cobaltstrike | 26599253485331f33e906e0fca2d46e9d35f9bb00d2f9d99fce04162bd608f07

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d17ec8701f6774f8f267e8e0153a28f1
SHA1

6a2292d7b93b1360544f8f977c4be4b30788fc72
SHA256

26599253485331f33e906e0fca2d46e9d35f9bb00d2f9d99fce04162bd608f07
SHA512

7205835da72db1ea90643411ab40bf4333450589783534bcbce7a2a2ed5b5181a504c21991a78d563b977f16d031b26c248b995ca2020c98559633000ec46080
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibj56utgpPFotBER/mQ32lUo

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233bc-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-13.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341e-26.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341d-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023420-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023421-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023425-85.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023417-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023429-107.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342c-116.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342b-114.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342a-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023426-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023423-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023424-82.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341f-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023422-51.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341c-30.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341b-27.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4076-74-0x00007FF7C5080000-0x00007FF7C53D1000-memory.dmp	xmrig
behavioral2/memory/1904-61-0x00007FF76E960000-0x00007FF76ECB1000-memory.dmp	xmrig
behavioral2/memory/3524-47-0x00007FF63ABD0000-0x00007FF63AF21000-memory.dmp	xmrig
behavioral2/memory/1432-53-0x00007FF7A1FB0000-0x00007FF7A2301000-memory.dmp	xmrig
behavioral2/memory/3136-118-0x00007FF6DB9D0000-0x00007FF6DBD21000-memory.dmp	xmrig
behavioral2/memory/2160-119-0x00007FF65CAA0000-0x00007FF65CDF1000-memory.dmp	xmrig
behavioral2/memory/4008-121-0x00007FF746800000-0x00007FF746B51000-memory.dmp	xmrig
behavioral2/memory/2088-122-0x00007FF69C6A0000-0x00007FF69C9F1000-memory.dmp	xmrig
behavioral2/memory/1840-124-0x00007FF7DC170000-0x00007FF7DC4C1000-memory.dmp	xmrig
behavioral2/memory/3192-123-0x00007FF66C540000-0x00007FF66C891000-memory.dmp	xmrig
behavioral2/memory/5052-120-0x00007FF7DD840000-0x00007FF7DDB91000-memory.dmp	xmrig
behavioral2/memory/4536-125-0x00007FF790690000-0x00007FF7909E1000-memory.dmp	xmrig
behavioral2/memory/1736-126-0x00007FF7F5FC0000-0x00007FF7F6311000-memory.dmp	xmrig
behavioral2/memory/1668-127-0x00007FF79D310000-0x00007FF79D661000-memory.dmp	xmrig
behavioral2/memory/2668-128-0x00007FF706BC0000-0x00007FF706F11000-memory.dmp	xmrig
behavioral2/memory/5024-131-0x00007FF7E3ED0000-0x00007FF7E4221000-memory.dmp	xmrig
behavioral2/memory/4076-137-0x00007FF7C5080000-0x00007FF7C53D1000-memory.dmp	xmrig
behavioral2/memory/1972-141-0x00007FF6A64B0000-0x00007FF6A6801000-memory.dmp	xmrig
behavioral2/memory/3960-130-0x00007FF7F30A0000-0x00007FF7F33F1000-memory.dmp	xmrig
behavioral2/memory/4324-139-0x00007FF6FE3B0000-0x00007FF6FE701000-memory.dmp	xmrig
behavioral2/memory/2636-129-0x00007FF6EEC20000-0x00007FF6EEF71000-memory.dmp	xmrig
behavioral2/memory/2068-144-0x00007FF7159F0000-0x00007FF715D41000-memory.dmp	xmrig
behavioral2/memory/1524-143-0x00007FF6C1AB0000-0x00007FF6C1E01000-memory.dmp	xmrig
behavioral2/memory/2668-150-0x00007FF706BC0000-0x00007FF706F11000-memory.dmp	xmrig
behavioral2/memory/2668-151-0x00007FF706BC0000-0x00007FF706F11000-memory.dmp	xmrig
behavioral2/memory/2636-201-0x00007FF6EEC20000-0x00007FF6EEF71000-memory.dmp	xmrig
behavioral2/memory/3960-220-0x00007FF7F30A0000-0x00007FF7F33F1000-memory.dmp	xmrig
behavioral2/memory/5024-222-0x00007FF7E3ED0000-0x00007FF7E4221000-memory.dmp	xmrig
behavioral2/memory/3524-224-0x00007FF63ABD0000-0x00007FF63AF21000-memory.dmp	xmrig
behavioral2/memory/1432-226-0x00007FF7A1FB0000-0x00007FF7A2301000-memory.dmp	xmrig
behavioral2/memory/2088-228-0x00007FF69C6A0000-0x00007FF69C9F1000-memory.dmp	xmrig
behavioral2/memory/1840-231-0x00007FF7DC170000-0x00007FF7DC4C1000-memory.dmp	xmrig
behavioral2/memory/1904-232-0x00007FF76E960000-0x00007FF76ECB1000-memory.dmp	xmrig
behavioral2/memory/3192-234-0x00007FF66C540000-0x00007FF66C891000-memory.dmp	xmrig
behavioral2/memory/4076-236-0x00007FF7C5080000-0x00007FF7C53D1000-memory.dmp	xmrig
behavioral2/memory/4324-238-0x00007FF6FE3B0000-0x00007FF6FE701000-memory.dmp	xmrig
behavioral2/memory/4536-240-0x00007FF790690000-0x00007FF7909E1000-memory.dmp	xmrig
behavioral2/memory/1972-242-0x00007FF6A64B0000-0x00007FF6A6801000-memory.dmp	xmrig
behavioral2/memory/1736-244-0x00007FF7F5FC0000-0x00007FF7F6311000-memory.dmp	xmrig
behavioral2/memory/2068-247-0x00007FF7159F0000-0x00007FF715D41000-memory.dmp	xmrig
behavioral2/memory/1524-250-0x00007FF6C1AB0000-0x00007FF6C1E01000-memory.dmp	xmrig
behavioral2/memory/4008-258-0x00007FF746800000-0x00007FF746B51000-memory.dmp	xmrig
behavioral2/memory/5052-256-0x00007FF7DD840000-0x00007FF7DDB91000-memory.dmp	xmrig
behavioral2/memory/2160-254-0x00007FF65CAA0000-0x00007FF65CDF1000-memory.dmp	xmrig
behavioral2/memory/3136-252-0x00007FF6DB9D0000-0x00007FF6DBD21000-memory.dmp	xmrig
behavioral2/memory/1668-249-0x00007FF79D310000-0x00007FF79D661000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2636	dQzrPVu.exe
3960	xJEbBBL.exe
5024	GIIhuvn.exe
3524	pwbgwaR.exe
1432	XRImxkI.exe
2088	yOgEUqj.exe
3192	BOdnQdX.exe
1904	xaKFUZd.exe
4076	MqfpgQu.exe
1840	YImkwtx.exe
4324	KkrZcmg.exe
4536	BSVYwOI.exe
1972	OuoTeTm.exe
1736	vtMdCOC.exe
1524	AcqAjDK.exe
2068	eVLbLKM.exe
1668	yeykhKt.exe
3136	RtMHmTb.exe
2160	yOFUXuj.exe
5052	VNfWrwH.exe
4008	bUBarzN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2668-0-0x00007FF706BC0000-0x00007FF706F11000-memory.dmp	upx
behavioral2/files/0x00090000000233bc-5.dat	upx
behavioral2/memory/2636-11-0x00007FF6EEC20000-0x00007FF6EEF71000-memory.dmp	upx
behavioral2/files/0x000700000002341a-13.dat	upx
behavioral2/files/0x000700000002341e-26.dat	upx
behavioral2/files/0x000700000002341d-34.dat	upx
behavioral2/files/0x0007000000023420-42.dat	upx
behavioral2/files/0x0007000000023421-67.dat	upx
behavioral2/files/0x0007000000023427-76.dat	upx
behavioral2/files/0x0007000000023425-85.dat	upx
behavioral2/files/0x0008000000023417-94.dat	upx
behavioral2/files/0x0007000000023429-107.dat	upx
behavioral2/files/0x000700000002342c-116.dat	upx
behavioral2/files/0x000700000002342b-114.dat	upx
behavioral2/files/0x000700000002342a-112.dat	upx
behavioral2/files/0x0007000000023428-104.dat	upx
behavioral2/memory/2068-102-0x00007FF7159F0000-0x00007FF715D41000-memory.dmp	upx
behavioral2/files/0x0007000000023426-97.dat	upx
behavioral2/memory/1524-90-0x00007FF6C1AB0000-0x00007FF6C1E01000-memory.dmp	upx
behavioral2/memory/1972-81-0x00007FF6A64B0000-0x00007FF6A6801000-memory.dmp	upx
behavioral2/memory/4324-80-0x00007FF6FE3B0000-0x00007FF6FE701000-memory.dmp	upx
behavioral2/files/0x0007000000023423-78.dat	upx
behavioral2/files/0x0007000000023424-82.dat	upx
behavioral2/memory/4076-74-0x00007FF7C5080000-0x00007FF7C53D1000-memory.dmp	upx
behavioral2/files/0x000700000002341f-63.dat	upx
behavioral2/memory/1904-61-0x00007FF76E960000-0x00007FF76ECB1000-memory.dmp	upx
behavioral2/files/0x0007000000023422-51.dat	upx
behavioral2/memory/3524-47-0x00007FF63ABD0000-0x00007FF63AF21000-memory.dmp	upx
behavioral2/memory/1432-53-0x00007FF7A1FB0000-0x00007FF7A2301000-memory.dmp	upx
behavioral2/memory/5024-38-0x00007FF7E3ED0000-0x00007FF7E4221000-memory.dmp	upx
behavioral2/files/0x000700000002341c-30.dat	upx
behavioral2/files/0x000700000002341b-27.dat	upx
behavioral2/memory/3960-20-0x00007FF7F30A0000-0x00007FF7F33F1000-memory.dmp	upx
behavioral2/memory/3136-118-0x00007FF6DB9D0000-0x00007FF6DBD21000-memory.dmp	upx
behavioral2/memory/2160-119-0x00007FF65CAA0000-0x00007FF65CDF1000-memory.dmp	upx
behavioral2/memory/4008-121-0x00007FF746800000-0x00007FF746B51000-memory.dmp	upx
behavioral2/memory/2088-122-0x00007FF69C6A0000-0x00007FF69C9F1000-memory.dmp	upx
behavioral2/memory/1840-124-0x00007FF7DC170000-0x00007FF7DC4C1000-memory.dmp	upx
behavioral2/memory/3192-123-0x00007FF66C540000-0x00007FF66C891000-memory.dmp	upx
behavioral2/memory/5052-120-0x00007FF7DD840000-0x00007FF7DDB91000-memory.dmp	upx
behavioral2/memory/4536-125-0x00007FF790690000-0x00007FF7909E1000-memory.dmp	upx
behavioral2/memory/1736-126-0x00007FF7F5FC0000-0x00007FF7F6311000-memory.dmp	upx
behavioral2/memory/1668-127-0x00007FF79D310000-0x00007FF79D661000-memory.dmp	upx
behavioral2/memory/2668-128-0x00007FF706BC0000-0x00007FF706F11000-memory.dmp	upx
behavioral2/memory/5024-131-0x00007FF7E3ED0000-0x00007FF7E4221000-memory.dmp	upx
behavioral2/memory/4076-137-0x00007FF7C5080000-0x00007FF7C53D1000-memory.dmp	upx
behavioral2/memory/1972-141-0x00007FF6A64B0000-0x00007FF6A6801000-memory.dmp	upx
behavioral2/memory/3960-130-0x00007FF7F30A0000-0x00007FF7F33F1000-memory.dmp	upx
behavioral2/memory/4324-139-0x00007FF6FE3B0000-0x00007FF6FE701000-memory.dmp	upx
behavioral2/memory/2636-129-0x00007FF6EEC20000-0x00007FF6EEF71000-memory.dmp	upx
behavioral2/memory/2068-144-0x00007FF7159F0000-0x00007FF715D41000-memory.dmp	upx
behavioral2/memory/1524-143-0x00007FF6C1AB0000-0x00007FF6C1E01000-memory.dmp	upx
behavioral2/memory/2668-150-0x00007FF706BC0000-0x00007FF706F11000-memory.dmp	upx
behavioral2/memory/2668-151-0x00007FF706BC0000-0x00007FF706F11000-memory.dmp	upx
behavioral2/memory/2636-201-0x00007FF6EEC20000-0x00007FF6EEF71000-memory.dmp	upx
behavioral2/memory/3960-220-0x00007FF7F30A0000-0x00007FF7F33F1000-memory.dmp	upx
behavioral2/memory/5024-222-0x00007FF7E3ED0000-0x00007FF7E4221000-memory.dmp	upx
behavioral2/memory/3524-224-0x00007FF63ABD0000-0x00007FF63AF21000-memory.dmp	upx
behavioral2/memory/1432-226-0x00007FF7A1FB0000-0x00007FF7A2301000-memory.dmp	upx
behavioral2/memory/2088-228-0x00007FF69C6A0000-0x00007FF69C9F1000-memory.dmp	upx
behavioral2/memory/1840-231-0x00007FF7DC170000-0x00007FF7DC4C1000-memory.dmp	upx
behavioral2/memory/1904-232-0x00007FF76E960000-0x00007FF76ECB1000-memory.dmp	upx
behavioral2/memory/3192-234-0x00007FF66C540000-0x00007FF66C891000-memory.dmp	upx
behavioral2/memory/4076-236-0x00007FF7C5080000-0x00007FF7C53D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\eVLbLKM.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RtMHmTb.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VNfWrwH.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pwbgwaR.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MqfpgQu.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vtMdCOC.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AcqAjDK.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GIIhuvn.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xaKFUZd.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dQzrPVu.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YImkwtx.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yOFUXuj.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bUBarzN.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KkrZcmg.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BSVYwOI.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OuoTeTm.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yeykhKt.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xJEbBBL.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XRImxkI.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yOgEUqj.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BOdnQdX.exe	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2636	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2668 wrote to memory of 2636	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2668 wrote to memory of 3960	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2668 wrote to memory of 3960	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2668 wrote to memory of 5024	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2668 wrote to memory of 5024	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2668 wrote to memory of 3524	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2668 wrote to memory of 3524	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2668 wrote to memory of 1432	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2668 wrote to memory of 1432	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2668 wrote to memory of 2088	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2668 wrote to memory of 2088	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2668 wrote to memory of 3192	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2668 wrote to memory of 3192	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2668 wrote to memory of 1904	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2668 wrote to memory of 1904	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2668 wrote to memory of 4076	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2668 wrote to memory of 4076	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2668 wrote to memory of 1840	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2668 wrote to memory of 1840	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2668 wrote to memory of 4324	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2668 wrote to memory of 4324	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2668 wrote to memory of 4536	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2668 wrote to memory of 4536	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2668 wrote to memory of 1972	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2668 wrote to memory of 1972	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2668 wrote to memory of 1736	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2668 wrote to memory of 1736	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2668 wrote to memory of 1524	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2668 wrote to memory of 1524	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2668 wrote to memory of 2068	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2668 wrote to memory of 2068	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2668 wrote to memory of 1668	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2668 wrote to memory of 1668	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2668 wrote to memory of 3136	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2668 wrote to memory of 3136	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2668 wrote to memory of 2160	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2668 wrote to memory of 2160	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2668 wrote to memory of 5052	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2668 wrote to memory of 5052	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2668 wrote to memory of 4008	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2668 wrote to memory of 4008	2668	2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_d17ec8701f6774f8f267e8e0153a28f1_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\System\dQzrPVu.exe
  C:\Windows\System\dQzrPVu.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\xJEbBBL.exe
  C:\Windows\System\xJEbBBL.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System\GIIhuvn.exe
  C:\Windows\System\GIIhuvn.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\pwbgwaR.exe
  C:\Windows\System\pwbgwaR.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\XRImxkI.exe
  C:\Windows\System\XRImxkI.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\yOgEUqj.exe
  C:\Windows\System\yOgEUqj.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\BOdnQdX.exe
  C:\Windows\System\BOdnQdX.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\xaKFUZd.exe
  C:\Windows\System\xaKFUZd.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\MqfpgQu.exe
  C:\Windows\System\MqfpgQu.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System\YImkwtx.exe
  C:\Windows\System\YImkwtx.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System\KkrZcmg.exe
  C:\Windows\System\KkrZcmg.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System\BSVYwOI.exe
  C:\Windows\System\BSVYwOI.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\OuoTeTm.exe
  C:\Windows\System\OuoTeTm.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\vtMdCOC.exe
  C:\Windows\System\vtMdCOC.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\AcqAjDK.exe
  C:\Windows\System\AcqAjDK.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\eVLbLKM.exe
  C:\Windows\System\eVLbLKM.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\yeykhKt.exe
  C:\Windows\System\yeykhKt.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\RtMHmTb.exe
  C:\Windows\System\RtMHmTb.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\yOFUXuj.exe
  C:\Windows\System\yOFUXuj.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\VNfWrwH.exe
  C:\Windows\System\VNfWrwH.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\bUBarzN.exe
  C:\Windows\System\bUBarzN.exe
  2⤵
  - Executes dropped EXE
  PID:4008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AcqAjDK.exe

Filesize
5.2MB

MD5
65b202147ee9095247c70851a573b3cc

SHA1
0ba7aa77ee740facba53665bcc8c2022dafd4362

SHA256
39ef24be78e442e5db65216caa43882be7a6baa00b37ea0544555235a5eff15e

SHA512
2d0017a935504f1fab58a38c64ad5b189007d22d19a1f8965905758097f633a6c622e548b9b5c33c474d1cb05e3c6cbb4a6176379b430e62f682edb8b754276f

Download Submit
C:\Windows\System\BOdnQdX.exe

Filesize
5.2MB

MD5
e1767f3eee3ee7a5e6270900ab869f9b

SHA1
ce04801a5ad1b92ac84b2505d9fd9abe88f7b84e

SHA256
fd34a86bcb20d8752a4082093e637eee4909e03cf31f6f9337f80cbc6dc71c2b

SHA512
d45e6e6096cb745ab2e61dbdb19ddb52801f668a145b4cbf6e6ea9b4d1807a5a444ec0540787df242798ae5a5db4d2cf96f9137fd411affdbb22127bbb9a603d

Download Submit
C:\Windows\System\BSVYwOI.exe

Filesize
5.2MB

MD5
ee29dd4eb406e0e585224faf9bdc7f1b

SHA1
25381bc6e10e7fa4ebd42d726f65e03a1b18de61

SHA256
1093302c36a7f2631220dcfffc7fdfea437bfe7c19ed1a3e6d0e42acb01312fb

SHA512
9593af6d3a9fe332dd7e87ac47ad11d2e9045270c5b84e04ec90e2161224d255a1a6bc401de2c817eb9c628a530bf70b9aa578286b64bc56ca242aaefdc58bbf

Download Submit
C:\Windows\System\GIIhuvn.exe

Filesize
5.2MB

MD5
111a27cc53a88d0902e33fe5071f4048

SHA1
beafbdc04811c32ac979144e73ae1454213a7e8e

SHA256
04d6e2cc771e3a4f36974458dcc02114cb5eb0938bb42f68f7e904d0d5aa463c

SHA512
46857c04a6d7b6b5050cc82c1c17d48893d12af6c4ca16510f1e5f3972b49914f9950a84a6b88093f5cdbe7a423add3a4c130ede9111bed55c02d5baeab04252

Download Submit
C:\Windows\System\KkrZcmg.exe

Filesize
5.2MB

MD5
82603d70e702f0f172c5af4700669b9b

SHA1
59d4d6d5781dd36d7517912477c98688345c0be8

SHA256
92bad056f9de7c74711f9d6f50fa6b1ea3f6e1c15e12f0b5dfff7e0be87398dc

SHA512
a0f7aa7b65f7052f90fde9e2c2c457a37584b398fdeecd0e8dfcd11a4b4a3175c531684eaf9a40a73b2d11a53e375b532fa07756a9383d675f57bdbff057df29

Download Submit
C:\Windows\System\MqfpgQu.exe

Filesize
5.2MB

MD5
6a8dd9d9168995fdc7069f2310db77d0

SHA1
8056d74907cf795a267b20795931a27b832c67d3

SHA256
d0c44c1c1aa5172230e368b73e439f4e7cb2f837181c2af51b55668e22991898

SHA512
27457fd7ceee569ff371e63839650908e6aa86effa0b1ac8debc9c8ea7cc70cd68defd339cf0afe783c17f54d5bdcfc03e2c17f97ee2c5890b0267259549ef96

Download Submit
C:\Windows\System\OuoTeTm.exe

Filesize
5.2MB

MD5
2ede69e07353d25705c970ad8d4bd144

SHA1
cdf642602857c3705cd74ce0b2a2918f431e0a1a

SHA256
0ae299761988e794d3af10ce1df6d987d689f76d2bc00d01fc415e5a72aa4ead

SHA512
0df68c3ff7e303dd1b267f40bbd3e1f53054329b5e4e665b332c2e2ce0f67e76b566ebe89517ff2f0a270a6bcaffecaa19b0f6ccbf3ef8e295962c71261d7e63

Download Submit
C:\Windows\System\RtMHmTb.exe

Filesize
5.2MB

MD5
430d5f5fdb6a7f6dd447b8731b99cefe

SHA1
a474809fc3ead95aa918307061b7d3306792f88a

SHA256
38a2f9ca93ad7566d639129ac76ab70910e76899283c97e3207a9f616132f633

SHA512
1da81d058f8016fca772e2d364f5515cb0fb26b37b2621b956d62674ad5850d56a6a6d565a4461c9692ca11c1df47d0eb7eeac8d513a6ea62a0132f0e5b23dcd

Download Submit
C:\Windows\System\VNfWrwH.exe

Filesize
5.2MB

MD5
53f24ae271d6a10963af007467726232

SHA1
1a96905e6af0bdfd2e2352dc238fd1cb20a0b155

SHA256
2f3fca6fb50f9ace28f3ace4992fa158f65ddb644539f321ee30a26115c52696

SHA512
0eb6da686a7242e2f8cad10d0a7debafc7b9d8d7bccc942ecaf057bab03b46f7290c2e7f62eca5b56f07d49baf850a726b9a9d7ccfe00e25c74b3370ee6df931

Download Submit
C:\Windows\System\XRImxkI.exe

Filesize
5.2MB

MD5
06068a853a2446c1079c733ae6ada1ce

SHA1
3b3b65cae28b477520922605d654a7dd95b7f8b2

SHA256
af07cac2bcf71b01dc2125187f7565e950b192abea2cae38cf9e93b524f92e56

SHA512
9ee6ef267b7f95e3ad45a79e6ce4504e1548254cae707232362793ed47f95f5a9deffdd607358b219b25d69b0c0af559c45ed9c6b69a32a15df84c5066e07357

Download Submit
C:\Windows\System\YImkwtx.exe

Filesize
5.2MB

MD5
9d735bd2f627bd8e73ff9fa0c6a9ea66

SHA1
dd5b0b9b1cb74e525142be0489e3b55629c6cb21

SHA256
c78c9e679938fca55880bd636ca294ce15b739edd7aca9e07396380c02d5a993

SHA512
4ff6368c0f4fc1b3fe6976d6de60ffc463befe19bfc0b28325f2a40673a322830be7b8b7f0a4ae89740d006afe425da244ecf04b1855df2c61c727fcac246602

Download Submit
C:\Windows\System\bUBarzN.exe

Filesize
5.2MB

MD5
1e2632757b2b808d598da20c64db7a9e

SHA1
2df64d6a5ed30af4a1286b8b961349d04f7c609f

SHA256
09aa8788d4ad8c418765877f197c8c684956fb8b6806c833cedb1f7dc36dd71a

SHA512
6b81710ec7e8894d0d8ac3eab811db8004f58e47e14c839611fc1ac2b67d0cb72b8d5be38fab503010ff0ec698c4b08d8fbd0b60eda7392805d520baa6216e5a

Download Submit
C:\Windows\System\dQzrPVu.exe

Filesize
5.2MB

MD5
d5cc6423dd6c9c1f9d50eca4c2d2927a

SHA1
f3cdbdd43e58a4d67eeeff2fc73cf55f300b9daf

SHA256
b2b5b21bea48323594352d8ca0b4506c350f0b72eb51bf7c7d99a70dda51b313

SHA512
b0b09d98ca15abdb6e5e6147b362c1ad51c984e6b11347a8f4d27921fab6d68b98968b6ddb7df1a15195868b1b36845949e8dc1d3fd3b79455aae7565ebf6ca0

Download Submit
C:\Windows\System\eVLbLKM.exe

Filesize
5.2MB

MD5
967a303bb86f56180e90c2222de08e16

SHA1
ec1df071d1f27666a5d5e391b714a5ea6c9b85b3

SHA256
59266908e7c6f8af3f257f50b5f21b5056741c698ef9b402da3584e55787a96f

SHA512
af0d97f8f2cc77b475b3bc34830c22ab0ae2b6ebbd4dc4569664004e0741485a3843ad80d0bf13c74982fc9572e53a2c29fbd5e4dfb88f845a937c97ffcbf2f5

Download Submit
C:\Windows\System\pwbgwaR.exe

Filesize
5.2MB

MD5
bafaa41ace2a4d69bcc4ba113a44d258

SHA1
6ee4c3cdf712dc886d16ef3fbbed6c468ad3fa79

SHA256
c2a39298c13e05d651380f445c79fd83375e314ae81a8e99f94a74988266222c

SHA512
266fba98daecf9b44e8f0e94e2bbdaeb5779c1ec7a4fc889b0e859489c5e784f2e5ac3e222bb613e787e09fefa4b8a01544b26646e90bdc4ebb5ae9ee4006094

Download Submit
C:\Windows\System\vtMdCOC.exe

Filesize
5.2MB

MD5
74b2a3557f6ac56c404f2cecea2cef7f

SHA1
09d78a94ed53411c1575629af9a88b73f5fb775d

SHA256
ce49e16f2f6bb1a6ef68066c35d2731b8278a03b608df9ff4942ca4947419629

SHA512
c59ddb2ff3e5535faafdc0767b759f6bf5d803b133b9081e74000e707b04b0ea1c901a4b1d8e7b77a1a9fc7e7843d18aa7c213f034b3b17cf65dd04a5b143f06

Download Submit
C:\Windows\System\xJEbBBL.exe

Filesize
5.2MB

MD5
578242c13ed24da165320b83ad8c100e

SHA1
ef95c19e5b0646685c4788bdb3a5520477976a26

SHA256
8199bb98ee647de757d28cb78e6e6b076a2e002ce73f43114a998b2f697670e7

SHA512
8ac6059191e3c27f2ceee41029bfcffbb40f11294623a8ec139f8ad35073f09c8e94e32de5f5be08285a62e411581565f9076f1300127e2e37937410bfe6988c

Download Submit
C:\Windows\System\xaKFUZd.exe

Filesize
5.2MB

MD5
1abb002ebf939133321536b772540ff2

SHA1
3122b2255d422899b419da495ed4cb5f8cfc3ba1

SHA256
b7920ab5d3d325ac4ec9cbe07fb6f844be914d9018447d9932924f9affb8570c

SHA512
da4d3a6880373165eb27c810f903195415e46547fa71676e30b9c74ff361c6f57355009ad4e84f4eac7e52a2620ec03452fe73c539970fd497e698726832bc6d

Download Submit
C:\Windows\System\yOFUXuj.exe

Filesize
5.2MB

MD5
db77e4a98682d0f0130bc85d2e49fa77

SHA1
d002247bbd5a9e6a024e66adbf8f9d7ae52546fc

SHA256
db199b1bdefa10d24488e4185f8c35177a9e697b9564dcf8f6ae5ee60d29f55e

SHA512
ef716fef6bef0a7c21f4314ccc61cbef4d7acf68ca9a73d9aa6bec62956b327fe70bd93e25343d7ab85d634ed5670215984f2f7107851633d46d878e41887681

Download Submit
C:\Windows\System\yOgEUqj.exe

Filesize
5.2MB

MD5
25e4f9a8dc5111740234d2ad0aad8a21

SHA1
4d7c2019785423e48123d8ff5b0e0ee293bb6205

SHA256
f39690409ff379fac752303a2c4371560a100666aaaf5bdd450ca69238ce33a5

SHA512
f3404444b43b17f71722e7d3ca3110f56037913b33395b1cb19d9938fbe18bd680231046a3c1a51a3521885dd6f1668507137e373eed0270240149e3392b8b40

Download Submit
C:\Windows\System\yeykhKt.exe

Filesize
5.2MB

MD5
9c85a379611f943f92dc6ad73e2b8be9

SHA1
16cc9df76fdcfa4994fdbb7d9e59b229c3fd9b84

SHA256
cfbfd7c4fde1a5262a50ecdf0113e991c2034baf6887a79bce9f9f5ae332afb7

SHA512
dbc50860fab6c6431f5131cd0e6cedaae4c14c5c8d5b61b3c13347fe141a360583715ebdec943b7f1124257360e91e4e8fe9bf48259dd44eaaeeb53fffaf5289

Download Submit
memory/1432-226-0x00007FF7A1FB0000-0x00007FF7A2301000-memory.dmp

Filesize
3.3MB

Download
memory/1432-53-0x00007FF7A1FB0000-0x00007FF7A2301000-memory.dmp

Filesize
3.3MB

Download
memory/1524-143-0x00007FF6C1AB0000-0x00007FF6C1E01000-memory.dmp

Filesize
3.3MB

Download
memory/1524-90-0x00007FF6C1AB0000-0x00007FF6C1E01000-memory.dmp

Filesize
3.3MB

Download
memory/1524-250-0x00007FF6C1AB0000-0x00007FF6C1E01000-memory.dmp

Filesize
3.3MB

Download
memory/1668-249-0x00007FF79D310000-0x00007FF79D661000-memory.dmp

Filesize
3.3MB

Download
memory/1668-127-0x00007FF79D310000-0x00007FF79D661000-memory.dmp

Filesize
3.3MB

Download
memory/1736-244-0x00007FF7F5FC0000-0x00007FF7F6311000-memory.dmp

Filesize
3.3MB

Download
memory/1736-126-0x00007FF7F5FC0000-0x00007FF7F6311000-memory.dmp

Filesize
3.3MB

Download
memory/1840-124-0x00007FF7DC170000-0x00007FF7DC4C1000-memory.dmp

Filesize
3.3MB

Download
memory/1840-231-0x00007FF7DC170000-0x00007FF7DC4C1000-memory.dmp

Filesize
3.3MB

Download
memory/1904-232-0x00007FF76E960000-0x00007FF76ECB1000-memory.dmp

Filesize
3.3MB

Download
memory/1904-61-0x00007FF76E960000-0x00007FF76ECB1000-memory.dmp

Filesize
3.3MB

Download
memory/1972-242-0x00007FF6A64B0000-0x00007FF6A6801000-memory.dmp

Filesize
3.3MB

Download
memory/1972-141-0x00007FF6A64B0000-0x00007FF6A6801000-memory.dmp

Filesize
3.3MB

Download
memory/1972-81-0x00007FF6A64B0000-0x00007FF6A6801000-memory.dmp

Filesize
3.3MB

Download
memory/2068-247-0x00007FF7159F0000-0x00007FF715D41000-memory.dmp

Filesize
3.3MB

Download
memory/2068-144-0x00007FF7159F0000-0x00007FF715D41000-memory.dmp

Filesize
3.3MB

Download
memory/2068-102-0x00007FF7159F0000-0x00007FF715D41000-memory.dmp

Filesize
3.3MB

Download
memory/2088-122-0x00007FF69C6A0000-0x00007FF69C9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-228-0x00007FF69C6A0000-0x00007FF69C9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2160-254-0x00007FF65CAA0000-0x00007FF65CDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2160-119-0x00007FF65CAA0000-0x00007FF65CDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2636-11-0x00007FF6EEC20000-0x00007FF6EEF71000-memory.dmp

Filesize
3.3MB

Download
memory/2636-201-0x00007FF6EEC20000-0x00007FF6EEF71000-memory.dmp

Filesize
3.3MB

Download
memory/2636-129-0x00007FF6EEC20000-0x00007FF6EEF71000-memory.dmp

Filesize
3.3MB

Download
memory/2668-150-0x00007FF706BC0000-0x00007FF706F11000-memory.dmp

Filesize
3.3MB

Download
memory/2668-151-0x00007FF706BC0000-0x00007FF706F11000-memory.dmp

Filesize
3.3MB

Download
memory/2668-0-0x00007FF706BC0000-0x00007FF706F11000-memory.dmp

Filesize
3.3MB

Download
memory/2668-1-0x0000019DF7BF0000-0x0000019DF7C00000-memory.dmp

Filesize
64KB

Download
memory/2668-128-0x00007FF706BC0000-0x00007FF706F11000-memory.dmp

Filesize
3.3MB

Download
memory/3136-118-0x00007FF6DB9D0000-0x00007FF6DBD21000-memory.dmp

Filesize
3.3MB

Download
memory/3136-252-0x00007FF6DB9D0000-0x00007FF6DBD21000-memory.dmp

Filesize
3.3MB

Download
memory/3192-123-0x00007FF66C540000-0x00007FF66C891000-memory.dmp

Filesize
3.3MB

Download
memory/3192-234-0x00007FF66C540000-0x00007FF66C891000-memory.dmp

Filesize
3.3MB

Download
memory/3524-47-0x00007FF63ABD0000-0x00007FF63AF21000-memory.dmp

Filesize
3.3MB

Download
memory/3524-224-0x00007FF63ABD0000-0x00007FF63AF21000-memory.dmp

Filesize
3.3MB

Download
memory/3960-220-0x00007FF7F30A0000-0x00007FF7F33F1000-memory.dmp

Filesize
3.3MB

Download
memory/3960-130-0x00007FF7F30A0000-0x00007FF7F33F1000-memory.dmp

Filesize
3.3MB

Download
memory/3960-20-0x00007FF7F30A0000-0x00007FF7F33F1000-memory.dmp

Filesize
3.3MB

Download
memory/4008-258-0x00007FF746800000-0x00007FF746B51000-memory.dmp

Filesize
3.3MB

Download
memory/4008-121-0x00007FF746800000-0x00007FF746B51000-memory.dmp

Filesize
3.3MB

Download
memory/4076-137-0x00007FF7C5080000-0x00007FF7C53D1000-memory.dmp

Filesize
3.3MB

Download
memory/4076-236-0x00007FF7C5080000-0x00007FF7C53D1000-memory.dmp

Filesize
3.3MB

Download
memory/4076-74-0x00007FF7C5080000-0x00007FF7C53D1000-memory.dmp

Filesize
3.3MB

Download
memory/4324-238-0x00007FF6FE3B0000-0x00007FF6FE701000-memory.dmp

Filesize
3.3MB

Download
memory/4324-80-0x00007FF6FE3B0000-0x00007FF6FE701000-memory.dmp

Filesize
3.3MB

Download
memory/4324-139-0x00007FF6FE3B0000-0x00007FF6FE701000-memory.dmp

Filesize
3.3MB

Download
memory/4536-240-0x00007FF790690000-0x00007FF7909E1000-memory.dmp

Filesize
3.3MB

Download
memory/4536-125-0x00007FF790690000-0x00007FF7909E1000-memory.dmp

Filesize
3.3MB

Download
memory/5024-38-0x00007FF7E3ED0000-0x00007FF7E4221000-memory.dmp

Filesize
3.3MB

Download
memory/5024-222-0x00007FF7E3ED0000-0x00007FF7E4221000-memory.dmp

Filesize
3.3MB

Download
memory/5024-131-0x00007FF7E3ED0000-0x00007FF7E4221000-memory.dmp

Filesize
3.3MB

Download
memory/5052-256-0x00007FF7DD840000-0x00007FF7DDB91000-memory.dmp

Filesize
3.3MB

Download
memory/5052-120-0x00007FF7DD840000-0x00007FF7DDB91000-memory.dmp

Filesize
3.3MB

Download