cobaltstrike | 907a43e91d9ed0b940329b3499a99ac8e3b350b371885c6260e19751bf7de1ae

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

047ab1463a97645ec9edd9d42265cfc4
SHA1

b2da9d36a760ba36603b6ae4cec19f3600e32e43
SHA256

907a43e91d9ed0b940329b3499a99ac8e3b350b371885c6260e19751bf7de1ae
SHA512

74af565ce535c6f1688919925aa15b045eeff30ac39cf8ab06acb875e8e8ddb7a45f6bf73adce7e9c077b94e5512d5d4d1b5e0998c8f0fef77a93a265a7e356c
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lI:RWWBibf56utgpPFotBER/mQ32lUU

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002343a-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-13.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023443-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023444-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023445-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-65.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002343b-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023449-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023448-81.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344a-95.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023375-105.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002337b-109.dat	cobalt_reflective_dll
behavioral2/files/0x000c00000002337c-124.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344c-130.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344d-139.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344b-133.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1604-57-0x00007FF6EDAA0000-0x00007FF6EDDF1000-memory.dmp	xmrig
behavioral2/memory/1184-55-0x00007FF713080000-0x00007FF7133D1000-memory.dmp	xmrig
behavioral2/memory/432-61-0x00007FF643750000-0x00007FF643AA1000-memory.dmp	xmrig
behavioral2/memory/708-68-0x00007FF787B80000-0x00007FF787ED1000-memory.dmp	xmrig
behavioral2/memory/4880-78-0x00007FF6C5100000-0x00007FF6C5451000-memory.dmp	xmrig
behavioral2/memory/2324-84-0x00007FF67C670000-0x00007FF67C9C1000-memory.dmp	xmrig
behavioral2/memory/964-87-0x00007FF7BCEE0000-0x00007FF7BD231000-memory.dmp	xmrig
behavioral2/memory/1212-77-0x00007FF6DA140000-0x00007FF6DA491000-memory.dmp	xmrig
behavioral2/memory/2128-92-0x00007FF65E6E0000-0x00007FF65EA31000-memory.dmp	xmrig
behavioral2/memory/4724-97-0x00007FF7F7C20000-0x00007FF7F7F71000-memory.dmp	xmrig
behavioral2/memory/3152-110-0x00007FF6CF9F0000-0x00007FF6CFD41000-memory.dmp	xmrig
behavioral2/memory/4212-136-0x00007FF618470000-0x00007FF6187C1000-memory.dmp	xmrig
behavioral2/memory/4004-137-0x00007FF7630E0000-0x00007FF763431000-memory.dmp	xmrig
behavioral2/memory/2880-128-0x00007FF6F24D0000-0x00007FF6F2821000-memory.dmp	xmrig
behavioral2/memory/1604-119-0x00007FF6EDAA0000-0x00007FF6EDDF1000-memory.dmp	xmrig
behavioral2/memory/1184-140-0x00007FF713080000-0x00007FF7133D1000-memory.dmp	xmrig
behavioral2/memory/3388-150-0x00007FF73B1F0000-0x00007FF73B541000-memory.dmp	xmrig
behavioral2/memory/4948-157-0x00007FF6D1660000-0x00007FF6D19B1000-memory.dmp	xmrig
behavioral2/memory/2896-158-0x00007FF6FD180000-0x00007FF6FD4D1000-memory.dmp	xmrig
behavioral2/memory/4160-159-0x00007FF63D6D0000-0x00007FF63DA21000-memory.dmp	xmrig
behavioral2/memory/532-164-0x00007FF771DF0000-0x00007FF772141000-memory.dmp	xmrig
behavioral2/memory/2124-166-0x00007FF7020C0000-0x00007FF702411000-memory.dmp	xmrig
behavioral2/memory/2508-168-0x00007FF64E120000-0x00007FF64E471000-memory.dmp	xmrig
behavioral2/memory/1448-167-0x00007FF6D1440000-0x00007FF6D1791000-memory.dmp	xmrig
behavioral2/memory/1184-169-0x00007FF713080000-0x00007FF7133D1000-memory.dmp	xmrig
behavioral2/memory/432-220-0x00007FF643750000-0x00007FF643AA1000-memory.dmp	xmrig
behavioral2/memory/708-222-0x00007FF787B80000-0x00007FF787ED1000-memory.dmp	xmrig
behavioral2/memory/1212-227-0x00007FF6DA140000-0x00007FF6DA491000-memory.dmp	xmrig
behavioral2/memory/4880-229-0x00007FF6C5100000-0x00007FF6C5451000-memory.dmp	xmrig
behavioral2/memory/2324-231-0x00007FF67C670000-0x00007FF67C9C1000-memory.dmp	xmrig
behavioral2/memory/2128-233-0x00007FF65E6E0000-0x00007FF65EA31000-memory.dmp	xmrig
behavioral2/memory/4724-235-0x00007FF7F7C20000-0x00007FF7F7F71000-memory.dmp	xmrig
behavioral2/memory/1604-245-0x00007FF6EDAA0000-0x00007FF6EDDF1000-memory.dmp	xmrig
behavioral2/memory/3152-243-0x00007FF6CF9F0000-0x00007FF6CFD41000-memory.dmp	xmrig
behavioral2/memory/2880-247-0x00007FF6F24D0000-0x00007FF6F2821000-memory.dmp	xmrig
behavioral2/memory/4212-249-0x00007FF618470000-0x00007FF6187C1000-memory.dmp	xmrig
behavioral2/memory/4004-252-0x00007FF7630E0000-0x00007FF763431000-memory.dmp	xmrig
behavioral2/memory/964-253-0x00007FF7BCEE0000-0x00007FF7BD231000-memory.dmp	xmrig
behavioral2/memory/3388-255-0x00007FF73B1F0000-0x00007FF73B541000-memory.dmp	xmrig
behavioral2/memory/4948-264-0x00007FF6D1660000-0x00007FF6D19B1000-memory.dmp	xmrig
behavioral2/memory/2896-266-0x00007FF6FD180000-0x00007FF6FD4D1000-memory.dmp	xmrig
behavioral2/memory/4160-268-0x00007FF63D6D0000-0x00007FF63DA21000-memory.dmp	xmrig
behavioral2/memory/1448-270-0x00007FF6D1440000-0x00007FF6D1791000-memory.dmp	xmrig
behavioral2/memory/2508-272-0x00007FF64E120000-0x00007FF64E471000-memory.dmp	xmrig
behavioral2/memory/532-274-0x00007FF771DF0000-0x00007FF772141000-memory.dmp	xmrig
behavioral2/memory/2124-277-0x00007FF7020C0000-0x00007FF702411000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
432	GagQpHX.exe
708	rYkbfJY.exe
1212	dgXkzko.exe
4880	TeNPfag.exe
2324	KObHBen.exe
2128	wmjTdSD.exe
4724	tuYRjNe.exe
3152	FDpQKru.exe
1604	asbEAOH.exe
2880	GtnTepo.exe
4212	VnpZadV.exe
4004	LkvALVR.exe
964	PIvdbtD.exe
3388	aGAkjgD.exe
4948	gZPYREH.exe
2896	NPWlPMx.exe
4160	iRHeivd.exe
1448	YRkGXEf.exe
532	nJzklcp.exe
2508	NHoNlwm.exe
2124	FknWxin.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1184-0-0x00007FF713080000-0x00007FF7133D1000-memory.dmp	upx
behavioral2/files/0x000800000002343a-5.dat	upx
behavioral2/memory/432-7-0x00007FF643750000-0x00007FF643AA1000-memory.dmp	upx
behavioral2/files/0x000700000002343f-10.dat	upx
behavioral2/memory/708-12-0x00007FF787B80000-0x00007FF787ED1000-memory.dmp	upx
behavioral2/files/0x000700000002343e-13.dat	upx
behavioral2/memory/4880-29-0x00007FF6C5100000-0x00007FF6C5451000-memory.dmp	upx
behavioral2/files/0x0007000000023441-34.dat	upx
behavioral2/files/0x0007000000023442-40.dat	upx
behavioral2/memory/4724-42-0x00007FF7F7C20000-0x00007FF7F7F71000-memory.dmp	upx
behavioral2/files/0x0007000000023443-43.dat	upx
behavioral2/memory/2128-35-0x00007FF65E6E0000-0x00007FF65EA31000-memory.dmp	upx
behavioral2/memory/2324-33-0x00007FF67C670000-0x00007FF67C9C1000-memory.dmp	upx
behavioral2/files/0x0007000000023440-26.dat	upx
behavioral2/memory/1212-18-0x00007FF6DA140000-0x00007FF6DA491000-memory.dmp	upx
behavioral2/files/0x0007000000023444-47.dat	upx
behavioral2/memory/1604-57-0x00007FF6EDAA0000-0x00007FF6EDDF1000-memory.dmp	upx
behavioral2/memory/1184-55-0x00007FF713080000-0x00007FF7133D1000-memory.dmp	upx
behavioral2/memory/2880-62-0x00007FF6F24D0000-0x00007FF6F2821000-memory.dmp	upx
behavioral2/files/0x0007000000023445-66.dat	upx
behavioral2/files/0x0007000000023446-65.dat	upx
behavioral2/memory/432-61-0x00007FF643750000-0x00007FF643AA1000-memory.dmp	upx
behavioral2/files/0x000800000002343b-54.dat	upx
behavioral2/memory/3152-49-0x00007FF6CF9F0000-0x00007FF6CFD41000-memory.dmp	upx
behavioral2/memory/708-68-0x00007FF787B80000-0x00007FF787ED1000-memory.dmp	upx
behavioral2/files/0x0007000000023447-74.dat	upx
behavioral2/memory/4212-73-0x00007FF618470000-0x00007FF6187C1000-memory.dmp	upx
behavioral2/memory/4880-78-0x00007FF6C5100000-0x00007FF6C5451000-memory.dmp	upx
behavioral2/memory/2324-84-0x00007FF67C670000-0x00007FF67C9C1000-memory.dmp	upx
behavioral2/files/0x0007000000023449-88.dat	upx
behavioral2/memory/3388-89-0x00007FF73B1F0000-0x00007FF73B541000-memory.dmp	upx
behavioral2/memory/964-87-0x00007FF7BCEE0000-0x00007FF7BD231000-memory.dmp	upx
behavioral2/memory/4004-83-0x00007FF7630E0000-0x00007FF763431000-memory.dmp	upx
behavioral2/files/0x0007000000023448-81.dat	upx
behavioral2/memory/1212-77-0x00007FF6DA140000-0x00007FF6DA491000-memory.dmp	upx
behavioral2/memory/2128-92-0x00007FF65E6E0000-0x00007FF65EA31000-memory.dmp	upx
behavioral2/files/0x000700000002344a-95.dat	upx
behavioral2/memory/4948-98-0x00007FF6D1660000-0x00007FF6D19B1000-memory.dmp	upx
behavioral2/memory/4724-97-0x00007FF7F7C20000-0x00007FF7F7F71000-memory.dmp	upx
behavioral2/memory/2896-104-0x00007FF6FD180000-0x00007FF6FD4D1000-memory.dmp	upx
behavioral2/files/0x000b000000023375-105.dat	upx
behavioral2/files/0x000900000002337b-109.dat	upx
behavioral2/memory/3152-110-0x00007FF6CF9F0000-0x00007FF6CFD41000-memory.dmp	upx
behavioral2/files/0x000c00000002337c-124.dat	upx
behavioral2/files/0x000700000002344c-130.dat	upx
behavioral2/memory/532-129-0x00007FF771DF0000-0x00007FF772141000-memory.dmp	upx
behavioral2/memory/4212-136-0x00007FF618470000-0x00007FF6187C1000-memory.dmp	upx
behavioral2/files/0x000700000002344d-139.dat	upx
behavioral2/memory/2124-138-0x00007FF7020C0000-0x00007FF702411000-memory.dmp	upx
behavioral2/memory/4004-137-0x00007FF7630E0000-0x00007FF763431000-memory.dmp	upx
behavioral2/memory/2508-134-0x00007FF64E120000-0x00007FF64E471000-memory.dmp	upx
behavioral2/files/0x000700000002344b-133.dat	upx
behavioral2/memory/2880-128-0x00007FF6F24D0000-0x00007FF6F2821000-memory.dmp	upx
behavioral2/memory/1448-120-0x00007FF6D1440000-0x00007FF6D1791000-memory.dmp	upx
behavioral2/memory/1604-119-0x00007FF6EDAA0000-0x00007FF6EDDF1000-memory.dmp	upx
behavioral2/memory/4160-111-0x00007FF63D6D0000-0x00007FF63DA21000-memory.dmp	upx
behavioral2/memory/1184-140-0x00007FF713080000-0x00007FF7133D1000-memory.dmp	upx
behavioral2/memory/3388-150-0x00007FF73B1F0000-0x00007FF73B541000-memory.dmp	upx
behavioral2/memory/4948-157-0x00007FF6D1660000-0x00007FF6D19B1000-memory.dmp	upx
behavioral2/memory/2896-158-0x00007FF6FD180000-0x00007FF6FD4D1000-memory.dmp	upx
behavioral2/memory/4160-159-0x00007FF63D6D0000-0x00007FF63DA21000-memory.dmp	upx
behavioral2/memory/532-164-0x00007FF771DF0000-0x00007FF772141000-memory.dmp	upx
behavioral2/memory/2124-166-0x00007FF7020C0000-0x00007FF702411000-memory.dmp	upx
behavioral2/memory/2508-168-0x00007FF64E120000-0x00007FF64E471000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rYkbfJY.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KObHBen.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LkvALVR.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gZPYREH.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nJzklcp.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TeNPfag.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wmjTdSD.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tuYRjNe.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\asbEAOH.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PIvdbtD.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iRHeivd.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dgXkzko.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NPWlPMx.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GagQpHX.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FDpQKru.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GtnTepo.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VnpZadV.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aGAkjgD.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YRkGXEf.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NHoNlwm.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FknWxin.exe	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 432	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1184 wrote to memory of 432	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1184 wrote to memory of 708	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1184 wrote to memory of 708	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1184 wrote to memory of 1212	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1184 wrote to memory of 1212	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1184 wrote to memory of 4880	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1184 wrote to memory of 4880	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1184 wrote to memory of 2324	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1184 wrote to memory of 2324	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1184 wrote to memory of 2128	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1184 wrote to memory of 2128	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1184 wrote to memory of 4724	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1184 wrote to memory of 4724	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1184 wrote to memory of 3152	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1184 wrote to memory of 3152	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1184 wrote to memory of 1604	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1184 wrote to memory of 1604	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1184 wrote to memory of 2880	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1184 wrote to memory of 2880	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1184 wrote to memory of 4212	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1184 wrote to memory of 4212	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1184 wrote to memory of 4004	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1184 wrote to memory of 4004	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1184 wrote to memory of 964	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1184 wrote to memory of 964	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1184 wrote to memory of 3388	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1184 wrote to memory of 3388	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1184 wrote to memory of 4948	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1184 wrote to memory of 4948	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1184 wrote to memory of 2896	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1184 wrote to memory of 2896	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1184 wrote to memory of 4160	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1184 wrote to memory of 4160	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1184 wrote to memory of 1448	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1184 wrote to memory of 1448	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1184 wrote to memory of 532	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1184 wrote to memory of 532	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1184 wrote to memory of 2508	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1184 wrote to memory of 2508	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1184 wrote to memory of 2124	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1184 wrote to memory of 2124	1184	2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_047ab1463a97645ec9edd9d42265cfc4_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\System\GagQpHX.exe
  C:\Windows\System\GagQpHX.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\rYkbfJY.exe
  C:\Windows\System\rYkbfJY.exe
  2⤵
  - Executes dropped EXE
  PID:708
- C:\Windows\System\dgXkzko.exe
  C:\Windows\System\dgXkzko.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System\TeNPfag.exe
  C:\Windows\System\TeNPfag.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\KObHBen.exe
  C:\Windows\System\KObHBen.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\wmjTdSD.exe
  C:\Windows\System\wmjTdSD.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\tuYRjNe.exe
  C:\Windows\System\tuYRjNe.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\FDpQKru.exe
  C:\Windows\System\FDpQKru.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\asbEAOH.exe
  C:\Windows\System\asbEAOH.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System\GtnTepo.exe
  C:\Windows\System\GtnTepo.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\VnpZadV.exe
  C:\Windows\System\VnpZadV.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\LkvALVR.exe
  C:\Windows\System\LkvALVR.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\PIvdbtD.exe
  C:\Windows\System\PIvdbtD.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\aGAkjgD.exe
  C:\Windows\System\aGAkjgD.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\gZPYREH.exe
  C:\Windows\System\gZPYREH.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\NPWlPMx.exe
  C:\Windows\System\NPWlPMx.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\iRHeivd.exe
  C:\Windows\System\iRHeivd.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System\YRkGXEf.exe
  C:\Windows\System\YRkGXEf.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\nJzklcp.exe
  C:\Windows\System\nJzklcp.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\NHoNlwm.exe
  C:\Windows\System\NHoNlwm.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\FknWxin.exe
  C:\Windows\System\FknWxin.exe
  2⤵
  - Executes dropped EXE
  PID:2124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FDpQKru.exe

Filesize
5.2MB

MD5
71be12df9be67431ccee16f9cf373498

SHA1
f1e22776234a14eb5cd6d31e835ac17d349d8b39

SHA256
3af008d0230970283e84ec59382a65509006a762889005e8349714cc78d7431c

SHA512
6a18835f129c5ad231114bcc7f50f61d486167e017d7c37e7c6a9f52dec807bed146caa72ec647a4b2ec986437af7fd7e5d4b2a3ae44665cd197504e3bb43271

Download Submit
C:\Windows\System\FknWxin.exe

Filesize
5.2MB

MD5
518128c5cfba2cb297e9485ca291e1d9

SHA1
df50a8ed1c95955d28c62fbc2c7f8a1e5d724aa0

SHA256
aab9745331fae1e61b0087a5f20c2f54bd86b3dbd1f37e1084f24c9048e3c5f3

SHA512
86f3ad5d1b0bcb7ed38584ee405981c6297d450b68d3165fe5eb4c450d0c2315e458aa11d3c3312d89731cd0f5792023a34a9dd04504c26758b6af72e7fa1db0

Download Submit
C:\Windows\System\GagQpHX.exe

Filesize
5.2MB

MD5
10df618ab09c7f7ef32975eed5d0a7ef

SHA1
ff95c01e5526871f34ab2c944fb3e12b677a9e8f

SHA256
fcd59da005ddc0b3842ff58535badff13eaa0df50cf01f76ba6d1712c88e5b63

SHA512
6d314f3c1dd651e5efd07cbf0001d48d1700d8f28ab60ecfc3a2c9921b9a6514202e132696d19b587ef65123eb610ad4b11555ae9c73c4bd41a23fa78c1f823b

Download Submit
C:\Windows\System\GtnTepo.exe

Filesize
5.2MB

MD5
7b2887ab46652c1421e560aaf66dbaee

SHA1
6ed051d745935413cdba204dc81ad2bfa8865bc1

SHA256
1cb67f05987c69f909be21938f1279edbda003b4d4fee2bfa5fca5273361c6a0

SHA512
6aa97ea25c10712ea9214b48291cb65e140a8d470179fa62318acc3a80181ce28ecbc410950a57f091b7a628e2ec716493807ba10254f85fb81b03a513380201

Download Submit
C:\Windows\System\KObHBen.exe

Filesize
5.2MB

MD5
0b16afeb55b3dc291d02be2fc9f95e65

SHA1
b740d5c93e8854ab25af2a69f0452f672eadafe5

SHA256
cbbe70187270c86791fa9077eba40ba7b3118f557fa0736867213d48267dfc92

SHA512
b8497fd84ebe74ac5482be9aec3fa43a0747e1096bf59aa26d2139afd1b32145aabd44a348c9930abf65feb847c47c12a5d8bfb6bf447369238a64bcdab197a5

Download Submit
C:\Windows\System\LkvALVR.exe

Filesize
5.2MB

MD5
cd663aa3a6a725e9191a51b01f9776b5

SHA1
574120c3e04a304188f5fac80216755cbee32183

SHA256
a629282e26d309dfcb335603d11a767c509b19f6b9c789d23b94cab776aa1a89

SHA512
1a16c0c796a703a501c742dd36f74f0963da0342eda5a12de35738af00f0db7962bee0887f03f0cacd955fa87b3be1e3f951a2daf879c5ec87015c0a9c51b6ef

Download Submit
C:\Windows\System\NHoNlwm.exe

Filesize
5.2MB

MD5
3adf0e608f665b5203e45ee38121119d

SHA1
9f3ef5f9cde713e18ac8fea889e89102a76c715b

SHA256
2cff1f0cb024db6de5c22ad62e07f3022b5c2d58ba42c471785d7bbc88669b46

SHA512
743487333baa1cda24223b6236dd373738b3b22fb791127f6e09f8c56289c1e8d8eedef332a435daf1315633716c4907991a7df90a64ded04840025babd6d852

Download Submit
C:\Windows\System\NPWlPMx.exe

Filesize
5.2MB

MD5
bd9bb2b5b34410fe1fb42c9443dc92fb

SHA1
90ac77ba9ee108f66cbfa1e7eb4277aa3bc0f7eb

SHA256
8a99f7a7b453f2df56bfbf77024f1fe65d218d0bb230d792ea9312e4ecdb5968

SHA512
71f3cd50c7f37e31ec3ad63ec1163d05f45e9722ae9de557f3df7bc538a8c648bdbe389c2868eb6d90c6cec10700a86229d633ff3788b51af3fbc64fbb20acbd

Download Submit
C:\Windows\System\PIvdbtD.exe

Filesize
5.2MB

MD5
5de8bef1226bb214ec7eb616c88f8a3b

SHA1
ad832c62a4cd304a639daf33805ad4da06b20b0e

SHA256
22ee8686eecbf8ce7e1e648a93d13841f1f5f3a2e88e096b6493771bbbd16914

SHA512
f5f7f4ccb6f8524ab41dcea931bb30d50ceb09103fdf595c03051f62a19e992bf08c9fa9093a3447576f01c758a1c0e14199d48135c820f711c4f5f7bda88014

Download Submit
C:\Windows\System\TeNPfag.exe

Filesize
5.2MB

MD5
27468e8078721367c345abd131906349

SHA1
30b85cd7e826a426d26cb0d49631e7efd56cec2c

SHA256
e947a8cd50a3005c5c61be87a3c296b46fb645f27945a0fbea95ceba6984f944

SHA512
88c777338e53b5ae453b16e4668e0315e2c2c15a329169fffc753ee63fd03d9095b78a4275950de4d91e23617bcb1bba2be9171649378d770f095140815a1687

Download Submit
C:\Windows\System\VnpZadV.exe

Filesize
5.2MB

MD5
30a2424a7425f871b642ecd6f00d79b6

SHA1
4b013d2bdb8aed7663d8b9c09fb7a261749b2c27

SHA256
bef235209dc979c0dbb84462b087f7b93362b55f4b2a17cb9543a34a6ee5f74a

SHA512
2f292ec1f4538235e1344c12ea2076a73efc342d791a8fdb68c410b705dcaae821f79505987f5446469c89319e8c55ff79cbc3611e0b57ff4360496c701acf84

Download Submit
C:\Windows\System\YRkGXEf.exe

Filesize
5.2MB

MD5
cc0f76e41c0db3daff9401c7738f7116

SHA1
d6b078b730022a3819429151189a12b7e6dd82f0

SHA256
bbf9d702be2429019eac55eea764f6e354b91584c00e7dd183dbab1e60d5a021

SHA512
acd0611fe2c8745b0e3e495d3cac8e04cf22fe2b00d24b8ce4379249c5a245f73afc71861d7342ffe5e41807aba25e44ff40c67b173a7926791988b16650360e

Download Submit
C:\Windows\System\aGAkjgD.exe

Filesize
5.2MB

MD5
ae7aafefa1607eeac27721de51d6797c

SHA1
2ed16a2659048d2386a4f0ac2dd66a34179c7dc0

SHA256
6978c20eb7615740629f405361a7f3ff1732050265071ff5d238f76cdd997e18

SHA512
99b063cb58123e92317e7b81d7053a51d985b6922e02fc206e29c2cd74eff2d926016342a18b6ab899659fa8c54a191e40a89e56f22d4df0f8c99b4d5aeb1c6a

Download Submit
C:\Windows\System\asbEAOH.exe

Filesize
5.2MB

MD5
4153b0c31194a75d51e0f7eac362a49e

SHA1
04ed07278503adabca5ef1e146b7167042b7fd75

SHA256
fb557f64cdda14843ce649d1835ed9220212edf486e08348f33394b73024c983

SHA512
a484073fd01136133d98794ed6bcd2dd6a3a2446318af57a65fcd6ec52a9b586caf6355397e3985635a58bdf8b856fcc6360c83e5441752960c68019208f6e23

Download Submit
C:\Windows\System\dgXkzko.exe

Filesize
5.2MB

MD5
6d38e641fe38a1da7fe31e928f75352c

SHA1
04d4d6134d98715ed64abe39f764dc09a1fc694f

SHA256
175ebdeaf42fe773128c3cdcd57c1ee81d58d5a1602c40a6cb238c8137e467b2

SHA512
968de881300479e79dfaf4c152e891aeb69515cef4d0b182e0ec4e99c29cd3c95602db48d66b3df464d6cc20c4efd54747851a5cf148d39538c35fa1050faa5d

Download Submit
C:\Windows\System\gZPYREH.exe

Filesize
5.2MB

MD5
600acbe265150ef4dd67ad0808142dc7

SHA1
c0e3324a285b8403e247fc28b79990baa3f1c118

SHA256
a06e956e17e6683f8b0f486d5a3785e336865c8939ca3b95fc28ad5f046967f6

SHA512
29bc62fca22d966dab26108e40b0a8e03542a17ad613941e5dda1a548e28e7c0203aeab77f14acd56e73373ca7b239d56522f9f68bd6fffc6ef4cc4fc30ea4d1

Download Submit
C:\Windows\System\iRHeivd.exe

Filesize
5.2MB

MD5
10424a5dbeffd8f54cb327746f4d46f1

SHA1
65550b3ec60a1890994415fcab8a53004a117899

SHA256
befac4d71726cc0d4154674ea8d7fef405bb2faa1aec57b2957ef689157a98a6

SHA512
b5adb06569f3683e22d0e864ecd16240e73894aa8be9d7152179baa178e9abae6ef7a986045887b4fd423b10a011cb77b07c25b8378bc4c0cf69239677e0e2e7

Download Submit
C:\Windows\System\nJzklcp.exe

Filesize
5.2MB

MD5
e210cb766c5dbf94ecf282e7d9d56b22

SHA1
1ed8de41dc201207ef2441d741055bcc838fe979

SHA256
c732012692b203c159dd837d4f3e2c61431a18fbb05bd0bddbf995df4385cad8

SHA512
7338998f8d9a3bc7fe7040217d20afde3e546680a1390cc12376311dea33129930ba80308d844f4b83750f5481ea52951285311a386cd982b518152dc15921cd

Download Submit
C:\Windows\System\rYkbfJY.exe

Filesize
5.2MB

MD5
deaa69e5f76ac4ddfd03ff8a5ea51a66

SHA1
fc5b1e9893dfa7fc75c0452031270f6fc79f7498

SHA256
7b85c3f818990e5af8fb02ce6224eb084a77b0fb6988e471ed811a880a781a94

SHA512
73334e795088ed6ee7c0f861b23ed671707f8a50997c6d1465e50dd720dd44123fab12471a0103e0f9861c3ec547d655aa180dfe36b44b41733250fbbb3e4c67

Download Submit
C:\Windows\System\tuYRjNe.exe

Filesize
5.2MB

MD5
f003300009da98f42c2e73a470b42038

SHA1
e814ccb79eee5e47c7e8297a0c0bdb73660acc4b

SHA256
3691a380124b44935c77aef30217f2adaf19dfe5a13bf9eb7afcde69411af969

SHA512
f773d3a302ba3d4d97d7350736fc718609b9ff2c1129f5c18255ed77f2c596247082dba01bff5b0391c5a0a7dcffa1bbbb2a81bb6af00f0333d221b0630619c4

Download Submit
C:\Windows\System\wmjTdSD.exe

Filesize
5.2MB

MD5
9e44c611467d952d1a4b4ee811627c6b

SHA1
a6f665ec7c6fecec6ec2dd05770c6bc3612d7ea7

SHA256
c67063beead59a4af3b7b87692949e8241d9624542aed5cbd3ae22f9a5a1eda3

SHA512
2420493b8d3204fcdf93902effae6abe9d455d4e84c913c9e6193812ee07186f2cb30f1e0a5239395aaa8176194381c0a0da5e39ef4d1d36cb233e08a2dae30d

Download Submit
memory/432-220-0x00007FF643750000-0x00007FF643AA1000-memory.dmp

Filesize
3.3MB

Download
memory/432-61-0x00007FF643750000-0x00007FF643AA1000-memory.dmp

Filesize
3.3MB

Download
memory/432-7-0x00007FF643750000-0x00007FF643AA1000-memory.dmp

Filesize
3.3MB

Download
memory/532-164-0x00007FF771DF0000-0x00007FF772141000-memory.dmp

Filesize
3.3MB

Download
memory/532-129-0x00007FF771DF0000-0x00007FF772141000-memory.dmp

Filesize
3.3MB

Download
memory/532-274-0x00007FF771DF0000-0x00007FF772141000-memory.dmp

Filesize
3.3MB

Download
memory/708-68-0x00007FF787B80000-0x00007FF787ED1000-memory.dmp

Filesize
3.3MB

Download
memory/708-12-0x00007FF787B80000-0x00007FF787ED1000-memory.dmp

Filesize
3.3MB

Download
memory/708-222-0x00007FF787B80000-0x00007FF787ED1000-memory.dmp

Filesize
3.3MB

Download
memory/964-253-0x00007FF7BCEE0000-0x00007FF7BD231000-memory.dmp

Filesize
3.3MB

Download
memory/964-87-0x00007FF7BCEE0000-0x00007FF7BD231000-memory.dmp

Filesize
3.3MB

Download
memory/1184-140-0x00007FF713080000-0x00007FF7133D1000-memory.dmp

Filesize
3.3MB

Download
memory/1184-169-0x00007FF713080000-0x00007FF7133D1000-memory.dmp

Filesize
3.3MB

Download
memory/1184-55-0x00007FF713080000-0x00007FF7133D1000-memory.dmp

Filesize
3.3MB

Download
memory/1184-1-0x0000021C4A8B0000-0x0000021C4A8C0000-memory.dmp

Filesize
64KB

Download
memory/1184-0-0x00007FF713080000-0x00007FF7133D1000-memory.dmp

Filesize
3.3MB

Download
memory/1212-77-0x00007FF6DA140000-0x00007FF6DA491000-memory.dmp

Filesize
3.3MB

Download
memory/1212-18-0x00007FF6DA140000-0x00007FF6DA491000-memory.dmp

Filesize
3.3MB

Download
memory/1212-227-0x00007FF6DA140000-0x00007FF6DA491000-memory.dmp

Filesize
3.3MB

Download
memory/1448-167-0x00007FF6D1440000-0x00007FF6D1791000-memory.dmp

Filesize
3.3MB

Download
memory/1448-120-0x00007FF6D1440000-0x00007FF6D1791000-memory.dmp

Filesize
3.3MB

Download
memory/1448-270-0x00007FF6D1440000-0x00007FF6D1791000-memory.dmp

Filesize
3.3MB

Download
memory/1604-57-0x00007FF6EDAA0000-0x00007FF6EDDF1000-memory.dmp

Filesize
3.3MB

Download
memory/1604-245-0x00007FF6EDAA0000-0x00007FF6EDDF1000-memory.dmp

Filesize
3.3MB

Download
memory/1604-119-0x00007FF6EDAA0000-0x00007FF6EDDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2124-138-0x00007FF7020C0000-0x00007FF702411000-memory.dmp

Filesize
3.3MB

Download
memory/2124-166-0x00007FF7020C0000-0x00007FF702411000-memory.dmp

Filesize
3.3MB

Download
memory/2124-277-0x00007FF7020C0000-0x00007FF702411000-memory.dmp

Filesize
3.3MB

Download
memory/2128-35-0x00007FF65E6E0000-0x00007FF65EA31000-memory.dmp

Filesize
3.3MB

Download
memory/2128-92-0x00007FF65E6E0000-0x00007FF65EA31000-memory.dmp

Filesize
3.3MB

Download
memory/2128-233-0x00007FF65E6E0000-0x00007FF65EA31000-memory.dmp

Filesize
3.3MB

Download
memory/2324-33-0x00007FF67C670000-0x00007FF67C9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2324-231-0x00007FF67C670000-0x00007FF67C9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2324-84-0x00007FF67C670000-0x00007FF67C9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2508-134-0x00007FF64E120000-0x00007FF64E471000-memory.dmp

Filesize
3.3MB

Download
memory/2508-272-0x00007FF64E120000-0x00007FF64E471000-memory.dmp

Filesize
3.3MB

Download
memory/2508-168-0x00007FF64E120000-0x00007FF64E471000-memory.dmp

Filesize
3.3MB

Download
memory/2880-128-0x00007FF6F24D0000-0x00007FF6F2821000-memory.dmp

Filesize
3.3MB

Download
memory/2880-62-0x00007FF6F24D0000-0x00007FF6F2821000-memory.dmp

Filesize
3.3MB

Download
memory/2880-247-0x00007FF6F24D0000-0x00007FF6F2821000-memory.dmp

Filesize
3.3MB

Download
memory/2896-158-0x00007FF6FD180000-0x00007FF6FD4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2896-266-0x00007FF6FD180000-0x00007FF6FD4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2896-104-0x00007FF6FD180000-0x00007FF6FD4D1000-memory.dmp

Filesize
3.3MB

Download
memory/3152-243-0x00007FF6CF9F0000-0x00007FF6CFD41000-memory.dmp

Filesize
3.3MB

Download
memory/3152-49-0x00007FF6CF9F0000-0x00007FF6CFD41000-memory.dmp

Filesize
3.3MB

Download
memory/3152-110-0x00007FF6CF9F0000-0x00007FF6CFD41000-memory.dmp

Filesize
3.3MB

Download
memory/3388-255-0x00007FF73B1F0000-0x00007FF73B541000-memory.dmp

Filesize
3.3MB

Download
memory/3388-150-0x00007FF73B1F0000-0x00007FF73B541000-memory.dmp

Filesize
3.3MB

Download
memory/3388-89-0x00007FF73B1F0000-0x00007FF73B541000-memory.dmp

Filesize
3.3MB

Download
memory/4004-252-0x00007FF7630E0000-0x00007FF763431000-memory.dmp

Filesize
3.3MB

Download
memory/4004-83-0x00007FF7630E0000-0x00007FF763431000-memory.dmp

Filesize
3.3MB

Download
memory/4004-137-0x00007FF7630E0000-0x00007FF763431000-memory.dmp

Filesize
3.3MB

Download
memory/4160-268-0x00007FF63D6D0000-0x00007FF63DA21000-memory.dmp

Filesize
3.3MB

Download
memory/4160-111-0x00007FF63D6D0000-0x00007FF63DA21000-memory.dmp

Filesize
3.3MB

Download
memory/4160-159-0x00007FF63D6D0000-0x00007FF63DA21000-memory.dmp

Filesize
3.3MB

Download
memory/4212-249-0x00007FF618470000-0x00007FF6187C1000-memory.dmp

Filesize
3.3MB

Download
memory/4212-73-0x00007FF618470000-0x00007FF6187C1000-memory.dmp

Filesize
3.3MB

Download
memory/4212-136-0x00007FF618470000-0x00007FF6187C1000-memory.dmp

Filesize
3.3MB

Download
memory/4724-235-0x00007FF7F7C20000-0x00007FF7F7F71000-memory.dmp

Filesize
3.3MB

Download
memory/4724-97-0x00007FF7F7C20000-0x00007FF7F7F71000-memory.dmp

Filesize
3.3MB

Download
memory/4724-42-0x00007FF7F7C20000-0x00007FF7F7F71000-memory.dmp

Filesize
3.3MB

Download
memory/4880-78-0x00007FF6C5100000-0x00007FF6C5451000-memory.dmp

Filesize
3.3MB

Download
memory/4880-29-0x00007FF6C5100000-0x00007FF6C5451000-memory.dmp

Filesize
3.3MB

Download
memory/4880-229-0x00007FF6C5100000-0x00007FF6C5451000-memory.dmp

Filesize
3.3MB

Download
memory/4948-264-0x00007FF6D1660000-0x00007FF6D19B1000-memory.dmp

Filesize
3.3MB

Download
memory/4948-98-0x00007FF6D1660000-0x00007FF6D19B1000-memory.dmp

Filesize
3.3MB

Download
memory/4948-157-0x00007FF6D1660000-0x00007FF6D19B1000-memory.dmp

Filesize
3.3MB

Download