cobaltstrike | 2c23c98ac83c66ea7ad7c2ce191c37026c2f7c6ce0880045a964db7be2856bbe

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0b7fa775d690756e95f59dc09444e521
SHA1

8250fd3fe1cf79bf12830e11bbb2d5f6f1b94e11
SHA256

2c23c98ac83c66ea7ad7c2ce191c37026c2f7c6ce0880045a964db7be2856bbe
SHA512

5b07bcb2a20a4ff19c84ea816717c5c882d697bff07683c104140049cd10238a60f2da46180f02b67e9f5abcf0dc00cdf1e5256c6f8bf0dc502a5d930b3168ef
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l3:RWWBibf56utgpPFotBER/mQ32lUD

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000700000002342b-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342c-16.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342d-28.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342e-27.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023427-8.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023430-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023431-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-69.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342f-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023438-103.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-107.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-119.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-130.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-133.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4304-67-0x00007FF6B8330000-0x00007FF6B8681000-memory.dmp	xmrig
behavioral2/memory/208-62-0x00007FF71E8A0000-0x00007FF71EBF1000-memory.dmp	xmrig
behavioral2/memory/3700-71-0x00007FF768230000-0x00007FF768581000-memory.dmp	xmrig
behavioral2/memory/2208-82-0x00007FF711FD0000-0x00007FF712321000-memory.dmp	xmrig
behavioral2/memory/2656-76-0x00007FF6C53F0000-0x00007FF6C5741000-memory.dmp	xmrig
behavioral2/memory/4220-108-0x00007FF6273B0000-0x00007FF627701000-memory.dmp	xmrig
behavioral2/memory/4532-101-0x00007FF7E74D0000-0x00007FF7E7821000-memory.dmp	xmrig
behavioral2/memory/3620-100-0x00007FF634EF0000-0x00007FF635241000-memory.dmp	xmrig
behavioral2/memory/2436-95-0x00007FF669190000-0x00007FF6694E1000-memory.dmp	xmrig
behavioral2/memory/2432-94-0x00007FF730880000-0x00007FF730BD1000-memory.dmp	xmrig
behavioral2/memory/3864-115-0x00007FF6B5F40000-0x00007FF6B6291000-memory.dmp	xmrig
behavioral2/memory/1324-114-0x00007FF635B00000-0x00007FF635E51000-memory.dmp	xmrig
behavioral2/memory/436-121-0x00007FF60E680000-0x00007FF60E9D1000-memory.dmp	xmrig
behavioral2/memory/1668-125-0x00007FF7FE000000-0x00007FF7FE351000-memory.dmp	xmrig
behavioral2/memory/3616-137-0x00007FF6C1090000-0x00007FF6C13E1000-memory.dmp	xmrig
behavioral2/memory/208-141-0x00007FF71E8A0000-0x00007FF71EBF1000-memory.dmp	xmrig
behavioral2/memory/4040-154-0x00007FF7B6E50000-0x00007FF7B71A1000-memory.dmp	xmrig
behavioral2/memory/3604-155-0x00007FF782450000-0x00007FF7827A1000-memory.dmp	xmrig
behavioral2/memory/4920-156-0x00007FF739E00000-0x00007FF73A151000-memory.dmp	xmrig
behavioral2/memory/5032-157-0x00007FF60EA20000-0x00007FF60ED71000-memory.dmp	xmrig
behavioral2/memory/436-163-0x00007FF60E680000-0x00007FF60E9D1000-memory.dmp	xmrig
behavioral2/memory/3532-164-0x00007FF7C6A20000-0x00007FF7C6D71000-memory.dmp	xmrig
behavioral2/memory/3512-167-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp	xmrig
behavioral2/memory/208-168-0x00007FF71E8A0000-0x00007FF71EBF1000-memory.dmp	xmrig
behavioral2/memory/1960-179-0x00007FF71CFF0000-0x00007FF71D341000-memory.dmp	xmrig
behavioral2/memory/4304-228-0x00007FF6B8330000-0x00007FF6B8681000-memory.dmp	xmrig
behavioral2/memory/3700-230-0x00007FF768230000-0x00007FF768581000-memory.dmp	xmrig
behavioral2/memory/2656-232-0x00007FF6C53F0000-0x00007FF6C5741000-memory.dmp	xmrig
behavioral2/memory/2208-234-0x00007FF711FD0000-0x00007FF712321000-memory.dmp	xmrig
behavioral2/memory/2432-236-0x00007FF730880000-0x00007FF730BD1000-memory.dmp	xmrig
behavioral2/memory/4532-238-0x00007FF7E74D0000-0x00007FF7E7821000-memory.dmp	xmrig
behavioral2/memory/3620-240-0x00007FF634EF0000-0x00007FF635241000-memory.dmp	xmrig
behavioral2/memory/1324-244-0x00007FF635B00000-0x00007FF635E51000-memory.dmp	xmrig
behavioral2/memory/4220-245-0x00007FF6273B0000-0x00007FF627701000-memory.dmp	xmrig
behavioral2/memory/3864-247-0x00007FF6B5F40000-0x00007FF6B6291000-memory.dmp	xmrig
behavioral2/memory/1668-249-0x00007FF7FE000000-0x00007FF7FE351000-memory.dmp	xmrig
behavioral2/memory/3616-254-0x00007FF6C1090000-0x00007FF6C13E1000-memory.dmp	xmrig
behavioral2/memory/4040-256-0x00007FF7B6E50000-0x00007FF7B71A1000-memory.dmp	xmrig
behavioral2/memory/2436-260-0x00007FF669190000-0x00007FF6694E1000-memory.dmp	xmrig
behavioral2/memory/3604-262-0x00007FF782450000-0x00007FF7827A1000-memory.dmp	xmrig
behavioral2/memory/4920-265-0x00007FF739E00000-0x00007FF73A151000-memory.dmp	xmrig
behavioral2/memory/5032-266-0x00007FF60EA20000-0x00007FF60ED71000-memory.dmp	xmrig
behavioral2/memory/436-273-0x00007FF60E680000-0x00007FF60E9D1000-memory.dmp	xmrig
behavioral2/memory/3532-275-0x00007FF7C6A20000-0x00007FF7C6D71000-memory.dmp	xmrig
behavioral2/memory/3512-277-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp	xmrig
behavioral2/memory/1960-279-0x00007FF71CFF0000-0x00007FF71D341000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4304	NQGDatJ.exe
3700	BHqNWtr.exe
2656	iySEtuW.exe
2208	KqhoaWO.exe
2432	fbujstA.exe
3620	qvqhXSy.exe
4532	blUBnqf.exe
4220	jFmDBhp.exe
1324	IeuSZDS.exe
3864	BccfVde.exe
1668	IYbVRSz.exe
3616	azJeOLm.exe
4040	hhTApBq.exe
2436	vNYqotg.exe
3604	dwacXVX.exe
4920	MpIUbPE.exe
5032	cvWCLdq.exe
436	NQIeJIf.exe
3532	EFXUVzv.exe
3512	oRqUvjJ.exe
1960	HAhbvvK.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/208-0-0x00007FF71E8A0000-0x00007FF71EBF1000-memory.dmp	upx
behavioral2/memory/4304-9-0x00007FF6B8330000-0x00007FF6B8681000-memory.dmp	upx
behavioral2/files/0x000700000002342b-10.dat	upx
behavioral2/files/0x000700000002342c-16.dat	upx
behavioral2/files/0x000700000002342d-28.dat	upx
behavioral2/memory/2432-30-0x00007FF730880000-0x00007FF730BD1000-memory.dmp	upx
behavioral2/files/0x000700000002342e-27.dat	upx
behavioral2/memory/2208-26-0x00007FF711FD0000-0x00007FF712321000-memory.dmp	upx
behavioral2/memory/2656-18-0x00007FF6C53F0000-0x00007FF6C5741000-memory.dmp	upx
behavioral2/memory/3700-12-0x00007FF768230000-0x00007FF768581000-memory.dmp	upx
behavioral2/files/0x0008000000023427-8.dat	upx
behavioral2/memory/3620-39-0x00007FF634EF0000-0x00007FF635241000-memory.dmp	upx
behavioral2/files/0x0007000000023430-43.dat	upx
behavioral2/memory/4220-48-0x00007FF6273B0000-0x00007FF627701000-memory.dmp	upx
behavioral2/files/0x0007000000023431-51.dat	upx
behavioral2/files/0x0007000000023432-52.dat	upx
behavioral2/files/0x0007000000023433-58.dat	upx
behavioral2/memory/3864-64-0x00007FF6B5F40000-0x00007FF6B6291000-memory.dmp	upx
behavioral2/memory/4304-67-0x00007FF6B8330000-0x00007FF6B8681000-memory.dmp	upx
behavioral2/files/0x0007000000023434-69.dat	upx
behavioral2/memory/1668-68-0x00007FF7FE000000-0x00007FF7FE351000-memory.dmp	upx
behavioral2/memory/208-62-0x00007FF71E8A0000-0x00007FF71EBF1000-memory.dmp	upx
behavioral2/memory/1324-55-0x00007FF635B00000-0x00007FF635E51000-memory.dmp	upx
behavioral2/files/0x000700000002342f-41.dat	upx
behavioral2/memory/4532-40-0x00007FF7E74D0000-0x00007FF7E7821000-memory.dmp	upx
behavioral2/memory/3700-71-0x00007FF768230000-0x00007FF768581000-memory.dmp	upx
behavioral2/files/0x0007000000023435-74.dat	upx
behavioral2/files/0x0007000000023436-81.dat	upx
behavioral2/memory/2208-82-0x00007FF711FD0000-0x00007FF712321000-memory.dmp	upx
behavioral2/memory/3616-77-0x00007FF6C1090000-0x00007FF6C13E1000-memory.dmp	upx
behavioral2/memory/2656-76-0x00007FF6C53F0000-0x00007FF6C5741000-memory.dmp	upx
behavioral2/memory/4040-83-0x00007FF7B6E50000-0x00007FF7B71A1000-memory.dmp	upx
behavioral2/files/0x0007000000023437-87.dat	upx
behavioral2/files/0x0007000000023439-99.dat	upx
behavioral2/files/0x0007000000023438-103.dat	upx
behavioral2/files/0x000700000002343a-107.dat	upx
behavioral2/memory/5032-109-0x00007FF60EA20000-0x00007FF60ED71000-memory.dmp	upx
behavioral2/memory/4220-108-0x00007FF6273B0000-0x00007FF627701000-memory.dmp	upx
behavioral2/memory/4920-102-0x00007FF739E00000-0x00007FF73A151000-memory.dmp	upx
behavioral2/memory/4532-101-0x00007FF7E74D0000-0x00007FF7E7821000-memory.dmp	upx
behavioral2/memory/3620-100-0x00007FF634EF0000-0x00007FF635241000-memory.dmp	upx
behavioral2/memory/3604-96-0x00007FF782450000-0x00007FF7827A1000-memory.dmp	upx
behavioral2/memory/2436-95-0x00007FF669190000-0x00007FF6694E1000-memory.dmp	upx
behavioral2/memory/2432-94-0x00007FF730880000-0x00007FF730BD1000-memory.dmp	upx
behavioral2/memory/3864-115-0x00007FF6B5F40000-0x00007FF6B6291000-memory.dmp	upx
behavioral2/memory/1324-114-0x00007FF635B00000-0x00007FF635E51000-memory.dmp	upx
behavioral2/files/0x000700000002343b-119.dat	upx
behavioral2/memory/436-121-0x00007FF60E680000-0x00007FF60E9D1000-memory.dmp	upx
behavioral2/memory/1668-125-0x00007FF7FE000000-0x00007FF7FE351000-memory.dmp	upx
behavioral2/memory/3532-128-0x00007FF7C6A20000-0x00007FF7C6D71000-memory.dmp	upx
behavioral2/files/0x000700000002343c-130.dat	upx
behavioral2/files/0x000700000002343e-133.dat	upx
behavioral2/memory/1960-138-0x00007FF71CFF0000-0x00007FF71D341000-memory.dmp	upx
behavioral2/memory/3616-137-0x00007FF6C1090000-0x00007FF6C13E1000-memory.dmp	upx
behavioral2/memory/3512-135-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp	upx
behavioral2/files/0x000700000002343d-134.dat	upx
behavioral2/memory/208-141-0x00007FF71E8A0000-0x00007FF71EBF1000-memory.dmp	upx
behavioral2/memory/4040-154-0x00007FF7B6E50000-0x00007FF7B71A1000-memory.dmp	upx
behavioral2/memory/3604-155-0x00007FF782450000-0x00007FF7827A1000-memory.dmp	upx
behavioral2/memory/4920-156-0x00007FF739E00000-0x00007FF73A151000-memory.dmp	upx
behavioral2/memory/5032-157-0x00007FF60EA20000-0x00007FF60ED71000-memory.dmp	upx
behavioral2/memory/436-163-0x00007FF60E680000-0x00007FF60E9D1000-memory.dmp	upx
behavioral2/memory/3532-164-0x00007FF7C6A20000-0x00007FF7C6D71000-memory.dmp	upx
behavioral2/memory/3512-167-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\hhTApBq.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NQGDatJ.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BHqNWtr.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iySEtuW.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fbujstA.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\blUBnqf.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IeuSZDS.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\azJeOLm.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EFXUVzv.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qvqhXSy.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BccfVde.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oRqUvjJ.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KqhoaWO.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jFmDBhp.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vNYqotg.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cvWCLdq.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NQIeJIf.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IYbVRSz.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dwacXVX.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MpIUbPE.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HAhbvvK.exe	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 4304	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 208 wrote to memory of 4304	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 208 wrote to memory of 3700	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 208 wrote to memory of 3700	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 208 wrote to memory of 2656	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 208 wrote to memory of 2656	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 208 wrote to memory of 2208	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 208 wrote to memory of 2208	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 208 wrote to memory of 2432	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 208 wrote to memory of 2432	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 208 wrote to memory of 3620	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 208 wrote to memory of 3620	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 208 wrote to memory of 4532	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 208 wrote to memory of 4532	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 208 wrote to memory of 4220	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 208 wrote to memory of 4220	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 208 wrote to memory of 1324	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 208 wrote to memory of 1324	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 208 wrote to memory of 3864	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 208 wrote to memory of 3864	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 208 wrote to memory of 1668	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 208 wrote to memory of 1668	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 208 wrote to memory of 3616	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 208 wrote to memory of 3616	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 208 wrote to memory of 4040	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 208 wrote to memory of 4040	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 208 wrote to memory of 2436	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 208 wrote to memory of 2436	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 208 wrote to memory of 3604	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 208 wrote to memory of 3604	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 208 wrote to memory of 4920	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 208 wrote to memory of 4920	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 208 wrote to memory of 5032	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 208 wrote to memory of 5032	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 208 wrote to memory of 436	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 208 wrote to memory of 436	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 208 wrote to memory of 3532	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 208 wrote to memory of 3532	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 208 wrote to memory of 3512	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 208 wrote to memory of 3512	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 208 wrote to memory of 1960	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 208 wrote to memory of 1960	208	2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_0b7fa775d690756e95f59dc09444e521_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\System\NQGDatJ.exe
  C:\Windows\System\NQGDatJ.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\BHqNWtr.exe
  C:\Windows\System\BHqNWtr.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System\iySEtuW.exe
  C:\Windows\System\iySEtuW.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\KqhoaWO.exe
  C:\Windows\System\KqhoaWO.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System\fbujstA.exe
  C:\Windows\System\fbujstA.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\qvqhXSy.exe
  C:\Windows\System\qvqhXSy.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\blUBnqf.exe
  C:\Windows\System\blUBnqf.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\jFmDBhp.exe
  C:\Windows\System\jFmDBhp.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\IeuSZDS.exe
  C:\Windows\System\IeuSZDS.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\BccfVde.exe
  C:\Windows\System\BccfVde.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System\IYbVRSz.exe
  C:\Windows\System\IYbVRSz.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\azJeOLm.exe
  C:\Windows\System\azJeOLm.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\hhTApBq.exe
  C:\Windows\System\hhTApBq.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\vNYqotg.exe
  C:\Windows\System\vNYqotg.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\dwacXVX.exe
  C:\Windows\System\dwacXVX.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System\MpIUbPE.exe
  C:\Windows\System\MpIUbPE.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\cvWCLdq.exe
  C:\Windows\System\cvWCLdq.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\NQIeJIf.exe
  C:\Windows\System\NQIeJIf.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\EFXUVzv.exe
  C:\Windows\System\EFXUVzv.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System\oRqUvjJ.exe
  C:\Windows\System\oRqUvjJ.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\HAhbvvK.exe
  C:\Windows\System\HAhbvvK.exe
  2⤵
  - Executes dropped EXE
  PID:1960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BHqNWtr.exe

Filesize
5.2MB

MD5
7e85bc98e7cf6fabe55ce9f881db42d3

SHA1
d64bde3ba83e5c6fc16a2323a0e2232e97d12e18

SHA256
c682337ca6e6e55b7c98c7df8495c45d3b39d0209854a2abb2edfc114d4d89f9

SHA512
301db612e6813dede668bbed30ccd9f5c73e2f19f9024b5b407d349f939b76d0a1cf1c07820d70a6a67cb926fa0b6b14b4290fa84a4444bfdce6386063b2cbef

Download Submit
C:\Windows\System\BccfVde.exe

Filesize
5.2MB

MD5
89cf62731d8a8977a0e21c96b04f86ea

SHA1
b028ed498da9de5e1078193e3e378979f1ecb26d

SHA256
fb9a8eea5304906270cc952739804d7b672cce6f8738fb2dde9ce787d188b870

SHA512
a96936edaf382bef685433dc8eab7369d2b383f42882b57625e1612c1f08171d52f72222d44b270a2462bcebc06bbe646bb68cd5d377162eccf32497cc9fdc47

Download Submit
C:\Windows\System\EFXUVzv.exe

Filesize
5.2MB

MD5
87b02ffaf469c81fc6f395e57c5aab04

SHA1
e185f1392382b1713ea669a9a8021de272aa8121

SHA256
3688d03581636afbbeea8bc2c6796cd6b9f037cdb24126c2384f6440d57e1b10

SHA512
67543c1759258dc7bab98a87a0ae079d95bd818f920afb27242e514cc37a6231e37c629f2e9b42c351b350bd35dfad8411cbbbf0441b6351b9e877479a09e647

Download Submit
C:\Windows\System\HAhbvvK.exe

Filesize
5.2MB

MD5
2dffa3b71e16fc49cccbcd0bb0635ed0

SHA1
b181b959cf14928ee1a5b50baca4ca99a0b24d50

SHA256
ad360e75f6f6f0eae809e6887202c123f6fda21923e09ca841f6b8b79ba6a58f

SHA512
6567c5c1d4c42642e4a3a39156d821ee6aec98b5c270d42103622a597d774b80d12a4ddf2e7d16af7855f0a9e34d981fe6af432ff7793830040c2c330ca761ca

Download Submit
C:\Windows\System\IYbVRSz.exe

Filesize
5.2MB

MD5
94a7b4f57c186d24fbc0964198151be9

SHA1
fac4cbc322a29c8e3f3a2fdfc24b469816825b1c

SHA256
31dd5ce1002227a7d47ef3232fda069f10125637bf32cc86c6d3a29ae6d6d921

SHA512
9c645617e4a1df7ef40dcf5f5809d843dc84d9eaade16aa155306fdba8edeec46a99379a291428570b0eadf014156f1e2137e9721eae473a33fd11b0189ed3bd

Download Submit
C:\Windows\System\IeuSZDS.exe

Filesize
5.2MB

MD5
0389abcea7c2f11273efbd82eb769ff0

SHA1
88a8065b5ef24cacdeac41edc9c0cb6fc99eb1ce

SHA256
5dafa57254f3c3e94d8dc30b2a1c3e7912684a97fe70b982173702c840bc20a3

SHA512
cc24f90eaad411f01331ad5b3ab14ed19960028987e8c2e106671f2ef7a9f83bf43f4a3c4144e840f0b717e9df68deca1067c742261cc1ccec51686f0f57c859

Download Submit
C:\Windows\System\KqhoaWO.exe

Filesize
5.2MB

MD5
d6271314b19d21a9650f02efd7963406

SHA1
ad287b5ac55a9bf5f040f3512bd63479851a7e87

SHA256
97e88566a26274d81f42fee349fcc3a3e382e753b104d6c6d4a7a51d503fd9fe

SHA512
d648b11e68b665187a4b9267c5a4480fbfd08100ab777e3885614566ab6b618a960635fd7488b6c319714b6a5ca9733715ae0016f0f1d94e3be59e6758879d84

Download Submit
C:\Windows\System\MpIUbPE.exe

Filesize
5.2MB

MD5
ab8d50870d3b9d91f21e65d11baed544

SHA1
24023d560610d6d91e9edc9ff6d27fcc4c908bac

SHA256
1ee4827e43830e9490b0f02c6cb696080d4518d53df4cd884a889636658061d0

SHA512
4396613012b77adedb485c9d62a7203e90feae5b1b3bb69ced5f8c72af4a8b4a0553afa19e6be3c366fec0f35899cb6d2f27696ab1dc0c0a24f08bbcd53c45c4

Download Submit
C:\Windows\System\NQGDatJ.exe

Filesize
5.2MB

MD5
8d5e8d6ed39a47987f2c23d6f5f5d6c5

SHA1
c1a8e776a21fc98b7ce91ce916391b75f221273a

SHA256
471943a4c5e42c7be758b6db0511d6af1e2adad583f0c264b10bb5e92c4adf2b

SHA512
1001852d690e4c94403feed1a3e7d6facdb208100ce8ba9d5a7bad46a9b9be25938a9fd3987d0a4dbfac24a26a1402eb3afcffd9dce2c3c8e15e29e57be3e13d

Download Submit
C:\Windows\System\NQIeJIf.exe

Filesize
5.2MB

MD5
f7ce9e01bd374014c0ec5e6f452a1bde

SHA1
111a99298a0570dd5b3f72be954581b3869c8c91

SHA256
69bb4e51626059bbf8fd6e71e10ae3b43210473825c55e3cfdb2b286a7da4b31

SHA512
16c1d8678e8f6d1a651f8b71d8471c94e56282e3189cd8e7913b5b0cf2bd26c09db39d25afd8f20b4c8d2ba7c5dc72d7ea83c9504d6201a3b6474c3ffac79118

Download Submit
C:\Windows\System\azJeOLm.exe

Filesize
5.2MB

MD5
bd566f2b8c3e2a797272de1208856c66

SHA1
2c702728a811ac98408be2a418c6a81ab317e88a

SHA256
d3921c06171b6cbd3fa98138ff904418f8e0c408e61ce013266d0239709666cf

SHA512
c06c3d0ebac0026dc18be48b8c845d5874b55231f77b15241e8e185a56b316eed60d05b487a7e2c4e553c5d3a3b74925ad5c79a49b601e80b9fee3ec2757a2a4

Download Submit
C:\Windows\System\blUBnqf.exe

Filesize
5.2MB

MD5
71dae1ca306ef729e4df316e45915a1e

SHA1
5e11016c5144f05baacab95f06c1456299c35a8f

SHA256
0e3485e3621edae6fc3761b704f096393db8f30925e9912b4e6341df97719a24

SHA512
02b07d15729eed09b4b46c8c06893a7e18ea3388cf2ad53e2744725fdc3b69a66be4e740d1e5a089ef2224945d9b1d6fb8effd62e3d5695818b093d3ef9ca5ea

Download Submit
C:\Windows\System\cvWCLdq.exe

Filesize
5.2MB

MD5
8343c7b8698f9a24c2d5dfa3b0d4a741

SHA1
3776a7d2383ef1fed969c35fb574dcf439d16b3f

SHA256
e18830d870e6a0e4a9359e6fd06e7254f6ab8c23ab82c5d46962ca2880b562e4

SHA512
d6e67abef93734fc927de4e83843924abafcae763007b23dbeb785068864d185cb201db8116e2bd8fc396e099f568bcbea5e4d85fc625af461a234b2b31cb24f

Download Submit
C:\Windows\System\dwacXVX.exe

Filesize
5.2MB

MD5
9ac1ccb77e997014fe503e0fa503b95b

SHA1
6590dcc5f249d62eb9b3d7aa7327b5c26ada0c78

SHA256
1abcdeabce8e896d5ad85f4dab2faba1dfe4f569512640d71ee9d72f6f9a6ac3

SHA512
18557a9494d0b9157fa5a36fb2d23bffcb171236935b2c18b113fe8cb68074d00531a51cf76fc7be0a285d74869dae0087a69593dadf245b1120b0ddbc25a610

Download Submit
C:\Windows\System\fbujstA.exe

Filesize
5.2MB

MD5
bb366a6a7438602f4c1042b35058f580

SHA1
bb014a31e4c9392d960c71736cdc4718911c8f06

SHA256
b7a600fa97b945e7954b30dd9e90104f3b512887d260bd31352a56c7c0d105f5

SHA512
b14440fc486d9f46e1e54226eae109a41e5ac64859a79c751b9dc39000fc2a558c333f686769aae3c82dca0fc18347d4589567c3257d5d300c5e7c7f8df9c04a

Download Submit
C:\Windows\System\hhTApBq.exe

Filesize
5.2MB

MD5
ff01e7498fdb028081b0563e712a40d0

SHA1
ff892fa1c6cfc80502b03a8f6aabd5c7b07d246b

SHA256
b072c358d226767deef49ee4ea642cb3a43e34169b3716bb1fee15e1e1b322eb

SHA512
e789ca1da2f9121fef1e6c9710fed1aab6c610c3b01de75ed9056c899e14e7ee2bbd2ac5a9b5c9caa3ea7f6c50f1344d355885406493bfb8e9ae09991eff4a07

Download Submit
C:\Windows\System\iySEtuW.exe

Filesize
5.2MB

MD5
d5e20d87b31ef4b5ac5e7d68c3294841

SHA1
c02595d89052b95ef2976acacbecb49e05f0cf1e

SHA256
8cdaa0657ad33c0829232b877690f29ad1112268de2fb57cc7320210dede88c4

SHA512
4492a16cc910e7a2c091512afea4fe8ec4520a9f349619fe8d46a35fa50e3a192d2a14a35c8dda9d91ec7fa34a5074df8bc4d29a61e02a9d82ae109643fa5e99

Download Submit
C:\Windows\System\jFmDBhp.exe

Filesize
5.2MB

MD5
0161c03fde3aec449a6a221f1d0cecfe

SHA1
6e7eaa30c6a038ec110a5e19e3a699f8dff485b8

SHA256
4e6ea31da5d2d5d2db07af80fad9a4516656cef376114bec484cb53d99910695

SHA512
e138addb49a414a2749bead2cbd524323572e592dbecc9e588f65b74ca9a41c539333e2a686037928efdec5462391011742d0b253e8f663d593f380c914e815c

Download Submit
C:\Windows\System\oRqUvjJ.exe

Filesize
5.2MB

MD5
1c75a3106eb9138368dc09023ad69fb5

SHA1
0fa272bd1e1b7a9b97af3c9fe10f019fe720833e

SHA256
0b830233c6d306554dec9a4ad593dfed3d6508fe7ac45393cae0d852d113e12c

SHA512
63af188994078ecbc64df31a3a653714ce37f1203b9750ae686876b4fb0b2fd992897f31a00ae3f2457cd35792645303a3718f6d3cbf45588b2bbbc18d7312c2

Download Submit
C:\Windows\System\qvqhXSy.exe

Filesize
5.2MB

MD5
10d17e1ddfa933b9642d632bf06a58d1

SHA1
74396487ddf70619932ba66560de78a7104d1055

SHA256
8b092bc1f60f6965d22b5465410ca59eb7667d9c0737cb82531664a028c514fd

SHA512
379e4f5e9bf69e226dab233ef70fd532ea290fe063a70c7be95f2006f3400b8ea5fd67138b35a7fd8fb8c63b8fee5e6403b01762c0041507d156c453625c78f1

Download Submit
C:\Windows\System\vNYqotg.exe

Filesize
5.2MB

MD5
e2881e883d210c7afa223befa62460a2

SHA1
b61d9cb9243ecd27b9ecb98d1a0aba4b07baa9b0

SHA256
c5620212fdae16ad1f9cc6e8bd08626fcb242693b994ee6847cba1955964b674

SHA512
b8a5a0056c1b1d01006724b885e57f5e7149c27421151876044605f0b801e30f9b8f1ade9331ba297b9dbdb982abb95ead553dd71636cef78aea95ef2c0b6393

Download Submit
memory/208-1-0x00000260E24E0000-0x00000260E24F0000-memory.dmp

Filesize
64KB

Download
memory/208-62-0x00007FF71E8A0000-0x00007FF71EBF1000-memory.dmp

Filesize
3.3MB

Download
memory/208-141-0x00007FF71E8A0000-0x00007FF71EBF1000-memory.dmp

Filesize
3.3MB

Download
memory/208-168-0x00007FF71E8A0000-0x00007FF71EBF1000-memory.dmp

Filesize
3.3MB

Download
memory/208-0-0x00007FF71E8A0000-0x00007FF71EBF1000-memory.dmp

Filesize
3.3MB

Download
memory/436-121-0x00007FF60E680000-0x00007FF60E9D1000-memory.dmp

Filesize
3.3MB

Download
memory/436-163-0x00007FF60E680000-0x00007FF60E9D1000-memory.dmp

Filesize
3.3MB

Download
memory/436-273-0x00007FF60E680000-0x00007FF60E9D1000-memory.dmp

Filesize
3.3MB

Download
memory/1324-55-0x00007FF635B00000-0x00007FF635E51000-memory.dmp

Filesize
3.3MB

Download
memory/1324-114-0x00007FF635B00000-0x00007FF635E51000-memory.dmp

Filesize
3.3MB

Download
memory/1324-244-0x00007FF635B00000-0x00007FF635E51000-memory.dmp

Filesize
3.3MB

Download
memory/1668-249-0x00007FF7FE000000-0x00007FF7FE351000-memory.dmp

Filesize
3.3MB

Download
memory/1668-125-0x00007FF7FE000000-0x00007FF7FE351000-memory.dmp

Filesize
3.3MB

Download
memory/1668-68-0x00007FF7FE000000-0x00007FF7FE351000-memory.dmp

Filesize
3.3MB

Download
memory/1960-179-0x00007FF71CFF0000-0x00007FF71D341000-memory.dmp

Filesize
3.3MB

Download
memory/1960-279-0x00007FF71CFF0000-0x00007FF71D341000-memory.dmp

Filesize
3.3MB

Download
memory/1960-138-0x00007FF71CFF0000-0x00007FF71D341000-memory.dmp

Filesize
3.3MB

Download
memory/2208-82-0x00007FF711FD0000-0x00007FF712321000-memory.dmp

Filesize
3.3MB

Download
memory/2208-234-0x00007FF711FD0000-0x00007FF712321000-memory.dmp

Filesize
3.3MB

Download
memory/2208-26-0x00007FF711FD0000-0x00007FF712321000-memory.dmp

Filesize
3.3MB

Download
memory/2432-94-0x00007FF730880000-0x00007FF730BD1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-236-0x00007FF730880000-0x00007FF730BD1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-30-0x00007FF730880000-0x00007FF730BD1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-260-0x00007FF669190000-0x00007FF6694E1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-95-0x00007FF669190000-0x00007FF6694E1000-memory.dmp

Filesize
3.3MB

Download
memory/2656-18-0x00007FF6C53F0000-0x00007FF6C5741000-memory.dmp

Filesize
3.3MB

Download
memory/2656-232-0x00007FF6C53F0000-0x00007FF6C5741000-memory.dmp

Filesize
3.3MB

Download
memory/2656-76-0x00007FF6C53F0000-0x00007FF6C5741000-memory.dmp

Filesize
3.3MB

Download
memory/3512-167-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp

Filesize
3.3MB

Download
memory/3512-135-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp

Filesize
3.3MB

Download
memory/3512-277-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp

Filesize
3.3MB

Download
memory/3532-164-0x00007FF7C6A20000-0x00007FF7C6D71000-memory.dmp

Filesize
3.3MB

Download
memory/3532-128-0x00007FF7C6A20000-0x00007FF7C6D71000-memory.dmp

Filesize
3.3MB

Download
memory/3532-275-0x00007FF7C6A20000-0x00007FF7C6D71000-memory.dmp

Filesize
3.3MB

Download
memory/3604-96-0x00007FF782450000-0x00007FF7827A1000-memory.dmp

Filesize
3.3MB

Download
memory/3604-155-0x00007FF782450000-0x00007FF7827A1000-memory.dmp

Filesize
3.3MB

Download
memory/3604-262-0x00007FF782450000-0x00007FF7827A1000-memory.dmp

Filesize
3.3MB

Download
memory/3616-137-0x00007FF6C1090000-0x00007FF6C13E1000-memory.dmp

Filesize
3.3MB

Download
memory/3616-77-0x00007FF6C1090000-0x00007FF6C13E1000-memory.dmp

Filesize
3.3MB

Download
memory/3616-254-0x00007FF6C1090000-0x00007FF6C13E1000-memory.dmp

Filesize
3.3MB

Download
memory/3620-39-0x00007FF634EF0000-0x00007FF635241000-memory.dmp

Filesize
3.3MB

Download
memory/3620-240-0x00007FF634EF0000-0x00007FF635241000-memory.dmp

Filesize
3.3MB

Download
memory/3620-100-0x00007FF634EF0000-0x00007FF635241000-memory.dmp

Filesize
3.3MB

Download
memory/3700-230-0x00007FF768230000-0x00007FF768581000-memory.dmp

Filesize
3.3MB

Download
memory/3700-12-0x00007FF768230000-0x00007FF768581000-memory.dmp

Filesize
3.3MB

Download
memory/3700-71-0x00007FF768230000-0x00007FF768581000-memory.dmp

Filesize
3.3MB

Download
memory/3864-247-0x00007FF6B5F40000-0x00007FF6B6291000-memory.dmp

Filesize
3.3MB

Download
memory/3864-64-0x00007FF6B5F40000-0x00007FF6B6291000-memory.dmp

Filesize
3.3MB

Download
memory/3864-115-0x00007FF6B5F40000-0x00007FF6B6291000-memory.dmp

Filesize
3.3MB

Download
memory/4040-154-0x00007FF7B6E50000-0x00007FF7B71A1000-memory.dmp

Filesize
3.3MB

Download
memory/4040-256-0x00007FF7B6E50000-0x00007FF7B71A1000-memory.dmp

Filesize
3.3MB

Download
memory/4040-83-0x00007FF7B6E50000-0x00007FF7B71A1000-memory.dmp

Filesize
3.3MB

Download
memory/4220-48-0x00007FF6273B0000-0x00007FF627701000-memory.dmp

Filesize
3.3MB

Download
memory/4220-108-0x00007FF6273B0000-0x00007FF627701000-memory.dmp

Filesize
3.3MB

Download
memory/4220-245-0x00007FF6273B0000-0x00007FF627701000-memory.dmp

Filesize
3.3MB

Download
memory/4304-67-0x00007FF6B8330000-0x00007FF6B8681000-memory.dmp

Filesize
3.3MB

Download
memory/4304-9-0x00007FF6B8330000-0x00007FF6B8681000-memory.dmp

Filesize
3.3MB

Download
memory/4304-228-0x00007FF6B8330000-0x00007FF6B8681000-memory.dmp

Filesize
3.3MB

Download
memory/4532-40-0x00007FF7E74D0000-0x00007FF7E7821000-memory.dmp

Filesize
3.3MB

Download
memory/4532-238-0x00007FF7E74D0000-0x00007FF7E7821000-memory.dmp

Filesize
3.3MB

Download
memory/4532-101-0x00007FF7E74D0000-0x00007FF7E7821000-memory.dmp

Filesize
3.3MB

Download
memory/4920-102-0x00007FF739E00000-0x00007FF73A151000-memory.dmp

Filesize
3.3MB

Download
memory/4920-265-0x00007FF739E00000-0x00007FF73A151000-memory.dmp

Filesize
3.3MB

Download
memory/4920-156-0x00007FF739E00000-0x00007FF73A151000-memory.dmp

Filesize
3.3MB

Download
memory/5032-266-0x00007FF60EA20000-0x00007FF60ED71000-memory.dmp

Filesize
3.3MB

Download
memory/5032-157-0x00007FF60EA20000-0x00007FF60ED71000-memory.dmp

Filesize
3.3MB

Download
memory/5032-109-0x00007FF60EA20000-0x00007FF60ED71000-memory.dmp

Filesize
3.3MB

Download