cobaltstrike | 45c2cea9e2e9e40fed577f1a747e6292a56966e78b4607e2398c98669fca66eb

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2704a3f5558bf8c21d51b359b0f46e93
SHA1

c6a516d62193b5962c0b1793154bd616ff39a17c
SHA256

45c2cea9e2e9e40fed577f1a747e6292a56966e78b4607e2398c98669fca66eb
SHA512

305cc9d1d4b7c59257c5cf1be89847dc10c65cf144b47006943c81d63a528c78cec1bcdc8034e040bd99a8a0e1f1c56f7515556299b22cd24da9af6de4d8d569
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lp:RWWBibf56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b94-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-25.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b99-28.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-36.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-41.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba3-46.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba4-53.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba5-57.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bad-68.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bb4-78.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbd-81.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc4-100.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bc8-105.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bca-112.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcd-116.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcf-126.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bce-123.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc3-92.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc2-87.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4156-54-0x00007FF7AE210000-0x00007FF7AE561000-memory.dmp	xmrig
behavioral2/memory/2320-64-0x00007FF6F1340000-0x00007FF6F1691000-memory.dmp	xmrig
behavioral2/memory/3008-63-0x00007FF7D0090000-0x00007FF7D03E1000-memory.dmp	xmrig
behavioral2/memory/2796-65-0x00007FF63E260000-0x00007FF63E5B1000-memory.dmp	xmrig
behavioral2/memory/4796-69-0x00007FF6FAEA0000-0x00007FF6FB1F1000-memory.dmp	xmrig
behavioral2/memory/3816-101-0x00007FF7C8350000-0x00007FF7C86A1000-memory.dmp	xmrig
behavioral2/memory/4756-98-0x00007FF7B9290000-0x00007FF7B95E1000-memory.dmp	xmrig
behavioral2/memory/2120-96-0x00007FF67E560000-0x00007FF67E8B1000-memory.dmp	xmrig
behavioral2/memory/1160-79-0x00007FF6644F0000-0x00007FF664841000-memory.dmp	xmrig
behavioral2/memory/4156-129-0x00007FF7AE210000-0x00007FF7AE561000-memory.dmp	xmrig
behavioral2/memory/2772-135-0x00007FF6B90F0000-0x00007FF6B9441000-memory.dmp	xmrig
behavioral2/memory/832-128-0x00007FF65F580000-0x00007FF65F8D1000-memory.dmp	xmrig
behavioral2/memory/3496-138-0x00007FF69FC10000-0x00007FF69FF61000-memory.dmp	xmrig
behavioral2/memory/4892-137-0x00007FF72D460000-0x00007FF72D7B1000-memory.dmp	xmrig
behavioral2/memory/868-136-0x00007FF68C1A0000-0x00007FF68C4F1000-memory.dmp	xmrig
behavioral2/memory/5044-140-0x00007FF6445F0000-0x00007FF644941000-memory.dmp	xmrig
behavioral2/memory/4300-139-0x00007FF62E9E0000-0x00007FF62ED31000-memory.dmp	xmrig
behavioral2/memory/2396-141-0x00007FF73A080000-0x00007FF73A3D1000-memory.dmp	xmrig
behavioral2/memory/4992-145-0x00007FF744600000-0x00007FF744951000-memory.dmp	xmrig
behavioral2/memory/1840-147-0x00007FF6F4720000-0x00007FF6F4A71000-memory.dmp	xmrig
behavioral2/memory/1172-148-0x00007FF676320000-0x00007FF676671000-memory.dmp	xmrig
behavioral2/memory/1980-149-0x00007FF742770000-0x00007FF742AC1000-memory.dmp	xmrig
behavioral2/memory/5096-150-0x00007FF7217B0000-0x00007FF721B01000-memory.dmp	xmrig
behavioral2/memory/4156-159-0x00007FF7AE210000-0x00007FF7AE561000-memory.dmp	xmrig
behavioral2/memory/3008-209-0x00007FF7D0090000-0x00007FF7D03E1000-memory.dmp	xmrig
behavioral2/memory/2796-211-0x00007FF63E260000-0x00007FF63E5B1000-memory.dmp	xmrig
behavioral2/memory/4796-213-0x00007FF6FAEA0000-0x00007FF6FB1F1000-memory.dmp	xmrig
behavioral2/memory/1160-216-0x00007FF6644F0000-0x00007FF664841000-memory.dmp	xmrig
behavioral2/memory/4756-222-0x00007FF7B9290000-0x00007FF7B95E1000-memory.dmp	xmrig
behavioral2/memory/832-224-0x00007FF65F580000-0x00007FF65F8D1000-memory.dmp	xmrig
behavioral2/memory/2396-228-0x00007FF73A080000-0x00007FF73A3D1000-memory.dmp	xmrig
behavioral2/memory/1172-230-0x00007FF676320000-0x00007FF676671000-memory.dmp	xmrig
behavioral2/memory/4992-234-0x00007FF744600000-0x00007FF744951000-memory.dmp	xmrig
behavioral2/memory/2320-233-0x00007FF6F1340000-0x00007FF6F1691000-memory.dmp	xmrig
behavioral2/memory/1840-241-0x00007FF6F4720000-0x00007FF6F4A71000-memory.dmp	xmrig
behavioral2/memory/1980-243-0x00007FF742770000-0x00007FF742AC1000-memory.dmp	xmrig
behavioral2/memory/2120-245-0x00007FF67E560000-0x00007FF67E8B1000-memory.dmp	xmrig
behavioral2/memory/5096-247-0x00007FF7217B0000-0x00007FF721B01000-memory.dmp	xmrig
behavioral2/memory/3816-249-0x00007FF7C8350000-0x00007FF7C86A1000-memory.dmp	xmrig
behavioral2/memory/2772-256-0x00007FF6B90F0000-0x00007FF6B9441000-memory.dmp	xmrig
behavioral2/memory/5044-258-0x00007FF6445F0000-0x00007FF644941000-memory.dmp	xmrig
behavioral2/memory/868-262-0x00007FF68C1A0000-0x00007FF68C4F1000-memory.dmp	xmrig
behavioral2/memory/4892-261-0x00007FF72D460000-0x00007FF72D7B1000-memory.dmp	xmrig
behavioral2/memory/4300-264-0x00007FF62E9E0000-0x00007FF62ED31000-memory.dmp	xmrig
behavioral2/memory/3496-266-0x00007FF69FC10000-0x00007FF69FF61000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3008	trezKxA.exe
2796	mJCgZHq.exe
4796	xJMBpec.exe
1160	YDYWYAP.exe
4756	tbihyex.exe
832	MmjTlCz.exe
2396	GVsjHIS.exe
1172	JdxcrPt.exe
4992	EqyOmSy.exe
2320	OYdOmxa.exe
1840	tWrggQG.exe
1980	JfxdjGA.exe
5096	uJULSYq.exe
2120	BcXEMVj.exe
3816	BodTqvZ.exe
2772	qmDmTMq.exe
5044	LJxibgV.exe
868	KDnAcbv.exe
4892	SZFFucK.exe
3496	fFXsFne.exe
4300	vFyPtZr.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4156-0-0x00007FF7AE210000-0x00007FF7AE561000-memory.dmp	upx
behavioral2/files/0x000c000000023b94-5.dat	upx
behavioral2/files/0x000a000000023b9e-9.dat	upx
behavioral2/files/0x000a000000023b9d-11.dat	upx
behavioral2/memory/2796-12-0x00007FF63E260000-0x00007FF63E5B1000-memory.dmp	upx
behavioral2/memory/4796-18-0x00007FF6FAEA0000-0x00007FF6FB1F1000-memory.dmp	upx
behavioral2/memory/3008-7-0x00007FF7D0090000-0x00007FF7D03E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9f-25.dat	upx
behavioral2/memory/1160-24-0x00007FF6644F0000-0x00007FF664841000-memory.dmp	upx
behavioral2/files/0x000c000000023b99-28.dat	upx
behavioral2/memory/4756-31-0x00007FF7B9290000-0x00007FF7B95E1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-36.dat	upx
behavioral2/files/0x000a000000023ba2-41.dat	upx
behavioral2/memory/1172-47-0x00007FF676320000-0x00007FF676671000-memory.dmp	upx
behavioral2/files/0x000b000000023ba3-46.dat	upx
behavioral2/memory/4156-54-0x00007FF7AE210000-0x00007FF7AE561000-memory.dmp	upx
behavioral2/files/0x000b000000023ba4-53.dat	upx
behavioral2/memory/2396-43-0x00007FF73A080000-0x00007FF73A3D1000-memory.dmp	upx
behavioral2/memory/832-40-0x00007FF65F580000-0x00007FF65F8D1000-memory.dmp	upx
behavioral2/files/0x000b000000023ba5-57.dat	upx
behavioral2/memory/2320-64-0x00007FF6F1340000-0x00007FF6F1691000-memory.dmp	upx
behavioral2/memory/3008-63-0x00007FF7D0090000-0x00007FF7D03E1000-memory.dmp	upx
behavioral2/memory/4992-55-0x00007FF744600000-0x00007FF744951000-memory.dmp	upx
behavioral2/memory/2796-65-0x00007FF63E260000-0x00007FF63E5B1000-memory.dmp	upx
behavioral2/files/0x000a000000023bad-68.dat	upx
behavioral2/memory/4796-69-0x00007FF6FAEA0000-0x00007FF6FB1F1000-memory.dmp	upx
behavioral2/memory/1840-74-0x00007FF6F4720000-0x00007FF6F4A71000-memory.dmp	upx
behavioral2/files/0x000e000000023bb4-78.dat	upx
behavioral2/memory/1980-80-0x00007FF742770000-0x00007FF742AC1000-memory.dmp	upx
behavioral2/files/0x0008000000023bbd-81.dat	upx
behavioral2/files/0x0009000000023bc4-100.dat	upx
behavioral2/files/0x000e000000023bc8-105.dat	upx
behavioral2/memory/3816-101-0x00007FF7C8350000-0x00007FF7C86A1000-memory.dmp	upx
behavioral2/memory/4756-98-0x00007FF7B9290000-0x00007FF7B95E1000-memory.dmp	upx
behavioral2/files/0x0008000000023bca-112.dat	upx
behavioral2/files/0x0008000000023bcd-116.dat	upx
behavioral2/files/0x0008000000023bcf-126.dat	upx
behavioral2/files/0x0008000000023bce-123.dat	upx
behavioral2/memory/2120-96-0x00007FF67E560000-0x00007FF67E8B1000-memory.dmp	upx
behavioral2/files/0x0009000000023bc3-92.dat	upx
behavioral2/files/0x0009000000023bc2-87.dat	upx
behavioral2/memory/5096-86-0x00007FF7217B0000-0x00007FF721B01000-memory.dmp	upx
behavioral2/memory/1160-79-0x00007FF6644F0000-0x00007FF664841000-memory.dmp	upx
behavioral2/memory/4156-129-0x00007FF7AE210000-0x00007FF7AE561000-memory.dmp	upx
behavioral2/memory/2772-135-0x00007FF6B90F0000-0x00007FF6B9441000-memory.dmp	upx
behavioral2/memory/832-128-0x00007FF65F580000-0x00007FF65F8D1000-memory.dmp	upx
behavioral2/memory/3496-138-0x00007FF69FC10000-0x00007FF69FF61000-memory.dmp	upx
behavioral2/memory/4892-137-0x00007FF72D460000-0x00007FF72D7B1000-memory.dmp	upx
behavioral2/memory/868-136-0x00007FF68C1A0000-0x00007FF68C4F1000-memory.dmp	upx
behavioral2/memory/5044-140-0x00007FF6445F0000-0x00007FF644941000-memory.dmp	upx
behavioral2/memory/4300-139-0x00007FF62E9E0000-0x00007FF62ED31000-memory.dmp	upx
behavioral2/memory/2396-141-0x00007FF73A080000-0x00007FF73A3D1000-memory.dmp	upx
behavioral2/memory/4992-145-0x00007FF744600000-0x00007FF744951000-memory.dmp	upx
behavioral2/memory/1840-147-0x00007FF6F4720000-0x00007FF6F4A71000-memory.dmp	upx
behavioral2/memory/1172-148-0x00007FF676320000-0x00007FF676671000-memory.dmp	upx
behavioral2/memory/1980-149-0x00007FF742770000-0x00007FF742AC1000-memory.dmp	upx
behavioral2/memory/5096-150-0x00007FF7217B0000-0x00007FF721B01000-memory.dmp	upx
behavioral2/memory/4156-159-0x00007FF7AE210000-0x00007FF7AE561000-memory.dmp	upx
behavioral2/memory/3008-209-0x00007FF7D0090000-0x00007FF7D03E1000-memory.dmp	upx
behavioral2/memory/2796-211-0x00007FF63E260000-0x00007FF63E5B1000-memory.dmp	upx
behavioral2/memory/4796-213-0x00007FF6FAEA0000-0x00007FF6FB1F1000-memory.dmp	upx
behavioral2/memory/1160-216-0x00007FF6644F0000-0x00007FF664841000-memory.dmp	upx
behavioral2/memory/4756-222-0x00007FF7B9290000-0x00007FF7B95E1000-memory.dmp	upx
behavioral2/memory/832-224-0x00007FF65F580000-0x00007FF65F8D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\vFyPtZr.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xJMBpec.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YDYWYAP.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JdxcrPt.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JfxdjGA.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uJULSYq.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MmjTlCz.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GVsjHIS.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OYdOmxa.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BodTqvZ.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fFXsFne.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\trezKxA.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EqyOmSy.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BcXEMVj.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qmDmTMq.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SZFFucK.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mJCgZHq.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tbihyex.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tWrggQG.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LJxibgV.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KDnAcbv.exe	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 3008	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4156 wrote to memory of 3008	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4156 wrote to memory of 2796	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4156 wrote to memory of 2796	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4156 wrote to memory of 4796	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4156 wrote to memory of 4796	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4156 wrote to memory of 1160	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4156 wrote to memory of 1160	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4156 wrote to memory of 4756	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4156 wrote to memory of 4756	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4156 wrote to memory of 832	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4156 wrote to memory of 832	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4156 wrote to memory of 2396	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4156 wrote to memory of 2396	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4156 wrote to memory of 1172	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4156 wrote to memory of 1172	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4156 wrote to memory of 4992	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4156 wrote to memory of 4992	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4156 wrote to memory of 2320	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4156 wrote to memory of 2320	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4156 wrote to memory of 1840	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4156 wrote to memory of 1840	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4156 wrote to memory of 1980	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4156 wrote to memory of 1980	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4156 wrote to memory of 5096	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4156 wrote to memory of 5096	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4156 wrote to memory of 2120	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4156 wrote to memory of 2120	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4156 wrote to memory of 3816	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4156 wrote to memory of 3816	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4156 wrote to memory of 2772	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4156 wrote to memory of 2772	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4156 wrote to memory of 5044	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4156 wrote to memory of 5044	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4156 wrote to memory of 868	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4156 wrote to memory of 868	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4156 wrote to memory of 4892	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4156 wrote to memory of 4892	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4156 wrote to memory of 3496	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4156 wrote to memory of 3496	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4156 wrote to memory of 4300	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4156 wrote to memory of 4300	4156	2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-04_2704a3f5558bf8c21d51b359b0f46e93_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\System\trezKxA.exe
  C:\Windows\System\trezKxA.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\mJCgZHq.exe
  C:\Windows\System\mJCgZHq.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\xJMBpec.exe
  C:\Windows\System\xJMBpec.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\YDYWYAP.exe
  C:\Windows\System\YDYWYAP.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\tbihyex.exe
  C:\Windows\System\tbihyex.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\MmjTlCz.exe
  C:\Windows\System\MmjTlCz.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System\GVsjHIS.exe
  C:\Windows\System\GVsjHIS.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\JdxcrPt.exe
  C:\Windows\System\JdxcrPt.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\EqyOmSy.exe
  C:\Windows\System\EqyOmSy.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\OYdOmxa.exe
  C:\Windows\System\OYdOmxa.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\tWrggQG.exe
  C:\Windows\System\tWrggQG.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System\JfxdjGA.exe
  C:\Windows\System\JfxdjGA.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\uJULSYq.exe
  C:\Windows\System\uJULSYq.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System\BcXEMVj.exe
  C:\Windows\System\BcXEMVj.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\BodTqvZ.exe
  C:\Windows\System\BodTqvZ.exe
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\System\qmDmTMq.exe
  C:\Windows\System\qmDmTMq.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\LJxibgV.exe
  C:\Windows\System\LJxibgV.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\KDnAcbv.exe
  C:\Windows\System\KDnAcbv.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System\SZFFucK.exe
  C:\Windows\System\SZFFucK.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\fFXsFne.exe
  C:\Windows\System\fFXsFne.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\vFyPtZr.exe
  C:\Windows\System\vFyPtZr.exe
  2⤵
  - Executes dropped EXE
  PID:4300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BcXEMVj.exe

Filesize
5.2MB

MD5
5d808332942ff158fe1ac5b964fca355

SHA1
748296e9a19aae37000f2aa0cb6401c572aa4406

SHA256
741c82e784aa6f9d2c2dc762e4b05a1d12ee559829d29d956040cb4755fc019c

SHA512
c74db020ca73738422b7bc85901cf889d093d3efe3bdcf462948b81a82917a82bc1dcb1a6f8f94d126a42623550384b842117a7b056a45fbe171223497228342

Download Submit
C:\Windows\System\BodTqvZ.exe

Filesize
5.2MB

MD5
c99f5edc0c8baa2afeee86d5db91f03d

SHA1
29059216506fa2a6e1044adc344fbf2915740f16

SHA256
fa141f86a651bc9ea6fba3487bc0fca7a26c49ce8b010588b481772642c8e8b0

SHA512
e706bbe66d0950cc10c294aa70344c46e97b5dcb1c43d92ff5913488c84f0cb96f01c2da9b0eeee59c1872fc9dadc89f70f4137ec51adc27536ec8babd6d6e26

Download Submit
C:\Windows\System\EqyOmSy.exe

Filesize
5.2MB

MD5
da689ab2d0acd63ffdfc5c04555ebac3

SHA1
4215f38df1a0d7e43f18b3dd97a9e51432df19f7

SHA256
41f3ce51ef1dda74b4a770efa26a31db8af256cd55e8bdee43e6181057481f56

SHA512
65038429e4ae386af3c148efae0b5648eea880748245d3966b77033656a14de9360e4bde7bd361419728c3dfc69818880b535641b2d5044deebfc6d99606e50f

Download Submit
C:\Windows\System\GVsjHIS.exe

Filesize
5.2MB

MD5
a4358aecd6ff646496b92ec3bebd8d99

SHA1
a5d4344a46ecea58752dcca3995fac3a100c665e

SHA256
2598e1782d5dd19bc8e8e39768a4ec0c3a8f1a774ae62a3a2fe2384c78624eec

SHA512
2666af7ab01948c1d53c19ce24d3e9aacfbed8d6281a91d3d9b8035a2aee6d71807ef4e0f99268d89b166b711acd8634ce0ed22154b89e341e11126b4a5c649a

Download Submit
C:\Windows\System\JdxcrPt.exe

Filesize
5.2MB

MD5
67c73fbe89f592dd45f2e1e87057f510

SHA1
f7bf4e2dcf447cac985339fab5cd3018a2121a75

SHA256
b11e60ad2a41d98204ddc82265d9f3ed765c695a090248552c9a91990ab2c61f

SHA512
3f7683370e155a528a405b36f087fa6c35f116fa170943b7f645045b2ba3c348101bd37b671ee61e35a1232c8fce6d68877cf5dc0a1f8518eb07f1f5e74b6af8

Download Submit
C:\Windows\System\JfxdjGA.exe

Filesize
5.2MB

MD5
bb139732d3caea7e99f3ee721729fa23

SHA1
7efed716ca6d15a435ce49c2fabec13a2b499fa7

SHA256
c8082971911fd577c1912607ce3c88297f72c8cbb438e230f9770823bf9c4f14

SHA512
f17842fa3215c4b58d68ef876b9d606a42229b34c1a258ab1f53cb684d1e221d8bfaecb7624d345dedb67d6eb8848ace33b68b5eacbe4a35503f336acb7d456b

Download Submit
C:\Windows\System\KDnAcbv.exe

Filesize
5.2MB

MD5
a74c43b9eccb958f9aac2514f288bb86

SHA1
c763d4ab95495063683e12b3e5cde54d8f2a6001

SHA256
fa15e23827de046f9739550b5c1d079e568fd61c0521b38c3374abe650d95414

SHA512
459172f536d3228072410c7820324e9595595f93b5d1f351643cdbd9ae6b096ac76a77b14740ef1521bbb48e680e8c594a7dbf9d665f306ce8aab1476899470f

Download Submit
C:\Windows\System\LJxibgV.exe

Filesize
5.2MB

MD5
d4a23c84d241d371b610d2b52d7025c8

SHA1
cfdc06e08b9577596442726a60caafb0c1d1bfc0

SHA256
878d80fe38c9fc76ec41b0f9eb044f2ed0bafbdf12318ac5b97825a12aac5a3a

SHA512
82cd6698c28e78eda7c84824c4f5543870f1b072c7dae80674e405defb06a7fd9f2b29a7a60973a073272abff726df4dc4020b12b95f6529391671a982651639

Download Submit
C:\Windows\System\MmjTlCz.exe

Filesize
5.2MB

MD5
51474cef7bec71c5e363dc43b8321b7a

SHA1
36c9bc9d8f8197270909dc84741193701b09261e

SHA256
39370bde50666acdc880b887ac893b20e9391b0ec885d52db2f4cda052207cc8

SHA512
b7b7ac2296f481dde89633c6a50fd3810c1c2a47e03f75d1217ebc927941c682720d69259f76f315b6321df8bbed44ff5df97b119a1727b998e0b63db0d48882

Download Submit
C:\Windows\System\OYdOmxa.exe

Filesize
5.2MB

MD5
f59552b55afa98d06fe23997bf97550a

SHA1
cb379266155951036e2c6abe75b9c739581eba98

SHA256
7f66faee22e0381610083519649d57cece30c476983f1120375555a4c5dd79fd

SHA512
9c5e4be75f24e8ab370da0d7eb404aa6282326c551099c3e45f657036453d4780e784077e8f41f6a3ae4a4d0e3e46de881047714c623527dbd89fb1e590f0f5b

Download Submit
C:\Windows\System\SZFFucK.exe

Filesize
5.2MB

MD5
52a11baf5fba2101fd0dff17c53bbc58

SHA1
b2ce7ecf7f385d92ea5d83f72c011976689e64e4

SHA256
943a72630a91864ebb355196262a3124336af779c494dd0d8ba28590b4a5df31

SHA512
bfbc69ebf8de7d21effa971dfae2d2bbbe1b4e40ff5ee3f1b43ab529dd6625fba68d41e5767db38f4a34595f0c3da51f16ab69c1d6dea84a0f9daa912fefab25

Download Submit
C:\Windows\System\YDYWYAP.exe

Filesize
5.2MB

MD5
7544df8122d4acf6068d1e52ff10b205

SHA1
9d6b6ea5dfbf0ca1856e0c7a6f2f86a1c125e55e

SHA256
6394aa3d3b78cd9c336cddb2da8dc889606ad009b634dbffd742a55faa979f89

SHA512
cfb083507b537c8adc17ee7a4ac0346cf0225965e82e816bae118c81955785578e1c4730fa6fe79690362b153a51e9a0d1db28e98711dcaddf70cc537eb02236

Download Submit
C:\Windows\System\fFXsFne.exe

Filesize
5.2MB

MD5
9172c43d041d090897d37b7b1104ddad

SHA1
6f4dc32afd4de60ddec64860ed5667bdecaa3968

SHA256
8ed79f8810462e30ad97a3dcb411d515e6546682bb471174c094537f8ad5730c

SHA512
fd547b8ec92b142bff995a3117bbf5542831ae4e06266c888ea8dac27c5f6be3c0924bcdc444d1bfbc2b66c1b49cfb31f73a49b770cf7e1ea4993f5c1cf7743d

Download Submit
C:\Windows\System\mJCgZHq.exe

Filesize
5.2MB

MD5
9f1a4ef09bf702dd8adf5e2f539526f8

SHA1
5a9f18487667df2f2fe0a0e507b628f14a86c969

SHA256
553543f4cc3cb9445ee02c227faa25d8be126ed49c14fcb1b6783766060c4a45

SHA512
9887796df265490ce65bf0e0392e3c6610b42e700d2e5010493bdb88634207d43468c1e6fd8ab9348b030e748dc130c6d7c37a08825599f469105d9a418dece7

Download Submit
C:\Windows\System\qmDmTMq.exe

Filesize
5.2MB

MD5
fe5a88bb4f14a2f8b0ebfbae3e184e1e

SHA1
40a0cdf1d8120572400fc61dfb0a06dd25e9d86c

SHA256
71cf1f25d23de52046b991501785bda80e30a12d75c3ac021ec40562f5724aed

SHA512
3a4de8fd9c47bf4f16d9e50b6f6a12024ee6ab07c6eb1842b99badfe38bbec7db01668a00ee3abe189a77f7d21eeb8f485506fe2e79a0abe1f55de31fd35af8c

Download Submit
C:\Windows\System\tWrggQG.exe

Filesize
5.2MB

MD5
383d13a103a98b4398f7e8fa23b29ad0

SHA1
12ec9017809b577312a8efb85684bb28fc828411

SHA256
3a3ff33e1884705d32ea21571b506a42282dce13b29a237f1b3503af2554292d

SHA512
7f0c50891bd92825ed187999ef2dab2bcf78c962aff030713ca1491adaea2eeea32e26e398569dabc09c693a07e425b2806b3365ddbf82933401269f4892248c

Download Submit
C:\Windows\System\tbihyex.exe

Filesize
5.2MB

MD5
9b1b08bf1bbdfaf90546b5df66d72e88

SHA1
5825176a7e308a6be66b6a88175c8e7959074945

SHA256
b8efa4175c920668dad777057a6a405ac6d66d05174f1887670e690e64a7669b

SHA512
428834a4c116ca6d786171820dcc1e968e8fad66bbcd37c75a248652df90e5dfd5ebcc7cadc205aca9a9efb969ecd2757cf925940c359ec5b5e930c598cb271a

Download Submit
C:\Windows\System\trezKxA.exe

Filesize
5.2MB

MD5
c1fc764c94141530b3829f0e3384c00e

SHA1
784e6d4fc376ace2b55c76feb642eb4653d7da40

SHA256
31823d1c66ef1c3f4e329e0296cf3b3837adb6be7b6aa6a5cd76ad30648943f2

SHA512
1e4f26c875ee24ee571dd5a86d9aeff00047e35d3935297ea775894c3d91ab2f225fd410c732bd503706063736fd8964ccdfb9ea9335f26b5d74b65aa8785d87

Download Submit
C:\Windows\System\uJULSYq.exe

Filesize
5.2MB

MD5
9e169172a8c69d4c1c5c684b8b75d66b

SHA1
ff2b446f55943cbd8c251e9ced8a3445e4e0927b

SHA256
a4670b7f34d22ed99638b7266a67afeecab7f49f51128102507678bb63fd75ad

SHA512
a96d6456dfb6debec505f6912b3a0a0cef9ca0dcb9339aea7e3eee418ec2e37f4d293f2e98adbb098c34e1fbec4f58f09ddce0b8878d869c11f845815dfe90b7

Download Submit
C:\Windows\System\vFyPtZr.exe

Filesize
5.2MB

MD5
ec7f526cffec970d9f2ec3e486220785

SHA1
bb6b8d4c9c6c65a1e7982ad3a33611dd9d4b6298

SHA256
cb6ea885dada62201e6ba64abc7735d8948619ac6e3282fee3cbec559dd97ec2

SHA512
e8b6e0786e4c25e6bbd090550b62f1aecd23c28297f5d7bf198ab0cd7a4dba95cdcc8d3de8f68186272434116ab0118236b3ebfd404bbf90a7ec1a5eda5e1caf

Download Submit
C:\Windows\System\xJMBpec.exe

Filesize
5.2MB

MD5
d6a4380c680c3d83668f2086ae1df80d

SHA1
d7f20cfc717d2d366b7a61b3a07316c07bffe2e3

SHA256
993de40303d2cf5b174e748e0fac90a7c266b5eddddae2c282d36f97cd3a0c24

SHA512
45310bd5cbb234704f8d507a23ac20800bbf6d4f7c98ad01c4420ca5b5f6c69deaa05523bdded34d9b4b3015cb94b995e56ea03fd129d835f48a2ef9676c9699

Download Submit
memory/832-40-0x00007FF65F580000-0x00007FF65F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/832-224-0x00007FF65F580000-0x00007FF65F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/832-128-0x00007FF65F580000-0x00007FF65F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/868-262-0x00007FF68C1A0000-0x00007FF68C4F1000-memory.dmp

Filesize
3.3MB

Download
memory/868-136-0x00007FF68C1A0000-0x00007FF68C4F1000-memory.dmp

Filesize
3.3MB

Download
memory/1160-79-0x00007FF6644F0000-0x00007FF664841000-memory.dmp

Filesize
3.3MB

Download
memory/1160-216-0x00007FF6644F0000-0x00007FF664841000-memory.dmp

Filesize
3.3MB

Download
memory/1160-24-0x00007FF6644F0000-0x00007FF664841000-memory.dmp

Filesize
3.3MB

Download
memory/1172-47-0x00007FF676320000-0x00007FF676671000-memory.dmp

Filesize
3.3MB

Download
memory/1172-148-0x00007FF676320000-0x00007FF676671000-memory.dmp

Filesize
3.3MB

Download
memory/1172-230-0x00007FF676320000-0x00007FF676671000-memory.dmp

Filesize
3.3MB

Download
memory/1840-147-0x00007FF6F4720000-0x00007FF6F4A71000-memory.dmp

Filesize
3.3MB

Download
memory/1840-241-0x00007FF6F4720000-0x00007FF6F4A71000-memory.dmp

Filesize
3.3MB

Download
memory/1840-74-0x00007FF6F4720000-0x00007FF6F4A71000-memory.dmp

Filesize
3.3MB

Download
memory/1980-243-0x00007FF742770000-0x00007FF742AC1000-memory.dmp

Filesize
3.3MB

Download
memory/1980-149-0x00007FF742770000-0x00007FF742AC1000-memory.dmp

Filesize
3.3MB

Download
memory/1980-80-0x00007FF742770000-0x00007FF742AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2120-96-0x00007FF67E560000-0x00007FF67E8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2120-245-0x00007FF67E560000-0x00007FF67E8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2320-233-0x00007FF6F1340000-0x00007FF6F1691000-memory.dmp

Filesize
3.3MB

Download
memory/2320-64-0x00007FF6F1340000-0x00007FF6F1691000-memory.dmp

Filesize
3.3MB

Download
memory/2396-228-0x00007FF73A080000-0x00007FF73A3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-141-0x00007FF73A080000-0x00007FF73A3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-43-0x00007FF73A080000-0x00007FF73A3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-135-0x00007FF6B90F0000-0x00007FF6B9441000-memory.dmp

Filesize
3.3MB

Download
memory/2772-256-0x00007FF6B90F0000-0x00007FF6B9441000-memory.dmp

Filesize
3.3MB

Download
memory/2796-211-0x00007FF63E260000-0x00007FF63E5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-12-0x00007FF63E260000-0x00007FF63E5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-65-0x00007FF63E260000-0x00007FF63E5B1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-7-0x00007FF7D0090000-0x00007FF7D03E1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-209-0x00007FF7D0090000-0x00007FF7D03E1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-63-0x00007FF7D0090000-0x00007FF7D03E1000-memory.dmp

Filesize
3.3MB

Download
memory/3496-266-0x00007FF69FC10000-0x00007FF69FF61000-memory.dmp

Filesize
3.3MB

Download
memory/3496-138-0x00007FF69FC10000-0x00007FF69FF61000-memory.dmp

Filesize
3.3MB

Download
memory/3816-249-0x00007FF7C8350000-0x00007FF7C86A1000-memory.dmp

Filesize
3.3MB

Download
memory/3816-101-0x00007FF7C8350000-0x00007FF7C86A1000-memory.dmp

Filesize
3.3MB

Download
memory/4156-159-0x00007FF7AE210000-0x00007FF7AE561000-memory.dmp

Filesize
3.3MB

Download
memory/4156-129-0x00007FF7AE210000-0x00007FF7AE561000-memory.dmp

Filesize
3.3MB

Download
memory/4156-0-0x00007FF7AE210000-0x00007FF7AE561000-memory.dmp

Filesize
3.3MB

Download
memory/4156-54-0x00007FF7AE210000-0x00007FF7AE561000-memory.dmp

Filesize
3.3MB

Download
memory/4156-1-0x000002154B220000-0x000002154B230000-memory.dmp

Filesize
64KB

Download
memory/4300-264-0x00007FF62E9E0000-0x00007FF62ED31000-memory.dmp

Filesize
3.3MB

Download
memory/4300-139-0x00007FF62E9E0000-0x00007FF62ED31000-memory.dmp

Filesize
3.3MB

Download
memory/4756-98-0x00007FF7B9290000-0x00007FF7B95E1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-222-0x00007FF7B9290000-0x00007FF7B95E1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-31-0x00007FF7B9290000-0x00007FF7B95E1000-memory.dmp

Filesize
3.3MB

Download
memory/4796-69-0x00007FF6FAEA0000-0x00007FF6FB1F1000-memory.dmp

Filesize
3.3MB

Download
memory/4796-213-0x00007FF6FAEA0000-0x00007FF6FB1F1000-memory.dmp

Filesize
3.3MB

Download
memory/4796-18-0x00007FF6FAEA0000-0x00007FF6FB1F1000-memory.dmp

Filesize
3.3MB

Download
memory/4892-137-0x00007FF72D460000-0x00007FF72D7B1000-memory.dmp

Filesize
3.3MB

Download
memory/4892-261-0x00007FF72D460000-0x00007FF72D7B1000-memory.dmp

Filesize
3.3MB

Download
memory/4992-234-0x00007FF744600000-0x00007FF744951000-memory.dmp

Filesize
3.3MB

Download
memory/4992-145-0x00007FF744600000-0x00007FF744951000-memory.dmp

Filesize
3.3MB

Download
memory/4992-55-0x00007FF744600000-0x00007FF744951000-memory.dmp

Filesize
3.3MB

Download
memory/5044-258-0x00007FF6445F0000-0x00007FF644941000-memory.dmp

Filesize
3.3MB

Download
memory/5044-140-0x00007FF6445F0000-0x00007FF644941000-memory.dmp

Filesize
3.3MB

Download
memory/5096-86-0x00007FF7217B0000-0x00007FF721B01000-memory.dmp

Filesize
3.3MB

Download
memory/5096-247-0x00007FF7217B0000-0x00007FF721B01000-memory.dmp

Filesize
3.3MB

Download
memory/5096-150-0x00007FF7217B0000-0x00007FF721B01000-memory.dmp

Filesize
3.3MB

Download