cobaltstrike | e358300f6934b36adc1acf0f03cfd66282cfecd7402d3b21542939ad978243dc

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5829cffce24d914ada9fbc61241c52c8
SHA1

deaf3865b72e44d1ba5422843e5da5e3cffa6cf6
SHA256

e358300f6934b36adc1acf0f03cfd66282cfecd7402d3b21542939ad978243dc
SHA512

378b2df2d346df6206143380d2c7bf719fb38a9ff11273dcac97833250138cf7ed73c10b94543b093518d92ed18232700d5f38cb99ac04dbb3dbd3721e6b31f9
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lo:RWWBibf56utgpPFotBER/mQ32lUc

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b92-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-16.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-25.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-34.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-45.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-46.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-56.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-65.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-79.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-72.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-51.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-29.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-30.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba3-89.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba5-101.dat	cobalt_reflective_dll
behavioral2/files/0x0058000000023ba6-109.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba7-122.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-132.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba8-125.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023ba4-96.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2996-78-0x00007FF73DB60000-0x00007FF73DEB1000-memory.dmp	xmrig
behavioral2/memory/3980-86-0x00007FF7FE320000-0x00007FF7FE671000-memory.dmp	xmrig
behavioral2/memory/552-85-0x00007FF78BD20000-0x00007FF78C071000-memory.dmp	xmrig
behavioral2/memory/852-82-0x00007FF697530000-0x00007FF697881000-memory.dmp	xmrig
behavioral2/memory/1948-81-0x00007FF7F7C70000-0x00007FF7F7FC1000-memory.dmp	xmrig
behavioral2/memory/3148-76-0x00007FF685920000-0x00007FF685C71000-memory.dmp	xmrig
behavioral2/memory/212-68-0x00007FF711CF0000-0x00007FF712041000-memory.dmp	xmrig
behavioral2/memory/2344-62-0x00007FF7B0800000-0x00007FF7B0B51000-memory.dmp	xmrig
behavioral2/memory/2536-119-0x00007FF7F5DF0000-0x00007FF7F6141000-memory.dmp	xmrig
behavioral2/memory/2448-127-0x00007FF7ED780000-0x00007FF7EDAD1000-memory.dmp	xmrig
behavioral2/memory/5108-130-0x00007FF7B2D60000-0x00007FF7B30B1000-memory.dmp	xmrig
behavioral2/memory/4372-129-0x00007FF716270000-0x00007FF7165C1000-memory.dmp	xmrig
behavioral2/memory/4888-128-0x00007FF614080000-0x00007FF6143D1000-memory.dmp	xmrig
behavioral2/memory/4692-120-0x00007FF67D3C0000-0x00007FF67D711000-memory.dmp	xmrig
behavioral2/memory/4108-106-0x00007FF7E9560000-0x00007FF7E98B1000-memory.dmp	xmrig
behavioral2/memory/2204-100-0x00007FF75B4E0000-0x00007FF75B831000-memory.dmp	xmrig
behavioral2/memory/4108-134-0x00007FF7E9560000-0x00007FF7E98B1000-memory.dmp	xmrig
behavioral2/memory/2468-150-0x00007FF65C4B0000-0x00007FF65C801000-memory.dmp	xmrig
behavioral2/memory/1064-151-0x00007FF660F70000-0x00007FF6612C1000-memory.dmp	xmrig
behavioral2/memory/2348-158-0x00007FF6E7110000-0x00007FF6E7461000-memory.dmp	xmrig
behavioral2/memory/2584-156-0x00007FF774B70000-0x00007FF774EC1000-memory.dmp	xmrig
behavioral2/memory/2868-155-0x00007FF75BCE0000-0x00007FF75C031000-memory.dmp	xmrig
behavioral2/memory/1648-157-0x00007FF6EE010000-0x00007FF6EE361000-memory.dmp	xmrig
behavioral2/memory/4108-159-0x00007FF7E9560000-0x00007FF7E98B1000-memory.dmp	xmrig
behavioral2/memory/2536-215-0x00007FF7F5DF0000-0x00007FF7F6141000-memory.dmp	xmrig
behavioral2/memory/2448-217-0x00007FF7ED780000-0x00007FF7EDAD1000-memory.dmp	xmrig
behavioral2/memory/4692-219-0x00007FF67D3C0000-0x00007FF67D711000-memory.dmp	xmrig
behavioral2/memory/3148-221-0x00007FF685920000-0x00007FF685C71000-memory.dmp	xmrig
behavioral2/memory/2996-229-0x00007FF73DB60000-0x00007FF73DEB1000-memory.dmp	xmrig
behavioral2/memory/4372-231-0x00007FF716270000-0x00007FF7165C1000-memory.dmp	xmrig
behavioral2/memory/212-236-0x00007FF711CF0000-0x00007FF712041000-memory.dmp	xmrig
behavioral2/memory/1948-238-0x00007FF7F7C70000-0x00007FF7F7FC1000-memory.dmp	xmrig
behavioral2/memory/852-240-0x00007FF697530000-0x00007FF697881000-memory.dmp	xmrig
behavioral2/memory/2344-235-0x00007FF7B0800000-0x00007FF7B0B51000-memory.dmp	xmrig
behavioral2/memory/4888-233-0x00007FF614080000-0x00007FF6143D1000-memory.dmp	xmrig
behavioral2/memory/3980-242-0x00007FF7FE320000-0x00007FF7FE671000-memory.dmp	xmrig
behavioral2/memory/552-244-0x00007FF78BD20000-0x00007FF78C071000-memory.dmp	xmrig
behavioral2/memory/5108-246-0x00007FF7B2D60000-0x00007FF7B30B1000-memory.dmp	xmrig
behavioral2/memory/2468-257-0x00007FF65C4B0000-0x00007FF65C801000-memory.dmp	xmrig
behavioral2/memory/2204-256-0x00007FF75B4E0000-0x00007FF75B831000-memory.dmp	xmrig
behavioral2/memory/2348-259-0x00007FF6E7110000-0x00007FF6E7461000-memory.dmp	xmrig
behavioral2/memory/2868-261-0x00007FF75BCE0000-0x00007FF75C031000-memory.dmp	xmrig
behavioral2/memory/1064-264-0x00007FF660F70000-0x00007FF6612C1000-memory.dmp	xmrig
behavioral2/memory/1648-265-0x00007FF6EE010000-0x00007FF6EE361000-memory.dmp	xmrig
behavioral2/memory/2584-267-0x00007FF774B70000-0x00007FF774EC1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2536	hjsdtfq.exe
4692	xOdplAF.exe
2448	JUsMdvt.exe
3148	UMMwiEL.exe
4888	YoCVtuB.exe
2996	zYzrLao.exe
4372	QSAPygA.exe
2344	lghzkEd.exe
1948	oNNGjcT.exe
212	pxrPrYW.exe
852	iCGOUEd.exe
5108	OoPPQmN.exe
552	RCCiMfG.exe
3980	LXifoeE.exe
2468	EskzCDu.exe
2204	qQYJrZu.exe
1064	AlfYwJf.exe
2348	xtGQOjF.exe
2868	AAqrMaf.exe
2584	cEIYXNg.exe
1648	cYSQjzn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4108-0-0x00007FF7E9560000-0x00007FF7E98B1000-memory.dmp	upx
behavioral2/files/0x000b000000023b92-4.dat	upx
behavioral2/memory/2536-8-0x00007FF7F5DF0000-0x00007FF7F6141000-memory.dmp	upx
behavioral2/files/0x000a000000023b97-16.dat	upx
behavioral2/files/0x000a000000023b99-25.dat	upx
behavioral2/files/0x000a000000023b9a-34.dat	upx
behavioral2/files/0x000a000000023b9e-45.dat	upx
behavioral2/files/0x000a000000023b9c-46.dat	upx
behavioral2/files/0x000a000000023b9b-56.dat	upx
behavioral2/files/0x000a000000023b9f-65.dat	upx
behavioral2/memory/5108-70-0x00007FF7B2D60000-0x00007FF7B30B1000-memory.dmp	upx
behavioral2/memory/2996-78-0x00007FF73DB60000-0x00007FF73DEB1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba2-83.dat	upx
behavioral2/memory/3980-86-0x00007FF7FE320000-0x00007FF7FE671000-memory.dmp	upx
behavioral2/memory/552-85-0x00007FF78BD20000-0x00007FF78C071000-memory.dmp	upx
behavioral2/memory/852-82-0x00007FF697530000-0x00007FF697881000-memory.dmp	upx
behavioral2/memory/1948-81-0x00007FF7F7C70000-0x00007FF7F7FC1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-79.dat	upx
behavioral2/memory/3148-76-0x00007FF685920000-0x00007FF685C71000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-72.dat	upx
behavioral2/memory/212-68-0x00007FF711CF0000-0x00007FF712041000-memory.dmp	upx
behavioral2/memory/2344-62-0x00007FF7B0800000-0x00007FF7B0B51000-memory.dmp	upx
behavioral2/memory/4372-52-0x00007FF716270000-0x00007FF7165C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-51.dat	upx
behavioral2/memory/4888-38-0x00007FF614080000-0x00007FF6143D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-29.dat	upx
behavioral2/memory/2448-27-0x00007FF7ED780000-0x00007FF7EDAD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-30.dat	upx
behavioral2/memory/4692-17-0x00007FF67D3C0000-0x00007FF67D711000-memory.dmp	upx
behavioral2/files/0x000a000000023ba3-89.dat	upx
behavioral2/files/0x000a000000023ba5-101.dat	upx
behavioral2/files/0x0058000000023ba6-109.dat	upx
behavioral2/memory/2536-119-0x00007FF7F5DF0000-0x00007FF7F6141000-memory.dmp	upx
behavioral2/files/0x000a000000023ba7-122.dat	upx
behavioral2/memory/2448-127-0x00007FF7ED780000-0x00007FF7EDAD1000-memory.dmp	upx
behavioral2/memory/5108-130-0x00007FF7B2D60000-0x00007FF7B30B1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba9-132.dat	upx
behavioral2/memory/1648-131-0x00007FF6EE010000-0x00007FF6EE361000-memory.dmp	upx
behavioral2/memory/4372-129-0x00007FF716270000-0x00007FF7165C1000-memory.dmp	upx
behavioral2/memory/4888-128-0x00007FF614080000-0x00007FF6143D1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba8-125.dat	upx
behavioral2/memory/2584-123-0x00007FF774B70000-0x00007FF774EC1000-memory.dmp	upx
behavioral2/memory/2868-121-0x00007FF75BCE0000-0x00007FF75C031000-memory.dmp	upx
behavioral2/memory/4692-120-0x00007FF67D3C0000-0x00007FF67D711000-memory.dmp	upx
behavioral2/memory/2348-114-0x00007FF6E7110000-0x00007FF6E7461000-memory.dmp	upx
behavioral2/memory/4108-106-0x00007FF7E9560000-0x00007FF7E98B1000-memory.dmp	upx
behavioral2/memory/1064-105-0x00007FF660F70000-0x00007FF6612C1000-memory.dmp	upx
behavioral2/memory/2204-100-0x00007FF75B4E0000-0x00007FF75B831000-memory.dmp	upx
behavioral2/files/0x0031000000023ba4-96.dat	upx
behavioral2/memory/2468-90-0x00007FF65C4B0000-0x00007FF65C801000-memory.dmp	upx
behavioral2/memory/4108-134-0x00007FF7E9560000-0x00007FF7E98B1000-memory.dmp	upx
behavioral2/memory/2468-150-0x00007FF65C4B0000-0x00007FF65C801000-memory.dmp	upx
behavioral2/memory/1064-151-0x00007FF660F70000-0x00007FF6612C1000-memory.dmp	upx
behavioral2/memory/2348-158-0x00007FF6E7110000-0x00007FF6E7461000-memory.dmp	upx
behavioral2/memory/2584-156-0x00007FF774B70000-0x00007FF774EC1000-memory.dmp	upx
behavioral2/memory/2868-155-0x00007FF75BCE0000-0x00007FF75C031000-memory.dmp	upx
behavioral2/memory/1648-157-0x00007FF6EE010000-0x00007FF6EE361000-memory.dmp	upx
behavioral2/memory/4108-159-0x00007FF7E9560000-0x00007FF7E98B1000-memory.dmp	upx
behavioral2/memory/2536-215-0x00007FF7F5DF0000-0x00007FF7F6141000-memory.dmp	upx
behavioral2/memory/2448-217-0x00007FF7ED780000-0x00007FF7EDAD1000-memory.dmp	upx
behavioral2/memory/4692-219-0x00007FF67D3C0000-0x00007FF67D711000-memory.dmp	upx
behavioral2/memory/3148-221-0x00007FF685920000-0x00007FF685C71000-memory.dmp	upx
behavioral2/memory/2996-229-0x00007FF73DB60000-0x00007FF73DEB1000-memory.dmp	upx
behavioral2/memory/4372-231-0x00007FF716270000-0x00007FF7165C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\xOdplAF.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QSAPygA.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LXifoeE.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AlfYwJf.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AAqrMaf.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cEIYXNg.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JUsMdvt.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lghzkEd.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pxrPrYW.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iCGOUEd.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EskzCDu.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xtGQOjF.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cYSQjzn.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hjsdtfq.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zYzrLao.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OoPPQmN.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qQYJrZu.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UMMwiEL.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YoCVtuB.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oNNGjcT.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RCCiMfG.exe	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 2536	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4108 wrote to memory of 2536	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4108 wrote to memory of 4692	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4108 wrote to memory of 4692	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4108 wrote to memory of 2448	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4108 wrote to memory of 2448	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4108 wrote to memory of 3148	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4108 wrote to memory of 3148	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4108 wrote to memory of 4888	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4108 wrote to memory of 4888	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4108 wrote to memory of 2996	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4108 wrote to memory of 2996	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4108 wrote to memory of 4372	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4108 wrote to memory of 4372	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4108 wrote to memory of 2344	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4108 wrote to memory of 2344	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4108 wrote to memory of 212	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4108 wrote to memory of 212	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4108 wrote to memory of 1948	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4108 wrote to memory of 1948	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4108 wrote to memory of 852	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4108 wrote to memory of 852	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4108 wrote to memory of 5108	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4108 wrote to memory of 5108	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4108 wrote to memory of 552	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4108 wrote to memory of 552	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4108 wrote to memory of 3980	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4108 wrote to memory of 3980	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4108 wrote to memory of 2468	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4108 wrote to memory of 2468	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4108 wrote to memory of 2204	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4108 wrote to memory of 2204	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4108 wrote to memory of 1064	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4108 wrote to memory of 1064	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4108 wrote to memory of 2348	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4108 wrote to memory of 2348	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4108 wrote to memory of 2868	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4108 wrote to memory of 2868	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4108 wrote to memory of 2584	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4108 wrote to memory of 2584	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4108 wrote to memory of 1648	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4108 wrote to memory of 1648	4108	2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_5829cffce24d914ada9fbc61241c52c8_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\System\hjsdtfq.exe
  C:\Windows\System\hjsdtfq.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\xOdplAF.exe
  C:\Windows\System\xOdplAF.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\JUsMdvt.exe
  C:\Windows\System\JUsMdvt.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\UMMwiEL.exe
  C:\Windows\System\UMMwiEL.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System\YoCVtuB.exe
  C:\Windows\System\YoCVtuB.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\zYzrLao.exe
  C:\Windows\System\zYzrLao.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\QSAPygA.exe
  C:\Windows\System\QSAPygA.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\lghzkEd.exe
  C:\Windows\System\lghzkEd.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\pxrPrYW.exe
  C:\Windows\System\pxrPrYW.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\oNNGjcT.exe
  C:\Windows\System\oNNGjcT.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\iCGOUEd.exe
  C:\Windows\System\iCGOUEd.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System\OoPPQmN.exe
  C:\Windows\System\OoPPQmN.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\RCCiMfG.exe
  C:\Windows\System\RCCiMfG.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\LXifoeE.exe
  C:\Windows\System\LXifoeE.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\EskzCDu.exe
  C:\Windows\System\EskzCDu.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\qQYJrZu.exe
  C:\Windows\System\qQYJrZu.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\AlfYwJf.exe
  C:\Windows\System\AlfYwJf.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System\xtGQOjF.exe
  C:\Windows\System\xtGQOjF.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\AAqrMaf.exe
  C:\Windows\System\AAqrMaf.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\cEIYXNg.exe
  C:\Windows\System\cEIYXNg.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\cYSQjzn.exe
  C:\Windows\System\cYSQjzn.exe
  2⤵
  - Executes dropped EXE
  PID:1648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AAqrMaf.exe

Filesize
5.2MB

MD5
a3df7baf1be4575e5b4a477a41d2d76f

SHA1
2109c0a13f8556352a8aa5c31638426232e89a58

SHA256
75e60095658b48dc58260aa1bec4ed437c8e8624631939a652352efd20dbaeb2

SHA512
8584ab7d0e3c4f5e53804dad313b924d01baa3acf7b229c4ed8cccc416499eb71bfd729f5adf011ec45a18b3a1eaade709cfe6844089b9ff3d4d23facc08fc9e

Download Submit
C:\Windows\System\AlfYwJf.exe

Filesize
5.2MB

MD5
5d392c934001d6a0dc33d07f20506d10

SHA1
d8f38ee28bcf3d8d56ee9b9a016c8c0583fb5714

SHA256
e6dcfad669195896fc60cdadb32a6c2c87b421bf653ce7c9877bd9fb5029150f

SHA512
cabbf5e2083e5d05ffc0a448f1f1d2125633c3019d4402ca06238e4b3e01cf4496bc88ec5c7b19a29067c3a9a3860b05dca00078f6ce4a9f0660cc634d810b40

Download Submit
C:\Windows\System\EskzCDu.exe

Filesize
5.2MB

MD5
acff3a1a836c7c255283781ff527ef5e

SHA1
1afa788faf86dbabc7923d2f6ac28f5371f5e981

SHA256
6fb68fb51c4037c57c0f6158f034f5f07891eaa6c491d2e69b6c775a56431282

SHA512
bc268b034b3e71523658d757a97681d139841a9c19fc04f75f27f83c3da9e4b242434463fb1f4ff516406d986a8583263e7cdaae7273b464a204b23bfc31627c

Download Submit
C:\Windows\System\JUsMdvt.exe

Filesize
5.2MB

MD5
05a8d64021b9c6504e3ae4fff2a0ee8b

SHA1
01844aaa775774ca05d8479e43579f20e48ba3a6

SHA256
9a60d7838eaf1090b6a28c5c651cf8db557fd6a5734a30576c852d1933fa1680

SHA512
cad7d543780536006f02a203793548f9904cae550660f872bbc394ab6e75f3c580739f0c91e25653a83cf872758f9d07c10805a0c4ceea0df5c4843185940847

Download Submit
C:\Windows\System\LXifoeE.exe

Filesize
5.2MB

MD5
2bb9f4e7264ea96afd434bbc27137f99

SHA1
d7c1752a02207087dcd564883fe96c04a58f0117

SHA256
dc33cbd0091163c0328e96c60a4702957a46cc8830c2a73102538f0e19a31109

SHA512
6d10dab1310b73cf33dae5b080cc08f42ac911c69432352db6a00ef197ac05eb6c2300a35e70c07e4fbb107a45d34cb4342cbaeb98446d2b1afe3975d6be65d0

Download Submit
C:\Windows\System\OoPPQmN.exe

Filesize
5.2MB

MD5
533baf28b49f5ca643a427abf1086ed2

SHA1
e6326a4f4efbe5b7b211b62cacdc334a77da539d

SHA256
d908297bdeac82de81c6505743cfeef8babfcf5c2a4cff7a0a252b9fa7fc96c3

SHA512
0afd1284f21d70a80787489e697db610f5d80d5ba082d9f5d3d4c702dc6d0354aa49099b625ac0c65d7d651881e15a069963c79847ddbc878368a19000e1fdec

Download Submit
C:\Windows\System\QSAPygA.exe

Filesize
5.2MB

MD5
76948d5756c68d8b7ebe1c302b5db726

SHA1
abbb06b4e52b1286cff58a896a3ab0e87a08001f

SHA256
7c6108d00411c8d7a4dd1dcf5626d07724661f2ab82cfed5951f756f34be6165

SHA512
facb5360880198222e8ab1c5dde194755d028a7bf751f51940e472b8728c6e728ef408d37ca13bd6a0c9a2e223bcc730ef3c489a7f350fb09a128c6370a483fc

Download Submit
C:\Windows\System\RCCiMfG.exe

Filesize
5.2MB

MD5
4bc42a82af908d0b3315d1332f98a144

SHA1
d35f3277231a768e47d9c73125eb04e13882bd5b

SHA256
7af1be8e8d8f5ac70d51e7d163a2d5183ea5fd510e181bd33dbbc3c8381a2aea

SHA512
273dc2471303a13f250973c29e36c27295b270da5c6357ebc72abddfa1f059593a97ab075337cf88adfbe3f93845e1f7f353f2d605f8f925cb8eabf06df98257

Download Submit
C:\Windows\System\UMMwiEL.exe

Filesize
5.2MB

MD5
0efc1978674d8574d729428194f20545

SHA1
4580123f236576eddabc640f92eed2bd504a9446

SHA256
1ebce22344b4d213fc51978dd440d733c0e1c9a282182a08f73998529e7f02c2

SHA512
a83a5e34981348edb6cc7c005b1bd0129304120cc70510aa28264395f535b219ff152c52a947a3d9b27dbdd41f83eb20a818c15aa4762ac89443522084db1ef7

Download Submit
C:\Windows\System\YoCVtuB.exe

Filesize
5.2MB

MD5
a7d22784376c950b72ea9fd57e68c42e

SHA1
ec9627532b06b2472cfeebd3fb31c8074efaede7

SHA256
bd3fe010168e11bf99610533bcb85e4a32ab1ff3198d5284b37132d27ede4dbb

SHA512
f8c4b90b5836ca969aba3cf4d6e0e1cd4315165c4a4554f7ae3cec7b4d6d950e9605a936b31f038722d3679c4c0974afa223c295bb9cfdf2fa042fcff9ca30ab

Download Submit
C:\Windows\System\cEIYXNg.exe

Filesize
5.2MB

MD5
43ae4692ca1971ab4c2ce15e493d4f74

SHA1
238ac2221220a751dd14fe7c603a409311280fad

SHA256
8037c293ca30feb437702ecc6e1d12be675b11762ad5de99d0b7fd1994deb9d7

SHA512
81c61d4e49f97847652eea682c9b3d9794f5f7c650767c991196263bfa1799703d842bdb2eecfb71000c48e7aa5d12a785acf24bc4e55251acfbddebde62ba86

Download Submit
C:\Windows\System\cYSQjzn.exe

Filesize
5.2MB

MD5
e39706ce772d6541f94e4dece14d84a7

SHA1
63660e0f177dcc8c681ad315950720cce82db971

SHA256
c7bd7906e41eee1c06ec0a8191d9ccfd3897ad1b5acc73e1181cedf2a0df9ac5

SHA512
65fe580b71cc3538c0d58f73c5d010db90ee5a1a837a37d99174925e37d1c4a4d163e22c381244216db259943aaeb3e6bfd8b1a5a4f63557768f9da22489fd8c

Download Submit
C:\Windows\System\hjsdtfq.exe

Filesize
5.2MB

MD5
50d5f803ada3df633ae60d34495093a7

SHA1
b00fea2921164ce70f6e8b1a8c69858de9bed0ba

SHA256
b4f165710b6225c474529926681600365b757c5b980156152eb5e286877053ec

SHA512
96ee011bc1eee07f0ee8f2dce15b624cd63a05b0594530b80e24e44c7ec7e953b32e23c5c89fbe247a8f3af4249be30cc166aea1c088d5dafc9757970ba3cc35

Download Submit
C:\Windows\System\iCGOUEd.exe

Filesize
5.2MB

MD5
639e9dc1b130b4345d4e34733414fa87

SHA1
bb5d05b9ba456eb19288da237dc94164be89b580

SHA256
50d7f9af16ff93d3198240281eb8a192e7949d5738b378a7887f0b80a273dd1b

SHA512
08b7be09d5beddc05270206ad01d2e189badbc73b5c68e3e1b93d0b4e35b832e4b107482b2f8f88141fa59515c8d5a28cbf8fd06e509b5ace714deb635fa8539

Download Submit
C:\Windows\System\lghzkEd.exe

Filesize
5.2MB

MD5
fd0a6344194abb64497e7dbb29f30194

SHA1
9810b2c01b6576a8a9327471d080d5ec27073f7a

SHA256
3260703d6fdd6635f786bdc65955d52d2e343fdcabb100e5edfc1099e34f4634

SHA512
f8a75eb8d116d55d8d8857c743c63542b7f0fb7bdab199519ba88b09c36141ec79f5ea4ae14657164f2141994297e1208b6bf84d6a1962df09706d49b4d4d9f9

Download Submit
C:\Windows\System\oNNGjcT.exe

Filesize
5.2MB

MD5
aa83147532e00aa79822b2a8da48b894

SHA1
148a6d2b1ab66e595d6b9eb4d6b3ba56521d6c11

SHA256
d9d355dd8ab7f260add1407e3ec064834f5b191e51df938e8db4c6292cf4cb01

SHA512
a1fbb7bada80a052bbb986be41a51d9fc7abd63f14b832cfaa56e46ac3c513b8762a40a1960dfcf09542fc630345f6eb76be0d22cf92bb828fb375da65847c49

Download Submit
C:\Windows\System\pxrPrYW.exe

Filesize
5.2MB

MD5
a8efdb9962c399c1a4b4777361e884f0

SHA1
8925363b3d6b1fe0d34d71b456c26403988bd382

SHA256
8e44150192301295b0daaf992817d7a1d1e54676a70c741a3d2cd3a6f372ca6c

SHA512
f0398bd938d3b385b2276f5b34650e68d5df9a9cae213678a41ac17d2d6121de800867c4a012cff9328874220f66bec2e7c0376b8de5c703ea22b34b4f16f9d7

Download Submit
C:\Windows\System\qQYJrZu.exe

Filesize
5.2MB

MD5
1cfefaf404f62906e361694de247b2d9

SHA1
d15b47e582a3668380273a8d83d0532b51f384f9

SHA256
d4411083eb726a768ec4d102e260b0e9ac54615d94e08639366989a3ae0ba9db

SHA512
4874270edfc663113924b1e691edeb43e8933e09b27a70a705c6e23ecd8ac1ef2334ffbfa6d1ae815568b431d7fb8d875c3bbd93163d5e0f595a64b0dda02397

Download Submit
C:\Windows\System\xOdplAF.exe

Filesize
5.2MB

MD5
5b843cd47e4eb56dcc352ab94866b720

SHA1
3d8ba53f3b768deed95927e811bbb2987dd340d3

SHA256
256259c1ed32cc9b0095adb733821e0de4097f04bccbb88ad86745a73ee2dc25

SHA512
198e3b9e6cbafccb1b713ecd22c9c50c9753f6156cb8bde3b27b25b465b2ac714e9c58d0a59fa6ea92711a7042b9d52688d19652f79a535270caf5413e7b21ab

Download Submit
C:\Windows\System\xtGQOjF.exe

Filesize
5.2MB

MD5
a26249e0538a83a49dfc8410eb76dcd7

SHA1
36fb2ec3f0425f49915d43f92dbaa0bd7f81c5ca

SHA256
ce3a5b122e152f9fc6dfbb342165bfa6b716c1f399814183fc3a8cb9589d9332

SHA512
98966d9451911d2e0b8e08fa95a4ae2d0d8c0eefc32188eedae03773f7da523313a82b97319866d6f9e1e5c20395a2d384cb3d5c2e535a234e9e17cbd0240838

Download Submit
C:\Windows\System\zYzrLao.exe

Filesize
5.2MB

MD5
1193768986ec23ff1e60528f4e099cb4

SHA1
d3b41a3233da4e4b113d21f573b42465614422cc

SHA256
a7e4c5114fa9aa790cc121b9a9e26e554dd60f88eaec818b33571c27e81f7f8d

SHA512
1e2d4723fe7a5a9dd9ef7e4f809bddbe876ba6f65a3ff52fe944ceae3037f9ca78cf27959dd79576079ca4d6b7db88a8f7b4f8e9b36c0ede8e8eebb7a58a61bb

Download Submit
memory/212-236-0x00007FF711CF0000-0x00007FF712041000-memory.dmp

Filesize
3.3MB

Download
memory/212-68-0x00007FF711CF0000-0x00007FF712041000-memory.dmp

Filesize
3.3MB

Download
memory/552-244-0x00007FF78BD20000-0x00007FF78C071000-memory.dmp

Filesize
3.3MB

Download
memory/552-85-0x00007FF78BD20000-0x00007FF78C071000-memory.dmp

Filesize
3.3MB

Download
memory/852-240-0x00007FF697530000-0x00007FF697881000-memory.dmp

Filesize
3.3MB

Download
memory/852-82-0x00007FF697530000-0x00007FF697881000-memory.dmp

Filesize
3.3MB

Download
memory/1064-105-0x00007FF660F70000-0x00007FF6612C1000-memory.dmp

Filesize
3.3MB

Download
memory/1064-264-0x00007FF660F70000-0x00007FF6612C1000-memory.dmp

Filesize
3.3MB

Download
memory/1064-151-0x00007FF660F70000-0x00007FF6612C1000-memory.dmp

Filesize
3.3MB

Download
memory/1648-131-0x00007FF6EE010000-0x00007FF6EE361000-memory.dmp

Filesize
3.3MB

Download
memory/1648-157-0x00007FF6EE010000-0x00007FF6EE361000-memory.dmp

Filesize
3.3MB

Download
memory/1648-265-0x00007FF6EE010000-0x00007FF6EE361000-memory.dmp

Filesize
3.3MB

Download
memory/1948-81-0x00007FF7F7C70000-0x00007FF7F7FC1000-memory.dmp

Filesize
3.3MB

Download
memory/1948-238-0x00007FF7F7C70000-0x00007FF7F7FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2204-256-0x00007FF75B4E0000-0x00007FF75B831000-memory.dmp

Filesize
3.3MB

Download
memory/2204-100-0x00007FF75B4E0000-0x00007FF75B831000-memory.dmp

Filesize
3.3MB

Download
memory/2344-235-0x00007FF7B0800000-0x00007FF7B0B51000-memory.dmp

Filesize
3.3MB

Download
memory/2344-62-0x00007FF7B0800000-0x00007FF7B0B51000-memory.dmp

Filesize
3.3MB

Download
memory/2348-158-0x00007FF6E7110000-0x00007FF6E7461000-memory.dmp

Filesize
3.3MB

Download
memory/2348-114-0x00007FF6E7110000-0x00007FF6E7461000-memory.dmp

Filesize
3.3MB

Download
memory/2348-259-0x00007FF6E7110000-0x00007FF6E7461000-memory.dmp

Filesize
3.3MB

Download
memory/2448-217-0x00007FF7ED780000-0x00007FF7EDAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-127-0x00007FF7ED780000-0x00007FF7EDAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-27-0x00007FF7ED780000-0x00007FF7EDAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-257-0x00007FF65C4B0000-0x00007FF65C801000-memory.dmp

Filesize
3.3MB

Download
memory/2468-150-0x00007FF65C4B0000-0x00007FF65C801000-memory.dmp

Filesize
3.3MB

Download
memory/2468-90-0x00007FF65C4B0000-0x00007FF65C801000-memory.dmp

Filesize
3.3MB

Download
memory/2536-215-0x00007FF7F5DF0000-0x00007FF7F6141000-memory.dmp

Filesize
3.3MB

Download
memory/2536-119-0x00007FF7F5DF0000-0x00007FF7F6141000-memory.dmp

Filesize
3.3MB

Download
memory/2536-8-0x00007FF7F5DF0000-0x00007FF7F6141000-memory.dmp

Filesize
3.3MB

Download
memory/2584-267-0x00007FF774B70000-0x00007FF774EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2584-123-0x00007FF774B70000-0x00007FF774EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2584-156-0x00007FF774B70000-0x00007FF774EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2868-121-0x00007FF75BCE0000-0x00007FF75C031000-memory.dmp

Filesize
3.3MB

Download
memory/2868-261-0x00007FF75BCE0000-0x00007FF75C031000-memory.dmp

Filesize
3.3MB

Download
memory/2868-155-0x00007FF75BCE0000-0x00007FF75C031000-memory.dmp

Filesize
3.3MB

Download
memory/2996-229-0x00007FF73DB60000-0x00007FF73DEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2996-78-0x00007FF73DB60000-0x00007FF73DEB1000-memory.dmp

Filesize
3.3MB

Download
memory/3148-76-0x00007FF685920000-0x00007FF685C71000-memory.dmp

Filesize
3.3MB

Download
memory/3148-221-0x00007FF685920000-0x00007FF685C71000-memory.dmp

Filesize
3.3MB

Download
memory/3980-242-0x00007FF7FE320000-0x00007FF7FE671000-memory.dmp

Filesize
3.3MB

Download
memory/3980-86-0x00007FF7FE320000-0x00007FF7FE671000-memory.dmp

Filesize
3.3MB

Download
memory/4108-106-0x00007FF7E9560000-0x00007FF7E98B1000-memory.dmp

Filesize
3.3MB

Download
memory/4108-0-0x00007FF7E9560000-0x00007FF7E98B1000-memory.dmp

Filesize
3.3MB

Download
memory/4108-1-0x000001F445470000-0x000001F445480000-memory.dmp

Filesize
64KB

Download
memory/4108-159-0x00007FF7E9560000-0x00007FF7E98B1000-memory.dmp

Filesize
3.3MB

Download
memory/4108-134-0x00007FF7E9560000-0x00007FF7E98B1000-memory.dmp

Filesize
3.3MB

Download
memory/4372-129-0x00007FF716270000-0x00007FF7165C1000-memory.dmp

Filesize
3.3MB

Download
memory/4372-52-0x00007FF716270000-0x00007FF7165C1000-memory.dmp

Filesize
3.3MB

Download
memory/4372-231-0x00007FF716270000-0x00007FF7165C1000-memory.dmp

Filesize
3.3MB

Download
memory/4692-17-0x00007FF67D3C0000-0x00007FF67D711000-memory.dmp

Filesize
3.3MB

Download
memory/4692-120-0x00007FF67D3C0000-0x00007FF67D711000-memory.dmp

Filesize
3.3MB

Download
memory/4692-219-0x00007FF67D3C0000-0x00007FF67D711000-memory.dmp

Filesize
3.3MB

Download
memory/4888-128-0x00007FF614080000-0x00007FF6143D1000-memory.dmp

Filesize
3.3MB

Download
memory/4888-233-0x00007FF614080000-0x00007FF6143D1000-memory.dmp

Filesize
3.3MB

Download
memory/4888-38-0x00007FF614080000-0x00007FF6143D1000-memory.dmp

Filesize
3.3MB

Download
memory/5108-70-0x00007FF7B2D60000-0x00007FF7B30B1000-memory.dmp

Filesize
3.3MB

Download
memory/5108-130-0x00007FF7B2D60000-0x00007FF7B30B1000-memory.dmp

Filesize
3.3MB

Download
memory/5108-246-0x00007FF7B2D60000-0x00007FF7B30B1000-memory.dmp

Filesize
3.3MB

Download