cobaltstrike | 96f36ffd77540aaef0dd017c87ae44e5a52c7a61fe2d093859e81b5f5c87058a

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5d9b93d2265f1b7a2deac8a0448b97fc
SHA1

e446a3ed9b7a15b5573d90f8a7cc294f037c11cd
SHA256

96f36ffd77540aaef0dd017c87ae44e5a52c7a61fe2d093859e81b5f5c87058a
SHA512

8821c21b03dfe9cc44d77f05cfdc10a9834d8a0891568ae99b0a744d8f18e00dabe893cbfc222fe442a2a8aaeabf2f49aab04240dfa77f67e62aba87b5ad7d9a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lt:RWWBibf56utgpPFotBER/mQ32lUR

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b5b-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b5f-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b60-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b62-25.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b65-38.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b66-51.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6a-94.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6e-92.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b5c-98.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6c-96.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6d-91.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b69-85.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6b-84.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b67-75.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b68-67.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b64-53.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b63-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b61-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b71-124.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b70-118.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6f-115.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/208-68-0x00007FF61E720000-0x00007FF61EA71000-memory.dmp	xmrig
behavioral2/memory/3372-78-0x00007FF6DFFF0000-0x00007FF6E0341000-memory.dmp	xmrig
behavioral2/memory/1980-121-0x00007FF64E3B0000-0x00007FF64E701000-memory.dmp	xmrig
behavioral2/memory/2688-127-0x00007FF744600000-0x00007FF744951000-memory.dmp	xmrig
behavioral2/memory/1904-126-0x00007FF689390000-0x00007FF6896E1000-memory.dmp	xmrig
behavioral2/memory/1976-123-0x00007FF6A6000000-0x00007FF6A6351000-memory.dmp	xmrig
behavioral2/memory/3408-122-0x00007FF7A2D80000-0x00007FF7A30D1000-memory.dmp	xmrig
behavioral2/memory/4836-120-0x00007FF69ED00000-0x00007FF69F051000-memory.dmp	xmrig
behavioral2/memory/3640-113-0x00007FF664BF0000-0x00007FF664F41000-memory.dmp	xmrig
behavioral2/memory/4068-110-0x00007FF6571F0000-0x00007FF657541000-memory.dmp	xmrig
behavioral2/memory/3948-128-0x00007FF6EC820000-0x00007FF6ECB71000-memory.dmp	xmrig
behavioral2/memory/3948-129-0x00007FF6EC820000-0x00007FF6ECB71000-memory.dmp	xmrig
behavioral2/memory/3760-133-0x00007FF786990000-0x00007FF786CE1000-memory.dmp	xmrig
behavioral2/memory/4568-134-0x00007FF62DB70000-0x00007FF62DEC1000-memory.dmp	xmrig
behavioral2/memory/2684-131-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp	xmrig
behavioral2/memory/2744-139-0x00007FF645340000-0x00007FF645691000-memory.dmp	xmrig
behavioral2/memory/1616-140-0x00007FF686A60000-0x00007FF686DB1000-memory.dmp	xmrig
behavioral2/memory/4684-146-0x00007FF61A910000-0x00007FF61AC61000-memory.dmp	xmrig
behavioral2/memory/3768-150-0x00007FF7F7DA0000-0x00007FF7F80F1000-memory.dmp	xmrig
behavioral2/memory/4580-137-0x00007FF65B380000-0x00007FF65B6D1000-memory.dmp	xmrig
behavioral2/memory/4868-136-0x00007FF77B650000-0x00007FF77B9A1000-memory.dmp	xmrig
behavioral2/memory/1056-145-0x00007FF746230000-0x00007FF746581000-memory.dmp	xmrig
behavioral2/memory/4832-135-0x00007FF7BCC80000-0x00007FF7BCFD1000-memory.dmp	xmrig
behavioral2/memory/3948-153-0x00007FF6EC820000-0x00007FF6ECB71000-memory.dmp	xmrig
behavioral2/memory/3760-214-0x00007FF786990000-0x00007FF786CE1000-memory.dmp	xmrig
behavioral2/memory/2684-216-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp	xmrig
behavioral2/memory/4568-218-0x00007FF62DB70000-0x00007FF62DEC1000-memory.dmp	xmrig
behavioral2/memory/4832-220-0x00007FF7BCC80000-0x00007FF7BCFD1000-memory.dmp	xmrig
behavioral2/memory/4868-222-0x00007FF77B650000-0x00007FF77B9A1000-memory.dmp	xmrig
behavioral2/memory/4580-224-0x00007FF65B380000-0x00007FF65B6D1000-memory.dmp	xmrig
behavioral2/memory/2744-228-0x00007FF645340000-0x00007FF645691000-memory.dmp	xmrig
behavioral2/memory/208-227-0x00007FF61E720000-0x00007FF61EA71000-memory.dmp	xmrig
behavioral2/memory/4836-237-0x00007FF69ED00000-0x00007FF69F051000-memory.dmp	xmrig
behavioral2/memory/3372-238-0x00007FF6DFFF0000-0x00007FF6E0341000-memory.dmp	xmrig
behavioral2/memory/1616-240-0x00007FF686A60000-0x00007FF686DB1000-memory.dmp	xmrig
behavioral2/memory/1056-243-0x00007FF746230000-0x00007FF746581000-memory.dmp	xmrig
behavioral2/memory/1980-244-0x00007FF64E3B0000-0x00007FF64E701000-memory.dmp	xmrig
behavioral2/memory/4684-248-0x00007FF61A910000-0x00007FF61AC61000-memory.dmp	xmrig
behavioral2/memory/3408-250-0x00007FF7A2D80000-0x00007FF7A30D1000-memory.dmp	xmrig
behavioral2/memory/4068-247-0x00007FF6571F0000-0x00007FF657541000-memory.dmp	xmrig
behavioral2/memory/3640-257-0x00007FF664BF0000-0x00007FF664F41000-memory.dmp	xmrig
behavioral2/memory/3768-260-0x00007FF7F7DA0000-0x00007FF7F80F1000-memory.dmp	xmrig
behavioral2/memory/1904-258-0x00007FF689390000-0x00007FF6896E1000-memory.dmp	xmrig
behavioral2/memory/2688-255-0x00007FF744600000-0x00007FF744951000-memory.dmp	xmrig
behavioral2/memory/1976-253-0x00007FF6A6000000-0x00007FF6A6351000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3760	LdbCkgk.exe
2684	MqchaNK.exe
4568	bkcdZJe.exe
4832	NeHckse.exe
4868	EXmqkxv.exe
4580	RfnOtEC.exe
2744	ZKdfyTq.exe
208	kwpmAOs.exe
1616	mkscdKb.exe
4836	nxZawTi.exe
3372	loBGlTQ.exe
1980	ixBvFwI.exe
1056	fMWDdMc.exe
3408	DOhZNMJ.exe
4684	aXwxEWc.exe
4068	fNUvFXJ.exe
1976	EcRrRxY.exe
3640	zIGtxuD.exe
3768	XKKNhlb.exe
1904	HFZcZTv.exe
2688	UyEBTgE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3948-0-0x00007FF6EC820000-0x00007FF6ECB71000-memory.dmp	upx
behavioral2/files/0x000b000000023b5b-4.dat	upx
behavioral2/files/0x000a000000023b5f-10.dat	upx
behavioral2/files/0x000a000000023b60-23.dat	upx
behavioral2/files/0x000a000000023b62-25.dat	upx
behavioral2/files/0x000a000000023b65-38.dat	upx
behavioral2/files/0x000a000000023b66-51.dat	upx
behavioral2/memory/208-68-0x00007FF61E720000-0x00007FF61EA71000-memory.dmp	upx
behavioral2/files/0x000a000000023b6a-94.dat	upx
behavioral2/files/0x000a000000023b6e-92.dat	upx
behavioral2/memory/4684-102-0x00007FF61A910000-0x00007FF61AC61000-memory.dmp	upx
behavioral2/files/0x000b000000023b5c-98.dat	upx
behavioral2/files/0x000a000000023b6c-96.dat	upx
behavioral2/files/0x000a000000023b6d-91.dat	upx
behavioral2/memory/1056-90-0x00007FF746230000-0x00007FF746581000-memory.dmp	upx
behavioral2/files/0x000a000000023b69-85.dat	upx
behavioral2/files/0x000a000000023b6b-84.dat	upx
behavioral2/memory/3372-78-0x00007FF6DFFF0000-0x00007FF6E0341000-memory.dmp	upx
behavioral2/files/0x000a000000023b67-75.dat	upx
behavioral2/files/0x000a000000023b68-67.dat	upx
behavioral2/files/0x000a000000023b64-53.dat	upx
behavioral2/memory/2744-63-0x00007FF645340000-0x00007FF645691000-memory.dmp	upx
behavioral2/memory/1616-52-0x00007FF686A60000-0x00007FF686DB1000-memory.dmp	upx
behavioral2/memory/4580-42-0x00007FF65B380000-0x00007FF65B6D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b63-47.dat	upx
behavioral2/files/0x000a000000023b61-35.dat	upx
behavioral2/memory/4832-34-0x00007FF7BCC80000-0x00007FF7BCFD1000-memory.dmp	upx
behavioral2/memory/4868-32-0x00007FF77B650000-0x00007FF77B9A1000-memory.dmp	upx
behavioral2/memory/4568-26-0x00007FF62DB70000-0x00007FF62DEC1000-memory.dmp	upx
behavioral2/memory/2684-18-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp	upx
behavioral2/memory/3760-7-0x00007FF786990000-0x00007FF786CE1000-memory.dmp	upx
behavioral2/memory/3768-114-0x00007FF7F7DA0000-0x00007FF7F80F1000-memory.dmp	upx
behavioral2/memory/1980-121-0x00007FF64E3B0000-0x00007FF64E701000-memory.dmp	upx
behavioral2/memory/2688-127-0x00007FF744600000-0x00007FF744951000-memory.dmp	upx
behavioral2/memory/1904-126-0x00007FF689390000-0x00007FF6896E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b71-124.dat	upx
behavioral2/memory/1976-123-0x00007FF6A6000000-0x00007FF6A6351000-memory.dmp	upx
behavioral2/memory/3408-122-0x00007FF7A2D80000-0x00007FF7A30D1000-memory.dmp	upx
behavioral2/memory/4836-120-0x00007FF69ED00000-0x00007FF69F051000-memory.dmp	upx
behavioral2/files/0x000a000000023b70-118.dat	upx
behavioral2/files/0x000a000000023b6f-115.dat	upx
behavioral2/memory/3640-113-0x00007FF664BF0000-0x00007FF664F41000-memory.dmp	upx
behavioral2/memory/4068-110-0x00007FF6571F0000-0x00007FF657541000-memory.dmp	upx
behavioral2/memory/3948-128-0x00007FF6EC820000-0x00007FF6ECB71000-memory.dmp	upx
behavioral2/memory/3948-129-0x00007FF6EC820000-0x00007FF6ECB71000-memory.dmp	upx
behavioral2/memory/3760-133-0x00007FF786990000-0x00007FF786CE1000-memory.dmp	upx
behavioral2/memory/4568-134-0x00007FF62DB70000-0x00007FF62DEC1000-memory.dmp	upx
behavioral2/memory/2684-131-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp	upx
behavioral2/memory/2744-139-0x00007FF645340000-0x00007FF645691000-memory.dmp	upx
behavioral2/memory/1616-140-0x00007FF686A60000-0x00007FF686DB1000-memory.dmp	upx
behavioral2/memory/4684-146-0x00007FF61A910000-0x00007FF61AC61000-memory.dmp	upx
behavioral2/memory/3768-150-0x00007FF7F7DA0000-0x00007FF7F80F1000-memory.dmp	upx
behavioral2/memory/4580-137-0x00007FF65B380000-0x00007FF65B6D1000-memory.dmp	upx
behavioral2/memory/4868-136-0x00007FF77B650000-0x00007FF77B9A1000-memory.dmp	upx
behavioral2/memory/1056-145-0x00007FF746230000-0x00007FF746581000-memory.dmp	upx
behavioral2/memory/4832-135-0x00007FF7BCC80000-0x00007FF7BCFD1000-memory.dmp	upx
behavioral2/memory/3948-153-0x00007FF6EC820000-0x00007FF6ECB71000-memory.dmp	upx
behavioral2/memory/3760-214-0x00007FF786990000-0x00007FF786CE1000-memory.dmp	upx
behavioral2/memory/2684-216-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp	upx
behavioral2/memory/4568-218-0x00007FF62DB70000-0x00007FF62DEC1000-memory.dmp	upx
behavioral2/memory/4832-220-0x00007FF7BCC80000-0x00007FF7BCFD1000-memory.dmp	upx
behavioral2/memory/4868-222-0x00007FF77B650000-0x00007FF77B9A1000-memory.dmp	upx
behavioral2/memory/4580-224-0x00007FF65B380000-0x00007FF65B6D1000-memory.dmp	upx
behavioral2/memory/2744-228-0x00007FF645340000-0x00007FF645691000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\HFZcZTv.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MqchaNK.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bkcdZJe.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ixBvFwI.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fNUvFXJ.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EcRrRxY.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zIGtxuD.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UyEBTgE.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RfnOtEC.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kwpmAOs.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZKdfyTq.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\loBGlTQ.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aXwxEWc.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LdbCkgk.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NeHckse.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DOhZNMJ.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fMWDdMc.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XKKNhlb.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EXmqkxv.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mkscdKb.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nxZawTi.exe	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 3760	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3948 wrote to memory of 3760	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3948 wrote to memory of 2684	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3948 wrote to memory of 2684	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3948 wrote to memory of 4568	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3948 wrote to memory of 4568	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3948 wrote to memory of 4832	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3948 wrote to memory of 4832	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3948 wrote to memory of 4868	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3948 wrote to memory of 4868	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3948 wrote to memory of 4580	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3948 wrote to memory of 4580	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3948 wrote to memory of 208	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3948 wrote to memory of 208	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3948 wrote to memory of 2744	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3948 wrote to memory of 2744	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3948 wrote to memory of 1616	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3948 wrote to memory of 1616	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3948 wrote to memory of 4836	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3948 wrote to memory of 4836	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3948 wrote to memory of 3372	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3948 wrote to memory of 3372	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3948 wrote to memory of 1980	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3948 wrote to memory of 1980	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3948 wrote to memory of 3408	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3948 wrote to memory of 3408	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3948 wrote to memory of 1056	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3948 wrote to memory of 1056	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3948 wrote to memory of 4684	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3948 wrote to memory of 4684	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3948 wrote to memory of 4068	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3948 wrote to memory of 4068	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3948 wrote to memory of 1976	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3948 wrote to memory of 1976	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3948 wrote to memory of 3640	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3948 wrote to memory of 3640	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3948 wrote to memory of 3768	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3948 wrote to memory of 3768	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3948 wrote to memory of 1904	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3948 wrote to memory of 1904	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3948 wrote to memory of 2688	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3948 wrote to memory of 2688	3948	2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_5d9b93d2265f1b7a2deac8a0448b97fc_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\System\LdbCkgk.exe
  C:\Windows\System\LdbCkgk.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System\MqchaNK.exe
  C:\Windows\System\MqchaNK.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\bkcdZJe.exe
  C:\Windows\System\bkcdZJe.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\NeHckse.exe
  C:\Windows\System\NeHckse.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\EXmqkxv.exe
  C:\Windows\System\EXmqkxv.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\RfnOtEC.exe
  C:\Windows\System\RfnOtEC.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\kwpmAOs.exe
  C:\Windows\System\kwpmAOs.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\ZKdfyTq.exe
  C:\Windows\System\ZKdfyTq.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\mkscdKb.exe
  C:\Windows\System\mkscdKb.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\nxZawTi.exe
  C:\Windows\System\nxZawTi.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\loBGlTQ.exe
  C:\Windows\System\loBGlTQ.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System\ixBvFwI.exe
  C:\Windows\System\ixBvFwI.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\DOhZNMJ.exe
  C:\Windows\System\DOhZNMJ.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\fMWDdMc.exe
  C:\Windows\System\fMWDdMc.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\aXwxEWc.exe
  C:\Windows\System\aXwxEWc.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\fNUvFXJ.exe
  C:\Windows\System\fNUvFXJ.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\EcRrRxY.exe
  C:\Windows\System\EcRrRxY.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\zIGtxuD.exe
  C:\Windows\System\zIGtxuD.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\XKKNhlb.exe
  C:\Windows\System\XKKNhlb.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System\HFZcZTv.exe
  C:\Windows\System\HFZcZTv.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\UyEBTgE.exe
  C:\Windows\System\UyEBTgE.exe
  2⤵
  - Executes dropped EXE
  PID:2688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DOhZNMJ.exe

Filesize
5.2MB

MD5
5f0ee2437ee54dfc65f123f45595a1ad

SHA1
5db47d21a02a32b18fe52ebefe74d7420e2a15fa

SHA256
dfc47236a0ed160ee0a645fded16f158bba5c1d1c0759b8038312669bb158b4e

SHA512
ce3cdc46ef8c8f4fe2dafb00adce58b709635ffdca9f1cac3e7d6978a8f02a415d835e00a86d9bd48c87ceedaf48a6e84b06c0d67c0360d1c6fda83c9f60d45e

Download Submit
C:\Windows\System\EXmqkxv.exe

Filesize
5.2MB

MD5
e03b75996ddc4a4e18686a376fbe031c

SHA1
4a5e6cc9fa516d77928bd065bee659e8a954172d

SHA256
bfc8ed572a1251f6872f3254a185390fdd59f63f489f0af0b3d752e8fbe1733e

SHA512
beb975565621114a6eb48f54ac4b366428e1db17cbfdd8683fe3ed45cdc1447c50f7e747effe53b684809393aa2dee39edb7cefba2a870d31d01bb2f52da71fe

Download Submit
C:\Windows\System\EcRrRxY.exe

Filesize
5.2MB

MD5
d58d3d7043d5da6b883bab9dbba21aed

SHA1
cd236e852fb20004d1b7760bc76b67f0e37669d5

SHA256
318009fa83158ce1bd620d3c06fc8aa71bbbbaf3603c85bd09258c12f79e5160

SHA512
1aa212466723514c2e9b7253e17616191a2976a1798240935de2a8e6de4561d275b888c46daf0a73d1b3fdb72dfe80a716bef459243a66a27a12073dd2f55268

Download Submit
C:\Windows\System\HFZcZTv.exe

Filesize
5.2MB

MD5
0cdb5f5a9939a11ca08023408bafc870

SHA1
62c65a061d1ff5be541374a51d252529b011c657

SHA256
0b429e15fc3f8d9b001328d0a693ae9581aa18e005acdb44aff360714413e96f

SHA512
e54c59dbc20c2a770b6a85574c59123b54fbceb07cce01d98f7d9ff9ebfabe72708823f2172dd886fc6b5cc55c4da72cbd3fba78da89963af06bb52a3e249b05

Download Submit
C:\Windows\System\LdbCkgk.exe

Filesize
5.2MB

MD5
c2e96b1a8a86844c872fe5ad69de4ddd

SHA1
194d9ef5ea925bd3dd0c0e4e5fcba4fe3c9f2562

SHA256
688cb3975be2df52f818fb3a87ed3414afd4eb4248642b882c787efbdbc22e33

SHA512
72ddbd82866a5a46bf702163ab35b71d10a28836efb823a1176a79792796954e6e3e4a6fec1081d1f20a7d011e6d48a47f298f29106d3be917776fd57c827d01

Download Submit
C:\Windows\System\MqchaNK.exe

Filesize
5.2MB

MD5
6893121c075632f8ff9e45cf55143a5d

SHA1
15c99e9cdbe632c8b770a3327314ba197266f6d0

SHA256
4b35f52a03c4548bbfb2c0be799ce6c16c0005e0ef476f374e5e05e0fc82b08e

SHA512
4fae20a49781b7d3ef0aee8a3c0f57626535e6d6843d924e5ccf40e3e301fe91b40794d07a0652d75e5f1fef365e3688c758e488a6977c675a081ee2d4d197fc

Download Submit
C:\Windows\System\NeHckse.exe

Filesize
5.2MB

MD5
64a448c3f32c5dbdbb046bdfea20d345

SHA1
5590c20c97bbd45b67a115d41214b505c94eb93b

SHA256
087f75ca23c612d891bd77ee0d85676c6dd941181d1fce6ed0dc4757084f864a

SHA512
8a532e343526363833edeb80392f5f7cf26e4e8eca3eafc023378dbbd7c06902cf2369f87112ccc4570a0c851536f6648d1671d329eb4567f8a2a24762c267f7

Download Submit
C:\Windows\System\RfnOtEC.exe

Filesize
5.2MB

MD5
a6b8af922ee4eb63b0a302d2f612511c

SHA1
e3a490793baa21cff0c26c669ac5ba56fc412123

SHA256
a950acddb24ca707eba247ca93987f7a63f01c7d4c12c5c658a96429951c5930

SHA512
8fe18d3bd50d643593b6787be53b07171586869fe62edb7e83374b37f6b6a63aef8b808708e41d01ccad184d1858a323a1766289652515b1d5fb69df6e763031

Download Submit
C:\Windows\System\UyEBTgE.exe

Filesize
5.2MB

MD5
405a3157166f920f6f6aff3ac59a701b

SHA1
3f01f452871143c657bd98301c247f70fbee2231

SHA256
c74e1eb4ff09428f6b65622ee056d143591f9593cb7b3ff3aeb7c698eee0ba68

SHA512
f1a8dbd41f66a28450979664587faec7f287d4af8a62366a42d80a994d9dcc0cccc82f68d8ce5cf02067b26008d4083c3f6a5053404bd1794e6c6b2a735eb507

Download Submit
C:\Windows\System\XKKNhlb.exe

Filesize
5.2MB

MD5
05b62f52a10ea743b38e57f955af141d

SHA1
90359c1728fefe701b81ad90e2957cb337f6b808

SHA256
323fa89b7caf67b3e4f9f75d0af9070a4131e1233b498392dae66d5669d32973

SHA512
7991b21dcad9a37e6d664377e012ff0422c3095e5fea6b6ede40bc621d46f5da12d332d13bd228b2109ceae2b6d3c646ddff787a69f805cde76e1867d537003c

Download Submit
C:\Windows\System\ZKdfyTq.exe

Filesize
5.2MB

MD5
3a4dea77a574349625eeeb3c93a65982

SHA1
2bf5e26c21a22136d3956f290d0ceb3a920d4787

SHA256
ac9e1cdced784bc3819ada8e4b85e55bd0bb0469b24ce73e52c3ff0387102c16

SHA512
a2e864869f501916dceeebc169b4c1827a86719099d1f11c10696b782f24d260b24312da0863e62de24341c6013247569b577ed4b100cff38324580dbfc11eca

Download Submit
C:\Windows\System\aXwxEWc.exe

Filesize
5.2MB

MD5
3e8bd91169418d2d643525b5a9211f9a

SHA1
cd98482ebc7ec2554cc3ce481c2d0b486768f2c6

SHA256
4dedf4f76fe1b52adc844d9708a49fe913d61b8fd398b0245b0d402f030e45bc

SHA512
e00fe370ee8e09165d2a051d44f5541981ccf4e8d88bd58fac6c440dd38bc91d9a3996d7c2eea6d959e02e2b17041dcfca4415d93734058fb127e2cb9983c570

Download Submit
C:\Windows\System\bkcdZJe.exe

Filesize
5.2MB

MD5
076a4c74b2aa50d111d2ffa5d046e885

SHA1
baf9c0d7c648881a068f427ee5daa50404742ed9

SHA256
c53b42e716769e75a394c3ae512456fe01a6e4e506fa89c271a7ced764920e97

SHA512
540eae62fd7b37bd4e42a301020ffd7177f0eb32794056cb7c934c72dbb05d54b49ccf7a3bca8556cc92e42fc0cd50cdbb4d1860db1239acbfa8e9b7dadec4db

Download Submit
C:\Windows\System\fMWDdMc.exe

Filesize
5.2MB

MD5
53e8afe5e4eec1f1cefd200d5362e027

SHA1
a7f615643300b36ef59c60508f7c9555f77232c0

SHA256
89247538b68063e139bf9ad73f74be6fda4c5560a3054bda9aa4347112588722

SHA512
a875c2168fcaf77076c5751137ddd4d7a88ac14a25ebea859eb5482ab37f7cab097634f7ab7ced53c12bfa3aaec3c322dff3f6103a765f5e42c5c6ceb3b74077

Download Submit
C:\Windows\System\fNUvFXJ.exe

Filesize
5.2MB

MD5
58b2043a6a660841762f6c4d5230d6d6

SHA1
d6c47b537afefc649a2613ecd15b073b708f68bc

SHA256
480dba9a45d6702b408ab2cb4b478ae4e4e716e4afb4f16a91b571fa88b6e917

SHA512
d1a3f9bc2620119e5b1c34a9725d2d9dcec1393c06bedb6c80a9d2d2e7cc735d5ae0cc679953228fa7aac534af4defd0594cffbe45428f6be219ee5e4adac850

Download Submit
C:\Windows\System\ixBvFwI.exe

Filesize
5.2MB

MD5
cdcc83c478857714ebb3aca71313c5b1

SHA1
469e091c941f1910f6de93a4225b2b6b941b9a4a

SHA256
56bec235fbbe369a3498eb74c0c2caa9f92896216b8a87b1bd559116474a281a

SHA512
38832407c2a64dedc05d0c9f3746adab4589b35359953a7610c68a357ed6e25555e09106e1002223bd3b9c22668a0742cc9fecf6892b3605cd86da5893718dec

Download Submit
C:\Windows\System\kwpmAOs.exe

Filesize
5.2MB

MD5
1d222733ddbf6285430519f52ef84351

SHA1
f18f12fb387fc7dd67148674223225965c96fb04

SHA256
f1fa9bb748aed60e27c8a310fd7f93d6a8e3cb935d5e10446cddf959bc21964c

SHA512
cf2bf03cc858d73979a80f4cf81b3dd584e2095b944357e2e59018c6dd5a5ec8d62d7fda49d2b555756ba28ca30f5cd8859b4361ef1101f07a22fe3c32e9a5f5

Download Submit
C:\Windows\System\loBGlTQ.exe

Filesize
5.2MB

MD5
9d27d581aa5685094e7a8240c5fd2f3d

SHA1
f2aabcecaeb381fa2cf778f58b6882b04528c238

SHA256
5e3b4bf021e68e0408eb8a0fb266e4f8643a5fb5121f7fb7a2915488b3ccc5b0

SHA512
780a704a2b21587168490914327af24381bf8e03c60448a00e72ced8c083e8f8b2093afabaec34918dded586114068a6b4826e0af5ed3817d108a7e2b98827bd

Download Submit
C:\Windows\System\mkscdKb.exe

Filesize
5.2MB

MD5
a342869035ac40c40cf8e9063487dc2c

SHA1
ff041b8448a0cc53a96b4a85ffff214131c1ab98

SHA256
8ecd62d9f4b1132162e46103ae9b2a8c19954cc2c2d9f3f67d88e89076366044

SHA512
3ee6ac283abc502204ab62ddb6a4a51a4ad08605c5e5e4f604afd26c406a1e21eea77c79a9f467a97ba1355f722ba3e02fcabb7feb378cbb14e37fcde43864cd

Download Submit
C:\Windows\System\nxZawTi.exe

Filesize
5.2MB

MD5
cbc1751a28c494e92b3c5be6943b9056

SHA1
44a60904b606d9ab316b542440eaefca6a9ab5dd

SHA256
d61e787ec5cbcd184836183e1d5587ce464f88ecd7dd9bc6f2e83df007924077

SHA512
3e33b4759a2df01314a729f46bd10952c1dda31bb59449686cde5df42b1ccff49db4d6a7d4e281a03844ebc8963b9dec661e2fe59c00fc58c28536b76aff0308

Download Submit
C:\Windows\System\zIGtxuD.exe

Filesize
5.2MB

MD5
ce22a7fc37b84e3d6d77e04d278ccaef

SHA1
89baa790557870c802f56b6c1e461633f94d0796

SHA256
99f4b929f8244006acf2cee684c0ad18f4dd68a3d6e85363780bb7d5b800b6ba

SHA512
e48a472ac2c33fc61249380552209c7a1c4017ff34ff88d76e812447b2effdf925d1c137744c0bd5925189b7dc00937d279735926981d1ad2c8e0d401f20fc7b

Download Submit
memory/208-227-0x00007FF61E720000-0x00007FF61EA71000-memory.dmp

Filesize
3.3MB

Download
memory/208-68-0x00007FF61E720000-0x00007FF61EA71000-memory.dmp

Filesize
3.3MB

Download
memory/1056-90-0x00007FF746230000-0x00007FF746581000-memory.dmp

Filesize
3.3MB

Download
memory/1056-145-0x00007FF746230000-0x00007FF746581000-memory.dmp

Filesize
3.3MB

Download
memory/1056-243-0x00007FF746230000-0x00007FF746581000-memory.dmp

Filesize
3.3MB

Download
memory/1616-140-0x00007FF686A60000-0x00007FF686DB1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-240-0x00007FF686A60000-0x00007FF686DB1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-52-0x00007FF686A60000-0x00007FF686DB1000-memory.dmp

Filesize
3.3MB

Download
memory/1904-258-0x00007FF689390000-0x00007FF6896E1000-memory.dmp

Filesize
3.3MB

Download
memory/1904-126-0x00007FF689390000-0x00007FF6896E1000-memory.dmp

Filesize
3.3MB

Download
memory/1976-253-0x00007FF6A6000000-0x00007FF6A6351000-memory.dmp

Filesize
3.3MB

Download
memory/1976-123-0x00007FF6A6000000-0x00007FF6A6351000-memory.dmp

Filesize
3.3MB

Download
memory/1980-244-0x00007FF64E3B0000-0x00007FF64E701000-memory.dmp

Filesize
3.3MB

Download
memory/1980-121-0x00007FF64E3B0000-0x00007FF64E701000-memory.dmp

Filesize
3.3MB

Download
memory/2684-18-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp

Filesize
3.3MB

Download
memory/2684-216-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp

Filesize
3.3MB

Download
memory/2684-131-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp

Filesize
3.3MB

Download
memory/2688-255-0x00007FF744600000-0x00007FF744951000-memory.dmp

Filesize
3.3MB

Download
memory/2688-127-0x00007FF744600000-0x00007FF744951000-memory.dmp

Filesize
3.3MB

Download
memory/2744-228-0x00007FF645340000-0x00007FF645691000-memory.dmp

Filesize
3.3MB

Download
memory/2744-63-0x00007FF645340000-0x00007FF645691000-memory.dmp

Filesize
3.3MB

Download
memory/2744-139-0x00007FF645340000-0x00007FF645691000-memory.dmp

Filesize
3.3MB

Download
memory/3372-238-0x00007FF6DFFF0000-0x00007FF6E0341000-memory.dmp

Filesize
3.3MB

Download
memory/3372-78-0x00007FF6DFFF0000-0x00007FF6E0341000-memory.dmp

Filesize
3.3MB

Download
memory/3408-122-0x00007FF7A2D80000-0x00007FF7A30D1000-memory.dmp

Filesize
3.3MB

Download
memory/3408-250-0x00007FF7A2D80000-0x00007FF7A30D1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-257-0x00007FF664BF0000-0x00007FF664F41000-memory.dmp

Filesize
3.3MB

Download
memory/3640-113-0x00007FF664BF0000-0x00007FF664F41000-memory.dmp

Filesize
3.3MB

Download
memory/3760-214-0x00007FF786990000-0x00007FF786CE1000-memory.dmp

Filesize
3.3MB

Download
memory/3760-7-0x00007FF786990000-0x00007FF786CE1000-memory.dmp

Filesize
3.3MB

Download
memory/3760-133-0x00007FF786990000-0x00007FF786CE1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-260-0x00007FF7F7DA0000-0x00007FF7F80F1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-150-0x00007FF7F7DA0000-0x00007FF7F80F1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-114-0x00007FF7F7DA0000-0x00007FF7F80F1000-memory.dmp

Filesize
3.3MB

Download
memory/3948-128-0x00007FF6EC820000-0x00007FF6ECB71000-memory.dmp

Filesize
3.3MB

Download
memory/3948-129-0x00007FF6EC820000-0x00007FF6ECB71000-memory.dmp

Filesize
3.3MB

Download
memory/3948-0-0x00007FF6EC820000-0x00007FF6ECB71000-memory.dmp

Filesize
3.3MB

Download
memory/3948-153-0x00007FF6EC820000-0x00007FF6ECB71000-memory.dmp

Filesize
3.3MB

Download
memory/3948-1-0x000002CD41420000-0x000002CD41430000-memory.dmp

Filesize
64KB

Download
memory/4068-247-0x00007FF6571F0000-0x00007FF657541000-memory.dmp

Filesize
3.3MB

Download
memory/4068-110-0x00007FF6571F0000-0x00007FF657541000-memory.dmp

Filesize
3.3MB

Download
memory/4568-26-0x00007FF62DB70000-0x00007FF62DEC1000-memory.dmp

Filesize
3.3MB

Download
memory/4568-134-0x00007FF62DB70000-0x00007FF62DEC1000-memory.dmp

Filesize
3.3MB

Download
memory/4568-218-0x00007FF62DB70000-0x00007FF62DEC1000-memory.dmp

Filesize
3.3MB

Download
memory/4580-137-0x00007FF65B380000-0x00007FF65B6D1000-memory.dmp

Filesize
3.3MB

Download
memory/4580-224-0x00007FF65B380000-0x00007FF65B6D1000-memory.dmp

Filesize
3.3MB

Download
memory/4580-42-0x00007FF65B380000-0x00007FF65B6D1000-memory.dmp

Filesize
3.3MB

Download
memory/4684-102-0x00007FF61A910000-0x00007FF61AC61000-memory.dmp

Filesize
3.3MB

Download
memory/4684-248-0x00007FF61A910000-0x00007FF61AC61000-memory.dmp

Filesize
3.3MB

Download
memory/4684-146-0x00007FF61A910000-0x00007FF61AC61000-memory.dmp

Filesize
3.3MB

Download
memory/4832-220-0x00007FF7BCC80000-0x00007FF7BCFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4832-34-0x00007FF7BCC80000-0x00007FF7BCFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4832-135-0x00007FF7BCC80000-0x00007FF7BCFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-237-0x00007FF69ED00000-0x00007FF69F051000-memory.dmp

Filesize
3.3MB

Download
memory/4836-120-0x00007FF69ED00000-0x00007FF69F051000-memory.dmp

Filesize
3.3MB

Download
memory/4868-136-0x00007FF77B650000-0x00007FF77B9A1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-32-0x00007FF77B650000-0x00007FF77B9A1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-222-0x00007FF77B650000-0x00007FF77B9A1000-memory.dmp

Filesize
3.3MB

Download