cobaltstrike | 7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3e05a842ddfcf9113ab0d1b2fdecc7c8
SHA1

22b64c5520a1d286fe97e535291535aedea8ba98
SHA256

7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4
SHA512

4f3b4f1e66d3e42381d9662c35fcc45e8b08395434df9e10637bdaa749ec220d5ac8f94c4bb1b49987795b07566eb7a461f3f88e5bd4e1ca143388280107c204
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ly:RWWBibf56utgpPFotBER/mQ32lUO

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002346a-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-16.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346f-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023470-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023472-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023473-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023476-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023478-91.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347a-97.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347c-110.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347d-112.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347b-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023479-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023477-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023475-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023474-71.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023468-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023471-45.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346e-31.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346d-30.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-21.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1872-38-0x00007FF7E26A0000-0x00007FF7E29F1000-memory.dmp	xmrig
behavioral2/memory/3276-114-0x00007FF751410000-0x00007FF751761000-memory.dmp	xmrig
behavioral2/memory/3052-115-0x00007FF747500000-0x00007FF747851000-memory.dmp	xmrig
behavioral2/memory/1668-116-0x00007FF646AC0000-0x00007FF646E11000-memory.dmp	xmrig
behavioral2/memory/2168-117-0x00007FF7016A0000-0x00007FF7019F1000-memory.dmp	xmrig
behavioral2/memory/4532-118-0x00007FF611660000-0x00007FF6119B1000-memory.dmp	xmrig
behavioral2/memory/3212-119-0x00007FF606A80000-0x00007FF606DD1000-memory.dmp	xmrig
behavioral2/memory/4896-120-0x00007FF6A6570000-0x00007FF6A68C1000-memory.dmp	xmrig
behavioral2/memory/540-121-0x00007FF654F70000-0x00007FF6552C1000-memory.dmp	xmrig
behavioral2/memory/880-122-0x00007FF735220000-0x00007FF735571000-memory.dmp	xmrig
behavioral2/memory/2332-124-0x00007FF76C260000-0x00007FF76C5B1000-memory.dmp	xmrig
behavioral2/memory/4768-126-0x00007FF6BE630000-0x00007FF6BE981000-memory.dmp	xmrig
behavioral2/memory/3536-127-0x00007FF6918D0000-0x00007FF691C21000-memory.dmp	xmrig
behavioral2/memory/3204-125-0x00007FF7D1240000-0x00007FF7D1591000-memory.dmp	xmrig
behavioral2/memory/4972-123-0x00007FF7EE0D0000-0x00007FF7EE421000-memory.dmp	xmrig
behavioral2/memory/3860-128-0x00007FF7DDBF0000-0x00007FF7DDF41000-memory.dmp	xmrig
behavioral2/memory/2692-129-0x00007FF694010000-0x00007FF694361000-memory.dmp	xmrig
behavioral2/memory/3996-130-0x00007FF74FA10000-0x00007FF74FD61000-memory.dmp	xmrig
behavioral2/memory/3860-131-0x00007FF7DDBF0000-0x00007FF7DDF41000-memory.dmp	xmrig
behavioral2/memory/2564-135-0x00007FF6B32F0000-0x00007FF6B3641000-memory.dmp	xmrig
behavioral2/memory/3104-136-0x00007FF78F060000-0x00007FF78F3B1000-memory.dmp	xmrig
behavioral2/memory/1212-133-0x00007FF63C390000-0x00007FF63C6E1000-memory.dmp	xmrig
behavioral2/memory/1752-132-0x00007FF658390000-0x00007FF6586E1000-memory.dmp	xmrig
behavioral2/memory/3860-151-0x00007FF7DDBF0000-0x00007FF7DDF41000-memory.dmp	xmrig
behavioral2/memory/2692-207-0x00007FF694010000-0x00007FF694361000-memory.dmp	xmrig
behavioral2/memory/3996-209-0x00007FF74FA10000-0x00007FF74FD61000-memory.dmp	xmrig
behavioral2/memory/1752-212-0x00007FF658390000-0x00007FF6586E1000-memory.dmp	xmrig
behavioral2/memory/1872-213-0x00007FF7E26A0000-0x00007FF7E29F1000-memory.dmp	xmrig
behavioral2/memory/1212-215-0x00007FF63C390000-0x00007FF63C6E1000-memory.dmp	xmrig
behavioral2/memory/3276-218-0x00007FF751410000-0x00007FF751761000-memory.dmp	xmrig
behavioral2/memory/2564-223-0x00007FF6B32F0000-0x00007FF6B3641000-memory.dmp	xmrig
behavioral2/memory/3536-222-0x00007FF6918D0000-0x00007FF691C21000-memory.dmp	xmrig
behavioral2/memory/3052-236-0x00007FF747500000-0x00007FF747851000-memory.dmp	xmrig
behavioral2/memory/3104-219-0x00007FF78F060000-0x00007FF78F3B1000-memory.dmp	xmrig
behavioral2/memory/880-240-0x00007FF735220000-0x00007FF735571000-memory.dmp	xmrig
behavioral2/memory/4972-252-0x00007FF7EE0D0000-0x00007FF7EE421000-memory.dmp	xmrig
behavioral2/memory/2332-254-0x00007FF76C260000-0x00007FF76C5B1000-memory.dmp	xmrig
behavioral2/memory/4768-258-0x00007FF6BE630000-0x00007FF6BE981000-memory.dmp	xmrig
behavioral2/memory/3204-256-0x00007FF7D1240000-0x00007FF7D1591000-memory.dmp	xmrig
behavioral2/memory/540-250-0x00007FF654F70000-0x00007FF6552C1000-memory.dmp	xmrig
behavioral2/memory/1668-248-0x00007FF646AC0000-0x00007FF646E11000-memory.dmp	xmrig
behavioral2/memory/3212-244-0x00007FF606A80000-0x00007FF606DD1000-memory.dmp	xmrig
behavioral2/memory/2168-247-0x00007FF7016A0000-0x00007FF7019F1000-memory.dmp	xmrig
behavioral2/memory/4896-242-0x00007FF6A6570000-0x00007FF6A68C1000-memory.dmp	xmrig
behavioral2/memory/4532-238-0x00007FF611660000-0x00007FF6119B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2692	GlzWoPl.exe
3996	xYpjSSH.exe
1752	bqFAcrw.exe
1212	uBtDRPP.exe
2564	pMTuonJ.exe
1872	pdWzzyr.exe
3104	KXBrwRn.exe
3276	cjPeJsP.exe
3536	dEjPTdE.exe
3052	OYzzdqV.exe
1668	qEEItpD.exe
2168	CLdtdUs.exe
4532	iLhRzdE.exe
3212	SkhPtLw.exe
4896	TEayqcT.exe
540	TUZVtbC.exe
880	eYkhPoV.exe
4972	TqqFeLU.exe
2332	SpZKumw.exe
3204	DtEJIyo.exe
4768	apsAJlS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3860-0-0x00007FF7DDBF0000-0x00007FF7DDF41000-memory.dmp	upx
behavioral2/files/0x000800000002346a-5.dat	upx
behavioral2/memory/2692-8-0x00007FF694010000-0x00007FF694361000-memory.dmp	upx
behavioral2/files/0x000700000002346c-16.dat	upx
behavioral2/files/0x000700000002346f-28.dat	upx
behavioral2/memory/2564-39-0x00007FF6B32F0000-0x00007FF6B3641000-memory.dmp	upx
behavioral2/files/0x0007000000023470-48.dat	upx
behavioral2/files/0x0007000000023472-53.dat	upx
behavioral2/files/0x0007000000023473-62.dat	upx
behavioral2/files/0x0007000000023476-81.dat	upx
behavioral2/files/0x0007000000023478-91.dat	upx
behavioral2/files/0x000700000002347a-97.dat	upx
behavioral2/files/0x000700000002347c-110.dat	upx
behavioral2/files/0x000700000002347d-112.dat	upx
behavioral2/files/0x000700000002347b-107.dat	upx
behavioral2/files/0x0007000000023479-95.dat	upx
behavioral2/files/0x0007000000023477-85.dat	upx
behavioral2/files/0x0007000000023475-73.dat	upx
behavioral2/files/0x0007000000023474-71.dat	upx
behavioral2/files/0x0008000000023468-60.dat	upx
behavioral2/files/0x0007000000023471-45.dat	upx
behavioral2/memory/3104-42-0x00007FF78F060000-0x00007FF78F3B1000-memory.dmp	upx
behavioral2/memory/1872-38-0x00007FF7E26A0000-0x00007FF7E29F1000-memory.dmp	upx
behavioral2/memory/1212-33-0x00007FF63C390000-0x00007FF63C6E1000-memory.dmp	upx
behavioral2/files/0x000700000002346e-31.dat	upx
behavioral2/files/0x000700000002346d-30.dat	upx
behavioral2/memory/1752-26-0x00007FF658390000-0x00007FF6586E1000-memory.dmp	upx
behavioral2/files/0x000700000002346b-21.dat	upx
behavioral2/memory/3996-17-0x00007FF74FA10000-0x00007FF74FD61000-memory.dmp	upx
behavioral2/memory/3276-114-0x00007FF751410000-0x00007FF751761000-memory.dmp	upx
behavioral2/memory/3052-115-0x00007FF747500000-0x00007FF747851000-memory.dmp	upx
behavioral2/memory/1668-116-0x00007FF646AC0000-0x00007FF646E11000-memory.dmp	upx
behavioral2/memory/2168-117-0x00007FF7016A0000-0x00007FF7019F1000-memory.dmp	upx
behavioral2/memory/4532-118-0x00007FF611660000-0x00007FF6119B1000-memory.dmp	upx
behavioral2/memory/3212-119-0x00007FF606A80000-0x00007FF606DD1000-memory.dmp	upx
behavioral2/memory/4896-120-0x00007FF6A6570000-0x00007FF6A68C1000-memory.dmp	upx
behavioral2/memory/540-121-0x00007FF654F70000-0x00007FF6552C1000-memory.dmp	upx
behavioral2/memory/880-122-0x00007FF735220000-0x00007FF735571000-memory.dmp	upx
behavioral2/memory/2332-124-0x00007FF76C260000-0x00007FF76C5B1000-memory.dmp	upx
behavioral2/memory/4768-126-0x00007FF6BE630000-0x00007FF6BE981000-memory.dmp	upx
behavioral2/memory/3536-127-0x00007FF6918D0000-0x00007FF691C21000-memory.dmp	upx
behavioral2/memory/3204-125-0x00007FF7D1240000-0x00007FF7D1591000-memory.dmp	upx
behavioral2/memory/4972-123-0x00007FF7EE0D0000-0x00007FF7EE421000-memory.dmp	upx
behavioral2/memory/3860-128-0x00007FF7DDBF0000-0x00007FF7DDF41000-memory.dmp	upx
behavioral2/memory/2692-129-0x00007FF694010000-0x00007FF694361000-memory.dmp	upx
behavioral2/memory/3996-130-0x00007FF74FA10000-0x00007FF74FD61000-memory.dmp	upx
behavioral2/memory/3860-131-0x00007FF7DDBF0000-0x00007FF7DDF41000-memory.dmp	upx
behavioral2/memory/2564-135-0x00007FF6B32F0000-0x00007FF6B3641000-memory.dmp	upx
behavioral2/memory/3104-136-0x00007FF78F060000-0x00007FF78F3B1000-memory.dmp	upx
behavioral2/memory/1212-133-0x00007FF63C390000-0x00007FF63C6E1000-memory.dmp	upx
behavioral2/memory/1752-132-0x00007FF658390000-0x00007FF6586E1000-memory.dmp	upx
behavioral2/memory/3860-151-0x00007FF7DDBF0000-0x00007FF7DDF41000-memory.dmp	upx
behavioral2/memory/2692-207-0x00007FF694010000-0x00007FF694361000-memory.dmp	upx
behavioral2/memory/3996-209-0x00007FF74FA10000-0x00007FF74FD61000-memory.dmp	upx
behavioral2/memory/1752-212-0x00007FF658390000-0x00007FF6586E1000-memory.dmp	upx
behavioral2/memory/1872-213-0x00007FF7E26A0000-0x00007FF7E29F1000-memory.dmp	upx
behavioral2/memory/1212-215-0x00007FF63C390000-0x00007FF63C6E1000-memory.dmp	upx
behavioral2/memory/3276-218-0x00007FF751410000-0x00007FF751761000-memory.dmp	upx
behavioral2/memory/2564-223-0x00007FF6B32F0000-0x00007FF6B3641000-memory.dmp	upx
behavioral2/memory/3536-222-0x00007FF6918D0000-0x00007FF691C21000-memory.dmp	upx
behavioral2/memory/3052-236-0x00007FF747500000-0x00007FF747851000-memory.dmp	upx
behavioral2/memory/3104-219-0x00007FF78F060000-0x00007FF78F3B1000-memory.dmp	upx
behavioral2/memory/880-240-0x00007FF735220000-0x00007FF735571000-memory.dmp	upx
behavioral2/memory/4972-252-0x00007FF7EE0D0000-0x00007FF7EE421000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\TEayqcT.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SpZKumw.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DtEJIyo.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\apsAJlS.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GlzWoPl.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pdWzzyr.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pMTuonJ.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iLhRzdE.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SkhPtLw.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KXBrwRn.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cjPeJsP.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qEEItpD.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eYkhPoV.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xYpjSSH.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OYzzdqV.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TUZVtbC.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CLdtdUs.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TqqFeLU.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bqFAcrw.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uBtDRPP.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dEjPTdE.exe	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 2692	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3860 wrote to memory of 2692	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3860 wrote to memory of 3996	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3860 wrote to memory of 3996	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3860 wrote to memory of 1752	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3860 wrote to memory of 1752	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3860 wrote to memory of 1212	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3860 wrote to memory of 1212	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3860 wrote to memory of 1872	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3860 wrote to memory of 1872	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3860 wrote to memory of 2564	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3860 wrote to memory of 2564	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3860 wrote to memory of 3104	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3860 wrote to memory of 3104	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3860 wrote to memory of 3276	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3860 wrote to memory of 3276	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3860 wrote to memory of 3536	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3860 wrote to memory of 3536	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3860 wrote to memory of 3052	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3860 wrote to memory of 3052	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3860 wrote to memory of 1668	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3860 wrote to memory of 1668	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3860 wrote to memory of 2168	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3860 wrote to memory of 2168	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3860 wrote to memory of 4532	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3860 wrote to memory of 4532	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3860 wrote to memory of 3212	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3860 wrote to memory of 3212	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3860 wrote to memory of 4896	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3860 wrote to memory of 4896	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3860 wrote to memory of 540	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3860 wrote to memory of 540	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3860 wrote to memory of 880	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3860 wrote to memory of 880	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3860 wrote to memory of 4972	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3860 wrote to memory of 4972	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3860 wrote to memory of 2332	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3860 wrote to memory of 2332	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3860 wrote to memory of 3204	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3860 wrote to memory of 3204	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3860 wrote to memory of 4768	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3860 wrote to memory of 4768	3860	2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-17_3e05a842ddfcf9113ab0d1b2fdecc7c8_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Windows\System\GlzWoPl.exe
  C:\Windows\System\GlzWoPl.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\xYpjSSH.exe
  C:\Windows\System\xYpjSSH.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\bqFAcrw.exe
  C:\Windows\System\bqFAcrw.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\uBtDRPP.exe
  C:\Windows\System\uBtDRPP.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System\pdWzzyr.exe
  C:\Windows\System\pdWzzyr.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\pMTuonJ.exe
  C:\Windows\System\pMTuonJ.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\KXBrwRn.exe
  C:\Windows\System\KXBrwRn.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\cjPeJsP.exe
  C:\Windows\System\cjPeJsP.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System\dEjPTdE.exe
  C:\Windows\System\dEjPTdE.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\OYzzdqV.exe
  C:\Windows\System\OYzzdqV.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\qEEItpD.exe
  C:\Windows\System\qEEItpD.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\CLdtdUs.exe
  C:\Windows\System\CLdtdUs.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\iLhRzdE.exe
  C:\Windows\System\iLhRzdE.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\SkhPtLw.exe
  C:\Windows\System\SkhPtLw.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System\TEayqcT.exe
  C:\Windows\System\TEayqcT.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\TUZVtbC.exe
  C:\Windows\System\TUZVtbC.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System\eYkhPoV.exe
  C:\Windows\System\eYkhPoV.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System\TqqFeLU.exe
  C:\Windows\System\TqqFeLU.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\SpZKumw.exe
  C:\Windows\System\SpZKumw.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\DtEJIyo.exe
  C:\Windows\System\DtEJIyo.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\apsAJlS.exe
  C:\Windows\System\apsAJlS.exe
  2⤵
  - Executes dropped EXE
  PID:4768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CLdtdUs.exe

Filesize
5.2MB

MD5
092dcbbaf0ec148324a213ab7caf74cc

SHA1
c53b6ca030a57d056300b13fdb82e8f2f944807e

SHA256
2e3d23cdd752138b0098b0c1ea6e8ad0dfec5df8fb84b625a4d38ecf3c540bd0

SHA512
3087d905123dda39c8c5fa1d92747f48556fe3715976b51a9ca3c8323a674853e3589228c4c4d6c79b1564c47b938c11e2e086d62b7185cd0c3d60b0f02a284e

Download Submit
C:\Windows\System\DtEJIyo.exe

Filesize
5.2MB

MD5
86bcd23c6ce7c59519460094220675ba

SHA1
c1cf62c5d97ec4eff993ebacc01d4f68c84782fe

SHA256
1ed94c087661de6fc2905164c638da40fba0dcb69fefc1631f583820acdf4463

SHA512
c2700d05c99a5c1e129497cea961e6e491b07b69d4f1b955747db73b95bb535da85dc054d6921a0af273eebd9facf1806e9fac796dc21be63d61f49260b2c95f

Download Submit
C:\Windows\System\GlzWoPl.exe

Filesize
5.2MB

MD5
34e477d98870c13df3bf3bef1ee508a9

SHA1
64117d3042bf83af7b29b3565cffd7ed606f7ee1

SHA256
11d8573272a2078f13bcc15e0e10ccee37986a098ab33a6632f2effdac62142c

SHA512
45d3bca3231ec7f66a8834357a88971a33e5c51c9fe45dc4d24c3cfcdf8549ec79251dfd20c097715209af8dbbd8957e53632c6fe25489103be313df1a94765f

Download Submit
C:\Windows\System\KXBrwRn.exe

Filesize
5.2MB

MD5
57d6692f8fa724f16e11f5a3073f0cf7

SHA1
beb755bf9a9e0046a27a7a54f559944b09869c07

SHA256
0584a1222245d8a217d1062e839f8e20037e66eb419d5606db298cdd6b502ab4

SHA512
c9832616d608daa15e7140b94b7811573e10fb593c8a87da191c41b5b2a590d94f86888484977186d89c5cab58f36296d04d3f2c1a5b48ffb5c1985c390cfe73

Download Submit
C:\Windows\System\OYzzdqV.exe

Filesize
5.2MB

MD5
ba3b3315e916cb91c84c9a6f78402de4

SHA1
042f562dc095db4e64a20d368ba1d2ed47cfc04c

SHA256
6dd3ae6fee353c4845b2a144ceaff8b9154e12ff019ec29fe566e6a1fbbe95f1

SHA512
4eed8f338ce4f7ff8d836c6755e7235fcf6320ae451352834be0bf0f44a68a8c424f3c2314cc4d2d3cb9e2fcb8deab938621a03c1ed8ef1b7b3098c57c495335

Download Submit
C:\Windows\System\SkhPtLw.exe

Filesize
5.2MB

MD5
7f366123adc9b205e4b2eeec70cf9742

SHA1
c09970443bb7a2779c37d9fd7d60e08ed1ad14a2

SHA256
abc5ea521d994947bd797469eb302ef5bf7474d93560857c5d8294181369d446

SHA512
6d4bfcdae1b7a2a0a5ba4b7bc5d7dbfd64e06dcb868f7fa5d92757905eca1b1732a5fcecb5d9aece985d9b7ee351cecbe58bf363d2ec5b62a4f76b18757e2b3a

Download Submit
C:\Windows\System\SpZKumw.exe

Filesize
5.2MB

MD5
fa2a5784ff0e709c210fec9b08ae010b

SHA1
13000578ffbade6269c2ce588ca831af4be968ba

SHA256
c99ce9e1b0a6172a86d0317e2746c19c063f42c55fda87cdb95c48032ced2ed2

SHA512
a39c73a46167593779c7e09613b320dc6d2ec6ce078f15880a90f5d87688e3c931cb2a2f668145e409fa7f8be3d938b14e3998679ce74fe4ec27621203e48de5

Download Submit
C:\Windows\System\TEayqcT.exe

Filesize
5.2MB

MD5
b7683dd529c0921fe2b3214b2056d7c1

SHA1
b23160b785eea96223a5c2af159955a1f5b8c7e2

SHA256
9dd9a3a3cf85a13450b7a8b21ed39c71c9b5d6365ee83e6a2db811554e270bcb

SHA512
11ffbeb724358825ede0488e4397522f0f2d5238330b4d90e75a84aa319ad8d1d102f15155cb782786e8a29ff962c3a5012da38f567fb606d51620c62eaa3a5c

Download Submit
C:\Windows\System\TUZVtbC.exe

Filesize
5.2MB

MD5
363268f6e0c119c54385ae7639ada121

SHA1
2c43262bb02aff7c82f349952c5f2fca6cc9c93b

SHA256
bac6d6a88409f5a5979c8000016d5ee324d5270eb4c6469544fdf74120e59da0

SHA512
d1f6404c75ef514d2739c6d492a663425ea9217f4a06c20164e5893bb38c9d21a4070e1a9c07c402bfecfefa17ba0ada8bc9e65570bf065de93ed9b7f1c1b7cf

Download Submit
C:\Windows\System\TqqFeLU.exe

Filesize
5.2MB

MD5
013c6edd3ccaadd044d4d89db48b8ed8

SHA1
8a303b06316b54eb9e040be38e8a1eb98f27796d

SHA256
ccb022b7643186fc868ca0a249663fb45b9b286fc82c09339e8e70f881932a27

SHA512
6afa406e00f9ab42d43f19a39771b8f9c6015c94a808dee402d971467aa322966270b8f01d6a8cc7c613d0b9e66a8f070bbcc0b8c03fa90e1613658c1b7133c4

Download Submit
C:\Windows\System\apsAJlS.exe

Filesize
5.2MB

MD5
c87a6d910fd870a4554b146cf6e3a0a0

SHA1
810ef40b34babc3445d0137659070e85d42af4b4

SHA256
9e6c73832c13bce0c5c235adf27fd6f6f60e0d4397442ec62efffff0ec6a74fc

SHA512
b1141a985adcc1df2ec8974adec8ef3ebdda47e6ee4b1ac1858cd8c189048ef2bf1809e139a61cfe06109f97e90f8ba1a7ca5b1e8038e2c179be0d336333ada4

Download Submit
C:\Windows\System\bqFAcrw.exe

Filesize
5.2MB

MD5
06a07b534d09f0ce8bf9899bd17f851d

SHA1
65b86e1f29464546f50c6d470347d024fc58da31

SHA256
899f837abea3be6d9dfb5ed79cae725130543a31ef7c4b06991c197afa2672c7

SHA512
556cf67ff8459f6d21dc3c92eae966895a8529803c6596735f7e423d51b2646ff59c97bdca5e7fe4d423df25a8b1ee2ee6f1d7d13748c3212192295cfd00636e

Download Submit
C:\Windows\System\cjPeJsP.exe

Filesize
5.2MB

MD5
eee92d14179d032fc8f94eba501e968b

SHA1
9edb2afdeacf1ae8f8de129d99d14a41a0e86076

SHA256
d3e3237161f81f007788b34297a9002a3d7eeec6ba9d1ee03ccb98eb4ea870e0

SHA512
4bb434e4e2414dcf3b9c5579d619579b81ddb7823ee93fb77284020e57533e46c1f93c67073562a5d13c39e138bab7d1a62a04b5584c67c4da6762e4abebcf40

Download Submit
C:\Windows\System\dEjPTdE.exe

Filesize
5.2MB

MD5
b5ec5159a5808834c8d0e1ff223a5f10

SHA1
2bbc158456622b753969ee7384f2095e4132328f

SHA256
38e1b8567f5649503d7fdc5b605b83af04b208e4b43028e0f437abaadd6b762a

SHA512
ef14d50486346703e7c36d8714ac1035d284b80a5120f40207043a621e263ff6a2f1eb557ea1b33bcc8639317ac5ee698e5e75fce41ff4d6373579eb3954de86

Download Submit
C:\Windows\System\eYkhPoV.exe

Filesize
5.2MB

MD5
151ce95d2a362494887f9727e6ea8901

SHA1
701e7008e81a5bfaac84f7de53991e7e078e1259

SHA256
deef737c5bbaca29204015fd92cd78eb2762c7656fec169642ff076d92401cd8

SHA512
73522789c61aa57516b139c0e67b117e1988f912619342416fd4a34d3a41481827942ec0128b8f6bba45a70ebff16bef9c20195b69f53339fbc0c5154fafa079

Download Submit
C:\Windows\System\iLhRzdE.exe

Filesize
5.2MB

MD5
f7462bd60de78b518b2f408aa62cee3d

SHA1
4f0a415f786434b5dc4d01f42b475ebb9a4a3f7a

SHA256
093e318e2a43dfe1b8428cb272f1cb50ce49e7b8640d527453a657b0eafb97fa

SHA512
1ebda9574e3044469a4a13feb3df1da2eca606e14eb163acf6f045e93b729aba13860036b409d97fab00c77b2b8ff2985a93ff9f55782f195b73ffddf029d7b3

Download Submit
C:\Windows\System\pMTuonJ.exe

Filesize
5.2MB

MD5
ff2ce68f9ebb54a142a6258e699b8a74

SHA1
5f1d299a4ca72f153eee11d0c8e9c9b0c7ea6eec

SHA256
6072d4ee8c25d5bfd4dd226861525452ca24146546e35a15d85c49fc00d2c491

SHA512
c695f05d84ca0f0c56790f4d6dfa2ee172a5c027155bd64f8d0849f21b456b03e4ce9fc47b1b6ec66932afb8226ffc1f48980faf8a9001c96dbce80aeb6ef7f6

Download Submit
C:\Windows\System\pdWzzyr.exe

Filesize
5.2MB

MD5
e414e34773eca2f132e7c8723894461e

SHA1
d438a32702bee0b85b4f72894223b0aa724b6f3e

SHA256
697e3e81715e682849255769fa8d7eb4100088c29771db608d67d54fed5a807d

SHA512
eceee7273679ad9ca9e55fd09efc3b9796fdcbf7e955175e3188a5cef8364a564fcb997da2f7ec953b9f677bf239782b1207eeb1e0156f196ad85adb314dd44b

Download Submit
C:\Windows\System\qEEItpD.exe

Filesize
5.2MB

MD5
4d92dcf6da59dabf9be390f3999c8425

SHA1
fee4b86a33cb93bdd644303839197f3d7b1ef551

SHA256
4853ceefacd9f08624ee18468882f5c2df210d892680ca16639f1b8525b47668

SHA512
2864dd5de183eb65d9f4fa93a2b85af531ed3437a2b2d4d00c31ebc8bfcda444b4309655c07f337662df14ada2a178ce04927f3ff545a1cc19e4fcc17a16daff

Download Submit
C:\Windows\System\uBtDRPP.exe

Filesize
5.2MB

MD5
22a963067d3e01f2e44e28a15ab0952c

SHA1
fecd490e1e22ba08b80b0c2a1b09ed6a0b885727

SHA256
4b56288d0c92fc15e6c9198f75de0230fd5a88a8435041dec370f5f624a28bdb

SHA512
6e9be3b033bce41b75b8bdbae620a98d91ea9cee7103e6745fc848ba3aeb75f5e267f7dd04146abc836201c9d6b106192d5875a7b4335606c0f771bafddc3df1

Download Submit
C:\Windows\System\xYpjSSH.exe

Filesize
5.2MB

MD5
d56198ef68637abe0366f9551286a3b9

SHA1
6fc641de55244326da835465e84c9da6a1d43edb

SHA256
7a04859c1805be6ac586fd0136dc56105f5abbbda5d67efde960ccd5ca745735

SHA512
377c30276d8b15f80bb41bcb41805fff649dcea18384d67f1ce2ebe3a61b7ac4da8145a9a9feba65d85bba6cedbcb5e9f24392982dee0db35ac12c0b7ff40a78

Download Submit
memory/540-121-0x00007FF654F70000-0x00007FF6552C1000-memory.dmp

Filesize
3.3MB

Download
memory/540-250-0x00007FF654F70000-0x00007FF6552C1000-memory.dmp

Filesize
3.3MB

Download
memory/880-122-0x00007FF735220000-0x00007FF735571000-memory.dmp

Filesize
3.3MB

Download
memory/880-240-0x00007FF735220000-0x00007FF735571000-memory.dmp

Filesize
3.3MB

Download
memory/1212-33-0x00007FF63C390000-0x00007FF63C6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1212-133-0x00007FF63C390000-0x00007FF63C6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1212-215-0x00007FF63C390000-0x00007FF63C6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-248-0x00007FF646AC0000-0x00007FF646E11000-memory.dmp

Filesize
3.3MB

Download
memory/1668-116-0x00007FF646AC0000-0x00007FF646E11000-memory.dmp

Filesize
3.3MB

Download
memory/1752-26-0x00007FF658390000-0x00007FF6586E1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-132-0x00007FF658390000-0x00007FF6586E1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-212-0x00007FF658390000-0x00007FF6586E1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-213-0x00007FF7E26A0000-0x00007FF7E29F1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-38-0x00007FF7E26A0000-0x00007FF7E29F1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-247-0x00007FF7016A0000-0x00007FF7019F1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-117-0x00007FF7016A0000-0x00007FF7019F1000-memory.dmp

Filesize
3.3MB

Download
memory/2332-124-0x00007FF76C260000-0x00007FF76C5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2332-254-0x00007FF76C260000-0x00007FF76C5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2564-223-0x00007FF6B32F0000-0x00007FF6B3641000-memory.dmp

Filesize
3.3MB

Download
memory/2564-135-0x00007FF6B32F0000-0x00007FF6B3641000-memory.dmp

Filesize
3.3MB

Download
memory/2564-39-0x00007FF6B32F0000-0x00007FF6B3641000-memory.dmp

Filesize
3.3MB

Download
memory/2692-207-0x00007FF694010000-0x00007FF694361000-memory.dmp

Filesize
3.3MB

Download
memory/2692-129-0x00007FF694010000-0x00007FF694361000-memory.dmp

Filesize
3.3MB

Download
memory/2692-8-0x00007FF694010000-0x00007FF694361000-memory.dmp

Filesize
3.3MB

Download
memory/3052-236-0x00007FF747500000-0x00007FF747851000-memory.dmp

Filesize
3.3MB

Download
memory/3052-115-0x00007FF747500000-0x00007FF747851000-memory.dmp

Filesize
3.3MB

Download
memory/3104-42-0x00007FF78F060000-0x00007FF78F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3104-219-0x00007FF78F060000-0x00007FF78F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3104-136-0x00007FF78F060000-0x00007FF78F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3204-125-0x00007FF7D1240000-0x00007FF7D1591000-memory.dmp

Filesize
3.3MB

Download
memory/3204-256-0x00007FF7D1240000-0x00007FF7D1591000-memory.dmp

Filesize
3.3MB

Download
memory/3212-244-0x00007FF606A80000-0x00007FF606DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3212-119-0x00007FF606A80000-0x00007FF606DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-218-0x00007FF751410000-0x00007FF751761000-memory.dmp

Filesize
3.3MB

Download
memory/3276-114-0x00007FF751410000-0x00007FF751761000-memory.dmp

Filesize
3.3MB

Download
memory/3536-127-0x00007FF6918D0000-0x00007FF691C21000-memory.dmp

Filesize
3.3MB

Download
memory/3536-222-0x00007FF6918D0000-0x00007FF691C21000-memory.dmp

Filesize
3.3MB

Download
memory/3860-0-0x00007FF7DDBF0000-0x00007FF7DDF41000-memory.dmp

Filesize
3.3MB

Download
memory/3860-151-0x00007FF7DDBF0000-0x00007FF7DDF41000-memory.dmp

Filesize
3.3MB

Download
memory/3860-1-0x0000022CCD6D0000-0x0000022CCD6E0000-memory.dmp

Filesize
64KB

Download
memory/3860-131-0x00007FF7DDBF0000-0x00007FF7DDF41000-memory.dmp

Filesize
3.3MB

Download
memory/3860-128-0x00007FF7DDBF0000-0x00007FF7DDF41000-memory.dmp

Filesize
3.3MB

Download
memory/3996-209-0x00007FF74FA10000-0x00007FF74FD61000-memory.dmp

Filesize
3.3MB

Download
memory/3996-130-0x00007FF74FA10000-0x00007FF74FD61000-memory.dmp

Filesize
3.3MB

Download
memory/3996-17-0x00007FF74FA10000-0x00007FF74FD61000-memory.dmp

Filesize
3.3MB

Download
memory/4532-118-0x00007FF611660000-0x00007FF6119B1000-memory.dmp

Filesize
3.3MB

Download
memory/4532-238-0x00007FF611660000-0x00007FF6119B1000-memory.dmp

Filesize
3.3MB

Download
memory/4768-258-0x00007FF6BE630000-0x00007FF6BE981000-memory.dmp

Filesize
3.3MB

Download
memory/4768-126-0x00007FF6BE630000-0x00007FF6BE981000-memory.dmp

Filesize
3.3MB

Download
memory/4896-120-0x00007FF6A6570000-0x00007FF6A68C1000-memory.dmp

Filesize
3.3MB

Download
memory/4896-242-0x00007FF6A6570000-0x00007FF6A68C1000-memory.dmp

Filesize
3.3MB

Download
memory/4972-252-0x00007FF7EE0D0000-0x00007FF7EE421000-memory.dmp

Filesize
3.3MB

Download
memory/4972-123-0x00007FF7EE0D0000-0x00007FF7EE421000-memory.dmp

Filesize
3.3MB

Download