cobaltstrike | 39d2e8d5e6d6b2024ab3f978a8d8e7f76a195a38085558cebba63d5f93bb1a9c

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f58e63a004039d7d24bd664375d5c550
SHA1

bd5925072c043eda2373ad32bd583a6a2e8e5ff7
SHA256

39d2e8d5e6d6b2024ab3f978a8d8e7f76a195a38085558cebba63d5f93bb1a9c
SHA512

b89147b7fad0fa4edb1411c3b2a9230da6c9511b30b6a5302c4c11ed16f6864bf04e619019c29161581a4385f16a2d1e6321e3ae4fca59b7d2e75aa422beca34
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lv:RWWBibf56utgpPFotBER/mQ32lU7

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b4f-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb0-8.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb1-20.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023baf-19.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb2-21.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb7-46.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb3-48.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb9-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bba-74.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bbb-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bc0-110.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bc1-126.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bbf-115.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bbe-112.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bbd-108.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bbc-95.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023bac-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb8-69.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb5-54.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb6-60.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb4-50.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4536-78-0x00007FF6661F0000-0x00007FF666541000-memory.dmp	xmrig
behavioral2/memory/3096-122-0x00007FF74BC80000-0x00007FF74BFD1000-memory.dmp	xmrig
behavioral2/memory/5036-121-0x00007FF6E8980000-0x00007FF6E8CD1000-memory.dmp	xmrig
behavioral2/memory/4232-120-0x00007FF7A5CD0000-0x00007FF7A6021000-memory.dmp	xmrig
behavioral2/memory/2748-111-0x00007FF786BF0000-0x00007FF786F41000-memory.dmp	xmrig
behavioral2/memory/2504-102-0x00007FF769640000-0x00007FF769991000-memory.dmp	xmrig
behavioral2/memory/1568-94-0x00007FF6403C0000-0x00007FF640711000-memory.dmp	xmrig
behavioral2/memory/4540-88-0x00007FF68A420000-0x00007FF68A771000-memory.dmp	xmrig
behavioral2/memory/4872-129-0x00007FF756230000-0x00007FF756581000-memory.dmp	xmrig
behavioral2/memory/3504-130-0x00007FF6F6A90000-0x00007FF6F6DE1000-memory.dmp	xmrig
behavioral2/memory/3280-138-0x00007FF739500000-0x00007FF739851000-memory.dmp	xmrig
behavioral2/memory/4176-148-0x00007FF65CD30000-0x00007FF65D081000-memory.dmp	xmrig
behavioral2/memory/4752-149-0x00007FF6A7070000-0x00007FF6A73C1000-memory.dmp	xmrig
behavioral2/memory/3448-146-0x00007FF7C85B0000-0x00007FF7C8901000-memory.dmp	xmrig
behavioral2/memory/5040-141-0x00007FF6BC1A0000-0x00007FF6BC4F1000-memory.dmp	xmrig
behavioral2/memory/4820-139-0x00007FF6C4B90000-0x00007FF6C4EE1000-memory.dmp	xmrig
behavioral2/memory/4452-137-0x00007FF76D080000-0x00007FF76D3D1000-memory.dmp	xmrig
behavioral2/memory/3192-135-0x00007FF716430000-0x00007FF716781000-memory.dmp	xmrig
behavioral2/memory/5064-133-0x00007FF6AB550000-0x00007FF6AB8A1000-memory.dmp	xmrig
behavioral2/memory/4936-132-0x00007FF7F5450000-0x00007FF7F57A1000-memory.dmp	xmrig
behavioral2/memory/212-131-0x00007FF70D3C0000-0x00007FF70D711000-memory.dmp	xmrig
behavioral2/memory/1336-128-0x00007FF6396F0000-0x00007FF639A41000-memory.dmp	xmrig
behavioral2/memory/1336-150-0x00007FF6396F0000-0x00007FF639A41000-memory.dmp	xmrig
behavioral2/memory/1336-151-0x00007FF6396F0000-0x00007FF639A41000-memory.dmp	xmrig
behavioral2/memory/4872-205-0x00007FF756230000-0x00007FF756581000-memory.dmp	xmrig
behavioral2/memory/3504-207-0x00007FF6F6A90000-0x00007FF6F6DE1000-memory.dmp	xmrig
behavioral2/memory/212-209-0x00007FF70D3C0000-0x00007FF70D711000-memory.dmp	xmrig
behavioral2/memory/4936-221-0x00007FF7F5450000-0x00007FF7F57A1000-memory.dmp	xmrig
behavioral2/memory/4536-227-0x00007FF6661F0000-0x00007FF666541000-memory.dmp	xmrig
behavioral2/memory/5064-226-0x00007FF6AB550000-0x00007FF6AB8A1000-memory.dmp	xmrig
behavioral2/memory/4540-230-0x00007FF68A420000-0x00007FF68A771000-memory.dmp	xmrig
behavioral2/memory/4452-231-0x00007FF76D080000-0x00007FF76D3D1000-memory.dmp	xmrig
behavioral2/memory/3280-237-0x00007FF739500000-0x00007FF739851000-memory.dmp	xmrig
behavioral2/memory/4820-235-0x00007FF6C4B90000-0x00007FF6C4EE1000-memory.dmp	xmrig
behavioral2/memory/1568-239-0x00007FF6403C0000-0x00007FF640711000-memory.dmp	xmrig
behavioral2/memory/3192-233-0x00007FF716430000-0x00007FF716781000-memory.dmp	xmrig
behavioral2/memory/5040-257-0x00007FF6BC1A0000-0x00007FF6BC4F1000-memory.dmp	xmrig
behavioral2/memory/4752-258-0x00007FF6A7070000-0x00007FF6A73C1000-memory.dmp	xmrig
behavioral2/memory/2504-254-0x00007FF769640000-0x00007FF769991000-memory.dmp	xmrig
behavioral2/memory/5036-253-0x00007FF6E8980000-0x00007FF6E8CD1000-memory.dmp	xmrig
behavioral2/memory/4232-250-0x00007FF7A5CD0000-0x00007FF7A6021000-memory.dmp	xmrig
behavioral2/memory/2748-249-0x00007FF786BF0000-0x00007FF786F41000-memory.dmp	xmrig
behavioral2/memory/3448-246-0x00007FF7C85B0000-0x00007FF7C8901000-memory.dmp	xmrig
behavioral2/memory/4176-245-0x00007FF65CD30000-0x00007FF65D081000-memory.dmp	xmrig
behavioral2/memory/3096-243-0x00007FF74BC80000-0x00007FF74BFD1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4872	UdYSEow.exe
3504	koKfAzR.exe
212	RCpoFwp.exe
4936	fWbZsXr.exe
5064	cOFQJSn.exe
4536	vSTPoeT.exe
3192	jrqCoRN.exe
4540	Ewbfych.exe
4452	eZwHrjR.exe
3280	RUTQFVs.exe
4820	fXcCQgi.exe
1568	MlDOoUt.exe
5040	ERbKHhR.exe
4232	eVmtcTh.exe
2504	gZVrVVo.exe
5036	cBMNsoX.exe
2748	jzICBuH.exe
3448	ZiIrzlM.exe
3096	etgCoxC.exe
4176	ZpOeoSt.exe
4752	AjKJRZU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1336-0-0x00007FF6396F0000-0x00007FF639A41000-memory.dmp	upx
behavioral2/files/0x000c000000023b4f-4.dat	upx
behavioral2/files/0x000a000000023bb0-8.dat	upx
behavioral2/memory/4872-9-0x00007FF756230000-0x00007FF756581000-memory.dmp	upx
behavioral2/memory/212-24-0x00007FF70D3C0000-0x00007FF70D711000-memory.dmp	upx
behavioral2/files/0x000a000000023bb1-20.dat	upx
behavioral2/files/0x000a000000023baf-19.dat	upx
behavioral2/memory/3504-17-0x00007FF6F6A90000-0x00007FF6F6DE1000-memory.dmp	upx
behavioral2/files/0x000a000000023bb2-21.dat	upx
behavioral2/files/0x000a000000023bb7-46.dat	upx
behavioral2/files/0x000a000000023bb3-48.dat	upx
behavioral2/files/0x000a000000023bb9-61.dat	upx
behavioral2/files/0x000a000000023bba-74.dat	upx
behavioral2/files/0x000a000000023bbb-83.dat	upx
behavioral2/memory/4536-78-0x00007FF6661F0000-0x00007FF666541000-memory.dmp	upx
behavioral2/files/0x000a000000023bc0-110.dat	upx
behavioral2/memory/3096-122-0x00007FF74BC80000-0x00007FF74BFD1000-memory.dmp	upx
behavioral2/files/0x000a000000023bc1-126.dat	upx
behavioral2/memory/4752-125-0x00007FF6A7070000-0x00007FF6A73C1000-memory.dmp	upx
behavioral2/memory/5036-121-0x00007FF6E8980000-0x00007FF6E8CD1000-memory.dmp	upx
behavioral2/memory/4232-120-0x00007FF7A5CD0000-0x00007FF7A6021000-memory.dmp	upx
behavioral2/memory/4176-119-0x00007FF65CD30000-0x00007FF65D081000-memory.dmp	upx
behavioral2/files/0x000a000000023bbf-115.dat	upx
behavioral2/memory/3448-114-0x00007FF7C85B0000-0x00007FF7C8901000-memory.dmp	upx
behavioral2/files/0x000a000000023bbe-112.dat	upx
behavioral2/memory/2748-111-0x00007FF786BF0000-0x00007FF786F41000-memory.dmp	upx
behavioral2/files/0x000a000000023bbd-108.dat	upx
behavioral2/memory/2504-102-0x00007FF769640000-0x00007FF769991000-memory.dmp	upx
behavioral2/memory/5040-101-0x00007FF6BC1A0000-0x00007FF6BC4F1000-memory.dmp	upx
behavioral2/files/0x000a000000023bbc-95.dat	upx
behavioral2/memory/1568-94-0x00007FF6403C0000-0x00007FF640711000-memory.dmp	upx
behavioral2/memory/4540-88-0x00007FF68A420000-0x00007FF68A771000-memory.dmp	upx
behavioral2/files/0x000b000000023bac-93.dat	upx
behavioral2/memory/4820-76-0x00007FF6C4B90000-0x00007FF6C4EE1000-memory.dmp	upx
behavioral2/files/0x000a000000023bb8-69.dat	upx
behavioral2/memory/3280-65-0x00007FF739500000-0x00007FF739851000-memory.dmp	upx
behavioral2/memory/4452-59-0x00007FF76D080000-0x00007FF76D3D1000-memory.dmp	upx
behavioral2/memory/3192-57-0x00007FF716430000-0x00007FF716781000-memory.dmp	upx
behavioral2/files/0x000a000000023bb5-54.dat	upx
behavioral2/files/0x000a000000023bb6-60.dat	upx
behavioral2/files/0x000a000000023bb4-50.dat	upx
behavioral2/memory/4936-42-0x00007FF7F5450000-0x00007FF7F57A1000-memory.dmp	upx
behavioral2/memory/5064-28-0x00007FF6AB550000-0x00007FF6AB8A1000-memory.dmp	upx
behavioral2/memory/4872-129-0x00007FF756230000-0x00007FF756581000-memory.dmp	upx
behavioral2/memory/3504-130-0x00007FF6F6A90000-0x00007FF6F6DE1000-memory.dmp	upx
behavioral2/memory/3280-138-0x00007FF739500000-0x00007FF739851000-memory.dmp	upx
behavioral2/memory/4176-148-0x00007FF65CD30000-0x00007FF65D081000-memory.dmp	upx
behavioral2/memory/4752-149-0x00007FF6A7070000-0x00007FF6A73C1000-memory.dmp	upx
behavioral2/memory/3448-146-0x00007FF7C85B0000-0x00007FF7C8901000-memory.dmp	upx
behavioral2/memory/5040-141-0x00007FF6BC1A0000-0x00007FF6BC4F1000-memory.dmp	upx
behavioral2/memory/4820-139-0x00007FF6C4B90000-0x00007FF6C4EE1000-memory.dmp	upx
behavioral2/memory/4452-137-0x00007FF76D080000-0x00007FF76D3D1000-memory.dmp	upx
behavioral2/memory/3192-135-0x00007FF716430000-0x00007FF716781000-memory.dmp	upx
behavioral2/memory/5064-133-0x00007FF6AB550000-0x00007FF6AB8A1000-memory.dmp	upx
behavioral2/memory/4936-132-0x00007FF7F5450000-0x00007FF7F57A1000-memory.dmp	upx
behavioral2/memory/212-131-0x00007FF70D3C0000-0x00007FF70D711000-memory.dmp	upx
behavioral2/memory/1336-128-0x00007FF6396F0000-0x00007FF639A41000-memory.dmp	upx
behavioral2/memory/1336-150-0x00007FF6396F0000-0x00007FF639A41000-memory.dmp	upx
behavioral2/memory/1336-151-0x00007FF6396F0000-0x00007FF639A41000-memory.dmp	upx
behavioral2/memory/4872-205-0x00007FF756230000-0x00007FF756581000-memory.dmp	upx
behavioral2/memory/3504-207-0x00007FF6F6A90000-0x00007FF6F6DE1000-memory.dmp	upx
behavioral2/memory/212-209-0x00007FF70D3C0000-0x00007FF70D711000-memory.dmp	upx
behavioral2/memory/4936-221-0x00007FF7F5450000-0x00007FF7F57A1000-memory.dmp	upx
behavioral2/memory/4536-227-0x00007FF6661F0000-0x00007FF666541000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\koKfAzR.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RCpoFwp.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cOFQJSn.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fXcCQgi.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cBMNsoX.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\etgCoxC.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vSTPoeT.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jrqCoRN.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eZwHrjR.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RUTQFVs.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gZVrVVo.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AjKJRZU.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UdYSEow.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Ewbfych.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MlDOoUt.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ERbKHhR.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jzICBuH.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZiIrzlM.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fWbZsXr.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eVmtcTh.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZpOeoSt.exe	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 4872	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1336 wrote to memory of 4872	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1336 wrote to memory of 3504	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1336 wrote to memory of 3504	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1336 wrote to memory of 212	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1336 wrote to memory of 212	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1336 wrote to memory of 4936	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1336 wrote to memory of 4936	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1336 wrote to memory of 5064	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1336 wrote to memory of 5064	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1336 wrote to memory of 4536	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1336 wrote to memory of 4536	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1336 wrote to memory of 3192	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1336 wrote to memory of 3192	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1336 wrote to memory of 4540	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1336 wrote to memory of 4540	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1336 wrote to memory of 4452	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1336 wrote to memory of 4452	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1336 wrote to memory of 3280	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1336 wrote to memory of 3280	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1336 wrote to memory of 4820	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1336 wrote to memory of 4820	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1336 wrote to memory of 1568	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1336 wrote to memory of 1568	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1336 wrote to memory of 5040	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1336 wrote to memory of 5040	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1336 wrote to memory of 2504	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1336 wrote to memory of 2504	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1336 wrote to memory of 4232	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1336 wrote to memory of 4232	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1336 wrote to memory of 5036	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1336 wrote to memory of 5036	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1336 wrote to memory of 2748	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1336 wrote to memory of 2748	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1336 wrote to memory of 3448	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1336 wrote to memory of 3448	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1336 wrote to memory of 3096	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1336 wrote to memory of 3096	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1336 wrote to memory of 4176	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1336 wrote to memory of 4176	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1336 wrote to memory of 4752	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1336 wrote to memory of 4752	1336	2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-31_f58e63a004039d7d24bd664375d5c550_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\System\UdYSEow.exe
  C:\Windows\System\UdYSEow.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\koKfAzR.exe
  C:\Windows\System\koKfAzR.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\RCpoFwp.exe
  C:\Windows\System\RCpoFwp.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\fWbZsXr.exe
  C:\Windows\System\fWbZsXr.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\cOFQJSn.exe
  C:\Windows\System\cOFQJSn.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\vSTPoeT.exe
  C:\Windows\System\vSTPoeT.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\jrqCoRN.exe
  C:\Windows\System\jrqCoRN.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\Ewbfych.exe
  C:\Windows\System\Ewbfych.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\eZwHrjR.exe
  C:\Windows\System\eZwHrjR.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\RUTQFVs.exe
  C:\Windows\System\RUTQFVs.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System\fXcCQgi.exe
  C:\Windows\System\fXcCQgi.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System\MlDOoUt.exe
  C:\Windows\System\MlDOoUt.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\ERbKHhR.exe
  C:\Windows\System\ERbKHhR.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\gZVrVVo.exe
  C:\Windows\System\gZVrVVo.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\eVmtcTh.exe
  C:\Windows\System\eVmtcTh.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System\cBMNsoX.exe
  C:\Windows\System\cBMNsoX.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\jzICBuH.exe
  C:\Windows\System\jzICBuH.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\ZiIrzlM.exe
  C:\Windows\System\ZiIrzlM.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\etgCoxC.exe
  C:\Windows\System\etgCoxC.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System\ZpOeoSt.exe
  C:\Windows\System\ZpOeoSt.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\AjKJRZU.exe
  C:\Windows\System\AjKJRZU.exe
  2⤵
  - Executes dropped EXE
  PID:4752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AjKJRZU.exe

Filesize
5.2MB

MD5
7e9280388fb2ae3e147f9b250158c1d3

SHA1
95bd266c96dfbd36e4a35456c66b219107618f7b

SHA256
82951ffcc3fa1c436aec0a29e05b88051d4a54cf3bc4ad0981282844454f68e3

SHA512
c6f5a666c02ef500888dc3381626f5ef95f328368238936d16f97ed20f7759ea244c1cbcefa06d85f89a0a3a232e3762f3c16479eaf17c185bbcaad9627fd34f

Download Submit
C:\Windows\System\ERbKHhR.exe

Filesize
5.2MB

MD5
6741a47448d330089b52ba49cb1da609

SHA1
4c3ee0ca3ef7cc42366e4b32a5dbc092147bdbba

SHA256
611c41e511a9ba2d24feb81644a62931e39c97ed1613aec9ff7b9e0a7b0bf8c5

SHA512
41b715e64b32eb37bcfc21f85c7ad05961b20f8b0e22613c8b5deb4d412389affa0aba349be4f6711fbedeeb6d7ff1452a8f3a1bc0e8bb8c6f88958eb722163e

Download Submit
C:\Windows\System\Ewbfych.exe

Filesize
5.2MB

MD5
2bd93b0228cdbe0cbd6534e03a4548cf

SHA1
ac0fbd090c531296f12b72e60568545f384c7da2

SHA256
85b85bc3a0bf45d727fe17ef7a9838ceb95094ba3820daad0d7ee50c39eae20b

SHA512
be362fb7fafefcc20bdbb48b9c9aa17a4142cd0f36ce5c5439ded25fa1f2757849afe9f590dd73fe99344d3cfcc4dfc5474c9caa151d86e58c7d9a512408f10f

Download Submit
C:\Windows\System\MlDOoUt.exe

Filesize
5.2MB

MD5
d7fab6c2611b12986603f3d58d5ecd46

SHA1
98cac5617aa45e409ea98f4266e1657c58b44958

SHA256
632089fd06c21f12809ad9260413338a7eae603dac52250d011d390bc889c79e

SHA512
e89460092e98a1866ac7d07f711b733f7c0b5ccec7a184fafd19bd234616a68a89ad104485183b622e09975f974f91673a3d44fc1224a45f061d7de50567a264

Download Submit
C:\Windows\System\RCpoFwp.exe

Filesize
5.2MB

MD5
876756f072e3d1e48b6f46060dcd8b9c

SHA1
f02f16a85d634c701c8cc0df0a27ebb32c608c34

SHA256
2d790a1868b28a5a5fd807388ad212b7c6f3ca582784c1f60e87f487f356c948

SHA512
cb677c456162bbef94f4ad7815cb221743428d9059017b31bfa0232413ea53a65d734556d51d28081cd1f72aed5ba8d57e6eb15a62b66dc28cd3c3a7cdfd5e86

Download Submit
C:\Windows\System\RUTQFVs.exe

Filesize
5.2MB

MD5
df2be1fbd0c1581936d5e6c1d99f6bbb

SHA1
a765420d28da0beafa16305ec9f5c869ce97c264

SHA256
aad58e1a9067fb3a51dd7f9459e1c017151365fb3689232348f95c15a835b5ca

SHA512
167bac08156e2834c7a4466cd5524a6dd14850725b84f840f6f0fe731b4246df0d2adbac1fd9d38ea7c98223a936530ce5b6026f9504ba0fdf948a3fadd59677

Download Submit
C:\Windows\System\UdYSEow.exe

Filesize
5.2MB

MD5
7f2a8831cdbb6fd5b4292f01ae10b9ab

SHA1
dc57d3e6031b0afb7ebcbbfc79061853007be12b

SHA256
08c35a899c1e14b196c2f06995d42d9a2bcc0d373cfe19145c0c99381bc7ed77

SHA512
7f3216d4ae4506581a63c31675e59807ac72b45cab710685bd9d6e76e42269d095aefaf58b03a13e61f21a85a87c884d56315026151c8fa992c309fe99d9bcbc

Download Submit
C:\Windows\System\ZiIrzlM.exe

Filesize
5.2MB

MD5
04b07a5f2c72f64eac394a5d0513d7bf

SHA1
0b6dad613c042a38785b55c700a15a303f13efef

SHA256
d9a077ba562c33848fe0aff2be7a4361a51974241db01ce6da6caf7469da3563

SHA512
c95b912033de09442356a1d82a923c6a7cbe269f254bf35263ad676282c9df120f75e8930aea43e0aed1137faf2e9f55edbe207d80fcc9bb2ed170bc64c9dee5

Download Submit
C:\Windows\System\ZpOeoSt.exe

Filesize
5.2MB

MD5
b1d80f0bd3dc12f2a15c4b1300438782

SHA1
72e8c806724aef44901719a8e8667e43773dca81

SHA256
f02d15be8abee04d67c78f17c5a90bbbd38705821d6c5bfff95b3bdd3c70db91

SHA512
f40110f3876a1d4e7213909ac5f8132e5daca17dbf274e769272257dda13f1dd1d456ad98dc47fadebfbed2249deb321866c1afcc0d4bf20913950b61f232423

Download Submit
C:\Windows\System\cBMNsoX.exe

Filesize
5.2MB

MD5
d648fc1e68f1822c45aef96340a5bfe4

SHA1
1d1fcd64ffff93e30a5475ab2686c050734eaf2e

SHA256
e1d3d083ee66616983105bd69a9eed3f00b49739550ba0cf607ad44003a4ffb4

SHA512
662e698a6c5418135b97455d95b8c105cedba5c3f7cb93cb60cc002ee27a0be20ea23c5e18fe3eb04df13728b2ccd5e8f7cbc085174f8be03653ff8c0b057254

Download Submit
C:\Windows\System\cOFQJSn.exe

Filesize
5.2MB

MD5
58a18a12d31b0f80fda8f14bb7168d44

SHA1
24193e2f632f9105cd5c7334ae63d18e6603d1e0

SHA256
465e09bc02368741536126ec0f4462a1ae399a490b072cf3dc8bbe7afcf54781

SHA512
378b782eb60e01229a2a303247516f032c1f1d7ab9b634e2ddb5ae7fa7a856330e6c1d7d35fec1b8b99385cd758048b956c17829d3496f771f32ed428fff2e7c

Download Submit
C:\Windows\System\eVmtcTh.exe

Filesize
5.2MB

MD5
b14575dd3533049580df5e5142a5366a

SHA1
aed6ff7bb8f2e55c6ed96fa8447acb39a1c4f6b5

SHA256
bdcc065b762ebaeb623caea936677aeeb78ba541943c1d8398eace4c5bd71c43

SHA512
52a29c65386ec79af6a94f9c311223b56c7e58369ba5329897c922b5bb7bd620674fbf3396c6e6cd3b02152dfc6f39a7438e96ae01f66637025a79f883a2c724

Download Submit
C:\Windows\System\eZwHrjR.exe

Filesize
5.2MB

MD5
84a5d240291faabf066348c8be67d077

SHA1
9ee4224f16086500ff2e03a4e750aaf3cd45ad42

SHA256
0a1ee959f5f1e65b095fcb12b9dfdb791206770ae5f89d2533aaddf174c17997

SHA512
6800b61a48afe70a163b309b9b6fcdf843c769f66e3ff9b96e250e203acfde09a0ab9a9b214203d86ae85dbbe3f66727c89c958befdeeaedb1e61f65a37e5c42

Download Submit
C:\Windows\System\etgCoxC.exe

Filesize
5.2MB

MD5
9b9017f59bb64f0d6843f62eabcae73e

SHA1
93344b2812745cac4d90073047c158bb3174941c

SHA256
fb3979dbc4a8ad323d8f02edb3a381718a09f9cefacdd3ef28df101ff32804b0

SHA512
c76985b9b3326b2c817d3bc4b135b16eaa7032d56b6c27347b16895af93094b600fc5f0a6267e721b45ade7d8f95318b3e0a5923e92013f76e4818e865bf7680

Download Submit
C:\Windows\System\fWbZsXr.exe

Filesize
5.2MB

MD5
bdfabc5c6c31d2a8fce7128c25d16d34

SHA1
454ca463e81175e533a84d5f650002b092587cba

SHA256
3d1a31ab789886854b3bcfb0a6fdbc16f8c28441e593585ae7b20a0257128698

SHA512
f096c9ed5d43064815144b605cc6556c20e0580722c0ae389b0ddacdfacca573ab5bfbe5d6f92cf338ccc21ce92eafe1042f84877fe38c34eae02dc4feb70cc0

Download Submit
C:\Windows\System\fXcCQgi.exe

Filesize
5.2MB

MD5
beef3e4a28489204bb3930eb9c88d3f8

SHA1
9744f1038f4125eabf508684a42f82fc52b29947

SHA256
cfbd4650539a5646cac35c3da8b8e23aa03308657cfd61facb3dea0dc3c1068c

SHA512
d9df97874b5b0d9ee5d7a57e5c576098575690653020b491a1d1e238e2447e87beb124644508af297efbaaf24368bbbbc0429890da83bcaa72661acb81632d2d

Download Submit
C:\Windows\System\gZVrVVo.exe

Filesize
5.2MB

MD5
b14b6912e647164e2e5f485dd03b4f5e

SHA1
2ec3b0d9964ac21044bb535ecbf2edabe56a4005

SHA256
3425212940184b68a6269ab4aeeff52e74be2e28f0778c4be2e80b5791a52150

SHA512
5ff396c5377553c56997af92105f9f53d289e4cbff086aa8bea34489f9fa18522642821bb79fab66414a1db1652dea1e051336ed1761bc9c48a608b882082d87

Download Submit
C:\Windows\System\jrqCoRN.exe

Filesize
5.2MB

MD5
d8e93006329e66d83befec85818e93c2

SHA1
e2a3e418ae6fc2e87b7e0fc33f97c52d5a57422a

SHA256
44c47b5e41403072ac85bae5652c11dba5694ba52d5fa93e7063af5504602ba0

SHA512
6e15ebc3a8d7858629fcd3c6bca617ace0e9222ec5363ec3b0872d4557c5317c677193e61b6a2a1f52a8a573665fb555bee0a8c4b05fd37b3e674b48d535d653

Download Submit
C:\Windows\System\jzICBuH.exe

Filesize
5.2MB

MD5
2fc0acbefae9142d76f3a705cb48ac0e

SHA1
e96dc4b93c36ba34fb62d43fb1ea0aba875926dd

SHA256
4dc8934ecf57ee0cb370f9adbfa488d1e9a4d0d0050a2f59007f83236d46c1ea

SHA512
93f494ecd76efeac00991530a5f8b7a57f203527c35ed3c508dbefed7e4d51a2a0c004f6ba2befca66f94e35e415d067a6579d0fcb4ef95d9e986e3b28a10633

Download Submit
C:\Windows\System\koKfAzR.exe

Filesize
5.2MB

MD5
17f8ae4131ee0bd7f7c1ddf74182fab2

SHA1
9acbbb456d1fa7d858484bb99ea0c393d1bef3e6

SHA256
976e1dc17aa97f37095e6451e8845666136d4a0873c0937767be4576de43b33c

SHA512
a540061a27227dd305160d0c7f2f16cb9f71432f52cc0599c2b11ef0513e1ec689ec73c4b6cd87b81a2ab15e561bad7cd8bdb6b628fd3506b3478502665f5eb6

Download Submit
C:\Windows\System\vSTPoeT.exe

Filesize
5.2MB

MD5
41049fb1cd7d6b7c3a27dbeae7ceda22

SHA1
aaa7c777052278336c8305d98ed9e0ad7d6c17d0

SHA256
c39bb9565b3cddde01bb133b70f5b20b3463323f5f9fa1b1fc329454d9342b5c

SHA512
beeb9ab76fa2a586f33cd1cb4c24c5d80b1ca61dd90c86232eba2aee6049e65ff2d12e65302fef33dac525bd1f616c70a3e37e48dea5ce584e83ba927d484cb2

Download Submit
memory/212-209-0x00007FF70D3C0000-0x00007FF70D711000-memory.dmp

Filesize
3.3MB

Download
memory/212-131-0x00007FF70D3C0000-0x00007FF70D711000-memory.dmp

Filesize
3.3MB

Download
memory/212-24-0x00007FF70D3C0000-0x00007FF70D711000-memory.dmp

Filesize
3.3MB

Download
memory/1336-128-0x00007FF6396F0000-0x00007FF639A41000-memory.dmp

Filesize
3.3MB

Download
memory/1336-1-0x0000016CC0900000-0x0000016CC0910000-memory.dmp

Filesize
64KB

Download
memory/1336-151-0x00007FF6396F0000-0x00007FF639A41000-memory.dmp

Filesize
3.3MB

Download
memory/1336-150-0x00007FF6396F0000-0x00007FF639A41000-memory.dmp

Filesize
3.3MB

Download
memory/1336-0-0x00007FF6396F0000-0x00007FF639A41000-memory.dmp

Filesize
3.3MB

Download
memory/1568-239-0x00007FF6403C0000-0x00007FF640711000-memory.dmp

Filesize
3.3MB

Download
memory/1568-94-0x00007FF6403C0000-0x00007FF640711000-memory.dmp

Filesize
3.3MB

Download
memory/2504-102-0x00007FF769640000-0x00007FF769991000-memory.dmp

Filesize
3.3MB

Download
memory/2504-254-0x00007FF769640000-0x00007FF769991000-memory.dmp

Filesize
3.3MB

Download
memory/2748-249-0x00007FF786BF0000-0x00007FF786F41000-memory.dmp

Filesize
3.3MB

Download
memory/2748-111-0x00007FF786BF0000-0x00007FF786F41000-memory.dmp

Filesize
3.3MB

Download
memory/3096-122-0x00007FF74BC80000-0x00007FF74BFD1000-memory.dmp

Filesize
3.3MB

Download
memory/3096-243-0x00007FF74BC80000-0x00007FF74BFD1000-memory.dmp

Filesize
3.3MB

Download
memory/3192-57-0x00007FF716430000-0x00007FF716781000-memory.dmp

Filesize
3.3MB

Download
memory/3192-233-0x00007FF716430000-0x00007FF716781000-memory.dmp

Filesize
3.3MB

Download
memory/3192-135-0x00007FF716430000-0x00007FF716781000-memory.dmp

Filesize
3.3MB

Download
memory/3280-65-0x00007FF739500000-0x00007FF739851000-memory.dmp

Filesize
3.3MB

Download
memory/3280-138-0x00007FF739500000-0x00007FF739851000-memory.dmp

Filesize
3.3MB

Download
memory/3280-237-0x00007FF739500000-0x00007FF739851000-memory.dmp

Filesize
3.3MB

Download
memory/3448-246-0x00007FF7C85B0000-0x00007FF7C8901000-memory.dmp

Filesize
3.3MB

Download
memory/3448-114-0x00007FF7C85B0000-0x00007FF7C8901000-memory.dmp

Filesize
3.3MB

Download
memory/3448-146-0x00007FF7C85B0000-0x00007FF7C8901000-memory.dmp

Filesize
3.3MB

Download
memory/3504-207-0x00007FF6F6A90000-0x00007FF6F6DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3504-130-0x00007FF6F6A90000-0x00007FF6F6DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3504-17-0x00007FF6F6A90000-0x00007FF6F6DE1000-memory.dmp

Filesize
3.3MB

Download
memory/4176-245-0x00007FF65CD30000-0x00007FF65D081000-memory.dmp

Filesize
3.3MB

Download
memory/4176-119-0x00007FF65CD30000-0x00007FF65D081000-memory.dmp

Filesize
3.3MB

Download
memory/4176-148-0x00007FF65CD30000-0x00007FF65D081000-memory.dmp

Filesize
3.3MB

Download
memory/4232-250-0x00007FF7A5CD0000-0x00007FF7A6021000-memory.dmp

Filesize
3.3MB

Download
memory/4232-120-0x00007FF7A5CD0000-0x00007FF7A6021000-memory.dmp

Filesize
3.3MB

Download
memory/4452-137-0x00007FF76D080000-0x00007FF76D3D1000-memory.dmp

Filesize
3.3MB

Download
memory/4452-59-0x00007FF76D080000-0x00007FF76D3D1000-memory.dmp

Filesize
3.3MB

Download
memory/4452-231-0x00007FF76D080000-0x00007FF76D3D1000-memory.dmp

Filesize
3.3MB

Download
memory/4536-227-0x00007FF6661F0000-0x00007FF666541000-memory.dmp

Filesize
3.3MB

Download
memory/4536-78-0x00007FF6661F0000-0x00007FF666541000-memory.dmp

Filesize
3.3MB

Download
memory/4540-88-0x00007FF68A420000-0x00007FF68A771000-memory.dmp

Filesize
3.3MB

Download
memory/4540-230-0x00007FF68A420000-0x00007FF68A771000-memory.dmp

Filesize
3.3MB

Download
memory/4752-125-0x00007FF6A7070000-0x00007FF6A73C1000-memory.dmp

Filesize
3.3MB

Download
memory/4752-258-0x00007FF6A7070000-0x00007FF6A73C1000-memory.dmp

Filesize
3.3MB

Download
memory/4752-149-0x00007FF6A7070000-0x00007FF6A73C1000-memory.dmp

Filesize
3.3MB

Download
memory/4820-139-0x00007FF6C4B90000-0x00007FF6C4EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4820-76-0x00007FF6C4B90000-0x00007FF6C4EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4820-235-0x00007FF6C4B90000-0x00007FF6C4EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4872-205-0x00007FF756230000-0x00007FF756581000-memory.dmp

Filesize
3.3MB

Download
memory/4872-9-0x00007FF756230000-0x00007FF756581000-memory.dmp

Filesize
3.3MB

Download
memory/4872-129-0x00007FF756230000-0x00007FF756581000-memory.dmp

Filesize
3.3MB

Download
memory/4936-221-0x00007FF7F5450000-0x00007FF7F57A1000-memory.dmp

Filesize
3.3MB

Download
memory/4936-42-0x00007FF7F5450000-0x00007FF7F57A1000-memory.dmp

Filesize
3.3MB

Download
memory/4936-132-0x00007FF7F5450000-0x00007FF7F57A1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-121-0x00007FF6E8980000-0x00007FF6E8CD1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-253-0x00007FF6E8980000-0x00007FF6E8CD1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-257-0x00007FF6BC1A0000-0x00007FF6BC4F1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-101-0x00007FF6BC1A0000-0x00007FF6BC4F1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-141-0x00007FF6BC1A0000-0x00007FF6BC4F1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-226-0x00007FF6AB550000-0x00007FF6AB8A1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-28-0x00007FF6AB550000-0x00007FF6AB8A1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-133-0x00007FF6AB550000-0x00007FF6AB8A1000-memory.dmp

Filesize
3.3MB

Download