cobaltstrike | b293c76cf1a8b59efb8425375644c914386146120fda119cb8586c36369dc72d

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

9ac743513a75acbb7722e97395762eb4
SHA1

1a0443a607d6bd9e0356352e626ba773a64b1050
SHA256

b293c76cf1a8b59efb8425375644c914386146120fda119cb8586c36369dc72d
SHA512

1ff625c501344d7526640d42679d57c33eb5416fff5155a2bff414496b685fb813bdb2cdde5f26b8b06985d4db8a24a39f3e813309a0dade62ff58c7bba99e7f
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ly:RWWBibf56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233f6-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-20.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023454-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-28.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002344b-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-41.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-47.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-57.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-62.dat	cobalt_reflective_dll
behavioral2/files/0x0003000000022aa5-77.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023395-96.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023397-115.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-135.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-131.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023394-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a00000002338f-97.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022aa8-88.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/4408-32-0x00007FF644AB0000-0x00007FF644E01000-memory.dmp	xmrig
behavioral2/memory/3496-39-0x00007FF740910000-0x00007FF740C61000-memory.dmp	xmrig
behavioral2/memory/3688-60-0x00007FF72FF00000-0x00007FF730251000-memory.dmp	xmrig
behavioral2/memory/1616-64-0x00007FF751220000-0x00007FF751571000-memory.dmp	xmrig
behavioral2/memory/404-68-0x00007FF7D22A0000-0x00007FF7D25F1000-memory.dmp	xmrig
behavioral2/memory/940-69-0x00007FF64F6A0000-0x00007FF64F9F1000-memory.dmp	xmrig
behavioral2/memory/2752-79-0x00007FF629750000-0x00007FF629AA1000-memory.dmp	xmrig
behavioral2/memory/3560-136-0x00007FF631CF0000-0x00007FF632041000-memory.dmp	xmrig
behavioral2/memory/2832-125-0x00007FF630E20000-0x00007FF631171000-memory.dmp	xmrig
behavioral2/memory/2952-112-0x00007FF7A8E30000-0x00007FF7A9181000-memory.dmp	xmrig
behavioral2/memory/4600-100-0x00007FF622530000-0x00007FF622881000-memory.dmp	xmrig
behavioral2/memory/3496-92-0x00007FF740910000-0x00007FF740C61000-memory.dmp	xmrig
behavioral2/memory/4408-83-0x00007FF644AB0000-0x00007FF644E01000-memory.dmp	xmrig
behavioral2/memory/3688-139-0x00007FF72FF00000-0x00007FF730251000-memory.dmp	xmrig
behavioral2/memory/2652-150-0x00007FF78A070000-0x00007FF78A3C1000-memory.dmp	xmrig
behavioral2/memory/3832-152-0x00007FF740130000-0x00007FF740481000-memory.dmp	xmrig
behavioral2/memory/3816-155-0x00007FF6FE980000-0x00007FF6FECD1000-memory.dmp	xmrig
behavioral2/memory/3064-157-0x00007FF702A30000-0x00007FF702D81000-memory.dmp	xmrig
behavioral2/memory/1928-156-0x00007FF7032D0000-0x00007FF703621000-memory.dmp	xmrig
behavioral2/memory/4432-162-0x00007FF695840000-0x00007FF695B91000-memory.dmp	xmrig
behavioral2/memory/780-168-0x00007FF738520000-0x00007FF738871000-memory.dmp	xmrig
behavioral2/memory/4708-165-0x00007FF70C0D0000-0x00007FF70C421000-memory.dmp	xmrig
behavioral2/memory/4064-167-0x00007FF6EB130000-0x00007FF6EB481000-memory.dmp	xmrig
behavioral2/memory/1128-166-0x00007FF6BB870000-0x00007FF6BBBC1000-memory.dmp	xmrig
behavioral2/memory/2460-164-0x00007FF7452F0000-0x00007FF745641000-memory.dmp	xmrig
behavioral2/memory/3688-169-0x00007FF72FF00000-0x00007FF730251000-memory.dmp	xmrig
behavioral2/memory/1616-220-0x00007FF751220000-0x00007FF751571000-memory.dmp	xmrig
behavioral2/memory/404-222-0x00007FF7D22A0000-0x00007FF7D25F1000-memory.dmp	xmrig
behavioral2/memory/940-224-0x00007FF64F6A0000-0x00007FF64F9F1000-memory.dmp	xmrig
behavioral2/memory/2752-226-0x00007FF629750000-0x00007FF629AA1000-memory.dmp	xmrig
behavioral2/memory/4408-234-0x00007FF644AB0000-0x00007FF644E01000-memory.dmp	xmrig
behavioral2/memory/3496-236-0x00007FF740910000-0x00007FF740C61000-memory.dmp	xmrig
behavioral2/memory/4600-238-0x00007FF622530000-0x00007FF622881000-memory.dmp	xmrig
behavioral2/memory/2952-240-0x00007FF7A8E30000-0x00007FF7A9181000-memory.dmp	xmrig
behavioral2/memory/2832-242-0x00007FF630E20000-0x00007FF631171000-memory.dmp	xmrig
behavioral2/memory/3560-244-0x00007FF631CF0000-0x00007FF632041000-memory.dmp	xmrig
behavioral2/memory/2652-248-0x00007FF78A070000-0x00007FF78A3C1000-memory.dmp	xmrig
behavioral2/memory/3832-250-0x00007FF740130000-0x00007FF740481000-memory.dmp	xmrig
behavioral2/memory/3816-256-0x00007FF6FE980000-0x00007FF6FECD1000-memory.dmp	xmrig
behavioral2/memory/1928-258-0x00007FF7032D0000-0x00007FF703621000-memory.dmp	xmrig
behavioral2/memory/3064-264-0x00007FF702A30000-0x00007FF702D81000-memory.dmp	xmrig
behavioral2/memory/4064-266-0x00007FF6EB130000-0x00007FF6EB481000-memory.dmp	xmrig
behavioral2/memory/1128-268-0x00007FF6BB870000-0x00007FF6BBBC1000-memory.dmp	xmrig
behavioral2/memory/780-270-0x00007FF738520000-0x00007FF738871000-memory.dmp	xmrig
behavioral2/memory/4432-272-0x00007FF695840000-0x00007FF695B91000-memory.dmp	xmrig
behavioral2/memory/2460-276-0x00007FF7452F0000-0x00007FF745641000-memory.dmp	xmrig
behavioral2/memory/4708-275-0x00007FF70C0D0000-0x00007FF70C421000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1616	fPdVHPa.exe
404	RvlyIRC.exe
940	YBMVTYS.exe
2752	rEufjoj.exe
4408	qZMlocE.exe
3496	LLdhMMt.exe
4600	uiUXlQf.exe
2952	vjxPyzG.exe
2832	iwrgbsd.exe
3560	TOIIVtv.exe
2652	AdJrGse.exe
3832	xiwzJsI.exe
3816	uYSpHSg.exe
1928	wvAjoQk.exe
3064	Ijjdofe.exe
1128	NixWtbf.exe
4064	QdvVsEY.exe
4432	vxjudsp.exe
780	FLJGfvF.exe
2460	mrXKJyZ.exe
4708	ejgIweg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3688-0-0x00007FF72FF00000-0x00007FF730251000-memory.dmp	upx
behavioral2/files/0x00090000000233f6-4.dat	upx
behavioral2/memory/1616-7-0x00007FF751220000-0x00007FF751571000-memory.dmp	upx
behavioral2/files/0x0007000000023455-17.dat	upx
behavioral2/files/0x0007000000023456-20.dat	upx
behavioral2/memory/2752-22-0x00007FF629750000-0x00007FF629AA1000-memory.dmp	upx
behavioral2/memory/940-21-0x00007FF64F6A0000-0x00007FF64F9F1000-memory.dmp	upx
behavioral2/memory/404-13-0x00007FF7D22A0000-0x00007FF7D25F1000-memory.dmp	upx
behavioral2/files/0x0007000000023454-12.dat	upx
behavioral2/files/0x0007000000023457-28.dat	upx
behavioral2/memory/4408-32-0x00007FF644AB0000-0x00007FF644E01000-memory.dmp	upx
behavioral2/files/0x000900000002344b-34.dat	upx
behavioral2/files/0x0007000000023459-41.dat	upx
behavioral2/memory/4600-43-0x00007FF622530000-0x00007FF622881000-memory.dmp	upx
behavioral2/memory/3496-39-0x00007FF740910000-0x00007FF740C61000-memory.dmp	upx
behavioral2/files/0x000700000002345a-47.dat	upx
behavioral2/memory/2952-48-0x00007FF7A8E30000-0x00007FF7A9181000-memory.dmp	upx
behavioral2/files/0x000700000002345b-57.dat	upx
behavioral2/memory/3560-61-0x00007FF631CF0000-0x00007FF632041000-memory.dmp	upx
behavioral2/files/0x000700000002345c-62.dat	upx
behavioral2/memory/3688-60-0x00007FF72FF00000-0x00007FF730251000-memory.dmp	upx
behavioral2/memory/2832-54-0x00007FF630E20000-0x00007FF631171000-memory.dmp	upx
behavioral2/memory/1616-64-0x00007FF751220000-0x00007FF751571000-memory.dmp	upx
behavioral2/memory/404-68-0x00007FF7D22A0000-0x00007FF7D25F1000-memory.dmp	upx
behavioral2/memory/3832-76-0x00007FF740130000-0x00007FF740481000-memory.dmp	upx
behavioral2/files/0x0003000000022aa5-77.dat	upx
behavioral2/memory/2652-71-0x00007FF78A070000-0x00007FF78A3C1000-memory.dmp	upx
behavioral2/files/0x000700000002345d-70.dat	upx
behavioral2/memory/940-69-0x00007FF64F6A0000-0x00007FF64F9F1000-memory.dmp	upx
behavioral2/memory/2752-79-0x00007FF629750000-0x00007FF629AA1000-memory.dmp	upx
behavioral2/memory/3816-84-0x00007FF6FE980000-0x00007FF6FECD1000-memory.dmp	upx
behavioral2/files/0x000a000000023395-96.dat	upx
behavioral2/files/0x000d000000023397-115.dat	upx
behavioral2/memory/4064-119-0x00007FF6EB130000-0x00007FF6EB481000-memory.dmp	upx
behavioral2/files/0x000700000002345f-127.dat	upx
behavioral2/files/0x0007000000023460-133.dat	upx
behavioral2/memory/4708-138-0x00007FF70C0D0000-0x00007FF70C421000-memory.dmp	upx
behavioral2/memory/3560-136-0x00007FF631CF0000-0x00007FF632041000-memory.dmp	upx
behavioral2/files/0x0007000000023461-135.dat	upx
behavioral2/files/0x000700000002345e-131.dat	upx
behavioral2/memory/2460-130-0x00007FF7452F0000-0x00007FF745641000-memory.dmp	upx
behavioral2/memory/4432-129-0x00007FF695840000-0x00007FF695B91000-memory.dmp	upx
behavioral2/memory/2832-125-0x00007FF630E20000-0x00007FF631171000-memory.dmp	upx
behavioral2/memory/780-124-0x00007FF738520000-0x00007FF738871000-memory.dmp	upx
behavioral2/memory/2952-112-0x00007FF7A8E30000-0x00007FF7A9181000-memory.dmp	upx
behavioral2/memory/1128-105-0x00007FF6BB870000-0x00007FF6BBBC1000-memory.dmp	upx
behavioral2/memory/3064-104-0x00007FF702A30000-0x00007FF702D81000-memory.dmp	upx
behavioral2/files/0x0009000000023394-106.dat	upx
behavioral2/memory/4600-100-0x00007FF622530000-0x00007FF622881000-memory.dmp	upx
behavioral2/files/0x000a00000002338f-97.dat	upx
behavioral2/memory/1928-94-0x00007FF7032D0000-0x00007FF703621000-memory.dmp	upx
behavioral2/memory/3496-92-0x00007FF740910000-0x00007FF740C61000-memory.dmp	upx
behavioral2/files/0x0002000000022aa8-88.dat	upx
behavioral2/memory/4408-83-0x00007FF644AB0000-0x00007FF644E01000-memory.dmp	upx
behavioral2/memory/3688-139-0x00007FF72FF00000-0x00007FF730251000-memory.dmp	upx
behavioral2/memory/2652-150-0x00007FF78A070000-0x00007FF78A3C1000-memory.dmp	upx
behavioral2/memory/3832-152-0x00007FF740130000-0x00007FF740481000-memory.dmp	upx
behavioral2/memory/3816-155-0x00007FF6FE980000-0x00007FF6FECD1000-memory.dmp	upx
behavioral2/memory/3064-157-0x00007FF702A30000-0x00007FF702D81000-memory.dmp	upx
behavioral2/memory/1928-156-0x00007FF7032D0000-0x00007FF703621000-memory.dmp	upx
behavioral2/memory/4432-162-0x00007FF695840000-0x00007FF695B91000-memory.dmp	upx
behavioral2/memory/780-168-0x00007FF738520000-0x00007FF738871000-memory.dmp	upx
behavioral2/memory/4708-165-0x00007FF70C0D0000-0x00007FF70C421000-memory.dmp	upx
behavioral2/memory/4064-167-0x00007FF6EB130000-0x00007FF6EB481000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\uYSpHSg.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vxjudsp.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RvlyIRC.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LLdhMMt.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Ijjdofe.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mrXKJyZ.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rEufjoj.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iwrgbsd.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xiwzJsI.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NixWtbf.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FLJGfvF.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YBMVTYS.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vjxPyzG.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uiUXlQf.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TOIIVtv.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AdJrGse.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wvAjoQk.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QdvVsEY.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ejgIweg.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fPdVHPa.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qZMlocE.exe	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 1616	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3688 wrote to memory of 1616	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3688 wrote to memory of 404	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3688 wrote to memory of 404	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3688 wrote to memory of 940	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3688 wrote to memory of 940	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3688 wrote to memory of 2752	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3688 wrote to memory of 2752	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3688 wrote to memory of 4408	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3688 wrote to memory of 4408	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3688 wrote to memory of 3496	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3688 wrote to memory of 3496	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3688 wrote to memory of 4600	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3688 wrote to memory of 4600	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3688 wrote to memory of 2952	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3688 wrote to memory of 2952	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3688 wrote to memory of 2832	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3688 wrote to memory of 2832	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3688 wrote to memory of 3560	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3688 wrote to memory of 3560	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3688 wrote to memory of 2652	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3688 wrote to memory of 2652	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3688 wrote to memory of 3832	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3688 wrote to memory of 3832	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3688 wrote to memory of 3816	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3688 wrote to memory of 3816	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3688 wrote to memory of 1928	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3688 wrote to memory of 1928	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3688 wrote to memory of 3064	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3688 wrote to memory of 3064	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3688 wrote to memory of 1128	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3688 wrote to memory of 1128	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3688 wrote to memory of 4064	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3688 wrote to memory of 4064	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3688 wrote to memory of 4432	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3688 wrote to memory of 4432	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3688 wrote to memory of 780	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3688 wrote to memory of 780	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3688 wrote to memory of 2460	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3688 wrote to memory of 2460	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3688 wrote to memory of 4708	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3688 wrote to memory of 4708	3688	2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_9ac743513a75acbb7722e97395762eb4_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\System\fPdVHPa.exe
  C:\Windows\System\fPdVHPa.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\RvlyIRC.exe
  C:\Windows\System\RvlyIRC.exe
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\System\YBMVTYS.exe
  C:\Windows\System\YBMVTYS.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\rEufjoj.exe
  C:\Windows\System\rEufjoj.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\qZMlocE.exe
  C:\Windows\System\qZMlocE.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\LLdhMMt.exe
  C:\Windows\System\LLdhMMt.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\uiUXlQf.exe
  C:\Windows\System\uiUXlQf.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\vjxPyzG.exe
  C:\Windows\System\vjxPyzG.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\iwrgbsd.exe
  C:\Windows\System\iwrgbsd.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\TOIIVtv.exe
  C:\Windows\System\TOIIVtv.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System\AdJrGse.exe
  C:\Windows\System\AdJrGse.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\xiwzJsI.exe
  C:\Windows\System\xiwzJsI.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\uYSpHSg.exe
  C:\Windows\System\uYSpHSg.exe
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\System\wvAjoQk.exe
  C:\Windows\System\wvAjoQk.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\Ijjdofe.exe
  C:\Windows\System\Ijjdofe.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\NixWtbf.exe
  C:\Windows\System\NixWtbf.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System\QdvVsEY.exe
  C:\Windows\System\QdvVsEY.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\vxjudsp.exe
  C:\Windows\System\vxjudsp.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System\FLJGfvF.exe
  C:\Windows\System\FLJGfvF.exe
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\System\mrXKJyZ.exe
  C:\Windows\System\mrXKJyZ.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\ejgIweg.exe
  C:\Windows\System\ejgIweg.exe
  2⤵
  - Executes dropped EXE
  PID:4708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AdJrGse.exe

Filesize
5.2MB

MD5
44a422f1fb258b4d98bd55944e821042

SHA1
1a1d76a154fa8724224ee66bdb3c2055766a3c7b

SHA256
f2f8b3f933c3a31eb0509d8fe07ef082e9cf213ba0b210eb3f583a57ce13cbe4

SHA512
0197b6918294222159ac31bbbc507655b9b6dc7a7eb739fcd989a87d41d9d72fa0528a529a9eecab9283fdeffb538294a42e3e8d3b11d3eedf98ccb83db52cff

Download Submit
C:\Windows\System\FLJGfvF.exe

Filesize
5.2MB

MD5
f797943e1bf2a2c7812589974372cf43

SHA1
c800cef8e86868a84011f33e19cc835df739cbcb

SHA256
70e4975e28b89e172a4f5a05924e8bf588c4953de05ac7c91865b69ec4e32790

SHA512
c64f1d830b8e1ceba473c8395406a9667675fc6e6e2fa52cacd2f6c77c2faf7eebbbb50b3d852e6bc829456ce1bdbbb12b8491ce4199cd53ef44618a4503eda0

Download Submit
C:\Windows\System\Ijjdofe.exe

Filesize
5.2MB

MD5
074e0ef3ea3448fe622848cb36fa5f63

SHA1
db1fbfe35e7655ca8cabeb09199d78d9dd199c7d

SHA256
0d25c6561a7b92be957aeee6ad59e2f85cee24dc7af18c01ac819c01ba2fb354

SHA512
1aa8a22bd33762c26b331f83fd19af4d540b428aa70dd2605f48938c3db1967fa171afe7c6db7ffdb42eab2fdb6a5a2bfe641db628058f70eb73f36f2fc16124

Download Submit
C:\Windows\System\LLdhMMt.exe

Filesize
5.2MB

MD5
68e9d988bf81433f519df8ac161f1a9a

SHA1
7a5932353c6d017849e1e84bbad85ab502dc893e

SHA256
ed051e9c262ba75f49c678fa10c25e94e8e5a117664d161cad6eb11407e374ec

SHA512
0869540e151e22fc7948caba8336f2983bba715bff30066f7b82607b5ec2b67d8c7c02eccdeba879c768b69098d4d800ec03a41cdc654f5c3b61652edc2d8881

Download Submit
C:\Windows\System\NixWtbf.exe

Filesize
5.2MB

MD5
6c0f0dee63e0ebd37edb576e70ffb9b8

SHA1
cd73bccf09dd9766bf0bd807c7c1b5e08cdc0177

SHA256
4675cffe0bfac80acd58df5bda06c83412e2691b6bd15b73db2a586152dee9f2

SHA512
faae50099f41d45f811324aa0189a7fce57a0ebfe209bba99c8b37ac752dcddd7c77b514ee06e8806d93ee3716e2fa4b2f1839a237153135c825a11a3d1c27a9

Download Submit
C:\Windows\System\QdvVsEY.exe

Filesize
5.2MB

MD5
9c8abc5db49db7e4d3266c74f430545f

SHA1
7109b1494071fe01fab40db904cc19c82cd666d6

SHA256
7e850b9c1c1284e80e0f49419ec60fb30d3a8f24b590716965f4be0dc54065ca

SHA512
0bd470e7c44140977af3a1790d65e58bca492d7977d3219af0a03f9beb4fdec3831c77f29dd220a4f26cd0a220c68060dd69cb5f82f20484ac5f3da06568ba82

Download Submit
C:\Windows\System\RvlyIRC.exe

Filesize
5.2MB

MD5
283eac693ff35a5e914c4de74b71120f

SHA1
e95ff73ef288a5aa4a3733445dd6ffd6c4497c12

SHA256
1d4dd5246252841503e02b1a786a5d029ff8a43f613ea8e89540199b24bf09e8

SHA512
819fe673c60a15dd5be148cea8a310dcd2498d56512fd5c72afa7781186395729bdedaf26161bbe59829f73ef81d5ee38b94fac717bc853b55a23726351b0202

Download Submit
C:\Windows\System\TOIIVtv.exe

Filesize
5.2MB

MD5
6977257c26698f52297ea5cc9edfff5d

SHA1
fd143778be9854251edba93fbf8f3bbd4a511990

SHA256
0ba1ae1267123d64dca972f5c071d4cc253129b2086ab7c6ebfad98e299adc51

SHA512
f9bdd87158f89b796d14677c531a8bbc8a7e06b0622711a22ecb8e25788b23e5da793737a6557efd15551b1a79378fbec4deecba1ed132c9988074303eb01055

Download Submit
C:\Windows\System\YBMVTYS.exe

Filesize
5.2MB

MD5
5d834d26c9fd96f20f4c9a2f75cf7238

SHA1
f982fa825a07223b429eb36d56b6578db524bfdc

SHA256
b403ff563e5ebff9bdeacf1215d453e47dae9f585278d9185d43f65221329a58

SHA512
31c78d4984ec928711bf43f0429334e3a8cba132ceb9ea73fb31acd9c6a1db4fba46e895ebf880fa1457f2f9d091fcce16daa3ad991e68c5d9513f95d86fb75b

Download Submit
C:\Windows\System\ejgIweg.exe

Filesize
5.2MB

MD5
29b5fa2ec1cc52ff03c176e0559cbc5e

SHA1
65592028a263b95289a2afde9122adf6eeeb06b8

SHA256
fe564b10e2de775b9e840eec6263e6ce1366fb2fde1e7977066db915d625faed

SHA512
26c4077f2318e100d1986d22af55e9b326fba480143ca0db25b19a71e544ea236f4b6cb7f51af42ba0907aa283c012edb23009cd8af132fca9ab765eb6f97bce

Download Submit
C:\Windows\System\fPdVHPa.exe

Filesize
5.2MB

MD5
7119ea8305134cf641f42cc6b38b26ee

SHA1
76569f06f2820ad122b22acc57def7d98d5a736b

SHA256
7ea5ed1eac8522e59b0d9ce0bae9b4942215adffa33abb3585f912f35f72bd99

SHA512
25e72062d809bb6c388d12e3e0816e2fb2f3d45693b892781e16b32fe5707637d237bde87a7df9e7da5cf55e0a8c723629f3bb57466c9f5058800380187f2146

Download Submit
C:\Windows\System\iwrgbsd.exe

Filesize
5.2MB

MD5
4f05c3277ecd0978ff020eaa4003f984

SHA1
bbe2fc3a2f0d970cf138147af904069e4d9a2fc9

SHA256
08f844a3d8fd82b093d2dce84eaa7b750d78378f2bb74fc0c1225f442746c91d

SHA512
0b6a9700a75c744d04d0a3f3e65a77f2a0c41799d378de16fe7494125f39a10c7b1e93c777d453c2d3de11bee40bd4979d416e6112acd516242c65cd312e026b

Download Submit
C:\Windows\System\mrXKJyZ.exe

Filesize
5.2MB

MD5
ac256b8c9b2c30f9701f845844d7c545

SHA1
1e6da3339b1aa5d17bcfe7a8d891ba530f5db97f

SHA256
e8269d3dc8f573dc921972161fa071117af7401ec12eb5cf67665aff46dc145d

SHA512
f27fd874df3a7c5d788a8f424d417efdafdc4c639898e4c02c54f16444a83993b2de64e2d7f8b8cf14657395e69075c0757e34a88acff0f60fd6b219339a31da

Download Submit
C:\Windows\System\qZMlocE.exe

Filesize
5.2MB

MD5
c0b4f356ff0a4e2ff449bfac7db3bc4d

SHA1
292bfcf879c10f7b69dd79c7a3ce087569f4e6c4

SHA256
8a65bedf4f15a8ad982f96264caf3fe69fbd3bffbea10b2dabf9f88841df0261

SHA512
5754075df4b8915efad4bca64ce9cd25634491588c2ab6e37499a7441f0bd4d9f54108d244914de540056ad33169a45858833eb900cf60bfdb3395cd76867b30

Download Submit
C:\Windows\System\rEufjoj.exe

Filesize
5.2MB

MD5
37bf5223e57f0efc57c45dbf0685aef9

SHA1
d85a1f5dcda17f1e9ba1dd0166a4bbbbb5da53f7

SHA256
14b4bca279ebfd52c48888b316c53f06ebd10832a4413fd33814c443ae5cbdc8

SHA512
0d8440167d0d2f405eb7dba9633fd2ae3f27f2e69649c24fb5ddb0125d057505cde2d36a9821c157f6eb8bc387a3f85988d074018cc3253f5ef10a5372682f6b

Download Submit
C:\Windows\System\uYSpHSg.exe

Filesize
5.2MB

MD5
fa2ca72fb50db4f7b36a8b725a2ef61b

SHA1
3ddca7964670ff0c67163d677fe36b3e5ce8f21d

SHA256
9abaf905eafc41ae3aeacbd4ec3a39c530484a8a317c4bc7b06ecae5c58f8b8a

SHA512
02ae826bc344206d20390afee6e20cf591e9abf6852ad23204ee3721bd648d0c155bce3cb5125f8c887875beebdba71735ccb0957eeee439776572256a41ef96

Download Submit
C:\Windows\System\uiUXlQf.exe

Filesize
5.2MB

MD5
b13210e223868fd66f028ebcc7d45b31

SHA1
eb47f4c951c6ef1a20e7cfa893dad67f9b6bfc67

SHA256
493639311a36fd8b24adf7ad89254e0942488221448696283e342a8e13647880

SHA512
2e853b69f3868cc17be1f674840fe6522a4375142b6759e9c1cb7405e31a371d8e47a58c525e7376352a69a01ad55779cc0ceea80bccd7af3152e1fce5ec7ae1

Download Submit
C:\Windows\System\vjxPyzG.exe

Filesize
5.2MB

MD5
ad3b0a94dc9d4f11ab87a4ac31a3054d

SHA1
4543c8c6fe8df4105823c34b7d3ee3371bd62d6b

SHA256
ab161c0a73164d1993c5421a0df03d1ffcd3a6740997db98a11e90f7c0390da8

SHA512
67bf3fa63b8d7358656c147d503fbf10a4216fe8b1b91835d44692dad412666d159d6bbad9df8f8899139fb4f5f00f1a7fa0e0e50e3388ac0fd570730acdfb89

Download Submit
C:\Windows\System\vxjudsp.exe

Filesize
5.2MB

MD5
4f26672176a558a91266582b355736bb

SHA1
bfa11ad4ed4ae3c807a677c40032e01ab87a728f

SHA256
7fb79f48a4d844a1bef4a23ee10a5abade5b202dde4f90739c296368275962c0

SHA512
5726e9b5c129e15e11c154ffa555b30524d142a3f2ceed597d156d86d2154f416cc1c26714b9ff6c6877fc1ef3d1a7efd6a09c31fb34bef1d4ea71ba157458df

Download Submit
C:\Windows\System\wvAjoQk.exe

Filesize
5.2MB

MD5
a824070359da8e302854e50c68bc9a1f

SHA1
21358ff0a8bb69a668be31de5d3e4e4430d11d23

SHA256
76be129cdd9613ef139e16dd2c10bb2c657e6169502f54dc9a336d074ae22fc2

SHA512
c8aa97b9be17d1e781b52369983df655ead1a3e0e13332d87b0e6178984861c95023705f91a4e2713f43e835877882a6c8592080296894e49d8f9e10cacf1021

Download Submit
C:\Windows\System\xiwzJsI.exe

Filesize
5.2MB

MD5
c1ed53e6b55cee7bcbcb81eae72159a2

SHA1
5665708f9fd685f4a636b48dfba3f5edc5db11ef

SHA256
eca32454efc5ee4a2c4fdaf5f1479e94c1ab9b58991b8fe866a43f2aff52b757

SHA512
9c082412b82c8f4e7ab3e9e60c4e2c1ffe792d24466c10a2cdc5cd9c5c1cafd9f36fa92645e29bf54756dff833bcf8b16e53c48be1fb5f53a89161ab33ed9566

Download Submit
memory/404-13-0x00007FF7D22A0000-0x00007FF7D25F1000-memory.dmp

Filesize
3.3MB

Download
memory/404-222-0x00007FF7D22A0000-0x00007FF7D25F1000-memory.dmp

Filesize
3.3MB

Download
memory/404-68-0x00007FF7D22A0000-0x00007FF7D25F1000-memory.dmp

Filesize
3.3MB

Download
memory/780-270-0x00007FF738520000-0x00007FF738871000-memory.dmp

Filesize
3.3MB

Download
memory/780-124-0x00007FF738520000-0x00007FF738871000-memory.dmp

Filesize
3.3MB

Download
memory/780-168-0x00007FF738520000-0x00007FF738871000-memory.dmp

Filesize
3.3MB

Download
memory/940-224-0x00007FF64F6A0000-0x00007FF64F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/940-69-0x00007FF64F6A0000-0x00007FF64F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/940-21-0x00007FF64F6A0000-0x00007FF64F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/1128-105-0x00007FF6BB870000-0x00007FF6BBBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1128-268-0x00007FF6BB870000-0x00007FF6BBBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1128-166-0x00007FF6BB870000-0x00007FF6BBBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-64-0x00007FF751220000-0x00007FF751571000-memory.dmp

Filesize
3.3MB

Download
memory/1616-220-0x00007FF751220000-0x00007FF751571000-memory.dmp

Filesize
3.3MB

Download
memory/1616-7-0x00007FF751220000-0x00007FF751571000-memory.dmp

Filesize
3.3MB

Download
memory/1928-258-0x00007FF7032D0000-0x00007FF703621000-memory.dmp

Filesize
3.3MB

Download
memory/1928-156-0x00007FF7032D0000-0x00007FF703621000-memory.dmp

Filesize
3.3MB

Download
memory/1928-94-0x00007FF7032D0000-0x00007FF703621000-memory.dmp

Filesize
3.3MB

Download
memory/2460-164-0x00007FF7452F0000-0x00007FF745641000-memory.dmp

Filesize
3.3MB

Download
memory/2460-276-0x00007FF7452F0000-0x00007FF745641000-memory.dmp

Filesize
3.3MB

Download
memory/2460-130-0x00007FF7452F0000-0x00007FF745641000-memory.dmp

Filesize
3.3MB

Download
memory/2652-248-0x00007FF78A070000-0x00007FF78A3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2652-71-0x00007FF78A070000-0x00007FF78A3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2652-150-0x00007FF78A070000-0x00007FF78A3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2752-226-0x00007FF629750000-0x00007FF629AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2752-22-0x00007FF629750000-0x00007FF629AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2752-79-0x00007FF629750000-0x00007FF629AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2832-54-0x00007FF630E20000-0x00007FF631171000-memory.dmp

Filesize
3.3MB

Download
memory/2832-242-0x00007FF630E20000-0x00007FF631171000-memory.dmp

Filesize
3.3MB

Download
memory/2832-125-0x00007FF630E20000-0x00007FF631171000-memory.dmp

Filesize
3.3MB

Download
memory/2952-112-0x00007FF7A8E30000-0x00007FF7A9181000-memory.dmp

Filesize
3.3MB

Download
memory/2952-240-0x00007FF7A8E30000-0x00007FF7A9181000-memory.dmp

Filesize
3.3MB

Download
memory/2952-48-0x00007FF7A8E30000-0x00007FF7A9181000-memory.dmp

Filesize
3.3MB

Download
memory/3064-104-0x00007FF702A30000-0x00007FF702D81000-memory.dmp

Filesize
3.3MB

Download
memory/3064-264-0x00007FF702A30000-0x00007FF702D81000-memory.dmp

Filesize
3.3MB

Download
memory/3064-157-0x00007FF702A30000-0x00007FF702D81000-memory.dmp

Filesize
3.3MB

Download
memory/3496-92-0x00007FF740910000-0x00007FF740C61000-memory.dmp

Filesize
3.3MB

Download
memory/3496-39-0x00007FF740910000-0x00007FF740C61000-memory.dmp

Filesize
3.3MB

Download
memory/3496-236-0x00007FF740910000-0x00007FF740C61000-memory.dmp

Filesize
3.3MB

Download
memory/3560-244-0x00007FF631CF0000-0x00007FF632041000-memory.dmp

Filesize
3.3MB

Download
memory/3560-136-0x00007FF631CF0000-0x00007FF632041000-memory.dmp

Filesize
3.3MB

Download
memory/3560-61-0x00007FF631CF0000-0x00007FF632041000-memory.dmp

Filesize
3.3MB

Download
memory/3688-0-0x00007FF72FF00000-0x00007FF730251000-memory.dmp

Filesize
3.3MB

Download
memory/3688-60-0x00007FF72FF00000-0x00007FF730251000-memory.dmp

Filesize
3.3MB

Download
memory/3688-1-0x000001C7B1420000-0x000001C7B1430000-memory.dmp

Filesize
64KB

Download
memory/3688-139-0x00007FF72FF00000-0x00007FF730251000-memory.dmp

Filesize
3.3MB

Download
memory/3688-169-0x00007FF72FF00000-0x00007FF730251000-memory.dmp

Filesize
3.3MB

Download
memory/3816-155-0x00007FF6FE980000-0x00007FF6FECD1000-memory.dmp

Filesize
3.3MB

Download
memory/3816-256-0x00007FF6FE980000-0x00007FF6FECD1000-memory.dmp

Filesize
3.3MB

Download
memory/3816-84-0x00007FF6FE980000-0x00007FF6FECD1000-memory.dmp

Filesize
3.3MB

Download
memory/3832-76-0x00007FF740130000-0x00007FF740481000-memory.dmp

Filesize
3.3MB

Download
memory/3832-152-0x00007FF740130000-0x00007FF740481000-memory.dmp

Filesize
3.3MB

Download
memory/3832-250-0x00007FF740130000-0x00007FF740481000-memory.dmp

Filesize
3.3MB

Download
memory/4064-119-0x00007FF6EB130000-0x00007FF6EB481000-memory.dmp

Filesize
3.3MB

Download
memory/4064-266-0x00007FF6EB130000-0x00007FF6EB481000-memory.dmp

Filesize
3.3MB

Download
memory/4064-167-0x00007FF6EB130000-0x00007FF6EB481000-memory.dmp

Filesize
3.3MB

Download
memory/4408-234-0x00007FF644AB0000-0x00007FF644E01000-memory.dmp

Filesize
3.3MB

Download
memory/4408-83-0x00007FF644AB0000-0x00007FF644E01000-memory.dmp

Filesize
3.3MB

Download
memory/4408-32-0x00007FF644AB0000-0x00007FF644E01000-memory.dmp

Filesize
3.3MB

Download
memory/4432-162-0x00007FF695840000-0x00007FF695B91000-memory.dmp

Filesize
3.3MB

Download
memory/4432-129-0x00007FF695840000-0x00007FF695B91000-memory.dmp

Filesize
3.3MB

Download
memory/4432-272-0x00007FF695840000-0x00007FF695B91000-memory.dmp

Filesize
3.3MB

Download
memory/4600-238-0x00007FF622530000-0x00007FF622881000-memory.dmp

Filesize
3.3MB

Download
memory/4600-43-0x00007FF622530000-0x00007FF622881000-memory.dmp

Filesize
3.3MB

Download
memory/4600-100-0x00007FF622530000-0x00007FF622881000-memory.dmp

Filesize
3.3MB

Download
memory/4708-138-0x00007FF70C0D0000-0x00007FF70C421000-memory.dmp

Filesize
3.3MB

Download
memory/4708-165-0x00007FF70C0D0000-0x00007FF70C421000-memory.dmp

Filesize
3.3MB

Download
memory/4708-275-0x00007FF70C0D0000-0x00007FF70C421000-memory.dmp

Filesize
3.3MB

Download