cobaltstrike | 6f5a7baa9ce004c46c255dc79879536374fc1a016238262e15f60692ec810b63

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

c1b45b8d211f568f50469a8fac074fba
SHA1

75de6c7461f87bb8320be0f4e1a962e63f5f2b78
SHA256

6f5a7baa9ce004c46c255dc79879536374fc1a016238262e15f60692ec810b63
SHA512

1e4ab3935b4106aa1acf5b73782df85fae2ec6a82085d1c21fc6f8622972f2a75682d630ae064b04a50b47462244a75ee2cc86a21990b8d237ca7c53c49dbc4b
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lv:RWWBibf56utgpPFotBER/mQ32lUz

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234a8-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ad-9.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ae-17.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b7-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b5-86.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b9-101.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b8-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234be-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bb-114.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234a9-112.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bc-106.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b6-89.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ba-84.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b4-79.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b3-69.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b1-56.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b2-53.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b0-39.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234af-34.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ac-18.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/5092-50-0x00007FF738650000-0x00007FF7389A1000-memory.dmp	xmrig
behavioral2/memory/1040-126-0x00007FF7748A0000-0x00007FF774BF1000-memory.dmp	xmrig
behavioral2/memory/2308-125-0x00007FF75ACD0000-0x00007FF75B021000-memory.dmp	xmrig
behavioral2/memory/5032-124-0x00007FF6E5450000-0x00007FF6E57A1000-memory.dmp	xmrig
behavioral2/memory/4596-121-0x00007FF621CB0000-0x00007FF622001000-memory.dmp	xmrig
behavioral2/memory/432-118-0x00007FF76A7B0000-0x00007FF76AB01000-memory.dmp	xmrig
behavioral2/memory/3688-117-0x00007FF79D4E0000-0x00007FF79D831000-memory.dmp	xmrig
behavioral2/memory/5064-105-0x00007FF6B86D0000-0x00007FF6B8A21000-memory.dmp	xmrig
behavioral2/memory/2296-80-0x00007FF641030000-0x00007FF641381000-memory.dmp	xmrig
behavioral2/memory/1108-128-0x00007FF746920000-0x00007FF746C71000-memory.dmp	xmrig
behavioral2/memory/1872-129-0x00007FF72C7B0000-0x00007FF72CB01000-memory.dmp	xmrig
behavioral2/memory/3644-131-0x00007FF6E7780000-0x00007FF6E7AD1000-memory.dmp	xmrig
behavioral2/memory/1468-137-0x00007FF6415E0000-0x00007FF641931000-memory.dmp	xmrig
behavioral2/memory/1700-139-0x00007FF647580000-0x00007FF6478D1000-memory.dmp	xmrig
behavioral2/memory/1228-142-0x00007FF75BA30000-0x00007FF75BD81000-memory.dmp	xmrig
behavioral2/memory/388-147-0x00007FF742480000-0x00007FF7427D1000-memory.dmp	xmrig
behavioral2/memory/3264-148-0x00007FF7C2FE0000-0x00007FF7C3331000-memory.dmp	xmrig
behavioral2/memory/2904-145-0x00007FF68A7C0000-0x00007FF68AB11000-memory.dmp	xmrig
behavioral2/memory/2316-135-0x00007FF6189A0000-0x00007FF618CF1000-memory.dmp	xmrig
behavioral2/memory/4352-133-0x00007FF788510000-0x00007FF788861000-memory.dmp	xmrig
behavioral2/memory/2704-132-0x00007FF7CD2E0000-0x00007FF7CD631000-memory.dmp	xmrig
behavioral2/memory/3320-130-0x00007FF617F20000-0x00007FF618271000-memory.dmp	xmrig
behavioral2/memory/1108-150-0x00007FF746920000-0x00007FF746C71000-memory.dmp	xmrig
behavioral2/memory/1108-151-0x00007FF746920000-0x00007FF746C71000-memory.dmp	xmrig
behavioral2/memory/1872-208-0x00007FF72C7B0000-0x00007FF72CB01000-memory.dmp	xmrig
behavioral2/memory/3320-210-0x00007FF617F20000-0x00007FF618271000-memory.dmp	xmrig
behavioral2/memory/2704-213-0x00007FF7CD2E0000-0x00007FF7CD631000-memory.dmp	xmrig
behavioral2/memory/3644-214-0x00007FF6E7780000-0x00007FF6E7AD1000-memory.dmp	xmrig
behavioral2/memory/4352-216-0x00007FF788510000-0x00007FF788861000-memory.dmp	xmrig
behavioral2/memory/5092-218-0x00007FF738650000-0x00007FF7389A1000-memory.dmp	xmrig
behavioral2/memory/3688-230-0x00007FF79D4E0000-0x00007FF79D831000-memory.dmp	xmrig
behavioral2/memory/2316-232-0x00007FF6189A0000-0x00007FF618CF1000-memory.dmp	xmrig
behavioral2/memory/1468-234-0x00007FF6415E0000-0x00007FF641931000-memory.dmp	xmrig
behavioral2/memory/2296-244-0x00007FF641030000-0x00007FF641381000-memory.dmp	xmrig
behavioral2/memory/5064-246-0x00007FF6B86D0000-0x00007FF6B8A21000-memory.dmp	xmrig
behavioral2/memory/432-243-0x00007FF76A7B0000-0x00007FF76AB01000-memory.dmp	xmrig
behavioral2/memory/1700-241-0x00007FF647580000-0x00007FF6478D1000-memory.dmp	xmrig
behavioral2/memory/4596-237-0x00007FF621CB0000-0x00007FF622001000-memory.dmp	xmrig
behavioral2/memory/5032-239-0x00007FF6E5450000-0x00007FF6E57A1000-memory.dmp	xmrig
behavioral2/memory/388-253-0x00007FF742480000-0x00007FF7427D1000-memory.dmp	xmrig
behavioral2/memory/1228-254-0x00007FF75BA30000-0x00007FF75BD81000-memory.dmp	xmrig
behavioral2/memory/2308-250-0x00007FF75ACD0000-0x00007FF75B021000-memory.dmp	xmrig
behavioral2/memory/2904-249-0x00007FF68A7C0000-0x00007FF68AB11000-memory.dmp	xmrig
behavioral2/memory/1040-256-0x00007FF7748A0000-0x00007FF774BF1000-memory.dmp	xmrig
behavioral2/memory/3264-259-0x00007FF7C2FE0000-0x00007FF7C3331000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1872	tfiyqsr.exe
3320	DCfmHsV.exe
3644	CHARrtF.exe
2704	vwoxslL.exe
4352	HcwVtLD.exe
5092	gRsRQvv.exe
2316	ZoUeYmr.exe
3688	ZRGFjUI.exe
1468	XhXsjpC.exe
432	TAbTJIU.exe
1700	YgdKbTc.exe
4596	pRcgrqf.exe
2296	hYviVsc.exe
5032	dbCMEhR.exe
2904	rWBpguR.exe
1228	nKVEbWU.exe
5064	ebUjwvD.exe
2308	YehLfGP.exe
388	BVxJyLy.exe
3264	YlbpKXd.exe
1040	jNZXAOd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1108-0-0x00007FF746920000-0x00007FF746C71000-memory.dmp	upx
behavioral2/files/0x00080000000234a8-4.dat	upx
behavioral2/files/0x00070000000234ad-9.dat	upx
behavioral2/files/0x00070000000234ae-17.dat	upx
behavioral2/memory/2316-43-0x00007FF6189A0000-0x00007FF618CF1000-memory.dmp	upx
behavioral2/memory/5092-50-0x00007FF738650000-0x00007FF7389A1000-memory.dmp	upx
behavioral2/files/0x00070000000234b7-73.dat	upx
behavioral2/files/0x00070000000234b5-86.dat	upx
behavioral2/files/0x00070000000234b9-101.dat	upx
behavioral2/files/0x00070000000234b8-107.dat	upx
behavioral2/files/0x00070000000234be-116.dat	upx
behavioral2/memory/1040-126-0x00007FF7748A0000-0x00007FF774BF1000-memory.dmp	upx
behavioral2/memory/2308-125-0x00007FF75ACD0000-0x00007FF75B021000-memory.dmp	upx
behavioral2/memory/5032-124-0x00007FF6E5450000-0x00007FF6E57A1000-memory.dmp	upx
behavioral2/memory/4596-121-0x00007FF621CB0000-0x00007FF622001000-memory.dmp	upx
behavioral2/memory/432-118-0x00007FF76A7B0000-0x00007FF76AB01000-memory.dmp	upx
behavioral2/memory/3688-117-0x00007FF79D4E0000-0x00007FF79D831000-memory.dmp	upx
behavioral2/files/0x00070000000234bd-115.dat	upx
behavioral2/files/0x00070000000234bb-114.dat	upx
behavioral2/files/0x00080000000234a9-112.dat	upx
behavioral2/memory/3264-111-0x00007FF7C2FE0000-0x00007FF7C3331000-memory.dmp	upx
behavioral2/memory/388-110-0x00007FF742480000-0x00007FF7427D1000-memory.dmp	upx
behavioral2/memory/5064-105-0x00007FF6B86D0000-0x00007FF6B8A21000-memory.dmp	upx
behavioral2/memory/1228-104-0x00007FF75BA30000-0x00007FF75BD81000-memory.dmp	upx
behavioral2/files/0x00070000000234bc-106.dat	upx
behavioral2/memory/2904-96-0x00007FF68A7C0000-0x00007FF68AB11000-memory.dmp	upx
behavioral2/files/0x00070000000234b6-89.dat	upx
behavioral2/files/0x00070000000234ba-84.dat	upx
behavioral2/memory/2296-80-0x00007FF641030000-0x00007FF641381000-memory.dmp	upx
behavioral2/files/0x00070000000234b4-79.dat	upx
behavioral2/memory/1700-77-0x00007FF647580000-0x00007FF6478D1000-memory.dmp	upx
behavioral2/files/0x00070000000234b3-69.dat	upx
behavioral2/memory/1468-59-0x00007FF6415E0000-0x00007FF641931000-memory.dmp	upx
behavioral2/files/0x00070000000234b1-56.dat	upx
behavioral2/files/0x00070000000234b2-53.dat	upx
behavioral2/memory/4352-42-0x00007FF788510000-0x00007FF788861000-memory.dmp	upx
behavioral2/files/0x00070000000234b0-39.dat	upx
behavioral2/files/0x00070000000234af-34.dat	upx
behavioral2/memory/2704-30-0x00007FF7CD2E0000-0x00007FF7CD631000-memory.dmp	upx
behavioral2/memory/3644-26-0x00007FF6E7780000-0x00007FF6E7AD1000-memory.dmp	upx
behavioral2/memory/3320-19-0x00007FF617F20000-0x00007FF618271000-memory.dmp	upx
behavioral2/files/0x00070000000234ac-18.dat	upx
behavioral2/memory/1872-7-0x00007FF72C7B0000-0x00007FF72CB01000-memory.dmp	upx
behavioral2/memory/1108-128-0x00007FF746920000-0x00007FF746C71000-memory.dmp	upx
behavioral2/memory/1872-129-0x00007FF72C7B0000-0x00007FF72CB01000-memory.dmp	upx
behavioral2/memory/3644-131-0x00007FF6E7780000-0x00007FF6E7AD1000-memory.dmp	upx
behavioral2/memory/1468-137-0x00007FF6415E0000-0x00007FF641931000-memory.dmp	upx
behavioral2/memory/1700-139-0x00007FF647580000-0x00007FF6478D1000-memory.dmp	upx
behavioral2/memory/1228-142-0x00007FF75BA30000-0x00007FF75BD81000-memory.dmp	upx
behavioral2/memory/388-147-0x00007FF742480000-0x00007FF7427D1000-memory.dmp	upx
behavioral2/memory/3264-148-0x00007FF7C2FE0000-0x00007FF7C3331000-memory.dmp	upx
behavioral2/memory/2904-145-0x00007FF68A7C0000-0x00007FF68AB11000-memory.dmp	upx
behavioral2/memory/2316-135-0x00007FF6189A0000-0x00007FF618CF1000-memory.dmp	upx
behavioral2/memory/4352-133-0x00007FF788510000-0x00007FF788861000-memory.dmp	upx
behavioral2/memory/2704-132-0x00007FF7CD2E0000-0x00007FF7CD631000-memory.dmp	upx
behavioral2/memory/3320-130-0x00007FF617F20000-0x00007FF618271000-memory.dmp	upx
behavioral2/memory/1108-150-0x00007FF746920000-0x00007FF746C71000-memory.dmp	upx
behavioral2/memory/1108-151-0x00007FF746920000-0x00007FF746C71000-memory.dmp	upx
behavioral2/memory/1872-208-0x00007FF72C7B0000-0x00007FF72CB01000-memory.dmp	upx
behavioral2/memory/3320-210-0x00007FF617F20000-0x00007FF618271000-memory.dmp	upx
behavioral2/memory/2704-213-0x00007FF7CD2E0000-0x00007FF7CD631000-memory.dmp	upx
behavioral2/memory/3644-214-0x00007FF6E7780000-0x00007FF6E7AD1000-memory.dmp	upx
behavioral2/memory/4352-216-0x00007FF788510000-0x00007FF788861000-memory.dmp	upx
behavioral2/memory/5092-218-0x00007FF738650000-0x00007FF7389A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ebUjwvD.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dbCMEhR.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YehLfGP.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CHARrtF.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HcwVtLD.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gRsRQvv.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pRcgrqf.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hYviVsc.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jNZXAOd.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZoUeYmr.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rWBpguR.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YlbpKXd.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DCfmHsV.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZRGFjUI.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XhXsjpC.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TAbTJIU.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nKVEbWU.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tfiyqsr.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vwoxslL.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YgdKbTc.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BVxJyLy.exe	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1872	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1108 wrote to memory of 1872	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1108 wrote to memory of 3320	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1108 wrote to memory of 3320	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1108 wrote to memory of 3644	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1108 wrote to memory of 3644	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1108 wrote to memory of 2704	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1108 wrote to memory of 2704	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1108 wrote to memory of 4352	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1108 wrote to memory of 4352	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1108 wrote to memory of 5092	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1108 wrote to memory of 5092	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1108 wrote to memory of 2316	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1108 wrote to memory of 2316	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1108 wrote to memory of 3688	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1108 wrote to memory of 3688	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1108 wrote to memory of 1468	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1108 wrote to memory of 1468	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1108 wrote to memory of 432	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1108 wrote to memory of 432	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1108 wrote to memory of 1700	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1108 wrote to memory of 1700	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1108 wrote to memory of 4596	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1108 wrote to memory of 4596	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1108 wrote to memory of 2296	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1108 wrote to memory of 2296	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1108 wrote to memory of 1228	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1108 wrote to memory of 1228	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1108 wrote to memory of 5064	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1108 wrote to memory of 5064	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1108 wrote to memory of 5032	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1108 wrote to memory of 5032	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1108 wrote to memory of 2904	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1108 wrote to memory of 2904	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1108 wrote to memory of 2308	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1108 wrote to memory of 2308	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1108 wrote to memory of 388	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1108 wrote to memory of 388	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1108 wrote to memory of 3264	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1108 wrote to memory of 3264	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1108 wrote to memory of 1040	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1108 wrote to memory of 1040	1108	2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_c1b45b8d211f568f50469a8fac074fba_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\System\tfiyqsr.exe
  C:\Windows\System\tfiyqsr.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\DCfmHsV.exe
  C:\Windows\System\DCfmHsV.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System\CHARrtF.exe
  C:\Windows\System\CHARrtF.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\vwoxslL.exe
  C:\Windows\System\vwoxslL.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\HcwVtLD.exe
  C:\Windows\System\HcwVtLD.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\gRsRQvv.exe
  C:\Windows\System\gRsRQvv.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\ZoUeYmr.exe
  C:\Windows\System\ZoUeYmr.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\ZRGFjUI.exe
  C:\Windows\System\ZRGFjUI.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\XhXsjpC.exe
  C:\Windows\System\XhXsjpC.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System\TAbTJIU.exe
  C:\Windows\System\TAbTJIU.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\YgdKbTc.exe
  C:\Windows\System\YgdKbTc.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\pRcgrqf.exe
  C:\Windows\System\pRcgrqf.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\hYviVsc.exe
  C:\Windows\System\hYviVsc.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\nKVEbWU.exe
  C:\Windows\System\nKVEbWU.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\ebUjwvD.exe
  C:\Windows\System\ebUjwvD.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\dbCMEhR.exe
  C:\Windows\System\dbCMEhR.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\rWBpguR.exe
  C:\Windows\System\rWBpguR.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\YehLfGP.exe
  C:\Windows\System\YehLfGP.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\BVxJyLy.exe
  C:\Windows\System\BVxJyLy.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System\YlbpKXd.exe
  C:\Windows\System\YlbpKXd.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\jNZXAOd.exe
  C:\Windows\System\jNZXAOd.exe
  2⤵
  - Executes dropped EXE
  PID:1040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BVxJyLy.exe

Filesize
5.2MB

MD5
40073ed4bd0f130985a00bfbc9aeaf0f

SHA1
0cceb58eab6bfb00cdd97c66474f79153362050e

SHA256
248a10efdd6cb9058588b7d06d9a1dbf3ebc303331638f80cecbf51d1f01755e

SHA512
d2134e493f4fbbdd6949ce447ec24bfd1e9403bb4370d869ce1ef8ee3d951c10a3b24df375600ce4278cb6dc9189b044c1ff093d9bdbfcb5233f5d01c3bfeb0c

Download Submit
C:\Windows\System\CHARrtF.exe

Filesize
5.2MB

MD5
0094a5cd5aa37582c4008f94653a29df

SHA1
fecd06a4c8e6df6cd958251bbaae99fcf316f169

SHA256
f2da9805fc668a262930b4e756f09049226bd94dedbdb56ad2ac429ca8a69704

SHA512
12b70863dc5c7d409313440410236212319fde49409240872c7cc7be327e314f09b1ec844400ef701d5ba4b11f51160bd3a871d110e7aa8b8844a2e8710ef4b8

Download Submit
C:\Windows\System\DCfmHsV.exe

Filesize
5.2MB

MD5
0503f2bf2b8134fbd880cca3a8e9c5f5

SHA1
84a9568194f485ffb02ed73c09d8ede426225ec4

SHA256
b1230660ad063c440b82acc72421488fd2b5ee60192c751ae0df55df56a9282f

SHA512
aa03fe34c10bca71b4209398a7159db79c9038d6fbab0a8ac6f7765b0d616007b45ecb97bfe8358ba6e014cbfedab5cabc0bbbaa6bf6191d743572c98740d1f1

Download Submit
C:\Windows\System\HcwVtLD.exe

Filesize
5.2MB

MD5
0d71800a0feec9394917cf51e1fe9175

SHA1
bfb28836786aa04d8a8c05ba0cfe002021f89793

SHA256
578514397d3df48d8c03e1babc39faa9d510d0b83358825e0a34ff6b328fd8b2

SHA512
1afbb450036363608b04221d3ddecf6ed32086eb1f1c9940e21658b369b5f49d810ebc532fbe180284a15a794139448636ecc372c34293de94d1110cb8849a0f

Download Submit
C:\Windows\System\TAbTJIU.exe

Filesize
5.2MB

MD5
e602ca6365b179b6b46bc51875be656a

SHA1
344ce1d4bc3376b86d9f2fdf6efb19b2392d2222

SHA256
395944679e34e574942ac57348a565fab91c5efcfb89f71fc13d6a61a5130460

SHA512
41d81db454c0f636508480e65e6cfa4dd3adbc1a5133b57e5e6e3f788b9e229b6ad74180c9df170d0adccd6797bd7789c3adcc369abbcde1a10f986bdd5cad15

Download Submit
C:\Windows\System\XhXsjpC.exe

Filesize
5.2MB

MD5
11fa53579bc8cd72803f04cc3b8053c2

SHA1
dfb2b0ada2ae8b0e5c574b9b0b7befe13d6d299b

SHA256
328a2e4cb2a0d066fa4dc347ea9d28e063b3625c98e28d24653566d1c95d94fe

SHA512
7d51736295f2664e5eadd6f330b0e28d1acc8a2a910a3a67e8efc22677271b808a0d18054246595b5df654512a81596d1a803954f6505a54279694ad899181c4

Download Submit
C:\Windows\System\YehLfGP.exe

Filesize
5.2MB

MD5
fa0d4de94f4454e15391703db941283b

SHA1
bb034a9a3c40750607dac034798d481e75bda7de

SHA256
eb9ccda932378ac657bd5e1da469a5e8008c552972ebc24e937d514a80148751

SHA512
83496c060031b33e900f09cc7cb67c3d9ae75a923c8f444b4173b7d0dcdda615e0ef42519f1c95b08192e65295888620f2b9ec54e44e53ec9364e3ee158e2d5d

Download Submit
C:\Windows\System\YgdKbTc.exe

Filesize
5.2MB

MD5
2d797ddda9ae7e46ac201cd78b28b87d

SHA1
f835043ea38c8268a732fa6eea9a1cee6d38baf3

SHA256
e23719f642928b3afd6587caec2b1b22f32b26e92ef041b215a9aa5361d4b5a5

SHA512
ae801a96d2a7cddec95fb9b019265cfd7ce94efb3ff5e9aebf95ae6558df57d7ca8e9692f4bd93b62e835d60aa85e1e4c219c1539e2ba9f3818ca457f4cbeee5

Download Submit
C:\Windows\System\YlbpKXd.exe

Filesize
5.2MB

MD5
ebbd5b79d09716d6545d756ed2b356c7

SHA1
95b68b52a4f1e6dfd20eef72c27e058cf3ccb0b1

SHA256
aad155085e836046c89510d59adf86cdddb7dbe4d3028a545efd8edaf27d3454

SHA512
32534a0c13f22aee3530bd1e093c364e896d9a34f9c845510092e87f6a56f71c3dab484c3eecf4a46a0c72e9ed229b19a8c0cdf29546d4f4d33c3e4f3aed5e26

Download Submit
C:\Windows\System\ZRGFjUI.exe

Filesize
5.2MB

MD5
e8c59b130e047402d7a1b6df3d7c658e

SHA1
78fcd43e141823a70d9cf0a826a52a4488d2eb93

SHA256
2def49f2e2e207bc683f8fb143aa2d33aeab2ac298755fbaaa7dc93e54976b3c

SHA512
f3d791a636f897d75d565837590ae48c88c6e10fe83a36252d884e721e82872e44ea6859f63c567893718911c5bd31c614204a9a3fad98ffcc9c0eb9bb582bd2

Download Submit
C:\Windows\System\ZoUeYmr.exe

Filesize
5.2MB

MD5
300690fa196e38a2ed6a17659b88001d

SHA1
bb2fdb32149700980121704f0659ad20e5004d95

SHA256
d950ee800f0d2124cb2dfea47b7cbe030ec0faa42d8cd111595312461a1d9e09

SHA512
d3c6240db39d8e74d62a1620721c12d85b9daccf87ecf4176ef7b65755b6459a8afb446ea452dc1ae3c789cf7bcbaae144c15cbe82c807c9e84e1bfdee41aa91

Download Submit
C:\Windows\System\dbCMEhR.exe

Filesize
5.2MB

MD5
4c0f73ae71b2e242e13e33d1b5618aed

SHA1
f5e3663d0cc0fd34bdc7afb9eeda3ee852e252cb

SHA256
f6f7be91f96db0ca86c4c7da2a057fa87c70369c811aedf368edfe28d32e90da

SHA512
e4d73a3379d7ba207333a0ffec6d7eec9e01f13969d539aeab5ff630b636c2c8e536fcc7bf0fe8b7368c94d29bb2ff2aef1ea76be635ebb0dcc146b06899000c

Download Submit
C:\Windows\System\ebUjwvD.exe

Filesize
5.2MB

MD5
cc75db4a4a9727780d24917b3c377747

SHA1
61866d1dab6f1eccf5fbb44475a9aba405860288

SHA256
42da23cb50376fbf6c1e20ebfb4da49ee5bdc6764f7c0fcda1d4ac87f360d6ec

SHA512
0ccc67ff0526f8edf5cc70e1f63b9adff6b900681c005f0c2e1e5c4f6ce8f7b921497b7953f2f6f4fed31fce473dd42e82652ab95150f06c2cea45d8c78bdd3b

Download Submit
C:\Windows\System\gRsRQvv.exe

Filesize
5.2MB

MD5
22f77fcc3c3df5c4969bb8bce4b8c805

SHA1
29d7e3be0e68aef8803a01f4766c35aef4667bff

SHA256
ae130d9895dcd9ce96289393d42349ffb7595252c7b2c799305659c35b72a6e6

SHA512
444261ac09e65d2a16c32987f498bd7b63ec20479f04f88e40da4763fc71e6cc8913edfb34cdc6c5eedf1bcfaeacc1f8f1cf4831a4c446742f075096ce657358

Download Submit
C:\Windows\System\hYviVsc.exe

Filesize
5.2MB

MD5
f629446af541b593bd723f3b3f5574fc

SHA1
3fd5a0ba7183f5cd9c700557509ce00c966955e2

SHA256
76fa5999e02f00bab686a402e34bfa8e94f3e5b0ede1eae38c0ff12a9b139938

SHA512
83d5c0ad5eeb8d1086cf111a427ce8a0fbabbe3bce0049356e7979de38b19bbed5a532505b164e8754dddeef6edad354a9695dbb3a706868222c726f57b98c81

Download Submit
C:\Windows\System\jNZXAOd.exe

Filesize
5.2MB

MD5
a8d609cda4f3d6ce101e065bd8564274

SHA1
8143277816a3cd6a8ddda621be493d572ede3d35

SHA256
5e06c20eeea7c6436e70a980959c6e069ca9cbea788e5b2875c0b0cd038e2efb

SHA512
d26794883a0f30bef551bdabb50dc03b0d42535a0f167597aaac43ab6760e345c3b13c66543b4c2463136338195eb72dc4e8acd4b16de640534a3cec63cd6462

Download Submit
C:\Windows\System\nKVEbWU.exe

Filesize
5.2MB

MD5
2dfd543a857b7eabc6d0a6ec66aad7b1

SHA1
bf3f83b0b32eae638d4b7e9692da81b0989391da

SHA256
6c04d27c2b5711455406f0aadd3349b02d54a32486ffd596660ab25631af8244

SHA512
bf2d840bf3bb6088e729fa57c0df802afe24f470a24d1f3daddd5f9e701387179796207ab51916e69553498e137d2a2d969cf0252275733d827bb2d119b0b369

Download Submit
C:\Windows\System\pRcgrqf.exe

Filesize
5.2MB

MD5
b6cab660adead3c21903512f616372a7

SHA1
9185dd12de8384699f085913356370bdba3600ca

SHA256
e3daa8298c09700b25c3c290624ae6e12eb9a261151e8f68ba1962808e96b760

SHA512
6f49f9f9c89affd31b3c1f3b6bd16622447a3b0ff342eef924a1a713e48d5c5cb16bbf1c8333b343a21965f8a4e580ee20ed8050ff9c3cd1c547a6ca7239561c

Download Submit
C:\Windows\System\rWBpguR.exe

Filesize
5.2MB

MD5
0c47d4350ff009f92ab7e04dd9229ac1

SHA1
5b3644baaaeced490410a016a94840d0130aeb56

SHA256
55056a3267c7af372c55ce2f66de53873ae4235888b351abbe7de48ca6691756

SHA512
91495a5ab43890962fb8663bc76dbeda80f5a8441bfe1e4ae98c914ff5bbae65c610464624e33eb1f2e031334485c1ea91b13cf64c2980020631c0589c7616a2

Download Submit
C:\Windows\System\tfiyqsr.exe

Filesize
5.2MB

MD5
83f540d6462019800d282907ea1d7023

SHA1
e87a7c5e03837b080b713e361a4678f9d3c2f25e

SHA256
fa477477a5de1ae00edfc7c075976108dd6dc097d5bb5957d94e027b6d462e97

SHA512
dcb4cc27065f498a1cf38df55b30ddf611a8aaa19a1304d5098e5a80b360d9392426d426ad96f377b2b7ce9f0c0d7e788fa96732faa4f0f4766f87c168bde739

Download Submit
C:\Windows\System\vwoxslL.exe

Filesize
5.2MB

MD5
52512d8831eecd6c0e011fc704328e42

SHA1
05bd4a6681c2278237f1523c7d786ec18744eebd

SHA256
4bbcdd1a78b5e38bf0c47454d22f987f0359f0008cb509a9bc24a8135e701a63

SHA512
acbf40f4b6247ee4493029290eda81748517b1ba08702f658f412fba23d7beb3d7665c6cce318b1a6b9025e37598f527c006c96e0e01bd18dd75881ed762364c

Download Submit
memory/388-253-0x00007FF742480000-0x00007FF7427D1000-memory.dmp

Filesize
3.3MB

Download
memory/388-110-0x00007FF742480000-0x00007FF7427D1000-memory.dmp

Filesize
3.3MB

Download
memory/388-147-0x00007FF742480000-0x00007FF7427D1000-memory.dmp

Filesize
3.3MB

Download
memory/432-243-0x00007FF76A7B0000-0x00007FF76AB01000-memory.dmp

Filesize
3.3MB

Download
memory/432-118-0x00007FF76A7B0000-0x00007FF76AB01000-memory.dmp

Filesize
3.3MB

Download
memory/1040-256-0x00007FF7748A0000-0x00007FF774BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1040-126-0x00007FF7748A0000-0x00007FF774BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-0-0x00007FF746920000-0x00007FF746C71000-memory.dmp

Filesize
3.3MB

Download
memory/1108-128-0x00007FF746920000-0x00007FF746C71000-memory.dmp

Filesize
3.3MB

Download
memory/1108-150-0x00007FF746920000-0x00007FF746C71000-memory.dmp

Filesize
3.3MB

Download
memory/1108-1-0x00000278B15C0000-0x00000278B15D0000-memory.dmp

Filesize
64KB

Download
memory/1108-151-0x00007FF746920000-0x00007FF746C71000-memory.dmp

Filesize
3.3MB

Download
memory/1228-104-0x00007FF75BA30000-0x00007FF75BD81000-memory.dmp

Filesize
3.3MB

Download
memory/1228-142-0x00007FF75BA30000-0x00007FF75BD81000-memory.dmp

Filesize
3.3MB

Download
memory/1228-254-0x00007FF75BA30000-0x00007FF75BD81000-memory.dmp

Filesize
3.3MB

Download
memory/1468-59-0x00007FF6415E0000-0x00007FF641931000-memory.dmp

Filesize
3.3MB

Download
memory/1468-234-0x00007FF6415E0000-0x00007FF641931000-memory.dmp

Filesize
3.3MB

Download
memory/1468-137-0x00007FF6415E0000-0x00007FF641931000-memory.dmp

Filesize
3.3MB

Download
memory/1700-241-0x00007FF647580000-0x00007FF6478D1000-memory.dmp

Filesize
3.3MB

Download
memory/1700-139-0x00007FF647580000-0x00007FF6478D1000-memory.dmp

Filesize
3.3MB

Download
memory/1700-77-0x00007FF647580000-0x00007FF6478D1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-208-0x00007FF72C7B0000-0x00007FF72CB01000-memory.dmp

Filesize
3.3MB

Download
memory/1872-7-0x00007FF72C7B0000-0x00007FF72CB01000-memory.dmp

Filesize
3.3MB

Download
memory/1872-129-0x00007FF72C7B0000-0x00007FF72CB01000-memory.dmp

Filesize
3.3MB

Download
memory/2296-80-0x00007FF641030000-0x00007FF641381000-memory.dmp

Filesize
3.3MB

Download
memory/2296-244-0x00007FF641030000-0x00007FF641381000-memory.dmp

Filesize
3.3MB

Download
memory/2308-125-0x00007FF75ACD0000-0x00007FF75B021000-memory.dmp

Filesize
3.3MB

Download
memory/2308-250-0x00007FF75ACD0000-0x00007FF75B021000-memory.dmp

Filesize
3.3MB

Download
memory/2316-135-0x00007FF6189A0000-0x00007FF618CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2316-43-0x00007FF6189A0000-0x00007FF618CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2316-232-0x00007FF6189A0000-0x00007FF618CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2704-213-0x00007FF7CD2E0000-0x00007FF7CD631000-memory.dmp

Filesize
3.3MB

Download
memory/2704-30-0x00007FF7CD2E0000-0x00007FF7CD631000-memory.dmp

Filesize
3.3MB

Download
memory/2704-132-0x00007FF7CD2E0000-0x00007FF7CD631000-memory.dmp

Filesize
3.3MB

Download
memory/2904-249-0x00007FF68A7C0000-0x00007FF68AB11000-memory.dmp

Filesize
3.3MB

Download
memory/2904-145-0x00007FF68A7C0000-0x00007FF68AB11000-memory.dmp

Filesize
3.3MB

Download
memory/2904-96-0x00007FF68A7C0000-0x00007FF68AB11000-memory.dmp

Filesize
3.3MB

Download
memory/3264-259-0x00007FF7C2FE0000-0x00007FF7C3331000-memory.dmp

Filesize
3.3MB

Download
memory/3264-148-0x00007FF7C2FE0000-0x00007FF7C3331000-memory.dmp

Filesize
3.3MB

Download
memory/3264-111-0x00007FF7C2FE0000-0x00007FF7C3331000-memory.dmp

Filesize
3.3MB

Download
memory/3320-19-0x00007FF617F20000-0x00007FF618271000-memory.dmp

Filesize
3.3MB

Download
memory/3320-210-0x00007FF617F20000-0x00007FF618271000-memory.dmp

Filesize
3.3MB

Download
memory/3320-130-0x00007FF617F20000-0x00007FF618271000-memory.dmp

Filesize
3.3MB

Download
memory/3644-214-0x00007FF6E7780000-0x00007FF6E7AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3644-131-0x00007FF6E7780000-0x00007FF6E7AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3644-26-0x00007FF6E7780000-0x00007FF6E7AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3688-117-0x00007FF79D4E0000-0x00007FF79D831000-memory.dmp

Filesize
3.3MB

Download
memory/3688-230-0x00007FF79D4E0000-0x00007FF79D831000-memory.dmp

Filesize
3.3MB

Download
memory/4352-42-0x00007FF788510000-0x00007FF788861000-memory.dmp

Filesize
3.3MB

Download
memory/4352-216-0x00007FF788510000-0x00007FF788861000-memory.dmp

Filesize
3.3MB

Download
memory/4352-133-0x00007FF788510000-0x00007FF788861000-memory.dmp

Filesize
3.3MB

Download
memory/4596-237-0x00007FF621CB0000-0x00007FF622001000-memory.dmp

Filesize
3.3MB

Download
memory/4596-121-0x00007FF621CB0000-0x00007FF622001000-memory.dmp

Filesize
3.3MB

Download
memory/5032-239-0x00007FF6E5450000-0x00007FF6E57A1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-124-0x00007FF6E5450000-0x00007FF6E57A1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-246-0x00007FF6B86D0000-0x00007FF6B8A21000-memory.dmp

Filesize
3.3MB

Download
memory/5064-105-0x00007FF6B86D0000-0x00007FF6B8A21000-memory.dmp

Filesize
3.3MB

Download
memory/5092-218-0x00007FF738650000-0x00007FF7389A1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-50-0x00007FF738650000-0x00007FF7389A1000-memory.dmp

Filesize
3.3MB

Download