cobaltstrike | 5b39308d2d47e69304a1a2e2fc116aab2fd6d389022e578f73c0c8887f42a37a

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ce538d1b99223d8314e0a30c29a9d501
SHA1

df320819169ad039d86b87bd552ff596054dfc84
SHA256

5b39308d2d47e69304a1a2e2fc116aab2fd6d389022e578f73c0c8887f42a37a
SHA512

919199f8e08c3512d2956bbb1e18134cb0137430616e34d4d37ccac25881fcca9aa3d69567f5b17ed9c30dc217501a63edb888e08220d0f9d0d53f41f99fb896
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l/:RWWBibf56utgpPFotBER/mQ32lUT

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023cad-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-95.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023cb2-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-136.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-17.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3772-53-0x00007FF681780000-0x00007FF681AD1000-memory.dmp	xmrig
behavioral2/memory/3836-96-0x00007FF772550000-0x00007FF7728A1000-memory.dmp	xmrig
behavioral2/memory/4412-108-0x00007FF6B61D0000-0x00007FF6B6521000-memory.dmp	xmrig
behavioral2/memory/2172-114-0x00007FF6C5F00000-0x00007FF6C6251000-memory.dmp	xmrig
behavioral2/memory/1372-134-0x00007FF64C230000-0x00007FF64C581000-memory.dmp	xmrig
behavioral2/memory/1212-127-0x00007FF6067A0000-0x00007FF606AF1000-memory.dmp	xmrig
behavioral2/memory/1428-122-0x00007FF6EFB40000-0x00007FF6EFE91000-memory.dmp	xmrig
behavioral2/memory/2604-111-0x00007FF62DEE0000-0x00007FF62E231000-memory.dmp	xmrig
behavioral2/memory/668-104-0x00007FF64BBE0000-0x00007FF64BF31000-memory.dmp	xmrig
behavioral2/memory/3564-88-0x00007FF7E2590000-0x00007FF7E28E1000-memory.dmp	xmrig
behavioral2/memory/436-86-0x00007FF7404A0000-0x00007FF7407F1000-memory.dmp	xmrig
behavioral2/memory/2496-85-0x00007FF62A1D0000-0x00007FF62A521000-memory.dmp	xmrig
behavioral2/memory/3140-80-0x00007FF7D5C00000-0x00007FF7D5F51000-memory.dmp	xmrig
behavioral2/memory/4488-70-0x00007FF75FD50000-0x00007FF7600A1000-memory.dmp	xmrig
behavioral2/memory/3976-59-0x00007FF604600000-0x00007FF604951000-memory.dmp	xmrig
behavioral2/memory/3164-139-0x00007FF78BB50000-0x00007FF78BEA1000-memory.dmp	xmrig
behavioral2/memory/3076-138-0x00007FF796FF0000-0x00007FF797341000-memory.dmp	xmrig
behavioral2/memory/3976-140-0x00007FF604600000-0x00007FF604951000-memory.dmp	xmrig
behavioral2/memory/4612-157-0x00007FF6F5C00000-0x00007FF6F5F51000-memory.dmp	xmrig
behavioral2/memory/556-155-0x00007FF732080000-0x00007FF7323D1000-memory.dmp	xmrig
behavioral2/memory/628-161-0x00007FF7D6EE0000-0x00007FF7D7231000-memory.dmp	xmrig
behavioral2/memory/3404-160-0x00007FF6766F0000-0x00007FF676A41000-memory.dmp	xmrig
behavioral2/memory/1884-159-0x00007FF657830000-0x00007FF657B81000-memory.dmp	xmrig
behavioral2/memory/3976-163-0x00007FF604600000-0x00007FF604951000-memory.dmp	xmrig
behavioral2/memory/4488-224-0x00007FF75FD50000-0x00007FF7600A1000-memory.dmp	xmrig
behavioral2/memory/436-228-0x00007FF7404A0000-0x00007FF7407F1000-memory.dmp	xmrig
behavioral2/memory/3140-226-0x00007FF7D5C00000-0x00007FF7D5F51000-memory.dmp	xmrig
behavioral2/memory/3836-232-0x00007FF772550000-0x00007FF7728A1000-memory.dmp	xmrig
behavioral2/memory/3564-231-0x00007FF7E2590000-0x00007FF7E28E1000-memory.dmp	xmrig
behavioral2/memory/4412-236-0x00007FF6B61D0000-0x00007FF6B6521000-memory.dmp	xmrig
behavioral2/memory/668-235-0x00007FF64BBE0000-0x00007FF64BF31000-memory.dmp	xmrig
behavioral2/memory/3772-238-0x00007FF681780000-0x00007FF681AD1000-memory.dmp	xmrig
behavioral2/memory/1428-242-0x00007FF6EFB40000-0x00007FF6EFE91000-memory.dmp	xmrig
behavioral2/memory/1212-241-0x00007FF6067A0000-0x00007FF606AF1000-memory.dmp	xmrig
behavioral2/memory/1372-244-0x00007FF64C230000-0x00007FF64C581000-memory.dmp	xmrig
behavioral2/memory/3076-257-0x00007FF796FF0000-0x00007FF797341000-memory.dmp	xmrig
behavioral2/memory/2604-260-0x00007FF62DEE0000-0x00007FF62E231000-memory.dmp	xmrig
behavioral2/memory/556-258-0x00007FF732080000-0x00007FF7323D1000-memory.dmp	xmrig
behavioral2/memory/2496-254-0x00007FF62A1D0000-0x00007FF62A521000-memory.dmp	xmrig
behavioral2/memory/4612-252-0x00007FF6F5C00000-0x00007FF6F5F51000-memory.dmp	xmrig
behavioral2/memory/2172-262-0x00007FF6C5F00000-0x00007FF6C6251000-memory.dmp	xmrig
behavioral2/memory/628-267-0x00007FF7D6EE0000-0x00007FF7D7231000-memory.dmp	xmrig
behavioral2/memory/1884-270-0x00007FF657830000-0x00007FF657B81000-memory.dmp	xmrig
behavioral2/memory/3404-269-0x00007FF6766F0000-0x00007FF676A41000-memory.dmp	xmrig
behavioral2/memory/3164-264-0x00007FF78BB50000-0x00007FF78BEA1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4488	wwMdQxP.exe
3140	xgYMOdo.exe
436	pYwzDGZ.exe
3564	NZkFdyi.exe
3836	iIZBeJo.exe
668	RndairI.exe
4412	ZrpqKcB.exe
3772	HDvNAeA.exe
1428	XUulESy.exe
1212	cxtdFxE.exe
1372	dqFrFWe.exe
3076	xWCOega.exe
2496	RRSgccK.exe
4612	jpzOWHq.exe
556	mNZEpIW.exe
2604	GXFwhsh.exe
2172	iWrYcjf.exe
1884	RRkHAAC.exe
3404	dMyEmKo.exe
628	HbZYhlY.exe
3164	xwXgAeG.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3976-0-0x00007FF604600000-0x00007FF604951000-memory.dmp	upx
behavioral2/files/0x000a000000023cad-5.dat	upx
behavioral2/files/0x0007000000023cb5-12.dat	upx
behavioral2/memory/3564-25-0x00007FF7E2590000-0x00007FF7E28E1000-memory.dmp	upx
behavioral2/memory/4412-49-0x00007FF6B61D0000-0x00007FF6B6521000-memory.dmp	upx
behavioral2/memory/3772-53-0x00007FF681780000-0x00007FF681AD1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-67.dat	upx
behavioral2/memory/1372-73-0x00007FF64C230000-0x00007FF64C581000-memory.dmp	upx
behavioral2/files/0x0007000000023cc1-87.dat	upx
behavioral2/memory/3836-96-0x00007FF772550000-0x00007FF7728A1000-memory.dmp	upx
behavioral2/memory/556-98-0x00007FF732080000-0x00007FF7323D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc2-95.dat	upx
behavioral2/files/0x0009000000023cb2-101.dat	upx
behavioral2/memory/4412-108-0x00007FF6B61D0000-0x00007FF6B6521000-memory.dmp	upx
behavioral2/memory/2172-114-0x00007FF6C5F00000-0x00007FF6C6251000-memory.dmp	upx
behavioral2/files/0x0007000000023cc5-121.dat	upx
behavioral2/files/0x0007000000023cc6-125.dat	upx
behavioral2/files/0x0007000000023cc7-136.dat	upx
behavioral2/memory/1372-134-0x00007FF64C230000-0x00007FF64C581000-memory.dmp	upx
behavioral2/memory/628-128-0x00007FF7D6EE0000-0x00007FF7D7231000-memory.dmp	upx
behavioral2/memory/1212-127-0x00007FF6067A0000-0x00007FF606AF1000-memory.dmp	upx
behavioral2/memory/3404-126-0x00007FF6766F0000-0x00007FF676A41000-memory.dmp	upx
behavioral2/memory/1428-122-0x00007FF6EFB40000-0x00007FF6EFE91000-memory.dmp	upx
behavioral2/files/0x0007000000023cc4-119.dat	upx
behavioral2/memory/1884-116-0x00007FF657830000-0x00007FF657B81000-memory.dmp	upx
behavioral2/memory/2604-111-0x00007FF62DEE0000-0x00007FF62E231000-memory.dmp	upx
behavioral2/files/0x0007000000023cc3-109.dat	upx
behavioral2/memory/668-104-0x00007FF64BBE0000-0x00007FF64BF31000-memory.dmp	upx
behavioral2/memory/4612-89-0x00007FF6F5C00000-0x00007FF6F5F51000-memory.dmp	upx
behavioral2/memory/3564-88-0x00007FF7E2590000-0x00007FF7E28E1000-memory.dmp	upx
behavioral2/memory/436-86-0x00007FF7404A0000-0x00007FF7407F1000-memory.dmp	upx
behavioral2/memory/2496-85-0x00007FF62A1D0000-0x00007FF62A521000-memory.dmp	upx
behavioral2/files/0x0007000000023cc0-81.dat	upx
behavioral2/memory/3140-80-0x00007FF7D5C00000-0x00007FF7D5F51000-memory.dmp	upx
behavioral2/files/0x0007000000023cbf-77.dat	upx
behavioral2/memory/3076-76-0x00007FF796FF0000-0x00007FF797341000-memory.dmp	upx
behavioral2/memory/4488-70-0x00007FF75FD50000-0x00007FF7600A1000-memory.dmp	upx
behavioral2/memory/1212-66-0x00007FF6067A0000-0x00007FF606AF1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbd-62.dat	upx
behavioral2/memory/3976-59-0x00007FF604600000-0x00007FF604951000-memory.dmp	upx
behavioral2/files/0x0007000000023cbc-58.dat	upx
behavioral2/memory/1428-54-0x00007FF6EFB40000-0x00007FF6EFE91000-memory.dmp	upx
behavioral2/files/0x0007000000023cbb-47.dat	upx
behavioral2/files/0x0007000000023cba-42.dat	upx
behavioral2/memory/668-38-0x00007FF64BBE0000-0x00007FF64BF31000-memory.dmp	upx
behavioral2/files/0x0007000000023cb9-36.dat	upx
behavioral2/memory/3836-32-0x00007FF772550000-0x00007FF7728A1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb8-30.dat	upx
behavioral2/files/0x0007000000023cb7-24.dat	upx
behavioral2/memory/3164-139-0x00007FF78BB50000-0x00007FF78BEA1000-memory.dmp	upx
behavioral2/memory/3076-138-0x00007FF796FF0000-0x00007FF797341000-memory.dmp	upx
behavioral2/memory/436-20-0x00007FF7404A0000-0x00007FF7407F1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb6-17.dat	upx
behavioral2/memory/3140-13-0x00007FF7D5C00000-0x00007FF7D5F51000-memory.dmp	upx
behavioral2/memory/4488-7-0x00007FF75FD50000-0x00007FF7600A1000-memory.dmp	upx
behavioral2/memory/3976-140-0x00007FF604600000-0x00007FF604951000-memory.dmp	upx
behavioral2/memory/4612-157-0x00007FF6F5C00000-0x00007FF6F5F51000-memory.dmp	upx
behavioral2/memory/556-155-0x00007FF732080000-0x00007FF7323D1000-memory.dmp	upx
behavioral2/memory/628-161-0x00007FF7D6EE0000-0x00007FF7D7231000-memory.dmp	upx
behavioral2/memory/3404-160-0x00007FF6766F0000-0x00007FF676A41000-memory.dmp	upx
behavioral2/memory/1884-159-0x00007FF657830000-0x00007FF657B81000-memory.dmp	upx
behavioral2/memory/3976-163-0x00007FF604600000-0x00007FF604951000-memory.dmp	upx
behavioral2/memory/4488-224-0x00007FF75FD50000-0x00007FF7600A1000-memory.dmp	upx
behavioral2/memory/436-228-0x00007FF7404A0000-0x00007FF7407F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\NZkFdyi.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XUulESy.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RRSgccK.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RRkHAAC.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xwXgAeG.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wwMdQxP.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cxtdFxE.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mNZEpIW.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GXFwhsh.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iWrYcjf.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xgYMOdo.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pYwzDGZ.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RndairI.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HDvNAeA.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jpzOWHq.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dMyEmKo.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iIZBeJo.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZrpqKcB.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dqFrFWe.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xWCOega.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HbZYhlY.exe	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 4488	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3976 wrote to memory of 4488	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3976 wrote to memory of 3140	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3976 wrote to memory of 3140	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3976 wrote to memory of 436	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3976 wrote to memory of 436	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3976 wrote to memory of 3564	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3976 wrote to memory of 3564	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3976 wrote to memory of 3836	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3976 wrote to memory of 3836	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3976 wrote to memory of 668	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3976 wrote to memory of 668	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3976 wrote to memory of 4412	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3976 wrote to memory of 4412	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3976 wrote to memory of 3772	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3976 wrote to memory of 3772	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3976 wrote to memory of 1428	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3976 wrote to memory of 1428	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3976 wrote to memory of 1212	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3976 wrote to memory of 1212	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3976 wrote to memory of 1372	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3976 wrote to memory of 1372	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3976 wrote to memory of 3076	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3976 wrote to memory of 3076	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3976 wrote to memory of 2496	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3976 wrote to memory of 2496	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3976 wrote to memory of 4612	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3976 wrote to memory of 4612	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3976 wrote to memory of 556	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3976 wrote to memory of 556	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3976 wrote to memory of 2604	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3976 wrote to memory of 2604	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3976 wrote to memory of 2172	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3976 wrote to memory of 2172	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3976 wrote to memory of 1884	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3976 wrote to memory of 1884	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3976 wrote to memory of 3404	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3976 wrote to memory of 3404	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3976 wrote to memory of 628	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3976 wrote to memory of 628	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3976 wrote to memory of 3164	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3976 wrote to memory of 3164	3976	2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-31_ce538d1b99223d8314e0a30c29a9d501_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\System\wwMdQxP.exe
  C:\Windows\System\wwMdQxP.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\xgYMOdo.exe
  C:\Windows\System\xgYMOdo.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System\pYwzDGZ.exe
  C:\Windows\System\pYwzDGZ.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\NZkFdyi.exe
  C:\Windows\System\NZkFdyi.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\iIZBeJo.exe
  C:\Windows\System\iIZBeJo.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System\RndairI.exe
  C:\Windows\System\RndairI.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System\ZrpqKcB.exe
  C:\Windows\System\ZrpqKcB.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\HDvNAeA.exe
  C:\Windows\System\HDvNAeA.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System\XUulESy.exe
  C:\Windows\System\XUulESy.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\cxtdFxE.exe
  C:\Windows\System\cxtdFxE.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System\dqFrFWe.exe
  C:\Windows\System\dqFrFWe.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System\xWCOega.exe
  C:\Windows\System\xWCOega.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System\RRSgccK.exe
  C:\Windows\System\RRSgccK.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\jpzOWHq.exe
  C:\Windows\System\jpzOWHq.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\mNZEpIW.exe
  C:\Windows\System\mNZEpIW.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\GXFwhsh.exe
  C:\Windows\System\GXFwhsh.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\iWrYcjf.exe
  C:\Windows\System\iWrYcjf.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\RRkHAAC.exe
  C:\Windows\System\RRkHAAC.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System\dMyEmKo.exe
  C:\Windows\System\dMyEmKo.exe
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Windows\System\HbZYhlY.exe
  C:\Windows\System\HbZYhlY.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\xwXgAeG.exe
  C:\Windows\System\xwXgAeG.exe
  2⤵
  - Executes dropped EXE
  PID:3164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\GXFwhsh.exe

Filesize
5.2MB

MD5
a1444c5f703bda0d6c307f218531d715

SHA1
196dad2c0fc07fe19d7f19be4ff9d3e7bfd1d965

SHA256
52e3c0da5e46b5340bfab8634d41c918ae9397a508252d6b4d6fc50a597150fd

SHA512
61e72c420dcf43c75635cd7af0330158a2d54228ba22c8651a51ca93de57741116ca1e8232cbc8815a77be563779d5864e3f266e6e7aca64179281a0e507995b

Download Submit
C:\Windows\System\HDvNAeA.exe

Filesize
5.2MB

MD5
bfc2892e018a46d4a1039bf8b782886c

SHA1
f658d83a46191864049871f908a14f7d970ab391

SHA256
568e280244754e9cb32c08154c5447cd8e85ca22393d194aafda225615258a74

SHA512
29ec27a9f5caacfe40e709dbae230dd3162a0c963f0a746dadb20295d687b9ff3a771700b3f6da4c3560940ed2ca03ef088db747eae7c88cf51091e749882082

Download Submit
C:\Windows\System\HbZYhlY.exe

Filesize
5.2MB

MD5
2478d207173bb8054fe7acacab0199cb

SHA1
4b6f6e5c0c672d044216b85287cc7088a6d89d12

SHA256
0ba521de7bd09281372e43a03e3c82d13fd4bd2633889ebd5a5525d9e4ca9a0e

SHA512
47f62fec6a57be005e0da68c9095f0313b1a4c7ae8e8544fc6f0735e2c2cc326ca723c6776ae743409d8d16a1906a898e73c5d4536d3c5ae2e5f13362b1f9e0f

Download Submit
C:\Windows\System\NZkFdyi.exe

Filesize
5.2MB

MD5
5ce7c4a45fbae1d6ff1bc61013a93731

SHA1
449a6f02ab65cea42c39e49c98e2dd2df56eee2b

SHA256
7965f1f1f7cea68f8d8b55fbbe40ada5353757a47c2e093bfac31e1c263eb177

SHA512
20336e11fb03ec0335ed48ff598620aa274322f214dfab5a7de9aa459064af5e91838474716c77a5278728e305d759a4707993f07fa69a9c0d5ba10eb2f2f325

Download Submit
C:\Windows\System\RRSgccK.exe

Filesize
5.2MB

MD5
19acadb11ebbdc00fe4836b9a9aa2ded

SHA1
86704b8b3bf99c02a66df75a96447a5e14bffb95

SHA256
1acc17ac0a4e763d1861e20f4a4c93a7a785b7a81d4dd920b34a87d86cf568d1

SHA512
aa9784c0435374dd3f3179b7c2ca29201e9a7626910d313543250af53ea590b0f51d280dfbb0a10632927976d13db73499bc123ae34d5ea5ed01450e32d8ff8a

Download Submit
C:\Windows\System\RRkHAAC.exe

Filesize
5.2MB

MD5
98496752fabfa452d87f6c595ade2fb8

SHA1
67df05be1a8933fe3239e9eed61786ce3015927e

SHA256
621328243b96f349e811b45db5ea69206547c34579389806cc53175fd2232384

SHA512
045ef075e5ddc24479a2946970fe35d1e72731c7720dbb0b5dc6e43864990076abdf9092659c8b0c50f7597ad47ee14052b4bddb106261a1939c2622cd16ffee

Download Submit
C:\Windows\System\RndairI.exe

Filesize
5.2MB

MD5
6cc8dea3b1c84c154eced3fea72a0ce7

SHA1
84d3178aa6ca8de45a55e3461d58e716a83b7303

SHA256
6d80cf1ea48b99ecd102429ea09de026a8acc2fb66aff915fe73ed70207dfca4

SHA512
072641a575893e16311dc64c8c9301d7bbeba8b3ee73086ec21e097b77425feb0a61a8cfc809479fbd605b1c37327f824f6d130361d0af01a7674dfeaf165274

Download Submit
C:\Windows\System\XUulESy.exe

Filesize
5.2MB

MD5
dbcf802e487b9c1c453e07e226a2f09e

SHA1
6d7e17b1db62e72e283fd2a91fae15aca8f196a5

SHA256
1d4c5cf85e67352d355ee7d880f377f2ee6bb7019d20bca4f420be56f6b5245c

SHA512
e7378c01c019354ad56d1a1e6408691cee4db94192dfd6b537e813d7e2572c16465d8934fdb853316ea02dba474359ec8ad0c46727c012807c93a14642ec2a0b

Download Submit
C:\Windows\System\ZrpqKcB.exe

Filesize
5.2MB

MD5
462a44e4ef36a10d71e42adbb86a6112

SHA1
ce4c85c2c3bb7fd757552b24ed361f20898e556b

SHA256
72afee0cf6660f81342222c6bb17d54a6e6b8f2ceb402139937b1c2e94668c68

SHA512
ef04da65a5f09ebc719ed7e5f96ac5d2b2b42616efe1a4a62084a70e15e98effb97078b80b60bd25c70153e3d1a2dacaacdd50d764c0a7c0e2d414c49b412464

Download Submit
C:\Windows\System\cxtdFxE.exe

Filesize
5.2MB

MD5
fe3e2977debc7b853dc807c9bf50f658

SHA1
1015acb1785d98575ee7ef9d61bae435964d4987

SHA256
ae02873042509f70c99a3d74557bfd0ff7dc0d294b060c39e172386e27761145

SHA512
50376e5b58e6bc78b84e3b51e1a18a845b30003c580beb3ecf7ebd798230f255dcabef2fdee0d2b886fc0b50bcf52e860da62ee72aced0f18c40151263b284a4

Download Submit
C:\Windows\System\dMyEmKo.exe

Filesize
5.2MB

MD5
651280f08f84c4b08b26401effc928f7

SHA1
2be2b9fddc6ea97a538b8b02088069c82e2f54e6

SHA256
0fb98a74e10cde9a7c1e7afb7c71d7c13d7f45cd118c541abaa2564c977df9ce

SHA512
9039a83438cdc9ebc2305f370e6617edceadd8115e7b43916371e79c5035c82a70e759fa0a31b5637f93be214f0950fe0e88fbe759a0ec853cb87674fbd9346b

Download Submit
C:\Windows\System\dqFrFWe.exe

Filesize
5.2MB

MD5
ae34e8767be4303b3939479120882816

SHA1
7a5426a7fae9238c7dd330758934b63b30c26787

SHA256
3784f69de43cd47e8b2a52e20fdb575fd1b713de7d9b3bf2e98cf2cd02b8bb5b

SHA512
78a34aa544abdbb915cebb955fa53db32f669ca62559c38e9666ea8737e24d42153f19ddc1d114db8db9e58d7b87f8c603b0b112e8d76ca63997adfc79f92d7b

Download Submit
C:\Windows\System\iIZBeJo.exe

Filesize
5.2MB

MD5
22c88166f7d2a2ea73791f43a44bd0f7

SHA1
859d0e6f5c2673d7445e1794c45c60686cbe7cbc

SHA256
deac7261b92d3a7b9b9b85992d36732f30d701c2e6429ac9400d3be2e48c16b1

SHA512
2daee26091a967cc0d0f5af9ed9b51401fb11f644c1bffd9ae46548136f7608dd6569bf523f1bd668b023309cb7fa4cb9a3dc1972cc001c6bfcd662b03eca980

Download Submit
C:\Windows\System\iWrYcjf.exe

Filesize
5.2MB

MD5
a90c5d55bf74e7a5e45e714cec76bc60

SHA1
0c02ac385ac4ba2c7317af63ef223fccfbeb734f

SHA256
7c96c57bc60dd88c9be086c496c513a0fb95aa59091244b2500466961acbfa15

SHA512
ca71581ec4b42fe8ce70fc14ffd6c9ad95ecf0297e7212ebdf331a4ac9f438e5ebd9babc507509272c692abed3fd3dee4fd7ed5d67c34ef97a839bdeff15a25a

Download Submit
C:\Windows\System\jpzOWHq.exe

Filesize
5.2MB

MD5
27900c0f9fa22a1f2886a58fa9ed5ae0

SHA1
24a3f166f9114c28e6a8f7b2685bccc37a58ece9

SHA256
b643433b5ded6bab3fc1e487e495a1a2d4bfd53ec7ac17ee45a48f27810df13e

SHA512
82ae68279897153e673ac2eb7679cbc7bb85fd35b39e156a0492d9601b798b15e62dbca88c90d343ba298bce54ac09582d974d57fca7665d425b024ab683c477

Download Submit
C:\Windows\System\mNZEpIW.exe

Filesize
5.2MB

MD5
fb13c64a57df319f524201926f09f326

SHA1
9a6cb8c79374012b0d2e70af1d2ab9209d5eb5b7

SHA256
b88565b6755cd736dfa08d12ce5f2c15ca2ab37dfb45e16971f5a60c8413a116

SHA512
45bca7ebf34c16fa8a347cdf5c3115da974863d234411ea48deaaf34e214729fc16d071ba8b419bf51e1b537f77e95099c5a1ebb08b3b13003c699b4ecc44923

Download Submit
C:\Windows\System\pYwzDGZ.exe

Filesize
5.2MB

MD5
8cf3b18028c4443abe8e3603296c97e1

SHA1
75a794fdc3a06ec4cc1cb1bcbeea39c585814d8f

SHA256
afd995565bd253caa86ab6fb8a6487c34b1aa82fabc9ec0159309e74b806315f

SHA512
1e1c0b3c827f9580f37a0b9699a84b77acf55199be63190c5d2b60b7c5c00fa925aabf30157b516929c009caff14776966c36d49e6f1b2b664163a9adaaea606

Download Submit
C:\Windows\System\wwMdQxP.exe

Filesize
5.2MB

MD5
7e71a103833eb749047728ccceea5ac5

SHA1
778cf86c528cc937fc4b8cf43d7424efa0a45f84

SHA256
52f210729d48127669849416c6d90478f73a82ec4f4379926becb1fff51e614c

SHA512
e8fd1aec725d8d01a82a7f0e0e391e5d6565ca1fec8933d41ba5b021c3d04a103b78de0fc183b632e68a34d30ae5c22b1b22820a37b15f08b2294cb928ec2960

Download Submit
C:\Windows\System\xWCOega.exe

Filesize
5.2MB

MD5
5d4a7be3808b04e94633710ca698071f

SHA1
57630cd42104b8506504a3acc8f29220a5329ccd

SHA256
1fc57e5e127c9d4dbd1790291f216d51fac7695c4d41798d7c9d7c815f23e6e2

SHA512
8d537a02431f6a17d8ef9632a080bb04e273ab0534096f8f31cb374ea9850cb39ebdd1eb451daf75ed8a535ded96195cfad263ec0c1e8c49a0140f1078c66b35

Download Submit
C:\Windows\System\xgYMOdo.exe

Filesize
5.2MB

MD5
f388537b1b06b0d22b9d9dded16a20a3

SHA1
6dcf2bfebb7fab027345de5d04a9a498f3454e5e

SHA256
fdf1f09b0ea61c69f501c4fbc17e967d1f7172eee4edbac937cc4cd5b84c7961

SHA512
c52ba9a063db2076f618dcef92fff27ed82605aed6604d59e8ffdd2529f99c645e9534c64dc64b4187dd562b0c2f290b1308e7e03cb78d287a17da580122c4b3

Download Submit
C:\Windows\System\xwXgAeG.exe

Filesize
5.2MB

MD5
aa61cc288712b44cca3a5d9e53a9a1a9

SHA1
c8818185c18aee0aabdfa540ef3fab5aca263476

SHA256
c5b9ac00b58e305411e304120c252f88195e98157b4e8158259f812e5f3296fc

SHA512
14d5bbb3be2e40ed61d77ce01aeb05c69904548d82c19354729e45afaf2120af286ad34c3ad72d42549c6e57625229af62fe67e12310bf77918fe22e120379f9

Download Submit
memory/436-228-0x00007FF7404A0000-0x00007FF7407F1000-memory.dmp

Filesize
3.3MB

Download
memory/436-20-0x00007FF7404A0000-0x00007FF7407F1000-memory.dmp

Filesize
3.3MB

Download
memory/436-86-0x00007FF7404A0000-0x00007FF7407F1000-memory.dmp

Filesize
3.3MB

Download
memory/556-258-0x00007FF732080000-0x00007FF7323D1000-memory.dmp

Filesize
3.3MB

Download
memory/556-155-0x00007FF732080000-0x00007FF7323D1000-memory.dmp

Filesize
3.3MB

Download
memory/556-98-0x00007FF732080000-0x00007FF7323D1000-memory.dmp

Filesize
3.3MB

Download
memory/628-128-0x00007FF7D6EE0000-0x00007FF7D7231000-memory.dmp

Filesize
3.3MB

Download
memory/628-267-0x00007FF7D6EE0000-0x00007FF7D7231000-memory.dmp

Filesize
3.3MB

Download
memory/628-161-0x00007FF7D6EE0000-0x00007FF7D7231000-memory.dmp

Filesize
3.3MB

Download
memory/668-104-0x00007FF64BBE0000-0x00007FF64BF31000-memory.dmp

Filesize
3.3MB

Download
memory/668-38-0x00007FF64BBE0000-0x00007FF64BF31000-memory.dmp

Filesize
3.3MB

Download
memory/668-235-0x00007FF64BBE0000-0x00007FF64BF31000-memory.dmp

Filesize
3.3MB

Download
memory/1212-241-0x00007FF6067A0000-0x00007FF606AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1212-127-0x00007FF6067A0000-0x00007FF606AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1212-66-0x00007FF6067A0000-0x00007FF606AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1372-134-0x00007FF64C230000-0x00007FF64C581000-memory.dmp

Filesize
3.3MB

Download
memory/1372-73-0x00007FF64C230000-0x00007FF64C581000-memory.dmp

Filesize
3.3MB

Download
memory/1372-244-0x00007FF64C230000-0x00007FF64C581000-memory.dmp

Filesize
3.3MB

Download
memory/1428-122-0x00007FF6EFB40000-0x00007FF6EFE91000-memory.dmp

Filesize
3.3MB

Download
memory/1428-54-0x00007FF6EFB40000-0x00007FF6EFE91000-memory.dmp

Filesize
3.3MB

Download
memory/1428-242-0x00007FF6EFB40000-0x00007FF6EFE91000-memory.dmp

Filesize
3.3MB

Download
memory/1884-159-0x00007FF657830000-0x00007FF657B81000-memory.dmp

Filesize
3.3MB

Download
memory/1884-270-0x00007FF657830000-0x00007FF657B81000-memory.dmp

Filesize
3.3MB

Download
memory/1884-116-0x00007FF657830000-0x00007FF657B81000-memory.dmp

Filesize
3.3MB

Download
memory/2172-114-0x00007FF6C5F00000-0x00007FF6C6251000-memory.dmp

Filesize
3.3MB

Download
memory/2172-262-0x00007FF6C5F00000-0x00007FF6C6251000-memory.dmp

Filesize
3.3MB

Download
memory/2496-85-0x00007FF62A1D0000-0x00007FF62A521000-memory.dmp

Filesize
3.3MB

Download
memory/2496-254-0x00007FF62A1D0000-0x00007FF62A521000-memory.dmp

Filesize
3.3MB

Download
memory/2604-111-0x00007FF62DEE0000-0x00007FF62E231000-memory.dmp

Filesize
3.3MB

Download
memory/2604-260-0x00007FF62DEE0000-0x00007FF62E231000-memory.dmp

Filesize
3.3MB

Download
memory/3076-257-0x00007FF796FF0000-0x00007FF797341000-memory.dmp

Filesize
3.3MB

Download
memory/3076-138-0x00007FF796FF0000-0x00007FF797341000-memory.dmp

Filesize
3.3MB

Download
memory/3076-76-0x00007FF796FF0000-0x00007FF797341000-memory.dmp

Filesize
3.3MB

Download
memory/3140-80-0x00007FF7D5C00000-0x00007FF7D5F51000-memory.dmp

Filesize
3.3MB

Download
memory/3140-226-0x00007FF7D5C00000-0x00007FF7D5F51000-memory.dmp

Filesize
3.3MB

Download
memory/3140-13-0x00007FF7D5C00000-0x00007FF7D5F51000-memory.dmp

Filesize
3.3MB

Download
memory/3164-139-0x00007FF78BB50000-0x00007FF78BEA1000-memory.dmp

Filesize
3.3MB

Download
memory/3164-264-0x00007FF78BB50000-0x00007FF78BEA1000-memory.dmp

Filesize
3.3MB

Download
memory/3404-269-0x00007FF6766F0000-0x00007FF676A41000-memory.dmp

Filesize
3.3MB

Download
memory/3404-126-0x00007FF6766F0000-0x00007FF676A41000-memory.dmp

Filesize
3.3MB

Download
memory/3404-160-0x00007FF6766F0000-0x00007FF676A41000-memory.dmp

Filesize
3.3MB

Download
memory/3564-88-0x00007FF7E2590000-0x00007FF7E28E1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-25-0x00007FF7E2590000-0x00007FF7E28E1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-231-0x00007FF7E2590000-0x00007FF7E28E1000-memory.dmp

Filesize
3.3MB

Download
memory/3772-53-0x00007FF681780000-0x00007FF681AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3772-238-0x00007FF681780000-0x00007FF681AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3836-32-0x00007FF772550000-0x00007FF7728A1000-memory.dmp

Filesize
3.3MB

Download
memory/3836-232-0x00007FF772550000-0x00007FF7728A1000-memory.dmp

Filesize
3.3MB

Download
memory/3836-96-0x00007FF772550000-0x00007FF7728A1000-memory.dmp

Filesize
3.3MB

Download
memory/3976-0-0x00007FF604600000-0x00007FF604951000-memory.dmp

Filesize
3.3MB

Download
memory/3976-140-0x00007FF604600000-0x00007FF604951000-memory.dmp

Filesize
3.3MB

Download
memory/3976-1-0x000001C574C20000-0x000001C574C30000-memory.dmp

Filesize
64KB

Download
memory/3976-59-0x00007FF604600000-0x00007FF604951000-memory.dmp

Filesize
3.3MB

Download
memory/3976-163-0x00007FF604600000-0x00007FF604951000-memory.dmp

Filesize
3.3MB

Download
memory/4412-236-0x00007FF6B61D0000-0x00007FF6B6521000-memory.dmp

Filesize
3.3MB

Download
memory/4412-49-0x00007FF6B61D0000-0x00007FF6B6521000-memory.dmp

Filesize
3.3MB

Download
memory/4412-108-0x00007FF6B61D0000-0x00007FF6B6521000-memory.dmp

Filesize
3.3MB

Download
memory/4488-7-0x00007FF75FD50000-0x00007FF7600A1000-memory.dmp

Filesize
3.3MB

Download
memory/4488-224-0x00007FF75FD50000-0x00007FF7600A1000-memory.dmp

Filesize
3.3MB

Download
memory/4488-70-0x00007FF75FD50000-0x00007FF7600A1000-memory.dmp

Filesize
3.3MB

Download
memory/4612-157-0x00007FF6F5C00000-0x00007FF6F5F51000-memory.dmp

Filesize
3.3MB

Download
memory/4612-252-0x00007FF6F5C00000-0x00007FF6F5F51000-memory.dmp

Filesize
3.3MB

Download
memory/4612-89-0x00007FF6F5C00000-0x00007FF6F5F51000-memory.dmp

Filesize
3.3MB

Download