cobaltstrike | 193c4c5639254e53cb131a7d677bd05d6e6a23d7dd1b0f433417454d0811be51

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

775cbe5c81ab214b1237e56b04ece24b
SHA1

29e233955c835bba223d5d87397e34524a13371b
SHA256

193c4c5639254e53cb131a7d677bd05d6e6a23d7dd1b0f433417454d0811be51
SHA512

31f860d0d826ac8aa91420abf3fd188905298a82534401254712c657a72654911b84eff43dbf67a500d0c7b37bbff0285f9d767e14e4d3c9f603f1728e7535b7
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lE:RWWBibf56utgpPFotBER/mQ32lUY

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c92-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-113.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c93-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-36.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/2788-90-0x00007FF752720000-0x00007FF752A71000-memory.dmp	xmrig
behavioral2/memory/2488-119-0x00007FF6FCAE0000-0x00007FF6FCE31000-memory.dmp	xmrig
behavioral2/memory/4900-92-0x00007FF7293A0000-0x00007FF7296F1000-memory.dmp	xmrig
behavioral2/memory/4596-91-0x00007FF6ABFA0000-0x00007FF6AC2F1000-memory.dmp	xmrig
behavioral2/memory/3348-87-0x00007FF612C60000-0x00007FF612FB1000-memory.dmp	xmrig
behavioral2/memory/380-83-0x00007FF7D8AD0000-0x00007FF7D8E21000-memory.dmp	xmrig
behavioral2/memory/1764-81-0x00007FF7863F0000-0x00007FF786741000-memory.dmp	xmrig
behavioral2/memory/4040-60-0x00007FF621070000-0x00007FF6213C1000-memory.dmp	xmrig
behavioral2/memory/232-128-0x00007FF7789F0000-0x00007FF778D41000-memory.dmp	xmrig
behavioral2/memory/4812-134-0x00007FF6E2DD0000-0x00007FF6E3121000-memory.dmp	xmrig
behavioral2/memory/2288-146-0x00007FF7D2A00000-0x00007FF7D2D51000-memory.dmp	xmrig
behavioral2/memory/408-148-0x00007FF663720000-0x00007FF663A71000-memory.dmp	xmrig
behavioral2/memory/412-147-0x00007FF72FD40000-0x00007FF730091000-memory.dmp	xmrig
behavioral2/memory/3500-144-0x00007FF6244F0000-0x00007FF624841000-memory.dmp	xmrig
behavioral2/memory/4172-142-0x00007FF78D610000-0x00007FF78D961000-memory.dmp	xmrig
behavioral2/memory/2472-149-0x00007FF735C50000-0x00007FF735FA1000-memory.dmp	xmrig
behavioral2/memory/4916-138-0x00007FF6BF7E0000-0x00007FF6BFB31000-memory.dmp	xmrig
behavioral2/memory/4236-133-0x00007FF615470000-0x00007FF6157C1000-memory.dmp	xmrig
behavioral2/memory/2320-132-0x00007FF747470000-0x00007FF7477C1000-memory.dmp	xmrig
behavioral2/memory/3280-131-0x00007FF636350000-0x00007FF6366A1000-memory.dmp	xmrig
behavioral2/memory/2168-129-0x00007FF7F66B0000-0x00007FF7F6A01000-memory.dmp	xmrig
behavioral2/memory/3452-130-0x00007FF796710000-0x00007FF796A61000-memory.dmp	xmrig
behavioral2/memory/232-150-0x00007FF7789F0000-0x00007FF778D41000-memory.dmp	xmrig
behavioral2/memory/2168-206-0x00007FF7F66B0000-0x00007FF7F6A01000-memory.dmp	xmrig
behavioral2/memory/3452-208-0x00007FF796710000-0x00007FF796A61000-memory.dmp	xmrig
behavioral2/memory/4236-210-0x00007FF615470000-0x00007FF6157C1000-memory.dmp	xmrig
behavioral2/memory/4040-213-0x00007FF621070000-0x00007FF6213C1000-memory.dmp	xmrig
behavioral2/memory/3280-216-0x00007FF636350000-0x00007FF6366A1000-memory.dmp	xmrig
behavioral2/memory/2320-214-0x00007FF747470000-0x00007FF7477C1000-memory.dmp	xmrig
behavioral2/memory/1764-228-0x00007FF7863F0000-0x00007FF786741000-memory.dmp	xmrig
behavioral2/memory/4812-234-0x00007FF6E2DD0000-0x00007FF6E3121000-memory.dmp	xmrig
behavioral2/memory/4916-236-0x00007FF6BF7E0000-0x00007FF6BFB31000-memory.dmp	xmrig
behavioral2/memory/4596-238-0x00007FF6ABFA0000-0x00007FF6AC2F1000-memory.dmp	xmrig
behavioral2/memory/2788-240-0x00007FF752720000-0x00007FF752A71000-memory.dmp	xmrig
behavioral2/memory/380-232-0x00007FF7D8AD0000-0x00007FF7D8E21000-memory.dmp	xmrig
behavioral2/memory/3348-230-0x00007FF612C60000-0x00007FF612FB1000-memory.dmp	xmrig
behavioral2/memory/4172-244-0x00007FF78D610000-0x00007FF78D961000-memory.dmp	xmrig
behavioral2/memory/4900-242-0x00007FF7293A0000-0x00007FF7296F1000-memory.dmp	xmrig
behavioral2/memory/412-250-0x00007FF72FD40000-0x00007FF730091000-memory.dmp	xmrig
behavioral2/memory/2472-257-0x00007FF735C50000-0x00007FF735FA1000-memory.dmp	xmrig
behavioral2/memory/3500-256-0x00007FF6244F0000-0x00007FF624841000-memory.dmp	xmrig
behavioral2/memory/2488-253-0x00007FF6FCAE0000-0x00007FF6FCE31000-memory.dmp	xmrig
behavioral2/memory/2288-252-0x00007FF7D2A00000-0x00007FF7D2D51000-memory.dmp	xmrig
behavioral2/memory/408-248-0x00007FF663720000-0x00007FF663A71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2168	doZoDoH.exe
3452	IGBmTsA.exe
3280	QytclTX.exe
2320	BMFoqqV.exe
4236	eXkgbva.exe
4812	fYdiPSw.exe
4040	JkDDTBE.exe
3348	oKqUqbQ.exe
4916	YKhnGbW.exe
1764	PhBeeqi.exe
2788	gqBMISn.exe
380	NDlGzNK.exe
4596	jWdpqyp.exe
4172	pfrFuzM.exe
4900	hOIobkJ.exe
3500	wjaqBGL.exe
2488	VwbZyCm.exe
2288	CiCFNNT.exe
412	LerTcGV.exe
408	sHEsMPW.exe
2472	rLZahpf.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/232-0-0x00007FF7789F0000-0x00007FF778D41000-memory.dmp	upx
behavioral2/files/0x0008000000023c92-5.dat	upx
behavioral2/memory/2168-6-0x00007FF7F66B0000-0x00007FF7F6A01000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-11.dat	upx
behavioral2/files/0x0007000000023c97-10.dat	upx
behavioral2/memory/3452-19-0x00007FF796710000-0x00007FF796A61000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-25.dat	upx
behavioral2/files/0x0007000000023c9a-28.dat	upx
behavioral2/files/0x0007000000023c9c-38.dat	upx
behavioral2/files/0x0007000000023c9f-57.dat	upx
behavioral2/files/0x0007000000023c9b-64.dat	upx
behavioral2/files/0x0007000000023c9e-67.dat	upx
behavioral2/memory/4916-80-0x00007FF6BF7E0000-0x00007FF6BFB31000-memory.dmp	upx
behavioral2/memory/4172-86-0x00007FF78D610000-0x00007FF78D961000-memory.dmp	upx
behavioral2/memory/2788-90-0x00007FF752720000-0x00007FF752A71000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-95.dat	upx
behavioral2/memory/3500-107-0x00007FF6244F0000-0x00007FF624841000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-117.dat	upx
behavioral2/files/0x0007000000023ca9-124.dat	upx
behavioral2/memory/2472-125-0x00007FF735C50000-0x00007FF735FA1000-memory.dmp	upx
behavioral2/memory/408-122-0x00007FF663720000-0x00007FF663A71000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-120.dat	upx
behavioral2/memory/2488-119-0x00007FF6FCAE0000-0x00007FF6FCE31000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-115.dat	upx
behavioral2/files/0x0007000000023ca5-113.dat	upx
behavioral2/memory/412-112-0x00007FF72FD40000-0x00007FF730091000-memory.dmp	upx
behavioral2/memory/2288-108-0x00007FF7D2A00000-0x00007FF7D2D51000-memory.dmp	upx
behavioral2/memory/4900-92-0x00007FF7293A0000-0x00007FF7296F1000-memory.dmp	upx
behavioral2/memory/4596-91-0x00007FF6ABFA0000-0x00007FF6AC2F1000-memory.dmp	upx
behavioral2/files/0x0008000000023c93-88.dat	upx
behavioral2/memory/3348-87-0x00007FF612C60000-0x00007FF612FB1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-84.dat	upx
behavioral2/memory/380-83-0x00007FF7D8AD0000-0x00007FF7D8E21000-memory.dmp	upx
behavioral2/memory/1764-81-0x00007FF7863F0000-0x00007FF786741000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-71.dat	upx
behavioral2/files/0x0007000000023ca0-61.dat	upx
behavioral2/memory/4040-60-0x00007FF621070000-0x00007FF6213C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-53.dat	upx
behavioral2/memory/4812-51-0x00007FF6E2DD0000-0x00007FF6E3121000-memory.dmp	upx
behavioral2/memory/4236-41-0x00007FF615470000-0x00007FF6157C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-36.dat	upx
behavioral2/memory/2320-31-0x00007FF747470000-0x00007FF7477C1000-memory.dmp	upx
behavioral2/memory/3280-29-0x00007FF636350000-0x00007FF6366A1000-memory.dmp	upx
behavioral2/memory/232-128-0x00007FF7789F0000-0x00007FF778D41000-memory.dmp	upx
behavioral2/memory/4812-134-0x00007FF6E2DD0000-0x00007FF6E3121000-memory.dmp	upx
behavioral2/memory/2288-146-0x00007FF7D2A00000-0x00007FF7D2D51000-memory.dmp	upx
behavioral2/memory/408-148-0x00007FF663720000-0x00007FF663A71000-memory.dmp	upx
behavioral2/memory/412-147-0x00007FF72FD40000-0x00007FF730091000-memory.dmp	upx
behavioral2/memory/3500-144-0x00007FF6244F0000-0x00007FF624841000-memory.dmp	upx
behavioral2/memory/4172-142-0x00007FF78D610000-0x00007FF78D961000-memory.dmp	upx
behavioral2/memory/2472-149-0x00007FF735C50000-0x00007FF735FA1000-memory.dmp	upx
behavioral2/memory/4916-138-0x00007FF6BF7E0000-0x00007FF6BFB31000-memory.dmp	upx
behavioral2/memory/4236-133-0x00007FF615470000-0x00007FF6157C1000-memory.dmp	upx
behavioral2/memory/2320-132-0x00007FF747470000-0x00007FF7477C1000-memory.dmp	upx
behavioral2/memory/3280-131-0x00007FF636350000-0x00007FF6366A1000-memory.dmp	upx
behavioral2/memory/2168-129-0x00007FF7F66B0000-0x00007FF7F6A01000-memory.dmp	upx
behavioral2/memory/3452-130-0x00007FF796710000-0x00007FF796A61000-memory.dmp	upx
behavioral2/memory/232-150-0x00007FF7789F0000-0x00007FF778D41000-memory.dmp	upx
behavioral2/memory/2168-206-0x00007FF7F66B0000-0x00007FF7F6A01000-memory.dmp	upx
behavioral2/memory/3452-208-0x00007FF796710000-0x00007FF796A61000-memory.dmp	upx
behavioral2/memory/4236-210-0x00007FF615470000-0x00007FF6157C1000-memory.dmp	upx
behavioral2/memory/4040-213-0x00007FF621070000-0x00007FF6213C1000-memory.dmp	upx
behavioral2/memory/3280-216-0x00007FF636350000-0x00007FF6366A1000-memory.dmp	upx
behavioral2/memory/2320-214-0x00007FF747470000-0x00007FF7477C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\YKhnGbW.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hOIobkJ.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wjaqBGL.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CiCFNNT.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IGBmTsA.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BMFoqqV.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JkDDTBE.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NDlGzNK.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LerTcGV.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sHEsMPW.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VwbZyCm.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QytclTX.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eXkgbva.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fYdiPSw.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oKqUqbQ.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PhBeeqi.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jWdpqyp.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pfrFuzM.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\doZoDoH.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gqBMISn.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rLZahpf.exe	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 2168	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 232 wrote to memory of 2168	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 232 wrote to memory of 3452	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 232 wrote to memory of 3452	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 232 wrote to memory of 3280	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 232 wrote to memory of 3280	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 232 wrote to memory of 2320	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 232 wrote to memory of 2320	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 232 wrote to memory of 4236	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 232 wrote to memory of 4236	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 232 wrote to memory of 4812	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 232 wrote to memory of 4812	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 232 wrote to memory of 3348	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 232 wrote to memory of 3348	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 232 wrote to memory of 4040	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 232 wrote to memory of 4040	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 232 wrote to memory of 1764	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 232 wrote to memory of 1764	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 232 wrote to memory of 4916	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 232 wrote to memory of 4916	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 232 wrote to memory of 2788	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 232 wrote to memory of 2788	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 232 wrote to memory of 380	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 232 wrote to memory of 380	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 232 wrote to memory of 4596	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 232 wrote to memory of 4596	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 232 wrote to memory of 4172	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 232 wrote to memory of 4172	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 232 wrote to memory of 4900	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 232 wrote to memory of 4900	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 232 wrote to memory of 3500	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 232 wrote to memory of 3500	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 232 wrote to memory of 2488	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 232 wrote to memory of 2488	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 232 wrote to memory of 2288	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 232 wrote to memory of 2288	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 232 wrote to memory of 412	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 232 wrote to memory of 412	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 232 wrote to memory of 408	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 232 wrote to memory of 408	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 232 wrote to memory of 2472	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 232 wrote to memory of 2472	232	2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_775cbe5c81ab214b1237e56b04ece24b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\System\doZoDoH.exe
  C:\Windows\System\doZoDoH.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\IGBmTsA.exe
  C:\Windows\System\IGBmTsA.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System\QytclTX.exe
  C:\Windows\System\QytclTX.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System\BMFoqqV.exe
  C:\Windows\System\BMFoqqV.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\eXkgbva.exe
  C:\Windows\System\eXkgbva.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System\fYdiPSw.exe
  C:\Windows\System\fYdiPSw.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\oKqUqbQ.exe
  C:\Windows\System\oKqUqbQ.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System\JkDDTBE.exe
  C:\Windows\System\JkDDTBE.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\PhBeeqi.exe
  C:\Windows\System\PhBeeqi.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System\YKhnGbW.exe
  C:\Windows\System\YKhnGbW.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\gqBMISn.exe
  C:\Windows\System\gqBMISn.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\NDlGzNK.exe
  C:\Windows\System\NDlGzNK.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\jWdpqyp.exe
  C:\Windows\System\jWdpqyp.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\pfrFuzM.exe
  C:\Windows\System\pfrFuzM.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\hOIobkJ.exe
  C:\Windows\System\hOIobkJ.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\wjaqBGL.exe
  C:\Windows\System\wjaqBGL.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\VwbZyCm.exe
  C:\Windows\System\VwbZyCm.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\CiCFNNT.exe
  C:\Windows\System\CiCFNNT.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\LerTcGV.exe
  C:\Windows\System\LerTcGV.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System\sHEsMPW.exe
  C:\Windows\System\sHEsMPW.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System\rLZahpf.exe
  C:\Windows\System\rLZahpf.exe
  2⤵
  - Executes dropped EXE
  PID:2472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BMFoqqV.exe

Filesize
5.2MB

MD5
3f2e16738f99d850a4dc366c27fa6720

SHA1
9d5b4d2da75cb0150fd29837ca92347508fcfb68

SHA256
859b6e5ee4181c5d203edaf1123322b5dcc025ce7c0305a46ef2505a55f5b3a3

SHA512
ba81b657fb3419d7584c712d857b4484f7c6fd0f3e24e29dddc47e0e732e4588360c60f02a7f6ab24cd0311300d92e5df160e8c399206baa252658968faf850c

Download Submit
C:\Windows\System\CiCFNNT.exe

Filesize
5.2MB

MD5
f5ec5083a71a56a8794c04429ad0098f

SHA1
f0508fc6bb8d18b50c8a0cd921ecba648cf95451

SHA256
293559722d6379237477357e072914ab1e089a5b834114e6a71b04dd63dc91ff

SHA512
9cb5bf5cbc7d3a12169d75ca9022b3ca77affc82171772325732b46368853afd3dcd093912bdb4c3d1d0d81ba60ed12785a9db9ca26cfe341803521d11db9c8b

Download Submit
C:\Windows\System\IGBmTsA.exe

Filesize
5.2MB

MD5
1053adbb36fdf377b7d6beacbfd0bf01

SHA1
2fdb574f7adcbf25a53eb64b5c671f03c5683a7e

SHA256
71246212633942406f4b38a4b41d12e8abc6035320007bf3e6232d1cd4308e10

SHA512
e6ba101029fdd3f67a240b8907efee9cec035ce9b0467601a98a27c4b1f49f9c1c7e3a95880b00177828d57411b96694d230f42b611a9a676d8c8861f1850f25

Download Submit
C:\Windows\System\JkDDTBE.exe

Filesize
5.2MB

MD5
22d179aebdb6e3e3a206e9f8e968fb8c

SHA1
54056a69be76a9e3a17e0a7bc6358c40ba7965cb

SHA256
b407dbd323fd391d9240a6e078f19e208f5e978ae9261a7e5a6c5e19f7ad8516

SHA512
117969e96512c17baa5762d2086157a32d00e6819739122df26d3d1c687d3638cd66773ad10892cf8955b76d3c0ebb875c0c1a358f332df3a33e6c59b5f82311

Download Submit
C:\Windows\System\LerTcGV.exe

Filesize
5.2MB

MD5
40279d6ac566c2977165f630e0361a60

SHA1
e5baee874ff6cf6f55573a5089bdec7c8dfd2f7e

SHA256
653e410182be5c520296ee8694ad2f64626aa4efc82fb0b4b30c26e366abb9cf

SHA512
400f64be37be1cb52155c4004eebc48d54ea8246f6d4b82b8ff5e8d7b8a000b6d24cddf3b1f64f47044279906f9820338cc6cab5aed824eb6b3a0f22b97b1bc4

Download Submit
C:\Windows\System\NDlGzNK.exe

Filesize
5.2MB

MD5
6785c3be42c7b3e609eae841f9630ac5

SHA1
74f4982b9259d235b9190a4e0c4332f40e35605c

SHA256
76efc2bcad8e50909709b2c5b760daddd3813a5378d76edfd7c5230a7ab0f90e

SHA512
96219a4fb0c5b6ef67803b2b762b6b6ac2ed1ae920462d0e30fb0c00aaa9e87550cc163d8d31c2c3cfc61492202b0b1d1676ded3b517c4f54d66d403ed4a3326

Download Submit
C:\Windows\System\PhBeeqi.exe

Filesize
5.2MB

MD5
834de1487b4ae494f1b7c748df113916

SHA1
df7f2381d1dfe64b4ad4400512ce3ea48a337db5

SHA256
dcb16c9403ae70780bfd8cc5a2a24275a1b194947382140ecf7ca584c8ff7199

SHA512
c938436f5220fa7bd9f579487da8c25df286dcd6d7eaf5efeeae2f9a0909d8910f9ad12848d88f8bcb0ca36ead69e77db59b10e2dd81b36cf4edfa48dd464646

Download Submit
C:\Windows\System\QytclTX.exe

Filesize
5.2MB

MD5
b649cf0c013804c5b0801715eff47daa

SHA1
47886e4066fe2a59467608ec89c2e91652d42a57

SHA256
2d31487795874275b1bd7392e6552415e629870aeae24a7e7113a3d73e735288

SHA512
d1920468b519b516f075e4650b8f9213c0a35e4b633073c5524b90a2543b7aa296057c5dd01cd02ec596ac5e13b4ee4afade8519f8601722b7b1362e742cc20b

Download Submit
C:\Windows\System\VwbZyCm.exe

Filesize
5.2MB

MD5
a523de7778b1791dfc42e0558a9d4259

SHA1
780b2be096b0b724e2d98e03c26d36f74ccd3f1e

SHA256
57479812da746ef8a51138d7b3b9d62fef5738a6078756bda83977db8f8bdf0e

SHA512
6513c2c8b6ac8586bd1cc5463b194ea765a01efa2470285a06857e4c80a0d75aee061c74930c10fa1fc4e4b2be2950b216fbce1ab8d549a0fc8591d9f574ffce

Download Submit
C:\Windows\System\YKhnGbW.exe

Filesize
5.2MB

MD5
a08efec1be926c7720173c3a0b8b2266

SHA1
751f54f01ac58573d7d9ee3d79cc1f648ea291ce

SHA256
ca5c4e2257000e94a5413b8110f98bd591b8c14037ed0be47152100421867df4

SHA512
41520590276396f5fd627a7302c5c5bc907b6a7f2c3dadeb71d42438709f5752b81f9b1fb6dafc9d53451539a91298cfc5b8468e712ca7fda3c52b131f5d562c

Download Submit
C:\Windows\System\doZoDoH.exe

Filesize
5.2MB

MD5
ca34d3a27ec208968d2ff0081f693e36

SHA1
1388671769d5e9e1b63b9aa0d4f4f3acd018a247

SHA256
f577ccb5a44e6ecdb88f0339e85941506c8749759097d75cf56a7afed2c36f1f

SHA512
e878c425e5016aebe79357c871520fd0c2bef500e7ed5c96b2004b53201f2710c745f6d96ecb87aed109f7d655e5e92c6b563c0a2d2a03f1902f3c590b21d8e5

Download Submit
C:\Windows\System\eXkgbva.exe

Filesize
5.2MB

MD5
9198487b401ccbec26976a73a97df1a8

SHA1
87a1e704e8f682e39e7cd66619419ccf272c9375

SHA256
d1cf97ad38ba92539364d3e1a77e197ccf5c5bcd0b57a46f436fcd5d6f531a26

SHA512
26adc92be2dd16f095f114d095854c8a1b9f47168ad80b7105a910357ed30e454c3a2d4cf291256d77451b298671766992b6c6b6494a6a3d813c9b418dfb8570

Download Submit
C:\Windows\System\fYdiPSw.exe

Filesize
5.2MB

MD5
3494190e4a0fac2cf9fc34ac6fdbd14d

SHA1
0966aa1e8cfd647675b0bd0b2dc834ca35a4ac3f

SHA256
b9a210d4bb92e4e51368db13919d032a1f70e5ac0baa154d032f05fabf275b56

SHA512
02c9b2afce087d6ddc1dd65a10dd92f634730b324d8a42e6c0a19af0ee3892d997dbbfbf55b19e188d10c227e1cff3ba6cd9b5841f94cd6d126bb3b81e32d53c

Download Submit
C:\Windows\System\gqBMISn.exe

Filesize
5.2MB

MD5
4b9e43a86f945a24ec84ca28084e65c2

SHA1
8b5d0e975a02769caf5b942aa6fb6914201162a4

SHA256
b0d6717a2d52a8d23c52dab9904c64ae1bbbe348a12ff23579e6e9d12a686408

SHA512
d4880a1f36b892755fb8c51d06b386d92ed6b5fb5f6ecb3f94c2f142325a6e3949494567cbbe380bbed0d1a5202d4d7fd23641843fe599315f093ac09fece5a0

Download Submit
C:\Windows\System\hOIobkJ.exe

Filesize
5.2MB

MD5
4a242d187e923d218ff51f8d62ca3a35

SHA1
9b0bb365de4306958c04a90d1abd6005d5fcc4e5

SHA256
0ca4bc33ed40c1ca244e06da745e25955eab8cc3b8c3b8121102a56ea836f00f

SHA512
6ebdde7fbd0b2f3b10ed178f803c09a0eccf9f0a6a96217aa3eb18f668448f03120b427cee6d88d2add059b3900813d1531b099bffe55646d6c7894e0e2f5d28

Download Submit
C:\Windows\System\jWdpqyp.exe

Filesize
5.2MB

MD5
947cf0d295bdac898b0a8d8d6a18b91c

SHA1
2ff6018c70161569f259d863d69f8102c9fff46a

SHA256
a4e95d7efd67225b5797904abcfec3a88ef63ef50ae5934ba979017236083b3c

SHA512
81edf7a4d833a35c0ea5323e64ff2741ba202c9b76d6e84a1f1480fc029a4c16764da0c5e1376f226570dad669b92825857d0888375710bc83d1af09ae33a36e

Download Submit
C:\Windows\System\oKqUqbQ.exe

Filesize
5.2MB

MD5
b436b615be5067e0d7072a66e19ff6d0

SHA1
a47fe18a0b6cf1fe4482eb3b6e3fe4034139dd2a

SHA256
5e686df6a082a18a6192d31114e7159ca13c042e0a25f89693e00f8de735f5a9

SHA512
db1fce4b765f263e05d84d44753d4ab4e73039b62f3619b32c4cf6e3bd9327c33fb8cf48742d1883957306a52856ad4f5b58add7f723c9a78476281540c86aae

Download Submit
C:\Windows\System\pfrFuzM.exe

Filesize
5.2MB

MD5
c38e59d5c4e7ad6dd660abf840a568ec

SHA1
33423ed376d973eb678c416fa5414a9e11d7479a

SHA256
a610b40e0be31cccf6b76aeca517915709372794e815dff2ed47bc9c153238bf

SHA512
30031f725c28f3a49814044049f16acda303e57a42db7d1dc67851a8a10645f908753417837fdb6df1cfc5a57cb23e8a3360df138af18e0e2b6a98eb7f67939e

Download Submit
C:\Windows\System\rLZahpf.exe

Filesize
5.2MB

MD5
076b3b26241de47d3964226d616bd89a

SHA1
67cdc78475abb5a95903cfa53683b4bed3d1a283

SHA256
0daa3b9ead3d4b7aeccc2e8e46382879352d7ab1465608335bc1c1ed8f62f963

SHA512
ca573d30f91f0fbd9d46c1d62498cb3c56237d6ac6767db8cf8494091849b08cbae2a96339e048df09661815042827f785d268548e43a49d811c4c3703085fcd

Download Submit
C:\Windows\System\sHEsMPW.exe

Filesize
5.2MB

MD5
40a8e12f36acb3b47c0785bbb3887d41

SHA1
e7754c311aed910096a811a8b7b77db343b3fc13

SHA256
f1cfe7e3a42fcfcb48a2385b1787a4ee4553749c98f324c26a3be9b7cb0f1623

SHA512
0529cc601b8fc52a5f13fd7183c567da7d4183bdc5b274641482604dede5be5b9ebba69f68b9b9b068a3f64be7a7a863664f3196503fabcdbaa2eeb2616f1f26

Download Submit
C:\Windows\System\wjaqBGL.exe

Filesize
5.2MB

MD5
32ed4dfbca7d7841fed8c58429cd5e0b

SHA1
4274d6a36766aa74e462f291281c21eb592d376a

SHA256
98a4ff50a67f897d52c166b626e07f13d045cf63556f1d0c6c859cc250b48831

SHA512
b6e2ce1b21bbfe867f59a6e3b4014e3e8e733cbbb1dd2677e2dd73ec40bcd1934050169b98f099335e954e930509b06fd0b0922bd1de47dc603141bf3f4dd080

Download Submit
memory/232-128-0x00007FF7789F0000-0x00007FF778D41000-memory.dmp

Filesize
3.3MB

Download
memory/232-0-0x00007FF7789F0000-0x00007FF778D41000-memory.dmp

Filesize
3.3MB

Download
memory/232-150-0x00007FF7789F0000-0x00007FF778D41000-memory.dmp

Filesize
3.3MB

Download
memory/232-1-0x0000024C445F0000-0x0000024C44600000-memory.dmp

Filesize
64KB

Download
memory/380-232-0x00007FF7D8AD0000-0x00007FF7D8E21000-memory.dmp

Filesize
3.3MB

Download
memory/380-83-0x00007FF7D8AD0000-0x00007FF7D8E21000-memory.dmp

Filesize
3.3MB

Download
memory/408-122-0x00007FF663720000-0x00007FF663A71000-memory.dmp

Filesize
3.3MB

Download
memory/408-148-0x00007FF663720000-0x00007FF663A71000-memory.dmp

Filesize
3.3MB

Download
memory/408-248-0x00007FF663720000-0x00007FF663A71000-memory.dmp

Filesize
3.3MB

Download
memory/412-147-0x00007FF72FD40000-0x00007FF730091000-memory.dmp

Filesize
3.3MB

Download
memory/412-112-0x00007FF72FD40000-0x00007FF730091000-memory.dmp

Filesize
3.3MB

Download
memory/412-250-0x00007FF72FD40000-0x00007FF730091000-memory.dmp

Filesize
3.3MB

Download
memory/1764-228-0x00007FF7863F0000-0x00007FF786741000-memory.dmp

Filesize
3.3MB

Download
memory/1764-81-0x00007FF7863F0000-0x00007FF786741000-memory.dmp

Filesize
3.3MB

Download
memory/2168-206-0x00007FF7F66B0000-0x00007FF7F6A01000-memory.dmp

Filesize
3.3MB

Download
memory/2168-6-0x00007FF7F66B0000-0x00007FF7F6A01000-memory.dmp

Filesize
3.3MB

Download
memory/2168-129-0x00007FF7F66B0000-0x00007FF7F6A01000-memory.dmp

Filesize
3.3MB

Download
memory/2288-252-0x00007FF7D2A00000-0x00007FF7D2D51000-memory.dmp

Filesize
3.3MB

Download
memory/2288-108-0x00007FF7D2A00000-0x00007FF7D2D51000-memory.dmp

Filesize
3.3MB

Download
memory/2288-146-0x00007FF7D2A00000-0x00007FF7D2D51000-memory.dmp

Filesize
3.3MB

Download
memory/2320-31-0x00007FF747470000-0x00007FF7477C1000-memory.dmp

Filesize
3.3MB

Download
memory/2320-214-0x00007FF747470000-0x00007FF7477C1000-memory.dmp

Filesize
3.3MB

Download
memory/2320-132-0x00007FF747470000-0x00007FF7477C1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-125-0x00007FF735C50000-0x00007FF735FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-257-0x00007FF735C50000-0x00007FF735FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-149-0x00007FF735C50000-0x00007FF735FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-119-0x00007FF6FCAE0000-0x00007FF6FCE31000-memory.dmp

Filesize
3.3MB

Download
memory/2488-253-0x00007FF6FCAE0000-0x00007FF6FCE31000-memory.dmp

Filesize
3.3MB

Download
memory/2788-240-0x00007FF752720000-0x00007FF752A71000-memory.dmp

Filesize
3.3MB

Download
memory/2788-90-0x00007FF752720000-0x00007FF752A71000-memory.dmp

Filesize
3.3MB

Download
memory/3280-216-0x00007FF636350000-0x00007FF6366A1000-memory.dmp

Filesize
3.3MB

Download
memory/3280-29-0x00007FF636350000-0x00007FF6366A1000-memory.dmp

Filesize
3.3MB

Download
memory/3280-131-0x00007FF636350000-0x00007FF6366A1000-memory.dmp

Filesize
3.3MB

Download
memory/3348-87-0x00007FF612C60000-0x00007FF612FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3348-230-0x00007FF612C60000-0x00007FF612FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3452-208-0x00007FF796710000-0x00007FF796A61000-memory.dmp

Filesize
3.3MB

Download
memory/3452-19-0x00007FF796710000-0x00007FF796A61000-memory.dmp

Filesize
3.3MB

Download
memory/3452-130-0x00007FF796710000-0x00007FF796A61000-memory.dmp

Filesize
3.3MB

Download
memory/3500-256-0x00007FF6244F0000-0x00007FF624841000-memory.dmp

Filesize
3.3MB

Download
memory/3500-107-0x00007FF6244F0000-0x00007FF624841000-memory.dmp

Filesize
3.3MB

Download
memory/3500-144-0x00007FF6244F0000-0x00007FF624841000-memory.dmp

Filesize
3.3MB

Download
memory/4040-60-0x00007FF621070000-0x00007FF6213C1000-memory.dmp

Filesize
3.3MB

Download
memory/4040-213-0x00007FF621070000-0x00007FF6213C1000-memory.dmp

Filesize
3.3MB

Download
memory/4172-244-0x00007FF78D610000-0x00007FF78D961000-memory.dmp

Filesize
3.3MB

Download
memory/4172-86-0x00007FF78D610000-0x00007FF78D961000-memory.dmp

Filesize
3.3MB

Download
memory/4172-142-0x00007FF78D610000-0x00007FF78D961000-memory.dmp

Filesize
3.3MB

Download
memory/4236-41-0x00007FF615470000-0x00007FF6157C1000-memory.dmp

Filesize
3.3MB

Download
memory/4236-133-0x00007FF615470000-0x00007FF6157C1000-memory.dmp

Filesize
3.3MB

Download
memory/4236-210-0x00007FF615470000-0x00007FF6157C1000-memory.dmp

Filesize
3.3MB

Download
memory/4596-91-0x00007FF6ABFA0000-0x00007FF6AC2F1000-memory.dmp

Filesize
3.3MB

Download
memory/4596-238-0x00007FF6ABFA0000-0x00007FF6AC2F1000-memory.dmp

Filesize
3.3MB

Download
memory/4812-134-0x00007FF6E2DD0000-0x00007FF6E3121000-memory.dmp

Filesize
3.3MB

Download
memory/4812-51-0x00007FF6E2DD0000-0x00007FF6E3121000-memory.dmp

Filesize
3.3MB

Download
memory/4812-234-0x00007FF6E2DD0000-0x00007FF6E3121000-memory.dmp

Filesize
3.3MB

Download
memory/4900-242-0x00007FF7293A0000-0x00007FF7296F1000-memory.dmp

Filesize
3.3MB

Download
memory/4900-92-0x00007FF7293A0000-0x00007FF7296F1000-memory.dmp

Filesize
3.3MB

Download
memory/4916-138-0x00007FF6BF7E0000-0x00007FF6BFB31000-memory.dmp

Filesize
3.3MB

Download
memory/4916-236-0x00007FF6BF7E0000-0x00007FF6BFB31000-memory.dmp

Filesize
3.3MB

Download
memory/4916-80-0x00007FF6BF7E0000-0x00007FF6BFB31000-memory.dmp

Filesize
3.3MB

Download