x00007FF60B2E0000-0x00007FF60B631000-memory.dmp	xmrig
behavioral2/memory/796-164-0x00007FF7E86B0000-0x00007FF7E8A01000-memory.dmp	xmrig
behavioral2/memory/4172-219-0x00007FF60E760000-0x00007FF60EAB1000-memory.dmp	xmrig
behavioral2/memory/2444-221-0x00007FF7114D0000-0x00007FF711821000-memory.dmp	xmrig
behavioral2/memory/4920-229-0x00007FF7C06C0000-0x00007FF7C0A11000-memory.dmp	xmrig
behavioral2/memory/4116-231-0x00007FF75AB40000-0x00007FF75AE91000-memory.dmp	xmrig
behavioral2/memory/1304-233-0x00007FF6F8200000-0x00007FF6F8551000-memory.dmp	xmrig
behavioral2/memory/2560-235-0x00007FF762DC0000-0x00007FF763111000-memory.dmp	xmrig
behavioral2/memory/4024-237-0x00007FF7F6DB0000-0x00007FF7F7101000-memory.dmp	xmrig
behavioral2/memory/2812-239-0x00007FF7D1490000-0x00007FF7D17E1000-memory.dmp	xmrig
behavioral2/memory/3328-242-0x00007FF7F7070000-0x00007FF7F73C1000-memory.dmp	xmrig
behavioral2/memory/2644-250-0x00007FF7C3350000-0x00007FF7C36A1000-memory.dmp	xmrig
behavioral2/memory/4288-252-0x00007FF7C5150000-0x00007FF7C54A1000-memory.dmp	xmrig
behavioral2/memory/2508-254-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp	xmrig
behavioral2/memory/784-256-0x00007FF761C80000-0x00007FF761FD1000-memory.dmp	xmrig
behavioral2/memory/4784-258-0x00007FF7B7710000-0x00007FF7B7A61000-memory.dmp	xmrig
behavioral2/memory/2664-260-0x00007FF6BBD40000-0x00007FF6BC091000-memory.dmp	xmrig
behavioral2/memory/3896-262-0x00007FF671EE0000-0x00007FF672231000-memory.dmp	xmrig
behavioral2/memory/2936-264-0x00007FF736150000-0x00007FF7364A1000-memory.dmp	xmrig
behavioral2/memory/636-266-0x00007FF6514F0000-0x00007FF651841000-memory.dmp	xmrig
behavioral2/memory/2480-271-0x00007FF6CAC10000-0x00007FF6CAF61000-memory.dmp	xmrig
behavioral2/memory/448-274-0x00007FF7FA660000-0x00007FF7FA9B1000-memory.dmp	xmrig
behavioral2/memory/3668-275-0x00007FF60B2E0000-0x00007FF60B631000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4172	DMPzQMT.exe
2444	JTUUYIx.exe
4920	cRYRMwH.exe
4116	PcsdJLb.exe
1304	KdzuCqe.exe
2560	ZuFUVAM.exe
2812	zvbExtf.exe
4024	TZnzUnA.exe
3328	xeultQr.exe
2508	tVUBfvl.exe
2644	cmUHkec.exe
4288	vMaHlZT.exe
784	IPPgbfc.exe
4784	eKiSrGM.exe
2664	pPhOJAH.exe
2936	JqjcVkP.exe
3896	cyBoplI.exe
636	RLtjhpy.exe
2480	zYQqWLz.exe
448	FkuagmT.exe
3668	kkmcdEp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/796-0-0x00007FF7E86B0000-0x00007FF7E8A01000-memory.dmp	upx
behavioral2/files/0x00040000000229c7-4.dat	upx
behavioral2/memory/4172-8-0x00007FF60E760000-0x00007FF60EAB1000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-12.dat	upx
behavioral2/files/0x000a000000023b89-17.dat	upx
behavioral2/memory/4920-18-0x00007FF7C06C0000-0x00007FF7C0A11000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-22.dat	upx
behavioral2/memory/4116-24-0x00007FF75AB40000-0x00007FF75AE91000-memory.dmp	upx
behavioral2/memory/1304-30-0x00007FF6F8200000-0x00007FF6F8551000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-31.dat	upx
behavioral2/memory/2444-14-0x00007FF7114D0000-0x00007FF711821000-memory.dmp	upx
behavioral2/memory/2812-44-0x00007FF7D1490000-0x00007FF7D17E1000-memory.dmp	upx
behavioral2/memory/4024-49-0x00007FF7F6DB0000-0x00007FF7F7101000-memory.dmp	upx
behavioral2/files/0x000300000001e5b3-50.dat	upx
behavioral2/files/0x000300000001e5b4-59.dat	upx
behavioral2/memory/4288-71-0x00007FF7C5150000-0x00007FF7C54A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-87.dat	upx
behavioral2/files/0x000a000000023b90-99.dat	upx
behavioral2/files/0x000c000000023b91-106.dat	upx
behavioral2/files/0x000a000000023b99-117.dat	upx
behavioral2/memory/636-116-0x00007FF6514F0000-0x00007FF651841000-memory.dmp	upx
behavioral2/memory/4024-115-0x00007FF7F6DB0000-0x00007FF7F7101000-memory.dmp	upx
behavioral2/memory/3896-110-0x00007FF671EE0000-0x00007FF672231000-memory.dmp	upx
behavioral2/memory/2812-109-0x00007FF7D1490000-0x00007FF7D17E1000-memory.dmp	upx
behavioral2/memory/2936-105-0x00007FF736150000-0x00007FF7364A1000-memory.dmp	upx
behavioral2/memory/2560-104-0x00007FF762DC0000-0x00007FF763111000-memory.dmp	upx
behavioral2/files/0x000b000000023b8f-102.dat	upx
behavioral2/memory/2664-98-0x00007FF6BBD40000-0x00007FF6BC091000-memory.dmp	upx
behavioral2/memory/1304-97-0x00007FF6F8200000-0x00007FF6F8551000-memory.dmp	upx
behavioral2/memory/4784-89-0x00007FF7B7710000-0x00007FF7B7A61000-memory.dmp	upx
behavioral2/memory/4116-88-0x00007FF75AB40000-0x00007FF75AE91000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-85.dat	upx
behavioral2/memory/784-84-0x00007FF761C80000-0x00007FF761FD1000-memory.dmp	upx
behavioral2/memory/4920-82-0x00007FF7C06C0000-0x00007FF7C0A11000-memory.dmp	upx
behavioral2/files/0x000b000000023b85-74.dat	upx
behavioral2/files/0x000300000001e5b5-73.dat	upx
behavioral2/memory/2444-72-0x00007FF7114D0000-0x00007FF711821000-memory.dmp	upx
behavioral2/memory/2644-69-0x00007FF7C3350000-0x00007FF7C36A1000-memory.dmp	upx
behavioral2/memory/4172-68-0x00007FF60E760000-0x00007FF60EAB1000-memory.dmp	upx
behavioral2/memory/2508-63-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp	upx
behavioral2/memory/796-62-0x00007FF7E86B0000-0x00007FF7E8A01000-memory.dmp	upx
behavioral2/memory/3328-56-0x00007FF7F7070000-0x00007FF7F73C1000-memory.dmp	upx
behavioral2/files/0x000400000001e4e1-47.dat	upx
behavioral2/files/0x000300000001e5b2-51.dat	upx
behavioral2/memory/2560-37-0x00007FF762DC0000-0x00007FF763111000-memory.dmp	upx
behavioral2/files/0x000a000000023b8c-36.dat	upx
behavioral2/memory/3328-120-0x00007FF7F7070000-0x00007FF7F73C1000-memory.dmp	upx
behavioral2/files/0x000b000000023b9b-123.dat	upx
behavioral2/memory/2480-125-0x00007FF6CAC10000-0x00007FF6CAF61000-memory.dmp	upx
behavioral2/memory/4288-132-0x00007FF7C5150000-0x00007FF7C54A1000-memory.dmp	upx
behavioral2/files/0x0008000000023ba9-139.dat	upx
behavioral2/memory/3668-138-0x00007FF60B2E0000-0x00007FF60B631000-memory.dmp	upx
behavioral2/memory/448-135-0x00007FF7FA660000-0x00007FF7FA9B1000-memory.dmp	upx
behavioral2/files/0x0012000000023ba7-134.dat	upx
behavioral2/memory/2644-131-0x00007FF7C3350000-0x00007FF7C36A1000-memory.dmp	upx
behavioral2/memory/2508-124-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp	upx
behavioral2/memory/796-141-0x00007FF7E86B0000-0x00007FF7E8A01000-memory.dmp	upx
behavioral2/memory/784-148-0x00007FF761C80000-0x00007FF761FD1000-memory.dmp	upx
behavioral2/memory/4784-160-0x00007FF7B7710000-0x00007FF7B7A61000-memory.dmp	upx
behavioral2/memory/3896-159-0x00007FF671EE0000-0x00007FF672231000-memory.dmp	upx
behavioral2/memory/2936-158-0x00007FF736150000-0x00007FF7364A1000-memory.dmp	upx
behavioral2/memory/2664-157-0x00007FF6BBD40000-0x00007FF6BC091000-memory.dmp	upx
behavioral2/memory/636-161-0x00007FF6514F0000-0x00007FF651841000-memory.dmp	upx
behavioral2/memory/2480-162-0x00007FF6CAC10000-0x00007FF6CAF61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\tVUBfvl.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eKiSrGM.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pPhOJAH.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cyBoplI.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FkuagmT.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vMaHlZT.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RLtjhpy.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zYQqWLz.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JTUUYIx.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cRYRMwH.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZuFUVAM.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TZnzUnA.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cmUHkec.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kkmcdEp.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xeultQr.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JqjcVkP.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DMPzQMT.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PcsdJLb.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KdzuCqe.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zvbExtf.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IPPgbfc.exe	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 4172	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 796 wrote to memory of 4172	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 796 wrote to memory of 2444	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 796 wrote to memory of 2444	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 796 wrote to memory of 4920	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 796 wrote to memory of 4920	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 796 wrote to memory of 4116	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 796 wrote to memory of 4116	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 796 wrote to memory of 1304	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 796 wrote to memory of 1304	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 796 wrote to memory of 2560	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 796 wrote to memory of 2560	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 796 wrote to memory of 2812	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 796 wrote to memory of 2812	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 796 wrote to memory of 4024	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 796 wrote to memory of 4024	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 796 wrote to memory of 3328	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 796 wrote to memory of 3328	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 796 wrote to memory of 2508	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 796 wrote to memory of 2508	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 796 wrote to memory of 2644	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 796 wrote to memory of 2644	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 796 wrote to memory of 4288	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 796 wrote to memory of 4288	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 796 wrote to memory of 784	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 796 wrote to memory of 784	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 796 wrote to memory of 4784	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 796 wrote to memory of 4784	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 796 wrote to memory of 2664	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 796 wrote to memory of 2664	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 796 wrote to memory of 2936	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 796 wrote to memory of 2936	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 796 wrote to memory of 3896	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 796 wrote to memory of 3896	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 796 wrote to memory of 636	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 796 wrote to memory of 636	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 796 wrote to memory of 2480	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 796 wrote to memory of 2480	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 796 wrote to memory of 448	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 796 wrote to memory of 448	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 796 wrote to memory of 3668	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 796 wrote to memory of 3668	796	2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_ff203b8e89a14c3c43210ff13d7696bc_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\System\DMPzQMT.exe
  C:\Windows\System\DMPzQMT.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\JTUUYIx.exe
  C:\Windows\System\JTUUYIx.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\cRYRMwH.exe
  C:\Windows\System\cRYRMwH.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\PcsdJLb.exe
  C:\Windows\System\PcsdJLb.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System\KdzuCqe.exe
  C:\Windows\System\KdzuCqe.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\System\ZuFUVAM.exe
  C:\Windows\System\ZuFUVAM.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\zvbExtf.exe
  C:\Windows\System\zvbExtf.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\TZnzUnA.exe
  C:\Windows\System\TZnzUnA.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\xeultQr.exe
  C:\Windows\System\xeultQr.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System\tVUBfvl.exe
  C:\Windows\System\tVUBfvl.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\cmUHkec.exe
  C:\Windows\System\cmUHkec.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\vMaHlZT.exe
  C:\Windows\System\vMaHlZT.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System\IPPgbfc.exe
  C:\Windows\System\IPPgbfc.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System\eKiSrGM.exe
  C:\Windows\System\eKiSrGM.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\pPhOJAH.exe
  C:\Windows\System\pPhOJAH.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\JqjcVkP.exe
  C:\Windows\System\JqjcVkP.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\cyBoplI.exe
  C:\Windows\System\cyBoplI.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System\RLtjhpy.exe
  C:\Windows\System\RLtjhpy.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System\zYQqWLz.exe
  C:\Windows\System\zYQqWLz.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\FkuagmT.exe
  C:\Windows\System\FkuagmT.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System\kkmcdEp.exe
  C:\Windows\System\kkmcdEp.exe
  2⤵
  - Executes dropped EXE
  PID:3668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DMPzQMT.exe

Filesize
5.2MB

MD5
83ee635e38645c0a62050c72c938cfd8

SHA1
3994fa4a32e8232454c51f56143dad8501f2f855

SHA256
6ef94e689a0fbd389865d1912984ac1ae85efda9b64e75e5e303104829e2fe1d

SHA512
900ef234223be460697422579af8f7666af506fa18451739e67ee14a9a0fd8783465d2595671ce8285b8e5e5580d00eede8b6f10ca3b559df8140bfe90228618

Download Submit
C:\Windows\System\FkuagmT.exe

Filesize
5.2MB

MD5
e01ec1f52b630c3080cb448f6390ba79

SHA1
2a540460974af6399506b35d9a69658ea2eaefe2

SHA256
bbe869a8696ae13b1ede957413cac30bae2d434d29b59fd3a862a0a5a3bcf15d

SHA512
7cc4a8131107314dcc0385effa9c99fc1983a02a217e9f8a73628d6543f648aa267af050c21d652905827d21c1bbbd24145229510d65268823f7c66f10f36a29

Download Submit
C:\Windows\System\IPPgbfc.exe

Filesize
5.2MB

MD5
6644a18bc73426d837d41f345e81374a

SHA1
15cc072c0465149b44835f7f52f6dbb4727e94c1

SHA256
3f97db4372b2842403e8eb37fab666bbcdbe4af7ae276be07099d307500256f3

SHA512
4c6c3e2df9b1afa50b9d9bbbb7eaef10f35d3c007058b0e1eab5c94b7df9d6a653db69bac86998d1e93a85ba208e149569ac2b3870c3623f72dd3235f45d344f

Download Submit
C:\Windows\System\JTUUYIx.exe

Filesize
5.2MB

MD5
bdbc23f97d1f133e6306971cbff28e48

SHA1
3b6ea819df776c38576b17fe714d0c47d411c0c3

SHA256
624af526a0e1cbc80b0db7e0df08d14ed57b16de22fd9c760e48545d51ad039d

SHA512
df7a99f6a0fbd7d5f7231af1dbb385cdced8d1aab027a28c0ec5b2d4b45e0c702248b20121fc8715cb57336ea3f542a07275687710f10179b44cb40ec229cf0d

Download Submit
C:\Windows\System\JqjcVkP.exe

Filesize
5.2MB

MD5
3322b64db131111019b25f12c0487cac

SHA1
34248f66218740438a9a9b638534ef1c6ffd78ff

SHA256
d76f432f0c975a550d1ee0718ecd7d992c565c6b7ece97c60c4be3c0f237ee2a

SHA512
938d7c331f0369ef3f45098ab5bc71d156b50935457761ca59b2a74e944d698d7ada1a7a4fd7620b3d26c46b354704fa21b04f63f91ca68cb3830e77af5a5415

Download Submit
C:\Windows\System\KdzuCqe.exe

Filesize
5.2MB

MD5
82062e234966973b446735c7dff0543f

SHA1
2533c22c87be0c321a3c653fe5f49e0de901422a

SHA256
bd335ed888d29914ae3aa3b5e82fa64c13d3e05d3d73b477062c8195a0126148

SHA512
669e6bd7daba5fce52f8695b6114076612b09d172b8c965dadd365c7fe97a4ba679767751a7d615ca4ea52d771a6f49fd564249b8178df5178232a53363e87d0

Download Submit
C:\Windows\System\PcsdJLb.exe

Filesize
5.2MB

MD5
fceddd5da8d19caec308afa75671c932

SHA1
52eec094d14f426556525b1a5cd2ce1806ba7802

SHA256
f1ad46b344f18351d7b8e15194e9aa9e5985eb62086b242c69725291e9b569b0

SHA512
f5dfb949974687043316b6a744f949af2f09ff45ff7f10814258627478d3aa6eeabc6febefb6364bf57bbf2e67f0fb72fc66f6f6c9d421ecd8c7e9ff35279f5f

Download Submit
C:\Windows\System\RLtjhpy.exe

Filesize
5.2MB

MD5
635322b2b2cbdedbe0275e820634feaa

SHA1
f6aa3d69494175a9fe15bf3107c2cf09fc96bccb

SHA256
e98d38a028dc2423060fae729ce321947529e8faf51ade402422cedaa5163cd1

SHA512
7a400a1a9e31def9150b260a3d85ee9c7157c8630fa33709bfd77b1d51313f425969414e75d6e263c1d9d6f7d8924eb589b9bfd9a8cf1d941a0ac585b62ca61e

Download Submit
C:\Windows\System\TZnzUnA.exe

Filesize
5.2MB

MD5
553dc60536f7c5688ea1c54e91d8d76a

SHA1
f691213e8f2f0d051cc1c9365e3bd2eaaaa2b726

SHA256
da8d0064eb94730c3ffd5fc84e7368a5bff049ad361ef6a5230b74db87b7c263

SHA512
6b70f7e2202040c7a068f28f4256468085ebf57fde0639964d75024ee7844aaa94a6f5ce74fe53ee513c22f3f61fc455c60415ca35afa6a929a06c58013a2b30

Download Submit
C:\Windows\System\ZuFUVAM.exe

Filesize
5.2MB

MD5
7d71d55be2d57580406fb73cc6e40b96

SHA1
b4623f272caf8ecfad49aa05afebaae1588b773d

SHA256
87570de001a7624371d09afbca10f9919267b0da81c1c170cdfb71bd08c7339f

SHA512
b0e9ef479e233690c9c7055f516db0a95feac5c668c226ec09596dd0fca9091e20e583f61dba1fbe1ddeb981849237254114fcb871fc7595202cb21f7bf67470

Download Submit
C:\Windows\System\cRYRMwH.exe

Filesize
5.2MB

MD5
b88635111f5f8acbb44b5906f22199da

SHA1
dc57b8434f76d37dc44a27f62cfac7ea709f00a2

SHA256
b124da781a065a34bc53ba5dd4533bea95c3c78213e67ed021f145b3a2d8393b

SHA512
2a72d3745f508e05b0115e475a367e9b0efd7ae4230d7aa51188fe85d382634abbd7bda6c3572e4353c8d89173767e221cc1d1714296425eece44227cb7588e1

Download Submit
C:\Windows\System\cmUHkec.exe

Filesize
5.2MB

MD5
eaca8abe9e4ba873da5a14e4d0c42a4f

SHA1
78dcc4c36af9e7caf3e8c996d1eb7ade2695b358

SHA256
1d03e7563c28b889f603231e1ce3aff487b26c91549d19778862ff76e449af4a

SHA512
85f06b0dfd41d5ca3c718cde0ad594d42873ae25a5cbb8c56766e7d1cc1425346c6bc9fabaf0bb3077e60e510dbb802fd6773700ad2c2777c8978c2003d4f4a8

Download Submit
C:\Windows\System\cyBoplI.exe

Filesize
5.2MB

MD5
4152efa89550827d22a014464657e163

SHA1
97b9c877bd5ed46b31810f0fcefe08f3e50a5282

SHA256
20b7affdf9cc8d44d12097016f8fff4b9bb0cb2b6f285b8dfec2e4aa4fa38b5b

SHA512
ad504a8790f2df689fcee617bcb3eaa294f23b601f9c5c1b984e58595bb766a5ec698e1a409d294340c271c7629b1ef9d6e977091b6fbcee6542b8a322b05724

Download Submit
C:\Windows\System\eKiSrGM.exe

Filesize
5.2MB

MD5
8789c5c4942f5f37b9e0ce32ad998172

SHA1
d66a00bd738b30d328a96bfa75d74493aa6a212a

SHA256
f02179245676b964fda85cecc765a85ef75efeeefcfe4bc52af642ed1663781f

SHA512
964c8a8b153df504f93af12a54c08e855c6153c266b6d0dc4fec4e2c046e0b1be7d27e1f2809e28892e2143ffd9cf8e2d1ae31e96beab43697e2943b9a716309

Download Submit
C:\Windows\System\kkmcdEp.exe

Filesize
5.2MB

MD5
d0b4bbdb06c2fba18b055fb999b58874

SHA1
b7c93f63e06b1ead9d85f26cc99495b681f93dfd

SHA256
788c015a3a366d88c0a93ab091485efebf9f0585add88e52d8fded3cce8300da

SHA512
062be67a03d934df8ea0f51fa40ad0062ffdd94ad1bb8f0cf021a6efde6cccb4ea208ddabe9ded8aaf18625cfc45f77d24260fb69ec1307f79bb6b76b708e1a7

Download Submit
C:\Windows\System\pPhOJAH.exe

Filesize
5.2MB

MD5
bff222340a7fe183dd3e7db417ba5ab6

SHA1
a0f41c02305e75cb6eff3162685e7d05d2e38b02

SHA256
4e102154b781a5f2fb8d1a1c2d5653f85e9d186e6e7c2523edcd7b6b4ed1af89

SHA512
24747223ed3323dbc860e3a68650ff567ba9521af96a154ddc7b3ce41775424eeb2c5df4fc8a18890c3fbd045031c20bc4b113ac7a5fea013bd8912e6da15ade

Download Submit
C:\Windows\System\tVUBfvl.exe

Filesize
5.2MB

MD5
f528599f44d19f546d314275a7705804

SHA1
be611118712074fd1061e5431848ac9aff732dab

SHA256
6dd24447c0dba1619bb258de8e16ec1739c27e9a44dd4835668dd75a81880409

SHA512
f7da13dfe3ce21d6ed22b8053e44c7810cb06709c83097fb3ac0dff7a3c83e7058bcfa30848997ec747b4607b6667e3e67f49fd10625116be16bf05c2ebd8925

Download Submit
C:\Windows\System\vMaHlZT.exe

Filesize
5.2MB

MD5
5c8a7b8b2f3485e3f81d68854fd206aa

SHA1
176d8097085779cc1ec48471c7815194b30a43b6

SHA256
c56fbd9707c58047b10e4e386ca36d2cb4a24875373598ef8b8eae4417b2a5ca

SHA512
7c3ec08bec6e3735a0c9f9fa41e8957fa07ae6dcb733db50d5a06c91f616dfdd869a1f51e140671eb6d90960697f6b7c715a6a0ea5b62fdf65536bc8fc05ded6

Download Submit
C:\Windows\System\xeultQr.exe

Filesize
5.2MB

MD5
aca76312715210ecbb748b53379c21b5

SHA1
d65ba0003fb6b2c81fefdab027bdb1d64ef7f426

SHA256
1b8634f51be9067e2b8d0a648041797dc6279ca2632aee89883bc96b1d0e5022

SHA512
5af0db635ae03e111966aa4ab0bdecc680f3c2e320ed3f59ec5cf74fb4932eccaf82b544cb3e12df0e7cebbba07ab98972b616df286bbbf2a85981d141311d86

Download Submit
C:\Windows\System\zYQqWLz.exe

Filesize
5.2MB

MD5
dddff5f44c6ef336e61eac454b338d17

SHA1
a6316eb1e9705976f2c1dc4335eba6e192a0d9c0

SHA256
637fb8a8b137f8d22bd526fe2b21a0337aab1001db20a1456ef1aa4b19799345

SHA512
2db749390eeb5b80dc0275c2898ca1bf892192e9d70a217a6015d2777ff4f97522a586a2f8317078d0fbbd748d9c0b74c6858a01cd2601dd2b6b4bbeab2c9dc3

Download Submit
C:\Windows\System\zvbExtf.exe

Filesize
5.2MB

MD5
bdcfe04ff2f26e1b4263c13fbcb1abe8

SHA1
577fd79dcfa482e3886bf566c38587ba42c6834b

SHA256
4e4b1382e26e9530efbf86bb61b5ca9f46643e342db240be53e16d71b5900515

SHA512
6a59fce7f823bff3ada158921c079d32cfb92ad881f76068eeda8a8fe44f077a339959164829c1b223b1b7705fefdf947740dc1aad3c8a7465eb2b1e84970cf1

Download Submit
memory/448-135-0x00007FF7FA660000-0x00007FF7FA9B1000-memory.dmp

Filesize
3.3MB

Download
memory/448-163-0x00007FF7FA660000-0x00007FF7FA9B1000-memory.dmp

Filesize
3.3MB

Download
memory/448-274-0x00007FF7FA660000-0x00007FF7FA9B1000-memory.dmp

Filesize
3.3MB

Download
memory/636-116-0x00007FF6514F0000-0x00007FF651841000-memory.dmp

Filesize
3.3MB

Download
memory/636-161-0x00007FF6514F0000-0x00007FF651841000-memory.dmp

Filesize
3.3MB

Download
memory/636-266-0x00007FF6514F0000-0x00007FF651841000-memory.dmp

Filesize
3.3MB

Download
memory/784-148-0x00007FF761C80000-0x00007FF761FD1000-memory.dmp

Filesize
3.3MB

Download
memory/784-256-0x00007FF761C80000-0x00007FF761FD1000-memory.dmp

Filesize
3.3MB

Download
memory/784-84-0x00007FF761C80000-0x00007FF761FD1000-memory.dmp

Filesize
3.3MB

Download
memory/796-164-0x00007FF7E86B0000-0x00007FF7E8A01000-memory.dmp

Filesize
3.3MB

Download
memory/796-62-0x00007FF7E86B0000-0x00007FF7E8A01000-memory.dmp

Filesize
3.3MB

Download
memory/796-1-0x000001DE08BB0000-0x000001DE08BC0000-memory.dmp

Filesize
64KB

Download
memory/796-141-0x00007FF7E86B0000-0x00007FF7E8A01000-memory.dmp

Filesize
3.3MB

Download
memory/796-0-0x00007FF7E86B0000-0x00007FF7E8A01000-memory.dmp

Filesize
3.3MB

Download
memory/1304-97-0x00007FF6F8200000-0x00007FF6F8551000-memory.dmp

Filesize
3.3MB

Download
memory/1304-30-0x00007FF6F8200000-0x00007FF6F8551000-memory.dmp

Filesize
3.3MB

Download
memory/1304-233-0x00007FF6F8200000-0x00007FF6F8551000-memory.dmp

Filesize
3.3MB

Download
memory/2444-14-0x00007FF7114D0000-0x00007FF711821000-memory.dmp

Filesize
3.3MB

Download
memory/2444-72-0x00007FF7114D0000-0x00007FF711821000-memory.dmp

Filesize
3.3MB

Download
memory/2444-221-0x00007FF7114D0000-0x00007FF711821000-memory.dmp

Filesize
3.3MB

Download
memory/2480-125-0x00007FF6CAC10000-0x00007FF6CAF61000-memory.dmp

Filesize
3.3MB

Download
memory/2480-271-0x00007FF6CAC10000-0x00007FF6CAF61000-memory.dmp

Filesize
3.3MB

Download
memory/2480-162-0x00007FF6CAC10000-0x00007FF6CAF61000-memory.dmp

Filesize
3.3MB

Download
memory/2508-124-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp

Filesize
3.3MB

Download
memory/2508-254-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp

Filesize
3.3MB

Download
memory/2508-63-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp

Filesize
3.3MB

Download
memory/2560-104-0x00007FF762DC0000-0x00007FF763111000-memory.dmp

Filesize
3.3MB

Download
memory/2560-37-0x00007FF762DC0000-0x00007FF763111000-memory.dmp

Filesize
3.3MB

Download
memory/2560-235-0x00007FF762DC0000-0x00007FF763111000-memory.dmp

Filesize
3.3MB

Download
memory/2644-69-0x00007FF7C3350000-0x00007FF7C36A1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-250-0x00007FF7C3350000-0x00007FF7C36A1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-131-0x00007FF7C3350000-0x00007FF7C36A1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-260-0x00007FF6BBD40000-0x00007FF6BC091000-memory.dmp

Filesize
3.3MB

Download
memory/2664-157-0x00007FF6BBD40000-0x00007FF6BC091000-memory.dmp

Filesize
3.3MB

Download
memory/2664-98-0x00007FF6BBD40000-0x00007FF6BC091000-memory.dmp

Filesize
3.3MB

Download
memory/2812-109-0x00007FF7D1490000-0x00007FF7D17E1000-memory.dmp

Filesize
3.3MB

Download
memory/2812-44-0x00007FF7D1490000-0x00007FF7D17E1000-memory.dmp

Filesize
3.3MB

Download
memory/2812-239-0x00007FF7D1490000-0x00007FF7D17E1000-memory.dmp

Filesize
3.3MB

Download
memory/2936-264-0x00007FF736150000-0x00007FF7364A1000-memory.dmp

Filesize
3.3MB

Download
memory/2936-105-0x00007FF736150000-0x00007FF7364A1000-memory.dmp

Filesize
3.3MB

Download
memory/2936-158-0x00007FF736150000-0x00007FF7364A1000-memory.dmp

Filesize
3.3MB

Download
memory/3328-56-0x00007FF7F7070000-0x00007FF7F73C1000-memory.dmp

Filesize
3.3MB

Download
memory/3328-120-0x00007FF7F7070000-0x00007FF7F73C1000-memory.dmp

Filesize
3.3MB

Download
memory/3328-242-0x00007FF7F7070000-0x00007FF7F73C1000-memory.dmp

Filesize
3.3MB

Download
memory/3668-138-0x00007FF60B2E0000-0x00007FF60B631000-memory.dmp

Filesize
3.3MB

Download
memory/3668-170-0x00007FF60B2E0000-0x00007FF60B631000-memory.dmp

Filesize
3.3MB

Download
memory/3668-275-0x00007FF60B2E0000-0x00007FF60B631000-memory.dmp

Filesize
3.3MB

Download
memory/3896-262-0x00007FF671EE0000-0x00007FF672231000-memory.dmp

Filesize
3.3MB

Download
memory/3896-159-0x00007FF671EE0000-0x00007FF672231000-memory.dmp

Filesize
3.3MB

Download
memory/3896-110-0x00007FF671EE0000-0x00007FF672231000-memory.dmp

Filesize
3.3MB

Download
memory/4024-237-0x00007FF7F6DB0000-0x00007FF7F7101000-memory.dmp

Filesize
3.3MB

Download
memory/4024-115-0x00007FF7F6DB0000-0x00007FF7F7101000-memory.dmp

Filesize
3.3MB

Download
memory/4024-49-0x00007FF7F6DB0000-0x00007FF7F7101000-memory.dmp

Filesize
3.3MB

Download
memory/4116-88-0x00007FF75AB40000-0x00007FF75AE91000-memory.dmp

Filesize
3.3MB

Download
memory/4116-231-0x00007FF75AB40000-0x00007FF75AE91000-memory.dmp

Filesize
3.3MB

Download
memory/4116-24-0x00007FF75AB40000-0x00007FF75AE91000-memory.dmp

Filesize
3.3MB

Download
memory/4172-68-0x00007FF60E760000-0x00007FF60EAB1000-memory.dmp

Filesize
3.3MB

Download
memory/4172-8-0x00007FF60E760000-0x00007FF60EAB1000-memory.dmp

Filesize
3.3MB

Download
memory/4172-219-0x00007FF60E760000-0x00007FF60EAB1000-memory.dmp

Filesize
3.3MB

Download
memory/4288-71-0x00007FF7C5150000-0x00007FF7C54A1000-memory.dmp

Filesize
3.3MB

Download
memory/4288-132-0x00007FF7C5150000-0x00007FF7C54A1000-memory.dmp

Filesize
3.3MB

Download
memory/4288-252-0x00007FF7C5150000-0x00007FF7C54A1000-memory.dmp

Filesize
3.3MB

Download
memory/4784-258-0x00007FF7B7710000-0x00007FF7B7A61000-memory.dmp

Filesize
3.3MB

Download
memory/4784-89-0x00007FF7B7710000-0x00007FF7B7A61000-memory.dmp

Filesize
3.3MB

Download
memory/4784-160-0x00007FF7B7710000-0x00007FF7B7A61000-memory.dmp

Filesize
3.3MB

Download
memory/4920-18-0x00007FF7C06C0000-0x00007FF7C0A11000-memory.dmp

Filesize
3.3MB

Download
memory/4920-229-0x00007FF7C06C0000-0x00007FF7C0A11000-memory.dmp

Filesize
3.3MB

Download
memory/4920-82-0x00007FF7C06C0000-0x00007FF7C0A11000-memory.dmp

Filesize
3.3MB

Download