cobaltstrike | ad816198b9eba55beaa1eb4cd9cd72e62dbf2ef9b46dfd4a205f172e394003f2

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

be5f0936a74678535cdaac3cfa63442a
SHA1

8d3eca3512695c3600d257f17331df80c2e8df21
SHA256

ad816198b9eba55beaa1eb4cd9cd72e62dbf2ef9b46dfd4a205f172e394003f2
SHA512

b78dee0801f1e2fd62debb016216fee3eb068964582791edebc543ec9b6d3d27bfd1f41daa49428620817cb4411e8f9f3ee05c2fdee4115fac7e91f9808e615b
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lq:RWWBibf56utgpPFotBER/mQ32lUu

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0007000000023447-7.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023449-41.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344e-52.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344f-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023450-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023451-79.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344c-67.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344d-53.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344a-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023448-36.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344b-35.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023442-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023452-83.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023443-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-130.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023454-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023453-103.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/8-74-0x00007FF60B3F0000-0x00007FF60B741000-memory.dmp	xmrig
behavioral2/memory/2068-72-0x00007FF69EBA0000-0x00007FF69EEF1000-memory.dmp	xmrig
behavioral2/memory/3548-71-0x00007FF656630000-0x00007FF656981000-memory.dmp	xmrig
behavioral2/memory/872-54-0x00007FF74BB30000-0x00007FF74BE81000-memory.dmp	xmrig
behavioral2/memory/3436-90-0x00007FF781AF0000-0x00007FF781E41000-memory.dmp	xmrig
behavioral2/memory/4552-91-0x00007FF759300000-0x00007FF759651000-memory.dmp	xmrig
behavioral2/memory/5056-106-0x00007FF621B10000-0x00007FF621E61000-memory.dmp	xmrig
behavioral2/memory/3028-111-0x00007FF74B0F0000-0x00007FF74B441000-memory.dmp	xmrig
behavioral2/memory/872-122-0x00007FF74BB30000-0x00007FF74BE81000-memory.dmp	xmrig
behavioral2/memory/1452-134-0x00007FF6AE410000-0x00007FF6AE761000-memory.dmp	xmrig
behavioral2/memory/1884-128-0x00007FF7B9770000-0x00007FF7B9AC1000-memory.dmp	xmrig
behavioral2/memory/1132-127-0x00007FF67DFB0000-0x00007FF67E301000-memory.dmp	xmrig
behavioral2/memory/4912-120-0x00007FF625410000-0x00007FF625761000-memory.dmp	xmrig
behavioral2/memory/4728-105-0x00007FF63F2B0000-0x00007FF63F601000-memory.dmp	xmrig
behavioral2/memory/2784-92-0x00007FF755340000-0x00007FF755691000-memory.dmp	xmrig
behavioral2/memory/3436-138-0x00007FF781AF0000-0x00007FF781E41000-memory.dmp	xmrig
behavioral2/memory/828-151-0x00007FF7AF000000-0x00007FF7AF351000-memory.dmp	xmrig
behavioral2/memory/4068-152-0x00007FF6D5010000-0x00007FF6D5361000-memory.dmp	xmrig
behavioral2/memory/2168-153-0x00007FF76B5B0000-0x00007FF76B901000-memory.dmp	xmrig
behavioral2/memory/2016-154-0x00007FF701530000-0x00007FF701881000-memory.dmp	xmrig
behavioral2/memory/1224-155-0x00007FF61A990000-0x00007FF61ACE1000-memory.dmp	xmrig
behavioral2/memory/668-161-0x00007FF7F1C70000-0x00007FF7F1FC1000-memory.dmp	xmrig
behavioral2/memory/2404-162-0x00007FF62F1C0000-0x00007FF62F511000-memory.dmp	xmrig
behavioral2/memory/1736-163-0x00007FF7D14C0000-0x00007FF7D1811000-memory.dmp	xmrig
behavioral2/memory/3436-164-0x00007FF781AF0000-0x00007FF781E41000-memory.dmp	xmrig
behavioral2/memory/2784-221-0x00007FF755340000-0x00007FF755691000-memory.dmp	xmrig
behavioral2/memory/4552-223-0x00007FF759300000-0x00007FF759651000-memory.dmp	xmrig
behavioral2/memory/5056-226-0x00007FF621B10000-0x00007FF621E61000-memory.dmp	xmrig
behavioral2/memory/872-227-0x00007FF74BB30000-0x00007FF74BE81000-memory.dmp	xmrig
behavioral2/memory/3548-236-0x00007FF656630000-0x00007FF656981000-memory.dmp	xmrig
behavioral2/memory/8-244-0x00007FF60B3F0000-0x00007FF60B741000-memory.dmp	xmrig
behavioral2/memory/4912-243-0x00007FF625410000-0x00007FF625761000-memory.dmp	xmrig
behavioral2/memory/1452-246-0x00007FF6AE410000-0x00007FF6AE761000-memory.dmp	xmrig
behavioral2/memory/3028-241-0x00007FF74B0F0000-0x00007FF74B441000-memory.dmp	xmrig
behavioral2/memory/2068-239-0x00007FF69EBA0000-0x00007FF69EEF1000-memory.dmp	xmrig
behavioral2/memory/1132-235-0x00007FF67DFB0000-0x00007FF67E301000-memory.dmp	xmrig
behavioral2/memory/4728-233-0x00007FF63F2B0000-0x00007FF63F601000-memory.dmp	xmrig
behavioral2/memory/828-248-0x00007FF7AF000000-0x00007FF7AF351000-memory.dmp	xmrig
behavioral2/memory/4068-255-0x00007FF6D5010000-0x00007FF6D5361000-memory.dmp	xmrig
behavioral2/memory/2168-257-0x00007FF76B5B0000-0x00007FF76B901000-memory.dmp	xmrig
behavioral2/memory/2016-259-0x00007FF701530000-0x00007FF701881000-memory.dmp	xmrig
behavioral2/memory/1224-263-0x00007FF61A990000-0x00007FF61ACE1000-memory.dmp	xmrig
behavioral2/memory/1736-265-0x00007FF7D14C0000-0x00007FF7D1811000-memory.dmp	xmrig
behavioral2/memory/1884-267-0x00007FF7B9770000-0x00007FF7B9AC1000-memory.dmp	xmrig
behavioral2/memory/668-269-0x00007FF7F1C70000-0x00007FF7F1FC1000-memory.dmp	xmrig
behavioral2/memory/2404-272-0x00007FF62F1C0000-0x00007FF62F511000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4552	DKgjWeg.exe
2784	GyRmdUs.exe
4728	HaEQRdO.exe
5056	GADmjdc.exe
3028	CdhaRtD.exe
872	fASKaqY.exe
4912	WnOqPIs.exe
2068	QObihKg.exe
1132	mrEKSKW.exe
3548	pakvRlb.exe
8	iKokDPO.exe
1452	JtPOTGC.exe
828	KQcZeDd.exe
4068	MmJwzzt.exe
2168	ElLRdeS.exe
2016	QLPXjVo.exe
1224	irNxEwp.exe
1736	FtqPGhD.exe
1884	soACFfG.exe
668	UjRKhUZ.exe
2404	CRAvfAE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3436-0-0x00007FF781AF0000-0x00007FF781E41000-memory.dmp	upx
behavioral2/files/0x0007000000023447-7.dat	upx
behavioral2/memory/2784-17-0x00007FF755340000-0x00007FF755691000-memory.dmp	upx
behavioral2/files/0x0007000000023446-23.dat	upx
behavioral2/memory/5056-31-0x00007FF621B10000-0x00007FF621E61000-memory.dmp	upx
behavioral2/files/0x0007000000023449-41.dat	upx
behavioral2/files/0x000700000002344e-52.dat	upx
behavioral2/files/0x000700000002344f-69.dat	upx
behavioral2/files/0x0007000000023450-76.dat	upx
behavioral2/files/0x0007000000023451-79.dat	upx
behavioral2/memory/828-78-0x00007FF7AF000000-0x00007FF7AF351000-memory.dmp	upx
behavioral2/memory/1452-75-0x00007FF6AE410000-0x00007FF6AE761000-memory.dmp	upx
behavioral2/memory/8-74-0x00007FF60B3F0000-0x00007FF60B741000-memory.dmp	upx
behavioral2/memory/2068-72-0x00007FF69EBA0000-0x00007FF69EEF1000-memory.dmp	upx
behavioral2/memory/3548-71-0x00007FF656630000-0x00007FF656981000-memory.dmp	upx
behavioral2/files/0x000700000002344c-67.dat	upx
behavioral2/memory/1132-63-0x00007FF67DFB0000-0x00007FF67E301000-memory.dmp	upx
behavioral2/memory/872-54-0x00007FF74BB30000-0x00007FF74BE81000-memory.dmp	upx
behavioral2/files/0x000700000002344d-53.dat	upx
behavioral2/files/0x000700000002344a-46.dat	upx
behavioral2/memory/4912-42-0x00007FF625410000-0x00007FF625761000-memory.dmp	upx
behavioral2/files/0x0007000000023448-36.dat	upx
behavioral2/files/0x000700000002344b-35.dat	upx
behavioral2/memory/4728-24-0x00007FF63F2B0000-0x00007FF63F601000-memory.dmp	upx
behavioral2/files/0x0008000000023442-22.dat	upx
behavioral2/memory/3028-30-0x00007FF74B0F0000-0x00007FF74B441000-memory.dmp	upx
behavioral2/memory/4552-9-0x00007FF759300000-0x00007FF759651000-memory.dmp	upx
behavioral2/files/0x0007000000023452-83.dat	upx
behavioral2/memory/4068-84-0x00007FF6D5010000-0x00007FF6D5361000-memory.dmp	upx
behavioral2/files/0x0008000000023443-88.dat	upx
behavioral2/memory/3436-90-0x00007FF781AF0000-0x00007FF781E41000-memory.dmp	upx
behavioral2/memory/4552-91-0x00007FF759300000-0x00007FF759651000-memory.dmp	upx
behavioral2/memory/5056-106-0x00007FF621B10000-0x00007FF621E61000-memory.dmp	upx
behavioral2/memory/3028-111-0x00007FF74B0F0000-0x00007FF74B441000-memory.dmp	upx
behavioral2/memory/872-122-0x00007FF74BB30000-0x00007FF74BE81000-memory.dmp	upx
behavioral2/files/0x0007000000023457-129.dat	upx
behavioral2/files/0x0007000000023458-130.dat	upx
behavioral2/memory/1452-134-0x00007FF6AE410000-0x00007FF6AE761000-memory.dmp	upx
behavioral2/memory/2404-132-0x00007FF62F1C0000-0x00007FF62F511000-memory.dmp	upx
behavioral2/memory/668-131-0x00007FF7F1C70000-0x00007FF7F1FC1000-memory.dmp	upx
behavioral2/memory/1884-128-0x00007FF7B9770000-0x00007FF7B9AC1000-memory.dmp	upx
behavioral2/memory/1132-127-0x00007FF67DFB0000-0x00007FF67E301000-memory.dmp	upx
behavioral2/files/0x0007000000023456-124.dat	upx
behavioral2/memory/4912-120-0x00007FF625410000-0x00007FF625761000-memory.dmp	upx
behavioral2/memory/1736-118-0x00007FF7D14C0000-0x00007FF7D1811000-memory.dmp	upx
behavioral2/files/0x0007000000023455-115.dat	upx
behavioral2/files/0x0007000000023454-114.dat	upx
behavioral2/memory/1224-110-0x00007FF61A990000-0x00007FF61ACE1000-memory.dmp	upx
behavioral2/memory/4728-105-0x00007FF63F2B0000-0x00007FF63F601000-memory.dmp	upx
behavioral2/files/0x0007000000023453-103.dat	upx
behavioral2/memory/2016-99-0x00007FF701530000-0x00007FF701881000-memory.dmp	upx
behavioral2/memory/2168-97-0x00007FF76B5B0000-0x00007FF76B901000-memory.dmp	upx
behavioral2/memory/2784-92-0x00007FF755340000-0x00007FF755691000-memory.dmp	upx
behavioral2/memory/3436-138-0x00007FF781AF0000-0x00007FF781E41000-memory.dmp	upx
behavioral2/memory/828-151-0x00007FF7AF000000-0x00007FF7AF351000-memory.dmp	upx
behavioral2/memory/4068-152-0x00007FF6D5010000-0x00007FF6D5361000-memory.dmp	upx
behavioral2/memory/2168-153-0x00007FF76B5B0000-0x00007FF76B901000-memory.dmp	upx
behavioral2/memory/2016-154-0x00007FF701530000-0x00007FF701881000-memory.dmp	upx
behavioral2/memory/1224-155-0x00007FF61A990000-0x00007FF61ACE1000-memory.dmp	upx
behavioral2/memory/668-161-0x00007FF7F1C70000-0x00007FF7F1FC1000-memory.dmp	upx
behavioral2/memory/2404-162-0x00007FF62F1C0000-0x00007FF62F511000-memory.dmp	upx
behavioral2/memory/1736-163-0x00007FF7D14C0000-0x00007FF7D1811000-memory.dmp	upx
behavioral2/memory/3436-164-0x00007FF781AF0000-0x00007FF781E41000-memory.dmp	upx
behavioral2/memory/2784-221-0x00007FF755340000-0x00007FF755691000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\GADmjdc.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CdhaRtD.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mrEKSKW.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KQcZeDd.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FtqPGhD.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UjRKhUZ.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DKgjWeg.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fASKaqY.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QObihKg.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MmJwzzt.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ElLRdeS.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QLPXjVo.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HaEQRdO.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WnOqPIs.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pakvRlb.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JtPOTGC.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\soACFfG.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GyRmdUs.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iKokDPO.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\irNxEwp.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CRAvfAE.exe	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 4552	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3436 wrote to memory of 4552	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3436 wrote to memory of 2784	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3436 wrote to memory of 2784	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3436 wrote to memory of 4728	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3436 wrote to memory of 4728	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3436 wrote to memory of 5056	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3436 wrote to memory of 5056	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3436 wrote to memory of 3028	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3436 wrote to memory of 3028	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3436 wrote to memory of 4912	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3436 wrote to memory of 4912	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3436 wrote to memory of 872	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3436 wrote to memory of 872	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3436 wrote to memory of 1132	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3436 wrote to memory of 1132	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3436 wrote to memory of 2068	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3436 wrote to memory of 2068	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3436 wrote to memory of 3548	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3436 wrote to memory of 3548	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3436 wrote to memory of 8	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3436 wrote to memory of 8	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3436 wrote to memory of 1452	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3436 wrote to memory of 1452	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3436 wrote to memory of 828	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3436 wrote to memory of 828	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3436 wrote to memory of 4068	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3436 wrote to memory of 4068	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3436 wrote to memory of 2168	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3436 wrote to memory of 2168	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3436 wrote to memory of 2016	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3436 wrote to memory of 2016	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3436 wrote to memory of 1224	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3436 wrote to memory of 1224	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3436 wrote to memory of 1736	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3436 wrote to memory of 1736	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3436 wrote to memory of 1884	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3436 wrote to memory of 1884	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3436 wrote to memory of 668	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3436 wrote to memory of 668	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3436 wrote to memory of 2404	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3436 wrote to memory of 2404	3436	2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_be5f0936a74678535cdaac3cfa63442a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\System\DKgjWeg.exe
  C:\Windows\System\DKgjWeg.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\GyRmdUs.exe
  C:\Windows\System\GyRmdUs.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\HaEQRdO.exe
  C:\Windows\System\HaEQRdO.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\GADmjdc.exe
  C:\Windows\System\GADmjdc.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\CdhaRtD.exe
  C:\Windows\System\CdhaRtD.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\WnOqPIs.exe
  C:\Windows\System\WnOqPIs.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\fASKaqY.exe
  C:\Windows\System\fASKaqY.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\mrEKSKW.exe
  C:\Windows\System\mrEKSKW.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System\QObihKg.exe
  C:\Windows\System\QObihKg.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\pakvRlb.exe
  C:\Windows\System\pakvRlb.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System\iKokDPO.exe
  C:\Windows\System\iKokDPO.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\JtPOTGC.exe
  C:\Windows\System\JtPOTGC.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\KQcZeDd.exe
  C:\Windows\System\KQcZeDd.exe
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\System\MmJwzzt.exe
  C:\Windows\System\MmJwzzt.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\ElLRdeS.exe
  C:\Windows\System\ElLRdeS.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\QLPXjVo.exe
  C:\Windows\System\QLPXjVo.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\irNxEwp.exe
  C:\Windows\System\irNxEwp.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\FtqPGhD.exe
  C:\Windows\System\FtqPGhD.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\soACFfG.exe
  C:\Windows\System\soACFfG.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System\UjRKhUZ.exe
  C:\Windows\System\UjRKhUZ.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System\CRAvfAE.exe
  C:\Windows\System\CRAvfAE.exe
  2⤵
  - Executes dropped EXE
  PID:2404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CRAvfAE.exe

Filesize
5.2MB

MD5
905647581c1756422062242870c09635

SHA1
9d2f683608fac23a2aa21b10be559f807833c6b8

SHA256
122c237aeea1895c6411c31e5bfacd08310201243a15bda223a957b914297e27

SHA512
4ab82a9d5e120120fe579d645e13bb00d739fd8cbd00b030648adedfec82bc7579981b0ee7670be8402f9df68b68093a3638111bfb24bbd8836c9cac1c8deee5

Download Submit
C:\Windows\System\CdhaRtD.exe

Filesize
5.2MB

MD5
ff4b5123f9a56ffd7f9897d938ad9649

SHA1
ab8e9a6e8441568a313d2601c39802e4c5a56fe5

SHA256
a86c0e7ca53dc59f2f8592b52e9fdaac137d5bca0ce4f8ddc3114d9b181eef51

SHA512
245a536323ecd55811e63d7216ccbd4add5fb356bb86adbed2c6eaa0ab755242665725924f542df2a7a7d8b2b3f6fd5c138328c915b87a3ee5972de1f38c0cde

Download Submit
C:\Windows\System\DKgjWeg.exe

Filesize
5.2MB

MD5
cb11f462adc760b170c6d98625c23ca3

SHA1
f996fb71a7155a2cb649a253d50a8aeea8372aea

SHA256
a4613b9c377e83f0035f11c6201bdaa432da20c5819e03468644ab9f5e20dbc9

SHA512
6e44c1870e5510ccae4d09b556f94bd309064affab90464bb424d93542f3444745064b0d7b8fc6a03799c1f7dc7a5291f38d885e7ed605eb2c48a5f1812cf99b

Download Submit
C:\Windows\System\ElLRdeS.exe

Filesize
5.2MB

MD5
80ca8dde27559b804713d3e0f099bf59

SHA1
548eee47a3f660a664244937ede42d982807e757

SHA256
b0d415a9b031766c3db378c90a07f76b0e9045f93ad325c69b2f761a6c5ecaed

SHA512
b2858ee033a46847be1851e56c2fea43c80a0eedbad3b8efeacc2ed98076b214604945cc5b2fdd9e4464b47ed080dfd05276211f83b7f51c03d0553c01d63306

Download Submit
C:\Windows\System\FtqPGhD.exe

Filesize
5.2MB

MD5
c8d356ec660a9c48f7bdd493a5cc66b4

SHA1
191f6d81407e5aaf34bd79f2f983001d5fab6b60

SHA256
963cd49509e8c612e48b685b12b223985ec9bd7de956ef19f12303488f67b466

SHA512
bfa3d7e4a33a70a2846fbf692ed9924f4d59df6f32e6f9ba28089d7db12b6490dd8edec01beee9b41236db55dc414f4015fefb5848649e69e6f94a372be1cbec

Download Submit
C:\Windows\System\GADmjdc.exe

Filesize
5.2MB

MD5
62713121c670bd394a555a9bc2da3a55

SHA1
20c899aebefbccfc20ca879b9525cd17ad3e9548

SHA256
beb89dae75ecea9d1c8b27b7bd7cc968d934de20aec963e2a73adf294ed49e0f

SHA512
0feecb62aec05b23a6114435392aa8b9394b0d1ead4c975bd1abb5a85da157916456fa82d84d5240a6cb2c663652fc2b9d4b8eb6e437ad1b50329690d4aa07a9

Download Submit
C:\Windows\System\GyRmdUs.exe

Filesize
5.2MB

MD5
6f01a958181e862e0314265fe8058ec7

SHA1
50543eb769aa68144581217a88fef34aed9bd279

SHA256
ba2032fb903330e713925f7f52ff37244e67c6d8657f87095081ea8133c29153

SHA512
f7e904880e5ce302414eba217dc7bdb856ef34320cb4d836e046e837b574575866c199a2f26657c797e341585aeddb1a814e58f7e90d623567b91f96c4def30a

Download Submit
C:\Windows\System\HaEQRdO.exe

Filesize
5.2MB

MD5
9b321f837650ef1c20589bcf408c8cd8

SHA1
fb5c64722315cb76e4f2089c6d12bf5733a09be1

SHA256
7af06d3d3dfd0e4aa8d38ab8194db135faa0b7362be5f61edbe8ba63f36889f1

SHA512
1946601fce588024f71b9df6e167c914bbe2024c269c6bb76fd3f80eff6ba5b2b30401c438751e72eec82b500968501c2430b05f5a9d0bd1833dbbbb68b0c120

Download Submit
C:\Windows\System\JtPOTGC.exe

Filesize
5.2MB

MD5
28f6933eaadadc5e1cbdeda6b001f086

SHA1
bb01c55a2bfab318c106780d3df5cb74dae6fb37

SHA256
6dca1fb67b14cb404b4c89bdb94fa738f9dbf86aa9fd7ad2730af54ba133c1a0

SHA512
2c9a87d2bdf9ee4f741d0eb85f9d13149fb450071e81bb0229908b11bf6edf34f1923d5513fa18c4781cadd5831629f23454e5cabb0cf907d48e59d26cf19ecd

Download Submit
C:\Windows\System\KQcZeDd.exe

Filesize
5.2MB

MD5
1b9d95afc2c4d7d08a56dafb318de5fa

SHA1
ac1c034d909a51b9982c64479253f47da28a756b

SHA256
c7e94cebd307250521783441296c76a4efa027b00192630d7d2829049d3e3e1c

SHA512
5c493e7b4734674f0bda3ea5fd2491724b983f2e8fc1843ad0015a4175fa6e57589471b7b7dcd5e3b19d5c5fbc68551baff5bbda3ae864a4b1e6df318cb3951c

Download Submit
C:\Windows\System\MmJwzzt.exe

Filesize
5.2MB

MD5
1b33f7197cc1eeb23e70b2201506053c

SHA1
53329251f79ef2bd92a6e4708cbd0d389a66d371

SHA256
9d953da7c8263856107b09e1c1f07188f607c57569fbe7409ed1944e9f28643b

SHA512
0c02698ab7efc2366bf475e9227787f8c69585909fa64e2473998cc537aec5a8efda47632e855914257aa6cab582722961ea6b704d8d458edf0dfcabe58d9dc5

Download Submit
C:\Windows\System\QLPXjVo.exe

Filesize
5.2MB

MD5
f92a963aebf9a3e244820b32bfc680ba

SHA1
04c467ee3d46fdfd539c7ba3015fd84fd64b1b8e

SHA256
b0a88db095b4ac795e2af554150e55141de49ae8ded2cefee7fd8373a0fe79c1

SHA512
20508a7f60e419bba25912a6fc8bd75b5179dca9f6c4241244db1177c021788e96e1cb09ca2367a385be7591ec38583aa43ece81abe6a98c6d42d3817db1b6c6

Download Submit
C:\Windows\System\QObihKg.exe

Filesize
5.2MB

MD5
465a8469f494f9e0b4bdbe70ccb5fe24

SHA1
e0d32681a6b9d28ff55f1d50d5ab15bb2b1b8be3

SHA256
b08100d70c50b55de8c6b0469518f1749838c2873dddc2621494da940d3312da

SHA512
5e18deca4dfa9251aca8b104b6a603bda42692ce976480a070788f6006f53ecd26aefe4daea28d84b7537a5ed6484f88c56301ab0837f108a193f094efe2553a

Download Submit
C:\Windows\System\UjRKhUZ.exe

Filesize
5.2MB

MD5
12ab76d538552fe737c223e9f6c8dc4f

SHA1
5d1a91f19254bb5056727f0a8dec39219a106723

SHA256
cde706d8578573f4463dab130b6826f6473e0a7cd46f23ba2f4381c37e72e857

SHA512
22fd90563eb0ddf946092c7e19a382608904cce78826b4a2ad7f16f99511830b8ea7c6644cc2fc43c3ba04ea558bc9c2659161f423aa0de81f3e1e8f4ef1c282

Download Submit
C:\Windows\System\WnOqPIs.exe

Filesize
5.2MB

MD5
3ca4fdb63ba00b1255f214171a38374e

SHA1
4c8fffb656a4bc224eaf7490988e724b2ab9fcf8

SHA256
ed6c6f785a919c3817b99d09fc4f95eaee6278dccd80313d3bcf00ae3eb7cac9

SHA512
b0963a14705ab6208d9f064edaa1285899125e570a0c70dacd1b24385859cd0255e7f3aeac99599270bbdbcca632f364ed35fad3e777aca8f5ff345fc8c9dc77

Download Submit
C:\Windows\System\fASKaqY.exe

Filesize
5.2MB

MD5
0e7c51962834c4e1594aff9090b49962

SHA1
2eb3ba0b3354540d76ab3bf4d48ac6892cd5f016

SHA256
9cd9c5deb1c73de122ad53e2390366ce8b1aada98e2fdf4528e88113a69a7c86

SHA512
5ba5d2e8fd874b73a95e2c27dbe5b5486fa0273329c1a3fc3edf009b037f2262939c41a1cb91a1c58402ce9ee49f9ae2fe0c8b5d88021b97658d528abb0986d6

Download Submit
C:\Windows\System\iKokDPO.exe

Filesize
5.2MB

MD5
eee848393d6e93404e8c6460df0c4825

SHA1
039b2e189fa99f6a7a8252b75e771c0d820bbaaf

SHA256
783803c200b9607336ec98528ce5b2a95289bad093a6453687511694491fe407

SHA512
c7a0e58d355a08099a9645c11fc28ae59b89ba185dab623d5d5a0d821becabacf91c31110802b05a120f4e1ad1d560a8c3b0ff72e11d2c67edcaff8fd52fc7d6

Download Submit
C:\Windows\System\irNxEwp.exe

Filesize
5.2MB

MD5
a1ded2cf49060d1e847cb0ab0ce1e21f

SHA1
2d28f2c6a09697f4d9f845d07baf3072ffc9f3f8

SHA256
f810c8e5768fb3868da87bf938b5a1fd5499b09e3244e7eda7d052c1b0288657

SHA512
518ac6bdcb82729c6e9bbf4d909471894184cb83dfc038bf816f8a92f4b602ab72f9a23add3a055c6a1bef5a47583be72281d563ae790ae2af35276b8988cd94

Download Submit
C:\Windows\System\mrEKSKW.exe

Filesize
5.2MB

MD5
2382cd5091841c6405ab1a97730eed68

SHA1
e3e15c64e94ec1efe568b45e1472dfd9df5e938c

SHA256
0f443818ca03d4fc6035b357d0be1e2318bebabddb690b900e124d4797c15b2f

SHA512
00f544ee83d2224de9de607e270b711329fa224e42a5b3658e0b395112acb7f3122415782bff22c56fdb79e12bdb946e713857ef0a3791faaa875a7c6a9fd168

Download Submit
C:\Windows\System\pakvRlb.exe

Filesize
5.2MB

MD5
42bdd8dd41f1bfadfb6b2f2c1cfc0cd1

SHA1
976e5907825ebe2866adc76f7b39f52b42d9995b

SHA256
326f322431d8fbfe422e0db95083371742bc7172b2fa0361819bfc53b5810876

SHA512
8b349c5d89d24f7d550ebffba4dd9bc11401860adec269d8b15fdcdc79238cb9f68bfc522a8017489ad4c5f0647097c83b4f4f1632ee1b21ae2beabf3be20272

Download Submit
C:\Windows\System\soACFfG.exe

Filesize
5.2MB

MD5
a09e322dd1863863078eaba7bc7ef74b

SHA1
f6a4e2cf96b7387c4de3c5db51e4af1245ddb0a3

SHA256
74f7184a4587b57f020f04ee94660eeb3a84b08de438cd6a1dcb4e6b69bed6ed

SHA512
4be342ceea7c1a8efe1fa1291d29d4229a13f47963c124ef36969a3cd41dc7fd22b931ad73d52ef9ca3b4d6407caa92bc1e627f3279c78f01816d01c344bc492

Download Submit
memory/8-244-0x00007FF60B3F0000-0x00007FF60B741000-memory.dmp

Filesize
3.3MB

Download
memory/8-74-0x00007FF60B3F0000-0x00007FF60B741000-memory.dmp

Filesize
3.3MB

Download
memory/668-161-0x00007FF7F1C70000-0x00007FF7F1FC1000-memory.dmp

Filesize
3.3MB

Download
memory/668-131-0x00007FF7F1C70000-0x00007FF7F1FC1000-memory.dmp

Filesize
3.3MB

Download
memory/668-269-0x00007FF7F1C70000-0x00007FF7F1FC1000-memory.dmp

Filesize
3.3MB

Download
memory/828-78-0x00007FF7AF000000-0x00007FF7AF351000-memory.dmp

Filesize
3.3MB

Download
memory/828-151-0x00007FF7AF000000-0x00007FF7AF351000-memory.dmp

Filesize
3.3MB

Download
memory/828-248-0x00007FF7AF000000-0x00007FF7AF351000-memory.dmp

Filesize
3.3MB

Download
memory/872-122-0x00007FF74BB30000-0x00007FF74BE81000-memory.dmp

Filesize
3.3MB

Download
memory/872-227-0x00007FF74BB30000-0x00007FF74BE81000-memory.dmp

Filesize
3.3MB

Download
memory/872-54-0x00007FF74BB30000-0x00007FF74BE81000-memory.dmp

Filesize
3.3MB

Download
memory/1132-127-0x00007FF67DFB0000-0x00007FF67E301000-memory.dmp

Filesize
3.3MB

Download
memory/1132-235-0x00007FF67DFB0000-0x00007FF67E301000-memory.dmp

Filesize
3.3MB

Download
memory/1132-63-0x00007FF67DFB0000-0x00007FF67E301000-memory.dmp

Filesize
3.3MB

Download
memory/1224-155-0x00007FF61A990000-0x00007FF61ACE1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-110-0x00007FF61A990000-0x00007FF61ACE1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-263-0x00007FF61A990000-0x00007FF61ACE1000-memory.dmp

Filesize
3.3MB

Download
memory/1452-134-0x00007FF6AE410000-0x00007FF6AE761000-memory.dmp

Filesize
3.3MB

Download
memory/1452-246-0x00007FF6AE410000-0x00007FF6AE761000-memory.dmp

Filesize
3.3MB

Download
memory/1452-75-0x00007FF6AE410000-0x00007FF6AE761000-memory.dmp

Filesize
3.3MB

Download
memory/1736-265-0x00007FF7D14C0000-0x00007FF7D1811000-memory.dmp

Filesize
3.3MB

Download
memory/1736-118-0x00007FF7D14C0000-0x00007FF7D1811000-memory.dmp

Filesize
3.3MB

Download
memory/1736-163-0x00007FF7D14C0000-0x00007FF7D1811000-memory.dmp

Filesize
3.3MB

Download
memory/1884-128-0x00007FF7B9770000-0x00007FF7B9AC1000-memory.dmp

Filesize
3.3MB

Download
memory/1884-267-0x00007FF7B9770000-0x00007FF7B9AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2016-259-0x00007FF701530000-0x00007FF701881000-memory.dmp

Filesize
3.3MB

Download
memory/2016-154-0x00007FF701530000-0x00007FF701881000-memory.dmp

Filesize
3.3MB

Download
memory/2016-99-0x00007FF701530000-0x00007FF701881000-memory.dmp

Filesize
3.3MB

Download
memory/2068-239-0x00007FF69EBA0000-0x00007FF69EEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-72-0x00007FF69EBA0000-0x00007FF69EEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-153-0x00007FF76B5B0000-0x00007FF76B901000-memory.dmp

Filesize
3.3MB

Download
memory/2168-97-0x00007FF76B5B0000-0x00007FF76B901000-memory.dmp

Filesize
3.3MB

Download
memory/2168-257-0x00007FF76B5B0000-0x00007FF76B901000-memory.dmp

Filesize
3.3MB

Download
memory/2404-272-0x00007FF62F1C0000-0x00007FF62F511000-memory.dmp

Filesize
3.3MB

Download
memory/2404-162-0x00007FF62F1C0000-0x00007FF62F511000-memory.dmp

Filesize
3.3MB

Download
memory/2404-132-0x00007FF62F1C0000-0x00007FF62F511000-memory.dmp

Filesize
3.3MB

Download
memory/2784-92-0x00007FF755340000-0x00007FF755691000-memory.dmp

Filesize
3.3MB

Download
memory/2784-17-0x00007FF755340000-0x00007FF755691000-memory.dmp

Filesize
3.3MB

Download
memory/2784-221-0x00007FF755340000-0x00007FF755691000-memory.dmp

Filesize
3.3MB

Download
memory/3028-241-0x00007FF74B0F0000-0x00007FF74B441000-memory.dmp

Filesize
3.3MB

Download
memory/3028-111-0x00007FF74B0F0000-0x00007FF74B441000-memory.dmp

Filesize
3.3MB

Download
memory/3028-30-0x00007FF74B0F0000-0x00007FF74B441000-memory.dmp

Filesize
3.3MB

Download
memory/3436-138-0x00007FF781AF0000-0x00007FF781E41000-memory.dmp

Filesize
3.3MB

Download
memory/3436-164-0x00007FF781AF0000-0x00007FF781E41000-memory.dmp

Filesize
3.3MB

Download
memory/3436-1-0x0000028A78670000-0x0000028A78680000-memory.dmp

Filesize
64KB

Download
memory/3436-90-0x00007FF781AF0000-0x00007FF781E41000-memory.dmp

Filesize
3.3MB

Download
memory/3436-0-0x00007FF781AF0000-0x00007FF781E41000-memory.dmp

Filesize
3.3MB

Download
memory/3548-236-0x00007FF656630000-0x00007FF656981000-memory.dmp

Filesize
3.3MB

Download
memory/3548-71-0x00007FF656630000-0x00007FF656981000-memory.dmp

Filesize
3.3MB

Download
memory/4068-84-0x00007FF6D5010000-0x00007FF6D5361000-memory.dmp

Filesize
3.3MB

Download
memory/4068-152-0x00007FF6D5010000-0x00007FF6D5361000-memory.dmp

Filesize
3.3MB

Download
memory/4068-255-0x00007FF6D5010000-0x00007FF6D5361000-memory.dmp

Filesize
3.3MB

Download
memory/4552-91-0x00007FF759300000-0x00007FF759651000-memory.dmp

Filesize
3.3MB

Download
memory/4552-9-0x00007FF759300000-0x00007FF759651000-memory.dmp

Filesize
3.3MB

Download
memory/4552-223-0x00007FF759300000-0x00007FF759651000-memory.dmp

Filesize
3.3MB

Download
memory/4728-24-0x00007FF63F2B0000-0x00007FF63F601000-memory.dmp

Filesize
3.3MB

Download
memory/4728-233-0x00007FF63F2B0000-0x00007FF63F601000-memory.dmp

Filesize
3.3MB

Download
memory/4728-105-0x00007FF63F2B0000-0x00007FF63F601000-memory.dmp

Filesize
3.3MB

Download
memory/4912-243-0x00007FF625410000-0x00007FF625761000-memory.dmp

Filesize
3.3MB

Download
memory/4912-120-0x00007FF625410000-0x00007FF625761000-memory.dmp

Filesize
3.3MB

Download
memory/4912-42-0x00007FF625410000-0x00007FF625761000-memory.dmp

Filesize
3.3MB

Download
memory/5056-106-0x00007FF621B10000-0x00007FF621E61000-memory.dmp

Filesize
3.3MB

Download
memory/5056-31-0x00007FF621B10000-0x00007FF621E61000-memory.dmp

Filesize
3.3MB

Download
memory/5056-226-0x00007FF621B10000-0x00007FF621E61000-memory.dmp

Filesize
3.3MB

Download