cobaltstrike | c7a65151f0f06acc930e802108eaba95151ed5f57e6b9ec9cc7c8b30d0304654

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2f04e9b651cfbef50874f51bc03fe742
SHA1

693477201650474916775d8f4f7bf7535be0e709
SHA256

c7a65151f0f06acc930e802108eaba95151ed5f57e6b9ec9cc7c8b30d0304654
SHA512

5433cb97a904465daaa9718abdb798ac374f629a71147b91ebba5b0c60733e190d9880ec2f0da4768bcf52f14ea134b30e25cf0fd08191374940d41ebfe5c180
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lz:RWWBibd56utgpPFotBER/mQ32lUP

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023456-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-15.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-19.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-18.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-65.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002345a-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-87.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346d-111.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346e-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023470-136.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346f-134.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-114.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-106.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-92.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/5068-77-0x00007FF667F40000-0x00007FF668291000-memory.dmp	xmrig
behavioral2/memory/4440-73-0x00007FF6958E0000-0x00007FF695C31000-memory.dmp	xmrig
behavioral2/memory/2192-57-0x00007FF7B8B30000-0x00007FF7B8E81000-memory.dmp	xmrig
behavioral2/memory/2688-102-0x00007FF632C90000-0x00007FF632FE1000-memory.dmp	xmrig
behavioral2/memory/1440-105-0x00007FF69B5F0000-0x00007FF69B941000-memory.dmp	xmrig
behavioral2/memory/2184-118-0x00007FF620200000-0x00007FF620551000-memory.dmp	xmrig
behavioral2/memory/1160-131-0x00007FF6ED470000-0x00007FF6ED7C1000-memory.dmp	xmrig
behavioral2/memory/732-138-0x00007FF6C9E50000-0x00007FF6CA1A1000-memory.dmp	xmrig
behavioral2/memory/3044-119-0x00007FF7ECF80000-0x00007FF7ED2D1000-memory.dmp	xmrig
behavioral2/memory/4792-110-0x00007FF731220000-0x00007FF731571000-memory.dmp	xmrig
behavioral2/memory/60-109-0x00007FF7AEF40000-0x00007FF7AF291000-memory.dmp	xmrig
behavioral2/memory/4212-94-0x00007FF737DE0000-0x00007FF738131000-memory.dmp	xmrig
behavioral2/memory/5036-90-0x00007FF69CF80000-0x00007FF69D2D1000-memory.dmp	xmrig
behavioral2/memory/4800-86-0x00007FF78D9B0000-0x00007FF78DD01000-memory.dmp	xmrig
behavioral2/memory/4900-83-0x00007FF6232A0000-0x00007FF6235F1000-memory.dmp	xmrig
behavioral2/memory/3660-139-0x00007FF727460000-0x00007FF7277B1000-memory.dmp	xmrig
behavioral2/memory/4768-143-0x00007FF6162B0000-0x00007FF616601000-memory.dmp	xmrig
behavioral2/memory/4440-140-0x00007FF6958E0000-0x00007FF695C31000-memory.dmp	xmrig
behavioral2/memory/3584-155-0x00007FF71CFC0000-0x00007FF71D311000-memory.dmp	xmrig
behavioral2/memory/2688-157-0x00007FF632C90000-0x00007FF632FE1000-memory.dmp	xmrig
behavioral2/memory/2528-158-0x00007FF6DB3D0000-0x00007FF6DB721000-memory.dmp	xmrig
behavioral2/memory/4824-163-0x00007FF777F80000-0x00007FF7782D1000-memory.dmp	xmrig
behavioral2/memory/4732-164-0x00007FF6895E0000-0x00007FF689931000-memory.dmp	xmrig
behavioral2/memory/5060-165-0x00007FF682190000-0x00007FF6824E1000-memory.dmp	xmrig
behavioral2/memory/4440-166-0x00007FF6958E0000-0x00007FF695C31000-memory.dmp	xmrig
behavioral2/memory/5068-219-0x00007FF667F40000-0x00007FF668291000-memory.dmp	xmrig
behavioral2/memory/4900-221-0x00007FF6232A0000-0x00007FF6235F1000-memory.dmp	xmrig
behavioral2/memory/5036-223-0x00007FF69CF80000-0x00007FF69D2D1000-memory.dmp	xmrig
behavioral2/memory/4800-225-0x00007FF78D9B0000-0x00007FF78DD01000-memory.dmp	xmrig
behavioral2/memory/4212-236-0x00007FF737DE0000-0x00007FF738131000-memory.dmp	xmrig
behavioral2/memory/1440-235-0x00007FF69B5F0000-0x00007FF69B941000-memory.dmp	xmrig
behavioral2/memory/60-239-0x00007FF7AEF40000-0x00007FF7AF291000-memory.dmp	xmrig
behavioral2/memory/2192-240-0x00007FF7B8B30000-0x00007FF7B8E81000-memory.dmp	xmrig
behavioral2/memory/732-243-0x00007FF6C9E50000-0x00007FF6CA1A1000-memory.dmp	xmrig
behavioral2/memory/1160-245-0x00007FF6ED470000-0x00007FF6ED7C1000-memory.dmp	xmrig
behavioral2/memory/2184-246-0x00007FF620200000-0x00007FF620551000-memory.dmp	xmrig
behavioral2/memory/4768-248-0x00007FF6162B0000-0x00007FF616601000-memory.dmp	xmrig
behavioral2/memory/3660-250-0x00007FF727460000-0x00007FF7277B1000-memory.dmp	xmrig
behavioral2/memory/3584-260-0x00007FF71CFC0000-0x00007FF71D311000-memory.dmp	xmrig
behavioral2/memory/2688-261-0x00007FF632C90000-0x00007FF632FE1000-memory.dmp	xmrig
behavioral2/memory/4792-263-0x00007FF731220000-0x00007FF731571000-memory.dmp	xmrig
behavioral2/memory/2528-265-0x00007FF6DB3D0000-0x00007FF6DB721000-memory.dmp	xmrig
behavioral2/memory/3044-267-0x00007FF7ECF80000-0x00007FF7ED2D1000-memory.dmp	xmrig
behavioral2/memory/4824-269-0x00007FF777F80000-0x00007FF7782D1000-memory.dmp	xmrig
behavioral2/memory/4732-271-0x00007FF6895E0000-0x00007FF689931000-memory.dmp	xmrig
behavioral2/memory/5060-273-0x00007FF682190000-0x00007FF6824E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5068	NrPSCcW.exe
4900	NrtBhWo.exe
5036	VRlAFej.exe
4800	gyaAfdO.exe
4212	eNElYwm.exe
1440	IYKpZyM.exe
60	TBsNYRO.exe
2184	DDUqgjt.exe
2192	UUEpzEr.exe
1160	uTVZyHX.exe
732	NtVxqPF.exe
3660	HMVUoxS.exe
4768	ZcHUjVF.exe
3584	dqwznsG.exe
2688	BMPoHwI.exe
4792	NpwhURo.exe
2528	bUtoldk.exe
3044	wjxOdLY.exe
4824	ZEoVlXx.exe
4732	PWHWIVr.exe
5060	qoQOSCX.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4440-0-0x00007FF6958E0000-0x00007FF695C31000-memory.dmp	upx
behavioral2/files/0x0008000000023456-5.dat	upx
behavioral2/memory/5068-8-0x00007FF667F40000-0x00007FF668291000-memory.dmp	upx
behavioral2/files/0x000700000002345d-15.dat	upx
behavioral2/files/0x000700000002345f-19.dat	upx
behavioral2/memory/5036-21-0x00007FF69CF80000-0x00007FF69D2D1000-memory.dmp	upx
behavioral2/files/0x000700000002345e-18.dat	upx
behavioral2/memory/4900-14-0x00007FF6232A0000-0x00007FF6235F1000-memory.dmp	upx
behavioral2/files/0x0007000000023460-35.dat	upx
behavioral2/files/0x0007000000023461-34.dat	upx
behavioral2/files/0x0007000000023462-41.dat	upx
behavioral2/memory/2184-56-0x00007FF620200000-0x00007FF620551000-memory.dmp	upx
behavioral2/memory/1160-58-0x00007FF6ED470000-0x00007FF6ED7C1000-memory.dmp	upx
behavioral2/files/0x0007000000023466-65.dat	upx
behavioral2/files/0x000800000002345a-71.dat	upx
behavioral2/memory/3660-75-0x00007FF727460000-0x00007FF7277B1000-memory.dmp	upx
behavioral2/files/0x0007000000023467-81.dat	upx
behavioral2/memory/4768-80-0x00007FF6162B0000-0x00007FF616601000-memory.dmp	upx
behavioral2/memory/5068-77-0x00007FF667F40000-0x00007FF668291000-memory.dmp	upx
behavioral2/memory/4440-73-0x00007FF6958E0000-0x00007FF695C31000-memory.dmp	upx
behavioral2/memory/732-66-0x00007FF6C9E50000-0x00007FF6CA1A1000-memory.dmp	upx
behavioral2/files/0x0007000000023465-61.dat	upx
behavioral2/files/0x0007000000023463-59.dat	upx
behavioral2/memory/2192-57-0x00007FF7B8B30000-0x00007FF7B8E81000-memory.dmp	upx
behavioral2/files/0x0007000000023464-53.dat	upx
behavioral2/memory/60-42-0x00007FF7AEF40000-0x00007FF7AF291000-memory.dmp	upx
behavioral2/memory/1440-40-0x00007FF69B5F0000-0x00007FF69B941000-memory.dmp	upx
behavioral2/memory/4212-32-0x00007FF737DE0000-0x00007FF738131000-memory.dmp	upx
behavioral2/memory/4800-24-0x00007FF78D9B0000-0x00007FF78DD01000-memory.dmp	upx
behavioral2/files/0x0007000000023468-87.dat	upx
behavioral2/memory/2688-102-0x00007FF632C90000-0x00007FF632FE1000-memory.dmp	upx
behavioral2/memory/1440-105-0x00007FF69B5F0000-0x00007FF69B941000-memory.dmp	upx
behavioral2/files/0x000700000002346d-111.dat	upx
behavioral2/memory/2184-118-0x00007FF620200000-0x00007FF620551000-memory.dmp	upx
behavioral2/files/0x000700000002346e-124.dat	upx
behavioral2/memory/1160-131-0x00007FF6ED470000-0x00007FF6ED7C1000-memory.dmp	upx
behavioral2/memory/732-138-0x00007FF6C9E50000-0x00007FF6CA1A1000-memory.dmp	upx
behavioral2/files/0x0007000000023470-136.dat	upx
behavioral2/files/0x000700000002346f-134.dat	upx
behavioral2/memory/5060-133-0x00007FF682190000-0x00007FF6824E1000-memory.dmp	upx
behavioral2/memory/4732-132-0x00007FF6895E0000-0x00007FF689931000-memory.dmp	upx
behavioral2/memory/4824-123-0x00007FF777F80000-0x00007FF7782D1000-memory.dmp	upx
behavioral2/memory/3044-119-0x00007FF7ECF80000-0x00007FF7ED2D1000-memory.dmp	upx
behavioral2/memory/2528-116-0x00007FF6DB3D0000-0x00007FF6DB721000-memory.dmp	upx
behavioral2/files/0x000700000002346c-114.dat	upx
behavioral2/memory/4792-110-0x00007FF731220000-0x00007FF731571000-memory.dmp	upx
behavioral2/memory/60-109-0x00007FF7AEF40000-0x00007FF7AF291000-memory.dmp	upx
behavioral2/files/0x000700000002346b-106.dat	upx
behavioral2/files/0x000700000002346a-92.dat	upx
behavioral2/memory/4212-94-0x00007FF737DE0000-0x00007FF738131000-memory.dmp	upx
behavioral2/memory/5036-90-0x00007FF69CF80000-0x00007FF69D2D1000-memory.dmp	upx
behavioral2/memory/3584-93-0x00007FF71CFC0000-0x00007FF71D311000-memory.dmp	upx
behavioral2/memory/4800-86-0x00007FF78D9B0000-0x00007FF78DD01000-memory.dmp	upx
behavioral2/memory/4900-83-0x00007FF6232A0000-0x00007FF6235F1000-memory.dmp	upx
behavioral2/memory/3660-139-0x00007FF727460000-0x00007FF7277B1000-memory.dmp	upx
behavioral2/memory/4768-143-0x00007FF6162B0000-0x00007FF616601000-memory.dmp	upx
behavioral2/memory/4440-140-0x00007FF6958E0000-0x00007FF695C31000-memory.dmp	upx
behavioral2/memory/3584-155-0x00007FF71CFC0000-0x00007FF71D311000-memory.dmp	upx
behavioral2/memory/2688-157-0x00007FF632C90000-0x00007FF632FE1000-memory.dmp	upx
behavioral2/memory/2528-158-0x00007FF6DB3D0000-0x00007FF6DB721000-memory.dmp	upx
behavioral2/memory/4824-163-0x00007FF777F80000-0x00007FF7782D1000-memory.dmp	upx
behavioral2/memory/4732-164-0x00007FF6895E0000-0x00007FF689931000-memory.dmp	upx
behavioral2/memory/5060-165-0x00007FF682190000-0x00007FF6824E1000-memory.dmp	upx
behavioral2/memory/4440-166-0x00007FF6958E0000-0x00007FF695C31000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\uTVZyHX.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZEoVlXx.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NrtBhWo.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VRlAFej.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TBsNYRO.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DDUqgjt.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZcHUjVF.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NpwhURo.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qoQOSCX.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NrPSCcW.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gyaAfdO.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eNElYwm.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UUEpzEr.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HMVUoxS.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dqwznsG.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bUtoldk.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wjxOdLY.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IYKpZyM.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NtVxqPF.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BMPoHwI.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PWHWIVr.exe	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 5068	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4440 wrote to memory of 5068	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4440 wrote to memory of 4900	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4440 wrote to memory of 4900	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4440 wrote to memory of 5036	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4440 wrote to memory of 5036	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4440 wrote to memory of 4800	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4440 wrote to memory of 4800	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4440 wrote to memory of 4212	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4440 wrote to memory of 4212	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4440 wrote to memory of 1440	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4440 wrote to memory of 1440	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4440 wrote to memory of 60	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4440 wrote to memory of 60	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4440 wrote to memory of 2184	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4440 wrote to memory of 2184	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4440 wrote to memory of 2192	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4440 wrote to memory of 2192	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4440 wrote to memory of 1160	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4440 wrote to memory of 1160	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4440 wrote to memory of 732	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4440 wrote to memory of 732	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4440 wrote to memory of 3660	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4440 wrote to memory of 3660	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4440 wrote to memory of 4768	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4440 wrote to memory of 4768	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4440 wrote to memory of 3584	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4440 wrote to memory of 3584	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4440 wrote to memory of 2688	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4440 wrote to memory of 2688	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4440 wrote to memory of 4792	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4440 wrote to memory of 4792	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4440 wrote to memory of 2528	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4440 wrote to memory of 2528	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4440 wrote to memory of 3044	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4440 wrote to memory of 3044	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4440 wrote to memory of 4824	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4440 wrote to memory of 4824	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4440 wrote to memory of 4732	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4440 wrote to memory of 4732	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4440 wrote to memory of 5060	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4440 wrote to memory of 5060	4440	2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_2f04e9b651cfbef50874f51bc03fe742_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\System\NrPSCcW.exe
  C:\Windows\System\NrPSCcW.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\NrtBhWo.exe
  C:\Windows\System\NrtBhWo.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\VRlAFej.exe
  C:\Windows\System\VRlAFej.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\gyaAfdO.exe
  C:\Windows\System\gyaAfdO.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System\eNElYwm.exe
  C:\Windows\System\eNElYwm.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\IYKpZyM.exe
  C:\Windows\System\IYKpZyM.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\TBsNYRO.exe
  C:\Windows\System\TBsNYRO.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\DDUqgjt.exe
  C:\Windows\System\DDUqgjt.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\UUEpzEr.exe
  C:\Windows\System\UUEpzEr.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\uTVZyHX.exe
  C:\Windows\System\uTVZyHX.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\NtVxqPF.exe
  C:\Windows\System\NtVxqPF.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System\HMVUoxS.exe
  C:\Windows\System\HMVUoxS.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\ZcHUjVF.exe
  C:\Windows\System\ZcHUjVF.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System\dqwznsG.exe
  C:\Windows\System\dqwznsG.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System\BMPoHwI.exe
  C:\Windows\System\BMPoHwI.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\NpwhURo.exe
  C:\Windows\System\NpwhURo.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\bUtoldk.exe
  C:\Windows\System\bUtoldk.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\wjxOdLY.exe
  C:\Windows\System\wjxOdLY.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\ZEoVlXx.exe
  C:\Windows\System\ZEoVlXx.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System\PWHWIVr.exe
  C:\Windows\System\PWHWIVr.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\qoQOSCX.exe
  C:\Windows\System\qoQOSCX.exe
  2⤵
  - Executes dropped EXE
  PID:5060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BMPoHwI.exe

Filesize
5.2MB

MD5
dd6970b1fd91a45e6a297ad945e76871

SHA1
ba4e76a6291994718551c02ccf825c4b4f281d26

SHA256
586938d395fb06319b8987890ce32721dade0cccc0091686ebc47a5d2a82c535

SHA512
88a7afb31c87eadaf57cb963ffc0f666c1c76dda8c1d01bbb46729ff6602c62cdfb0a2dffc08019963761c2a8c08cb844e7a97a0fd1fe029ece9cc450de6de73

Download Submit
C:\Windows\System\DDUqgjt.exe

Filesize
5.2MB

MD5
0eacd6ec93ccbc54f86dabf8e2cb75f8

SHA1
ae21d1fa16f71c27b0242a178729d07e75755260

SHA256
bc7e769d3a5e3e7559b8db8af15903f80e5164c6b1f36a7b69b3809a128c0441

SHA512
2df414add6b12470c23015f98bcaf9f274399ac82ad36a2d118f41f02ced06eca90aa7a2eeed668a436d50c5eb10a2a85e519fbc1e9d530762685331f76553e7

Download Submit
C:\Windows\System\HMVUoxS.exe

Filesize
5.2MB

MD5
ef93b94d02b42d04361911cbde99eb3a

SHA1
ca57e5431bcd644d8406c69cc28f6359cba86cc3

SHA256
b7381e4526b2efae7dfe54eb1fd501d771a993942d826aa889523f848674ea26

SHA512
97001fad5831dcbff1d55e7e4620465547e0fe28f445c0f97b1ff006f0464a607f3cf021ad34d685a0cff9c63d074d1921a1d1a06d0ad420b2fc4c5524e808b9

Download Submit
C:\Windows\System\IYKpZyM.exe

Filesize
5.2MB

MD5
815af0acbfa92b94424bed341a4e91aa

SHA1
6c4da46bd0e699deef833ee33bcbf31e37e875d1

SHA256
df3c582c0dce8c9baf76c82958ec84e4abecd19e5253b2e88292c08edd9cd6e9

SHA512
fc205b577479279c3c396d2fa5d67553ba3de10355bcafa1f35a5a7e76dd6bcfcb878826f9d8d4475b0f03cb36f5856bf72affcbbf269cbbcd3c0be7f7bc02bd

Download Submit
C:\Windows\System\NpwhURo.exe

Filesize
5.2MB

MD5
7d6ba4538eb3e354efa0b6f22ba968c9

SHA1
885650546d0cb5784b614a5efcc4a7c4446f18a9

SHA256
68f704c0e0a59072ae9becccf7af7c35e28a8bb6eae4d8f56abd516c08be7792

SHA512
c26d8cb52895c4e77c7b169ba2aa46f46d327e367ebdbb4ba70fb062070ae17c777b9096fe77cbb581198a1aefc95339eb81ecdddddfc43030f5ba55425b6af5

Download Submit
C:\Windows\System\NrPSCcW.exe

Filesize
5.2MB

MD5
293bcaeecfc6c3d545f81739705dfc2d

SHA1
0a408256c2aa7ee1d3faa9f405cb80c736b4503f

SHA256
eb602981c9576afe834411323b132597065ea90ff4dea9cf1be022ab7bb03e82

SHA512
71d61e961087ff4f9ef7dbd6f8f98211cfb2d1b258b21f472c7910beb7d772e51683d30bd189afa43b19266725edcf353ed9639e163a1f789d6b48d98da89bf2

Download Submit
C:\Windows\System\NrtBhWo.exe

Filesize
5.2MB

MD5
06a241468bd726ae40ae6c67d24d81b8

SHA1
7ebabad9e7158405f379f3220f478d6c1a540809

SHA256
94e69a01c7fa5a0917a1292a193576795d8950690cf5aba6a37331efc0201666

SHA512
a7ccb6cafa30e9ec80e993e579535f3843e08396458f26267b9561907de984391486c399b87d2852ae3f43393b8c1721dc626ab1fe810ed9a2a9f0a2ca5439a7

Download Submit
C:\Windows\System\NtVxqPF.exe

Filesize
5.2MB

MD5
7287cd40f315ed36d86ab0c337d522b8

SHA1
4da4c6ac0fbf8601e1a976ccc1e8b3e3fdaea0a0

SHA256
3c129970e687eaafcba211e1859ba4e8b46d93f36b66f2dbf59816ded8849beb

SHA512
6d4cf2c3fee4c58a56202cd5e1400122b735af180399731a77eb3d67fb213f43e5c7db70c54097bf0ee0819ce73f12e49f1158aeec92bc08dfb2c497c070ea60

Download Submit
C:\Windows\System\PWHWIVr.exe

Filesize
5.2MB

MD5
7495315c086e30f31bfb81de5bf48c9c

SHA1
dd3ad87d9490233d61ae431080d602bd92752b88

SHA256
8ecef0115f482f812b52a7b40d2ac0b4cbeb9e4cdd076ca88c04eb73f365ef42

SHA512
7df324259555c58c54779e6659d4c1fad1e9245d415c2246db9cc6fda8039edccdd09f4d1b31fb17d962c8298190032836230ef3386bb61c8ed7d5cb5f4df9af

Download Submit
C:\Windows\System\TBsNYRO.exe

Filesize
5.2MB

MD5
bc94624807b2a7c001e424a75462e7c6

SHA1
06de291e077614c0f2664e12aa5ad80b8171aabf

SHA256
1d9f738a12eec3f467459d4109e0ef4af3fae69af31a8adbf33f82aa501fe9a3

SHA512
dc5fffa489043ae078c94672eb05edc11de561cf0014bddfa0b7c17df170a334dec48c7bd3510c60bef50460c9b41a9c13a858c2f26015d350707a17e940d718

Download Submit
C:\Windows\System\UUEpzEr.exe

Filesize
5.2MB

MD5
a0e47f3a12f36d621d3cf3c35e8baeb7

SHA1
823bc4273947c68c8d79bd4c221f2ec026665f27

SHA256
31a36d8e98e5e1e7caf2321a71e6b1cd9fc5c98c27eb4424f042387b57bea3bf

SHA512
84b948e44c0ff3851c02717eb029640523ba5db0db4f8a0ba925780773efdc84a125bdc4c83bba428f420cc873a7863a55a83eba7f4a5f8786d3cc0c0e01b285

Download Submit
C:\Windows\System\VRlAFej.exe

Filesize
5.2MB

MD5
f2389c005225408a2709a5da511fbbaa

SHA1
0f5696cdc3eed1e3f7655034c0cea610abf249a3

SHA256
3350c36311bad0d74f35282998156f64d2d26878987f411ef4ccd78b575864ae

SHA512
6042d89880c9492a9b10247678c27cf5da597a0e24174ff63992443b27b7e42db3ed10bf3c1ee24d24bb86f3365703f04657de0209fc71016f065fcaf3d6f9f2

Download Submit
C:\Windows\System\ZEoVlXx.exe

Filesize
5.2MB

MD5
9dd627e25bf7022e88fa93692b5f6b3b

SHA1
efce224984aeaacfb7b4c72eee8b962c83e55409

SHA256
7084def3e5032da1c144a023e266db2064d120ef16bcdc224f41725c6cbd9dc0

SHA512
f4b4e80fd291584026e78a7c6c96b10bdd3682131c80814848065d191e808b133532ded83a787aadb6af5e672b7e3caa2494ca1565f03b6b0bcfee6eacfa1eb0

Download Submit
C:\Windows\System\ZcHUjVF.exe

Filesize
5.2MB

MD5
f83cbe06526cf6d313612bdbfab53911

SHA1
65f673b531f3c0347ccbe90493cc30f118944bc3

SHA256
e9015e30a870777717d85b6e98729163bcf39b62223b383c62e76023fed71fda

SHA512
43b9e7f659a2f8bfaa7fa837cdf5af288fc5141fe06d1def0df6fad4186c04c0e4d87ca195c26a31701a7ce54c2a6e28d88f58f8f5d2347422e88d710cddd3f5

Download Submit
C:\Windows\System\bUtoldk.exe

Filesize
5.2MB

MD5
5b3cfd0af0e7330ab54bac0cbdce3489

SHA1
8c42b83e387f01e273a4682017575d67cb2a33b1

SHA256
a055f21116051649d2f9398c6ad76d98082bf700f7aa1787c54b8564f673bfda

SHA512
ff49140092ba2909b07814947a725070447ca1363b3dca1bebb521f641b1bf61690da7610745213d0c267308973bfedad784df36b247c3f0401ac949d98cfc26

Download Submit
C:\Windows\System\dqwznsG.exe

Filesize
5.2MB

MD5
0e32e7e4a811de14e9d770c82ef1e366

SHA1
fafea512c1a9a7e52fa1bad8b4c52056540cf824

SHA256
a59c7737f7faf0b0aaacb4eb937883f5249a0a41bbba81125e20b073654db115

SHA512
5aadde32f0ad52522006aceba81d69d1cf1876f5bc088ec2b0cd211653d3885e41cc22cdf0b43c6a11fac8d866b5cd50b70a8b7d0a15afe70709ea685f7f1a95

Download Submit
C:\Windows\System\eNElYwm.exe

Filesize
5.2MB

MD5
d37872f058bbba812f68dc28635fd474

SHA1
562d9a842e4b885da2a7ea8fb4cae70c69f1207b

SHA256
ccff470f3ab32320b2d19c51b37bb8b8c19f61dc7cddb6f2ffb5659e74093b48

SHA512
f4a3eda9bcb1766836b6d5680eba775da860ca5a489b9f252c86524b0d7eb9d08a644e621358e11a4dd0068925b693fb4447f6230296cb5798f0d0d566d0a1b4

Download Submit
C:\Windows\System\gyaAfdO.exe

Filesize
5.2MB

MD5
e172cf2399ea32ededf019d2c13ca21c

SHA1
e8aac055a8ce06899660b6d8b5c27cd38a35276a

SHA256
591661d257b634053bfe6cb29c8a84baff6f9ec8e358679758246b17b026baf1

SHA512
4e704c8e847091302aec58444d2c6c90a77852c9b7a44be5dafdf65d876af96ffb081dc15a20d5564e3c769467282c004c55aab9368d16cbc78335f76411723f

Download Submit
C:\Windows\System\qoQOSCX.exe

Filesize
5.2MB

MD5
5cdc4183ced6626f7da840ee5e31c1d1

SHA1
7c9379b081452dc01410dbe216786e56aecc7472

SHA256
d1e78ae3f09c77c41156d2a5681969ffadf8e3793c3dce7ba9e244cb9ce512af

SHA512
7c7d09553f4f9c03d24cdaa065ba118a9c3d4ffe1ec830872efaa71f9f780f69a3a99dedb536154cec8032758610f19c7dbdbb489c5ee6bbb04530abc018ad65

Download Submit
C:\Windows\System\uTVZyHX.exe

Filesize
5.2MB

MD5
2784372493171b96023ea72ae0a5b828

SHA1
f2f11caef301f851507a860543ed720fce903099

SHA256
d4854916134993d9ce0f899beabaf693d2a163959a529f27525e1040123158a7

SHA512
569d0072edcc32ec5f55d6fc9b9cfdc0076f0019e8e3b38b7b5f9f8cb396ded48848bc15e106e212644be8f0b5a0692da69d15c82e303f4ef9db5482825b3f38

Download Submit
C:\Windows\System\wjxOdLY.exe

Filesize
5.2MB

MD5
f42bbdca4ffb83e9f6b7b1f1ba733921

SHA1
75eed41db9a2311e8245570e042d4278963d8275

SHA256
63156fd87650c2499eded7b05eb752013681b26a8fb447ed9992741a46d06726

SHA512
7043894520142a4b00ed1556aece78aa2871ed0ecdf71c5780d9b7670a17ba268e144a75f5da13551f52673a3638e629814435206f3ebbff4734d93cb9ba600f

Download Submit
memory/60-109-0x00007FF7AEF40000-0x00007FF7AF291000-memory.dmp

Filesize
3.3MB

Download
memory/60-239-0x00007FF7AEF40000-0x00007FF7AF291000-memory.dmp

Filesize
3.3MB

Download
memory/60-42-0x00007FF7AEF40000-0x00007FF7AF291000-memory.dmp

Filesize
3.3MB

Download
memory/732-138-0x00007FF6C9E50000-0x00007FF6CA1A1000-memory.dmp

Filesize
3.3MB

Download
memory/732-243-0x00007FF6C9E50000-0x00007FF6CA1A1000-memory.dmp

Filesize
3.3MB

Download
memory/732-66-0x00007FF6C9E50000-0x00007FF6CA1A1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-245-0x00007FF6ED470000-0x00007FF6ED7C1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-131-0x00007FF6ED470000-0x00007FF6ED7C1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-58-0x00007FF6ED470000-0x00007FF6ED7C1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-40-0x00007FF69B5F0000-0x00007FF69B941000-memory.dmp

Filesize
3.3MB

Download
memory/1440-235-0x00007FF69B5F0000-0x00007FF69B941000-memory.dmp

Filesize
3.3MB

Download
memory/1440-105-0x00007FF69B5F0000-0x00007FF69B941000-memory.dmp

Filesize
3.3MB

Download
memory/2184-246-0x00007FF620200000-0x00007FF620551000-memory.dmp

Filesize
3.3MB

Download
memory/2184-118-0x00007FF620200000-0x00007FF620551000-memory.dmp

Filesize
3.3MB

Download
memory/2184-56-0x00007FF620200000-0x00007FF620551000-memory.dmp

Filesize
3.3MB

Download
memory/2192-240-0x00007FF7B8B30000-0x00007FF7B8E81000-memory.dmp

Filesize
3.3MB

Download
memory/2192-57-0x00007FF7B8B30000-0x00007FF7B8E81000-memory.dmp

Filesize
3.3MB

Download
memory/2528-158-0x00007FF6DB3D0000-0x00007FF6DB721000-memory.dmp

Filesize
3.3MB

Download
memory/2528-265-0x00007FF6DB3D0000-0x00007FF6DB721000-memory.dmp

Filesize
3.3MB

Download
memory/2528-116-0x00007FF6DB3D0000-0x00007FF6DB721000-memory.dmp

Filesize
3.3MB

Download
memory/2688-102-0x00007FF632C90000-0x00007FF632FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-157-0x00007FF632C90000-0x00007FF632FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-261-0x00007FF632C90000-0x00007FF632FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-267-0x00007FF7ECF80000-0x00007FF7ED2D1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-119-0x00007FF7ECF80000-0x00007FF7ED2D1000-memory.dmp

Filesize
3.3MB

Download
memory/3584-93-0x00007FF71CFC0000-0x00007FF71D311000-memory.dmp

Filesize
3.3MB

Download
memory/3584-260-0x00007FF71CFC0000-0x00007FF71D311000-memory.dmp

Filesize
3.3MB

Download
memory/3584-155-0x00007FF71CFC0000-0x00007FF71D311000-memory.dmp

Filesize
3.3MB

Download
memory/3660-139-0x00007FF727460000-0x00007FF7277B1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-250-0x00007FF727460000-0x00007FF7277B1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-75-0x00007FF727460000-0x00007FF7277B1000-memory.dmp

Filesize
3.3MB

Download
memory/4212-32-0x00007FF737DE0000-0x00007FF738131000-memory.dmp

Filesize
3.3MB

Download
memory/4212-94-0x00007FF737DE0000-0x00007FF738131000-memory.dmp

Filesize
3.3MB

Download
memory/4212-236-0x00007FF737DE0000-0x00007FF738131000-memory.dmp

Filesize
3.3MB

Download
memory/4440-1-0x0000021E3AB70000-0x0000021E3AB80000-memory.dmp

Filesize
64KB

Download
memory/4440-166-0x00007FF6958E0000-0x00007FF695C31000-memory.dmp

Filesize
3.3MB

Download
memory/4440-140-0x00007FF6958E0000-0x00007FF695C31000-memory.dmp

Filesize
3.3MB

Download
memory/4440-73-0x00007FF6958E0000-0x00007FF695C31000-memory.dmp

Filesize
3.3MB

Download
memory/4440-0-0x00007FF6958E0000-0x00007FF695C31000-memory.dmp

Filesize
3.3MB

Download
memory/4732-132-0x00007FF6895E0000-0x00007FF689931000-memory.dmp

Filesize
3.3MB

Download
memory/4732-164-0x00007FF6895E0000-0x00007FF689931000-memory.dmp

Filesize
3.3MB

Download
memory/4732-271-0x00007FF6895E0000-0x00007FF689931000-memory.dmp

Filesize
3.3MB

Download
memory/4768-80-0x00007FF6162B0000-0x00007FF616601000-memory.dmp

Filesize
3.3MB

Download
memory/4768-143-0x00007FF6162B0000-0x00007FF616601000-memory.dmp

Filesize
3.3MB

Download
memory/4768-248-0x00007FF6162B0000-0x00007FF616601000-memory.dmp

Filesize
3.3MB

Download
memory/4792-110-0x00007FF731220000-0x00007FF731571000-memory.dmp

Filesize
3.3MB

Download
memory/4792-263-0x00007FF731220000-0x00007FF731571000-memory.dmp

Filesize
3.3MB

Download
memory/4800-86-0x00007FF78D9B0000-0x00007FF78DD01000-memory.dmp

Filesize
3.3MB

Download
memory/4800-225-0x00007FF78D9B0000-0x00007FF78DD01000-memory.dmp

Filesize
3.3MB

Download
memory/4800-24-0x00007FF78D9B0000-0x00007FF78DD01000-memory.dmp

Filesize
3.3MB

Download
memory/4824-163-0x00007FF777F80000-0x00007FF7782D1000-memory.dmp

Filesize
3.3MB

Download
memory/4824-269-0x00007FF777F80000-0x00007FF7782D1000-memory.dmp

Filesize
3.3MB

Download
memory/4824-123-0x00007FF777F80000-0x00007FF7782D1000-memory.dmp

Filesize
3.3MB

Download
memory/4900-14-0x00007FF6232A0000-0x00007FF6235F1000-memory.dmp

Filesize
3.3MB

Download
memory/4900-83-0x00007FF6232A0000-0x00007FF6235F1000-memory.dmp

Filesize
3.3MB

Download
memory/4900-221-0x00007FF6232A0000-0x00007FF6235F1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-90-0x00007FF69CF80000-0x00007FF69D2D1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-223-0x00007FF69CF80000-0x00007FF69D2D1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-21-0x00007FF69CF80000-0x00007FF69D2D1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-133-0x00007FF682190000-0x00007FF6824E1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-165-0x00007FF682190000-0x00007FF6824E1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-273-0x00007FF682190000-0x00007FF6824E1000-memory.dmp

Filesize
3.3MB

Download
memory/5068-77-0x00007FF667F40000-0x00007FF668291000-memory.dmp

Filesize
3.3MB

Download
memory/5068-8-0x00007FF667F40000-0x00007FF668291000-memory.dmp

Filesize
3.3MB

Download
memory/5068-219-0x00007FF667F40000-0x00007FF668291000-memory.dmp

Filesize
3.3MB

Download