cobaltstrike | 718c8366faa8561539cc06a4984793307e8184fb4393d4ace483f79ba504c165

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/09/2024, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

fa362e07e41eb20f8c15f7cfbfcbafa9
SHA1

4c22e4f9d3bdacc5e1f37294d51c59f2781399f9
SHA256

718c8366faa8561539cc06a4984793307e8184fb4393d4ace483f79ba504c165
SHA512

e915d7ce3671532349e6ff62f5a09e0c19658d20d2647562ca38d79a48b0f7c1fd621d5a56f62b891a68c77d5badc5f7982b1912b9527cc761c512af2fcaa347
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lj:RWWBibf56utgpPFotBER/mQ32lUn

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000900000002342d-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023490-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023494-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023495-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023499-43.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349d-68.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349f-81.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023491-98.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a0-93.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349e-80.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349c-74.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349b-64.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349a-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023498-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023497-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023496-33.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a1-103.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a5-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a7-123.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a6-129.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a4-119.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1776-72-0x00007FF6C27E0000-0x00007FF6C2B31000-memory.dmp	xmrig
behavioral2/memory/2576-90-0x00007FF7286F0000-0x00007FF728A41000-memory.dmp	xmrig
behavioral2/memory/3572-97-0x00007FF7C68F0000-0x00007FF7C6C41000-memory.dmp	xmrig
behavioral2/memory/4844-48-0x00007FF7F8CD0000-0x00007FF7F9021000-memory.dmp	xmrig
behavioral2/memory/616-37-0x00007FF74B330000-0x00007FF74B681000-memory.dmp	xmrig
behavioral2/memory/3428-13-0x00007FF643470000-0x00007FF6437C1000-memory.dmp	xmrig
behavioral2/memory/2508-110-0x00007FF6BB7E0000-0x00007FF6BBB31000-memory.dmp	xmrig
behavioral2/memory/1208-127-0x00007FF7AB610000-0x00007FF7AB961000-memory.dmp	xmrig
behavioral2/memory/4404-126-0x00007FF68F400000-0x00007FF68F751000-memory.dmp	xmrig
behavioral2/memory/3296-125-0x00007FF6C9CC0000-0x00007FF6CA011000-memory.dmp	xmrig
behavioral2/memory/2340-124-0x00007FF787DE0000-0x00007FF788131000-memory.dmp	xmrig
behavioral2/memory/1324-121-0x00007FF761520000-0x00007FF761871000-memory.dmp	xmrig
behavioral2/memory/3968-106-0x00007FF6D5FD0000-0x00007FF6D6321000-memory.dmp	xmrig
behavioral2/memory/908-108-0x00007FF64D4F0000-0x00007FF64D841000-memory.dmp	xmrig
behavioral2/memory/2576-134-0x00007FF7286F0000-0x00007FF728A41000-memory.dmp	xmrig
behavioral2/memory/3764-143-0x00007FF619C40000-0x00007FF619F91000-memory.dmp	xmrig
behavioral2/memory/836-144-0x00007FF775FF0000-0x00007FF776341000-memory.dmp	xmrig
behavioral2/memory/1536-151-0x00007FF76EA70000-0x00007FF76EDC1000-memory.dmp	xmrig
behavioral2/memory/3156-152-0x00007FF6869C0000-0x00007FF686D11000-memory.dmp	xmrig
behavioral2/memory/4712-150-0x00007FF74E210000-0x00007FF74E561000-memory.dmp	xmrig
behavioral2/memory/2932-149-0x00007FF73F870000-0x00007FF73FBC1000-memory.dmp	xmrig
behavioral2/memory/5072-147-0x00007FF7C46A0000-0x00007FF7C49F1000-memory.dmp	xmrig
behavioral2/memory/216-157-0x00007FF7E7470000-0x00007FF7E77C1000-memory.dmp	xmrig
behavioral2/memory/2576-158-0x00007FF7286F0000-0x00007FF728A41000-memory.dmp	xmrig
behavioral2/memory/3428-218-0x00007FF643470000-0x00007FF6437C1000-memory.dmp	xmrig
behavioral2/memory/3572-220-0x00007FF7C68F0000-0x00007FF7C6C41000-memory.dmp	xmrig
behavioral2/memory/3968-222-0x00007FF6D5FD0000-0x00007FF6D6321000-memory.dmp	xmrig
behavioral2/memory/908-224-0x00007FF64D4F0000-0x00007FF64D841000-memory.dmp	xmrig
behavioral2/memory/616-226-0x00007FF74B330000-0x00007FF74B681000-memory.dmp	xmrig
behavioral2/memory/4844-228-0x00007FF7F8CD0000-0x00007FF7F9021000-memory.dmp	xmrig
behavioral2/memory/1324-230-0x00007FF761520000-0x00007FF761871000-memory.dmp	xmrig
behavioral2/memory/1208-234-0x00007FF7AB610000-0x00007FF7AB961000-memory.dmp	xmrig
behavioral2/memory/1776-233-0x00007FF6C27E0000-0x00007FF6C2B31000-memory.dmp	xmrig
behavioral2/memory/2340-236-0x00007FF787DE0000-0x00007FF788131000-memory.dmp	xmrig
behavioral2/memory/2932-241-0x00007FF73F870000-0x00007FF73FBC1000-memory.dmp	xmrig
behavioral2/memory/5072-244-0x00007FF7C46A0000-0x00007FF7C49F1000-memory.dmp	xmrig
behavioral2/memory/4712-248-0x00007FF74E210000-0x00007FF74E561000-memory.dmp	xmrig
behavioral2/memory/1536-247-0x00007FF76EA70000-0x00007FF76EDC1000-memory.dmp	xmrig
behavioral2/memory/3764-242-0x00007FF619C40000-0x00007FF619F91000-memory.dmp	xmrig
behavioral2/memory/3156-250-0x00007FF6869C0000-0x00007FF686D11000-memory.dmp	xmrig
behavioral2/memory/2508-257-0x00007FF6BB7E0000-0x00007FF6BBB31000-memory.dmp	xmrig
behavioral2/memory/4404-259-0x00007FF68F400000-0x00007FF68F751000-memory.dmp	xmrig
behavioral2/memory/3296-261-0x00007FF6C9CC0000-0x00007FF6CA011000-memory.dmp	xmrig
behavioral2/memory/216-264-0x00007FF7E7470000-0x00007FF7E77C1000-memory.dmp	xmrig
behavioral2/memory/836-265-0x00007FF775FF0000-0x00007FF776341000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3428	AZgzlyE.exe
3572	urwhuxd.exe
3968	VzxSpjc.exe
908	XJOLEEZ.exe
616	FKMWxaC.exe
1324	FPTFoHd.exe
1208	ELcbYqu.exe
4844	eyhNagg.exe
1776	raSxTty.exe
2340	GCBVPsp.exe
5072	TTBtaoa.exe
3764	TmoSIZj.exe
2932	WVfeaUO.exe
4712	Tvgmvhz.exe
1536	VzJlNVX.exe
3156	ScMstrB.exe
2508	StSARXL.exe
3296	tQhjMsy.exe
4404	tLCJelF.exe
216	LphbUUX.exe
836	wktPvUM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2576-0-0x00007FF7286F0000-0x00007FF728A41000-memory.dmp	upx
behavioral2/files/0x000900000002342d-5.dat	upx
behavioral2/files/0x0008000000023490-10.dat	upx
behavioral2/memory/3572-17-0x00007FF7C68F0000-0x00007FF7C6C41000-memory.dmp	upx
behavioral2/files/0x0007000000023494-25.dat	upx
behavioral2/files/0x0007000000023495-30.dat	upx
behavioral2/memory/908-36-0x00007FF64D4F0000-0x00007FF64D841000-memory.dmp	upx
behavioral2/files/0x0007000000023499-43.dat	upx
behavioral2/memory/1208-54-0x00007FF7AB610000-0x00007FF7AB961000-memory.dmp	upx
behavioral2/files/0x000700000002349d-68.dat	upx
behavioral2/memory/1776-72-0x00007FF6C27E0000-0x00007FF6C2B31000-memory.dmp	upx
behavioral2/memory/2932-79-0x00007FF73F870000-0x00007FF73FBC1000-memory.dmp	upx
behavioral2/files/0x000700000002349f-81.dat	upx
behavioral2/memory/2576-90-0x00007FF7286F0000-0x00007FF728A41000-memory.dmp	upx
behavioral2/memory/3156-96-0x00007FF6869C0000-0x00007FF686D11000-memory.dmp	upx
behavioral2/files/0x0008000000023491-98.dat	upx
behavioral2/memory/3572-97-0x00007FF7C68F0000-0x00007FF7C6C41000-memory.dmp	upx
behavioral2/files/0x00070000000234a0-93.dat	upx
behavioral2/memory/1536-92-0x00007FF76EA70000-0x00007FF76EDC1000-memory.dmp	upx
behavioral2/memory/4712-89-0x00007FF74E210000-0x00007FF74E561000-memory.dmp	upx
behavioral2/files/0x000700000002349e-80.dat	upx
behavioral2/files/0x000700000002349c-74.dat	upx
behavioral2/memory/5072-73-0x00007FF7C46A0000-0x00007FF7C49F1000-memory.dmp	upx
behavioral2/memory/3764-70-0x00007FF619C40000-0x00007FF619F91000-memory.dmp	upx
behavioral2/memory/2340-69-0x00007FF787DE0000-0x00007FF788131000-memory.dmp	upx
behavioral2/files/0x000700000002349b-64.dat	upx
behavioral2/files/0x000700000002349a-60.dat	upx
behavioral2/files/0x0007000000023498-59.dat	upx
behavioral2/memory/4844-48-0x00007FF7F8CD0000-0x00007FF7F9021000-memory.dmp	upx
behavioral2/files/0x0007000000023497-42.dat	upx
behavioral2/memory/1324-39-0x00007FF761520000-0x00007FF761871000-memory.dmp	upx
behavioral2/memory/616-37-0x00007FF74B330000-0x00007FF74B681000-memory.dmp	upx
behavioral2/files/0x0007000000023496-33.dat	upx
behavioral2/memory/3968-20-0x00007FF6D5FD0000-0x00007FF6D6321000-memory.dmp	upx
behavioral2/memory/3428-13-0x00007FF643470000-0x00007FF6437C1000-memory.dmp	upx
behavioral2/files/0x00070000000234a1-103.dat	upx
behavioral2/memory/2508-110-0x00007FF6BB7E0000-0x00007FF6BBB31000-memory.dmp	upx
behavioral2/files/0x00070000000234a5-114.dat	upx
behavioral2/files/0x00070000000234a7-123.dat	upx
behavioral2/memory/1208-127-0x00007FF7AB610000-0x00007FF7AB961000-memory.dmp	upx
behavioral2/files/0x00070000000234a6-129.dat	upx
behavioral2/memory/4404-126-0x00007FF68F400000-0x00007FF68F751000-memory.dmp	upx
behavioral2/memory/3296-125-0x00007FF6C9CC0000-0x00007FF6CA011000-memory.dmp	upx
behavioral2/memory/2340-124-0x00007FF787DE0000-0x00007FF788131000-memory.dmp	upx
behavioral2/memory/1324-121-0x00007FF761520000-0x00007FF761871000-memory.dmp	upx
behavioral2/files/0x00070000000234a4-119.dat	upx
behavioral2/memory/3968-106-0x00007FF6D5FD0000-0x00007FF6D6321000-memory.dmp	upx
behavioral2/memory/908-108-0x00007FF64D4F0000-0x00007FF64D841000-memory.dmp	upx
behavioral2/memory/216-133-0x00007FF7E7470000-0x00007FF7E77C1000-memory.dmp	upx
behavioral2/memory/2576-134-0x00007FF7286F0000-0x00007FF728A41000-memory.dmp	upx
behavioral2/memory/3764-143-0x00007FF619C40000-0x00007FF619F91000-memory.dmp	upx
behavioral2/memory/836-144-0x00007FF775FF0000-0x00007FF776341000-memory.dmp	upx
behavioral2/memory/1536-151-0x00007FF76EA70000-0x00007FF76EDC1000-memory.dmp	upx
behavioral2/memory/3156-152-0x00007FF6869C0000-0x00007FF686D11000-memory.dmp	upx
behavioral2/memory/4712-150-0x00007FF74E210000-0x00007FF74E561000-memory.dmp	upx
behavioral2/memory/2932-149-0x00007FF73F870000-0x00007FF73FBC1000-memory.dmp	upx
behavioral2/memory/5072-147-0x00007FF7C46A0000-0x00007FF7C49F1000-memory.dmp	upx
behavioral2/memory/216-157-0x00007FF7E7470000-0x00007FF7E77C1000-memory.dmp	upx
behavioral2/memory/2576-158-0x00007FF7286F0000-0x00007FF728A41000-memory.dmp	upx
behavioral2/memory/3428-218-0x00007FF643470000-0x00007FF6437C1000-memory.dmp	upx
behavioral2/memory/3572-220-0x00007FF7C68F0000-0x00007FF7C6C41000-memory.dmp	upx
behavioral2/memory/3968-222-0x00007FF6D5FD0000-0x00007FF6D6321000-memory.dmp	upx
behavioral2/memory/908-224-0x00007FF64D4F0000-0x00007FF64D841000-memory.dmp	upx
behavioral2/memory/616-226-0x00007FF74B330000-0x00007FF74B681000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\WVfeaUO.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VzJlNVX.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tQhjMsy.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tLCJelF.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ScMstrB.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\StSARXL.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wktPvUM.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LphbUUX.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AZgzlyE.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FKMWxaC.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\raSxTty.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TmoSIZj.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XJOLEEZ.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eyhNagg.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GCBVPsp.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TTBtaoa.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Tvgmvhz.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\urwhuxd.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VzxSpjc.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FPTFoHd.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ELcbYqu.exe	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 3428	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2576 wrote to memory of 3428	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2576 wrote to memory of 3572	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2576 wrote to memory of 3572	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2576 wrote to memory of 3968	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2576 wrote to memory of 3968	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2576 wrote to memory of 908	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2576 wrote to memory of 908	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2576 wrote to memory of 616	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2576 wrote to memory of 616	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2576 wrote to memory of 1324	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2576 wrote to memory of 1324	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2576 wrote to memory of 1208	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2576 wrote to memory of 1208	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2576 wrote to memory of 4844	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2576 wrote to memory of 4844	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2576 wrote to memory of 1776	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2576 wrote to memory of 1776	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2576 wrote to memory of 2340	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2576 wrote to memory of 2340	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2576 wrote to memory of 5072	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2576 wrote to memory of 5072	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2576 wrote to memory of 3764	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2576 wrote to memory of 3764	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2576 wrote to memory of 2932	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2576 wrote to memory of 2932	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2576 wrote to memory of 4712	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2576 wrote to memory of 4712	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2576 wrote to memory of 1536	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2576 wrote to memory of 1536	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2576 wrote to memory of 3156	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2576 wrote to memory of 3156	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2576 wrote to memory of 2508	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2576 wrote to memory of 2508	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2576 wrote to memory of 3296	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2576 wrote to memory of 3296	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2576 wrote to memory of 4404	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2576 wrote to memory of 4404	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2576 wrote to memory of 836	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2576 wrote to memory of 836	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2576 wrote to memory of 216	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2576 wrote to memory of 216	2576	2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_fa362e07e41eb20f8c15f7cfbfcbafa9_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\System\AZgzlyE.exe
  C:\Windows\System\AZgzlyE.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\urwhuxd.exe
  C:\Windows\System\urwhuxd.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System\VzxSpjc.exe
  C:\Windows\System\VzxSpjc.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System\XJOLEEZ.exe
  C:\Windows\System\XJOLEEZ.exe
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\System\FKMWxaC.exe
  C:\Windows\System\FKMWxaC.exe
  2⤵
  - Executes dropped EXE
  PID:616
- C:\Windows\System\FPTFoHd.exe
  C:\Windows\System\FPTFoHd.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\ELcbYqu.exe
  C:\Windows\System\ELcbYqu.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System\eyhNagg.exe
  C:\Windows\System\eyhNagg.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\raSxTty.exe
  C:\Windows\System\raSxTty.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System\GCBVPsp.exe
  C:\Windows\System\GCBVPsp.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\TTBtaoa.exe
  C:\Windows\System\TTBtaoa.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\TmoSIZj.exe
  C:\Windows\System\TmoSIZj.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System\WVfeaUO.exe
  C:\Windows\System\WVfeaUO.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\Tvgmvhz.exe
  C:\Windows\System\Tvgmvhz.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System\VzJlNVX.exe
  C:\Windows\System\VzJlNVX.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\ScMstrB.exe
  C:\Windows\System\ScMstrB.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System\StSARXL.exe
  C:\Windows\System\StSARXL.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\tQhjMsy.exe
  C:\Windows\System\tQhjMsy.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System\tLCJelF.exe
  C:\Windows\System\tLCJelF.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\wktPvUM.exe
  C:\Windows\System\wktPvUM.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\LphbUUX.exe
  C:\Windows\System\LphbUUX.exe
  2⤵
  - Executes dropped EXE
  PID:216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AZgzlyE.exe

Filesize
5.2MB

MD5
28ee840e2f79a3531ade024d7e6a17d7

SHA1
05f1f8fd1091135a5f9c7b3f871221eecabf193f

SHA256
a0c31249e7c61acbbdd9622d91ecb345e89362f443676ebb7ae03d20ff683f04

SHA512
35deb7f395329abfcfb790fe8ba735f55a168278b4d8e13ca0e26b97b0759f46829ec02c1ecf3a72affc9cdec117bee7733d5d2b379c6b8da76db93353ba8f8b

Download Submit
C:\Windows\System\ELcbYqu.exe

Filesize
5.2MB

MD5
72f1e95ea9fd1b32b5d725658f7cd920

SHA1
9b79a504728a2a818dc7dcd833c26e20718bbd76

SHA256
8e691896f21bb6f202c5b8fcc6e40c38711d28fe12cef7c66a4576d824ea2bdb

SHA512
f5fd95ef558f25584fea711ad05e1c2d1c941f63c006ed0d463387178bd703998f489df42c2df1c2d7088ba1bc48935a8fb269555b1735bb82278d3b6bc21702

Download Submit
C:\Windows\System\FKMWxaC.exe

Filesize
5.2MB

MD5
e705dca8d6c11ee383c5d5edf051f706

SHA1
1b5bf86d77aae7bbc634a3f2e482289ab5ba9a77

SHA256
a44bb8a0358f54ad98c2edf14c3e578db95067ec7507794cd8b53b0c64d9161b

SHA512
1affc2cbeb9f1ec1cbf988e71ade2e0186bb774e9b0e6a78490cf5595594c235bcf902b772f8f620cdfa97bb1e44a796865635a3ee05326a4c2825b220eb9292

Download Submit
C:\Windows\System\FPTFoHd.exe

Filesize
5.2MB

MD5
54c7e283b3ec67174495ea2da0c41e8c

SHA1
b4dac9f530115098facb328d366084ff50bda06c

SHA256
5daa744ef3a0227e675a0e58f4956124070c7f05305aebbe3c871018fe7105ad

SHA512
69f785b3e7d2ede7e64cbe4a245b4b1c023f9b7747a1d8a8e959e8594a4039e4fbf75a2bab95be8afb9919486503a2ed1538cabb0d919f6b5f7dbb15a1fd0f93

Download Submit
C:\Windows\System\GCBVPsp.exe

Filesize
5.2MB

MD5
1efa7aef636b21aace10aca07e47d833

SHA1
bb974b0f69c31e697b522c298aaca05024db94d5

SHA256
d9252bdfecc4528cca993a20c1041f675858dbcdef45fe45190e4ce8cef79c4d

SHA512
680e927499cd1da6ef6c454224f7d2b8aa99760010f9f263c4b1f5435977b9a9ae04bab747fdc860424e90bda3ff2893060d8e6bb43b9fb5bd7547a4bee9de0c

Download Submit
C:\Windows\System\LphbUUX.exe

Filesize
5.2MB

MD5
407134c14844d973a28e86979c65378e

SHA1
264bcebdf4ed62e7ff285ac1c8ab5243d39f9ee7

SHA256
fe2051089ea269f60da13fc8fe53ab91c4455f6520187c9ff8ae23a9492faa7d

SHA512
b38e3071815f1e007d7334308526c863411cb0c20e52ebc4e5606e2e2f701f67706db97b7293cb2cc20dda4fcd82332e50cda06a7320683e55cd8b4f89a69d98

Download Submit
C:\Windows\System\ScMstrB.exe

Filesize
5.2MB

MD5
4cfdc596d145c0dc311dedc487e8b37d

SHA1
ecfd699ce2cc43577ea2cac133b6cb358c0e0365

SHA256
2191b35819ddfaba62f7975e33920c8e60768b56c9c72ddaeb2e9b4e3714155c

SHA512
dbe3d7b5169cbadd18de3149f90c1632205284e7b83a32463018d62e0cdd15e6b5bd3c8733ee208e2796aa5fc5da4e74d4490a4d26cb76a33d35e90ca4efcce6

Download Submit
C:\Windows\System\StSARXL.exe

Filesize
5.2MB

MD5
06177eccd9e134835e810eea93c64b6f

SHA1
f79189eaa9fd98ffad5208d82e1846803ea06bd2

SHA256
825e0fc0fc62255670a716d0775f05ac6a2a91a1d4b281a3b9fc1904370313d0

SHA512
621f816b8a69c47281265743911da16eed93686624554a3a6806defd8c2372f61f80cfd11dbbbe58c7f05799b38126db458472696d087ad7327deb71f1be6022

Download Submit
C:\Windows\System\TTBtaoa.exe

Filesize
5.2MB

MD5
d35ff67f43c54e559cfa7f4474a9a878

SHA1
c3ecae4f230e03a8263a53347f856b42ee6140d7

SHA256
c0d115a0fd808a90b9168bb6f082a98141bde59b8cab4739074d084a20758eaf

SHA512
d9d4f065611e39485245d5d41ebef313f02a92342dcf9e88cf098b9f771beb9a2e703e4bb576798f9876e989694c92ae20e464a15e7fa891197aca1ab3a374a9

Download Submit
C:\Windows\System\TmoSIZj.exe

Filesize
5.2MB

MD5
c363cfb14254dc42315c1ba4903a215a

SHA1
9764eac3a09e61ee1bab8183c48364e6eb08b104

SHA256
ecdf1d5d4be9adab1236662126df673c7de1c4c4745c302b7ea10664319303d1

SHA512
2994c526b1424344c2110792b406bad2da3547eaee1ddd675bafb328e130a9678995ea771a75a2ace3ea29c9086e147a8cc288901149016bf519a339a8d0d233

Download Submit
C:\Windows\System\Tvgmvhz.exe

Filesize
5.2MB

MD5
5bf61fec302b1a1d72068f26d4147795

SHA1
7a04ba7058b9b38eb8098b4909a84afb6acd33ea

SHA256
53074dc736ce1016e7efcd24955b3cfa4df2df67c14f999f39f8f014d3068928

SHA512
b5472609de56ca07c9e9bc12230a3177e9928956dd51e4d509791c9846e89d87043f9c6ee652b6479eb62fc95b3c97cd23be00d1a1ebaf446b4c6ca23f8b78e6

Download Submit
C:\Windows\System\VzJlNVX.exe

Filesize
5.2MB

MD5
934acf535e991ea5c07b38ea0611a85c

SHA1
c069756504f81da7b6cb4ef857a5d07c209d4463

SHA256
365533af1e208edd1968c11c5896405ef82e5b5221b61df958db18d2219c8b2a

SHA512
fe86eac3602ac72da80d273eb3241916237f1e0d3947ed9ba69d96b8d69cf248c669073b3eef1f24f10ca443752966acaebfda238fe7e2e1b0fe530eb8fc2e4e

Download Submit
C:\Windows\System\VzxSpjc.exe

Filesize
5.2MB

MD5
66658c2783d5d3ed0ba311281851c0f3

SHA1
35639804825673c80fee7beb6eb6ae0e0cb8c8ca

SHA256
f7babcaab0ef9ffa84c992c46657be9dfc210c9d77eba8c3ed5eb1401f0c08f1

SHA512
f2d3671710431240952f8d9373af767d52d024483e034e4bcd37569a0193f58a680cf31455c63f7f9706beb8471adcae6cca90d47e473ab2495abda71c919b88

Download Submit
C:\Windows\System\WVfeaUO.exe

Filesize
5.2MB

MD5
b41937d1aae9014e185be8e2ce7424c7

SHA1
db91c83e1edebd4c8195a8b14836a14b7af294db

SHA256
f587b3c9781c4c330f5f9fda7a840a26315af92904d1adbea177f28783695ae8

SHA512
eac0508083fbfd4d7ce66a5a6e9290e752c13b7280a4e586d674e678897846895aade4c8b7971e866a5a15a20323704f34434b0d1d1897ffb2119841844e8e97

Download Submit
C:\Windows\System\XJOLEEZ.exe

Filesize
5.2MB

MD5
2302f84929ae86cd854c4b473734c15e

SHA1
f39eb0b3dc1ab9a4a02a3841ce2bef2e2f055c13

SHA256
8921629d445510d3dfd067929ea918ef27dc9aaee6ac95eb1b54407b63a24093

SHA512
c34d80c1d1399db5588aa3e6e39efd18d1400dcfaaca2b8b8f5cbba776ea464369a394ca587b6ec8b23aa4d588960cc4a14ca6b0ba96342d8212e27650fdf88d

Download Submit
C:\Windows\System\eyhNagg.exe

Filesize
5.2MB

MD5
ed651e088b010a46df61c0b2c60d7d95

SHA1
2ed02be76f95b6e451e676e569369c573bdad0df

SHA256
348bfa2d92563526a756172e1cf3088708e5b84909681a0638afbbb889462060

SHA512
34850028b6030a0b0e0fbfdd63f7b7bde4b69a18f898f735fcd625dacce4c80e243d2dc9af4d8f2ce5096633065786870537763766844c0c81f6b22b5520dfef

Download Submit
C:\Windows\System\raSxTty.exe

Filesize
5.2MB

MD5
e6c26978c35a4cbf88950528044bba83

SHA1
8a44679b5ae628ceda8c463484934c1c25b1fe66

SHA256
b5150723c08ef178a05439a5b57d0c0549ad9e63c921f23febb19ac5bf948a17

SHA512
4f6b395801f7aa14ee05180b394d9f2f5ea6def54b0d0cc30489f9ee287a908631b81dcbbc1f4784344fe5f76dadfd1d586f9d7734d23ed8464e2e68ff0ee0ea

Download Submit
C:\Windows\System\tLCJelF.exe

Filesize
5.2MB

MD5
01b8e8910532fe4d28218c8bdfcb2fe4

SHA1
3d131cef537983159504f5990ba49701261a65fd

SHA256
6da62e7d295dab20e21de6cdbdde7a0127b61692b62094095103936a221016d4

SHA512
cc43aa99e26d72918863e2bb94a8875dab0d288c4d798c78d81df479597465db7864c586cd4d73106ff90924eecbaccb89b96d305a90cdd5cfc407c1bfe4a13c

Download Submit
C:\Windows\System\tQhjMsy.exe

Filesize
5.2MB

MD5
c599bcae33ac86cc3b59310b4841dc5e

SHA1
87a3fa1fe6eaef9176111984c1d1dc82bb5317ca

SHA256
cb31e5b82cb645ef5cdd573cee0ebc69cda5a375c46ec88ff745659a259cac09

SHA512
106cc4ea7fe9c6eedd525e6b75f69fd1728a28cac38b183fcc66476909040db8cc88c7eb937e4472f2677a5b103c2a8964bc060c029e3a2d4281ca5e9bb679da

Download Submit
C:\Windows\System\urwhuxd.exe

Filesize
5.2MB

MD5
86852c0e846be36a8422222873872099

SHA1
0af5f2dc96b1cf5d27993e24330ea0c83b852411

SHA256
730b73ad1834b69859d11d009071d26ae266edb48398ae038c593342563e9f1c

SHA512
f15a06f0ce621ffc80304067eeed3657ca399e655395a65dc36b7b6e732f1dd4922abd7344889c331aed2e534db94192979b270e9d9ce71caf463ee67654e901

Download Submit
C:\Windows\System\wktPvUM.exe

Filesize
5.2MB

MD5
a8a485cda400cc2da678cc11f9b9bc0d

SHA1
b3ff35a071f72b49ee9d2a17bf31605bb754cd37

SHA256
397690f5487667fe955eefada6528f3c8b659d2c47c230a5eb96b069c48f4d7d

SHA512
1c44836b20aed2fc649f17f643f218ad1c3de906ca80385e2ad7d02bd04022ee65f8e395f15bbc492c78ea212af631b372073a63945d0885d4048473998490d8

Download Submit
memory/216-264-0x00007FF7E7470000-0x00007FF7E77C1000-memory.dmp

Filesize
3.3MB

Download
memory/216-133-0x00007FF7E7470000-0x00007FF7E77C1000-memory.dmp

Filesize
3.3MB

Download
memory/216-157-0x00007FF7E7470000-0x00007FF7E77C1000-memory.dmp

Filesize
3.3MB

Download
memory/616-37-0x00007FF74B330000-0x00007FF74B681000-memory.dmp

Filesize
3.3MB

Download
memory/616-226-0x00007FF74B330000-0x00007FF74B681000-memory.dmp

Filesize
3.3MB

Download
memory/836-144-0x00007FF775FF0000-0x00007FF776341000-memory.dmp

Filesize
3.3MB

Download
memory/836-265-0x00007FF775FF0000-0x00007FF776341000-memory.dmp

Filesize
3.3MB

Download
memory/908-108-0x00007FF64D4F0000-0x00007FF64D841000-memory.dmp

Filesize
3.3MB

Download
memory/908-36-0x00007FF64D4F0000-0x00007FF64D841000-memory.dmp

Filesize
3.3MB

Download
memory/908-224-0x00007FF64D4F0000-0x00007FF64D841000-memory.dmp

Filesize
3.3MB

Download
memory/1208-234-0x00007FF7AB610000-0x00007FF7AB961000-memory.dmp

Filesize
3.3MB

Download
memory/1208-54-0x00007FF7AB610000-0x00007FF7AB961000-memory.dmp

Filesize
3.3MB

Download
memory/1208-127-0x00007FF7AB610000-0x00007FF7AB961000-memory.dmp

Filesize
3.3MB

Download
memory/1324-121-0x00007FF761520000-0x00007FF761871000-memory.dmp

Filesize
3.3MB

Download
memory/1324-230-0x00007FF761520000-0x00007FF761871000-memory.dmp

Filesize
3.3MB

Download
memory/1324-39-0x00007FF761520000-0x00007FF761871000-memory.dmp

Filesize
3.3MB

Download
memory/1536-92-0x00007FF76EA70000-0x00007FF76EDC1000-memory.dmp

Filesize
3.3MB

Download
memory/1536-247-0x00007FF76EA70000-0x00007FF76EDC1000-memory.dmp

Filesize
3.3MB

Download
memory/1536-151-0x00007FF76EA70000-0x00007FF76EDC1000-memory.dmp

Filesize
3.3MB

Download
memory/1776-72-0x00007FF6C27E0000-0x00007FF6C2B31000-memory.dmp

Filesize
3.3MB

Download
memory/1776-233-0x00007FF6C27E0000-0x00007FF6C2B31000-memory.dmp

Filesize
3.3MB

Download
memory/2340-124-0x00007FF787DE0000-0x00007FF788131000-memory.dmp

Filesize
3.3MB

Download
memory/2340-69-0x00007FF787DE0000-0x00007FF788131000-memory.dmp

Filesize
3.3MB

Download
memory/2340-236-0x00007FF787DE0000-0x00007FF788131000-memory.dmp

Filesize
3.3MB

Download
memory/2508-110-0x00007FF6BB7E0000-0x00007FF6BBB31000-memory.dmp

Filesize
3.3MB

Download
memory/2508-257-0x00007FF6BB7E0000-0x00007FF6BBB31000-memory.dmp

Filesize
3.3MB

Download
memory/2576-134-0x00007FF7286F0000-0x00007FF728A41000-memory.dmp

Filesize
3.3MB

Download
memory/2576-1-0x0000021414610000-0x0000021414620000-memory.dmp

Filesize
64KB

Download
memory/2576-90-0x00007FF7286F0000-0x00007FF728A41000-memory.dmp

Filesize
3.3MB

Download
memory/2576-158-0x00007FF7286F0000-0x00007FF728A41000-memory.dmp

Filesize
3.3MB

Download
memory/2576-0-0x00007FF7286F0000-0x00007FF728A41000-memory.dmp

Filesize
3.3MB

Download
memory/2932-79-0x00007FF73F870000-0x00007FF73FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-149-0x00007FF73F870000-0x00007FF73FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-241-0x00007FF73F870000-0x00007FF73FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3156-152-0x00007FF6869C0000-0x00007FF686D11000-memory.dmp

Filesize
3.3MB

Download
memory/3156-96-0x00007FF6869C0000-0x00007FF686D11000-memory.dmp

Filesize
3.3MB

Download
memory/3156-250-0x00007FF6869C0000-0x00007FF686D11000-memory.dmp

Filesize
3.3MB

Download
memory/3296-261-0x00007FF6C9CC0000-0x00007FF6CA011000-memory.dmp

Filesize
3.3MB

Download
memory/3296-125-0x00007FF6C9CC0000-0x00007FF6CA011000-memory.dmp

Filesize
3.3MB

Download
memory/3428-13-0x00007FF643470000-0x00007FF6437C1000-memory.dmp

Filesize
3.3MB

Download
memory/3428-218-0x00007FF643470000-0x00007FF6437C1000-memory.dmp

Filesize
3.3MB

Download
memory/3572-97-0x00007FF7C68F0000-0x00007FF7C6C41000-memory.dmp

Filesize
3.3MB

Download
memory/3572-220-0x00007FF7C68F0000-0x00007FF7C6C41000-memory.dmp

Filesize
3.3MB

Download
memory/3572-17-0x00007FF7C68F0000-0x00007FF7C6C41000-memory.dmp

Filesize
3.3MB

Download
memory/3764-143-0x00007FF619C40000-0x00007FF619F91000-memory.dmp

Filesize
3.3MB

Download
memory/3764-70-0x00007FF619C40000-0x00007FF619F91000-memory.dmp

Filesize
3.3MB

Download
memory/3764-242-0x00007FF619C40000-0x00007FF619F91000-memory.dmp

Filesize
3.3MB

Download
memory/3968-106-0x00007FF6D5FD0000-0x00007FF6D6321000-memory.dmp

Filesize
3.3MB

Download
memory/3968-20-0x00007FF6D5FD0000-0x00007FF6D6321000-memory.dmp

Filesize
3.3MB

Download
memory/3968-222-0x00007FF6D5FD0000-0x00007FF6D6321000-memory.dmp

Filesize
3.3MB

Download
memory/4404-259-0x00007FF68F400000-0x00007FF68F751000-memory.dmp

Filesize
3.3MB

Download
memory/4404-126-0x00007FF68F400000-0x00007FF68F751000-memory.dmp

Filesize
3.3MB

Download
memory/4712-150-0x00007FF74E210000-0x00007FF74E561000-memory.dmp

Filesize
3.3MB

Download
memory/4712-248-0x00007FF74E210000-0x00007FF74E561000-memory.dmp

Filesize
3.3MB

Download
memory/4712-89-0x00007FF74E210000-0x00007FF74E561000-memory.dmp

Filesize
3.3MB

Download
memory/4844-48-0x00007FF7F8CD0000-0x00007FF7F9021000-memory.dmp

Filesize
3.3MB

Download
memory/4844-228-0x00007FF7F8CD0000-0x00007FF7F9021000-memory.dmp

Filesize
3.3MB

Download
memory/5072-244-0x00007FF7C46A0000-0x00007FF7C49F1000-memory.dmp

Filesize
3.3MB

Download
memory/5072-73-0x00007FF7C46A0000-0x00007FF7C49F1000-memory.dmp

Filesize
3.3MB

Download
memory/5072-147-0x00007FF7C46A0000-0x00007FF7C49F1000-memory.dmp

Filesize
3.3MB

Download