cobaltstrike | fab7475fe77305c0e95ceb58cce7c305429b0b49f878361b432fc4da86f5d2fb

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

b8183dcae4915aa6bee969e6018acd2f
SHA1

e914d0febeccd9ac2e1ec17763b83004d0038dc0
SHA256

fab7475fe77305c0e95ceb58cce7c305429b0b49f878361b432fc4da86f5d2fb
SHA512

3dc6139229698084c80dd0ddc381af9962c6560be393559d76233bd6ec0ac6d7eeb7cbd1706c2592c97cfa68b47ff056615a5f6c1d989aa859802aaa683a443b
SSDEEP

98304:oemTLkNdfE0pZrx56utgpPFotBER/mQ32lUJ:T+o56utgpPF8u/7J

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234d9-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234de-18.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234df-23.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234da-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e1-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e2-41.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e3-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e4-52.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e6-66.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e5-64.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e7-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234eb-103.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ee-120.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ef-125.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ed-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ec-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e9-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e8-91.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ea-102.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f0-130.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/524-0-0x00007FF743540000-0x00007FF743894000-memory.dmp	xmrig
behavioral2/files/0x00080000000234d9-4.dat	xmrig
behavioral2/memory/2548-8-0x00007FF6FCCE0000-0x00007FF6FD034000-memory.dmp	xmrig
behavioral2/files/0x00070000000234dd-11.dat	xmrig
behavioral2/files/0x00070000000234de-18.dat	xmrig
behavioral2/memory/3424-20-0x00007FF72C850000-0x00007FF72CBA4000-memory.dmp	xmrig
behavioral2/memory/1252-14-0x00007FF60F350000-0x00007FF60F6A4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234df-23.dat	xmrig
behavioral2/files/0x00080000000234da-29.dat	xmrig
behavioral2/files/0x00070000000234e1-35.dat	xmrig
behavioral2/files/0x00070000000234e2-41.dat	xmrig
behavioral2/memory/1904-42-0x00007FF74AF90000-0x00007FF74B2E4000-memory.dmp	xmrig
behavioral2/memory/4244-36-0x00007FF70C240000-0x00007FF70C594000-memory.dmp	xmrig
behavioral2/memory/4384-30-0x00007FF6C1440000-0x00007FF6C1794000-memory.dmp	xmrig
behavioral2/memory/2140-25-0x00007FF6F24F0000-0x00007FF6F2844000-memory.dmp	xmrig
behavioral2/files/0x00070000000234e3-47.dat	xmrig
behavioral2/memory/1556-50-0x00007FF674CC0000-0x00007FF675014000-memory.dmp	xmrig
behavioral2/files/0x00070000000234e4-52.dat	xmrig
behavioral2/memory/4776-54-0x00007FF69C570000-0x00007FF69C8C4000-memory.dmp	xmrig
behavioral2/memory/524-60-0x00007FF743540000-0x00007FF743894000-memory.dmp	xmrig
behavioral2/files/0x00070000000234e6-66.dat	xmrig
behavioral2/memory/3156-68-0x00007FF7AE260000-0x00007FF7AE5B4000-memory.dmp	xmrig
behavioral2/memory/2548-67-0x00007FF6FCCE0000-0x00007FF6FD034000-memory.dmp	xmrig
behavioral2/files/0x00070000000234e5-64.dat	xmrig
behavioral2/memory/644-63-0x00007FF785900000-0x00007FF785C54000-memory.dmp	xmrig
behavioral2/memory/1252-71-0x00007FF60F350000-0x00007FF60F6A4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234e7-73.dat	xmrig
behavioral2/memory/828-79-0x00007FF7C3500000-0x00007FF7C3854000-memory.dmp	xmrig
behavioral2/files/0x00070000000234eb-103.dat	xmrig
behavioral2/memory/5064-106-0x00007FF771ED0000-0x00007FF772224000-memory.dmp	xmrig
behavioral2/memory/216-108-0x00007FF78A3C0000-0x00007FF78A714000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ee-120.dat	xmrig
behavioral2/files/0x00070000000234ef-125.dat	xmrig
behavioral2/memory/3164-121-0x00007FF71B0B0000-0x00007FF71B404000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ed-116.dat	xmrig
behavioral2/files/0x00070000000234ec-115.dat	xmrig
behavioral2/memory/4244-112-0x00007FF70C240000-0x00007FF70C594000-memory.dmp	xmrig
behavioral2/memory/2704-111-0x00007FF7A4560000-0x00007FF7A48B4000-memory.dmp	xmrig
behavioral2/memory/232-98-0x00007FF7A16F0000-0x00007FF7A1A44000-memory.dmp	xmrig
behavioral2/files/0x00070000000234e9-97.dat	xmrig
behavioral2/memory/4384-94-0x00007FF6C1440000-0x00007FF6C1794000-memory.dmp	xmrig
behavioral2/files/0x00070000000234e8-91.dat	xmrig
behavioral2/files/0x00070000000234ea-102.dat	xmrig
behavioral2/memory/2884-87-0x00007FF749B90000-0x00007FF749EE4000-memory.dmp	xmrig
behavioral2/memory/2140-86-0x00007FF6F24F0000-0x00007FF6F2844000-memory.dmp	xmrig
behavioral2/memory/3424-75-0x00007FF72C850000-0x00007FF72CBA4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234f0-130.dat	xmrig
behavioral2/memory/1904-132-0x00007FF74AF90000-0x00007FF74B2E4000-memory.dmp	xmrig
behavioral2/memory/4812-133-0x00007FF677390000-0x00007FF6776E4000-memory.dmp	xmrig
behavioral2/memory/1172-134-0x00007FF6BC910000-0x00007FF6BCC64000-memory.dmp	xmrig
behavioral2/memory/4920-135-0x00007FF787560000-0x00007FF7878B4000-memory.dmp	xmrig
behavioral2/memory/4776-136-0x00007FF69C570000-0x00007FF69C8C4000-memory.dmp	xmrig
behavioral2/memory/644-137-0x00007FF785900000-0x00007FF785C54000-memory.dmp	xmrig
behavioral2/memory/3156-138-0x00007FF7AE260000-0x00007FF7AE5B4000-memory.dmp	xmrig
behavioral2/memory/828-139-0x00007FF7C3500000-0x00007FF7C3854000-memory.dmp	xmrig
behavioral2/memory/2884-140-0x00007FF749B90000-0x00007FF749EE4000-memory.dmp	xmrig
behavioral2/memory/5064-141-0x00007FF771ED0000-0x00007FF772224000-memory.dmp	xmrig
behavioral2/memory/3164-142-0x00007FF71B0B0000-0x00007FF71B404000-memory.dmp	xmrig
behavioral2/memory/232-143-0x00007FF7A16F0000-0x00007FF7A1A44000-memory.dmp	xmrig
behavioral2/memory/216-144-0x00007FF78A3C0000-0x00007FF78A714000-memory.dmp	xmrig
behavioral2/memory/2704-145-0x00007FF7A4560000-0x00007FF7A48B4000-memory.dmp	xmrig
behavioral2/memory/2548-146-0x00007FF6FCCE0000-0x00007FF6FD034000-memory.dmp	xmrig
behavioral2/memory/1252-147-0x00007FF60F350000-0x00007FF60F6A4000-memory.dmp	xmrig
behavioral2/memory/3424-148-0x00007FF72C850000-0x00007FF72CBA4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2548	UVfqVse.exe
1252	VcvlCEN.exe
3424	jqkNHrH.exe
2140	NmlcXxY.exe
4384	KRsoYSL.exe
4244	UkmAEKs.exe
1904	LFEpuew.exe
1556	IbVxlLg.exe
4776	aWMtNOW.exe
644	StaPCVU.exe
3156	NHINCOy.exe
828	ibYJvaK.exe
2884	AWOxtKi.exe
232	WMLDjDb.exe
5064	PRLOWTY.exe
3164	UubYxAk.exe
216	wDZsbdK.exe
2704	vZIvpAV.exe
4812	WwNRLNB.exe
1172	CPglSbG.exe
4920	bkaNrsY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/524-0-0x00007FF743540000-0x00007FF743894000-memory.dmp	upx
behavioral2/files/0x00080000000234d9-4.dat	upx
behavioral2/memory/2548-8-0x00007FF6FCCE0000-0x00007FF6FD034000-memory.dmp	upx
behavioral2/files/0x00070000000234dd-11.dat	upx
behavioral2/files/0x00070000000234de-18.dat	upx
behavioral2/memory/3424-20-0x00007FF72C850000-0x00007FF72CBA4000-memory.dmp	upx
behavioral2/memory/1252-14-0x00007FF60F350000-0x00007FF60F6A4000-memory.dmp	upx
behavioral2/files/0x00070000000234df-23.dat	upx
behavioral2/files/0x00080000000234da-29.dat	upx
behavioral2/files/0x00070000000234e1-35.dat	upx
behavioral2/files/0x00070000000234e2-41.dat	upx
behavioral2/memory/1904-42-0x00007FF74AF90000-0x00007FF74B2E4000-memory.dmp	upx
behavioral2/memory/4244-36-0x00007FF70C240000-0x00007FF70C594000-memory.dmp	upx
behavioral2/memory/4384-30-0x00007FF6C1440000-0x00007FF6C1794000-memory.dmp	upx
behavioral2/memory/2140-25-0x00007FF6F24F0000-0x00007FF6F2844000-memory.dmp	upx
behavioral2/files/0x00070000000234e3-47.dat	upx
behavioral2/memory/1556-50-0x00007FF674CC0000-0x00007FF675014000-memory.dmp	upx
behavioral2/files/0x00070000000234e4-52.dat	upx
behavioral2/memory/4776-54-0x00007FF69C570000-0x00007FF69C8C4000-memory.dmp	upx
behavioral2/memory/524-60-0x00007FF743540000-0x00007FF743894000-memory.dmp	upx
behavioral2/files/0x00070000000234e6-66.dat	upx
behavioral2/memory/3156-68-0x00007FF7AE260000-0x00007FF7AE5B4000-memory.dmp	upx
behavioral2/memory/2548-67-0x00007FF6FCCE0000-0x00007FF6FD034000-memory.dmp	upx
behavioral2/files/0x00070000000234e5-64.dat	upx
behavioral2/memory/644-63-0x00007FF785900000-0x00007FF785C54000-memory.dmp	upx
behavioral2/memory/1252-71-0x00007FF60F350000-0x00007FF60F6A4000-memory.dmp	upx
behavioral2/files/0x00070000000234e7-73.dat	upx
behavioral2/memory/828-79-0x00007FF7C3500000-0x00007FF7C3854000-memory.dmp	upx
behavioral2/files/0x00070000000234eb-103.dat	upx
behavioral2/memory/5064-106-0x00007FF771ED0000-0x00007FF772224000-memory.dmp	upx
behavioral2/memory/216-108-0x00007FF78A3C0000-0x00007FF78A714000-memory.dmp	upx
behavioral2/files/0x00070000000234ee-120.dat	upx
behavioral2/files/0x00070000000234ef-125.dat	upx
behavioral2/memory/3164-121-0x00007FF71B0B0000-0x00007FF71B404000-memory.dmp	upx
behavioral2/files/0x00070000000234ed-116.dat	upx
behavioral2/files/0x00070000000234ec-115.dat	upx
behavioral2/memory/4244-112-0x00007FF70C240000-0x00007FF70C594000-memory.dmp	upx
behavioral2/memory/2704-111-0x00007FF7A4560000-0x00007FF7A48B4000-memory.dmp	upx
behavioral2/memory/232-98-0x00007FF7A16F0000-0x00007FF7A1A44000-memory.dmp	upx
behavioral2/files/0x00070000000234e9-97.dat	upx
behavioral2/memory/4384-94-0x00007FF6C1440000-0x00007FF6C1794000-memory.dmp	upx
behavioral2/files/0x00070000000234e8-91.dat	upx
behavioral2/files/0x00070000000234ea-102.dat	upx
behavioral2/memory/2884-87-0x00007FF749B90000-0x00007FF749EE4000-memory.dmp	upx
behavioral2/memory/2140-86-0x00007FF6F24F0000-0x00007FF6F2844000-memory.dmp	upx
behavioral2/memory/3424-75-0x00007FF72C850000-0x00007FF72CBA4000-memory.dmp	upx
behavioral2/files/0x00070000000234f0-130.dat	upx
behavioral2/memory/1904-132-0x00007FF74AF90000-0x00007FF74B2E4000-memory.dmp	upx
behavioral2/memory/4812-133-0x00007FF677390000-0x00007FF6776E4000-memory.dmp	upx
behavioral2/memory/1172-134-0x00007FF6BC910000-0x00007FF6BCC64000-memory.dmp	upx
behavioral2/memory/4920-135-0x00007FF787560000-0x00007FF7878B4000-memory.dmp	upx
behavioral2/memory/4776-136-0x00007FF69C570000-0x00007FF69C8C4000-memory.dmp	upx
behavioral2/memory/644-137-0x00007FF785900000-0x00007FF785C54000-memory.dmp	upx
behavioral2/memory/3156-138-0x00007FF7AE260000-0x00007FF7AE5B4000-memory.dmp	upx
behavioral2/memory/828-139-0x00007FF7C3500000-0x00007FF7C3854000-memory.dmp	upx
behavioral2/memory/2884-140-0x00007FF749B90000-0x00007FF749EE4000-memory.dmp	upx
behavioral2/memory/5064-141-0x00007FF771ED0000-0x00007FF772224000-memory.dmp	upx
behavioral2/memory/3164-142-0x00007FF71B0B0000-0x00007FF71B404000-memory.dmp	upx
behavioral2/memory/232-143-0x00007FF7A16F0000-0x00007FF7A1A44000-memory.dmp	upx
behavioral2/memory/216-144-0x00007FF78A3C0000-0x00007FF78A714000-memory.dmp	upx
behavioral2/memory/2704-145-0x00007FF7A4560000-0x00007FF7A48B4000-memory.dmp	upx
behavioral2/memory/2548-146-0x00007FF6FCCE0000-0x00007FF6FD034000-memory.dmp	upx
behavioral2/memory/1252-147-0x00007FF60F350000-0x00007FF60F6A4000-memory.dmp	upx
behavioral2/memory/3424-148-0x00007FF72C850000-0x00007FF72CBA4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\StaPCVU.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ibYJvaK.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AWOxtKi.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PRLOWTY.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UubYxAk.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WwNRLNB.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CPglSbG.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UVfqVse.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bkaNrsY.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NHINCOy.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WMLDjDb.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vZIvpAV.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KRsoYSL.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IbVxlLg.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VcvlCEN.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NmlcXxY.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UkmAEKs.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LFEpuew.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aWMtNOW.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wDZsbdK.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jqkNHrH.exe	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 2548	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 524 wrote to memory of 2548	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 524 wrote to memory of 1252	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 524 wrote to memory of 1252	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 524 wrote to memory of 3424	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 524 wrote to memory of 3424	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 524 wrote to memory of 2140	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 524 wrote to memory of 2140	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 524 wrote to memory of 4384	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 524 wrote to memory of 4384	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 524 wrote to memory of 4244	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 524 wrote to memory of 4244	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 524 wrote to memory of 1904	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 524 wrote to memory of 1904	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 524 wrote to memory of 1556	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 524 wrote to memory of 1556	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 524 wrote to memory of 4776	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 524 wrote to memory of 4776	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 524 wrote to memory of 644	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 524 wrote to memory of 644	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 524 wrote to memory of 3156	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 524 wrote to memory of 3156	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 524 wrote to memory of 828	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 524 wrote to memory of 828	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 524 wrote to memory of 2884	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 524 wrote to memory of 2884	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 524 wrote to memory of 232	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 524 wrote to memory of 232	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 524 wrote to memory of 5064	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 524 wrote to memory of 5064	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 524 wrote to memory of 3164	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 524 wrote to memory of 3164	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 524 wrote to memory of 216	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 524 wrote to memory of 216	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 524 wrote to memory of 2704	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 524 wrote to memory of 2704	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 524 wrote to memory of 4812	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 524 wrote to memory of 4812	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 524 wrote to memory of 1172	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 524 wrote to memory of 1172	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 524 wrote to memory of 4920	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 524 wrote to memory of 4920	524	2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_b8183dcae4915aa6bee969e6018acd2f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524
- C:\Windows\System\UVfqVse.exe
  C:\Windows\System\UVfqVse.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\VcvlCEN.exe
  C:\Windows\System\VcvlCEN.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\jqkNHrH.exe
  C:\Windows\System\jqkNHrH.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\NmlcXxY.exe
  C:\Windows\System\NmlcXxY.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\KRsoYSL.exe
  C:\Windows\System\KRsoYSL.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\UkmAEKs.exe
  C:\Windows\System\UkmAEKs.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System\LFEpuew.exe
  C:\Windows\System\LFEpuew.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\IbVxlLg.exe
  C:\Windows\System\IbVxlLg.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System\aWMtNOW.exe
  C:\Windows\System\aWMtNOW.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\StaPCVU.exe
  C:\Windows\System\StaPCVU.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System\NHINCOy.exe
  C:\Windows\System\NHINCOy.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System\ibYJvaK.exe
  C:\Windows\System\ibYJvaK.exe
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\System\AWOxtKi.exe
  C:\Windows\System\AWOxtKi.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\WMLDjDb.exe
  C:\Windows\System\WMLDjDb.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\PRLOWTY.exe
  C:\Windows\System\PRLOWTY.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\UubYxAk.exe
  C:\Windows\System\UubYxAk.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\wDZsbdK.exe
  C:\Windows\System\wDZsbdK.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\vZIvpAV.exe
  C:\Windows\System\vZIvpAV.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\WwNRLNB.exe
  C:\Windows\System\WwNRLNB.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\CPglSbG.exe
  C:\Windows\System\CPglSbG.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\bkaNrsY.exe
  C:\Windows\System\bkaNrsY.exe
  2⤵
  - Executes dropped EXE
  PID:4920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AWOxtKi.exe

Filesize
5.9MB

MD5
07a94417f4d2ef0d9eaf4b5af4e19e1a

SHA1
03e0002d5b17b2b0ac44827e7b46fed9266b9faf

SHA256
853472120523fafb4920eda53b02aa86192bfbf02e5428ad7246d96b6eaa2f2e

SHA512
689a23fa5bc2e39746bc35e9ed6c3522ddd01d5e5a5f76a6f8d9bbabbda77c87287a8a0d8b08c32f7d547d1bba008d592487e9206545c3fd43eb30d4b3953b73

Download Submit
C:\Windows\System\CPglSbG.exe

Filesize
5.9MB

MD5
7a7ccedbfb9d23244ccb9eccc808facd

SHA1
ce65b2646ff75eff335dafee8526fea67e032a51

SHA256
d1f88539c12b5d2bd48301c5e658e5403d104f73b1471c2c05dcaa189cc1b9d1

SHA512
5f541d749416f639edac5e57b8f4a70d593f4c0e1e5c1e52512c27c2721534a6ea9f04321352db20f98f1bff3bf28d72ee2fb850baa62ea7dc7760b068ad5aae

Download Submit
C:\Windows\System\IbVxlLg.exe

Filesize
5.9MB

MD5
a116b4a07cc73317e357914008f59e5e

SHA1
258a9d1090c76872b62b8a1850011fa91135d710

SHA256
dbc66c2cab99b60d8e3628e610b9e7db229002504a2c950456999980d7985f34

SHA512
ae4d5760e2afd6d5e834dde161392865101b1a93477959bdb35338bd7a84aff4a910af2822979f8d0b17068bdfb72548fa7acd3f55d2a4d7abb3787c37200288

Download Submit
C:\Windows\System\KRsoYSL.exe

Filesize
5.9MB

MD5
14ea508802f5eee1ed96f2628534365c

SHA1
ff8979ac0de6d01f023a0169c24166e813a22722

SHA256
766391c5e5fb95a1a3e6488c7a79a8d5723470cc130e6924ed4ca8a3b094f0fe

SHA512
5da2d8e2be559eec384802aeb1242288988291115fb1e1fcf6a8f5ff6efe15c65879df5dedb95059f856666bd6f26c3f86fb75f7814fd25b8793be9c48d4bdae

Download Submit
C:\Windows\System\LFEpuew.exe

Filesize
5.9MB

MD5
f954ddc9b93d08d35f4a1952d0a4463e

SHA1
021b0dd6a583920ece515f1c8a7d4444a08202e2

SHA256
29b41831223fa382af5bb9cba837c8432d57d16767bedf78b2082e09f407711e

SHA512
792207af158aa2c8095df5b20aa83c57a7f0a9c9fb01f30425008a26f5f28d2ad4482102e617e72975ae7d728b8af729c16efe3fb22fb34ee1cacc9d69215840

Download Submit
C:\Windows\System\NHINCOy.exe

Filesize
5.9MB

MD5
6ac59b63b3b98fc31f2f9130d0fb8e91

SHA1
dce4d770cd82d74710dd83f45d76afa90fda72f1

SHA256
7aa392e39b67b6b78f52c53fcc2261b18d245c4c37db9bea2b7ef85f7589f0bd

SHA512
b81dfaa750de0404bc4e4ab505a83626f8fbb053e97f39244a16f4afc261dc405c561640ac0f76d9ec1bf4a273eb8f58d735b0af224de92d2e0530949f2cfff3

Download Submit
C:\Windows\System\NmlcXxY.exe

Filesize
5.9MB

MD5
fde1a9830f92ea4cb5273cf1dad65b3b

SHA1
2d640ecaab63c17ded4bea521e6193214ef982f5

SHA256
3ae084120ff15a9df262091e0d302c90e3a771390c45ef7129b4ddb4a7f2cbf4

SHA512
a95b7fe9918741491e009197509d2771dbafa9f554186ab6635f76961f52ed98cdf2d77e542ff52e63d0b79797c5ca8c783c05482282028e4e4e8b0ae609e10f

Download Submit
C:\Windows\System\PRLOWTY.exe

Filesize
5.9MB

MD5
8797aa8c0a402b825b3190ac9813afd2

SHA1
9f0744bf62bfa2987a24259da3d42ae90815a4cc

SHA256
8e9222ba8136d963da5eb278f4637d4af3412f55999a8bf4202605b9f333fbb7

SHA512
2daec887894f91c0904f1c59065a21936ab3e898b753278bdf1c5d0e3296cfc8ffa8bbbb993c8d89d598512cbf115fc3c601dd653b1f20498c55ff23cd3dbab7

Download Submit
C:\Windows\System\StaPCVU.exe

Filesize
5.9MB

MD5
efe3aa8c2f4db7d050540dec6b3b4d8a

SHA1
4f89698760a7a271396dfa53483f248576952e5e

SHA256
c955fc5f6d1af1b7885eab89e86870a691fb96fbd637dbf4ba724b399b0b495b

SHA512
459b3a9b8152153fdf6126a96a973b175a30082ecc66d45c78500f258ea20db8770792082852c7f7f40c286b38c6695ab6eb396f85af1dcb04c72f5cf48afd05

Download Submit
C:\Windows\System\UVfqVse.exe

Filesize
5.9MB

MD5
9ee37dea2ace93732225719b10a94e5d

SHA1
1e296d140ee8fd8407013a4b09922ad239a0436e

SHA256
ea1ed1cbedcec259282da6ba23a4b87777544de1a5312be46b1af709a56b60f0

SHA512
c8ea03be8acfc8ad67684e3e5fb7bb1a18e82f1bcb171341c64623d93523f8e398e8e8bdf3d73b2bd15bf3ae9a67b19229a539e62ee822e92a66747e1f047fa7

Download Submit
C:\Windows\System\UkmAEKs.exe

Filesize
5.9MB

MD5
9f36bcf6fa0a5341970f3b9aef0d4d06

SHA1
c57ab3553d1cdd829b2b1954e58cd5991160daaa

SHA256
2c160621d2257b39b194200e4944629183b044f19b8a9de2391c65b121e351c4

SHA512
2c5c81a02e05d7f9b1a1da95b4f8a4860c38c54973762a0d150ae5fab47b6639958fe921c4b10e2ee4a89bfb07b3eef3b46b4680f345ed9421e0c69f6b7225a5

Download Submit
C:\Windows\System\UubYxAk.exe

Filesize
5.9MB

MD5
851ee7924601591b48cd2e0a9c2c74c6

SHA1
e77b57ca01a63938957c67d48b49ed85920904f8

SHA256
7bd10c20d51270d0f1475c5c1e58c63a1432b7f8b435db462a7345231a1c0718

SHA512
d27c00fdd549dd5796c330fedf83cdbc5a85633715386b05ed07874dc4cb4b8a27916839015126464456b622aa675f386c3e3fbb524d94bff12c7598b376d6fd

Download Submit
C:\Windows\System\VcvlCEN.exe

Filesize
5.9MB

MD5
5a0182575b17469af259690c8aabadbb

SHA1
ad7ece84e66da777c4c0a04f5942f2154c408f99

SHA256
f22edaaca672488a2deec3753af7d40e708525333d3592b8a7f07cbaf8a8da26

SHA512
bd6fe86b1f9b41f2f2f375c9b70e8844584430d34e14273dbb462abdb7fdb2848b2966eb92619e97eb0dce567d3c983bbf8f5ed8cce20d95dfd726d54ff831c4

Download Submit
C:\Windows\System\WMLDjDb.exe

Filesize
5.9MB

MD5
9b6f7d5be9729ab87464d0e0d759b63d

SHA1
2b2a6fc8b4f148c022fb6fce5a856eb3bc4191bd

SHA256
7da5af0050f5ec5fdf7f8f24b8f991a9cda8bfdb1d3e352b1acf4e7ecbe7c2e7

SHA512
4e0c93aefb2e066f6fefb44da4c12b77f1604249711efb332ec1b9b9b91b6d129f919a61337cebb3bb08550545c68acee6d7b61ae25faa33198c041766217b5e

Download Submit
C:\Windows\System\WwNRLNB.exe

Filesize
5.9MB

MD5
bb6f18abff3091e85452e423a744b24a

SHA1
51f7545c266fa5619cb1061de6c9e5f2f187d3d7

SHA256
5799c69dcbf251db9ee65b7ae649248e30d4497d9317806d0d78987199de9b86

SHA512
c75a8a1ae6b34ed3f3eb068490b10e6d71f9a40a735a2988b4ae4117fb2d04c6dd0a3253cf7521655b0173c48d85d86f1a762c1b75f96e33a496b2c9dcfa70ba

Download Submit
C:\Windows\System\aWMtNOW.exe

Filesize
5.9MB

MD5
47699b58fa35acd44b261957e523a69d

SHA1
e078c21724c2fea5fa7917396a40762f09c17e86

SHA256
907654df5ad95cd9dbddf09eebfbab24aab8df38b7ea79c8b09d15050a9d8a5c

SHA512
244d1bcb9dfc5d25c42c6cf0dc364800e8b770347670bb5b293d5997e18637159598c6714d701dfe3c8911431cd6b4a63f9a71d7b32bc26ad8b71f42435c730c

Download Submit
C:\Windows\System\bkaNrsY.exe

Filesize
5.9MB

MD5
1737787fd755f296775f66a42416f280

SHA1
45b1a0b7195bc61fdbe206b08e60973f2652450a

SHA256
4fd10c95420bcb5be69e52b0070176365d553672a4e96e2f4e0ff412c17846cb

SHA512
5bf6639ab8fc564c6eea1f988e37165afeb2f8d5bad7303bd1d9688b3351a94980cd2fa68eb05e80b228f538123dc1515c58582bdda8536b4dbdc57733bced1d

Download Submit
C:\Windows\System\ibYJvaK.exe

Filesize
5.9MB

MD5
875143da1e7dd1901f409eef712ba66f

SHA1
d606582987efd668970c8ff02dc9bacf597c412e

SHA256
1b2a21e452fc2120ea0da7fdf18788201143f382ee664a65247783baa604a652

SHA512
664d342624cca243727635ac034bfc1536e429283544e423d22140ba70e8a6b0463ccfdf02fcbd04f5f5742ebc5a564bcfb61742fd66c95ce2e0839b105a566d

Download Submit
C:\Windows\System\jqkNHrH.exe

Filesize
5.9MB

MD5
ee62640a65e67f5d69bff4914145f4fc

SHA1
8d4acaf604008cfe396afdb4d709da6596f51039

SHA256
99023c15836d6f163b78daac692509658ff2d985bda0653c20ad985730ce74b6

SHA512
d6e6e7d23689c49c8fc8176f54f0b0b137bab42bb35628cdbd212571d79c01fe041b110ef3258171d7b70daff1d9cce6c79b054cd45779ae8646a86581996673

Download Submit
C:\Windows\System\vZIvpAV.exe

Filesize
5.9MB

MD5
6a16a4f659b34a76562184b2972fbffe

SHA1
f62745945780059df32f8ef4678a715cbea582db

SHA256
e44ebd3b7be78d35774151d444bdea3e0c012e452cd66c33165286cf5adacc99

SHA512
2d8c86ce43d0f697efeb6bcc3f18aca464037a3486072b0791589889fca586102f05c95f351acd4afdbc0ee0416c9981cb28fed6d7aeca1ed1031c34de7abb77

Download Submit
C:\Windows\System\wDZsbdK.exe

Filesize
5.9MB

MD5
88bc61e820c235f8cc963c3dc2c91496

SHA1
e023b0a13c4d112436b34aabb12f149510c1bf5a

SHA256
5436051301a625e9d17d486fb3341dbcf9122094a0c4e4456f10d48ae4c741c6

SHA512
977e7e091100c70122252f0dee00b22ae2dfa402c9d695fcb96aa9c868ab26a7f3e1c1419420d05543ce21c0a27a942a20a5a202b1bddb62cb71c74a10c79463

Download Submit
memory/216-108-0x00007FF78A3C0000-0x00007FF78A714000-memory.dmp

Filesize
3.3MB

Download
memory/216-144-0x00007FF78A3C0000-0x00007FF78A714000-memory.dmp

Filesize
3.3MB

Download
memory/216-162-0x00007FF78A3C0000-0x00007FF78A714000-memory.dmp

Filesize
3.3MB

Download
memory/232-143-0x00007FF7A16F0000-0x00007FF7A1A44000-memory.dmp

Filesize
3.3MB

Download
memory/232-98-0x00007FF7A16F0000-0x00007FF7A1A44000-memory.dmp

Filesize
3.3MB

Download
memory/232-159-0x00007FF7A16F0000-0x00007FF7A1A44000-memory.dmp

Filesize
3.3MB

Download
memory/524-0-0x00007FF743540000-0x00007FF743894000-memory.dmp

Filesize
3.3MB

Download
memory/524-1-0x000001E6E3640000-0x000001E6E3650000-memory.dmp

Filesize
64KB

Download
memory/524-60-0x00007FF743540000-0x00007FF743894000-memory.dmp

Filesize
3.3MB

Download
memory/644-155-0x00007FF785900000-0x00007FF785C54000-memory.dmp

Filesize
3.3MB

Download
memory/644-137-0x00007FF785900000-0x00007FF785C54000-memory.dmp

Filesize
3.3MB

Download
memory/644-63-0x00007FF785900000-0x00007FF785C54000-memory.dmp

Filesize
3.3MB

Download
memory/828-157-0x00007FF7C3500000-0x00007FF7C3854000-memory.dmp

Filesize
3.3MB

Download
memory/828-79-0x00007FF7C3500000-0x00007FF7C3854000-memory.dmp

Filesize
3.3MB

Download
memory/828-139-0x00007FF7C3500000-0x00007FF7C3854000-memory.dmp

Filesize
3.3MB

Download
memory/1172-163-0x00007FF6BC910000-0x00007FF6BCC64000-memory.dmp

Filesize
3.3MB

Download
memory/1172-134-0x00007FF6BC910000-0x00007FF6BCC64000-memory.dmp

Filesize
3.3MB

Download
memory/1252-14-0x00007FF60F350000-0x00007FF60F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1252-147-0x00007FF60F350000-0x00007FF60F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1252-71-0x00007FF60F350000-0x00007FF60F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1556-50-0x00007FF674CC0000-0x00007FF675014000-memory.dmp

Filesize
3.3MB

Download
memory/1556-153-0x00007FF674CC0000-0x00007FF675014000-memory.dmp

Filesize
3.3MB

Download
memory/1904-152-0x00007FF74AF90000-0x00007FF74B2E4000-memory.dmp

Filesize
3.3MB

Download
memory/1904-132-0x00007FF74AF90000-0x00007FF74B2E4000-memory.dmp

Filesize
3.3MB

Download
memory/1904-42-0x00007FF74AF90000-0x00007FF74B2E4000-memory.dmp

Filesize
3.3MB

Download
memory/2140-25-0x00007FF6F24F0000-0x00007FF6F2844000-memory.dmp

Filesize
3.3MB

Download
memory/2140-86-0x00007FF6F24F0000-0x00007FF6F2844000-memory.dmp

Filesize
3.3MB

Download
memory/2140-149-0x00007FF6F24F0000-0x00007FF6F2844000-memory.dmp

Filesize
3.3MB

Download
memory/2548-8-0x00007FF6FCCE0000-0x00007FF6FD034000-memory.dmp

Filesize
3.3MB

Download
memory/2548-67-0x00007FF6FCCE0000-0x00007FF6FD034000-memory.dmp

Filesize
3.3MB

Download
memory/2548-146-0x00007FF6FCCE0000-0x00007FF6FD034000-memory.dmp

Filesize
3.3MB

Download
memory/2704-161-0x00007FF7A4560000-0x00007FF7A48B4000-memory.dmp

Filesize
3.3MB

Download
memory/2704-145-0x00007FF7A4560000-0x00007FF7A48B4000-memory.dmp

Filesize
3.3MB

Download
memory/2704-111-0x00007FF7A4560000-0x00007FF7A48B4000-memory.dmp

Filesize
3.3MB

Download
memory/2884-158-0x00007FF749B90000-0x00007FF749EE4000-memory.dmp

Filesize
3.3MB

Download
memory/2884-140-0x00007FF749B90000-0x00007FF749EE4000-memory.dmp

Filesize
3.3MB

Download
memory/2884-87-0x00007FF749B90000-0x00007FF749EE4000-memory.dmp

Filesize
3.3MB

Download
memory/3156-138-0x00007FF7AE260000-0x00007FF7AE5B4000-memory.dmp

Filesize
3.3MB

Download
memory/3156-68-0x00007FF7AE260000-0x00007FF7AE5B4000-memory.dmp

Filesize
3.3MB

Download
memory/3156-156-0x00007FF7AE260000-0x00007FF7AE5B4000-memory.dmp

Filesize
3.3MB

Download
memory/3164-165-0x00007FF71B0B0000-0x00007FF71B404000-memory.dmp

Filesize
3.3MB

Download
memory/3164-121-0x00007FF71B0B0000-0x00007FF71B404000-memory.dmp

Filesize
3.3MB

Download
memory/3164-142-0x00007FF71B0B0000-0x00007FF71B404000-memory.dmp

Filesize
3.3MB

Download
memory/3424-75-0x00007FF72C850000-0x00007FF72CBA4000-memory.dmp

Filesize
3.3MB

Download
memory/3424-148-0x00007FF72C850000-0x00007FF72CBA4000-memory.dmp

Filesize
3.3MB

Download
memory/3424-20-0x00007FF72C850000-0x00007FF72CBA4000-memory.dmp

Filesize
3.3MB

Download
memory/4244-36-0x00007FF70C240000-0x00007FF70C594000-memory.dmp

Filesize
3.3MB

Download
memory/4244-112-0x00007FF70C240000-0x00007FF70C594000-memory.dmp

Filesize
3.3MB

Download
memory/4244-151-0x00007FF70C240000-0x00007FF70C594000-memory.dmp

Filesize
3.3MB

Download
memory/4384-30-0x00007FF6C1440000-0x00007FF6C1794000-memory.dmp

Filesize
3.3MB

Download
memory/4384-150-0x00007FF6C1440000-0x00007FF6C1794000-memory.dmp

Filesize
3.3MB

Download
memory/4384-94-0x00007FF6C1440000-0x00007FF6C1794000-memory.dmp

Filesize
3.3MB

Download
memory/4776-154-0x00007FF69C570000-0x00007FF69C8C4000-memory.dmp

Filesize
3.3MB

Download
memory/4776-54-0x00007FF69C570000-0x00007FF69C8C4000-memory.dmp

Filesize
3.3MB

Download
memory/4776-136-0x00007FF69C570000-0x00007FF69C8C4000-memory.dmp

Filesize
3.3MB

Download
memory/4812-133-0x00007FF677390000-0x00007FF6776E4000-memory.dmp

Filesize
3.3MB

Download
memory/4812-164-0x00007FF677390000-0x00007FF6776E4000-memory.dmp

Filesize
3.3MB

Download
memory/4920-135-0x00007FF787560000-0x00007FF7878B4000-memory.dmp

Filesize
3.3MB

Download
memory/4920-166-0x00007FF787560000-0x00007FF7878B4000-memory.dmp

Filesize
3.3MB

Download
memory/5064-160-0x00007FF771ED0000-0x00007FF772224000-memory.dmp

Filesize
3.3MB

Download
memory/5064-106-0x00007FF771ED0000-0x00007FF772224000-memory.dmp

Filesize
3.3MB

Download
memory/5064-141-0x00007FF771ED0000-0x00007FF772224000-memory.dmp

Filesize
3.3MB

Download