cobaltstrike | 06d09ec1e99c4acb39c6d2af78e96f781a151396c3c128674f6419efc1e7f105

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d18ddf08792d87c20b4cac5dd6891ff7
SHA1

6061264292066c8a28a3aa7f499592d890ddcaa0
SHA256

06d09ec1e99c4acb39c6d2af78e96f781a151396c3c128674f6419efc1e7f105
SHA512

ffc65d466c2a814f7727d7bf8119f342bb21666b3e950cee367d75284766c5f1a6697024caa5d993c57e2a23cca5714e38a7f2404ea3fc479cf380b74652559e
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ll:RWWBibj56utgpPFotBER/mQ32lUJ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234a8-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ad-9.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ac-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ae-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234af-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b1-39.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b2-57.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b6-67.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234a9-79.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b7-85.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b9-96.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b8-94.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b5-70.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b4-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b3-53.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b0-48.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ba-100.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bc-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-110.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234be-120.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bf-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4372-51-0x00007FF6D3EC0000-0x00007FF6D4211000-memory.dmp	xmrig
behavioral2/memory/2072-87-0x00007FF7BFBB0000-0x00007FF7BFF01000-memory.dmp	xmrig
behavioral2/memory/2044-42-0x00007FF6D6620000-0x00007FF6D6971000-memory.dmp	xmrig
behavioral2/memory/2628-33-0x00007FF6D7020000-0x00007FF6D7371000-memory.dmp	xmrig
behavioral2/memory/2336-104-0x00007FF788090000-0x00007FF7883E1000-memory.dmp	xmrig
behavioral2/memory/2068-116-0x00007FF696680000-0x00007FF6969D1000-memory.dmp	xmrig
behavioral2/memory/2460-126-0x00007FF66B6C0000-0x00007FF66BA11000-memory.dmp	xmrig
behavioral2/memory/2068-128-0x00007FF696680000-0x00007FF6969D1000-memory.dmp	xmrig
behavioral2/memory/1152-135-0x00007FF769540000-0x00007FF769891000-memory.dmp	xmrig
behavioral2/memory/3564-136-0x00007FF6B1CE0000-0x00007FF6B2031000-memory.dmp	xmrig
behavioral2/memory/4492-134-0x00007FF6272C0000-0x00007FF627611000-memory.dmp	xmrig
behavioral2/memory/1416-138-0x00007FF752920000-0x00007FF752C71000-memory.dmp	xmrig
behavioral2/memory/3716-133-0x00007FF7CB9F0000-0x00007FF7CBD41000-memory.dmp	xmrig
behavioral2/memory/1160-140-0x00007FF779CC0000-0x00007FF77A011000-memory.dmp	xmrig
behavioral2/memory/396-139-0x00007FF7C4860000-0x00007FF7C4BB1000-memory.dmp	xmrig
behavioral2/memory/1408-127-0x00007FF615FA0000-0x00007FF6162F1000-memory.dmp	xmrig
behavioral2/memory/2980-141-0x00007FF7D2720000-0x00007FF7D2A71000-memory.dmp	xmrig
behavioral2/memory/1456-146-0x00007FF6F0FD0000-0x00007FF6F1321000-memory.dmp	xmrig
behavioral2/memory/4508-145-0x00007FF6341E0000-0x00007FF634531000-memory.dmp	xmrig
behavioral2/memory/5008-147-0x00007FF7EE5E0000-0x00007FF7EE931000-memory.dmp	xmrig
behavioral2/memory/4924-144-0x00007FF618850000-0x00007FF618BA1000-memory.dmp	xmrig
behavioral2/memory/3800-143-0x00007FF6B4EF0000-0x00007FF6B5241000-memory.dmp	xmrig
behavioral2/memory/1068-149-0x00007FF61E620000-0x00007FF61E971000-memory.dmp	xmrig
behavioral2/memory/2068-153-0x00007FF696680000-0x00007FF6969D1000-memory.dmp	xmrig
behavioral2/memory/4492-215-0x00007FF6272C0000-0x00007FF627611000-memory.dmp	xmrig
behavioral2/memory/1408-217-0x00007FF615FA0000-0x00007FF6162F1000-memory.dmp	xmrig
behavioral2/memory/2044-219-0x00007FF6D6620000-0x00007FF6D6971000-memory.dmp	xmrig
behavioral2/memory/2628-221-0x00007FF6D7020000-0x00007FF6D7371000-memory.dmp	xmrig
behavioral2/memory/3716-223-0x00007FF7CB9F0000-0x00007FF7CBD41000-memory.dmp	xmrig
behavioral2/memory/4372-225-0x00007FF6D3EC0000-0x00007FF6D4211000-memory.dmp	xmrig
behavioral2/memory/1152-227-0x00007FF769540000-0x00007FF769891000-memory.dmp	xmrig
behavioral2/memory/2980-230-0x00007FF7D2720000-0x00007FF7D2A71000-memory.dmp	xmrig
behavioral2/memory/1416-231-0x00007FF752920000-0x00007FF752C71000-memory.dmp	xmrig
behavioral2/memory/1160-234-0x00007FF779CC0000-0x00007FF77A011000-memory.dmp	xmrig
behavioral2/memory/2072-235-0x00007FF7BFBB0000-0x00007FF7BFF01000-memory.dmp	xmrig
behavioral2/memory/4508-238-0x00007FF6341E0000-0x00007FF634531000-memory.dmp	xmrig
behavioral2/memory/3800-239-0x00007FF6B4EF0000-0x00007FF6B5241000-memory.dmp	xmrig
behavioral2/memory/4924-241-0x00007FF618850000-0x00007FF618BA1000-memory.dmp	xmrig
behavioral2/memory/1456-245-0x00007FF6F0FD0000-0x00007FF6F1321000-memory.dmp	xmrig
behavioral2/memory/5008-244-0x00007FF7EE5E0000-0x00007FF7EE931000-memory.dmp	xmrig
behavioral2/memory/2336-252-0x00007FF788090000-0x00007FF7883E1000-memory.dmp	xmrig
behavioral2/memory/2460-254-0x00007FF66B6C0000-0x00007FF66BA11000-memory.dmp	xmrig
behavioral2/memory/1068-256-0x00007FF61E620000-0x00007FF61E971000-memory.dmp	xmrig
behavioral2/memory/396-260-0x00007FF7C4860000-0x00007FF7C4BB1000-memory.dmp	xmrig
behavioral2/memory/3564-259-0x00007FF6B1CE0000-0x00007FF6B2031000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4492	YVqXdQg.exe
1408	jPgIWsH.exe
2044	BRkAKLC.exe
2628	FBnaNYc.exe
3716	QfTNgol.exe
1152	uTznHrQ.exe
4372	qoswsnK.exe
1416	ljrLxKw.exe
1160	qcVSAvG.exe
2980	uKEzGwP.exe
2072	FppWpSi.exe
3800	YjVbSVQ.exe
4924	yITpzft.exe
4508	uYTPgAO.exe
1456	USVywiD.exe
5008	aBmDzZa.exe
2336	lABJziJ.exe
1068	GeCpDFG.exe
2460	KdZRiar.exe
3564	XPoAPFB.exe
396	kPOIEuf.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2068-0-0x00007FF696680000-0x00007FF6969D1000-memory.dmp	upx
behavioral2/files/0x00080000000234a8-5.dat	upx
behavioral2/files/0x00070000000234ad-9.dat	upx
behavioral2/files/0x00070000000234ac-10.dat	upx
behavioral2/files/0x00070000000234ae-23.dat	upx
behavioral2/files/0x00070000000234af-29.dat	upx
behavioral2/files/0x00070000000234b1-39.dat	upx
behavioral2/memory/1152-46-0x00007FF769540000-0x00007FF769891000-memory.dmp	upx
behavioral2/memory/4372-51-0x00007FF6D3EC0000-0x00007FF6D4211000-memory.dmp	upx
behavioral2/files/0x00070000000234b2-57.dat	upx
behavioral2/files/0x00070000000234b6-67.dat	upx
behavioral2/files/0x00080000000234a9-79.dat	upx
behavioral2/files/0x00070000000234b7-85.dat	upx
behavioral2/files/0x00070000000234b9-96.dat	upx
behavioral2/files/0x00070000000234b8-94.dat	upx
behavioral2/memory/5008-93-0x00007FF7EE5E0000-0x00007FF7EE931000-memory.dmp	upx
behavioral2/memory/1456-90-0x00007FF6F0FD0000-0x00007FF6F1321000-memory.dmp	upx
behavioral2/memory/4924-89-0x00007FF618850000-0x00007FF618BA1000-memory.dmp	upx
behavioral2/memory/2072-87-0x00007FF7BFBB0000-0x00007FF7BFF01000-memory.dmp	upx
behavioral2/memory/4508-82-0x00007FF6341E0000-0x00007FF634531000-memory.dmp	upx
behavioral2/memory/3800-81-0x00007FF6B4EF0000-0x00007FF6B5241000-memory.dmp	upx
behavioral2/memory/1160-71-0x00007FF779CC0000-0x00007FF77A011000-memory.dmp	upx
behavioral2/files/0x00070000000234b5-70.dat	upx
behavioral2/files/0x00070000000234b4-59.dat	upx
behavioral2/memory/1416-55-0x00007FF752920000-0x00007FF752C71000-memory.dmp	upx
behavioral2/memory/2980-54-0x00007FF7D2720000-0x00007FF7D2A71000-memory.dmp	upx
behavioral2/files/0x00070000000234b3-53.dat	upx
behavioral2/files/0x00070000000234b0-48.dat	upx
behavioral2/memory/2044-42-0x00007FF6D6620000-0x00007FF6D6971000-memory.dmp	upx
behavioral2/memory/3716-37-0x00007FF7CB9F0000-0x00007FF7CBD41000-memory.dmp	upx
behavioral2/memory/2628-33-0x00007FF6D7020000-0x00007FF6D7371000-memory.dmp	upx
behavioral2/memory/1408-28-0x00007FF615FA0000-0x00007FF6162F1000-memory.dmp	upx
behavioral2/memory/4492-6-0x00007FF6272C0000-0x00007FF627611000-memory.dmp	upx
behavioral2/files/0x00070000000234ba-100.dat	upx
behavioral2/files/0x00070000000234bc-107.dat	upx
behavioral2/memory/2336-104-0x00007FF788090000-0x00007FF7883E1000-memory.dmp	upx
behavioral2/files/0x00070000000234bd-110.dat	upx
behavioral2/memory/1068-115-0x00007FF61E620000-0x00007FF61E971000-memory.dmp	upx
behavioral2/files/0x00070000000234be-120.dat	upx
behavioral2/files/0x00070000000234bf-124.dat	upx
behavioral2/memory/2068-116-0x00007FF696680000-0x00007FF6969D1000-memory.dmp	upx
behavioral2/memory/2460-126-0x00007FF66B6C0000-0x00007FF66BA11000-memory.dmp	upx
behavioral2/memory/2068-128-0x00007FF696680000-0x00007FF6969D1000-memory.dmp	upx
behavioral2/memory/1152-135-0x00007FF769540000-0x00007FF769891000-memory.dmp	upx
behavioral2/memory/3564-136-0x00007FF6B1CE0000-0x00007FF6B2031000-memory.dmp	upx
behavioral2/memory/4492-134-0x00007FF6272C0000-0x00007FF627611000-memory.dmp	upx
behavioral2/memory/1416-138-0x00007FF752920000-0x00007FF752C71000-memory.dmp	upx
behavioral2/memory/3716-133-0x00007FF7CB9F0000-0x00007FF7CBD41000-memory.dmp	upx
behavioral2/memory/1160-140-0x00007FF779CC0000-0x00007FF77A011000-memory.dmp	upx
behavioral2/memory/396-139-0x00007FF7C4860000-0x00007FF7C4BB1000-memory.dmp	upx
behavioral2/memory/1408-127-0x00007FF615FA0000-0x00007FF6162F1000-memory.dmp	upx
behavioral2/memory/2980-141-0x00007FF7D2720000-0x00007FF7D2A71000-memory.dmp	upx
behavioral2/memory/1456-146-0x00007FF6F0FD0000-0x00007FF6F1321000-memory.dmp	upx
behavioral2/memory/4508-145-0x00007FF6341E0000-0x00007FF634531000-memory.dmp	upx
behavioral2/memory/5008-147-0x00007FF7EE5E0000-0x00007FF7EE931000-memory.dmp	upx
behavioral2/memory/4924-144-0x00007FF618850000-0x00007FF618BA1000-memory.dmp	upx
behavioral2/memory/3800-143-0x00007FF6B4EF0000-0x00007FF6B5241000-memory.dmp	upx
behavioral2/memory/1068-149-0x00007FF61E620000-0x00007FF61E971000-memory.dmp	upx
behavioral2/memory/2068-153-0x00007FF696680000-0x00007FF6969D1000-memory.dmp	upx
behavioral2/memory/4492-215-0x00007FF6272C0000-0x00007FF627611000-memory.dmp	upx
behavioral2/memory/1408-217-0x00007FF615FA0000-0x00007FF6162F1000-memory.dmp	upx
behavioral2/memory/2044-219-0x00007FF6D6620000-0x00007FF6D6971000-memory.dmp	upx
behavioral2/memory/2628-221-0x00007FF6D7020000-0x00007FF6D7371000-memory.dmp	upx
behavioral2/memory/3716-223-0x00007FF7CB9F0000-0x00007FF7CBD41000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\YVqXdQg.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aBmDzZa.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jPgIWsH.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BRkAKLC.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ljrLxKw.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YjVbSVQ.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yITpzft.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\USVywiD.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kPOIEuf.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FBnaNYc.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uTznHrQ.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GeCpDFG.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KdZRiar.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XPoAPFB.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QfTNgol.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qoswsnK.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qcVSAvG.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uKEzGwP.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FppWpSi.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uYTPgAO.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lABJziJ.exe	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 4492	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2068 wrote to memory of 4492	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2068 wrote to memory of 1408	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2068 wrote to memory of 1408	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2068 wrote to memory of 2044	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2068 wrote to memory of 2044	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2068 wrote to memory of 2628	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2068 wrote to memory of 2628	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2068 wrote to memory of 3716	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2068 wrote to memory of 3716	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2068 wrote to memory of 1152	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2068 wrote to memory of 1152	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2068 wrote to memory of 4372	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2068 wrote to memory of 4372	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2068 wrote to memory of 1416	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2068 wrote to memory of 1416	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2068 wrote to memory of 1160	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2068 wrote to memory of 1160	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2068 wrote to memory of 2980	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2068 wrote to memory of 2980	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2068 wrote to memory of 2072	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2068 wrote to memory of 2072	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2068 wrote to memory of 3800	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2068 wrote to memory of 3800	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2068 wrote to memory of 4924	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2068 wrote to memory of 4924	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2068 wrote to memory of 4508	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2068 wrote to memory of 4508	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2068 wrote to memory of 1456	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2068 wrote to memory of 1456	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2068 wrote to memory of 5008	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2068 wrote to memory of 5008	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2068 wrote to memory of 2336	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2068 wrote to memory of 2336	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2068 wrote to memory of 1068	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2068 wrote to memory of 1068	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2068 wrote to memory of 2460	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2068 wrote to memory of 2460	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2068 wrote to memory of 3564	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2068 wrote to memory of 3564	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2068 wrote to memory of 396	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2068 wrote to memory of 396	2068	2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_d18ddf08792d87c20b4cac5dd6891ff7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\System\YVqXdQg.exe
  C:\Windows\System\YVqXdQg.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\jPgIWsH.exe
  C:\Windows\System\jPgIWsH.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\BRkAKLC.exe
  C:\Windows\System\BRkAKLC.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\FBnaNYc.exe
  C:\Windows\System\FBnaNYc.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\QfTNgol.exe
  C:\Windows\System\QfTNgol.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Windows\System\uTznHrQ.exe
  C:\Windows\System\uTznHrQ.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System\qoswsnK.exe
  C:\Windows\System\qoswsnK.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\ljrLxKw.exe
  C:\Windows\System\ljrLxKw.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System\qcVSAvG.exe
  C:\Windows\System\qcVSAvG.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\uKEzGwP.exe
  C:\Windows\System\uKEzGwP.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\FppWpSi.exe
  C:\Windows\System\FppWpSi.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\YjVbSVQ.exe
  C:\Windows\System\YjVbSVQ.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\System\yITpzft.exe
  C:\Windows\System\yITpzft.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\uYTPgAO.exe
  C:\Windows\System\uYTPgAO.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System\USVywiD.exe
  C:\Windows\System\USVywiD.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System\aBmDzZa.exe
  C:\Windows\System\aBmDzZa.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\lABJziJ.exe
  C:\Windows\System\lABJziJ.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\GeCpDFG.exe
  C:\Windows\System\GeCpDFG.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\KdZRiar.exe
  C:\Windows\System\KdZRiar.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\XPoAPFB.exe
  C:\Windows\System\XPoAPFB.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\kPOIEuf.exe
  C:\Windows\System\kPOIEuf.exe
  2⤵
  - Executes dropped EXE
  PID:396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BRkAKLC.exe

Filesize
5.2MB

MD5
5c0ecf5d3df7b649d2556f54ed13f74e

SHA1
e45608a943a9f382e964796ba092892e7a33a816

SHA256
8460a936a271c2af74984c1029d07ab5502315900a0718441d47a2bbe33ec4b1

SHA512
662eacec2c962d2684dd01ca5acdbd749b84c788211f021befe935a97b725baa68b169c8dd52b7a54993470bcb7636c09da7e2731cd45ad7517d3341d70b2816

Download Submit
C:\Windows\System\FBnaNYc.exe

Filesize
5.2MB

MD5
6640f800769ccc40ba85f3c8f5fa949e

SHA1
af2b449226f90dd67438cb7b0a5872145d17d06b

SHA256
b5baf4bb781e5805916ba49a3c2a81240beb6e013595d8e48b723bb78b26abca

SHA512
c68b33a6132d0c1baff00b52e35a52dbac363c62b318d2f84347a1a0c25bc667c62d7fbc7cd23f72f294f0b6aabb852db953f888b7d7c8d7806d1fe087e1ec5e

Download Submit
C:\Windows\System\FppWpSi.exe

Filesize
5.2MB

MD5
9a1a9ff39fde22f2b05fd50f9fca2237

SHA1
3889e211895e27ce7d1b356cdcd30a1d41dea8fe

SHA256
11923fb5e40780d9442c470b2108ca1798117981932be258d23b21066790350c

SHA512
32e3bc83e23960d64323aa1941c6ea42a1e1d75cd937944d8c2f8dabefc61aad873c843d35b8b77b0c00cd51cb6fc1877300c77835b34ea45c8f4011ff866396

Download Submit
C:\Windows\System\GeCpDFG.exe

Filesize
5.2MB

MD5
b368112a630d21acd5f63d82ef81db37

SHA1
4350dfbdaa8c62bd59dc727b1dce2b5e44d28d25

SHA256
40967660ffb33efaa6996416e4d8cbcb722f8eac1d4953390d24376269ff0c78

SHA512
8dd0250eb19f863ae0057b3de546bb6b7f7860991c0506ba438d5033c8675e8c53287a498d2168709bac42deed8f53ed8fe6cc6f12c0f04e480d7f16b89518ac

Download Submit
C:\Windows\System\KdZRiar.exe

Filesize
5.2MB

MD5
549e870f8502d0a7679f9a409089ba06

SHA1
464f6518c8dc04ae5a95a5256fcb3917004499da

SHA256
2c174ee961db3577a8ff20ed6285906f53102bf1ea5ad56862e728550a0390f5

SHA512
dd5cf8629bfb32ab3a1fa7332b586aa1e032e5d06b7bcd8eede50525c4fe77a33dd04ca8df0d85853c13474b4a3add8316d04b98a9c02b9ad8aed8ecaf432313

Download Submit
C:\Windows\System\QfTNgol.exe

Filesize
5.2MB

MD5
a33c832fc2d6cef0bcfc2b58f2f7a1ed

SHA1
a19b957fb1370fa80ab0bcf7711d6f4d000f6fc4

SHA256
2ab76c506dc1b0cdced0fbc3d885c93d7c90fa011e7710bccbd743b6faab7003

SHA512
d73c131f0d4e89c388f4ed4ced5029f96d9c55363417a8093ef3d058bb0fef45965b0896a7f756a9d7374da51ddaf6e0b2c126ddcbd734ad2a371da3a18fada9

Download Submit
C:\Windows\System\USVywiD.exe

Filesize
5.2MB

MD5
80729842065e00e117d0b4ee05948a8a

SHA1
5565b5cf843c6e12278303ee87aef21c57e78ae2

SHA256
9ef4951f01231dbb8b88cc4d8614469324d64a31abf0374c45a08223221c8120

SHA512
adc03cec839fe75af67e74bce9e4a6a26f0e5d03f3a86490d8fb905083380b8f818244a5723e0157f2a969ddbd07c2ab6daf3ac9bc685b6a6f785b2fb8c5df7a

Download Submit
C:\Windows\System\XPoAPFB.exe

Filesize
5.2MB

MD5
1df8093957f7434644762f2d763204bd

SHA1
edd0a41642f4a9ade7194ae17f0f0e23d0d32677

SHA256
3e33f02ed4588cab5bf8ff61f0328c2cc4214a4975a45bc9e37f31722abf809e

SHA512
fdcc4a9fd78c133142392b0dceaa72397e42f944f179f816ced6bd408af229eea8bf96a13685f9b409bed8e12d1e6f94e1db9f0965b9a142af98910dcf8ca462

Download Submit
C:\Windows\System\YVqXdQg.exe

Filesize
5.2MB

MD5
5268a1aa8f5f20e4f7e2735aec8a74c6

SHA1
62967021a8a63572c5bcec93661cf9fbeccc038c

SHA256
feb57e9a4f0c7c560758ae9c298eadbd5de79b9835ab9f6ff7ceac7fe9650e9c

SHA512
01724a04fabaca54b15b8884e1a2345e7d874de172ec0b799047ca3cc789d642536ec8340eeb45f767a81591408440043b60f44f474843590c5c08fefa23f210

Download Submit
C:\Windows\System\YjVbSVQ.exe

Filesize
5.2MB

MD5
2e354f4f21fd5fdc0ed4a822adea2532

SHA1
2d6febc99e350f0552000d920709fb1ebc1e655b

SHA256
355f479ba67902e06476b0c18777d08499cd4754e1fdfb4ca3626af950a697a7

SHA512
e77f04e35d0178009aaf221e533484e9de8f8a9dd58b57ca61a8d9fb01ff6d309c05a68960e23a57f1222d615a156019a59fd5f8c0dc7009d9141b8f08707849

Download Submit
C:\Windows\System\aBmDzZa.exe

Filesize
5.2MB

MD5
28c65087dd8d2414ae8db50a14104ede

SHA1
484553bdd9c1b25b9eef898fdcee3a80f5d06fa6

SHA256
a0470a114051403f4175e68a9117c68e50f82a5f3ed48188e9d004c1d3ac7628

SHA512
e4e2e3dcce1bdd0453ec07bc8f7494f731b8679f869103e5713c7b565b3f49aeb62ed947d0c4c2e2042b4eaf70cf813873423c5f0b010f0ad1ae6d7998c2191a

Download Submit
C:\Windows\System\jPgIWsH.exe

Filesize
5.2MB

MD5
8547b565857fd2f6f5aa51fa77518620

SHA1
2b82fdf19d9a966a7e18a410ea1cb2ea836e493d

SHA256
7936390c7c62196a5c8e1c3239aec3d451eb2f80b71118a3413827aab310af5b

SHA512
6d9c43640caff3a75f732401f8b64f060ed3ee02b0add6136a63c3e75461178986862d07ec8d8ef9f3259c9263aa3d947775791bc8293f4a679df208ae582236

Download Submit
C:\Windows\System\kPOIEuf.exe

Filesize
5.2MB

MD5
1b2d3211f1462f9511ccefa27c024922

SHA1
03358939455bb1914a25fa27c4fe5e61eb864cc1

SHA256
82e0b668c4dd4d09d23dd971cdd5230a394268bf1c18a82df24e521b3509f203

SHA512
cbe9f2cac153a1c12cfb1de0928bfe5a144a416e6d050942680e9f29c49f704f20cd858337846d904478469a3191438f272bbad56ff645f7c399bb72ad7f3129

Download Submit
C:\Windows\System\lABJziJ.exe

Filesize
5.2MB

MD5
a975cf6fe6e3092119ce8abc7606156e

SHA1
ac4d8a7bef81989da807bdbdf00e77230b54d10c

SHA256
b041b8d45b1f9a7bc0f14f843bf4ecfe44e7b5858f1ddda19d856da13be2c7a2

SHA512
6f543ea6279f9b172fe9b9a1897cd4c0e44969f7a53c93520e69b1578d9b247b83382b60eb4ddad20f7a3a29fc9b96225787a069b75669cdc1219f9338eea2cf

Download Submit
C:\Windows\System\ljrLxKw.exe

Filesize
5.2MB

MD5
d3459bd12bcd2622ee9e8a11ac8ce5b1

SHA1
718dd8e734bb9efc3ac54fb227889aa2154a935c

SHA256
f8430d9a550b2a3d74bb78806093e2056d3ef74c548980d7ba1e7410ef69f49d

SHA512
3a2e10ab95321e1dc9fefb75647c412a508f3f8a0433d905acff91b343ecd1faa639eeae45b7951db01740f8ec0776c5b2b99ff5872d2bfaf5f9bfe04e3399e3

Download Submit
C:\Windows\System\qcVSAvG.exe

Filesize
5.2MB

MD5
249dce7046b62f15266b4732822f1f7e

SHA1
faa4c28fa3f53ffcaf509958571bcb5f8d8458c2

SHA256
c5afbd69794ec5d5f03daa37a41d59f9e8f054cc7565cd88790ff2d294232e2b

SHA512
757bec156f0c77b51e352687b3bb6735c95ccbbf48d2199bc1e19bfac9210f5418e4210e801cc0a67388d45782920ed8f8660cf7d4c45bf7c7beddcaa6518fef

Download Submit
C:\Windows\System\qoswsnK.exe

Filesize
5.2MB

MD5
399902db98ca296c75c0178c70c2e8bf

SHA1
433b1ada44bae36ab3c3e68aa5ec11e27e50d104

SHA256
993597bc525e68e859be94db351a387151fd91910dc4facf56bc8bf287897c47

SHA512
3a39508eebb71563c246abac02108134f1c4d775fe78bc97d8f0b0da05855f6c35f7052bb57515837a86db7ea066cb4a8a0e0a9bd351a2571e7a1023d2a15be7

Download Submit
C:\Windows\System\uKEzGwP.exe

Filesize
5.2MB

MD5
66dc53966f502e9242ebaf1b51136e83

SHA1
593a38f6b842bd21c56242eebf4e88c96fcc0990

SHA256
cb5fced8dc078727b9403191fa9e21be3e06ecbe3457f5f665f7c44a35a0c8b0

SHA512
e1299519d29ef1b03732a5fd3804080f42059994dd6f5fd6de6bdee215dca544ba8e01b84a1edbc18f96fb95613cf5acf1731e2c73694518f62c408c005e81ea

Download Submit
C:\Windows\System\uTznHrQ.exe

Filesize
5.2MB

MD5
09d8a74cc0c01083343e7713ddfa5a1e

SHA1
cd94f53522b980582d56a8856f50f702750ea8f7

SHA256
9139de776370c590bee263f45635332f79ca43909aa7bda2b920508f436467c1

SHA512
9f436df90bcb52ee4b71cf27e944b425ac4f353bc91f397559fc95d0d150e1f1d593709425caa2c67c29501782eda26aa18d1324e9110a8f9dddcb82c11cf233

Download Submit
C:\Windows\System\uYTPgAO.exe

Filesize
5.2MB

MD5
f3483d14ed8c786e15ae4c0fd71495b7

SHA1
62af65fc8aad253d89836214ccce3724921b922d

SHA256
685c21d6d01d7c609b8171ad57c76126caae6e962154ec2bdd083443c279d535

SHA512
e45554294451d8c45e313a79ef55bda009c5342947e1aa8f4f7bd14d3f94d06eb6fedc4a752c7ce8d61698410abc9ac0b6033d7b2031fa2c495ee4db7ac81c15

Download Submit
C:\Windows\System\yITpzft.exe

Filesize
5.2MB

MD5
c3619ae938c0d8e7389b37476ab0d693

SHA1
304012e1a52b1739d545f735b290cfc89a267e58

SHA256
512fd57839d0218a55cb821e8511eaffc9feb5ec5bb80d72ac52a0390e9c82ef

SHA512
c7b948b915e5f99fd717788b2e3457513fc32465b6b43756ba3d99db5b226a145ef93972a3d2e3db02572bbec751de2c94303427b48bf28bd981a9398206dcf5

Download Submit
memory/396-139-0x00007FF7C4860000-0x00007FF7C4BB1000-memory.dmp

Filesize
3.3MB

Download
memory/396-260-0x00007FF7C4860000-0x00007FF7C4BB1000-memory.dmp

Filesize
3.3MB

Download
memory/1068-149-0x00007FF61E620000-0x00007FF61E971000-memory.dmp

Filesize
3.3MB

Download
memory/1068-256-0x00007FF61E620000-0x00007FF61E971000-memory.dmp

Filesize
3.3MB

Download
memory/1068-115-0x00007FF61E620000-0x00007FF61E971000-memory.dmp

Filesize
3.3MB

Download
memory/1152-46-0x00007FF769540000-0x00007FF769891000-memory.dmp

Filesize
3.3MB

Download
memory/1152-227-0x00007FF769540000-0x00007FF769891000-memory.dmp

Filesize
3.3MB

Download
memory/1152-135-0x00007FF769540000-0x00007FF769891000-memory.dmp

Filesize
3.3MB

Download
memory/1160-71-0x00007FF779CC0000-0x00007FF77A011000-memory.dmp

Filesize
3.3MB

Download
memory/1160-140-0x00007FF779CC0000-0x00007FF77A011000-memory.dmp

Filesize
3.3MB

Download
memory/1160-234-0x00007FF779CC0000-0x00007FF77A011000-memory.dmp

Filesize
3.3MB

Download
memory/1408-28-0x00007FF615FA0000-0x00007FF6162F1000-memory.dmp

Filesize
3.3MB

Download
memory/1408-127-0x00007FF615FA0000-0x00007FF6162F1000-memory.dmp

Filesize
3.3MB

Download
memory/1408-217-0x00007FF615FA0000-0x00007FF6162F1000-memory.dmp

Filesize
3.3MB

Download
memory/1416-231-0x00007FF752920000-0x00007FF752C71000-memory.dmp

Filesize
3.3MB

Download
memory/1416-55-0x00007FF752920000-0x00007FF752C71000-memory.dmp

Filesize
3.3MB

Download
memory/1416-138-0x00007FF752920000-0x00007FF752C71000-memory.dmp

Filesize
3.3MB

Download
memory/1456-146-0x00007FF6F0FD0000-0x00007FF6F1321000-memory.dmp

Filesize
3.3MB

Download
memory/1456-90-0x00007FF6F0FD0000-0x00007FF6F1321000-memory.dmp

Filesize
3.3MB

Download
memory/1456-245-0x00007FF6F0FD0000-0x00007FF6F1321000-memory.dmp

Filesize
3.3MB

Download
memory/2044-42-0x00007FF6D6620000-0x00007FF6D6971000-memory.dmp

Filesize
3.3MB

Download
memory/2044-219-0x00007FF6D6620000-0x00007FF6D6971000-memory.dmp

Filesize
3.3MB

Download
memory/2068-153-0x00007FF696680000-0x00007FF6969D1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-0-0x00007FF696680000-0x00007FF6969D1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-128-0x00007FF696680000-0x00007FF6969D1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-1-0x0000019290A50000-0x0000019290A60000-memory.dmp

Filesize
64KB

Download
memory/2068-116-0x00007FF696680000-0x00007FF6969D1000-memory.dmp

Filesize
3.3MB

Download
memory/2072-235-0x00007FF7BFBB0000-0x00007FF7BFF01000-memory.dmp

Filesize
3.3MB

Download
memory/2072-87-0x00007FF7BFBB0000-0x00007FF7BFF01000-memory.dmp

Filesize
3.3MB

Download
memory/2336-104-0x00007FF788090000-0x00007FF7883E1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-252-0x00007FF788090000-0x00007FF7883E1000-memory.dmp

Filesize
3.3MB

Download
memory/2460-126-0x00007FF66B6C0000-0x00007FF66BA11000-memory.dmp

Filesize
3.3MB

Download
memory/2460-254-0x00007FF66B6C0000-0x00007FF66BA11000-memory.dmp

Filesize
3.3MB

Download
memory/2628-221-0x00007FF6D7020000-0x00007FF6D7371000-memory.dmp

Filesize
3.3MB

Download
memory/2628-33-0x00007FF6D7020000-0x00007FF6D7371000-memory.dmp

Filesize
3.3MB

Download
memory/2980-141-0x00007FF7D2720000-0x00007FF7D2A71000-memory.dmp

Filesize
3.3MB

Download
memory/2980-230-0x00007FF7D2720000-0x00007FF7D2A71000-memory.dmp

Filesize
3.3MB

Download
memory/2980-54-0x00007FF7D2720000-0x00007FF7D2A71000-memory.dmp

Filesize
3.3MB

Download
memory/3564-136-0x00007FF6B1CE0000-0x00007FF6B2031000-memory.dmp

Filesize
3.3MB

Download
memory/3564-259-0x00007FF6B1CE0000-0x00007FF6B2031000-memory.dmp

Filesize
3.3MB

Download
memory/3716-133-0x00007FF7CB9F0000-0x00007FF7CBD41000-memory.dmp

Filesize
3.3MB

Download
memory/3716-37-0x00007FF7CB9F0000-0x00007FF7CBD41000-memory.dmp

Filesize
3.3MB

Download
memory/3716-223-0x00007FF7CB9F0000-0x00007FF7CBD41000-memory.dmp

Filesize
3.3MB

Download
memory/3800-81-0x00007FF6B4EF0000-0x00007FF6B5241000-memory.dmp

Filesize
3.3MB

Download
memory/3800-143-0x00007FF6B4EF0000-0x00007FF6B5241000-memory.dmp

Filesize
3.3MB

Download
memory/3800-239-0x00007FF6B4EF0000-0x00007FF6B5241000-memory.dmp

Filesize
3.3MB

Download
memory/4372-225-0x00007FF6D3EC0000-0x00007FF6D4211000-memory.dmp

Filesize
3.3MB

Download
memory/4372-51-0x00007FF6D3EC0000-0x00007FF6D4211000-memory.dmp

Filesize
3.3MB

Download
memory/4492-215-0x00007FF6272C0000-0x00007FF627611000-memory.dmp

Filesize
3.3MB

Download
memory/4492-134-0x00007FF6272C0000-0x00007FF627611000-memory.dmp

Filesize
3.3MB

Download
memory/4492-6-0x00007FF6272C0000-0x00007FF627611000-memory.dmp

Filesize
3.3MB

Download
memory/4508-145-0x00007FF6341E0000-0x00007FF634531000-memory.dmp

Filesize
3.3MB

Download
memory/4508-82-0x00007FF6341E0000-0x00007FF634531000-memory.dmp

Filesize
3.3MB

Download
memory/4508-238-0x00007FF6341E0000-0x00007FF634531000-memory.dmp

Filesize
3.3MB

Download
memory/4924-89-0x00007FF618850000-0x00007FF618BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4924-241-0x00007FF618850000-0x00007FF618BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4924-144-0x00007FF618850000-0x00007FF618BA1000-memory.dmp

Filesize
3.3MB

Download
memory/5008-147-0x00007FF7EE5E0000-0x00007FF7EE931000-memory.dmp

Filesize
3.3MB

Download
memory/5008-244-0x00007FF7EE5E0000-0x00007FF7EE931000-memory.dmp

Filesize
3.3MB

Download
memory/5008-93-0x00007FF7EE5E0000-0x00007FF7EE931000-memory.dmp

Filesize
3.3MB

Download