cobaltstrike | 6f14d3c5e6ea26fe6945846a91afe1624552aafe9c146350b437ec3a0cc40e85

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

574b0618b2a739acaebddc226778e7b5
SHA1

12322fa6b9d9966c7e1a406764e6e75f0c992720
SHA256

6f14d3c5e6ea26fe6945846a91afe1624552aafe9c146350b437ec3a0cc40e85
SHA512

0cb952eea7875523a6df86d1a9fcfae528e42c1c4f7cde20fed8ee65232e8d27bd2758e4514cb2d9a988b037af7c7d31b30caaba6a1dafe4cb141df02dc21735
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ly:RWWBibf56utgpPFotBER/mQ32lU2

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c97-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-56.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c98-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-94.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4228-68-0x00007FF7E9C80000-0x00007FF7E9FD1000-memory.dmp	xmrig
behavioral2/memory/4928-69-0x00007FF70D490000-0x00007FF70D7E1000-memory.dmp	xmrig
behavioral2/memory/4832-34-0x00007FF6B1340000-0x00007FF6B1691000-memory.dmp	xmrig
behavioral2/memory/2856-77-0x00007FF76F870000-0x00007FF76FBC1000-memory.dmp	xmrig
behavioral2/memory/784-118-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp	xmrig
behavioral2/memory/4004-131-0x00007FF7B9C50000-0x00007FF7B9FA1000-memory.dmp	xmrig
behavioral2/memory/3608-130-0x00007FF7275C0000-0x00007FF727911000-memory.dmp	xmrig
behavioral2/memory/4852-91-0x00007FF70ACB0000-0x00007FF70B001000-memory.dmp	xmrig
behavioral2/memory/2984-81-0x00007FF7615F0000-0x00007FF761941000-memory.dmp	xmrig
behavioral2/memory/4228-135-0x00007FF7E9C80000-0x00007FF7E9FD1000-memory.dmp	xmrig
behavioral2/memory/4460-145-0x00007FF7A9F80000-0x00007FF7AA2D1000-memory.dmp	xmrig
behavioral2/memory/4696-147-0x00007FF79EAC0000-0x00007FF79EE11000-memory.dmp	xmrig
behavioral2/memory/1640-146-0x00007FF6A40B0000-0x00007FF6A4401000-memory.dmp	xmrig
behavioral2/memory/1108-144-0x00007FF6051A0000-0x00007FF6054F1000-memory.dmp	xmrig
behavioral2/memory/544-148-0x00007FF78D590000-0x00007FF78D8E1000-memory.dmp	xmrig
behavioral2/memory/4812-143-0x00007FF6AB270000-0x00007FF6AB5C1000-memory.dmp	xmrig
behavioral2/memory/4896-153-0x00007FF79FBD0000-0x00007FF79FF21000-memory.dmp	xmrig
behavioral2/memory/2172-156-0x00007FF631A20000-0x00007FF631D71000-memory.dmp	xmrig
behavioral2/memory/4688-154-0x00007FF6115E0000-0x00007FF611931000-memory.dmp	xmrig
behavioral2/memory/1956-151-0x00007FF7C7920000-0x00007FF7C7C71000-memory.dmp	xmrig
behavioral2/memory/3664-150-0x00007FF73E140000-0x00007FF73E491000-memory.dmp	xmrig
behavioral2/memory/3896-149-0x00007FF71C5D0000-0x00007FF71C921000-memory.dmp	xmrig
behavioral2/memory/2696-152-0x00007FF732290000-0x00007FF7325E1000-memory.dmp	xmrig
behavioral2/memory/4228-157-0x00007FF7E9C80000-0x00007FF7E9FD1000-memory.dmp	xmrig
behavioral2/memory/4228-171-0x00007FF7E9C80000-0x00007FF7E9FD1000-memory.dmp	xmrig
behavioral2/memory/4928-214-0x00007FF70D490000-0x00007FF70D7E1000-memory.dmp	xmrig
behavioral2/memory/2856-216-0x00007FF76F870000-0x00007FF76FBC1000-memory.dmp	xmrig
behavioral2/memory/2984-218-0x00007FF7615F0000-0x00007FF761941000-memory.dmp	xmrig
behavioral2/memory/4832-220-0x00007FF6B1340000-0x00007FF6B1691000-memory.dmp	xmrig
behavioral2/memory/4852-222-0x00007FF70ACB0000-0x00007FF70B001000-memory.dmp	xmrig
behavioral2/memory/784-224-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp	xmrig
behavioral2/memory/4004-226-0x00007FF7B9C50000-0x00007FF7B9FA1000-memory.dmp	xmrig
behavioral2/memory/4812-228-0x00007FF6AB270000-0x00007FF6AB5C1000-memory.dmp	xmrig
behavioral2/memory/1640-235-0x00007FF6A40B0000-0x00007FF6A4401000-memory.dmp	xmrig
behavioral2/memory/1108-238-0x00007FF6051A0000-0x00007FF6054F1000-memory.dmp	xmrig
behavioral2/memory/4460-237-0x00007FF7A9F80000-0x00007FF7AA2D1000-memory.dmp	xmrig
behavioral2/memory/4696-233-0x00007FF79EAC0000-0x00007FF79EE11000-memory.dmp	xmrig
behavioral2/memory/544-247-0x00007FF78D590000-0x00007FF78D8E1000-memory.dmp	xmrig
behavioral2/memory/3896-249-0x00007FF71C5D0000-0x00007FF71C921000-memory.dmp	xmrig
behavioral2/memory/1956-251-0x00007FF7C7920000-0x00007FF7C7C71000-memory.dmp	xmrig
behavioral2/memory/3664-255-0x00007FF73E140000-0x00007FF73E491000-memory.dmp	xmrig
behavioral2/memory/2696-257-0x00007FF732290000-0x00007FF7325E1000-memory.dmp	xmrig
behavioral2/memory/3608-259-0x00007FF7275C0000-0x00007FF727911000-memory.dmp	xmrig
behavioral2/memory/4896-261-0x00007FF79FBD0000-0x00007FF79FF21000-memory.dmp	xmrig
behavioral2/memory/4688-263-0x00007FF6115E0000-0x00007FF611931000-memory.dmp	xmrig
behavioral2/memory/2172-265-0x00007FF631A20000-0x00007FF631D71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4928	hHGIIZU.exe
2856	OmWPHJA.exe
2984	KSNmlmn.exe
4852	HTSMNeJ.exe
4832	poxdixc.exe
784	wrAEOVH.exe
4004	mVHqMCv.exe
4812	NHFjKGG.exe
1108	JUKhXST.exe
4460	sYscjRd.exe
1640	WEXquXl.exe
4696	fVSCLCc.exe
544	nnuvywx.exe
3896	gtPGpSF.exe
3664	izsxXCO.exe
1956	bwAFgXQ.exe
2696	YgFIUCd.exe
4896	XAsDrxk.exe
4688	bhHvRxE.exe
3608	gLjyQhC.exe
2172	OcYDFSv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4228-0-0x00007FF7E9C80000-0x00007FF7E9FD1000-memory.dmp	upx
behavioral2/files/0x0008000000023c97-4.dat	upx
behavioral2/files/0x0007000000023c9c-9.dat	upx
behavioral2/files/0x0007000000023c9b-10.dat	upx
behavioral2/files/0x0007000000023c9d-21.dat	upx
behavioral2/files/0x0007000000023c9f-35.dat	upx
behavioral2/files/0x0007000000023ca0-46.dat	upx
behavioral2/files/0x0007000000023ca3-56.dat	upx
behavioral2/files/0x0008000000023c98-65.dat	upx
behavioral2/memory/4228-68-0x00007FF7E9C80000-0x00007FF7E9FD1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-73.dat	upx
behavioral2/memory/1640-70-0x00007FF6A40B0000-0x00007FF6A4401000-memory.dmp	upx
behavioral2/memory/4928-69-0x00007FF70D490000-0x00007FF70D7E1000-memory.dmp	upx
behavioral2/memory/4696-67-0x00007FF79EAC0000-0x00007FF79EE11000-memory.dmp	upx
behavioral2/memory/4460-66-0x00007FF7A9F80000-0x00007FF7AA2D1000-memory.dmp	upx
behavioral2/memory/1108-63-0x00007FF6051A0000-0x00007FF6054F1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-61.dat	upx
behavioral2/memory/4812-50-0x00007FF6AB270000-0x00007FF6AB5C1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-48.dat	upx
behavioral2/memory/4004-45-0x00007FF7B9C50000-0x00007FF7B9FA1000-memory.dmp	upx
behavioral2/memory/784-41-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp	upx
behavioral2/memory/4832-34-0x00007FF6B1340000-0x00007FF6B1691000-memory.dmp	upx
behavioral2/memory/4852-28-0x00007FF70ACB0000-0x00007FF70B001000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-27.dat	upx
behavioral2/memory/2984-22-0x00007FF7615F0000-0x00007FF761941000-memory.dmp	upx
behavioral2/memory/2856-17-0x00007FF76F870000-0x00007FF76FBC1000-memory.dmp	upx
behavioral2/memory/4928-11-0x00007FF70D490000-0x00007FF70D7E1000-memory.dmp	upx
behavioral2/memory/2856-77-0x00007FF76F870000-0x00007FF76FBC1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-79.dat	upx
behavioral2/files/0x0007000000023ca7-90.dat	upx
behavioral2/files/0x0007000000023ca9-113.dat	upx
behavioral2/memory/3664-107-0x00007FF73E140000-0x00007FF73E491000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-106.dat	upx
behavioral2/memory/784-118-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp	upx
behavioral2/files/0x0007000000023cac-117.dat	upx
behavioral2/memory/2696-116-0x00007FF732290000-0x00007FF7325E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-127.dat	upx
behavioral2/memory/4688-129-0x00007FF6115E0000-0x00007FF611931000-memory.dmp	upx
behavioral2/memory/4004-131-0x00007FF7B9C50000-0x00007FF7B9FA1000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-133.dat	upx
behavioral2/memory/2172-132-0x00007FF631A20000-0x00007FF631D71000-memory.dmp	upx
behavioral2/memory/3608-130-0x00007FF7275C0000-0x00007FF727911000-memory.dmp	upx
behavioral2/memory/4896-124-0x00007FF79FBD0000-0x00007FF79FF21000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-102.dat	upx
behavioral2/memory/1956-100-0x00007FF7C7920000-0x00007FF7C7C71000-memory.dmp	upx
behavioral2/memory/3896-99-0x00007FF71C5D0000-0x00007FF71C921000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-94.dat	upx
behavioral2/memory/4852-91-0x00007FF70ACB0000-0x00007FF70B001000-memory.dmp	upx
behavioral2/memory/544-86-0x00007FF78D590000-0x00007FF78D8E1000-memory.dmp	upx
behavioral2/memory/2984-81-0x00007FF7615F0000-0x00007FF761941000-memory.dmp	upx
behavioral2/memory/4228-135-0x00007FF7E9C80000-0x00007FF7E9FD1000-memory.dmp	upx
behavioral2/memory/4460-145-0x00007FF7A9F80000-0x00007FF7AA2D1000-memory.dmp	upx
behavioral2/memory/4696-147-0x00007FF79EAC0000-0x00007FF79EE11000-memory.dmp	upx
behavioral2/memory/1640-146-0x00007FF6A40B0000-0x00007FF6A4401000-memory.dmp	upx
behavioral2/memory/1108-144-0x00007FF6051A0000-0x00007FF6054F1000-memory.dmp	upx
behavioral2/memory/544-148-0x00007FF78D590000-0x00007FF78D8E1000-memory.dmp	upx
behavioral2/memory/4812-143-0x00007FF6AB270000-0x00007FF6AB5C1000-memory.dmp	upx
behavioral2/memory/4896-153-0x00007FF79FBD0000-0x00007FF79FF21000-memory.dmp	upx
behavioral2/memory/2172-156-0x00007FF631A20000-0x00007FF631D71000-memory.dmp	upx
behavioral2/memory/4688-154-0x00007FF6115E0000-0x00007FF611931000-memory.dmp	upx
behavioral2/memory/1956-151-0x00007FF7C7920000-0x00007FF7C7C71000-memory.dmp	upx
behavioral2/memory/3664-150-0x00007FF73E140000-0x00007FF73E491000-memory.dmp	upx
behavioral2/memory/3896-149-0x00007FF71C5D0000-0x00007FF71C921000-memory.dmp	upx
behavioral2/memory/2696-152-0x00007FF732290000-0x00007FF7325E1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\KSNmlmn.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wrAEOVH.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mVHqMCv.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sYscjRd.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fVSCLCc.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gtPGpSF.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OcYDFSv.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nnuvywx.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XAsDrxk.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bhHvRxE.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hHGIIZU.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NHFjKGG.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WEXquXl.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\izsxXCO.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bwAFgXQ.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YgFIUCd.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gLjyQhC.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OmWPHJA.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HTSMNeJ.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\poxdixc.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JUKhXST.exe	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 4928	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4228 wrote to memory of 4928	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4228 wrote to memory of 2856	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4228 wrote to memory of 2856	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4228 wrote to memory of 2984	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4228 wrote to memory of 2984	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4228 wrote to memory of 4852	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4228 wrote to memory of 4852	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4228 wrote to memory of 4832	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4228 wrote to memory of 4832	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4228 wrote to memory of 784	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4228 wrote to memory of 784	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4228 wrote to memory of 4004	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4228 wrote to memory of 4004	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4228 wrote to memory of 4812	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4228 wrote to memory of 4812	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4228 wrote to memory of 1108	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4228 wrote to memory of 1108	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4228 wrote to memory of 4460	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4228 wrote to memory of 4460	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4228 wrote to memory of 1640	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4228 wrote to memory of 1640	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4228 wrote to memory of 4696	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4228 wrote to memory of 4696	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4228 wrote to memory of 544	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4228 wrote to memory of 544	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4228 wrote to memory of 3896	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4228 wrote to memory of 3896	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4228 wrote to memory of 3664	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4228 wrote to memory of 3664	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4228 wrote to memory of 1956	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4228 wrote to memory of 1956	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4228 wrote to memory of 2696	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4228 wrote to memory of 2696	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4228 wrote to memory of 4896	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4228 wrote to memory of 4896	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4228 wrote to memory of 4688	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4228 wrote to memory of 4688	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4228 wrote to memory of 3608	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4228 wrote to memory of 3608	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4228 wrote to memory of 2172	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4228 wrote to memory of 2172	4228	2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_574b0618b2a739acaebddc226778e7b5_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\System\hHGIIZU.exe
  C:\Windows\System\hHGIIZU.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\OmWPHJA.exe
  C:\Windows\System\OmWPHJA.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\KSNmlmn.exe
  C:\Windows\System\KSNmlmn.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\HTSMNeJ.exe
  C:\Windows\System\HTSMNeJ.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\poxdixc.exe
  C:\Windows\System\poxdixc.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\wrAEOVH.exe
  C:\Windows\System\wrAEOVH.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System\mVHqMCv.exe
  C:\Windows\System\mVHqMCv.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\NHFjKGG.exe
  C:\Windows\System\NHFjKGG.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\JUKhXST.exe
  C:\Windows\System\JUKhXST.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\sYscjRd.exe
  C:\Windows\System\sYscjRd.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\WEXquXl.exe
  C:\Windows\System\WEXquXl.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\fVSCLCc.exe
  C:\Windows\System\fVSCLCc.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\nnuvywx.exe
  C:\Windows\System\nnuvywx.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System\gtPGpSF.exe
  C:\Windows\System\gtPGpSF.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System\izsxXCO.exe
  C:\Windows\System\izsxXCO.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\bwAFgXQ.exe
  C:\Windows\System\bwAFgXQ.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\YgFIUCd.exe
  C:\Windows\System\YgFIUCd.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\XAsDrxk.exe
  C:\Windows\System\XAsDrxk.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\bhHvRxE.exe
  C:\Windows\System\bhHvRxE.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\gLjyQhC.exe
  C:\Windows\System\gLjyQhC.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\OcYDFSv.exe
  C:\Windows\System\OcYDFSv.exe
  2⤵
  - Executes dropped EXE
  PID:2172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\HTSMNeJ.exe

Filesize
5.2MB

MD5
8c4bea136184a5c14793424310eaa97c

SHA1
c72d3a3a2fa412b02a5d650dc91cd68f58a4008d

SHA256
14af52c0e3e4a84e9ebe806aed6fd0304d4dc11d65d7b58ad2144eea23bec6f9

SHA512
108f6634ee1bfbc386b11c9bebfbcfe7648b024cdce7f32ffa9ad26db83a64bd8f9cf80c9bfb5f0fa64dc183a86b520809a2dcc53e750144fd99911dd6cdc97f

Download Submit
C:\Windows\System\JUKhXST.exe

Filesize
5.2MB

MD5
2c61fc8ca503eb7260cd3eb3568ca5d9

SHA1
44fd619294b2b773bd9fc7ff88c6cb84d27653ec

SHA256
e23e39c0f0700504e14ec077bc608c12ef858e423d5f0842498656e0d2781bc2

SHA512
ed6ec7df9e6a19967b356ac5d1a2c403a04f3ae9c083648b21015fced716adeda014edd15cc98bc6d76a5316a008adfd988a89da337c590846f37b152062da89

Download Submit
C:\Windows\System\KSNmlmn.exe

Filesize
5.2MB

MD5
084ee9b0da3c7fe525953549e0e61910

SHA1
3a139064cdb22b502c3642f8a0a8798c23650aa6

SHA256
7889f9844fab86e7aec5bdf1c4300d579fe55e5ddf57be285198ad4b70b4e0e7

SHA512
071be7b339194bc7959464fe00fb777ebb80c0b55ecbcadda6407cd7e7a8d884d9e8c37818b63f927ef3f2cfe00b23bd6794ee4ffb0f135e8eb5f66cc6a77599

Download Submit
C:\Windows\System\NHFjKGG.exe

Filesize
5.2MB

MD5
93a520661e24922166f179b5b5def007

SHA1
de8e8f13a899f2209fdd8231524085047fbc34da

SHA256
e2331385434772835f951f0edd11f2cfd7d8f08dccff7633b0ad64137a7044d8

SHA512
a850393f6464d0f8e794c1d557fa1ac907990883e1984234cb22845c28c422ae499b4fce0f3b006227a127d004e8be8471a5c0ea1eac95ce52f0303d2321ba94

Download Submit
C:\Windows\System\OcYDFSv.exe

Filesize
5.2MB

MD5
161318ad4072704940c9c7af01f6e9b9

SHA1
ebc1438b5e4d6f8262d0c6992a1aadf86a7b80dc

SHA256
ed4bf49e19e6402100556ec1e2cd92e851f681f3ff3fd0ca1408640dc03afbc9

SHA512
98eb8928ddf3835e39fc322fca57e55ab32cc13207ca13ba91133a3bd321e7005096be8d85e21a80d4cdbcfe89f938e17cef620814abd7df80ac873f6d82cdd7

Download Submit
C:\Windows\System\OmWPHJA.exe

Filesize
5.2MB

MD5
a6215b80cfd2598e3a8abc4d112e22f0

SHA1
35b0ce1e694a127b873434f8d966f7b29601ce8f

SHA256
8f24ac5854eccd9dd16eb8b3661a02d8ca8659dbd32f76b75e0603ca59f3c675

SHA512
f203d23eef12f3da3dfd6e0e3fca32b5f5138acf2b74175c58154e3ba51a86f77ee85ee6006bed6e4548e3497e278f782503fbb4ff097bdc0c5e8ae3d94d088c

Download Submit
C:\Windows\System\WEXquXl.exe

Filesize
5.2MB

MD5
5ddd4b707be7403fcf777d270ba13dd0

SHA1
8e703d9958d5b093ea34d8b6856eacfa0e109e90

SHA256
3389b012dfc8ad371a26a951f8b98ea05677cefd0cbc799b6511433b05f32a5f

SHA512
d6b6b2e8627bd61ca250f9bc6e4807498589f8979801c8d7dd679d7a4d38c31eb96687f32962edfb06df72d8deb6f68064736ef5c559b46e85ab834494e2c001

Download Submit
C:\Windows\System\XAsDrxk.exe

Filesize
5.2MB

MD5
2978986c07e75083276e17c9758ee601

SHA1
12eff8595d2e05d7881d5a5153b47b92a8e55589

SHA256
2bafe0d971e6c82c097c5ef81832ed79f8cad3fbfebf5a804c6432e8eda98f03

SHA512
54cff161cb9c209f0db57aabe34d4ebe7feca3caf1c0b6782ec6c1e4e9db7e846e52bf2b2d0379f6180a739b76216959c1110e283f8c1655a7dbab2106127006

Download Submit
C:\Windows\System\YgFIUCd.exe

Filesize
5.2MB

MD5
899213387c07114b667310819a98c16e

SHA1
9da704a09734bfe20792eccff98144a68d9f45a0

SHA256
704f525c66a8e2cb70437c2fcbe41968cfed2b7c8c9a3021e6bcab1b872f0707

SHA512
63b82c830e9160ea6bd93bf34da6cbf0ae7802dbc5d5275b11b859f296e0e8d767f54e7a8dc764d16113defe7024a615df7aec0dbd23520f0779d6dbdba4e637

Download Submit
C:\Windows\System\bhHvRxE.exe

Filesize
5.2MB

MD5
28abd9fc5891e8dcf2ec43e9f8fe9227

SHA1
fc5cb7a41737bef575cd957571b721754d7a773a

SHA256
3698c34f87fc880f5d3251649c6a9fa3c285becddcb2818bd5d3bba08cc2d60b

SHA512
07b6077466d8fe2c5ee80994cb6a312f9b337383fe7d66ef8ab65dd5640db39e50a9dbe24dc506c0c0347fb46e9d349ff83fefd2928df3c2616408d0753cee6f

Download Submit
C:\Windows\System\bwAFgXQ.exe

Filesize
5.2MB

MD5
4b6a326cf15b91178cbd62561e3e1c69

SHA1
ccb799a09f2eb8e86e1e2619b2db9522ea39f112

SHA256
6a992075de0aacb4edfbef9dfc2bac99ce5daf1961d3712d5b5a68d5f28f0e57

SHA512
49bd41dc8853cb47365574f8bdd548431d95f1456128af2adbede6e55ef368dd6d498b4d9cd5f0d2599e09817e4cf5176eba9c622312c55a9c9d72528b6cd2ae

Download Submit
C:\Windows\System\fVSCLCc.exe

Filesize
5.2MB

MD5
8be98ba4017626bcc752230472add86f

SHA1
3ee486afeeeec86838e5edf5622cfe3e6a21ba73

SHA256
ea63b9b7807a34f9c6fe19686c71beae4633a8536a7e0472b41edfd43e5bb926

SHA512
5faa413449be31fc279f31c67b192b051d4764776539bab8886b1d9c30e2b6ac77c6af6fb8a5231b90e6a55cc61c94842c192312836ba1fd71d84a6d91935612

Download Submit
C:\Windows\System\gLjyQhC.exe

Filesize
5.2MB

MD5
f34dd34892481b872fc39330b4c79f36

SHA1
c4401691173187f6b52838b37018d75674da4649

SHA256
cbec283411e85cfb451af8f9b3b78f6448a9cdf1101c36a87796d345b0dc0a97

SHA512
f796eb9760c2bc918e9efe556cec449d9294d181434a6cbd16743791b60f563a0ac9831cb3ff9c85282fa142e414bbea00773e6076e8661e99e6e3095086fe53

Download Submit
C:\Windows\System\gtPGpSF.exe

Filesize
5.2MB

MD5
170d487648e093490989336468a4a38f

SHA1
04f336e9abc482df1c40aa7eceabda57f73faada

SHA256
994dbc6793f1dded0b24e9a8709ac2c873850fd4b3754f38eda7bcc5850e1991

SHA512
b229adc55077d0ff28f5f2b394dbc293a4b84d91e935e40c56c248fb5dea47d787f69d46bad5b523ea2597f51ed4e6a2b1bf7173904ebb0420ebd161fb050770

Download Submit
C:\Windows\System\hHGIIZU.exe

Filesize
5.2MB

MD5
4630263ea1821bee4990a642df4a2684

SHA1
9f46bd9aa3e05ad85e89de47a407f765e6a7d891

SHA256
b3133ea74c039c2f533a8a697c65d128315331739a5e474f64014b112bf73428

SHA512
ab49b3ec85d69a4a058086e6f6297859b09dab4f5a2d172e0311c31b3607b11e6148229d58970b5c34900f2ad551896a1f474e51de923b3d2a497235d965e651

Download Submit
C:\Windows\System\izsxXCO.exe

Filesize
5.2MB

MD5
e3d7e09eb9c163a6813a0c073a11a1ac

SHA1
545f023fb1726f033c22334490ad20d4cc64ede1

SHA256
8e27e8aefd6c7bc7a8978e97228c9fb41e0a87a5328ecb3a092722303227fe5e

SHA512
f02f8a53fe4203b18ad3f10e687001ed6f47a00e76fdcd6445104a27d7f246cbac2e78333947d780e379f1cf6ebe47fe319fc99adbc024d01b0920a2447ab690

Download Submit
C:\Windows\System\mVHqMCv.exe

Filesize
5.2MB

MD5
ee60532470951cae1d30c5d66c55eed5

SHA1
6d62d869e95097084b5ac3f73689ad31c85a7a4d

SHA256
f71568ca3e306efa72354c2bffea8e11114fdfbd9ba28b3ff82188f8dd8a52ea

SHA512
780303c8064c931407df1bb92d6b2ad7823c1952262654c3487600095620004a53935648ae503cc59f595d997dfd62a5b6cb0dfd97d3673ac0e34679fba80886

Download Submit
C:\Windows\System\nnuvywx.exe

Filesize
5.2MB

MD5
46e898815330894d9ba19c87da6ca1a4

SHA1
02634964df6547416f20c569bfa112a0c16ad592

SHA256
7dd5a3de71e227212000ba073781ffa61a8009f439eed14a944d689310990cae

SHA512
d22f462691c8487639a2cf0ac3056db05e9480d643714d37c2d7f3f4e10294b03e7cedae333bfc695ddb74b274c744e10cf684499fad76d893986623f852af7c

Download Submit
C:\Windows\System\poxdixc.exe

Filesize
5.2MB

MD5
16506025d813031b376a2fc6978ec76c

SHA1
49fd7310e5abfa5c8f3512dc6d828b14a3d9736f

SHA256
ac6cbb3d8d4d56e3cd5c7f6d5c6853fef88f67a350ced3fd5e2f135a2134fea7

SHA512
05ee9af4831ae19205b1591437e023c26f745883cdcf97ece04e19f6053c41f588349f5e565d08378a365a750476fdf5bf59ceef572ae090833dda4ecb9b7b6d

Download Submit
C:\Windows\System\sYscjRd.exe

Filesize
5.2MB

MD5
44d5645016716e610d98d79b1100e3a2

SHA1
28be58db69605a46cfdf5521db077ce7e052a80c

SHA256
a3af8fd1bfc0bc5aaf3e345ab2a186b6fecd0e7bcf07856067312d92f8e8379e

SHA512
b5927e8ecc973aba07dd31570c8d31f43f1bd6c4e97a9353f87907c27e5a0e83f63cd271f5886e51bc3960e953b6a4e6f34912ba45ce234d5f33fc3c1c5beab6

Download Submit
C:\Windows\System\wrAEOVH.exe

Filesize
5.2MB

MD5
81643d2430142ab35b16ae8b15788f51

SHA1
f876e3b0785955ecec535c883f2d71fc5915ef05

SHA256
5ba303a784a68b79d91acab94d91d132e86c8dc7847d72c22ea4d18fff4fa930

SHA512
6da6ff77b840f10264183b926c0521ca426c93100d7054d19665edcc988651988822657f7f207566ba95e143ab0189c0bd3eb7f6e7f75df5a97f302adc8c6327

Download Submit
memory/544-86-0x00007FF78D590000-0x00007FF78D8E1000-memory.dmp

Filesize
3.3MB

Download
memory/544-148-0x00007FF78D590000-0x00007FF78D8E1000-memory.dmp

Filesize
3.3MB

Download
memory/544-247-0x00007FF78D590000-0x00007FF78D8E1000-memory.dmp

Filesize
3.3MB

Download
memory/784-224-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/784-118-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/784-41-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-144-0x00007FF6051A0000-0x00007FF6054F1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-63-0x00007FF6051A0000-0x00007FF6054F1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-238-0x00007FF6051A0000-0x00007FF6054F1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-235-0x00007FF6A40B0000-0x00007FF6A4401000-memory.dmp

Filesize
3.3MB

Download
memory/1640-146-0x00007FF6A40B0000-0x00007FF6A4401000-memory.dmp

Filesize
3.3MB

Download
memory/1640-70-0x00007FF6A40B0000-0x00007FF6A4401000-memory.dmp

Filesize
3.3MB

Download
memory/1956-251-0x00007FF7C7920000-0x00007FF7C7C71000-memory.dmp

Filesize
3.3MB

Download
memory/1956-100-0x00007FF7C7920000-0x00007FF7C7C71000-memory.dmp

Filesize
3.3MB

Download
memory/1956-151-0x00007FF7C7920000-0x00007FF7C7C71000-memory.dmp

Filesize
3.3MB

Download
memory/2172-132-0x00007FF631A20000-0x00007FF631D71000-memory.dmp

Filesize
3.3MB

Download
memory/2172-265-0x00007FF631A20000-0x00007FF631D71000-memory.dmp

Filesize
3.3MB

Download
memory/2172-156-0x00007FF631A20000-0x00007FF631D71000-memory.dmp

Filesize
3.3MB

Download
memory/2696-257-0x00007FF732290000-0x00007FF7325E1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-152-0x00007FF732290000-0x00007FF7325E1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-116-0x00007FF732290000-0x00007FF7325E1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-77-0x00007FF76F870000-0x00007FF76FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-17-0x00007FF76F870000-0x00007FF76FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-216-0x00007FF76F870000-0x00007FF76FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2984-218-0x00007FF7615F0000-0x00007FF761941000-memory.dmp

Filesize
3.3MB

Download
memory/2984-22-0x00007FF7615F0000-0x00007FF761941000-memory.dmp

Filesize
3.3MB

Download
memory/2984-81-0x00007FF7615F0000-0x00007FF761941000-memory.dmp

Filesize
3.3MB

Download
memory/3608-130-0x00007FF7275C0000-0x00007FF727911000-memory.dmp

Filesize
3.3MB

Download
memory/3608-259-0x00007FF7275C0000-0x00007FF727911000-memory.dmp

Filesize
3.3MB

Download
memory/3664-107-0x00007FF73E140000-0x00007FF73E491000-memory.dmp

Filesize
3.3MB

Download
memory/3664-255-0x00007FF73E140000-0x00007FF73E491000-memory.dmp

Filesize
3.3MB

Download
memory/3664-150-0x00007FF73E140000-0x00007FF73E491000-memory.dmp

Filesize
3.3MB

Download
memory/3896-249-0x00007FF71C5D0000-0x00007FF71C921000-memory.dmp

Filesize
3.3MB

Download
memory/3896-99-0x00007FF71C5D0000-0x00007FF71C921000-memory.dmp

Filesize
3.3MB

Download
memory/3896-149-0x00007FF71C5D0000-0x00007FF71C921000-memory.dmp

Filesize
3.3MB

Download
memory/4004-45-0x00007FF7B9C50000-0x00007FF7B9FA1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-131-0x00007FF7B9C50000-0x00007FF7B9FA1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-226-0x00007FF7B9C50000-0x00007FF7B9FA1000-memory.dmp

Filesize
3.3MB

Download
memory/4228-171-0x00007FF7E9C80000-0x00007FF7E9FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4228-1-0x0000021269DD0000-0x0000021269DE0000-memory.dmp

Filesize
64KB

Download
memory/4228-157-0x00007FF7E9C80000-0x00007FF7E9FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4228-0-0x00007FF7E9C80000-0x00007FF7E9FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4228-68-0x00007FF7E9C80000-0x00007FF7E9FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4228-135-0x00007FF7E9C80000-0x00007FF7E9FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-237-0x00007FF7A9F80000-0x00007FF7AA2D1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-145-0x00007FF7A9F80000-0x00007FF7AA2D1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-66-0x00007FF7A9F80000-0x00007FF7AA2D1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-263-0x00007FF6115E0000-0x00007FF611931000-memory.dmp

Filesize
3.3MB

Download
memory/4688-154-0x00007FF6115E0000-0x00007FF611931000-memory.dmp

Filesize
3.3MB

Download
memory/4688-129-0x00007FF6115E0000-0x00007FF611931000-memory.dmp

Filesize
3.3MB

Download
memory/4696-147-0x00007FF79EAC0000-0x00007FF79EE11000-memory.dmp

Filesize
3.3MB

Download
memory/4696-233-0x00007FF79EAC0000-0x00007FF79EE11000-memory.dmp

Filesize
3.3MB

Download
memory/4696-67-0x00007FF79EAC0000-0x00007FF79EE11000-memory.dmp

Filesize
3.3MB

Download
memory/4812-228-0x00007FF6AB270000-0x00007FF6AB5C1000-memory.dmp

Filesize
3.3MB

Download
memory/4812-143-0x00007FF6AB270000-0x00007FF6AB5C1000-memory.dmp

Filesize
3.3MB

Download
memory/4812-50-0x00007FF6AB270000-0x00007FF6AB5C1000-memory.dmp

Filesize
3.3MB

Download
memory/4832-34-0x00007FF6B1340000-0x00007FF6B1691000-memory.dmp

Filesize
3.3MB

Download
memory/4832-220-0x00007FF6B1340000-0x00007FF6B1691000-memory.dmp

Filesize
3.3MB

Download
memory/4852-222-0x00007FF70ACB0000-0x00007FF70B001000-memory.dmp

Filesize
3.3MB

Download
memory/4852-91-0x00007FF70ACB0000-0x00007FF70B001000-memory.dmp

Filesize
3.3MB

Download
memory/4852-28-0x00007FF70ACB0000-0x00007FF70B001000-memory.dmp

Filesize
3.3MB

Download
memory/4896-124-0x00007FF79FBD0000-0x00007FF79FF21000-memory.dmp

Filesize
3.3MB

Download
memory/4896-261-0x00007FF79FBD0000-0x00007FF79FF21000-memory.dmp

Filesize
3.3MB

Download
memory/4896-153-0x00007FF79FBD0000-0x00007FF79FF21000-memory.dmp

Filesize
3.3MB

Download
memory/4928-11-0x00007FF70D490000-0x00007FF70D7E1000-memory.dmp

Filesize
3.3MB

Download
memory/4928-69-0x00007FF70D490000-0x00007FF70D7E1000-memory.dmp

Filesize
3.3MB

Download
memory/4928-214-0x00007FF70D490000-0x00007FF70D7E1000-memory.dmp

Filesize
3.3MB

Download