cobaltstrike | fa6d35e74910c923590e2a8ebb57b4e16124d1008f15f1bba8c530058443f5c2

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

086775e666296019c0756759f3064ae6
SHA1

f849bdfa6a1738ae42494881c501966197e8c78c
SHA256

fa6d35e74910c923590e2a8ebb57b4e16124d1008f15f1bba8c530058443f5c2
SHA512

0feba5504b51fc2ea4c2a1546732b0ac20ea4b7f80efb3f353d4fb6948467e40ba8ca53d8dcfae1cf8bd7e744fcf44dd5829171a1805d98d078db2f6b25a9d27
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lH:RWWBibj56utgpPFotBER/mQ32lUj

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023463-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-33.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-40.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346d-49.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346f-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023474-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023477-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023479-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023478-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023476-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023475-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023473-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023472-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023470-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023471-83.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346e-62.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-52.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-60.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023464-27.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/936-14-0x00007FF665C70000-0x00007FF665FC1000-memory.dmp	xmrig
behavioral2/memory/1104-23-0x00007FF60C5C0000-0x00007FF60C911000-memory.dmp	xmrig
behavioral2/memory/2396-111-0x00007FF61C880000-0x00007FF61CBD1000-memory.dmp	xmrig
behavioral2/memory/2744-94-0x00007FF6C84C0000-0x00007FF6C8811000-memory.dmp	xmrig
behavioral2/memory/4764-78-0x00007FF78D990000-0x00007FF78DCE1000-memory.dmp	xmrig
behavioral2/memory/2292-72-0x00007FF751FC0000-0x00007FF752311000-memory.dmp	xmrig
behavioral2/memory/3416-128-0x00007FF7D6320000-0x00007FF7D6671000-memory.dmp	xmrig
behavioral2/memory/2432-127-0x00007FF6B0B20000-0x00007FF6B0E71000-memory.dmp	xmrig
behavioral2/memory/1104-132-0x00007FF60C5C0000-0x00007FF60C911000-memory.dmp	xmrig
behavioral2/memory/4456-134-0x00007FF6D83E0000-0x00007FF6D8731000-memory.dmp	xmrig
behavioral2/memory/2232-148-0x00007FF67A690000-0x00007FF67A9E1000-memory.dmp	xmrig
behavioral2/memory/3424-149-0x00007FF7C8FC0000-0x00007FF7C9311000-memory.dmp	xmrig
behavioral2/memory/2200-147-0x00007FF72FAA0000-0x00007FF72FDF1000-memory.dmp	xmrig
behavioral2/memory/4692-145-0x00007FF668FF0000-0x00007FF669341000-memory.dmp	xmrig
behavioral2/memory/472-144-0x00007FF741CE0000-0x00007FF742031000-memory.dmp	xmrig
behavioral2/memory/3196-141-0x00007FF7B7BB0000-0x00007FF7B7F01000-memory.dmp	xmrig
behavioral2/memory/224-140-0x00007FF6D9BB0000-0x00007FF6D9F01000-memory.dmp	xmrig
behavioral2/memory/4460-138-0x00007FF656000000-0x00007FF656351000-memory.dmp	xmrig
behavioral2/memory/1832-136-0x00007FF6EEE90000-0x00007FF6EF1E1000-memory.dmp	xmrig
behavioral2/memory/2364-135-0x00007FF692250000-0x00007FF6925A1000-memory.dmp	xmrig
behavioral2/memory/1760-133-0x00007FF6B8920000-0x00007FF6B8C71000-memory.dmp	xmrig
behavioral2/memory/3276-143-0x00007FF745AA0000-0x00007FF745DF1000-memory.dmp	xmrig
behavioral2/memory/4688-130-0x00007FF75ED50000-0x00007FF75F0A1000-memory.dmp	xmrig
behavioral2/memory/2432-129-0x00007FF6B0B20000-0x00007FF6B0E71000-memory.dmp	xmrig
behavioral2/memory/2432-151-0x00007FF6B0B20000-0x00007FF6B0E71000-memory.dmp	xmrig
behavioral2/memory/4688-199-0x00007FF75ED50000-0x00007FF75F0A1000-memory.dmp	xmrig
behavioral2/memory/936-201-0x00007FF665C70000-0x00007FF665FC1000-memory.dmp	xmrig
behavioral2/memory/1104-203-0x00007FF60C5C0000-0x00007FF60C911000-memory.dmp	xmrig
behavioral2/memory/1760-205-0x00007FF6B8920000-0x00007FF6B8C71000-memory.dmp	xmrig
behavioral2/memory/4456-207-0x00007FF6D83E0000-0x00007FF6D8731000-memory.dmp	xmrig
behavioral2/memory/2364-209-0x00007FF692250000-0x00007FF6925A1000-memory.dmp	xmrig
behavioral2/memory/1832-211-0x00007FF6EEE90000-0x00007FF6EF1E1000-memory.dmp	xmrig
behavioral2/memory/2292-213-0x00007FF751FC0000-0x00007FF752311000-memory.dmp	xmrig
behavioral2/memory/4764-215-0x00007FF78D990000-0x00007FF78DCE1000-memory.dmp	xmrig
behavioral2/memory/4460-217-0x00007FF656000000-0x00007FF656351000-memory.dmp	xmrig
behavioral2/memory/224-219-0x00007FF6D9BB0000-0x00007FF6D9F01000-memory.dmp	xmrig
behavioral2/memory/2744-221-0x00007FF6C84C0000-0x00007FF6C8811000-memory.dmp	xmrig
behavioral2/memory/3196-223-0x00007FF7B7BB0000-0x00007FF7B7F01000-memory.dmp	xmrig
behavioral2/memory/4692-226-0x00007FF668FF0000-0x00007FF669341000-memory.dmp	xmrig
behavioral2/memory/3276-229-0x00007FF745AA0000-0x00007FF745DF1000-memory.dmp	xmrig
behavioral2/memory/2396-228-0x00007FF61C880000-0x00007FF61CBD1000-memory.dmp	xmrig
behavioral2/memory/472-231-0x00007FF741CE0000-0x00007FF742031000-memory.dmp	xmrig
behavioral2/memory/2200-241-0x00007FF72FAA0000-0x00007FF72FDF1000-memory.dmp	xmrig
behavioral2/memory/2232-240-0x00007FF67A690000-0x00007FF67A9E1000-memory.dmp	xmrig
behavioral2/memory/3424-238-0x00007FF7C8FC0000-0x00007FF7C9311000-memory.dmp	xmrig
behavioral2/memory/3416-243-0x00007FF7D6320000-0x00007FF7D6671000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4688	vkUgtVi.exe
936	ejVXKxh.exe
1104	itYJxgM.exe
1760	hpItOAr.exe
4456	ezlZgEL.exe
2364	VxAwViV.exe
2292	yNPzylg.exe
1832	jpuhNTP.exe
4460	sADbYkN.exe
4764	ntOzTjG.exe
224	qwScRrb.exe
3196	JCiFCkK.exe
2744	WurYGhq.exe
472	WtgLAaM.exe
3276	jkmUACQ.exe
4692	vKvuOrG.exe
2396	GpibKcV.exe
2200	ODsOPtz.exe
2232	FwBswar.exe
3424	mbOgEcr.exe
3416	cwGbHFj.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2432-0-0x00007FF6B0B20000-0x00007FF6B0E71000-memory.dmp	upx
behavioral2/files/0x0008000000023463-5.dat	upx
behavioral2/memory/4688-8-0x00007FF75ED50000-0x00007FF75F0A1000-memory.dmp	upx
behavioral2/files/0x0007000000023468-10.dat	upx
behavioral2/files/0x0007000000023467-11.dat	upx
behavioral2/memory/936-14-0x00007FF665C70000-0x00007FF665FC1000-memory.dmp	upx
behavioral2/memory/1104-23-0x00007FF60C5C0000-0x00007FF60C911000-memory.dmp	upx
behavioral2/memory/1760-29-0x00007FF6B8920000-0x00007FF6B8C71000-memory.dmp	upx
behavioral2/files/0x0007000000023469-33.dat	upx
behavioral2/files/0x000700000002346a-40.dat	upx
behavioral2/files/0x000700000002346d-49.dat	upx
behavioral2/files/0x000700000002346f-58.dat	upx
behavioral2/files/0x0007000000023474-88.dat	upx
behavioral2/memory/4692-93-0x00007FF668FF0000-0x00007FF669341000-memory.dmp	upx
behavioral2/memory/2232-112-0x00007FF67A690000-0x00007FF67A9E1000-memory.dmp	upx
behavioral2/files/0x0007000000023477-118.dat	upx
behavioral2/files/0x0007000000023479-125.dat	upx
behavioral2/files/0x0007000000023478-121.dat	upx
behavioral2/memory/3424-120-0x00007FF7C8FC0000-0x00007FF7C9311000-memory.dmp	upx
behavioral2/files/0x0007000000023476-116.dat	upx
behavioral2/memory/2200-115-0x00007FF72FAA0000-0x00007FF72FDF1000-memory.dmp	upx
behavioral2/memory/2396-111-0x00007FF61C880000-0x00007FF61CBD1000-memory.dmp	upx
behavioral2/files/0x0007000000023475-106.dat	upx
behavioral2/memory/472-103-0x00007FF741CE0000-0x00007FF742031000-memory.dmp	upx
behavioral2/files/0x0007000000023473-95.dat	upx
behavioral2/memory/2744-94-0x00007FF6C84C0000-0x00007FF6C8811000-memory.dmp	upx
behavioral2/files/0x0007000000023472-98.dat	upx
behavioral2/files/0x0007000000023470-90.dat	upx
behavioral2/memory/3276-89-0x00007FF745AA0000-0x00007FF745DF1000-memory.dmp	upx
behavioral2/files/0x0007000000023471-83.dat	upx
behavioral2/memory/3196-80-0x00007FF7B7BB0000-0x00007FF7B7F01000-memory.dmp	upx
behavioral2/memory/4764-78-0x00007FF78D990000-0x00007FF78DCE1000-memory.dmp	upx
behavioral2/memory/2292-72-0x00007FF751FC0000-0x00007FF752311000-memory.dmp	upx
behavioral2/memory/224-71-0x00007FF6D9BB0000-0x00007FF6D9F01000-memory.dmp	upx
behavioral2/files/0x000700000002346e-62.dat	upx
behavioral2/memory/4460-59-0x00007FF656000000-0x00007FF656351000-memory.dmp	upx
behavioral2/files/0x000700000002346b-52.dat	upx
behavioral2/files/0x000700000002346c-60.dat	upx
behavioral2/memory/1832-50-0x00007FF6EEE90000-0x00007FF6EF1E1000-memory.dmp	upx
behavioral2/memory/2364-42-0x00007FF692250000-0x00007FF6925A1000-memory.dmp	upx
behavioral2/memory/4456-34-0x00007FF6D83E0000-0x00007FF6D8731000-memory.dmp	upx
behavioral2/files/0x0008000000023464-27.dat	upx
behavioral2/memory/3416-128-0x00007FF7D6320000-0x00007FF7D6671000-memory.dmp	upx
behavioral2/memory/2432-127-0x00007FF6B0B20000-0x00007FF6B0E71000-memory.dmp	upx
behavioral2/memory/1104-132-0x00007FF60C5C0000-0x00007FF60C911000-memory.dmp	upx
behavioral2/memory/4456-134-0x00007FF6D83E0000-0x00007FF6D8731000-memory.dmp	upx
behavioral2/memory/2232-148-0x00007FF67A690000-0x00007FF67A9E1000-memory.dmp	upx
behavioral2/memory/3424-149-0x00007FF7C8FC0000-0x00007FF7C9311000-memory.dmp	upx
behavioral2/memory/2200-147-0x00007FF72FAA0000-0x00007FF72FDF1000-memory.dmp	upx
behavioral2/memory/4692-145-0x00007FF668FF0000-0x00007FF669341000-memory.dmp	upx
behavioral2/memory/472-144-0x00007FF741CE0000-0x00007FF742031000-memory.dmp	upx
behavioral2/memory/3196-141-0x00007FF7B7BB0000-0x00007FF7B7F01000-memory.dmp	upx
behavioral2/memory/224-140-0x00007FF6D9BB0000-0x00007FF6D9F01000-memory.dmp	upx
behavioral2/memory/4460-138-0x00007FF656000000-0x00007FF656351000-memory.dmp	upx
behavioral2/memory/1832-136-0x00007FF6EEE90000-0x00007FF6EF1E1000-memory.dmp	upx
behavioral2/memory/2364-135-0x00007FF692250000-0x00007FF6925A1000-memory.dmp	upx
behavioral2/memory/1760-133-0x00007FF6B8920000-0x00007FF6B8C71000-memory.dmp	upx
behavioral2/memory/3276-143-0x00007FF745AA0000-0x00007FF745DF1000-memory.dmp	upx
behavioral2/memory/4688-130-0x00007FF75ED50000-0x00007FF75F0A1000-memory.dmp	upx
behavioral2/memory/2432-129-0x00007FF6B0B20000-0x00007FF6B0E71000-memory.dmp	upx
behavioral2/memory/2432-151-0x00007FF6B0B20000-0x00007FF6B0E71000-memory.dmp	upx
behavioral2/memory/4688-199-0x00007FF75ED50000-0x00007FF75F0A1000-memory.dmp	upx
behavioral2/memory/936-201-0x00007FF665C70000-0x00007FF665FC1000-memory.dmp	upx
behavioral2/memory/1104-203-0x00007FF60C5C0000-0x00007FF60C911000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\vKvuOrG.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vkUgtVi.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hpItOAr.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VxAwViV.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jpuhNTP.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qwScRrb.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JCiFCkK.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WtgLAaM.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ezlZgEL.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GpibKcV.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cwGbHFj.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ejVXKxh.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yNPzylg.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sADbYkN.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ODsOPtz.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FwBswar.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mbOgEcr.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\itYJxgM.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ntOzTjG.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WurYGhq.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jkmUACQ.exe	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 4688	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2432 wrote to memory of 4688	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2432 wrote to memory of 936	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2432 wrote to memory of 936	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2432 wrote to memory of 1104	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2432 wrote to memory of 1104	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2432 wrote to memory of 1760	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2432 wrote to memory of 1760	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2432 wrote to memory of 4456	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2432 wrote to memory of 4456	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2432 wrote to memory of 2364	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2432 wrote to memory of 2364	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2432 wrote to memory of 1832	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2432 wrote to memory of 1832	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2432 wrote to memory of 2292	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2432 wrote to memory of 2292	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2432 wrote to memory of 4460	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2432 wrote to memory of 4460	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2432 wrote to memory of 4764	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2432 wrote to memory of 4764	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2432 wrote to memory of 224	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2432 wrote to memory of 224	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2432 wrote to memory of 3196	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2432 wrote to memory of 3196	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2432 wrote to memory of 2744	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2432 wrote to memory of 2744	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2432 wrote to memory of 3276	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2432 wrote to memory of 3276	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2432 wrote to memory of 472	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2432 wrote to memory of 472	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2432 wrote to memory of 4692	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2432 wrote to memory of 4692	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2432 wrote to memory of 2396	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2432 wrote to memory of 2396	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2432 wrote to memory of 2200	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2432 wrote to memory of 2200	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2432 wrote to memory of 2232	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2432 wrote to memory of 2232	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2432 wrote to memory of 3424	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2432 wrote to memory of 3424	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2432 wrote to memory of 3416	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2432 wrote to memory of 3416	2432	2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_086775e666296019c0756759f3064ae6_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\System\vkUgtVi.exe
  C:\Windows\System\vkUgtVi.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\ejVXKxh.exe
  C:\Windows\System\ejVXKxh.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\System\itYJxgM.exe
  C:\Windows\System\itYJxgM.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System\hpItOAr.exe
  C:\Windows\System\hpItOAr.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System\ezlZgEL.exe
  C:\Windows\System\ezlZgEL.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\VxAwViV.exe
  C:\Windows\System\VxAwViV.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\jpuhNTP.exe
  C:\Windows\System\jpuhNTP.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\yNPzylg.exe
  C:\Windows\System\yNPzylg.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\sADbYkN.exe
  C:\Windows\System\sADbYkN.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\ntOzTjG.exe
  C:\Windows\System\ntOzTjG.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\qwScRrb.exe
  C:\Windows\System\qwScRrb.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\JCiFCkK.exe
  C:\Windows\System\JCiFCkK.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\WurYGhq.exe
  C:\Windows\System\WurYGhq.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\jkmUACQ.exe
  C:\Windows\System\jkmUACQ.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System\WtgLAaM.exe
  C:\Windows\System\WtgLAaM.exe
  2⤵
  - Executes dropped EXE
  PID:472
- C:\Windows\System\vKvuOrG.exe
  C:\Windows\System\vKvuOrG.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\GpibKcV.exe
  C:\Windows\System\GpibKcV.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\ODsOPtz.exe
  C:\Windows\System\ODsOPtz.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\FwBswar.exe
  C:\Windows\System\FwBswar.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System\mbOgEcr.exe
  C:\Windows\System\mbOgEcr.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\cwGbHFj.exe
  C:\Windows\System\cwGbHFj.exe
  2⤵
  - Executes dropped EXE
  PID:3416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FwBswar.exe

Filesize
5.2MB

MD5
6ecf65b9e2082b2e7f820439eb323834

SHA1
877c0d47fd8b4e104c56e3cfce15d92f32d340c6

SHA256
af2d0ac2450134cef9c32fa4f59e0a6a322e384e8c16bf0ed30d6a4965b9f950

SHA512
5e871a04bcb45518d3d2fff49c20beb097503a2ed1c38de67d9d2d8fbab1019ea7932cf503e6225ab4f08b7148a595f8480c556e846420267b346574153220be

Download Submit
C:\Windows\System\GpibKcV.exe

Filesize
5.2MB

MD5
b06384d37c03db209bd9ddb351a2af47

SHA1
4b2a0ec1beb5495fe478b0cee8f3ed040d22d2a0

SHA256
af49035f24bfc6744e601fc9377b3cd36a5c7611f9c2f821c18026e03949cd6f

SHA512
6cdde893c399e4f4f9d5cc1290b7cc0bea18064da94b8c6b12f4c0aae683c7fdeff7f1cac2ff4b091ca0cd3af3a3115a73ecc466166b5f7ec6d2b2ff0f6a08b1

Download Submit
C:\Windows\System\JCiFCkK.exe

Filesize
5.2MB

MD5
40e5b800ca0af051b5a89370de9a2047

SHA1
70ea875c852aa3eb11a5ebf1bc15c43fa3df68a5

SHA256
15fc0e67df0f671f5ba3db10f1b48f6b5034ed6bf8ea254ae918ac1bc5572710

SHA512
b3178df4786f431b52ea41aa99f5c0850e47bbaafb22e71a2b499d86337b6c00d2040c5bf8e642d7b6de25813fcae66315fce263e3e237388ff9cfe1fb4fcc26

Download Submit
C:\Windows\System\ODsOPtz.exe

Filesize
5.2MB

MD5
590466f78a863d9d2f404f7f6bfbc1a4

SHA1
cbf6c587498771735519619b6037c80c9ecbcbce

SHA256
83269e37618919f28d7c69544ac2795cc35e0989bef36858e8f65012aa4b035b

SHA512
33206913148b426ca9407aa133395cc07d73015a38c7bc8a6c0e44219f118f41bbef6b14318a0912e63b7893796df71f7dbab41ec35e3943e241c141c79952ef

Download Submit
C:\Windows\System\VxAwViV.exe

Filesize
5.2MB

MD5
22c948d69e662e2824a0517e680ba64f

SHA1
5430e79343742552c4c489bc8aa37c14de1819e2

SHA256
1c8bed57cdaa0cb17869ceace241c23fdc5306bbb24c632a850e57ec50de87e1

SHA512
21e519614a8726d49ce0897cefe4e3044371ed52b4370393c885f5a413e7aa091e75c5314c43d36e0da605789f53a4ce57aa84396577ca702f087e7cbd04c759

Download Submit
C:\Windows\System\WtgLAaM.exe

Filesize
5.2MB

MD5
aae3ac930aee80e2ef28272fd1b5682b

SHA1
32ac2f62596bc9194e909d186c0d10456ecd1126

SHA256
f46fe02c93b365ca2191af8b45983f2028d1a805ceb4a565c155aea00a65cadc

SHA512
b111680fb7278af8d43d16c664c962b3b60f53312bb9529bac497ff6fc82be3dac768c24df44f48797f785c349358d2fe03c8de4c598b2809f5797acf5486dd9

Download Submit
C:\Windows\System\WurYGhq.exe

Filesize
5.2MB

MD5
1a5204647c017baed8023a90d9a02cbd

SHA1
49fa8a1fbb9c52ff8c8769fbf86b614c521b44d6

SHA256
e258d7cca44ddc5e58bd329afc8aaa0ce6374b64c4d5bc27410eb47480353424

SHA512
b71828c2d490f203cb464f8a902587d2d1972e84ef9100a1e46f423203468f2e1230a5e0cbd611fde52e418a02ead9228538b9d360a3017b44c4066056cb40dc

Download Submit
C:\Windows\System\cwGbHFj.exe

Filesize
5.2MB

MD5
102528740b26d36392c1fdf4d7adb33e

SHA1
cfd519d654dfb205112e8022edbb49dc0fa5d8a7

SHA256
b5f3dda5ddf4cd2f48873738ee541446295f15290bbfbdb161ce046fe509c6f7

SHA512
b466a9431eef4203de65981282d0651d4d2c8ebfe12cd5257c66dcd43d060f297ec200e0693c4070f7832678ce978cbc635401a64f3d78551ac9c73124ddbb08

Download Submit
C:\Windows\System\ejVXKxh.exe

Filesize
5.2MB

MD5
5392f7ce365e236744ee4e81c8dc57c2

SHA1
b609736ad406a5c95e59fc9eed38a15f7111c489

SHA256
e676e25d54318e84d6985db80310c3b90e674c5f2d678834d8aa5659b489afa5

SHA512
efed286eab2d6cb001b0d39d3d52b3efea9e26bcd50b0746f8e2f82b432d28be355c3b70b9d21e7cee9b3c2522094472c98ee1f3a1cc813b7a66a7ee64e26db5

Download Submit
C:\Windows\System\ezlZgEL.exe

Filesize
5.2MB

MD5
38057e38bb9ef1bb7b33c29cb550ff30

SHA1
72136473ba8eba7f973d83a951aab55defd5dec8

SHA256
80b0a410bba2b333590a6949dea08771d352d379fa40d2b810a228a0e9917cd7

SHA512
1cc260bcfbe6747bf8fba0af37c77df02a1dbec20938d8a2f124971b9b3752f883b6a6de66c21e69e7c5c818a3d1f15707fcf33664f8a88bdfee4b2bbb9ccbef

Download Submit
C:\Windows\System\hpItOAr.exe

Filesize
5.2MB

MD5
001287bc93c6328497252ccebe781c90

SHA1
74e4eab1647624265b3ecdc10e6d6c956aea084a

SHA256
dedc12571116c5e80761f26282ad28cd39df292744f6acca67d9e741bc471123

SHA512
6113f49b39c4d54744e5e522105ea1cf9244cad862409bf0d309ae83eaeff84781af53cff224a5f849500ca0b5d1339735f3cc87b33770c38973545f01549488

Download Submit
C:\Windows\System\itYJxgM.exe

Filesize
5.2MB

MD5
342b3bd79bedda20ef3b3f767646a4e7

SHA1
7af33f936c5bb590695b4ce5e29bd0959d58a6d1

SHA256
7d28a04b90f905700d35f7539fcdcff359f9ffe3e48d745a95d6c2f29837fd2c

SHA512
5285bc2415946b58fa64a826bec511076de5e60f84073950aac40e18165ec5eedbd2e10118e50e8353ad786617001e3c1b6907b5b33b2379fe7da405493911b0

Download Submit
C:\Windows\System\jkmUACQ.exe

Filesize
5.2MB

MD5
cc4bb560df414d56cac24b8b23e1311a

SHA1
6ce38fc9545f7a49e94c2698207b89055e94034d

SHA256
e49c276317c59e37eec24409b9e9d497fc241658f2d03278be22d65d257cf063

SHA512
ff04feabb0e297c183723351a8f38aebc5ca1a4e2eaf3f67bbe28e97deef97247a2cc607b5d03ab9a768944316d26f7ddd72fa667ac6c1e0726c3e8460d8f886

Download Submit
C:\Windows\System\jpuhNTP.exe

Filesize
5.2MB

MD5
1ffea97a9ddf4f42be30f1adead324fd

SHA1
86f58847fb08ad166ad5deb2db3836a41b39bbc3

SHA256
5a6dd2f87f7da0d3003549c521c0959ade64c0215da3849b6f45dec9d97ad15d

SHA512
0a3cc33b090921449c58b1c60f40e2bc2a381378f03432b6ac0be73b2f11753adc96c7b7da0d761fe27ac13ec5cae7e8dc08e0a5174a3908c02f26d4fe4ae12b

Download Submit
C:\Windows\System\mbOgEcr.exe

Filesize
5.2MB

MD5
e6b8753eb13e3c1b2155b82d49e706f2

SHA1
afa54345c607d190b0753187b66927271f91dfd5

SHA256
6c2bcb3f666acaa556052183daf6bf0b432b2b2ad48343ed038bde294b22c556

SHA512
468017ee7355a87ae11c05ff37203c057a3283332fe6e5b12be6cd84d024cae78b1c9d87e21921a27150f809a8d79ce7aadca0ae819a50ead5a48a73efa88b7f

Download Submit
C:\Windows\System\ntOzTjG.exe

Filesize
5.2MB

MD5
30b126137591489029a3141e0b33fc5b

SHA1
4e48613edfc60b05cfda8c546a1b7fa6db1bfdfa

SHA256
5dbabb9200e8cf04dc542165c2e0d393b81fc3380bfdad5955b8530538a82527

SHA512
b22d43270721d5baf616160282881ab15e6a229e92f3e7fa44d1ec0f92bd907aa44ab725675502205f2849b5aac1c946f56bfecd4b4786f065311e0c3cb449e8

Download Submit
C:\Windows\System\qwScRrb.exe

Filesize
5.2MB

MD5
aabd0c836a31a017e924e728736fbef8

SHA1
af4e59dbb08d17704f4c9c469d8f45d0d3e1b40d

SHA256
445ce6d08d84eaf66fc3f7235dab7219a12f601f44f62442c0ad21302e682996

SHA512
71efc3a4bb27c187cf169a623b5967b035384c4b5466740d256a655673089e3c74d5ab76a0c5ada899c4195dea87f607c92fadfa124fa2c25cafd54aebf4d885

Download Submit
C:\Windows\System\sADbYkN.exe

Filesize
5.2MB

MD5
3db42eb4d02b427e0d53d984929fabff

SHA1
927a8452f9ef4d80b4c2daaa9c637301510604a4

SHA256
0a0be6840634f12971d71306b1e9f92ad1786ebefa25ca0a747933b4e33b8423

SHA512
d4f7d5433793de4b623d1b5b9c6b91aeafbce14d93b853c20b7e335cada366b654acb25edfe66cf0d07962f0d307bb3602b3735dfd78f96eddca1d0daca0475d

Download Submit
C:\Windows\System\vKvuOrG.exe

Filesize
5.2MB

MD5
10fc3d27e267edb9e6010115927ec227

SHA1
1f4dd6a5c93da916a007707ba16986e0df290a7a

SHA256
786da65329a37af0b21c08ead1009caba5929785e0e6fb5d7f4610410c636c87

SHA512
dedcbd0e0735982cdc7ff13253e38fc502887a750140eeb49c89bb1cc25bcb03fdb85838acd85952c482ca69d6d800f81dde88d2f948b2a4ea36fdf6a2dddcc1

Download Submit
C:\Windows\System\vkUgtVi.exe

Filesize
5.2MB

MD5
6a78a2944dcf0327f979a22f7bcbf086

SHA1
7e053fbc0b02d7f46c2d256c5fedcd6c6a7a8c04

SHA256
704024e7909b60443eaa61a37cd2c56f248312e738450f335fc60c7b7ba9dbf1

SHA512
28e2b2f317d38a9d6ec348a7cf0d920cb269bcfd5a6c599337a561efeb5d6100e77407593f5f313c743286c8fe1c1cc175b0f76c333f40cfa4cbebbdbf8ecef3

Download Submit
C:\Windows\System\yNPzylg.exe

Filesize
5.2MB

MD5
2e315d1ea6a5dd4cfbd25395a141043a

SHA1
eaa2e2d99f8b22574afe9d1e498a0e58f52ad482

SHA256
c8f685afd77222aa1f889cb5acb9433c76e2d8202c31b93c3218a24f57fd6bf9

SHA512
a23ba24e0175e44ae1993d3bd9476b66d799b247544c8923d1a9715bca2d52fa81ef3c2532548c5dfd58d354ef0d253b00aeffd563a09180a5425307dd5812ad

Download Submit
memory/224-140-0x00007FF6D9BB0000-0x00007FF6D9F01000-memory.dmp

Filesize
3.3MB

Download
memory/224-219-0x00007FF6D9BB0000-0x00007FF6D9F01000-memory.dmp

Filesize
3.3MB

Download
memory/224-71-0x00007FF6D9BB0000-0x00007FF6D9F01000-memory.dmp

Filesize
3.3MB

Download
memory/472-103-0x00007FF741CE0000-0x00007FF742031000-memory.dmp

Filesize
3.3MB

Download
memory/472-144-0x00007FF741CE0000-0x00007FF742031000-memory.dmp

Filesize
3.3MB

Download
memory/472-231-0x00007FF741CE0000-0x00007FF742031000-memory.dmp

Filesize
3.3MB

Download
memory/936-201-0x00007FF665C70000-0x00007FF665FC1000-memory.dmp

Filesize
3.3MB

Download
memory/936-14-0x00007FF665C70000-0x00007FF665FC1000-memory.dmp

Filesize
3.3MB

Download
memory/1104-23-0x00007FF60C5C0000-0x00007FF60C911000-memory.dmp

Filesize
3.3MB

Download
memory/1104-132-0x00007FF60C5C0000-0x00007FF60C911000-memory.dmp

Filesize
3.3MB

Download
memory/1104-203-0x00007FF60C5C0000-0x00007FF60C911000-memory.dmp

Filesize
3.3MB

Download
memory/1760-133-0x00007FF6B8920000-0x00007FF6B8C71000-memory.dmp

Filesize
3.3MB

Download
memory/1760-205-0x00007FF6B8920000-0x00007FF6B8C71000-memory.dmp

Filesize
3.3MB

Download
memory/1760-29-0x00007FF6B8920000-0x00007FF6B8C71000-memory.dmp

Filesize
3.3MB

Download
memory/1832-211-0x00007FF6EEE90000-0x00007FF6EF1E1000-memory.dmp

Filesize
3.3MB

Download
memory/1832-50-0x00007FF6EEE90000-0x00007FF6EF1E1000-memory.dmp

Filesize
3.3MB

Download
memory/1832-136-0x00007FF6EEE90000-0x00007FF6EF1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-241-0x00007FF72FAA0000-0x00007FF72FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-115-0x00007FF72FAA0000-0x00007FF72FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-147-0x00007FF72FAA0000-0x00007FF72FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2232-112-0x00007FF67A690000-0x00007FF67A9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2232-240-0x00007FF67A690000-0x00007FF67A9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2232-148-0x00007FF67A690000-0x00007FF67A9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2292-213-0x00007FF751FC0000-0x00007FF752311000-memory.dmp

Filesize
3.3MB

Download
memory/2292-72-0x00007FF751FC0000-0x00007FF752311000-memory.dmp

Filesize
3.3MB

Download
memory/2364-42-0x00007FF692250000-0x00007FF6925A1000-memory.dmp

Filesize
3.3MB

Download
memory/2364-209-0x00007FF692250000-0x00007FF6925A1000-memory.dmp

Filesize
3.3MB

Download
memory/2364-135-0x00007FF692250000-0x00007FF6925A1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-228-0x00007FF61C880000-0x00007FF61CBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-111-0x00007FF61C880000-0x00007FF61CBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-129-0x00007FF6B0B20000-0x00007FF6B0E71000-memory.dmp

Filesize
3.3MB

Download
memory/2432-1-0x0000024E3FC20000-0x0000024E3FC30000-memory.dmp

Filesize
64KB

Download
memory/2432-127-0x00007FF6B0B20000-0x00007FF6B0E71000-memory.dmp

Filesize
3.3MB

Download
memory/2432-0-0x00007FF6B0B20000-0x00007FF6B0E71000-memory.dmp

Filesize
3.3MB

Download
memory/2432-151-0x00007FF6B0B20000-0x00007FF6B0E71000-memory.dmp

Filesize
3.3MB

Download
memory/2744-221-0x00007FF6C84C0000-0x00007FF6C8811000-memory.dmp

Filesize
3.3MB

Download
memory/2744-94-0x00007FF6C84C0000-0x00007FF6C8811000-memory.dmp

Filesize
3.3MB

Download
memory/3196-223-0x00007FF7B7BB0000-0x00007FF7B7F01000-memory.dmp

Filesize
3.3MB

Download
memory/3196-141-0x00007FF7B7BB0000-0x00007FF7B7F01000-memory.dmp

Filesize
3.3MB

Download
memory/3196-80-0x00007FF7B7BB0000-0x00007FF7B7F01000-memory.dmp

Filesize
3.3MB

Download
memory/3276-229-0x00007FF745AA0000-0x00007FF745DF1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-143-0x00007FF745AA0000-0x00007FF745DF1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-89-0x00007FF745AA0000-0x00007FF745DF1000-memory.dmp

Filesize
3.3MB

Download
memory/3416-243-0x00007FF7D6320000-0x00007FF7D6671000-memory.dmp

Filesize
3.3MB

Download
memory/3416-128-0x00007FF7D6320000-0x00007FF7D6671000-memory.dmp

Filesize
3.3MB

Download
memory/3424-238-0x00007FF7C8FC0000-0x00007FF7C9311000-memory.dmp

Filesize
3.3MB

Download
memory/3424-149-0x00007FF7C8FC0000-0x00007FF7C9311000-memory.dmp

Filesize
3.3MB

Download
memory/3424-120-0x00007FF7C8FC0000-0x00007FF7C9311000-memory.dmp

Filesize
3.3MB

Download
memory/4456-207-0x00007FF6D83E0000-0x00007FF6D8731000-memory.dmp

Filesize
3.3MB

Download
memory/4456-34-0x00007FF6D83E0000-0x00007FF6D8731000-memory.dmp

Filesize
3.3MB

Download
memory/4456-134-0x00007FF6D83E0000-0x00007FF6D8731000-memory.dmp

Filesize
3.3MB

Download
memory/4460-217-0x00007FF656000000-0x00007FF656351000-memory.dmp

Filesize
3.3MB

Download
memory/4460-138-0x00007FF656000000-0x00007FF656351000-memory.dmp

Filesize
3.3MB

Download
memory/4460-59-0x00007FF656000000-0x00007FF656351000-memory.dmp

Filesize
3.3MB

Download
memory/4688-130-0x00007FF75ED50000-0x00007FF75F0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-8-0x00007FF75ED50000-0x00007FF75F0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-199-0x00007FF75ED50000-0x00007FF75F0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4692-226-0x00007FF668FF0000-0x00007FF669341000-memory.dmp

Filesize
3.3MB

Download
memory/4692-145-0x00007FF668FF0000-0x00007FF669341000-memory.dmp

Filesize
3.3MB

Download
memory/4692-93-0x00007FF668FF0000-0x00007FF669341000-memory.dmp

Filesize
3.3MB

Download
memory/4764-215-0x00007FF78D990000-0x00007FF78DCE1000-memory.dmp

Filesize
3.3MB

Download
memory/4764-78-0x00007FF78D990000-0x00007FF78DCE1000-memory.dmp

Filesize
3.3MB

Download