cobaltstrike | cb3249c1e4ae6229f184b6b4cb6f0a49c2a3db5f54a10a71aaa0bbd86b7f6753

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4775b52861c72d4364dbaf393d2d33d6
SHA1

c43da631e6c63eb81af4fa4f2168ec50dd7dd03e
SHA256

cb3249c1e4ae6229f184b6b4cb6f0a49c2a3db5f54a10a71aaa0bbd86b7f6753
SHA512

62695e8a49920bd81f70849882e94c943324f04548d23bbabb5168fb099e1629cdf9959aff0de229709211a91f8022c2bdd3d830ad6761d007bb127f77a4fc66
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l2:RWWBibf56utgpPFotBER/mQ32lUy

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023c93-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-7.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-14.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-47.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c95-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-78.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/5088-23-0x00007FF7B3960000-0x00007FF7B3CB1000-memory.dmp	xmrig
behavioral2/memory/4156-133-0x00007FF68A720000-0x00007FF68AA71000-memory.dmp	xmrig
behavioral2/memory/4092-126-0x00007FF671410000-0x00007FF671761000-memory.dmp	xmrig
behavioral2/memory/3644-116-0x00007FF76A2B0000-0x00007FF76A601000-memory.dmp	xmrig
behavioral2/memory/2328-101-0x00007FF70EAA0000-0x00007FF70EDF1000-memory.dmp	xmrig
behavioral2/memory/2608-96-0x00007FF614B20000-0x00007FF614E71000-memory.dmp	xmrig
behavioral2/memory/1652-89-0x00007FF750020000-0x00007FF750371000-memory.dmp	xmrig
behavioral2/memory/544-80-0x00007FF7ADE10000-0x00007FF7AE161000-memory.dmp	xmrig
behavioral2/memory/3400-62-0x00007FF6B5D20000-0x00007FF6B6071000-memory.dmp	xmrig
behavioral2/memory/2372-61-0x00007FF747FA0000-0x00007FF7482F1000-memory.dmp	xmrig
behavioral2/memory/4884-57-0x00007FF6290A0000-0x00007FF6293F1000-memory.dmp	xmrig
behavioral2/memory/2388-55-0x00007FF643050000-0x00007FF6433A1000-memory.dmp	xmrig
behavioral2/memory/2388-138-0x00007FF643050000-0x00007FF6433A1000-memory.dmp	xmrig
behavioral2/memory/4832-153-0x00007FF64E4B0000-0x00007FF64E801000-memory.dmp	xmrig
behavioral2/memory/1088-155-0x00007FF697890000-0x00007FF697BE1000-memory.dmp	xmrig
behavioral2/memory/1400-154-0x00007FF7FA890000-0x00007FF7FABE1000-memory.dmp	xmrig
behavioral2/memory/5036-151-0x00007FF6FB1A0000-0x00007FF6FB4F1000-memory.dmp	xmrig
behavioral2/memory/4992-150-0x00007FF6027C0000-0x00007FF602B11000-memory.dmp	xmrig
behavioral2/memory/4092-148-0x00007FF671410000-0x00007FF671761000-memory.dmp	xmrig
behavioral2/memory/2516-152-0x00007FF6D26C0000-0x00007FF6D2A11000-memory.dmp	xmrig
behavioral2/memory/1580-156-0x00007FF64EAA0000-0x00007FF64EDF1000-memory.dmp	xmrig
behavioral2/memory/3552-159-0x00007FF6C0860000-0x00007FF6C0BB1000-memory.dmp	xmrig
behavioral2/memory/1872-157-0x00007FF71D720000-0x00007FF71DA71000-memory.dmp	xmrig
behavioral2/memory/4416-158-0x00007FF605210000-0x00007FF605561000-memory.dmp	xmrig
behavioral2/memory/2388-160-0x00007FF643050000-0x00007FF6433A1000-memory.dmp	xmrig
behavioral2/memory/2372-214-0x00007FF747FA0000-0x00007FF7482F1000-memory.dmp	xmrig
behavioral2/memory/5088-216-0x00007FF7B3960000-0x00007FF7B3CB1000-memory.dmp	xmrig
behavioral2/memory/3400-218-0x00007FF6B5D20000-0x00007FF6B6071000-memory.dmp	xmrig
behavioral2/memory/544-220-0x00007FF7ADE10000-0x00007FF7AE161000-memory.dmp	xmrig
behavioral2/memory/1652-222-0x00007FF750020000-0x00007FF750371000-memory.dmp	xmrig
behavioral2/memory/2328-225-0x00007FF70EAA0000-0x00007FF70EDF1000-memory.dmp	xmrig
behavioral2/memory/2608-226-0x00007FF614B20000-0x00007FF614E71000-memory.dmp	xmrig
behavioral2/memory/3644-229-0x00007FF76A2B0000-0x00007FF76A601000-memory.dmp	xmrig
behavioral2/memory/4884-240-0x00007FF6290A0000-0x00007FF6293F1000-memory.dmp	xmrig
behavioral2/memory/4156-244-0x00007FF68A720000-0x00007FF68AA71000-memory.dmp	xmrig
behavioral2/memory/4992-246-0x00007FF6027C0000-0x00007FF602B11000-memory.dmp	xmrig
behavioral2/memory/5036-248-0x00007FF6FB1A0000-0x00007FF6FB4F1000-memory.dmp	xmrig
behavioral2/memory/2516-250-0x00007FF6D26C0000-0x00007FF6D2A11000-memory.dmp	xmrig
behavioral2/memory/4832-252-0x00007FF64E4B0000-0x00007FF64E801000-memory.dmp	xmrig
behavioral2/memory/1400-254-0x00007FF7FA890000-0x00007FF7FABE1000-memory.dmp	xmrig
behavioral2/memory/1580-259-0x00007FF64EAA0000-0x00007FF64EDF1000-memory.dmp	xmrig
behavioral2/memory/1088-263-0x00007FF697890000-0x00007FF697BE1000-memory.dmp	xmrig
behavioral2/memory/3552-265-0x00007FF6C0860000-0x00007FF6C0BB1000-memory.dmp	xmrig
behavioral2/memory/1872-258-0x00007FF71D720000-0x00007FF71DA71000-memory.dmp	xmrig
behavioral2/memory/4416-261-0x00007FF605210000-0x00007FF605561000-memory.dmp	xmrig
behavioral2/memory/4092-269-0x00007FF671410000-0x00007FF671761000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2372	kYnDKQd.exe
3400	IUgpivL.exe
5088	eiECtkR.exe
544	cRFpWbX.exe
1652	JvDGewt.exe
2608	mwtmYJm.exe
2328	YkGTnJh.exe
3644	oCfCxSu.exe
4884	GaKKeBd.exe
4092	DOVSAyX.exe
4156	FCtxrJQ.exe
4992	PxjNviM.exe
5036	MUUqSSb.exe
2516	jzBufDw.exe
4832	rlvpObX.exe
1400	HmutLsX.exe
1088	oesbBBW.exe
1580	fVVLRHE.exe
1872	FeoULuF.exe
4416	qeFdqHD.exe
3552	mCWdtnC.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2388-0-0x00007FF643050000-0x00007FF6433A1000-memory.dmp	upx
behavioral2/files/0x0009000000023c93-5.dat	upx
behavioral2/memory/2372-8-0x00007FF747FA0000-0x00007FF7482F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-7.dat	upx
behavioral2/files/0x0007000000023c9e-22.dat	upx
behavioral2/memory/3400-18-0x00007FF6B5D20000-0x00007FF6B6071000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-26.dat	upx
behavioral2/files/0x0007000000023ca0-39.dat	upx
behavioral2/files/0x0007000000023ca1-43.dat	upx
behavioral2/memory/2328-42-0x00007FF70EAA0000-0x00007FF70EDF1000-memory.dmp	upx
behavioral2/memory/2608-38-0x00007FF614B20000-0x00007FF614E71000-memory.dmp	upx
behavioral2/memory/1652-32-0x00007FF750020000-0x00007FF750371000-memory.dmp	upx
behavioral2/memory/544-24-0x00007FF7ADE10000-0x00007FF7AE161000-memory.dmp	upx
behavioral2/memory/5088-23-0x00007FF7B3960000-0x00007FF7B3CB1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-14.dat	upx
behavioral2/files/0x0007000000023ca2-47.dat	upx
behavioral2/memory/3644-50-0x00007FF76A2B0000-0x00007FF76A601000-memory.dmp	upx
behavioral2/files/0x0009000000023c95-52.dat	upx
behavioral2/files/0x0007000000023ca4-64.dat	upx
behavioral2/files/0x0007000000023ca5-67.dat	upx
behavioral2/files/0x0007000000023ca9-91.dat	upx
behavioral2/files/0x0007000000023caa-97.dat	upx
behavioral2/files/0x0007000000023cad-117.dat	upx
behavioral2/files/0x0007000000023caf-135.dat	upx
behavioral2/memory/3552-134-0x00007FF6C0860000-0x00007FF6C0BB1000-memory.dmp	upx
behavioral2/memory/4156-133-0x00007FF68A720000-0x00007FF68AA71000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-131.dat	upx
behavioral2/memory/4416-127-0x00007FF605210000-0x00007FF605561000-memory.dmp	upx
behavioral2/memory/4092-126-0x00007FF671410000-0x00007FF671761000-memory.dmp	upx
behavioral2/memory/1872-125-0x00007FF71D720000-0x00007FF71DA71000-memory.dmp	upx
behavioral2/files/0x0007000000023cac-121.dat	upx
behavioral2/memory/1580-120-0x00007FF64EAA0000-0x00007FF64EDF1000-memory.dmp	upx
behavioral2/memory/3644-116-0x00007FF76A2B0000-0x00007FF76A601000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-114.dat	upx
behavioral2/memory/1088-110-0x00007FF697890000-0x00007FF697BE1000-memory.dmp	upx
behavioral2/memory/1400-102-0x00007FF7FA890000-0x00007FF7FABE1000-memory.dmp	upx
behavioral2/memory/2328-101-0x00007FF70EAA0000-0x00007FF70EDF1000-memory.dmp	upx
behavioral2/memory/4832-100-0x00007FF64E4B0000-0x00007FF64E801000-memory.dmp	upx
behavioral2/memory/2608-96-0x00007FF614B20000-0x00007FF614E71000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-94.dat	upx
behavioral2/memory/2516-90-0x00007FF6D26C0000-0x00007FF6D2A11000-memory.dmp	upx
behavioral2/memory/1652-89-0x00007FF750020000-0x00007FF750371000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-84.dat	upx
behavioral2/memory/5036-81-0x00007FF6FB1A0000-0x00007FF6FB4F1000-memory.dmp	upx
behavioral2/memory/544-80-0x00007FF7ADE10000-0x00007FF7AE161000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-78.dat	upx
behavioral2/memory/4992-74-0x00007FF6027C0000-0x00007FF602B11000-memory.dmp	upx
behavioral2/memory/4156-68-0x00007FF68A720000-0x00007FF68AA71000-memory.dmp	upx
behavioral2/memory/4092-63-0x00007FF671410000-0x00007FF671761000-memory.dmp	upx
behavioral2/memory/3400-62-0x00007FF6B5D20000-0x00007FF6B6071000-memory.dmp	upx
behavioral2/memory/2372-61-0x00007FF747FA0000-0x00007FF7482F1000-memory.dmp	upx
behavioral2/memory/4884-57-0x00007FF6290A0000-0x00007FF6293F1000-memory.dmp	upx
behavioral2/memory/2388-55-0x00007FF643050000-0x00007FF6433A1000-memory.dmp	upx
behavioral2/memory/2388-138-0x00007FF643050000-0x00007FF6433A1000-memory.dmp	upx
behavioral2/memory/4832-153-0x00007FF64E4B0000-0x00007FF64E801000-memory.dmp	upx
behavioral2/memory/1088-155-0x00007FF697890000-0x00007FF697BE1000-memory.dmp	upx
behavioral2/memory/1400-154-0x00007FF7FA890000-0x00007FF7FABE1000-memory.dmp	upx
behavioral2/memory/5036-151-0x00007FF6FB1A0000-0x00007FF6FB4F1000-memory.dmp	upx
behavioral2/memory/4992-150-0x00007FF6027C0000-0x00007FF602B11000-memory.dmp	upx
behavioral2/memory/4092-148-0x00007FF671410000-0x00007FF671761000-memory.dmp	upx
behavioral2/memory/2516-152-0x00007FF6D26C0000-0x00007FF6D2A11000-memory.dmp	upx
behavioral2/memory/1580-156-0x00007FF64EAA0000-0x00007FF64EDF1000-memory.dmp	upx
behavioral2/memory/3552-159-0x00007FF6C0860000-0x00007FF6C0BB1000-memory.dmp	upx
behavioral2/memory/1872-157-0x00007FF71D720000-0x00007FF71DA71000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rlvpObX.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kYnDKQd.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eiECtkR.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mwtmYJm.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GaKKeBd.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DOVSAyX.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PxjNviM.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jzBufDw.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HmutLsX.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FeoULuF.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JvDGewt.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YkGTnJh.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mCWdtnC.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IUgpivL.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cRFpWbX.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oesbBBW.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oCfCxSu.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FCtxrJQ.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MUUqSSb.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fVVLRHE.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qeFdqHD.exe	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2372	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2388 wrote to memory of 2372	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2388 wrote to memory of 3400	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2388 wrote to memory of 3400	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2388 wrote to memory of 5088	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2388 wrote to memory of 5088	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2388 wrote to memory of 544	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2388 wrote to memory of 544	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2388 wrote to memory of 1652	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2388 wrote to memory of 1652	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2388 wrote to memory of 2608	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2388 wrote to memory of 2608	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2388 wrote to memory of 2328	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2388 wrote to memory of 2328	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2388 wrote to memory of 3644	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2388 wrote to memory of 3644	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2388 wrote to memory of 4884	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2388 wrote to memory of 4884	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2388 wrote to memory of 4092	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2388 wrote to memory of 4092	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2388 wrote to memory of 4156	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2388 wrote to memory of 4156	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2388 wrote to memory of 4992	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2388 wrote to memory of 4992	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2388 wrote to memory of 5036	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2388 wrote to memory of 5036	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2388 wrote to memory of 2516	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2388 wrote to memory of 2516	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2388 wrote to memory of 4832	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2388 wrote to memory of 4832	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2388 wrote to memory of 1400	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2388 wrote to memory of 1400	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2388 wrote to memory of 1088	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2388 wrote to memory of 1088	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2388 wrote to memory of 1580	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2388 wrote to memory of 1580	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2388 wrote to memory of 1872	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2388 wrote to memory of 1872	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2388 wrote to memory of 4416	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2388 wrote to memory of 4416	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2388 wrote to memory of 3552	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2388 wrote to memory of 3552	2388	2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_4775b52861c72d4364dbaf393d2d33d6_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\System\kYnDKQd.exe
  C:\Windows\System\kYnDKQd.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\IUgpivL.exe
  C:\Windows\System\IUgpivL.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\eiECtkR.exe
  C:\Windows\System\eiECtkR.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\cRFpWbX.exe
  C:\Windows\System\cRFpWbX.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System\JvDGewt.exe
  C:\Windows\System\JvDGewt.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\mwtmYJm.exe
  C:\Windows\System\mwtmYJm.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\YkGTnJh.exe
  C:\Windows\System\YkGTnJh.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\oCfCxSu.exe
  C:\Windows\System\oCfCxSu.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\GaKKeBd.exe
  C:\Windows\System\GaKKeBd.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\DOVSAyX.exe
  C:\Windows\System\DOVSAyX.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System\FCtxrJQ.exe
  C:\Windows\System\FCtxrJQ.exe
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\Windows\System\PxjNviM.exe
  C:\Windows\System\PxjNviM.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\MUUqSSb.exe
  C:\Windows\System\MUUqSSb.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\jzBufDw.exe
  C:\Windows\System\jzBufDw.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\rlvpObX.exe
  C:\Windows\System\rlvpObX.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\HmutLsX.exe
  C:\Windows\System\HmutLsX.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\oesbBBW.exe
  C:\Windows\System\oesbBBW.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\fVVLRHE.exe
  C:\Windows\System\fVVLRHE.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\FeoULuF.exe
  C:\Windows\System\FeoULuF.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\qeFdqHD.exe
  C:\Windows\System\qeFdqHD.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\mCWdtnC.exe
  C:\Windows\System\mCWdtnC.exe
  2⤵
  - Executes dropped EXE
  PID:3552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DOVSAyX.exe

Filesize
5.2MB

MD5
ff50efcee16d9a00d33f71d556cbe064

SHA1
ba0c97ffefdbf06edbe4169e360a563e5ab202e1

SHA256
afe1a91b22d2116d06e2f2b6edfa2d7f11efdc0d626b309da292900dc1709c13

SHA512
76e4078478e7d1394967be9e78069bc58cd723540f679b35e2ccb8d4ad45c185246f9c0169c0676279fa04b3feb966766a16b1fa47b63134cd4e41445d8443c4

Download Submit
C:\Windows\System\FCtxrJQ.exe

Filesize
5.2MB

MD5
3b8cdcf610d481fed5b5b4094503c2cb

SHA1
56f5061e5ac10fa51642a0e006638bb4b981ac39

SHA256
9bd1bc6e23065c097d495d4b5f0bbd5816b602ac8ede4a40bd1523d467f65600

SHA512
2b2a2762df9f4bdd2bdcc22d501161c6b2fd38935a15b24d67fa8ae12a01038de8880f6b02f86aef530ff773ecc9795cf12f206ffac82761702d3e9122dde9bc

Download Submit
C:\Windows\System\FeoULuF.exe

Filesize
5.2MB

MD5
472d5824d96f3adcff9334ced85a9e8b

SHA1
b81e92b034c555cd581662400ea76e9f50481269

SHA256
5a01925b23c603e6368bd261fd38ebee7182ca1e9dfe3d9a93b0ae83806c4b51

SHA512
985cba0c7270219a78dd6ee70bc99de8ad4855e85cc2d6b3e5a5299a0a3d825a627ce30cc09139fd20a88be631a97d1081ef41dd6c4cfe5af8e712243e146ad8

Download Submit
C:\Windows\System\GaKKeBd.exe

Filesize
5.2MB

MD5
541428388ccb532e3275aeb0e0c56c7d

SHA1
6084deeb52e5012e5e9dcc121bd0bbf0188ce4e1

SHA256
61ed94968d67649979eaaa8d093cb768f0b59a0bbf20087ddd53d455a270da39

SHA512
93c24d04b01ac259b6ca3ed38bdbfce55588169af147885476db3b27f96869d0fd65a4a3d4fb258c21c4ff80c1a19d71fbfabd54227ac1719c0c97cbbb17acfb

Download Submit
C:\Windows\System\HmutLsX.exe

Filesize
5.2MB

MD5
e27054c36e13efb652d1ba4c19e0cf07

SHA1
ab7ec0b62619f6d6729296d48641cf6d4016ecfe

SHA256
db2729c7a550a5c9d0b30db1e85b70fad4f73d88738e25038c2ebd7197167864

SHA512
dbe22b954855f064f765ad0829d5900da5a36c90c8517a3c1a99511d9bf4b6a560dc636dffe855293f5af9020e2199ff5a2e8e253f9cfbaa818c6082d47c0b97

Download Submit
C:\Windows\System\IUgpivL.exe

Filesize
5.2MB

MD5
e15ec56f89426d071450ed7c97f16c97

SHA1
3f94325bda0b28c90c094d5a8b67650b8aec41e5

SHA256
0f53e59959a31866ce759bbb3316fd9537e5417f81b961701c0bd1030d249563

SHA512
7c0069713bde3b79afc201c4febc9ebe2a114e93e7912c9f241bfcb8969e32a12d60f03ac010ce1c1e8865b898d1358cd245bedb6157d3593f042794c45cc00a

Download Submit
C:\Windows\System\JvDGewt.exe

Filesize
5.2MB

MD5
e0361d953ba9f033d1bf28a850fe37f8

SHA1
74b41bf7e294cd1847e41bebb4547fbcdfeed677

SHA256
64635ec2fb3a417790621ab1c93f89374669bf2f3893f1af9c616a6825d775d7

SHA512
c6c3e453c70b47c4b9ed1c5f63c5bbec7c18db78dbb6c0f91f75dd5d29e2954e469f73400d0ccb6dd6275fcd48db43358d125e2a2d7d16f62bdae95ee06efcc1

Download Submit
C:\Windows\System\MUUqSSb.exe

Filesize
5.2MB

MD5
d31c16634393af3c9aa7fd793e92f59b

SHA1
8b0c3a039197fe700439db563a936af4d5c9885c

SHA256
0bcabd08cf91f31d7331458828f32d1ad1eb67d07b7498c3d3008d11890536ef

SHA512
b76c79c51638d7a0331cae69ed74e9423da8cc689d17ebe54c84d0aea63a8806bfe0ce0f64a1b0b378ecbae63b3eae7db2aff940a24536d0e050f301207f70bf

Download Submit
C:\Windows\System\PxjNviM.exe

Filesize
5.2MB

MD5
f46563eee548947fbecddc953d8c9d7b

SHA1
00c797d73f9bdc103fa4f8f4929f9e6d80a34eec

SHA256
2c27f0aa9653acec752c4439dfde73c48f69f1e6c5291ec2da0748447b07293b

SHA512
3c4f63631e49c30d261791504522429c39d29f1fd4740b38b46f07fff797394b7abf494ce06ce9ac4d582581991c5e6d3a530c915b4153f0542847a467e18b0e

Download Submit
C:\Windows\System\YkGTnJh.exe

Filesize
5.2MB

MD5
963d1b11ea2180aa5a525fe7ceebbba4

SHA1
e5a621854770c29f69eae1445337199f5651f3db

SHA256
0ca9fe5c8b5cba676578a688fa770d9cec417ea0d48da5662e9b4e48c7b4d390

SHA512
59860588abd5c14e5ce6a43f7a46954d3c77dcdb098c8e5786821ea9d4a41933d7f641b9eda0f48504a60fcc85734c887233e644183ab5ca0f2cac37d97b0d97

Download Submit
C:\Windows\System\cRFpWbX.exe

Filesize
5.2MB

MD5
4e41ee8851766251d2705b2ee6d11c26

SHA1
8de62de88a8e0f24894ffcdf66accdd345021356

SHA256
cd8b999b419d69c7109b227ad1984b2232b88fc43b9e04bab7961e16f1d64f47

SHA512
18639b3c422f92747720656b01336fe9e2f590c2311e474144fdec5496a0a79864a5f974a8e25dfd85f0a666fddcad3b4710f428279d9d7ad638ebe8ea862d3b

Download Submit
C:\Windows\System\eiECtkR.exe

Filesize
5.2MB

MD5
3932a951a5ba09f7c53c0d0335891e61

SHA1
044854b1f06cfafb6cacb61c3b9cbe1ed85a7a52

SHA256
45f6083a357f185e53fd9f47f849a926ed0f6b44b287699e07135c014a1a9f88

SHA512
bbcb786e04e62f623c8639280e2c7919d0e4d3e91836bb2787838289de0b35133db0d9aea3851d79f2534e52540970b89924a78ccf0ba50b5ec6724b7a7d10b7

Download Submit
C:\Windows\System\fVVLRHE.exe

Filesize
5.2MB

MD5
9b0ebfa75c2d6aaacc3bb42a62515915

SHA1
65b751ce6585439e033c9112059513ae7252be94

SHA256
b757764214c477127167f3de3f0dca8dbbdeb516d8be41f27299d1112cde6add

SHA512
b87eb508dff594cc6c747129a1afb2a48046031a4c73fa8e7b49ad18378eea8aaa2712a37a3e2cc7fee1b22bdc46d836c04d921251683fd01b80bf0c36a49193

Download Submit
C:\Windows\System\jzBufDw.exe

Filesize
5.2MB

MD5
af78e7581b021541faaaa246063f1751

SHA1
329e0052aee3e87926cec8357f344b9b40b1bcab

SHA256
0d3b9adb02ec23e591a2bab9da96e8a2a2475197db4a77ce41c8b1f67f17d68b

SHA512
9c84df17f1b7687bdf259944793ceeee6892641ab7b397f30ab4a61f17fb509c9c4342650ffa691271c0750d9de253afcd7a2e7521ac1ede5f94113fcf76882d

Download Submit
C:\Windows\System\kYnDKQd.exe

Filesize
5.2MB

MD5
5e2f000ada0d299aadce6fa2c36ac04c

SHA1
04c4f8a2a2343d7c44457ab8d28ecf7756843082

SHA256
bf27b555d373f65e303147bbe3aae4874886e99fb81e5f0137e0363e83d59487

SHA512
6e513c0f9e590fe527de2e12d245083fa250503e07189e6843b9bc2ab6e31493515f2abc41e375d074ba8ae6a9e7c52507a5b179e58b7588aed352bf3482c75b

Download Submit
C:\Windows\System\mCWdtnC.exe

Filesize
5.2MB

MD5
6eb8ff138369fd8bf7a4361c5a3d7d59

SHA1
56face77e21d899b704c99478b5e5528bcf7f4b8

SHA256
c05f70dd187fa3c42772a3c97e0b263937d659d86240bfa7fad3c9f8cc74577c

SHA512
b65f1810eec9a54d3be91b294e529016bc4f34a19a4253ef620888c957f58b65710afae8859657ec502d6e25030ddc641f16a9c8e5eb5b72ffe7efdd0ed4deff

Download Submit
C:\Windows\System\mwtmYJm.exe

Filesize
5.2MB

MD5
afa8e5d2302bdaae51d0f96b361d4db0

SHA1
5661b8e87381b607828099327e4e95124849e4fa

SHA256
1f740dbfe3a968a8b63df678b9e1810ecda86346fa081bda429d6db07c123c2d

SHA512
f872ccb6f8a41f0aec08cedc8d491a93a6dc4b51329edfc47af6c1941dbaa9ae00cdcb80fc6098d4e45e805fb78618a615364ebef881c34037a9a92c66c7b5e9

Download Submit
C:\Windows\System\oCfCxSu.exe

Filesize
5.2MB

MD5
1d31d15163fa8d6bd7872dca7aaedbee

SHA1
6f008939cb7fde2bfb62453db58f04a26a0790cd

SHA256
4742e6b73af87173ff3182d0e60cdb5836f3af2637452cf14eedde0fb07c16b4

SHA512
ea6de94588befbb5a0c7daa200754a468fdb81fd1a32553c072dc2c7fd7feb8fa22e02f0abcbf9c064a2292f1f3ad8591ad2a1f0bc89c077d20c9a0515bd87fa

Download Submit
C:\Windows\System\oesbBBW.exe

Filesize
5.2MB

MD5
4324dd73aa4958dbf1e28d416aa5c9bb

SHA1
3cafeabecd33c65b71bb7762b657c352b836c61a

SHA256
b5352af50606c9c076ffee282d1ec3584d0cf79bc59be333e30cbf06b0e41875

SHA512
aee4ab0347bd5581b8673356db4e9a53729334ff0ee9d4ede9969eb23bab021749d6f9d1a8a4248dcaed5d8da13074fb5402e9f7e736ce7327969fcf73f572c7

Download Submit
C:\Windows\System\qeFdqHD.exe

Filesize
5.2MB

MD5
d33167385e399c6f383132ea40381e2e

SHA1
6fbcfd01d2b666dbbc14cd0eeccec41cb17de855

SHA256
a47ef472b7a83b151215fa534b20635f6aee5e393d5aabc3bc039405e35ef1f9

SHA512
dde0074f0ec5e2e51d4ea50652e7c733d319bd1e0ac43f837ea6d4820434752752c33f28160f82a35c832f91eb65f7f51ee2d2a4c26e3a4248d988c449ad4ad2

Download Submit
C:\Windows\System\rlvpObX.exe

Filesize
5.2MB

MD5
dd17f92031ca96dca470c461f257a825

SHA1
73600fa4b631a8ebdb5cb837e3bd1f782c59fea7

SHA256
d549a0af9bc7a2275fd230138807903b83bcc209b469d003c8ab4e3122c935f9

SHA512
cc2b5979399fc1cea079f745a85b4c2cc42d0834c94ef4e39964e37e527cc23dcaf4c7d4f93a30146120ed118e0119b39e765812ece2db928d2200911c4bfdfc

Download Submit
memory/544-80-0x00007FF7ADE10000-0x00007FF7AE161000-memory.dmp

Filesize
3.3MB

Download
memory/544-220-0x00007FF7ADE10000-0x00007FF7AE161000-memory.dmp

Filesize
3.3MB

Download
memory/544-24-0x00007FF7ADE10000-0x00007FF7AE161000-memory.dmp

Filesize
3.3MB

Download
memory/1088-155-0x00007FF697890000-0x00007FF697BE1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-263-0x00007FF697890000-0x00007FF697BE1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-110-0x00007FF697890000-0x00007FF697BE1000-memory.dmp

Filesize
3.3MB

Download
memory/1400-154-0x00007FF7FA890000-0x00007FF7FABE1000-memory.dmp

Filesize
3.3MB

Download
memory/1400-254-0x00007FF7FA890000-0x00007FF7FABE1000-memory.dmp

Filesize
3.3MB

Download
memory/1400-102-0x00007FF7FA890000-0x00007FF7FABE1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-259-0x00007FF64EAA0000-0x00007FF64EDF1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-156-0x00007FF64EAA0000-0x00007FF64EDF1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-120-0x00007FF64EAA0000-0x00007FF64EDF1000-memory.dmp

Filesize
3.3MB

Download
memory/1652-32-0x00007FF750020000-0x00007FF750371000-memory.dmp

Filesize
3.3MB

Download
memory/1652-222-0x00007FF750020000-0x00007FF750371000-memory.dmp

Filesize
3.3MB

Download
memory/1652-89-0x00007FF750020000-0x00007FF750371000-memory.dmp

Filesize
3.3MB

Download
memory/1872-125-0x00007FF71D720000-0x00007FF71DA71000-memory.dmp

Filesize
3.3MB

Download
memory/1872-157-0x00007FF71D720000-0x00007FF71DA71000-memory.dmp

Filesize
3.3MB

Download
memory/1872-258-0x00007FF71D720000-0x00007FF71DA71000-memory.dmp

Filesize
3.3MB

Download
memory/2328-42-0x00007FF70EAA0000-0x00007FF70EDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2328-101-0x00007FF70EAA0000-0x00007FF70EDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2328-225-0x00007FF70EAA0000-0x00007FF70EDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2372-214-0x00007FF747FA0000-0x00007FF7482F1000-memory.dmp

Filesize
3.3MB

Download
memory/2372-61-0x00007FF747FA0000-0x00007FF7482F1000-memory.dmp

Filesize
3.3MB

Download
memory/2372-8-0x00007FF747FA0000-0x00007FF7482F1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-138-0x00007FF643050000-0x00007FF6433A1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-1-0x000001F4FD960000-0x000001F4FD970000-memory.dmp

Filesize
64KB

Download
memory/2388-160-0x00007FF643050000-0x00007FF6433A1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-55-0x00007FF643050000-0x00007FF6433A1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-0-0x00007FF643050000-0x00007FF6433A1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-250-0x00007FF6D26C0000-0x00007FF6D2A11000-memory.dmp

Filesize
3.3MB

Download
memory/2516-90-0x00007FF6D26C0000-0x00007FF6D2A11000-memory.dmp

Filesize
3.3MB

Download
memory/2516-152-0x00007FF6D26C0000-0x00007FF6D2A11000-memory.dmp

Filesize
3.3MB

Download
memory/2608-38-0x00007FF614B20000-0x00007FF614E71000-memory.dmp

Filesize
3.3MB

Download
memory/2608-96-0x00007FF614B20000-0x00007FF614E71000-memory.dmp

Filesize
3.3MB

Download
memory/2608-226-0x00007FF614B20000-0x00007FF614E71000-memory.dmp

Filesize
3.3MB

Download
memory/3400-18-0x00007FF6B5D20000-0x00007FF6B6071000-memory.dmp

Filesize
3.3MB

Download
memory/3400-62-0x00007FF6B5D20000-0x00007FF6B6071000-memory.dmp

Filesize
3.3MB

Download
memory/3400-218-0x00007FF6B5D20000-0x00007FF6B6071000-memory.dmp

Filesize
3.3MB

Download
memory/3552-134-0x00007FF6C0860000-0x00007FF6C0BB1000-memory.dmp

Filesize
3.3MB

Download
memory/3552-265-0x00007FF6C0860000-0x00007FF6C0BB1000-memory.dmp

Filesize
3.3MB

Download
memory/3552-159-0x00007FF6C0860000-0x00007FF6C0BB1000-memory.dmp

Filesize
3.3MB

Download
memory/3644-50-0x00007FF76A2B0000-0x00007FF76A601000-memory.dmp

Filesize
3.3MB

Download
memory/3644-229-0x00007FF76A2B0000-0x00007FF76A601000-memory.dmp

Filesize
3.3MB

Download
memory/3644-116-0x00007FF76A2B0000-0x00007FF76A601000-memory.dmp

Filesize
3.3MB

Download
memory/4092-148-0x00007FF671410000-0x00007FF671761000-memory.dmp

Filesize
3.3MB

Download
memory/4092-126-0x00007FF671410000-0x00007FF671761000-memory.dmp

Filesize
3.3MB

Download
memory/4092-269-0x00007FF671410000-0x00007FF671761000-memory.dmp

Filesize
3.3MB

Download
memory/4092-63-0x00007FF671410000-0x00007FF671761000-memory.dmp

Filesize
3.3MB

Download
memory/4156-244-0x00007FF68A720000-0x00007FF68AA71000-memory.dmp

Filesize
3.3MB

Download
memory/4156-133-0x00007FF68A720000-0x00007FF68AA71000-memory.dmp

Filesize
3.3MB

Download
memory/4156-68-0x00007FF68A720000-0x00007FF68AA71000-memory.dmp

Filesize
3.3MB

Download
memory/4416-261-0x00007FF605210000-0x00007FF605561000-memory.dmp

Filesize
3.3MB

Download
memory/4416-158-0x00007FF605210000-0x00007FF605561000-memory.dmp

Filesize
3.3MB

Download
memory/4416-127-0x00007FF605210000-0x00007FF605561000-memory.dmp

Filesize
3.3MB

Download
memory/4832-153-0x00007FF64E4B0000-0x00007FF64E801000-memory.dmp

Filesize
3.3MB

Download
memory/4832-252-0x00007FF64E4B0000-0x00007FF64E801000-memory.dmp

Filesize
3.3MB

Download
memory/4832-100-0x00007FF64E4B0000-0x00007FF64E801000-memory.dmp

Filesize
3.3MB

Download
memory/4884-240-0x00007FF6290A0000-0x00007FF6293F1000-memory.dmp

Filesize
3.3MB

Download
memory/4884-57-0x00007FF6290A0000-0x00007FF6293F1000-memory.dmp

Filesize
3.3MB

Download
memory/4992-246-0x00007FF6027C0000-0x00007FF602B11000-memory.dmp

Filesize
3.3MB

Download
memory/4992-74-0x00007FF6027C0000-0x00007FF602B11000-memory.dmp

Filesize
3.3MB

Download
memory/4992-150-0x00007FF6027C0000-0x00007FF602B11000-memory.dmp

Filesize
3.3MB

Download
memory/5036-151-0x00007FF6FB1A0000-0x00007FF6FB4F1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-248-0x00007FF6FB1A0000-0x00007FF6FB4F1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-81-0x00007FF6FB1A0000-0x00007FF6FB4F1000-memory.dmp

Filesize
3.3MB

Download
memory/5088-23-0x00007FF7B3960000-0x00007FF7B3CB1000-memory.dmp

Filesize
3.3MB

Download
memory/5088-216-0x00007FF7B3960000-0x00007FF7B3CB1000-memory.dmp

Filesize
3.3MB

Download