cobaltstrike | 24595cb20d712f9871692c5a1e39f7b5f19327f9551b6f6d29873fb13e965c6a

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0f22040a4532916552e0a48954133d48
SHA1

b6d9bd8d34664e717964fa3815f89911ccb32e83
SHA256

24595cb20d712f9871692c5a1e39f7b5f19327f9551b6f6d29873fb13e965c6a
SHA512

bafbe736ce8f8377cddd0d56baf495c49355ecbd60d41250aa168af00b349adc22ae39f7c4bd92070d859d45a0b1a7677e14549dec15236c3435a0c8fd9875c4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lw:RWWBibf56utgpPFotBER/mQ32lUM

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b23-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-19.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-32.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-28.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-40.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-77.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-82.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-94.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-109.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-107.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-89.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b7a-78.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-65.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-48.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-129.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-127.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-121.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4792-112-0x00007FF79E050000-0x00007FF79E3A1000-memory.dmp	xmrig
behavioral2/memory/2904-111-0x00007FF76ED70000-0x00007FF76F0C1000-memory.dmp	xmrig
behavioral2/memory/180-110-0x00007FF758FD0000-0x00007FF759321000-memory.dmp	xmrig
behavioral2/memory/3748-106-0x00007FF698510000-0x00007FF698861000-memory.dmp	xmrig
behavioral2/memory/4956-105-0x00007FF7DD5A0000-0x00007FF7DD8F1000-memory.dmp	xmrig
behavioral2/memory/2280-98-0x00007FF616D40000-0x00007FF617091000-memory.dmp	xmrig
behavioral2/memory/4212-83-0x00007FF6E4820000-0x00007FF6E4B71000-memory.dmp	xmrig
behavioral2/memory/2020-56-0x00007FF7CC920000-0x00007FF7CCC71000-memory.dmp	xmrig
behavioral2/memory/1796-126-0x00007FF6E66B0000-0x00007FF6E6A01000-memory.dmp	xmrig
behavioral2/memory/3796-123-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp	xmrig
behavioral2/memory/2128-114-0x00007FF6BAE00000-0x00007FF6BB151000-memory.dmp	xmrig
behavioral2/memory/4976-117-0x00007FF6A7440000-0x00007FF6A7791000-memory.dmp	xmrig
behavioral2/memory/468-134-0x00007FF694380000-0x00007FF6946D1000-memory.dmp	xmrig
behavioral2/memory/5016-135-0x00007FF7645D0000-0x00007FF764921000-memory.dmp	xmrig
behavioral2/memory/1408-133-0x00007FF6E0020000-0x00007FF6E0371000-memory.dmp	xmrig
behavioral2/memory/2160-136-0x00007FF7C4180000-0x00007FF7C44D1000-memory.dmp	xmrig
behavioral2/memory/4788-137-0x00007FF6D3110000-0x00007FF6D3461000-memory.dmp	xmrig
behavioral2/memory/2780-138-0x00007FF692080000-0x00007FF6923D1000-memory.dmp	xmrig
behavioral2/memory/4212-139-0x00007FF6E4820000-0x00007FF6E4B71000-memory.dmp	xmrig
behavioral2/memory/5000-149-0x00007FF7797E0000-0x00007FF779B31000-memory.dmp	xmrig
behavioral2/memory/2432-148-0x00007FF743D30000-0x00007FF744081000-memory.dmp	xmrig
behavioral2/memory/2356-159-0x00007FF73F070000-0x00007FF73F3C1000-memory.dmp	xmrig
behavioral2/memory/1400-161-0x00007FF6C6A10000-0x00007FF6C6D61000-memory.dmp	xmrig
behavioral2/memory/4212-164-0x00007FF6E4820000-0x00007FF6E4B71000-memory.dmp	xmrig
behavioral2/memory/3748-224-0x00007FF698510000-0x00007FF698861000-memory.dmp	xmrig
behavioral2/memory/180-226-0x00007FF758FD0000-0x00007FF759321000-memory.dmp	xmrig
behavioral2/memory/4976-228-0x00007FF6A7440000-0x00007FF6A7791000-memory.dmp	xmrig
behavioral2/memory/2128-230-0x00007FF6BAE00000-0x00007FF6BB151000-memory.dmp	xmrig
behavioral2/memory/2020-236-0x00007FF7CC920000-0x00007FF7CCC71000-memory.dmp	xmrig
behavioral2/memory/468-234-0x00007FF694380000-0x00007FF6946D1000-memory.dmp	xmrig
behavioral2/memory/1408-240-0x00007FF6E0020000-0x00007FF6E0371000-memory.dmp	xmrig
behavioral2/memory/3796-239-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp	xmrig
behavioral2/memory/2780-244-0x00007FF692080000-0x00007FF6923D1000-memory.dmp	xmrig
behavioral2/memory/4788-243-0x00007FF6D3110000-0x00007FF6D3461000-memory.dmp	xmrig
behavioral2/memory/2160-232-0x00007FF7C4180000-0x00007FF7C44D1000-memory.dmp	xmrig
behavioral2/memory/2280-251-0x00007FF616D40000-0x00007FF617091000-memory.dmp	xmrig
behavioral2/memory/2432-253-0x00007FF743D30000-0x00007FF744081000-memory.dmp	xmrig
behavioral2/memory/2904-257-0x00007FF76ED70000-0x00007FF76F0C1000-memory.dmp	xmrig
behavioral2/memory/4956-256-0x00007FF7DD5A0000-0x00007FF7DD8F1000-memory.dmp	xmrig
behavioral2/memory/5000-259-0x00007FF7797E0000-0x00007FF779B31000-memory.dmp	xmrig
behavioral2/memory/4792-261-0x00007FF79E050000-0x00007FF79E3A1000-memory.dmp	xmrig
behavioral2/memory/2356-263-0x00007FF73F070000-0x00007FF73F3C1000-memory.dmp	xmrig
behavioral2/memory/1796-267-0x00007FF6E66B0000-0x00007FF6E6A01000-memory.dmp	xmrig
behavioral2/memory/5016-271-0x00007FF7645D0000-0x00007FF764921000-memory.dmp	xmrig
behavioral2/memory/1400-270-0x00007FF6C6A10000-0x00007FF6C6D61000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3748	MOnabqo.exe
180	ZgyAgxD.exe
4976	EPGYDso.exe
2128	HZcrbmJ.exe
3796	XXvVIKB.exe
1408	cYMbTPn.exe
2160	mIviYBa.exe
468	jErjrtj.exe
2020	heHDjmx.exe
4788	gHyVUcD.exe
2780	juZiehl.exe
2432	rZsOxEJ.exe
2280	tAmRzMY.exe
4956	clzJZqE.exe
2904	WbHkhoo.exe
5000	TkNNKdb.exe
4792	juLPStO.exe
2356	LYJaGwz.exe
1796	xtEoboQ.exe
1400	rLAKCGw.exe
5016	NkvxPQt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4212-0-0x00007FF6E4820000-0x00007FF6E4B71000-memory.dmp	upx
behavioral2/files/0x000c000000023b23-4.dat	upx
behavioral2/memory/3748-7-0x00007FF698510000-0x00007FF698861000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-19.dat	upx
behavioral2/memory/2128-22-0x00007FF6BAE00000-0x00007FF6BB151000-memory.dmp	upx
behavioral2/files/0x000a000000023b81-32.dat	upx
behavioral2/memory/3796-34-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp	upx
behavioral2/memory/1408-35-0x00007FF6E0020000-0x00007FF6E0371000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-33.dat	upx
behavioral2/memory/4976-29-0x00007FF6A7440000-0x00007FF6A7791000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-28.dat	upx
behavioral2/files/0x000a000000023b82-40.dat	upx
behavioral2/files/0x000a000000023b84-50.dat	upx
behavioral2/files/0x000a000000023b86-61.dat	upx
behavioral2/files/0x000a000000023b88-77.dat	upx
behavioral2/files/0x000a000000023b87-82.dat	upx
behavioral2/files/0x000a000000023b8a-94.dat	upx
behavioral2/files/0x000a000000023b8c-109.dat	upx
behavioral2/memory/4792-112-0x00007FF79E050000-0x00007FF79E3A1000-memory.dmp	upx
behavioral2/memory/2904-111-0x00007FF76ED70000-0x00007FF76F0C1000-memory.dmp	upx
behavioral2/memory/180-110-0x00007FF758FD0000-0x00007FF759321000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-107.dat	upx
behavioral2/memory/3748-106-0x00007FF698510000-0x00007FF698861000-memory.dmp	upx
behavioral2/memory/4956-105-0x00007FF7DD5A0000-0x00007FF7DD8F1000-memory.dmp	upx
behavioral2/memory/2356-102-0x00007FF73F070000-0x00007FF73F3C1000-memory.dmp	upx
behavioral2/memory/5000-101-0x00007FF7797E0000-0x00007FF779B31000-memory.dmp	upx
behavioral2/memory/2280-98-0x00007FF616D40000-0x00007FF617091000-memory.dmp	upx
behavioral2/memory/2432-95-0x00007FF743D30000-0x00007FF744081000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-89.dat	upx
behavioral2/memory/4212-83-0x00007FF6E4820000-0x00007FF6E4B71000-memory.dmp	upx
behavioral2/files/0x000b000000023b7a-78.dat	upx
behavioral2/files/0x000a000000023b85-65.dat	upx
behavioral2/memory/2780-64-0x00007FF692080000-0x00007FF6923D1000-memory.dmp	upx
behavioral2/memory/4788-62-0x00007FF6D3110000-0x00007FF6D3461000-memory.dmp	upx
behavioral2/memory/2020-56-0x00007FF7CC920000-0x00007FF7CCC71000-memory.dmp	upx
behavioral2/memory/468-55-0x00007FF694380000-0x00007FF6946D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-48.dat	upx
behavioral2/memory/2160-43-0x00007FF7C4180000-0x00007FF7C44D1000-memory.dmp	upx
behavioral2/memory/180-20-0x00007FF758FD0000-0x00007FF759321000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-12.dat	upx
behavioral2/memory/1796-126-0x00007FF6E66B0000-0x00007FF6E6A01000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-129.dat	upx
behavioral2/files/0x000a000000023b8f-127.dat	upx
behavioral2/memory/3796-123-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-121.dat	upx
behavioral2/memory/2128-114-0x00007FF6BAE00000-0x00007FF6BB151000-memory.dmp	upx
behavioral2/memory/4976-117-0x00007FF6A7440000-0x00007FF6A7791000-memory.dmp	upx
behavioral2/memory/1400-132-0x00007FF6C6A10000-0x00007FF6C6D61000-memory.dmp	upx
behavioral2/memory/468-134-0x00007FF694380000-0x00007FF6946D1000-memory.dmp	upx
behavioral2/memory/5016-135-0x00007FF7645D0000-0x00007FF764921000-memory.dmp	upx
behavioral2/memory/1408-133-0x00007FF6E0020000-0x00007FF6E0371000-memory.dmp	upx
behavioral2/memory/2160-136-0x00007FF7C4180000-0x00007FF7C44D1000-memory.dmp	upx
behavioral2/memory/4788-137-0x00007FF6D3110000-0x00007FF6D3461000-memory.dmp	upx
behavioral2/memory/2780-138-0x00007FF692080000-0x00007FF6923D1000-memory.dmp	upx
behavioral2/memory/4212-139-0x00007FF6E4820000-0x00007FF6E4B71000-memory.dmp	upx
behavioral2/memory/5000-149-0x00007FF7797E0000-0x00007FF779B31000-memory.dmp	upx
behavioral2/memory/2432-148-0x00007FF743D30000-0x00007FF744081000-memory.dmp	upx
behavioral2/memory/2356-159-0x00007FF73F070000-0x00007FF73F3C1000-memory.dmp	upx
behavioral2/memory/1400-161-0x00007FF6C6A10000-0x00007FF6C6D61000-memory.dmp	upx
behavioral2/memory/4212-164-0x00007FF6E4820000-0x00007FF6E4B71000-memory.dmp	upx
behavioral2/memory/3748-224-0x00007FF698510000-0x00007FF698861000-memory.dmp	upx
behavioral2/memory/180-226-0x00007FF758FD0000-0x00007FF759321000-memory.dmp	upx
behavioral2/memory/4976-228-0x00007FF6A7440000-0x00007FF6A7791000-memory.dmp	upx
behavioral2/memory/2128-230-0x00007FF6BAE00000-0x00007FF6BB151000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZgyAgxD.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XXvVIKB.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cYMbTPn.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xtEoboQ.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\clzJZqE.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NkvxPQt.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HZcrbmJ.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\heHDjmx.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\juZiehl.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rZsOxEJ.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tAmRzMY.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WbHkhoo.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LYJaGwz.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rLAKCGw.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MOnabqo.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EPGYDso.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mIviYBa.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jErjrtj.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gHyVUcD.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TkNNKdb.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\juLPStO.exe	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 3748	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4212 wrote to memory of 3748	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4212 wrote to memory of 180	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4212 wrote to memory of 180	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4212 wrote to memory of 4976	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4212 wrote to memory of 4976	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4212 wrote to memory of 2128	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4212 wrote to memory of 2128	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4212 wrote to memory of 3796	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4212 wrote to memory of 3796	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4212 wrote to memory of 1408	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4212 wrote to memory of 1408	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4212 wrote to memory of 2160	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4212 wrote to memory of 2160	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4212 wrote to memory of 468	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4212 wrote to memory of 468	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4212 wrote to memory of 2020	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4212 wrote to memory of 2020	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4212 wrote to memory of 4788	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4212 wrote to memory of 4788	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4212 wrote to memory of 2780	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4212 wrote to memory of 2780	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4212 wrote to memory of 2432	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4212 wrote to memory of 2432	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4212 wrote to memory of 2280	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4212 wrote to memory of 2280	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4212 wrote to memory of 4956	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4212 wrote to memory of 4956	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4212 wrote to memory of 2904	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4212 wrote to memory of 2904	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4212 wrote to memory of 5000	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4212 wrote to memory of 5000	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4212 wrote to memory of 4792	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4212 wrote to memory of 4792	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4212 wrote to memory of 2356	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4212 wrote to memory of 2356	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4212 wrote to memory of 1796	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4212 wrote to memory of 1796	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4212 wrote to memory of 1400	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4212 wrote to memory of 1400	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4212 wrote to memory of 5016	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4212 wrote to memory of 5016	4212	2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-03_0f22040a4532916552e0a48954133d48_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\System\MOnabqo.exe
  C:\Windows\System\MOnabqo.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\ZgyAgxD.exe
  C:\Windows\System\ZgyAgxD.exe
  2⤵
  - Executes dropped EXE
  PID:180
- C:\Windows\System\EPGYDso.exe
  C:\Windows\System\EPGYDso.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\HZcrbmJ.exe
  C:\Windows\System\HZcrbmJ.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\XXvVIKB.exe
  C:\Windows\System\XXvVIKB.exe
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Windows\System\cYMbTPn.exe
  C:\Windows\System\cYMbTPn.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\mIviYBa.exe
  C:\Windows\System\mIviYBa.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\jErjrtj.exe
  C:\Windows\System\jErjrtj.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\heHDjmx.exe
  C:\Windows\System\heHDjmx.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\gHyVUcD.exe
  C:\Windows\System\gHyVUcD.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\juZiehl.exe
  C:\Windows\System\juZiehl.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\rZsOxEJ.exe
  C:\Windows\System\rZsOxEJ.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\tAmRzMY.exe
  C:\Windows\System\tAmRzMY.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\clzJZqE.exe
  C:\Windows\System\clzJZqE.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\WbHkhoo.exe
  C:\Windows\System\WbHkhoo.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\TkNNKdb.exe
  C:\Windows\System\TkNNKdb.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\juLPStO.exe
  C:\Windows\System\juLPStO.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\LYJaGwz.exe
  C:\Windows\System\LYJaGwz.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\xtEoboQ.exe
  C:\Windows\System\xtEoboQ.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\rLAKCGw.exe
  C:\Windows\System\rLAKCGw.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\NkvxPQt.exe
  C:\Windows\System\NkvxPQt.exe
  2⤵
  - Executes dropped EXE
  PID:5016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EPGYDso.exe

Filesize
5.2MB

MD5
6c8df6b5c57505b00136885d88682c04

SHA1
035ad4fa44575f76455d8e6b4b50c67f6781620e

SHA256
55abc3baf5dd39e5ad8120c37b7b61252bb0b4c3012610ec39a34cd959b261ec

SHA512
50c4f358f97ab5d1ebdb86b69e4d74e7d868ea6ee51fd4819810c3bc5c85a365568e3c8173658dbe64706c86d132102ad450e66b524c84217c4ab80b69652442

Download Submit
C:\Windows\System\HZcrbmJ.exe

Filesize
5.2MB

MD5
77200d56a774f2ff8c9904e5c30d3a84

SHA1
adda2a29b125130cdeed8b7db8c743e22c27a17c

SHA256
c4b442f51d8b65304552a2c6bc1c34095a635f0692b7943e8d480895c911a728

SHA512
21a8938743795080abe5a82b2748fb4d6c6a24c0f99d9265a04876d2a21df3bfa6a9b385fe5862737cec1dbf4ef695323beaf93c02628bf1ceb1770b0de18937

Download Submit
C:\Windows\System\LYJaGwz.exe

Filesize
5.2MB

MD5
6bef7d91268b65ca4c30a847b3d9c7fc

SHA1
7d32f3a4c08a6542541b152437ec642d571aab5f

SHA256
d8b776748dbd24c61f61b204fd7fee060e678dd1109bd45ce5aa7e8592d88ca4

SHA512
709f46770056e60460ae4d746faa5b1ef8e82d769b746164b9c640e4441142ebb133dc10ed435136298f36611782debac41c07acd325e8ff8e8403105e6e196f

Download Submit
C:\Windows\System\MOnabqo.exe

Filesize
5.2MB

MD5
810d257a7b2d83fe33b3c0e59cb04eaa

SHA1
80439d7399072f70a6820a1c06af61b1e65832c0

SHA256
84b6233fbffb9a2192aafb3377eeccf27f98f90c4b66a8698f8c610a8aa0119b

SHA512
d7b0432ad8c7e6d87697a0dcef2f142f0cae197fa7cf58908dc87b280c628d85c692a8a2aea2d343302fba7d7ab67b7852d2ada0b285c7b1212fccfb2082576e

Download Submit
C:\Windows\System\NkvxPQt.exe

Filesize
5.2MB

MD5
b7677bdbdc5788cebabc9ae3c6cbe180

SHA1
1b6a8979adde6878bbacd5d7e7d289419824e492

SHA256
80cfa4f4f44698cddd5021f2bf93989a0de570cbe5a299c360d5bb9fb443710a

SHA512
853e4a748a31993f96a2b24d3c4ca2eca3678cdce04373b807d09ed5dba8237760cb8439c1798f21086054e28d0e279be52e9f67f2fa0133c9b88a96ffe48611

Download Submit
C:\Windows\System\TkNNKdb.exe

Filesize
5.2MB

MD5
870881369bdc76079f6d1e93ca7ee429

SHA1
09a5120d4736b662e540acc439fab5d715d5de7e

SHA256
d2a39d118d6aae4ed0fc5447ec84d8e5105887ea49452c522e3195df3aa17b69

SHA512
e4579338a743bb8849807911040bf372070c0a081ed5e32a1acb36cdbbe9cdcaefb2bf26b234ed190cdd8bbf1a42f329a2a443f1c5d4b8774786863db3ba516d

Download Submit
C:\Windows\System\WbHkhoo.exe

Filesize
5.2MB

MD5
8a191f69e28e8701ff3d3611aedd3f46

SHA1
c57d211cee17be75be67cc29cbd4a9c26f6b7ddd

SHA256
182d05bdf68e3f9728a7bb318c686d0cdf826cc87d6ba6405cbd2ad189793b92

SHA512
4d6bb610e2ca8ee8bd2c583ad4ecc6f3ba91c63160f7f34365a8b7637ce54dbd9ff37c170856c1b82a32f1ecf1841ef99a45fa28d09859a9ab1061d35adcdb74

Download Submit
C:\Windows\System\XXvVIKB.exe

Filesize
5.2MB

MD5
4f0ea094021381a6a9eef604e9e7257b

SHA1
e4652b989a18fb1e0eb88bb6edcc1ead196d81f5

SHA256
48a893d72818f53a1c44cb5305baaa139298c5c180e892bbf54fd714acff07bb

SHA512
98675b905f31bd655a0ebbef2a793fe34eddcc4b05c849baab50bac157ea0e07bc868bccc1015e78b3b0a6b28257349f3119882a3c867e8072d0e1e339265c65

Download Submit
C:\Windows\System\ZgyAgxD.exe

Filesize
5.2MB

MD5
0fedbe4776f8e30c3c5e1913544fd245

SHA1
3a6175e46121028ee5700947c87f95c6dc48534a

SHA256
ba6abb3358cb6cde2528642106434ff09acc0a9c66ca2afa596a5acb5009dabc

SHA512
447959b215f23e8b91a7235f8ffba921c6e06fdbc96b783368fc3a11b31ac94680bfaefd48498503445757f6e32d3a05312a5fdc5d220befe7d5d121be69afcf

Download Submit
C:\Windows\System\cYMbTPn.exe

Filesize
5.2MB

MD5
b0a146474dc3517d2476eeb2391b8cae

SHA1
89d68d1b1864099532d3bda75d890fafab8d1b7d

SHA256
bc7391808cb42ea35ba8f809449123bee108c251ec029ea6941bce314e1d9752

SHA512
c45057aa3de957417693a72bd98e404e1c6a9e88f417d766b38f20f57e2b8872dd5a9a779df339c6bacf90e556d14d176836d09b77ff6ea5ddd025d317798397

Download Submit
C:\Windows\System\clzJZqE.exe

Filesize
5.2MB

MD5
54d71df0695467d590ca87c9a5154ecc

SHA1
c381c2445b024e050521a0a8f2106574c848edba

SHA256
8a982fff54567b9c76bd8f1bf5c9c9ea5adc9231321f071850f886f8645ecfda

SHA512
046cd11e02571916112ebc8d604107d14fa5fe885d397ea80e764a1a5a8ef01d4f048fb039e7336ffb86173b6a21c1fd94e209a816ab5ea9a163095c94fb4f07

Download Submit
C:\Windows\System\gHyVUcD.exe

Filesize
5.2MB

MD5
09ce994a516fad63b3c4f80fc0c9b672

SHA1
327d8fa0ceda8e769dfbac219a25f32dbdfe16a6

SHA256
f79c9d00693731a5eb06527b45c0c713461ff459378ed37f0e69339e2691df46

SHA512
ca478015f1aadce92a730c48fee8443679b83d68e96db040c7519e3c549db81c9bcf799e78273e326d1b87414e9851dadf478855b0ef35d3c052b90dfb490d39

Download Submit
C:\Windows\System\heHDjmx.exe

Filesize
5.2MB

MD5
fb2925a525df20586cfc8fb0c8966f47

SHA1
d3277f4a1f1f0d71725fccc4524140ae2686c77e

SHA256
d02c2ef9a4cb651c6107e19d6ddd586eb5e7fd40c5da6ec375dd59a4887feb62

SHA512
bbe011d5ecd175a2e785a2680e444beb2b21fe7b4d837534167255f833d3ce7311318286ec298b8d5994a5b5910565e0b684bc0093812c71dc2d039cf9ecafeb

Download Submit
C:\Windows\System\jErjrtj.exe

Filesize
5.2MB

MD5
28da238d662df820d8f2c6b2993b7dfc

SHA1
3716cb5d285aa4d5d654c483fa38582c4e333b86

SHA256
fa16ff905359ce6a6955a8d1c060306a01ec70e40d0429e48a221d79fc5ebcc3

SHA512
60666519b6b450bc47b5e36c2abd919fc4d9105ec479aab226913e0d73a5fbbb01f1595330bef6bf66fc98ed00994387db6e0e14c51072a7c5773160f26de53b

Download Submit
C:\Windows\System\juLPStO.exe

Filesize
5.2MB

MD5
f948ac6c892945694730ba336a9e4a5b

SHA1
f11714e2275840e8fee47023d32465ec2fa700b7

SHA256
fbefa2d43e35863a8f282e07889fdc2f4a46bea441227e8d3fc9c4d41c088be0

SHA512
0822713da21062f497f02dc5f3a0dd6c722255e565058d4cdae47a26d8df50505ddb3aa707e1afa5f8b7fa4ac651ed59f06e07b052e771968e952a5f877f9d87

Download Submit
C:\Windows\System\juZiehl.exe

Filesize
5.2MB

MD5
daeda9984dd0ec79efd686ef5924f5f1

SHA1
f4c3a2f678b0fb0c7cc8046918b82269f4b3b58d

SHA256
092a7fe68737232dc2e0ebbb6f47a825a607c6cf0282a8afa98f1f1567ab6eb1

SHA512
1a3628f2dacc63e972dd6beace8a0efaacc6d9b129d224e0c365319e1c39bf81cdecf14df4fa7272039475f9327318ee853bd0cceaf9ed79714bad2e9895b8a4

Download Submit
C:\Windows\System\mIviYBa.exe

Filesize
5.2MB

MD5
f7a02b631219ca93f3c6ff31ae7db144

SHA1
9cabc2bef28d3a9225d675571699c2bb95d2daf9

SHA256
d73437db578ef9b896059f2cf928151211e83f50205470873ac4a1f3b13149c7

SHA512
0d026feb2b2630c027f3e472c7b26e1d7ea0cab4ef168cc4d8f8aa5fdff754c05a902e8020d4c91ff29e087fd8143d4b12ee34ff430dfc4e29a4af3b63abde59

Download Submit
C:\Windows\System\rLAKCGw.exe

Filesize
5.2MB

MD5
db67e74f3b7b00fd7eec6771d5a79ba5

SHA1
ce5827c13a014b1f01c00cb2d05bf56977d425f3

SHA256
f8271ff61567f1215be96e18e9755fa5e4556a41906e06527848beb4412a8913

SHA512
9bbf90bdec837b46c67a3c3595d70896dd4570e1cafce167b62eefb1ccd3e0e27443cb0cd257fb8041f59769297f9b4bef8499f9c1d0331f9c8e887ac466a3fa

Download Submit
C:\Windows\System\rZsOxEJ.exe

Filesize
5.2MB

MD5
0973ac49d94c114cae1cc18e95d766bd

SHA1
f213770d83ed6b6795ef69577b20eba2899c455c

SHA256
c4c55ddaec21eb6e7ea32abd7e68ca4c78e68388d2282b6d7e2bcbcfad9ad418

SHA512
4b6e8acd01e3577cbfc3e7d5ace24f8895f15b46d8f961d1a367e58ed9303f90517c858eae7529dbc0f1732314882c740b3e12aa4f6a6af05c146ab9944819b7

Download Submit
C:\Windows\System\tAmRzMY.exe

Filesize
5.2MB

MD5
69652dfea3698476bb26f1d4439734cd

SHA1
f8b590305e712497eb362863f18437d137175c70

SHA256
40e00df9e5718c70f9d24f88629d0035b1c52c9bac261708090459ac4e6d218f

SHA512
800adada8160e3813246b366813b4bf2a21ccb0764213bfa1bc380cefa7d2a5bb0133b406f4f88655024e523a4dd1a5fc996bc44a807ee252235ded171eba52e

Download Submit
C:\Windows\System\xtEoboQ.exe

Filesize
5.2MB

MD5
d2a86d5a14242a8d3af456923b20b23d

SHA1
d98860b35560808485b158b102d15bbad1e74c49

SHA256
58f6219fe45c6bb9694e9e06d42e468f02fe45f88f91b368ee8c5744eaccb1a2

SHA512
804fd076ac569df33b8ae8947ed3bf7316f6ac3a41735c453039895192bf4bfb910cf0a347f5a42528b0c04c41c9dfadd8e03b08d0893aa478176073b94760f2

Download Submit
memory/180-20-0x00007FF758FD0000-0x00007FF759321000-memory.dmp

Filesize
3.3MB

Download
memory/180-110-0x00007FF758FD0000-0x00007FF759321000-memory.dmp

Filesize
3.3MB

Download
memory/180-226-0x00007FF758FD0000-0x00007FF759321000-memory.dmp

Filesize
3.3MB

Download
memory/468-55-0x00007FF694380000-0x00007FF6946D1000-memory.dmp

Filesize
3.3MB

Download
memory/468-134-0x00007FF694380000-0x00007FF6946D1000-memory.dmp

Filesize
3.3MB

Download
memory/468-234-0x00007FF694380000-0x00007FF6946D1000-memory.dmp

Filesize
3.3MB

Download
memory/1400-161-0x00007FF6C6A10000-0x00007FF6C6D61000-memory.dmp

Filesize
3.3MB

Download
memory/1400-132-0x00007FF6C6A10000-0x00007FF6C6D61000-memory.dmp

Filesize
3.3MB

Download
memory/1400-270-0x00007FF6C6A10000-0x00007FF6C6D61000-memory.dmp

Filesize
3.3MB

Download
memory/1408-35-0x00007FF6E0020000-0x00007FF6E0371000-memory.dmp

Filesize
3.3MB

Download
memory/1408-240-0x00007FF6E0020000-0x00007FF6E0371000-memory.dmp

Filesize
3.3MB

Download
memory/1408-133-0x00007FF6E0020000-0x00007FF6E0371000-memory.dmp

Filesize
3.3MB

Download
memory/1796-267-0x00007FF6E66B0000-0x00007FF6E6A01000-memory.dmp

Filesize
3.3MB

Download
memory/1796-126-0x00007FF6E66B0000-0x00007FF6E6A01000-memory.dmp

Filesize
3.3MB

Download
memory/2020-236-0x00007FF7CC920000-0x00007FF7CCC71000-memory.dmp

Filesize
3.3MB

Download
memory/2020-56-0x00007FF7CC920000-0x00007FF7CCC71000-memory.dmp

Filesize
3.3MB

Download
memory/2128-114-0x00007FF6BAE00000-0x00007FF6BB151000-memory.dmp

Filesize
3.3MB

Download
memory/2128-230-0x00007FF6BAE00000-0x00007FF6BB151000-memory.dmp

Filesize
3.3MB

Download
memory/2128-22-0x00007FF6BAE00000-0x00007FF6BB151000-memory.dmp

Filesize
3.3MB

Download
memory/2160-232-0x00007FF7C4180000-0x00007FF7C44D1000-memory.dmp

Filesize
3.3MB

Download
memory/2160-136-0x00007FF7C4180000-0x00007FF7C44D1000-memory.dmp

Filesize
3.3MB

Download
memory/2160-43-0x00007FF7C4180000-0x00007FF7C44D1000-memory.dmp

Filesize
3.3MB

Download
memory/2280-98-0x00007FF616D40000-0x00007FF617091000-memory.dmp

Filesize
3.3MB

Download
memory/2280-251-0x00007FF616D40000-0x00007FF617091000-memory.dmp

Filesize
3.3MB

Download
memory/2356-159-0x00007FF73F070000-0x00007FF73F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2356-263-0x00007FF73F070000-0x00007FF73F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2356-102-0x00007FF73F070000-0x00007FF73F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-253-0x00007FF743D30000-0x00007FF744081000-memory.dmp

Filesize
3.3MB

Download
memory/2432-95-0x00007FF743D30000-0x00007FF744081000-memory.dmp

Filesize
3.3MB

Download
memory/2432-148-0x00007FF743D30000-0x00007FF744081000-memory.dmp

Filesize
3.3MB

Download
memory/2780-64-0x00007FF692080000-0x00007FF6923D1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-244-0x00007FF692080000-0x00007FF6923D1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-138-0x00007FF692080000-0x00007FF6923D1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-111-0x00007FF76ED70000-0x00007FF76F0C1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-257-0x00007FF76ED70000-0x00007FF76F0C1000-memory.dmp

Filesize
3.3MB

Download
memory/3748-106-0x00007FF698510000-0x00007FF698861000-memory.dmp

Filesize
3.3MB

Download
memory/3748-7-0x00007FF698510000-0x00007FF698861000-memory.dmp

Filesize
3.3MB

Download
memory/3748-224-0x00007FF698510000-0x00007FF698861000-memory.dmp

Filesize
3.3MB

Download
memory/3796-123-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp

Filesize
3.3MB

Download
memory/3796-239-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp

Filesize
3.3MB

Download
memory/3796-34-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp

Filesize
3.3MB

Download
memory/4212-139-0x00007FF6E4820000-0x00007FF6E4B71000-memory.dmp

Filesize
3.3MB

Download
memory/4212-83-0x00007FF6E4820000-0x00007FF6E4B71000-memory.dmp

Filesize
3.3MB

Download
memory/4212-164-0x00007FF6E4820000-0x00007FF6E4B71000-memory.dmp

Filesize
3.3MB

Download
memory/4212-1-0x0000023C67F10000-0x0000023C67F20000-memory.dmp

Filesize
64KB

Download
memory/4212-0-0x00007FF6E4820000-0x00007FF6E4B71000-memory.dmp

Filesize
3.3MB

Download
memory/4788-62-0x00007FF6D3110000-0x00007FF6D3461000-memory.dmp

Filesize
3.3MB

Download
memory/4788-137-0x00007FF6D3110000-0x00007FF6D3461000-memory.dmp

Filesize
3.3MB

Download
memory/4788-243-0x00007FF6D3110000-0x00007FF6D3461000-memory.dmp

Filesize
3.3MB

Download
memory/4792-261-0x00007FF79E050000-0x00007FF79E3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4792-112-0x00007FF79E050000-0x00007FF79E3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-105-0x00007FF7DD5A0000-0x00007FF7DD8F1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-256-0x00007FF7DD5A0000-0x00007FF7DD8F1000-memory.dmp

Filesize
3.3MB

Download
memory/4976-29-0x00007FF6A7440000-0x00007FF6A7791000-memory.dmp

Filesize
3.3MB

Download
memory/4976-228-0x00007FF6A7440000-0x00007FF6A7791000-memory.dmp

Filesize
3.3MB

Download
memory/4976-117-0x00007FF6A7440000-0x00007FF6A7791000-memory.dmp

Filesize
3.3MB

Download
memory/5000-101-0x00007FF7797E0000-0x00007FF779B31000-memory.dmp

Filesize
3.3MB

Download
memory/5000-259-0x00007FF7797E0000-0x00007FF779B31000-memory.dmp

Filesize
3.3MB

Download
memory/5000-149-0x00007FF7797E0000-0x00007FF779B31000-memory.dmp

Filesize
3.3MB

Download
memory/5016-135-0x00007FF7645D0000-0x00007FF764921000-memory.dmp

Filesize
3.3MB

Download
memory/5016-271-0x00007FF7645D0000-0x00007FF764921000-memory.dmp

Filesize
3.3MB

Download