cobaltstrike | f02cac56e6a05445f437af5b0dd3c72406d7aa7b6aa2f7a2d0708899586a46f8

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ddaeef91ec250e43cb48972616af54d3
SHA1

59c9278172ea56e5eda6f033cb798bc98ecb3f93
SHA256

f02cac56e6a05445f437af5b0dd3c72406d7aa7b6aa2f7a2d0708899586a46f8
SHA512

dbbcc528881779c68bc10e2912e1e4c671fc13a8b43bb9c981dac0e2ed909f11da828110c640b65a4a949d1d0abd6eb624523684c8030643b066cbb31a53be2d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6li:RWWBibf56utgpPFotBER/mQ32lU+

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b5f-5.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b60-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b63-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b65-27.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b64-25.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b66-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b69-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6a-54.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b68-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6b-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6d-65.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6e-73.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6f-80.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b71-103.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b72-108.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b70-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b74-122.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b77-140.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b75-137.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b76-133.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b73-132.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3764-46-0x00007FF7E5710000-0x00007FF7E5A61000-memory.dmp	xmrig
behavioral2/memory/4700-52-0x00007FF704640000-0x00007FF704991000-memory.dmp	xmrig
behavioral2/memory/1732-60-0x00007FF621B40000-0x00007FF621E91000-memory.dmp	xmrig
behavioral2/memory/2204-67-0x00007FF6B9D00000-0x00007FF6BA051000-memory.dmp	xmrig
behavioral2/memory/3308-70-0x00007FF71C0D0000-0x00007FF71C421000-memory.dmp	xmrig
behavioral2/memory/2000-82-0x00007FF7B3F50000-0x00007FF7B42A1000-memory.dmp	xmrig
behavioral2/memory/856-74-0x00007FF73C6D0000-0x00007FF73CA21000-memory.dmp	xmrig
behavioral2/memory/4740-68-0x00007FF7AD9A0000-0x00007FF7ADCF1000-memory.dmp	xmrig
behavioral2/memory/2088-92-0x00007FF75C690000-0x00007FF75C9E1000-memory.dmp	xmrig
behavioral2/memory/3132-106-0x00007FF724910000-0x00007FF724C61000-memory.dmp	xmrig
behavioral2/memory/3608-116-0x00007FF75D690000-0x00007FF75D9E1000-memory.dmp	xmrig
behavioral2/memory/3616-141-0x00007FF619940000-0x00007FF619C91000-memory.dmp	xmrig
behavioral2/memory/2352-150-0x00007FF601A90000-0x00007FF601DE1000-memory.dmp	xmrig
behavioral2/memory/3192-149-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp	xmrig
behavioral2/memory/1052-154-0x00007FF744FF0000-0x00007FF745341000-memory.dmp	xmrig
behavioral2/memory/3336-156-0x00007FF752DD0000-0x00007FF753121000-memory.dmp	xmrig
behavioral2/memory/4700-155-0x00007FF704640000-0x00007FF704991000-memory.dmp	xmrig
behavioral2/memory/3468-162-0x00007FF68FF90000-0x00007FF6902E1000-memory.dmp	xmrig
behavioral2/memory/1884-161-0x00007FF6B1640000-0x00007FF6B1991000-memory.dmp	xmrig
behavioral2/memory/1700-167-0x00007FF647BD0000-0x00007FF647F21000-memory.dmp	xmrig
behavioral2/memory/880-172-0x00007FF76CF70000-0x00007FF76D2C1000-memory.dmp	xmrig
behavioral2/memory/4116-173-0x00007FF701460000-0x00007FF7017B1000-memory.dmp	xmrig
behavioral2/memory/1384-171-0x00007FF68F9D0000-0x00007FF68FD21000-memory.dmp	xmrig
behavioral2/memory/4700-182-0x00007FF704640000-0x00007FF704991000-memory.dmp	xmrig
behavioral2/memory/1732-212-0x00007FF621B40000-0x00007FF621E91000-memory.dmp	xmrig
behavioral2/memory/2204-214-0x00007FF6B9D00000-0x00007FF6BA051000-memory.dmp	xmrig
behavioral2/memory/3308-219-0x00007FF71C0D0000-0x00007FF71C421000-memory.dmp	xmrig
behavioral2/memory/856-221-0x00007FF73C6D0000-0x00007FF73CA21000-memory.dmp	xmrig
behavioral2/memory/2000-223-0x00007FF7B3F50000-0x00007FF7B42A1000-memory.dmp	xmrig
behavioral2/memory/3764-233-0x00007FF7E5710000-0x00007FF7E5A61000-memory.dmp	xmrig
behavioral2/memory/2088-232-0x00007FF75C690000-0x00007FF75C9E1000-memory.dmp	xmrig
behavioral2/memory/3132-238-0x00007FF724910000-0x00007FF724C61000-memory.dmp	xmrig
behavioral2/memory/3608-239-0x00007FF75D690000-0x00007FF75D9E1000-memory.dmp	xmrig
behavioral2/memory/4740-245-0x00007FF7AD9A0000-0x00007FF7ADCF1000-memory.dmp	xmrig
behavioral2/memory/3616-247-0x00007FF619940000-0x00007FF619C91000-memory.dmp	xmrig
behavioral2/memory/3192-251-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp	xmrig
behavioral2/memory/2352-250-0x00007FF601A90000-0x00007FF601DE1000-memory.dmp	xmrig
behavioral2/memory/1052-257-0x00007FF744FF0000-0x00007FF745341000-memory.dmp	xmrig
behavioral2/memory/3336-259-0x00007FF752DD0000-0x00007FF753121000-memory.dmp	xmrig
behavioral2/memory/3468-261-0x00007FF68FF90000-0x00007FF6902E1000-memory.dmp	xmrig
behavioral2/memory/1884-269-0x00007FF6B1640000-0x00007FF6B1991000-memory.dmp	xmrig
behavioral2/memory/1700-268-0x00007FF647BD0000-0x00007FF647F21000-memory.dmp	xmrig
behavioral2/memory/4116-273-0x00007FF701460000-0x00007FF7017B1000-memory.dmp	xmrig
behavioral2/memory/880-272-0x00007FF76CF70000-0x00007FF76D2C1000-memory.dmp	xmrig
behavioral2/memory/1384-275-0x00007FF68F9D0000-0x00007FF68FD21000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1732	FDpKBLU.exe
2204	eGINjjZ.exe
3308	lMeMMES.exe
856	fDpgrtj.exe
2000	EHJGqTh.exe
2088	rVTNQSN.exe
3764	qtzdCmD.exe
3132	DHhUBIW.exe
3608	RuXSXOl.exe
4740	TlCdJEL.exe
3616	oPultCE.exe
3192	cPDIAnI.exe
2352	JBhVLKb.exe
1052	hzmGxue.exe
3336	kpqTxyY.exe
3468	DtpIzgC.exe
1884	XBHXSOK.exe
1700	KbIXpjc.exe
880	ejLgUnU.exe
4116	IXBGmQa.exe
1384	sYZnBJG.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4700-0-0x00007FF704640000-0x00007FF704991000-memory.dmp	upx
behavioral2/files/0x000b000000023b5f-5.dat	upx
behavioral2/memory/1732-7-0x00007FF621B40000-0x00007FF621E91000-memory.dmp	upx
behavioral2/files/0x000b000000023b60-10.dat	upx
behavioral2/files/0x000a000000023b63-12.dat	upx
behavioral2/memory/2204-14-0x00007FF6B9D00000-0x00007FF6BA051000-memory.dmp	upx
behavioral2/memory/3308-18-0x00007FF71C0D0000-0x00007FF71C421000-memory.dmp	upx
behavioral2/files/0x000a000000023b65-27.dat	upx
behavioral2/memory/2000-29-0x00007FF7B3F50000-0x00007FF7B42A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b64-25.dat	upx
behavioral2/memory/856-23-0x00007FF73C6D0000-0x00007FF73CA21000-memory.dmp	upx
behavioral2/files/0x000a000000023b66-35.dat	upx
behavioral2/memory/2088-36-0x00007FF75C690000-0x00007FF75C9E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b69-47.dat	upx
behavioral2/memory/3764-46-0x00007FF7E5710000-0x00007FF7E5A61000-memory.dmp	upx
behavioral2/memory/4700-52-0x00007FF704640000-0x00007FF704991000-memory.dmp	upx
behavioral2/memory/3608-55-0x00007FF75D690000-0x00007FF75D9E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b6a-54.dat	upx
behavioral2/memory/3132-48-0x00007FF724910000-0x00007FF724C61000-memory.dmp	upx
behavioral2/files/0x000a000000023b68-41.dat	upx
behavioral2/memory/1732-60-0x00007FF621B40000-0x00007FF621E91000-memory.dmp	upx
behavioral2/files/0x000a000000023b6b-61.dat	upx
behavioral2/files/0x000a000000023b6d-65.dat	upx
behavioral2/memory/2204-67-0x00007FF6B9D00000-0x00007FF6BA051000-memory.dmp	upx
behavioral2/memory/3308-70-0x00007FF71C0D0000-0x00007FF71C421000-memory.dmp	upx
behavioral2/files/0x000a000000023b6e-73.dat	upx
behavioral2/files/0x000a000000023b6f-80.dat	upx
behavioral2/memory/2352-83-0x00007FF601A90000-0x00007FF601DE1000-memory.dmp	upx
behavioral2/memory/2000-82-0x00007FF7B3F50000-0x00007FF7B42A1000-memory.dmp	upx
behavioral2/memory/3192-75-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp	upx
behavioral2/memory/856-74-0x00007FF73C6D0000-0x00007FF73CA21000-memory.dmp	upx
behavioral2/memory/3616-69-0x00007FF619940000-0x00007FF619C91000-memory.dmp	upx
behavioral2/memory/4740-68-0x00007FF7AD9A0000-0x00007FF7ADCF1000-memory.dmp	upx
behavioral2/memory/2088-92-0x00007FF75C690000-0x00007FF75C9E1000-memory.dmp	upx
behavioral2/memory/1052-97-0x00007FF744FF0000-0x00007FF745341000-memory.dmp	upx
behavioral2/files/0x000a000000023b71-103.dat	upx
behavioral2/memory/3132-106-0x00007FF724910000-0x00007FF724C61000-memory.dmp	upx
behavioral2/files/0x000a000000023b72-108.dat	upx
behavioral2/memory/3468-107-0x00007FF68FF90000-0x00007FF6902E1000-memory.dmp	upx
behavioral2/memory/3336-102-0x00007FF752DD0000-0x00007FF753121000-memory.dmp	upx
behavioral2/files/0x000a000000023b70-93.dat	upx
behavioral2/memory/3608-116-0x00007FF75D690000-0x00007FF75D9E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b74-122.dat	upx
behavioral2/memory/1884-124-0x00007FF6B1640000-0x00007FF6B1991000-memory.dmp	upx
behavioral2/memory/4116-136-0x00007FF701460000-0x00007FF7017B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b77-140.dat	upx
behavioral2/memory/3616-141-0x00007FF619940000-0x00007FF619C91000-memory.dmp	upx
behavioral2/memory/1384-142-0x00007FF68F9D0000-0x00007FF68FD21000-memory.dmp	upx
behavioral2/files/0x000a000000023b75-137.dat	upx
behavioral2/files/0x000a000000023b76-133.dat	upx
behavioral2/memory/880-129-0x00007FF76CF70000-0x00007FF76D2C1000-memory.dmp	upx
behavioral2/memory/1700-128-0x00007FF647BD0000-0x00007FF647F21000-memory.dmp	upx
behavioral2/files/0x000a000000023b73-132.dat	upx
behavioral2/memory/2352-150-0x00007FF601A90000-0x00007FF601DE1000-memory.dmp	upx
behavioral2/memory/3192-149-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp	upx
behavioral2/memory/1052-154-0x00007FF744FF0000-0x00007FF745341000-memory.dmp	upx
behavioral2/memory/3336-156-0x00007FF752DD0000-0x00007FF753121000-memory.dmp	upx
behavioral2/memory/4700-155-0x00007FF704640000-0x00007FF704991000-memory.dmp	upx
behavioral2/memory/3468-162-0x00007FF68FF90000-0x00007FF6902E1000-memory.dmp	upx
behavioral2/memory/1884-161-0x00007FF6B1640000-0x00007FF6B1991000-memory.dmp	upx
behavioral2/memory/1700-167-0x00007FF647BD0000-0x00007FF647F21000-memory.dmp	upx
behavioral2/memory/880-172-0x00007FF76CF70000-0x00007FF76D2C1000-memory.dmp	upx
behavioral2/memory/4116-173-0x00007FF701460000-0x00007FF7017B1000-memory.dmp	upx
behavioral2/memory/1384-171-0x00007FF68F9D0000-0x00007FF68FD21000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\RuXSXOl.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TlCdJEL.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cPDIAnI.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JBhVLKb.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lMeMMES.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EHJGqTh.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DHhUBIW.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sYZnBJG.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fDpgrtj.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XBHXSOK.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IXBGmQa.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DtpIzgC.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KbIXpjc.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FDpKBLU.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rVTNQSN.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hzmGxue.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kpqTxyY.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ejLgUnU.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eGINjjZ.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qtzdCmD.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oPultCE.exe	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 1732	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4700 wrote to memory of 1732	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4700 wrote to memory of 2204	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4700 wrote to memory of 2204	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4700 wrote to memory of 3308	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4700 wrote to memory of 3308	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4700 wrote to memory of 856	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4700 wrote to memory of 856	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4700 wrote to memory of 2000	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4700 wrote to memory of 2000	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4700 wrote to memory of 2088	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4700 wrote to memory of 2088	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4700 wrote to memory of 3764	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4700 wrote to memory of 3764	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4700 wrote to memory of 3132	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4700 wrote to memory of 3132	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4700 wrote to memory of 3608	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4700 wrote to memory of 3608	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4700 wrote to memory of 4740	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4700 wrote to memory of 4740	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4700 wrote to memory of 3616	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4700 wrote to memory of 3616	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4700 wrote to memory of 3192	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4700 wrote to memory of 3192	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4700 wrote to memory of 2352	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4700 wrote to memory of 2352	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4700 wrote to memory of 1052	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4700 wrote to memory of 1052	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4700 wrote to memory of 3336	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4700 wrote to memory of 3336	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4700 wrote to memory of 3468	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4700 wrote to memory of 3468	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4700 wrote to memory of 1884	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4700 wrote to memory of 1884	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4700 wrote to memory of 1700	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4700 wrote to memory of 1700	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4700 wrote to memory of 880	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4700 wrote to memory of 880	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4700 wrote to memory of 4116	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4700 wrote to memory of 4116	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4700 wrote to memory of 1384	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4700 wrote to memory of 1384	4700	2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_ddaeef91ec250e43cb48972616af54d3_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\System\FDpKBLU.exe
  C:\Windows\System\FDpKBLU.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\eGINjjZ.exe
  C:\Windows\System\eGINjjZ.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\lMeMMES.exe
  C:\Windows\System\lMeMMES.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System\fDpgrtj.exe
  C:\Windows\System\fDpgrtj.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\EHJGqTh.exe
  C:\Windows\System\EHJGqTh.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\rVTNQSN.exe
  C:\Windows\System\rVTNQSN.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\qtzdCmD.exe
  C:\Windows\System\qtzdCmD.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System\DHhUBIW.exe
  C:\Windows\System\DHhUBIW.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\RuXSXOl.exe
  C:\Windows\System\RuXSXOl.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\TlCdJEL.exe
  C:\Windows\System\TlCdJEL.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\oPultCE.exe
  C:\Windows\System\oPultCE.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\cPDIAnI.exe
  C:\Windows\System\cPDIAnI.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\JBhVLKb.exe
  C:\Windows\System\JBhVLKb.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\hzmGxue.exe
  C:\Windows\System\hzmGxue.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\kpqTxyY.exe
  C:\Windows\System\kpqTxyY.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System\DtpIzgC.exe
  C:\Windows\System\DtpIzgC.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System\XBHXSOK.exe
  C:\Windows\System\XBHXSOK.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System\KbIXpjc.exe
  C:\Windows\System\KbIXpjc.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\ejLgUnU.exe
  C:\Windows\System\ejLgUnU.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System\IXBGmQa.exe
  C:\Windows\System\IXBGmQa.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System\sYZnBJG.exe
  C:\Windows\System\sYZnBJG.exe
  2⤵
  - Executes dropped EXE
  PID:1384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DHhUBIW.exe

Filesize
5.2MB

MD5
6d0eb16da5641c631a457f10864ca8c6

SHA1
9a76768e095c1ac2224c0e99bd06ae204320f523

SHA256
903403c5291361f7bb9a81d267ee35819f9c4196c22b63effbbd6f0ffd4f8787

SHA512
44744e8f233299477d3de2431c818d28b9b670cc3aee01b746444aaa5430722e796e33df832c02beca556d0758cdc68d16eedfc9c1438729c62e5d968240c608

Download Submit
C:\Windows\System\DtpIzgC.exe

Filesize
5.2MB

MD5
f4355b1e77ffa696c5087008843b2d4e

SHA1
b6693a9e0c631ef326a02a33d0d19a8dc6139f4f

SHA256
5e0e46a0b2e31703d55b1a4d960e0979620fd932107c9a52139679dff85f4a3b

SHA512
f15348ffd1dac6cbe25141e53054c0b195b3e7447c1db60e69e16df2bbe2c394ad6eafe0a5874e18d31690ebef9180f8fe8b40b8ed2ca90bc36df892dbdb2b8f

Download Submit
C:\Windows\System\EHJGqTh.exe

Filesize
5.2MB

MD5
b6e7ccaf18251b846a64e377bd5b4301

SHA1
5c9d8224f1599f279975f01878494f7ac8af4137

SHA256
0c62236556265ad286f66ad6e774f92c080a8c659cf1a740a41bb41097627d3d

SHA512
14829b5f4439865c591fd06fd8c3651c7b9c93c4e83807b5c511adc5874b47b9b6fc7f573fedb798d3a934cebd29035a51c256237257bb02c3b0cc474903498d

Download Submit
C:\Windows\System\FDpKBLU.exe

Filesize
5.2MB

MD5
7d4f94806ea0195e0f0eba1d124d3ec0

SHA1
6dde040021cc2a9afb355ed8bfbfe6ff2780f4a2

SHA256
ee530b3ebd51e8a80d267efcdeafdc3bb3a1d13cf0d4ec7ff566fd7328059476

SHA512
3470be40d7730a88ef7fed7fbb284e871e9a1000e25d6a5b84a6c1246ba67c719d0b242fc5cc29181337226e654c8147837740491ab75189a7f783a7359adcd0

Download Submit
C:\Windows\System\IXBGmQa.exe

Filesize
5.2MB

MD5
5fd27628715b9a7df069ec6950d0c9f4

SHA1
b4b46b8aa94032d8c4720b68037ce18f72d7576e

SHA256
c849095e1f96cf16c9d2925d7cd7f1112c51ef39587ec3eb5bcef249c1aa6eb6

SHA512
1886f5f85708ed8216c49a4c9e2613dbdc9e0438386ff1590f1047c124049dca50b8e492c1a5af28d7404680353e2538e2c32b8a36dad562230360a532fd5931

Download Submit
C:\Windows\System\JBhVLKb.exe

Filesize
5.2MB

MD5
894d9d44002b8a21dacc1cb2cb2f09d2

SHA1
d292f9ab13736b29d4934d881431e7763adf712c

SHA256
de7405b2b96bb0db325d841381ba3bee70cfb6d9b47520ce65bb3df050e3d5cd

SHA512
67894e53bb2d9aef9fe16bef437c632b6b98b9e6e6f3e61cc92813bd6ed6028c90a2e531b2e9c52ec151c1dc6894022db5e2717ae259fc2b9b1bb3b05ec0e18d

Download Submit
C:\Windows\System\KbIXpjc.exe

Filesize
5.2MB

MD5
3d5ac9fe6cbd215cea82eb3de721de70

SHA1
24d8df0e25b7670712180fda9aa5b11bcf75173a

SHA256
807d998f7358e7a8c08acc2af121c5dd0faad059843255d66bc4788d7959424c

SHA512
83681e71542dcc928dec70fbf3c954147a182856bb0765289eb8b728b5a9d1582c4b4483661eb2e44fe9f467693fa6a4d51b2c2a2294ca7d538fe9af7d4dc4a7

Download Submit
C:\Windows\System\RuXSXOl.exe

Filesize
5.2MB

MD5
b3d0b2c3439246f8579fe7406dfc5735

SHA1
68d7d0c999ace764156be1928819c3111a58479a

SHA256
8421d1cbb6b050d2556742430132dbd772069badf1d46d3533f69e4d8a852ed3

SHA512
dd5096a3e82f30c27083fce14ecbf1abd09454b758e511c03467a76be293abf4d05ca300febbb7383ea1a51a9bbf43dd0a3ab99ba742cc44b7927bdb8be48867

Download Submit
C:\Windows\System\TlCdJEL.exe

Filesize
5.2MB

MD5
8056d94475e061c014059eb94e087c82

SHA1
38f2a35c24c3f40981543b7723642423ae921353

SHA256
a03bc2cd2a08cf67af0b648a19cc507468aac94b5facac85a101963a9fd868fc

SHA512
6caa01c1fc947c71ef7f5360ce3b418e9db759c891b7b1eaba64b9013164d8da5b7f37c8956dce4ac7edc146fc54569daa5558ed9c0560ecb065cbd284a06c28

Download Submit
C:\Windows\System\XBHXSOK.exe

Filesize
5.2MB

MD5
7f919ee613d7475b8b64438a4e29941b

SHA1
50b14e7502b440e9bc683a8fa4eab0c8775cb9cb

SHA256
7ea052b3945a5a145242574649f77aea61d50f64f3c7283d87eb033fa7a3dc26

SHA512
3dfa75e951e4e3642bdcdc23e612ed85153ea5cb132b8fa0683b85c8d31d353c7c917655b9d24785ce322de927cc3910e94d7db9c48ac0eb03e8acf0dedcc90f

Download Submit
C:\Windows\System\cPDIAnI.exe

Filesize
5.2MB

MD5
41b4d801de5cf2c48b5129daa656109b

SHA1
0d85dc975e0962c61a243cba5d165904ca48b55e

SHA256
622a1a8e26aeb5db2e6da944a5ba690b2abef05d4f52fec0665e2dea10c803f3

SHA512
f73dc0e92af48956cef9c92ddf1774b2241399db470e89da9447035fd45c131c9b41b71a7b16ca6174b5ee2a8357f9b397dae9160d58d73e55c71382ac986ff0

Download Submit
C:\Windows\System\eGINjjZ.exe

Filesize
5.2MB

MD5
f799a05939a0f1ba563f8923d950fa95

SHA1
c7f5b5015d331ebde90a274d2d9c484caad4518a

SHA256
13463d9faf55fd99229d6b984ad3b0543541649e4ee450ebd4333f004f0d6a91

SHA512
352fc0f5a57b006303d489bcad88df0e6c77a9611adc2c0f8b27d87886c4f76aad3e47f8b3fb883f735dcde76d73f2731c986525b72461fc3f8f5004ec290304

Download Submit
C:\Windows\System\ejLgUnU.exe

Filesize
5.2MB

MD5
936727cb9f55aa4ac2354e39ec415909

SHA1
30ce3a0a574273d882538447511fcaddc439e9e9

SHA256
4b218417a3f765a6c27c4298b3d815411dce699740f2d0e5c74f4c75a2e99589

SHA512
ab0b69924adc9d772d5f92b680f477e8d9b56e6a1153cc8d0c191dfac1cc670756ac0c1bfe9878f1c1b94b6058ab8de358c43fdff9ff698a3bdb4f91fcc4247e

Download Submit
C:\Windows\System\fDpgrtj.exe

Filesize
5.2MB

MD5
7c12b59da5e8b6495c0d23785c9f8947

SHA1
4aae7ee91d5cbe0ecdc0731f3fbdb1d7b2631bde

SHA256
c9cfe424db34cbda0c878393ba95c5f64df329d915267f329af2b1b5d54fcd1a

SHA512
db785025531fe4a5691e4eaff8deaebe33b0010b42142363dd6dec6ee1affd7a6ccede97859a1790ba8eb944be8199004972943ecdca7727a49aeee49764ac4b

Download Submit
C:\Windows\System\hzmGxue.exe

Filesize
5.2MB

MD5
5dd2e5afc89274a8bd8bc0cb796f3497

SHA1
329b64ebcd2e9583eeb1c6c53fe3e6c234c2ca37

SHA256
c306725ff5c58365a67eb5f415bf6112b2dfefa7b9ef539675ac5ee0f51b91d9

SHA512
e4f01c799e2ce3382d315b65f9f5be906dc11c547410ed9629f0be3ac3a203a856dba8f3b1b4ebfaa814811080bbe38ba7def494fe6c8f1930794066075d5bac

Download Submit
C:\Windows\System\kpqTxyY.exe

Filesize
5.2MB

MD5
0348c52e0f676beaad96fd1d6b1666a7

SHA1
20eb8e3d762afde02626cb0e238744b432abc498

SHA256
19b4aee61da09e7d78fd038dc30846d5acd4696392cec122acac7caba51b1715

SHA512
aa6f4f8883b4840c0e39340ea22124efdea7c48759c95cbcd43f95cab9a7bacf57f977fd7496cc61cb827580ae59e2543bb811b5632905d8057096752e067a75

Download Submit
C:\Windows\System\lMeMMES.exe

Filesize
5.2MB

MD5
cc169d47f918db5bf14800c3ce7d2188

SHA1
68951e16a372eed198db98ddecb91b325045381f

SHA256
a72482da985612f8c277cc610593e6d331e827cee975d229e9703c75c2236174

SHA512
2fc35e2af9892fc44e544b98e68a93cc69c5fd7137abcd63b2fa181e74ad79860a370c0dcc5a535463bcf86f96f28c869082ab8a5ea000adc63d95e233f05989

Download Submit
C:\Windows\System\oPultCE.exe

Filesize
5.2MB

MD5
926533533268de58fc94fa195470df8a

SHA1
dc2e8a7e9c79bf7e22cf8ae41a150ceab3aa7c29

SHA256
4b4f363da171d7d9e72061fc2caca1e4ed26fb1613e1f382ca0b379b4c57c027

SHA512
1b76aab59e00cc89a866acd4f92e146736fdcb38c997fb988c21f1c482c017606a668b95aa418ed179bee41ae24576f73d5b032c4b0d75c22a65472b2db5a9d7

Download Submit
C:\Windows\System\qtzdCmD.exe

Filesize
5.2MB

MD5
e50d50909525df6b8d2cb50480795b62

SHA1
a9a6ca6f1ec010a70d9b5367abfecd0791474601

SHA256
b2be468753fa8df6738804ea425a58ae1a6bb5096967ca80cbdf3f52c7d65467

SHA512
46f9650de6d7fd7825a2778e0fd7e94bc2a133cec90a0c0cb6fd503f05b564f99d2dc8c69683910eca1a4bce90f9085732ddf432787e885a4216aff8840b3d31

Download Submit
C:\Windows\System\rVTNQSN.exe

Filesize
5.2MB

MD5
8ab23149f93f2ec9948618eb2a06be9c

SHA1
d00a7568063ccac305d2b5420380d43a2527a57b

SHA256
f4596528e28620924989109fe23fd3c10df122ee437c01a1683a66925daa84fe

SHA512
b448bc6082f4a53015dca585ea92d2ccbca4d6daf16fa113159e035d71901e83b437c0e9bdbfcbae71fefe07619ce63c7c2a90596fd29509e14cbd16681e1d63

Download Submit
C:\Windows\System\sYZnBJG.exe

Filesize
5.2MB

MD5
8fe88742396a5a9328413406d6236e07

SHA1
0691c7a5ceb44fc5e968aeb31a55ece38a1dbac0

SHA256
6af52a0656f33b018f1b3453f56009d60a00c3e92548ac2c02923f01af7b69f0

SHA512
84d63fa8ac4d98308b5580c773757fd1c8aaa5d8e67fb6d0ee793efef7d0195758d1f8097ed3e5ac0648afb122356f55a42cfe93163a4cb01a21c0a512efcbc5

Download Submit
memory/856-74-0x00007FF73C6D0000-0x00007FF73CA21000-memory.dmp

Filesize
3.3MB

Download
memory/856-23-0x00007FF73C6D0000-0x00007FF73CA21000-memory.dmp

Filesize
3.3MB

Download
memory/856-221-0x00007FF73C6D0000-0x00007FF73CA21000-memory.dmp

Filesize
3.3MB

Download
memory/880-129-0x00007FF76CF70000-0x00007FF76D2C1000-memory.dmp

Filesize
3.3MB

Download
memory/880-272-0x00007FF76CF70000-0x00007FF76D2C1000-memory.dmp

Filesize
3.3MB

Download
memory/880-172-0x00007FF76CF70000-0x00007FF76D2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1052-257-0x00007FF744FF0000-0x00007FF745341000-memory.dmp

Filesize
3.3MB

Download
memory/1052-154-0x00007FF744FF0000-0x00007FF745341000-memory.dmp

Filesize
3.3MB

Download
memory/1052-97-0x00007FF744FF0000-0x00007FF745341000-memory.dmp

Filesize
3.3MB

Download
memory/1384-171-0x00007FF68F9D0000-0x00007FF68FD21000-memory.dmp

Filesize
3.3MB

Download
memory/1384-142-0x00007FF68F9D0000-0x00007FF68FD21000-memory.dmp

Filesize
3.3MB

Download
memory/1384-275-0x00007FF68F9D0000-0x00007FF68FD21000-memory.dmp

Filesize
3.3MB

Download
memory/1700-128-0x00007FF647BD0000-0x00007FF647F21000-memory.dmp

Filesize
3.3MB

Download
memory/1700-167-0x00007FF647BD0000-0x00007FF647F21000-memory.dmp

Filesize
3.3MB

Download
memory/1700-268-0x00007FF647BD0000-0x00007FF647F21000-memory.dmp

Filesize
3.3MB

Download
memory/1732-212-0x00007FF621B40000-0x00007FF621E91000-memory.dmp

Filesize
3.3MB

Download
memory/1732-7-0x00007FF621B40000-0x00007FF621E91000-memory.dmp

Filesize
3.3MB

Download
memory/1732-60-0x00007FF621B40000-0x00007FF621E91000-memory.dmp

Filesize
3.3MB

Download
memory/1884-124-0x00007FF6B1640000-0x00007FF6B1991000-memory.dmp

Filesize
3.3MB

Download
memory/1884-161-0x00007FF6B1640000-0x00007FF6B1991000-memory.dmp

Filesize
3.3MB

Download
memory/1884-269-0x00007FF6B1640000-0x00007FF6B1991000-memory.dmp

Filesize
3.3MB

Download
memory/2000-223-0x00007FF7B3F50000-0x00007FF7B42A1000-memory.dmp

Filesize
3.3MB

Download
memory/2000-29-0x00007FF7B3F50000-0x00007FF7B42A1000-memory.dmp

Filesize
3.3MB

Download
memory/2000-82-0x00007FF7B3F50000-0x00007FF7B42A1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-232-0x00007FF75C690000-0x00007FF75C9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-92-0x00007FF75C690000-0x00007FF75C9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-36-0x00007FF75C690000-0x00007FF75C9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2204-67-0x00007FF6B9D00000-0x00007FF6BA051000-memory.dmp

Filesize
3.3MB

Download
memory/2204-14-0x00007FF6B9D00000-0x00007FF6BA051000-memory.dmp

Filesize
3.3MB

Download
memory/2204-214-0x00007FF6B9D00000-0x00007FF6BA051000-memory.dmp

Filesize
3.3MB

Download
memory/2352-150-0x00007FF601A90000-0x00007FF601DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2352-83-0x00007FF601A90000-0x00007FF601DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2352-250-0x00007FF601A90000-0x00007FF601DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3132-106-0x00007FF724910000-0x00007FF724C61000-memory.dmp

Filesize
3.3MB

Download
memory/3132-48-0x00007FF724910000-0x00007FF724C61000-memory.dmp

Filesize
3.3MB

Download
memory/3132-238-0x00007FF724910000-0x00007FF724C61000-memory.dmp

Filesize
3.3MB

Download
memory/3192-149-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp

Filesize
3.3MB

Download
memory/3192-251-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp

Filesize
3.3MB

Download
memory/3192-75-0x00007FF7FF7C0000-0x00007FF7FFB11000-memory.dmp

Filesize
3.3MB

Download
memory/3308-219-0x00007FF71C0D0000-0x00007FF71C421000-memory.dmp

Filesize
3.3MB

Download
memory/3308-70-0x00007FF71C0D0000-0x00007FF71C421000-memory.dmp

Filesize
3.3MB

Download
memory/3308-18-0x00007FF71C0D0000-0x00007FF71C421000-memory.dmp

Filesize
3.3MB

Download
memory/3336-156-0x00007FF752DD0000-0x00007FF753121000-memory.dmp

Filesize
3.3MB

Download
memory/3336-259-0x00007FF752DD0000-0x00007FF753121000-memory.dmp

Filesize
3.3MB

Download
memory/3336-102-0x00007FF752DD0000-0x00007FF753121000-memory.dmp

Filesize
3.3MB

Download
memory/3468-162-0x00007FF68FF90000-0x00007FF6902E1000-memory.dmp

Filesize
3.3MB

Download
memory/3468-261-0x00007FF68FF90000-0x00007FF6902E1000-memory.dmp

Filesize
3.3MB

Download
memory/3468-107-0x00007FF68FF90000-0x00007FF6902E1000-memory.dmp

Filesize
3.3MB

Download
memory/3608-239-0x00007FF75D690000-0x00007FF75D9E1000-memory.dmp

Filesize
3.3MB

Download
memory/3608-55-0x00007FF75D690000-0x00007FF75D9E1000-memory.dmp

Filesize
3.3MB

Download
memory/3608-116-0x00007FF75D690000-0x00007FF75D9E1000-memory.dmp

Filesize
3.3MB

Download
memory/3616-247-0x00007FF619940000-0x00007FF619C91000-memory.dmp

Filesize
3.3MB

Download
memory/3616-141-0x00007FF619940000-0x00007FF619C91000-memory.dmp

Filesize
3.3MB

Download
memory/3616-69-0x00007FF619940000-0x00007FF619C91000-memory.dmp

Filesize
3.3MB

Download
memory/3764-46-0x00007FF7E5710000-0x00007FF7E5A61000-memory.dmp

Filesize
3.3MB

Download
memory/3764-233-0x00007FF7E5710000-0x00007FF7E5A61000-memory.dmp

Filesize
3.3MB

Download
memory/4116-136-0x00007FF701460000-0x00007FF7017B1000-memory.dmp

Filesize
3.3MB

Download
memory/4116-173-0x00007FF701460000-0x00007FF7017B1000-memory.dmp

Filesize
3.3MB

Download
memory/4116-273-0x00007FF701460000-0x00007FF7017B1000-memory.dmp

Filesize
3.3MB

Download
memory/4700-182-0x00007FF704640000-0x00007FF704991000-memory.dmp

Filesize
3.3MB

Download
memory/4700-1-0x000001A770E40000-0x000001A770E50000-memory.dmp

Filesize
64KB

Download
memory/4700-52-0x00007FF704640000-0x00007FF704991000-memory.dmp

Filesize
3.3MB

Download
memory/4700-155-0x00007FF704640000-0x00007FF704991000-memory.dmp

Filesize
3.3MB

Download
memory/4700-0-0x00007FF704640000-0x00007FF704991000-memory.dmp

Filesize
3.3MB

Download
memory/4740-68-0x00007FF7AD9A0000-0x00007FF7ADCF1000-memory.dmp

Filesize
3.3MB

Download
memory/4740-245-0x00007FF7AD9A0000-0x00007FF7ADCF1000-memory.dmp

Filesize
3.3MB

Download