cobaltstrike | 185278868128cc67e8354370e598a338340bce4bb460287b0335f782577d1b73

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

081cc064686ae4b3d399dfd0c9d896fb
SHA1

c99457e7ed8a8096562f7dc2cb65e673de9a4c11
SHA256

185278868128cc67e8354370e598a338340bce4bb460287b0335f782577d1b73
SHA512

115bc786dc0b222ed40514e540f683bee6023968738acffb83edcf89ff83b25213ebde662fb543053f9327eacb10f3cde52820671df2b7210377198dfb7c9dfd
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l9:RWWBibf56utgpPFotBER/mQ32lUx

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023c12-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-19.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-73.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c93-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-128.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-116.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/1196-45-0x00007FF60F4D0000-0x00007FF60F821000-memory.dmp	xmrig
behavioral2/memory/4936-96-0x00007FF74F4F0000-0x00007FF74F841000-memory.dmp	xmrig
behavioral2/memory/4800-95-0x00007FF679CB0000-0x00007FF67A001000-memory.dmp	xmrig
behavioral2/memory/1780-102-0x00007FF7A9B60000-0x00007FF7A9EB1000-memory.dmp	xmrig
behavioral2/memory/708-94-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp	xmrig
behavioral2/memory/4200-91-0x00007FF731D60000-0x00007FF7320B1000-memory.dmp	xmrig
behavioral2/memory/3052-90-0x00007FF6906D0000-0x00007FF690A21000-memory.dmp	xmrig
behavioral2/memory/1864-89-0x00007FF7BAD90000-0x00007FF7BB0E1000-memory.dmp	xmrig
behavioral2/memory/380-13-0x00007FF72E1A0000-0x00007FF72E4F1000-memory.dmp	xmrig
behavioral2/memory/1780-8-0x00007FF7A9B60000-0x00007FF7A9EB1000-memory.dmp	xmrig
behavioral2/memory/380-107-0x00007FF72E1A0000-0x00007FF72E4F1000-memory.dmp	xmrig
behavioral2/memory/3644-127-0x00007FF638070000-0x00007FF6383C1000-memory.dmp	xmrig
behavioral2/memory/1748-120-0x00007FF74D3F0000-0x00007FF74D741000-memory.dmp	xmrig
behavioral2/memory/2880-111-0x00007FF6C9430000-0x00007FF6C9781000-memory.dmp	xmrig
behavioral2/memory/1048-133-0x00007FF786270000-0x00007FF7865C1000-memory.dmp	xmrig
behavioral2/memory/3056-134-0x00007FF6837E0000-0x00007FF683B31000-memory.dmp	xmrig
behavioral2/memory/708-135-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp	xmrig
behavioral2/memory/2556-145-0x00007FF73C720000-0x00007FF73CA71000-memory.dmp	xmrig
behavioral2/memory/4084-144-0x00007FF6A3800000-0x00007FF6A3B51000-memory.dmp	xmrig
behavioral2/memory/212-153-0x00007FF65BFA0000-0x00007FF65C2F1000-memory.dmp	xmrig
behavioral2/memory/2416-154-0x00007FF666E10000-0x00007FF667161000-memory.dmp	xmrig
behavioral2/memory/468-155-0x00007FF7814A0000-0x00007FF7817F1000-memory.dmp	xmrig
behavioral2/memory/2788-156-0x00007FF7FE0B0000-0x00007FF7FE401000-memory.dmp	xmrig
behavioral2/memory/872-157-0x00007FF605770000-0x00007FF605AC1000-memory.dmp	xmrig
behavioral2/memory/1048-163-0x00007FF786270000-0x00007FF7865C1000-memory.dmp	xmrig
behavioral2/memory/4556-162-0x00007FF65A720000-0x00007FF65AA71000-memory.dmp	xmrig
behavioral2/memory/708-164-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp	xmrig
behavioral2/memory/1780-218-0x00007FF7A9B60000-0x00007FF7A9EB1000-memory.dmp	xmrig
behavioral2/memory/380-220-0x00007FF72E1A0000-0x00007FF72E4F1000-memory.dmp	xmrig
behavioral2/memory/2880-222-0x00007FF6C9430000-0x00007FF6C9781000-memory.dmp	xmrig
behavioral2/memory/1748-224-0x00007FF74D3F0000-0x00007FF74D741000-memory.dmp	xmrig
behavioral2/memory/3644-226-0x00007FF638070000-0x00007FF6383C1000-memory.dmp	xmrig
behavioral2/memory/1196-230-0x00007FF60F4D0000-0x00007FF60F821000-memory.dmp	xmrig
behavioral2/memory/4084-236-0x00007FF6A3800000-0x00007FF6A3B51000-memory.dmp	xmrig
behavioral2/memory/3056-228-0x00007FF6837E0000-0x00007FF683B31000-memory.dmp	xmrig
behavioral2/memory/4800-240-0x00007FF679CB0000-0x00007FF67A001000-memory.dmp	xmrig
behavioral2/memory/2556-238-0x00007FF73C720000-0x00007FF73CA71000-memory.dmp	xmrig
behavioral2/memory/1864-247-0x00007FF7BAD90000-0x00007FF7BB0E1000-memory.dmp	xmrig
behavioral2/memory/3052-251-0x00007FF6906D0000-0x00007FF690A21000-memory.dmp	xmrig
behavioral2/memory/4936-249-0x00007FF74F4F0000-0x00007FF74F841000-memory.dmp	xmrig
behavioral2/memory/4200-253-0x00007FF731D60000-0x00007FF7320B1000-memory.dmp	xmrig
behavioral2/memory/212-257-0x00007FF65BFA0000-0x00007FF65C2F1000-memory.dmp	xmrig
behavioral2/memory/2416-259-0x00007FF666E10000-0x00007FF667161000-memory.dmp	xmrig
behavioral2/memory/468-255-0x00007FF7814A0000-0x00007FF7817F1000-memory.dmp	xmrig
behavioral2/memory/2788-265-0x00007FF7FE0B0000-0x00007FF7FE401000-memory.dmp	xmrig
behavioral2/memory/872-267-0x00007FF605770000-0x00007FF605AC1000-memory.dmp	xmrig
behavioral2/memory/4556-271-0x00007FF65A720000-0x00007FF65AA71000-memory.dmp	xmrig
behavioral2/memory/1048-269-0x00007FF786270000-0x00007FF7865C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1780	QJojKnO.exe
380	EIDsSBI.exe
2880	NtZftBk.exe
1748	vcnKwUf.exe
3644	QUjmZPH.exe
3056	DigKWgD.exe
1196	dOKZCrf.exe
4084	soUKpql.exe
2556	exKeGJv.exe
4800	TMSSJOo.exe
1864	lCjRnMa.exe
4936	TmFsvXf.exe
3052	ewiiqrd.exe
4200	cxdXWIM.exe
468	oMiBTkP.exe
212	WWhRPRq.exe
2416	RRwjOzF.exe
2788	hySVVcv.exe
872	qLTtUoW.exe
4556	ItlRLvB.exe
1048	abIkpDP.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/708-0-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp	upx
behavioral2/files/0x000a000000023c12-4.dat	upx
behavioral2/files/0x0007000000023c96-12.dat	upx
behavioral2/files/0x0007000000023c97-19.dat	upx
behavioral2/memory/1748-24-0x00007FF74D3F0000-0x00007FF74D741000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-31.dat	upx
behavioral2/files/0x0007000000023c9a-39.dat	upx
behavioral2/files/0x0007000000023c9b-41.dat	upx
behavioral2/files/0x0007000000023c9c-46.dat	upx
behavioral2/memory/4084-47-0x00007FF6A3800000-0x00007FF6A3B51000-memory.dmp	upx
behavioral2/memory/1196-45-0x00007FF60F4D0000-0x00007FF60F821000-memory.dmp	upx
behavioral2/memory/3056-44-0x00007FF6837E0000-0x00007FF683B31000-memory.dmp	upx
behavioral2/memory/3644-32-0x00007FF638070000-0x00007FF6383C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-25.dat	upx
behavioral2/memory/2880-18-0x00007FF6C9430000-0x00007FF6C9781000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-53.dat	upx
behavioral2/files/0x0007000000023c9f-63.dat	upx
behavioral2/files/0x0007000000023ca2-79.dat	upx
behavioral2/files/0x0007000000023ca3-82.dat	upx
behavioral2/files/0x0007000000023ca4-87.dat	upx
behavioral2/memory/212-93-0x00007FF65BFA0000-0x00007FF65C2F1000-memory.dmp	upx
behavioral2/memory/4936-96-0x00007FF74F4F0000-0x00007FF74F841000-memory.dmp	upx
behavioral2/memory/4800-95-0x00007FF679CB0000-0x00007FF67A001000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-104.dat	upx
behavioral2/memory/2416-103-0x00007FF666E10000-0x00007FF667161000-memory.dmp	upx
behavioral2/memory/1780-102-0x00007FF7A9B60000-0x00007FF7A9EB1000-memory.dmp	upx
behavioral2/memory/708-94-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp	upx
behavioral2/memory/468-92-0x00007FF7814A0000-0x00007FF7817F1000-memory.dmp	upx
behavioral2/memory/4200-91-0x00007FF731D60000-0x00007FF7320B1000-memory.dmp	upx
behavioral2/memory/3052-90-0x00007FF6906D0000-0x00007FF690A21000-memory.dmp	upx
behavioral2/memory/1864-89-0x00007FF7BAD90000-0x00007FF7BB0E1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-75.dat	upx
behavioral2/files/0x0007000000023ca0-73.dat	upx
behavioral2/memory/2556-68-0x00007FF73C720000-0x00007FF73CA71000-memory.dmp	upx
behavioral2/files/0x0008000000023c93-59.dat	upx
behavioral2/memory/380-13-0x00007FF72E1A0000-0x00007FF72E4F1000-memory.dmp	upx
behavioral2/memory/1780-8-0x00007FF7A9B60000-0x00007FF7A9EB1000-memory.dmp	upx
behavioral2/memory/380-107-0x00007FF72E1A0000-0x00007FF72E4F1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-115.dat	upx
behavioral2/memory/3644-127-0x00007FF638070000-0x00007FF6383C1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-131.dat	upx
behavioral2/memory/4556-129-0x00007FF65A720000-0x00007FF65AA71000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-128.dat	upx
behavioral2/memory/872-122-0x00007FF605770000-0x00007FF605AC1000-memory.dmp	upx
behavioral2/memory/1748-120-0x00007FF74D3F0000-0x00007FF74D741000-memory.dmp	upx
behavioral2/memory/2788-114-0x00007FF7FE0B0000-0x00007FF7FE401000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-116.dat	upx
behavioral2/memory/2880-111-0x00007FF6C9430000-0x00007FF6C9781000-memory.dmp	upx
behavioral2/memory/1048-133-0x00007FF786270000-0x00007FF7865C1000-memory.dmp	upx
behavioral2/memory/3056-134-0x00007FF6837E0000-0x00007FF683B31000-memory.dmp	upx
behavioral2/memory/708-135-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp	upx
behavioral2/memory/2556-145-0x00007FF73C720000-0x00007FF73CA71000-memory.dmp	upx
behavioral2/memory/4084-144-0x00007FF6A3800000-0x00007FF6A3B51000-memory.dmp	upx
behavioral2/memory/212-153-0x00007FF65BFA0000-0x00007FF65C2F1000-memory.dmp	upx
behavioral2/memory/2416-154-0x00007FF666E10000-0x00007FF667161000-memory.dmp	upx
behavioral2/memory/468-155-0x00007FF7814A0000-0x00007FF7817F1000-memory.dmp	upx
behavioral2/memory/2788-156-0x00007FF7FE0B0000-0x00007FF7FE401000-memory.dmp	upx
behavioral2/memory/872-157-0x00007FF605770000-0x00007FF605AC1000-memory.dmp	upx
behavioral2/memory/1048-163-0x00007FF786270000-0x00007FF7865C1000-memory.dmp	upx
behavioral2/memory/4556-162-0x00007FF65A720000-0x00007FF65AA71000-memory.dmp	upx
behavioral2/memory/708-164-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp	upx
behavioral2/memory/1780-218-0x00007FF7A9B60000-0x00007FF7A9EB1000-memory.dmp	upx
behavioral2/memory/380-220-0x00007FF72E1A0000-0x00007FF72E4F1000-memory.dmp	upx
behavioral2/memory/2880-222-0x00007FF6C9430000-0x00007FF6C9781000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\TmFsvXf.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oMiBTkP.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WWhRPRq.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QJojKnO.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dOKZCrf.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TMSSJOo.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ItlRLvB.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QUjmZPH.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\soUKpql.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qLTtUoW.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ewiiqrd.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NtZftBk.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vcnKwUf.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\exKeGJv.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cxdXWIM.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RRwjOzF.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hySVVcv.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\abIkpDP.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EIDsSBI.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DigKWgD.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lCjRnMa.exe	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 1780	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 708 wrote to memory of 1780	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 708 wrote to memory of 380	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 708 wrote to memory of 380	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 708 wrote to memory of 2880	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 708 wrote to memory of 2880	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 708 wrote to memory of 1748	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 708 wrote to memory of 1748	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 708 wrote to memory of 3644	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 708 wrote to memory of 3644	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 708 wrote to memory of 3056	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 708 wrote to memory of 3056	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 708 wrote to memory of 1196	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 708 wrote to memory of 1196	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 708 wrote to memory of 4084	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 708 wrote to memory of 4084	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 708 wrote to memory of 2556	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 708 wrote to memory of 2556	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 708 wrote to memory of 4800	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 708 wrote to memory of 4800	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 708 wrote to memory of 1864	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 708 wrote to memory of 1864	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 708 wrote to memory of 4936	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 708 wrote to memory of 4936	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 708 wrote to memory of 3052	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 708 wrote to memory of 3052	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 708 wrote to memory of 4200	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 708 wrote to memory of 4200	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 708 wrote to memory of 468	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 708 wrote to memory of 468	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 708 wrote to memory of 212	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 708 wrote to memory of 212	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 708 wrote to memory of 2416	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 708 wrote to memory of 2416	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 708 wrote to memory of 2788	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 708 wrote to memory of 2788	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 708 wrote to memory of 872	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 708 wrote to memory of 872	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 708 wrote to memory of 4556	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 708 wrote to memory of 4556	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 708 wrote to memory of 1048	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 708 wrote to memory of 1048	708	2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-27_081cc064686ae4b3d399dfd0c9d896fb_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:708
- C:\Windows\System\QJojKnO.exe
  C:\Windows\System\QJojKnO.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\EIDsSBI.exe
  C:\Windows\System\EIDsSBI.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\NtZftBk.exe
  C:\Windows\System\NtZftBk.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\vcnKwUf.exe
  C:\Windows\System\vcnKwUf.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\QUjmZPH.exe
  C:\Windows\System\QUjmZPH.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\DigKWgD.exe
  C:\Windows\System\DigKWgD.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\dOKZCrf.exe
  C:\Windows\System\dOKZCrf.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\soUKpql.exe
  C:\Windows\System\soUKpql.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System\exKeGJv.exe
  C:\Windows\System\exKeGJv.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\TMSSJOo.exe
  C:\Windows\System\TMSSJOo.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System\lCjRnMa.exe
  C:\Windows\System\lCjRnMa.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\TmFsvXf.exe
  C:\Windows\System\TmFsvXf.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\ewiiqrd.exe
  C:\Windows\System\ewiiqrd.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\cxdXWIM.exe
  C:\Windows\System\cxdXWIM.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\oMiBTkP.exe
  C:\Windows\System\oMiBTkP.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\WWhRPRq.exe
  C:\Windows\System\WWhRPRq.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\RRwjOzF.exe
  C:\Windows\System\RRwjOzF.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\hySVVcv.exe
  C:\Windows\System\hySVVcv.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\qLTtUoW.exe
  C:\Windows\System\qLTtUoW.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\ItlRLvB.exe
  C:\Windows\System\ItlRLvB.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\abIkpDP.exe
  C:\Windows\System\abIkpDP.exe
  2⤵
  - Executes dropped EXE
  PID:1048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DigKWgD.exe

Filesize
5.2MB

MD5
d50bf787bf8fdaa5a9ccd493a4276f7f

SHA1
bf77d3071522946cf31f908cef05a8655944e100

SHA256
3fdb40a3503e2e3a343204a04518214f2bf566cc81a08765558fff57c25b6ea7

SHA512
bcb3b6eb64e78fc00fdce33f5340451ce72ba3f9fe338e92aabdef5b79b844c826646b7955c528b49680ca787ac2161fc61e79cb8ee322157b7034b3bdcc1714

Download Submit
C:\Windows\System\EIDsSBI.exe

Filesize
5.2MB

MD5
b4e04cd51389ef47b4a942b06a06a26e

SHA1
0695a1e19fd7b6c0ed9dfe871d01c1631afd112a

SHA256
3d32b220a639ddb05947eb47e04f81eab3bb24d07657a83a7564082745da8b8a

SHA512
dbd194663a67a7e94a84fd88a79bac5ca5dd4aa40b5b191a95bd12fe2f3755c1b30e7deffac5d48fc91c979902a51a62a2ce8be9964d259987cca686ae245f9a

Download Submit
C:\Windows\System\ItlRLvB.exe

Filesize
5.2MB

MD5
f98b96facda796389e0b2a97649d31b2

SHA1
1b01e682689bd71cc12ae2853ddc0ef901a0f971

SHA256
b4406cc40abdd55efb61e2c1c9a6c99c701c9d27404be60dd9f0bbdcd43a585f

SHA512
84a4edfa2b115c3cb45a3f4a790967c940ee71465b54d32d68e9b993b5cf3b8419c8d034f1db6d939543d63c398908d11194e114288fdb8a6f368126a9e263b3

Download Submit
C:\Windows\System\NtZftBk.exe

Filesize
5.2MB

MD5
abb7d9ddaaffd3c5806806e34ed03a37

SHA1
1d0969518f92ff1fe415113af5b2f4713da1be0c

SHA256
959ba7abff0a9e12cdf55511d5b3633d37694f338f55449c4ffadbe0558e6cde

SHA512
e95041c96aba8b43b52d97687a79f8370da50ec5254aeb5bf11a46e97c3e07338ec1c55af13c1e727adc2bc3900e75f864e1fb0c2d1bb6b72dcc7c563c91af86

Download Submit
C:\Windows\System\QJojKnO.exe

Filesize
5.2MB

MD5
113657239b87dbd68350863b7cffe12d

SHA1
1630c051f2105b4219d8f803ca7c9b7c0ac49b0d

SHA256
9596a4e0b5b4d2b437980587e76c3d2283e8e97443b0594f177a85ffbffaaefb

SHA512
6156138f195b831100207f46178b51878c4e884cba66060d495802d5103cca697f8d3e453d4a9b1c0b3448c83a4adbe8a1c2414f30b3d53802d5edbc7154370c

Download Submit
C:\Windows\System\QUjmZPH.exe

Filesize
5.2MB

MD5
8618c2e68a75a173780539fa58710b40

SHA1
4585d9b6cf20f9c5e3586b059cb9b3e79965cc79

SHA256
6799e9acccf6fc59a1968d7ac5018f6537905928c240357035777bbd94ac98af

SHA512
6ac6888d6c04069ef3187d534b542b66632bfe694f2d93e02d3357eda4aa07a1b0467fa1cae276bed68f623e714b0d2e15760a1e11211a54e8536f49370a8b82

Download Submit
C:\Windows\System\RRwjOzF.exe

Filesize
5.2MB

MD5
c30110b418daec600bb688767ecf2eb5

SHA1
5b8fc2b5fd81d7ca1e48e2c2072dff6843f168ad

SHA256
5907a51491dbf729f50196dbe57a8cc3f7d5f9c46b701825a1997c350b712ff6

SHA512
1e83d3c5b78ec7450016ba7bfea5666de8ec4f2e340acd8742c211b9ac8847eb3b37958aca26ae6fbe4a65d14f67f6edb89d1818c400cd1ece9018c3dc3b6ac5

Download Submit
C:\Windows\System\TMSSJOo.exe

Filesize
5.2MB

MD5
bcb181a2a10e60519e6bfb8309aadfbb

SHA1
673cd5cd43d679f18d66f3c650f111f9c7ac0dee

SHA256
eb5f212437b1d7729b42e87439e8b578b55e42d210e82774b9afabb62e65e75e

SHA512
810a1d4df73179e09fdae24c232bf429813947fd3b1c6448c1d2d2cf6aefe14667bc7af796d1524a625f952dad3850e242cf2001b59963e0ce12730b06596f3b

Download Submit
C:\Windows\System\TmFsvXf.exe

Filesize
5.2MB

MD5
3ede0d147f16eca40f1b0b0ff10b7ee4

SHA1
67055a4a13ff5e3ced0d6a7d525f1ef552896d39

SHA256
7ef880e4a4e58a131b5a9b61d4f9557523726a3517326b55fc2e3d7167e54dee

SHA512
11ca231405a752ccf9b6beccd352d6d46390d716a949300fbe09ef7b4ef96de2a2ff88ba24c2f36257a2162867f0d6b0259a3354223ee9d2f82d1a88224b39b8

Download Submit
C:\Windows\System\WWhRPRq.exe

Filesize
5.2MB

MD5
ac0919d3c92a00c0e56dd070ca812e16

SHA1
56b9a6f831a26e2ed4e5b3ed052cb5d1287ad07c

SHA256
d750a3aed877a4e7ea720afe029e5226f7b2fa43e5baf3d9804ba3a653b17e29

SHA512
c29c63852fc343cf0cfdc84f9b42934b8a937e4a620762757e0d5a9ffbfc6fa28656839ab76554be693b07bf0a05c4fa7ced9bb601672dfbe872807a677ab9d6

Download Submit
C:\Windows\System\abIkpDP.exe

Filesize
5.2MB

MD5
1db63c8ece8a78166611df161ccf06e8

SHA1
8f2eec8220a30c6e602ed718094ee4c28e409706

SHA256
fa2e4212f62bb99a8613a9f4c534712ba9239f5c4a0db013eb6476fa675076f6

SHA512
a4984222df2ffd2de9967b2f59f73ed78b08c9000d14a311696c97a90bbb5c03d90cbffabcec4fe1e0186f411f19f418e79f34b6fd62a127f79e541d0f834af8

Download Submit
C:\Windows\System\cxdXWIM.exe

Filesize
5.2MB

MD5
94e39ae1d2e526b34e847a3d0d24645d

SHA1
506ebda3f5a33a429e979fa0e56d809ac91c1106

SHA256
1f8f192a9b43e75e1e347b870a3852038674303b4343c4a4e86430fc64c504a1

SHA512
6e1ee27d7b811dbda3e2a4a27a07e893e5ebd32254f8bfa1d850ec59f67cee9b4536a5b3d4ec52cc26430d8a75b5df400b498adb7ed5e14caf38c204f65fcaa1

Download Submit
C:\Windows\System\dOKZCrf.exe

Filesize
5.2MB

MD5
ebde76a6c9ef1ba0ee701dc54e0bcfe4

SHA1
cf7a6578151015d76a4d69e96928950a152a05bc

SHA256
ea475280832ac6ada7eb3765440f8517f1163ee31d1dcc385fd58162b2fe9b1c

SHA512
d1a865c29ffb0b2226607bd3ddda8bb64f1c6135fde84eefa55ca05b785ffc1985c8a3d1dd922085925fa2c2bdc5e371c1501d8603f205de832f08cee250124e

Download Submit
C:\Windows\System\ewiiqrd.exe

Filesize
5.2MB

MD5
ab33265ee776ef5597bfb79da09067a0

SHA1
6d6b7a4f3a4a8e26de5b9303d4d34f7b7fb232b1

SHA256
d9f7594d83469596fda8c8dfc399142036d112e44b730921fc30e9c91f25cf0e

SHA512
dd24f4908da692f020089adb2198f5e4562bcd716bd4ba20b1df7343cf188dcd0db7c41c145d4225c4c81ce6331a9fff3575b920405c54ba568df741c1bf9541

Download Submit
C:\Windows\System\exKeGJv.exe

Filesize
5.2MB

MD5
f2145ce7611293dacb7cfcdc98514007

SHA1
0fa467b57dc0ecdf99fec1addc813cc87bbc0479

SHA256
58959d89069d1c706e1266154aacf46ce723a23d3af5bb47692cbc9cfb37e642

SHA512
71d2a1c1382c184e9d31565c4caa4c2dcebd7d9c07997e4ecee586c20562f2fbada6f2b488782d5c5336d9af7c588f4677c7905f6f82d9cdb09a3fec8caa53ec

Download Submit
C:\Windows\System\hySVVcv.exe

Filesize
5.2MB

MD5
a09ce73c6a5678ed5d3d1e8bebc0fb7d

SHA1
d8b8ba221ea8acf84cd67aa8cd596cd6e687148e

SHA256
0809c07efc60254160a0b5a38271de48dff9a0141ea9f0b9752b6a075a914280

SHA512
4ad16b34bbd78b6f3605700d3582226ac295067126135d1f804ee76d2a0f7598734e6152a8f358ce7a34a5ef9afd49d1cbd431b5f48806faa58db2ae63f63fd3

Download Submit
C:\Windows\System\lCjRnMa.exe

Filesize
5.2MB

MD5
e662fa88a507601db43ece446149e729

SHA1
8ce7def0e3b0101c6cea3134b1697a314aabe7bb

SHA256
991a024bbc73edfa47b3de5a8277e1fe66a5ad0729e223b659168d53154f809b

SHA512
26abc83a06b904b567d943bb062e5d77e94593128eba40989c26e90192f78cc289d8e5c0d56bbf7ef14b18f06dfd118d85b11f61b58df41f93b1bb83c7578e66

Download Submit
C:\Windows\System\oMiBTkP.exe

Filesize
5.2MB

MD5
ded087c08c0b54ec54917215da1ff28a

SHA1
7a7460e097c242f5676fc6bf5544466eb5e15ed2

SHA256
f060fd877ad22b62324ce597080befa07248a5f116d3b2f575037ca8c000b17a

SHA512
f79c5f84c720d2cc1f388370de3a0eae17ceadd03404582bdff1b290190793861ff3d73718543108927be8360a719b2a7e4f5c506e2fc1c77b88bd8f5e26cb62

Download Submit
C:\Windows\System\qLTtUoW.exe

Filesize
5.2MB

MD5
391b7e384767bef6a56830009935a405

SHA1
74ff18202fa99361a9c5b736ac0b6e7c6e641a41

SHA256
5e452f21b522c2e13cb4bcd698eda28b8b2072bdef8152a8d5f692ff0be8a044

SHA512
8a06eae4bd1cdf611b33ffd816f7e4bf32515188d3a2eee854bf2379b44dee52663e155b898e5bb7e1403ee26bcf3238fba68083431b1582d1e9b2ff6aee3542

Download Submit
C:\Windows\System\soUKpql.exe

Filesize
5.2MB

MD5
6328e0dba4c37ae89c66601c2f7318b5

SHA1
15c39618be3732032229181efae7a3cee04b3252

SHA256
e57e9996d4c3d7819cc700829d5b14440239de9294467c4c78eb0e9af2b62ae3

SHA512
f5460069ff9c4e1b2ac43996ef097803351194019b29fe23031290a164c7bab80f2411e6c9b987abc600334cbc90ccacaaff1ba10abbb679709161424fa31b34

Download Submit
C:\Windows\System\vcnKwUf.exe

Filesize
5.2MB

MD5
68b5921ebd9a0989cfe62a411f4098b9

SHA1
eb875e17354125702da72a261eaf058b0e2679c6

SHA256
5f588367269906e3962ba44623fd44b428ec8b8ef9a06fd646c3fceabfb7625b

SHA512
aabdf21b546af9891394d6e70730a7045a1fed53033746a2729d87022071b883f54f0df0cc76fb48dbf41fa351b383d2526dc028c8e030da8a7f82dde746f910

Download Submit
memory/212-257-0x00007FF65BFA0000-0x00007FF65C2F1000-memory.dmp

Filesize
3.3MB

Download
memory/212-93-0x00007FF65BFA0000-0x00007FF65C2F1000-memory.dmp

Filesize
3.3MB

Download
memory/212-153-0x00007FF65BFA0000-0x00007FF65C2F1000-memory.dmp

Filesize
3.3MB

Download
memory/380-220-0x00007FF72E1A0000-0x00007FF72E4F1000-memory.dmp

Filesize
3.3MB

Download
memory/380-107-0x00007FF72E1A0000-0x00007FF72E4F1000-memory.dmp

Filesize
3.3MB

Download
memory/380-13-0x00007FF72E1A0000-0x00007FF72E4F1000-memory.dmp

Filesize
3.3MB

Download
memory/468-255-0x00007FF7814A0000-0x00007FF7817F1000-memory.dmp

Filesize
3.3MB

Download
memory/468-155-0x00007FF7814A0000-0x00007FF7817F1000-memory.dmp

Filesize
3.3MB

Download
memory/468-92-0x00007FF7814A0000-0x00007FF7817F1000-memory.dmp

Filesize
3.3MB

Download
memory/708-1-0x00000179FE630000-0x00000179FE640000-memory.dmp

Filesize
64KB

Download
memory/708-94-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp

Filesize
3.3MB

Download
memory/708-135-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp

Filesize
3.3MB

Download
memory/708-0-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp

Filesize
3.3MB

Download
memory/708-164-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp

Filesize
3.3MB

Download
memory/872-157-0x00007FF605770000-0x00007FF605AC1000-memory.dmp

Filesize
3.3MB

Download
memory/872-122-0x00007FF605770000-0x00007FF605AC1000-memory.dmp

Filesize
3.3MB

Download
memory/872-267-0x00007FF605770000-0x00007FF605AC1000-memory.dmp

Filesize
3.3MB

Download
memory/1048-133-0x00007FF786270000-0x00007FF7865C1000-memory.dmp

Filesize
3.3MB

Download
memory/1048-163-0x00007FF786270000-0x00007FF7865C1000-memory.dmp

Filesize
3.3MB

Download
memory/1048-269-0x00007FF786270000-0x00007FF7865C1000-memory.dmp

Filesize
3.3MB

Download
memory/1196-45-0x00007FF60F4D0000-0x00007FF60F821000-memory.dmp

Filesize
3.3MB

Download
memory/1196-230-0x00007FF60F4D0000-0x00007FF60F821000-memory.dmp

Filesize
3.3MB

Download
memory/1748-224-0x00007FF74D3F0000-0x00007FF74D741000-memory.dmp

Filesize
3.3MB

Download
memory/1748-24-0x00007FF74D3F0000-0x00007FF74D741000-memory.dmp

Filesize
3.3MB

Download
memory/1748-120-0x00007FF74D3F0000-0x00007FF74D741000-memory.dmp

Filesize
3.3MB

Download
memory/1780-218-0x00007FF7A9B60000-0x00007FF7A9EB1000-memory.dmp

Filesize
3.3MB

Download
memory/1780-8-0x00007FF7A9B60000-0x00007FF7A9EB1000-memory.dmp

Filesize
3.3MB

Download
memory/1780-102-0x00007FF7A9B60000-0x00007FF7A9EB1000-memory.dmp

Filesize
3.3MB

Download
memory/1864-247-0x00007FF7BAD90000-0x00007FF7BB0E1000-memory.dmp

Filesize
3.3MB

Download
memory/1864-89-0x00007FF7BAD90000-0x00007FF7BB0E1000-memory.dmp

Filesize
3.3MB

Download
memory/2416-259-0x00007FF666E10000-0x00007FF667161000-memory.dmp

Filesize
3.3MB

Download
memory/2416-103-0x00007FF666E10000-0x00007FF667161000-memory.dmp

Filesize
3.3MB

Download
memory/2416-154-0x00007FF666E10000-0x00007FF667161000-memory.dmp

Filesize
3.3MB

Download
memory/2556-145-0x00007FF73C720000-0x00007FF73CA71000-memory.dmp

Filesize
3.3MB

Download
memory/2556-68-0x00007FF73C720000-0x00007FF73CA71000-memory.dmp

Filesize
3.3MB

Download
memory/2556-238-0x00007FF73C720000-0x00007FF73CA71000-memory.dmp

Filesize
3.3MB

Download
memory/2788-156-0x00007FF7FE0B0000-0x00007FF7FE401000-memory.dmp

Filesize
3.3MB

Download
memory/2788-265-0x00007FF7FE0B0000-0x00007FF7FE401000-memory.dmp

Filesize
3.3MB

Download
memory/2788-114-0x00007FF7FE0B0000-0x00007FF7FE401000-memory.dmp

Filesize
3.3MB

Download
memory/2880-18-0x00007FF6C9430000-0x00007FF6C9781000-memory.dmp

Filesize
3.3MB

Download
memory/2880-111-0x00007FF6C9430000-0x00007FF6C9781000-memory.dmp

Filesize
3.3MB

Download
memory/2880-222-0x00007FF6C9430000-0x00007FF6C9781000-memory.dmp

Filesize
3.3MB

Download
memory/3052-90-0x00007FF6906D0000-0x00007FF690A21000-memory.dmp

Filesize
3.3MB

Download
memory/3052-251-0x00007FF6906D0000-0x00007FF690A21000-memory.dmp

Filesize
3.3MB

Download
memory/3056-228-0x00007FF6837E0000-0x00007FF683B31000-memory.dmp

Filesize
3.3MB

Download
memory/3056-44-0x00007FF6837E0000-0x00007FF683B31000-memory.dmp

Filesize
3.3MB

Download
memory/3056-134-0x00007FF6837E0000-0x00007FF683B31000-memory.dmp

Filesize
3.3MB

Download
memory/3644-127-0x00007FF638070000-0x00007FF6383C1000-memory.dmp

Filesize
3.3MB

Download
memory/3644-32-0x00007FF638070000-0x00007FF6383C1000-memory.dmp

Filesize
3.3MB

Download
memory/3644-226-0x00007FF638070000-0x00007FF6383C1000-memory.dmp

Filesize
3.3MB

Download
memory/4084-144-0x00007FF6A3800000-0x00007FF6A3B51000-memory.dmp

Filesize
3.3MB

Download
memory/4084-236-0x00007FF6A3800000-0x00007FF6A3B51000-memory.dmp

Filesize
3.3MB

Download
memory/4084-47-0x00007FF6A3800000-0x00007FF6A3B51000-memory.dmp

Filesize
3.3MB

Download
memory/4200-253-0x00007FF731D60000-0x00007FF7320B1000-memory.dmp

Filesize
3.3MB

Download
memory/4200-91-0x00007FF731D60000-0x00007FF7320B1000-memory.dmp

Filesize
3.3MB

Download
memory/4556-129-0x00007FF65A720000-0x00007FF65AA71000-memory.dmp

Filesize
3.3MB

Download
memory/4556-271-0x00007FF65A720000-0x00007FF65AA71000-memory.dmp

Filesize
3.3MB

Download
memory/4556-162-0x00007FF65A720000-0x00007FF65AA71000-memory.dmp

Filesize
3.3MB

Download
memory/4800-240-0x00007FF679CB0000-0x00007FF67A001000-memory.dmp

Filesize
3.3MB

Download
memory/4800-95-0x00007FF679CB0000-0x00007FF67A001000-memory.dmp

Filesize
3.3MB

Download
memory/4936-249-0x00007FF74F4F0000-0x00007FF74F841000-memory.dmp

Filesize
3.3MB

Download
memory/4936-96-0x00007FF74F4F0000-0x00007FF74F841000-memory.dmp

Filesize
3.3MB

Download