cobaltstrike | 208c9710f6607f1d0041952b5ba86f862b1d960c4a89ce227095941017d027a1

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b9bcc6e1593df29ec0b85d97a252ad9c
SHA1

b10cb8f3875c4410c49d234801f9978d79ab6a4b
SHA256

208c9710f6607f1d0041952b5ba86f862b1d960c4a89ce227095941017d027a1
SHA512

e4c6cf3787037001ce12b857f4df320a2874092ed3f7c98a1892d9ad838f3994d450093b9ec5844ed2ecd8759c45820a6cfc6bb0279b17eb541309693f101b34
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lv:RWWBibf56utgpPFotBER/mQ32lU7

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b8e-6.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b92-11.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b93-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-26.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b94-28.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023ba3-35.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bac-40.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bb1-46.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bb2-53.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8f-58.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bb3-64.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bb7-68.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb9-81.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbe-93.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbd-88.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbf-102.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bee-110.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bef-114.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf0-122.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf1-130.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf2-138.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/5084-45-0x00007FF7413F0000-0x00007FF741741000-memory.dmp	xmrig
behavioral2/memory/3464-60-0x00007FF7BB780000-0x00007FF7BBAD1000-memory.dmp	xmrig
behavioral2/memory/2880-65-0x00007FF6A3230000-0x00007FF6A3581000-memory.dmp	xmrig
behavioral2/memory/2916-78-0x00007FF7B1A60000-0x00007FF7B1DB1000-memory.dmp	xmrig
behavioral2/memory/2852-73-0x00007FF7205B0000-0x00007FF720901000-memory.dmp	xmrig
behavioral2/memory/1036-86-0x00007FF6C5A10000-0x00007FF6C5D61000-memory.dmp	xmrig
behavioral2/memory/4596-95-0x00007FF63FE30000-0x00007FF640181000-memory.dmp	xmrig
behavioral2/memory/560-101-0x00007FF689F10000-0x00007FF68A261000-memory.dmp	xmrig
behavioral2/memory/2980-109-0x00007FF6BB170000-0x00007FF6BB4C1000-memory.dmp	xmrig
behavioral2/memory/2076-123-0x00007FF730760000-0x00007FF730AB1000-memory.dmp	xmrig
behavioral2/memory/4812-136-0x00007FF6DB370000-0x00007FF6DB6C1000-memory.dmp	xmrig
behavioral2/memory/4776-124-0x00007FF7724C0000-0x00007FF772811000-memory.dmp	xmrig
behavioral2/memory/456-118-0x00007FF76A830000-0x00007FF76AB81000-memory.dmp	xmrig
behavioral2/memory/4564-100-0x00007FF6B04E0000-0x00007FF6B0831000-memory.dmp	xmrig
behavioral2/memory/1744-94-0x00007FF72F390000-0x00007FF72F6E1000-memory.dmp	xmrig
behavioral2/memory/2220-85-0x00007FF72D230000-0x00007FF72D581000-memory.dmp	xmrig
behavioral2/memory/3464-140-0x00007FF7BB780000-0x00007FF7BBAD1000-memory.dmp	xmrig
behavioral2/memory/1036-145-0x00007FF6C5A10000-0x00007FF6C5D61000-memory.dmp	xmrig
behavioral2/memory/3124-155-0x00007FF7DE030000-0x00007FF7DE381000-memory.dmp	xmrig
behavioral2/memory/884-156-0x00007FF68D7F0000-0x00007FF68DB41000-memory.dmp	xmrig
behavioral2/memory/4716-160-0x00007FF61A8C0000-0x00007FF61AC11000-memory.dmp	xmrig
behavioral2/memory/2800-164-0x00007FF76FAF0000-0x00007FF76FE41000-memory.dmp	xmrig
behavioral2/memory/4784-166-0x00007FF73FF50000-0x00007FF7402A1000-memory.dmp	xmrig
behavioral2/memory/1284-165-0x00007FF74E400000-0x00007FF74E751000-memory.dmp	xmrig
behavioral2/memory/3464-167-0x00007FF7BB780000-0x00007FF7BBAD1000-memory.dmp	xmrig
behavioral2/memory/2880-220-0x00007FF6A3230000-0x00007FF6A3581000-memory.dmp	xmrig
behavioral2/memory/2852-222-0x00007FF7205B0000-0x00007FF720901000-memory.dmp	xmrig
behavioral2/memory/2916-224-0x00007FF7B1A60000-0x00007FF7B1DB1000-memory.dmp	xmrig
behavioral2/memory/2220-226-0x00007FF72D230000-0x00007FF72D581000-memory.dmp	xmrig
behavioral2/memory/1744-228-0x00007FF72F390000-0x00007FF72F6E1000-memory.dmp	xmrig
behavioral2/memory/4596-233-0x00007FF63FE30000-0x00007FF640181000-memory.dmp	xmrig
behavioral2/memory/5084-235-0x00007FF7413F0000-0x00007FF741741000-memory.dmp	xmrig
behavioral2/memory/2980-237-0x00007FF6BB170000-0x00007FF6BB4C1000-memory.dmp	xmrig
behavioral2/memory/456-239-0x00007FF76A830000-0x00007FF76AB81000-memory.dmp	xmrig
behavioral2/memory/2076-245-0x00007FF730760000-0x00007FF730AB1000-memory.dmp	xmrig
behavioral2/memory/4776-246-0x00007FF7724C0000-0x00007FF772811000-memory.dmp	xmrig
behavioral2/memory/4812-248-0x00007FF6DB370000-0x00007FF6DB6C1000-memory.dmp	xmrig
behavioral2/memory/4564-257-0x00007FF6B04E0000-0x00007FF6B0831000-memory.dmp	xmrig
behavioral2/memory/1036-258-0x00007FF6C5A10000-0x00007FF6C5D61000-memory.dmp	xmrig
behavioral2/memory/560-260-0x00007FF689F10000-0x00007FF68A261000-memory.dmp	xmrig
behavioral2/memory/3124-262-0x00007FF7DE030000-0x00007FF7DE381000-memory.dmp	xmrig
behavioral2/memory/884-264-0x00007FF68D7F0000-0x00007FF68DB41000-memory.dmp	xmrig
behavioral2/memory/4716-268-0x00007FF61A8C0000-0x00007FF61AC11000-memory.dmp	xmrig
behavioral2/memory/4784-270-0x00007FF73FF50000-0x00007FF7402A1000-memory.dmp	xmrig
behavioral2/memory/2800-272-0x00007FF76FAF0000-0x00007FF76FE41000-memory.dmp	xmrig
behavioral2/memory/1284-274-0x00007FF74E400000-0x00007FF74E751000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2880	ruvSPRw.exe
2852	hOMJwoA.exe
2916	bEJuErx.exe
2220	HkFQKUD.exe
1744	ZnqZZmc.exe
4596	YkzMzFC.exe
5084	yOpggFM.exe
2980	MVbLCra.exe
456	hiNgemO.exe
2076	YDkqMUh.exe
4776	fxgYJXr.exe
4812	KBbTFOA.exe
1036	YeegYfs.exe
4564	qGFFsem.exe
560	oYNYPgw.exe
3124	sLYWrPL.exe
884	OwiQjyD.exe
4716	fALmAmB.exe
4784	RQuONaX.exe
2800	uNzzmFN.exe
1284	vmbvlKt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3464-0-0x00007FF7BB780000-0x00007FF7BBAD1000-memory.dmp	upx
behavioral2/files/0x000b000000023b8e-6.dat	upx
behavioral2/files/0x000b000000023b92-11.dat	upx
behavioral2/memory/2880-14-0x00007FF6A3230000-0x00007FF6A3581000-memory.dmp	upx
behavioral2/memory/2852-15-0x00007FF7205B0000-0x00007FF720901000-memory.dmp	upx
behavioral2/files/0x000b000000023b93-10.dat	upx
behavioral2/memory/2916-19-0x00007FF7B1A60000-0x00007FF7B1DB1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-26.dat	upx
behavioral2/files/0x000b000000023b94-28.dat	upx
behavioral2/memory/1744-30-0x00007FF72F390000-0x00007FF72F6E1000-memory.dmp	upx
behavioral2/files/0x000e000000023ba3-35.dat	upx
behavioral2/memory/4596-36-0x00007FF63FE30000-0x00007FF640181000-memory.dmp	upx
behavioral2/files/0x0008000000023bac-40.dat	upx
behavioral2/memory/5084-45-0x00007FF7413F0000-0x00007FF741741000-memory.dmp	upx
behavioral2/files/0x0009000000023bb1-46.dat	upx
behavioral2/files/0x0009000000023bb2-53.dat	upx
behavioral2/memory/456-54-0x00007FF76A830000-0x00007FF76AB81000-memory.dmp	upx
behavioral2/memory/2980-48-0x00007FF6BB170000-0x00007FF6BB4C1000-memory.dmp	upx
behavioral2/memory/2220-24-0x00007FF72D230000-0x00007FF72D581000-memory.dmp	upx
behavioral2/files/0x000b000000023b8f-58.dat	upx
behavioral2/memory/3464-60-0x00007FF7BB780000-0x00007FF7BBAD1000-memory.dmp	upx
behavioral2/files/0x0009000000023bb3-64.dat	upx
behavioral2/memory/2880-65-0x00007FF6A3230000-0x00007FF6A3581000-memory.dmp	upx
behavioral2/files/0x000e000000023bb7-68.dat	upx
behavioral2/memory/4812-77-0x00007FF6DB370000-0x00007FF6DB6C1000-memory.dmp	upx
behavioral2/memory/2916-78-0x00007FF7B1A60000-0x00007FF7B1DB1000-memory.dmp	upx
behavioral2/memory/2852-73-0x00007FF7205B0000-0x00007FF720901000-memory.dmp	upx
behavioral2/memory/4776-69-0x00007FF7724C0000-0x00007FF772811000-memory.dmp	upx
behavioral2/memory/2076-66-0x00007FF730760000-0x00007FF730AB1000-memory.dmp	upx
behavioral2/files/0x0008000000023bb9-81.dat	upx
behavioral2/files/0x0008000000023bbe-93.dat	upx
behavioral2/files/0x0008000000023bbd-88.dat	upx
behavioral2/memory/1036-86-0x00007FF6C5A10000-0x00007FF6C5D61000-memory.dmp	upx
behavioral2/memory/4596-95-0x00007FF63FE30000-0x00007FF640181000-memory.dmp	upx
behavioral2/memory/560-101-0x00007FF689F10000-0x00007FF68A261000-memory.dmp	upx
behavioral2/files/0x0008000000023bbf-102.dat	upx
behavioral2/memory/2980-109-0x00007FF6BB170000-0x00007FF6BB4C1000-memory.dmp	upx
behavioral2/files/0x0008000000023bee-110.dat	upx
behavioral2/memory/884-111-0x00007FF68D7F0000-0x00007FF68DB41000-memory.dmp	upx
behavioral2/files/0x0008000000023bef-114.dat	upx
behavioral2/memory/2076-123-0x00007FF730760000-0x00007FF730AB1000-memory.dmp	upx
behavioral2/files/0x0008000000023bf0-122.dat	upx
behavioral2/files/0x0008000000023bf1-130.dat	upx
behavioral2/memory/2800-131-0x00007FF76FAF0000-0x00007FF76FE41000-memory.dmp	upx
behavioral2/files/0x0008000000023bf2-138.dat	upx
behavioral2/memory/1284-137-0x00007FF74E400000-0x00007FF74E751000-memory.dmp	upx
behavioral2/memory/4812-136-0x00007FF6DB370000-0x00007FF6DB6C1000-memory.dmp	upx
behavioral2/memory/4784-127-0x00007FF73FF50000-0x00007FF7402A1000-memory.dmp	upx
behavioral2/memory/4776-124-0x00007FF7724C0000-0x00007FF772811000-memory.dmp	upx
behavioral2/memory/4716-119-0x00007FF61A8C0000-0x00007FF61AC11000-memory.dmp	upx
behavioral2/memory/456-118-0x00007FF76A830000-0x00007FF76AB81000-memory.dmp	upx
behavioral2/memory/3124-103-0x00007FF7DE030000-0x00007FF7DE381000-memory.dmp	upx
behavioral2/memory/4564-100-0x00007FF6B04E0000-0x00007FF6B0831000-memory.dmp	upx
behavioral2/memory/1744-94-0x00007FF72F390000-0x00007FF72F6E1000-memory.dmp	upx
behavioral2/memory/2220-85-0x00007FF72D230000-0x00007FF72D581000-memory.dmp	upx
behavioral2/memory/3464-140-0x00007FF7BB780000-0x00007FF7BBAD1000-memory.dmp	upx
behavioral2/memory/1036-145-0x00007FF6C5A10000-0x00007FF6C5D61000-memory.dmp	upx
behavioral2/memory/3124-155-0x00007FF7DE030000-0x00007FF7DE381000-memory.dmp	upx
behavioral2/memory/884-156-0x00007FF68D7F0000-0x00007FF68DB41000-memory.dmp	upx
behavioral2/memory/4716-160-0x00007FF61A8C0000-0x00007FF61AC11000-memory.dmp	upx
behavioral2/memory/2800-164-0x00007FF76FAF0000-0x00007FF76FE41000-memory.dmp	upx
behavioral2/memory/4784-166-0x00007FF73FF50000-0x00007FF7402A1000-memory.dmp	upx
behavioral2/memory/1284-165-0x00007FF74E400000-0x00007FF74E751000-memory.dmp	upx
behavioral2/memory/3464-167-0x00007FF7BB780000-0x00007FF7BBAD1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\yOpggFM.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hiNgemO.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YeegYfs.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qGFFsem.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fALmAmB.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ruvSPRw.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YDkqMUh.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oYNYPgw.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sLYWrPL.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vmbvlKt.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hOMJwoA.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bEJuErx.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZnqZZmc.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KBbTFOA.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OwiQjyD.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RQuONaX.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uNzzmFN.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HkFQKUD.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YkzMzFC.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MVbLCra.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fxgYJXr.exe	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 2880	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3464 wrote to memory of 2880	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3464 wrote to memory of 2852	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3464 wrote to memory of 2852	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3464 wrote to memory of 2916	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3464 wrote to memory of 2916	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3464 wrote to memory of 2220	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3464 wrote to memory of 2220	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3464 wrote to memory of 1744	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3464 wrote to memory of 1744	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3464 wrote to memory of 4596	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3464 wrote to memory of 4596	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3464 wrote to memory of 5084	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3464 wrote to memory of 5084	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3464 wrote to memory of 2980	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3464 wrote to memory of 2980	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3464 wrote to memory of 456	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3464 wrote to memory of 456	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3464 wrote to memory of 2076	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3464 wrote to memory of 2076	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3464 wrote to memory of 4776	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3464 wrote to memory of 4776	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3464 wrote to memory of 4812	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3464 wrote to memory of 4812	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3464 wrote to memory of 1036	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3464 wrote to memory of 1036	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3464 wrote to memory of 4564	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3464 wrote to memory of 4564	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3464 wrote to memory of 560	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3464 wrote to memory of 560	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3464 wrote to memory of 3124	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3464 wrote to memory of 3124	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3464 wrote to memory of 884	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3464 wrote to memory of 884	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3464 wrote to memory of 4716	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3464 wrote to memory of 4716	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3464 wrote to memory of 4784	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3464 wrote to memory of 4784	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3464 wrote to memory of 2800	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3464 wrote to memory of 2800	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3464 wrote to memory of 1284	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3464 wrote to memory of 1284	3464	2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_b9bcc6e1593df29ec0b85d97a252ad9c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\System\ruvSPRw.exe
  C:\Windows\System\ruvSPRw.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\hOMJwoA.exe
  C:\Windows\System\hOMJwoA.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\bEJuErx.exe
  C:\Windows\System\bEJuErx.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\HkFQKUD.exe
  C:\Windows\System\HkFQKUD.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System\ZnqZZmc.exe
  C:\Windows\System\ZnqZZmc.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\YkzMzFC.exe
  C:\Windows\System\YkzMzFC.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\yOpggFM.exe
  C:\Windows\System\yOpggFM.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\MVbLCra.exe
  C:\Windows\System\MVbLCra.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\hiNgemO.exe
  C:\Windows\System\hiNgemO.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\YDkqMUh.exe
  C:\Windows\System\YDkqMUh.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System\fxgYJXr.exe
  C:\Windows\System\fxgYJXr.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\KBbTFOA.exe
  C:\Windows\System\KBbTFOA.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\YeegYfs.exe
  C:\Windows\System\YeegYfs.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\qGFFsem.exe
  C:\Windows\System\qGFFsem.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\oYNYPgw.exe
  C:\Windows\System\oYNYPgw.exe
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\System\sLYWrPL.exe
  C:\Windows\System\sLYWrPL.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\OwiQjyD.exe
  C:\Windows\System\OwiQjyD.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System\fALmAmB.exe
  C:\Windows\System\fALmAmB.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\RQuONaX.exe
  C:\Windows\System\RQuONaX.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\uNzzmFN.exe
  C:\Windows\System\uNzzmFN.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\vmbvlKt.exe
  C:\Windows\System\vmbvlKt.exe
  2⤵
  - Executes dropped EXE
  PID:1284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\HkFQKUD.exe

Filesize
5.2MB

MD5
045e596fed8ee2c16ea2351412790335

SHA1
7e594ee5b220b0ef3f30973d366db1a2ef3bd175

SHA256
176f6c8ffbb6e51f9596d6a19d67252d78ff982e94cbe99bc8bc02decc6cc2b6

SHA512
c9e1a5f1ab60637ab5bb2a18e64de654ed26a47f50f81190bf057b7a6ccb84a72a3d5f075df95f3ef12add68ef4db0a5df6543a47c3d3705f2398fa0d7aaf9a5

Download Submit
C:\Windows\System\KBbTFOA.exe

Filesize
5.2MB

MD5
93f0f422b6649ee532ee6303f291ccf2

SHA1
057061a1fb0009cd8369e3642780c4598ccbea1d

SHA256
29ae86025ea50855e102b5ba9b836acd667b5bb14875a6f64021ac1fa5347a8e

SHA512
235ff52a304f005f12f9b1a450b96c7dee1f654ca74398e27d8c964b0c2e3af0f8f112a2e3d6197b0893d319d3e3934599af555fabf9db552e12f57a366a4a42

Download Submit
C:\Windows\System\MVbLCra.exe

Filesize
5.2MB

MD5
023b5e71a0941bbcaf3974a3fbcc6072

SHA1
a07b1a261983f45ddc4e390acc4014390478c5a1

SHA256
900c434363bb7ea151df5102a060d2048a227b47f9e6522a56d91a0e004584b3

SHA512
e6536f8dfe7a6cb5b44a4e7e8abff9c085f2a9ee61173ba7b461c63af85582c87a6bee0b5b79c61552f89e24748704599c72f98bbd958e7cac45f2c130e04ac3

Download Submit
C:\Windows\System\OwiQjyD.exe

Filesize
5.2MB

MD5
5a715d208c7f6d5126ae7e89b0d39786

SHA1
0d39e4962bce3e4c79db4e82162ee52bf5367cfe

SHA256
397412d1e26a35b85dd430c2cc096f9f93d72fd121f8ff70ace9db4c826ae9e9

SHA512
0de47bbb503ab4e303a168cbcca7fc10bf2147fd47a2bb1a71bc2fe4a1ecdc6b82fc106dbdb51b31505cfe0e3643764273647583ed910020721c41aff16644bd

Download Submit
C:\Windows\System\RQuONaX.exe

Filesize
5.2MB

MD5
44aa6da96b0be05f832fd7ef099c08e1

SHA1
a2a902960c7649014162e9cc9a04e676b6c91163

SHA256
8c45df3285153bd216730cc9f9496e600c87a874364016dada9b97a26dca75fa

SHA512
332348c8d124b8c5fbcaf48804b6676158d59f9f4593904d48bcc413b3fa7e11f745ab94f4ceadb26183bfe50dd69953d53682f40b15e3102525653cbeb6e493

Download Submit
C:\Windows\System\YDkqMUh.exe

Filesize
5.2MB

MD5
e26832b4fd804ec4106be70ba2295793

SHA1
7826c3b6a22bfae05699128708a240901d1f762d

SHA256
9ec563e3a160e9149497d8aeaa83c5e740bb1036fc4c7b9b57e2289dcf201c38

SHA512
589679c0b86bf289598e0d88974735bdc923f68601d11ba08d822e8a03dc9dfcfaf41b6fb039b0dc0a56d3def1d4105be582c4980ee217752cc13723fce67fbb

Download Submit
C:\Windows\System\YeegYfs.exe

Filesize
5.2MB

MD5
b23e15ad9c52b519983e00ef8df88ace

SHA1
d94fdb91ccf506d350da1e4506cb2d9f7f740046

SHA256
359b395790a651603464ec77240cde497f787d9a8ceb51af42135bc3a2660f40

SHA512
354d7c6332899750ce44349761242be1ab5271a1071895502876e6bf90a958ecfe37ac5d19bda968cf7e4e87cb6e4a1da077000090e0282de51fe0e7f0adee27

Download Submit
C:\Windows\System\YkzMzFC.exe

Filesize
5.2MB

MD5
476a7918d054aaee04876da4336ce829

SHA1
103f2a84a1501c751af27d9eb5f1c72518d87092

SHA256
de130c03d6a56f0dbffa7e5f6f140b36a22d9636dfc93fc9740d29ab19a03c0d

SHA512
3683116c5b7fe36ccf785a5d16002b1409a5e49bb7b9b75ccfc4fbeb6b0d93c62bd5ee90dfd7acb95fec2b6ea8f051b27ac315102c91344d318b5c8e936d8f70

Download Submit
C:\Windows\System\ZnqZZmc.exe

Filesize
5.2MB

MD5
293a76bb24ff39a5731073ae48078e09

SHA1
fc4230c1a350fb42bd6ba5a856cf2fddd64f7293

SHA256
c813ef5ea65352d302c368dabae589b689cc3145135d173fb54c996f56a94d7d

SHA512
240f2efd280727553bb77f710bd6ebed7d9643b6527d1dac32def9412ec1d0d52f93da0c9ef699f343527fad54f404885a5d47c0aabf1e46f95025a86358d9de

Download Submit
C:\Windows\System\bEJuErx.exe

Filesize
5.2MB

MD5
a357acdd5e8303908602ffff9a13a04c

SHA1
001803c7d35190b260cbb03fc82183402a9c0080

SHA256
de7a20e25dec674fdaec135994ee5a43d004eb10932e1fa937f3682540ef332f

SHA512
1bac4cfa0556af20f61747215910065111b47ef386808978d06926636de7c7516f186ed9be8a207f6252bb908c57a28f7d56b9be0cdb5fb710fa154432831e68

Download Submit
C:\Windows\System\fALmAmB.exe

Filesize
5.2MB

MD5
24c6fe2b17effac63d70d4c92181041a

SHA1
73e93fa4a5b5e233c79a74e9a32e4231889ccb66

SHA256
e376cb9592757c657fa1eb4d7794e84217d49b9c5f7f4d64adde5c132f6a30d9

SHA512
dd2d8a01260abbecfe56536e88efca7fbb233b4d88418ead3b248af7fd6a6e50114dabe3ca378e48ee088338c6eb3452ddffa7a25267a8952d76068b944965df

Download Submit
C:\Windows\System\fxgYJXr.exe

Filesize
5.2MB

MD5
2171305233caa8a607d1460b397a6c22

SHA1
b7b79b5ba2731431e0ba367d533da77161e703b1

SHA256
dea0f87eb64c59fd71751dd81b04b8c363df2b2c7ff38179377dc8feede65e90

SHA512
05256941dc1270cf512c404b3cf68f49de467abddb9daec81e45a4a8f4406837a1c5ee66325b0c699c1a8516de24a2dccdf6acdb8ef96003078736a3ac4dc49b

Download Submit
C:\Windows\System\hOMJwoA.exe

Filesize
5.2MB

MD5
c7c201e6d718783f36e2146244078474

SHA1
31e0a43a5fcd5fa61eb942f500425e981cff1d9a

SHA256
e234edf680d7123ef35cc84c312e3c306e078b2c126777c54f8201e155bd3859

SHA512
0806e9b5dfb4b2cb16e327b706a0d1899fc245c6727539aa0b30e5293b6fb4e7f487f673312fcead9677df0d2c5f248d38d0c0060dbb6e7a5691c25033a64ba4

Download Submit
C:\Windows\System\hiNgemO.exe

Filesize
5.2MB

MD5
a339b0c9d72544f97db5628eac865ee2

SHA1
608bf5e65c100827dc1a9c7f9a00784692ae51ae

SHA256
dc3ec6431c1618aeb6d90bcf4a6175da94dd05ab3d6e1f689ee096d86b569be2

SHA512
27e2635c5324c8fdc558adf638ebdb442a75766194e8374085205cf769857b890f8ec561ea909e6f65c5c5d3bb8154774e35fe88f1fba554f3e80fc403870bcb

Download Submit
C:\Windows\System\oYNYPgw.exe

Filesize
5.2MB

MD5
7f8393171321ee20697acf7969ed5fe3

SHA1
1c1904050a807d6558181701a9ce820cb95e01f0

SHA256
36af857fcf407965e58c563e4fd05457c9e6a92688ecad75015e720f5022208f

SHA512
a578c9b6384183115178c57bbdae364d9271224296f0eeba2b69085020ace7aa37e2e88c316c1c66a5564bf2b6c2846411d07ee58d958f05b3047f66f15786a8

Download Submit
C:\Windows\System\qGFFsem.exe

Filesize
5.2MB

MD5
89ec7e5949cf3204d177f9a969b5e75f

SHA1
d25fb3d39b65d06fed47afae384b5acc742354f8

SHA256
5fb9d1ed888331fdd924810bb317cc0930da3cc351c1bc9750e90b51dd330cb4

SHA512
b3d685203cfdcd37f9888846e414189e3b616516cb5311d080105a87106bf9966b9bdf5f6199ba7a308a2fd04a3e3c8cf3370ff822249a96d125701d4fa047c7

Download Submit
C:\Windows\System\ruvSPRw.exe

Filesize
5.2MB

MD5
c90d5ae79fa0151fa3f0ca676d037d6a

SHA1
24485a71380dcd4fd3778afbac7c2313f892066d

SHA256
36f518b6322e39ac6a8b12fc1ef939f79c7dc804e16f8d20604fd366b571b364

SHA512
db623f24113a0e7ee89cfcff1948b014f46fa0421001d2987c82f716ee022e8c09552585cec9a1165899d38dd23d0c3327cf16a11ed8768a0e1af3e9d584a0fa

Download Submit
C:\Windows\System\sLYWrPL.exe

Filesize
5.2MB

MD5
f77fab445f9643aab5a079be306bdb3f

SHA1
fa6daff524ed1ded842c3ad167fd7f6590cad91c

SHA256
f6e6d4f38300b0d9f668bebe1acad1d9c05a91ca24bb5bd53d9ed37f55669e6d

SHA512
fe11c24dc931dc79e2443735445369ea7c0aa168acdca46dbb2d0ddb63974e8f8102f487ccc0dd1a5ceba84be76206094d089b8f70d4a5afef72ed010da5bf17

Download Submit
C:\Windows\System\uNzzmFN.exe

Filesize
5.2MB

MD5
3bea9afba08aaba714decd091c3e58e9

SHA1
dc0d4499decc0a320808fc08a3f51298d964b80e

SHA256
c54058680329cb1d4800fa84a5560c018b07214611991ea220a4e46d33ec0824

SHA512
4fd0bfaa52f85a5a48b3f7992a7d5babca108ea2b43c69cf8dd55515f66f8def0c8d2be91fd642484a8cc5ee43bb5d7dcb4a126570859610e2a50c5583998f32

Download Submit
C:\Windows\System\vmbvlKt.exe

Filesize
5.2MB

MD5
fc0f1d55a57acfcf7ae3fe5438978505

SHA1
9ab83c6124a524fcc41b1385602c7d690f4c846b

SHA256
093bdfc61dee518a4af4c5eda6642c2037f36d8453a1092bd27f9dd7592700d2

SHA512
75ea78b7c76fd23663b98950cf7a47e0726e3b5474400d5fd6d0eb5c3ad065664fb2ebe5e6b23afb2a08e8cc7d589aa5582b713baaf255df4c757ab9af024be0

Download Submit
C:\Windows\System\yOpggFM.exe

Filesize
5.2MB

MD5
60535c112224146c2f13ef7f5ea56450

SHA1
fa5fde63bbb615a1d57f4ce0633386cb12d5e726

SHA256
5007a27442a99d4fbaaf5e0ed61a4e51c5e27621bbc33645cecdd77ea0b4c78e

SHA512
5741a0781728773251324a8cb76fd075ebf0f46800f81aacb4dc3a072546ec481c781f4c0f379b080204b7fa0531870f84198599e53ab30fad188df9b20c9f8c

Download Submit
memory/456-54-0x00007FF76A830000-0x00007FF76AB81000-memory.dmp

Filesize
3.3MB

Download
memory/456-118-0x00007FF76A830000-0x00007FF76AB81000-memory.dmp

Filesize
3.3MB

Download
memory/456-239-0x00007FF76A830000-0x00007FF76AB81000-memory.dmp

Filesize
3.3MB

Download
memory/560-260-0x00007FF689F10000-0x00007FF68A261000-memory.dmp

Filesize
3.3MB

Download
memory/560-101-0x00007FF689F10000-0x00007FF68A261000-memory.dmp

Filesize
3.3MB

Download
memory/884-156-0x00007FF68D7F0000-0x00007FF68DB41000-memory.dmp

Filesize
3.3MB

Download
memory/884-111-0x00007FF68D7F0000-0x00007FF68DB41000-memory.dmp

Filesize
3.3MB

Download
memory/884-264-0x00007FF68D7F0000-0x00007FF68DB41000-memory.dmp

Filesize
3.3MB

Download
memory/1036-86-0x00007FF6C5A10000-0x00007FF6C5D61000-memory.dmp

Filesize
3.3MB

Download
memory/1036-258-0x00007FF6C5A10000-0x00007FF6C5D61000-memory.dmp

Filesize
3.3MB

Download
memory/1036-145-0x00007FF6C5A10000-0x00007FF6C5D61000-memory.dmp

Filesize
3.3MB

Download
memory/1284-137-0x00007FF74E400000-0x00007FF74E751000-memory.dmp

Filesize
3.3MB

Download
memory/1284-274-0x00007FF74E400000-0x00007FF74E751000-memory.dmp

Filesize
3.3MB

Download
memory/1284-165-0x00007FF74E400000-0x00007FF74E751000-memory.dmp

Filesize
3.3MB

Download
memory/1744-228-0x00007FF72F390000-0x00007FF72F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1744-94-0x00007FF72F390000-0x00007FF72F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1744-30-0x00007FF72F390000-0x00007FF72F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2076-66-0x00007FF730760000-0x00007FF730AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2076-123-0x00007FF730760000-0x00007FF730AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2076-245-0x00007FF730760000-0x00007FF730AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2220-24-0x00007FF72D230000-0x00007FF72D581000-memory.dmp

Filesize
3.3MB

Download
memory/2220-226-0x00007FF72D230000-0x00007FF72D581000-memory.dmp

Filesize
3.3MB

Download
memory/2220-85-0x00007FF72D230000-0x00007FF72D581000-memory.dmp

Filesize
3.3MB

Download
memory/2800-272-0x00007FF76FAF0000-0x00007FF76FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2800-164-0x00007FF76FAF0000-0x00007FF76FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2800-131-0x00007FF76FAF0000-0x00007FF76FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2852-73-0x00007FF7205B0000-0x00007FF720901000-memory.dmp

Filesize
3.3MB

Download
memory/2852-222-0x00007FF7205B0000-0x00007FF720901000-memory.dmp

Filesize
3.3MB

Download
memory/2852-15-0x00007FF7205B0000-0x00007FF720901000-memory.dmp

Filesize
3.3MB

Download
memory/2880-220-0x00007FF6A3230000-0x00007FF6A3581000-memory.dmp

Filesize
3.3MB

Download
memory/2880-14-0x00007FF6A3230000-0x00007FF6A3581000-memory.dmp

Filesize
3.3MB

Download
memory/2880-65-0x00007FF6A3230000-0x00007FF6A3581000-memory.dmp

Filesize
3.3MB

Download
memory/2916-19-0x00007FF7B1A60000-0x00007FF7B1DB1000-memory.dmp

Filesize
3.3MB

Download
memory/2916-78-0x00007FF7B1A60000-0x00007FF7B1DB1000-memory.dmp

Filesize
3.3MB

Download
memory/2916-224-0x00007FF7B1A60000-0x00007FF7B1DB1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-237-0x00007FF6BB170000-0x00007FF6BB4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-48-0x00007FF6BB170000-0x00007FF6BB4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-109-0x00007FF6BB170000-0x00007FF6BB4C1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-155-0x00007FF7DE030000-0x00007FF7DE381000-memory.dmp

Filesize
3.3MB

Download
memory/3124-262-0x00007FF7DE030000-0x00007FF7DE381000-memory.dmp

Filesize
3.3MB

Download
memory/3124-103-0x00007FF7DE030000-0x00007FF7DE381000-memory.dmp

Filesize
3.3MB

Download
memory/3464-60-0x00007FF7BB780000-0x00007FF7BBAD1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-140-0x00007FF7BB780000-0x00007FF7BBAD1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-167-0x00007FF7BB780000-0x00007FF7BBAD1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-0-0x00007FF7BB780000-0x00007FF7BBAD1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-1-0x0000020755EE0000-0x0000020755EF0000-memory.dmp

Filesize
64KB

Download
memory/4564-257-0x00007FF6B04E0000-0x00007FF6B0831000-memory.dmp

Filesize
3.3MB

Download
memory/4564-100-0x00007FF6B04E0000-0x00007FF6B0831000-memory.dmp

Filesize
3.3MB

Download
memory/4596-233-0x00007FF63FE30000-0x00007FF640181000-memory.dmp

Filesize
3.3MB

Download
memory/4596-36-0x00007FF63FE30000-0x00007FF640181000-memory.dmp

Filesize
3.3MB

Download
memory/4596-95-0x00007FF63FE30000-0x00007FF640181000-memory.dmp

Filesize
3.3MB

Download
memory/4716-160-0x00007FF61A8C0000-0x00007FF61AC11000-memory.dmp

Filesize
3.3MB

Download
memory/4716-119-0x00007FF61A8C0000-0x00007FF61AC11000-memory.dmp

Filesize
3.3MB

Download
memory/4716-268-0x00007FF61A8C0000-0x00007FF61AC11000-memory.dmp

Filesize
3.3MB

Download
memory/4776-69-0x00007FF7724C0000-0x00007FF772811000-memory.dmp

Filesize
3.3MB

Download
memory/4776-246-0x00007FF7724C0000-0x00007FF772811000-memory.dmp

Filesize
3.3MB

Download
memory/4776-124-0x00007FF7724C0000-0x00007FF772811000-memory.dmp

Filesize
3.3MB

Download
memory/4784-166-0x00007FF73FF50000-0x00007FF7402A1000-memory.dmp

Filesize
3.3MB

Download
memory/4784-127-0x00007FF73FF50000-0x00007FF7402A1000-memory.dmp

Filesize
3.3MB

Download
memory/4784-270-0x00007FF73FF50000-0x00007FF7402A1000-memory.dmp

Filesize
3.3MB

Download
memory/4812-248-0x00007FF6DB370000-0x00007FF6DB6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4812-77-0x00007FF6DB370000-0x00007FF6DB6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4812-136-0x00007FF6DB370000-0x00007FF6DB6C1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-45-0x00007FF7413F0000-0x00007FF741741000-memory.dmp

Filesize
3.3MB

Download
memory/5084-235-0x00007FF7413F0000-0x00007FF741741000-memory.dmp

Filesize
3.3MB

Download