cobaltstrike | d0f272529021fb3e0a764960ba24d362e87679797be077febaaea6ae88129a23

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ac9b360e1edab1500aa806476fc93115
SHA1

437ba6d2e46bfb5b8b62961264b6ae0dca8599b4
SHA256

d0f272529021fb3e0a764960ba24d362e87679797be077febaaea6ae88129a23
SHA512

0701fffc4bf4afdd96a0e324aae0b05626b7b175d727daa7bb001dee83655e5574176b12c74b43f0b04eb2d729d5d76775dd8a177bc26da439c86caf42a32a91
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibf56utgpPFotBER/mQ32lU4

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023bad-5.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bd7-9.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bd3-15.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd9-26.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdc-33.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bde-38.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdf-44.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c10-68.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c12-81.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c2c-115.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c33-121.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c32-119.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c1a-112.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c19-108.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c18-106.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c13-101.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c11-90.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023bae-78.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0f-66.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0e-61.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdd-43.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/396-31-0x00007FF797670000-0x00007FF7979C1000-memory.dmp	xmrig
behavioral2/memory/3472-123-0x00007FF60A640000-0x00007FF60A991000-memory.dmp	xmrig
behavioral2/memory/1904-126-0x00007FF78EE70000-0x00007FF78F1C1000-memory.dmp	xmrig
behavioral2/memory/1816-125-0x00007FF78FC30000-0x00007FF78FF81000-memory.dmp	xmrig
behavioral2/memory/2940-118-0x00007FF6E46E0000-0x00007FF6E4A31000-memory.dmp	xmrig
behavioral2/memory/1168-117-0x00007FF6A3020000-0x00007FF6A3371000-memory.dmp	xmrig
behavioral2/memory/4600-128-0x00007FF722D60000-0x00007FF7230B1000-memory.dmp	xmrig
behavioral2/memory/2280-146-0x00007FF6F1AB0000-0x00007FF6F1E01000-memory.dmp	xmrig
behavioral2/memory/876-149-0x00007FF7A01D0000-0x00007FF7A0521000-memory.dmp	xmrig
behavioral2/memory/4020-144-0x00007FF709F40000-0x00007FF70A291000-memory.dmp	xmrig
behavioral2/memory/4156-145-0x00007FF77C180000-0x00007FF77C4D1000-memory.dmp	xmrig
behavioral2/memory/4848-143-0x00007FF74E8D0000-0x00007FF74EC21000-memory.dmp	xmrig
behavioral2/memory/2728-138-0x00007FF78AB10000-0x00007FF78AE61000-memory.dmp	xmrig
behavioral2/memory/4296-137-0x00007FF6B2CB0000-0x00007FF6B3001000-memory.dmp	xmrig
behavioral2/memory/1524-135-0x00007FF752A40000-0x00007FF752D91000-memory.dmp	xmrig
behavioral2/memory/3196-134-0x00007FF74D4F0000-0x00007FF74D841000-memory.dmp	xmrig
behavioral2/memory/432-133-0x00007FF6995A0000-0x00007FF6998F1000-memory.dmp	xmrig
behavioral2/memory/4608-132-0x00007FF784150000-0x00007FF7844A1000-memory.dmp	xmrig
behavioral2/memory/2020-129-0x00007FF7FD9E0000-0x00007FF7FDD31000-memory.dmp	xmrig
behavioral2/memory/2680-139-0x00007FF787700000-0x00007FF787A51000-memory.dmp	xmrig
behavioral2/memory/3092-136-0x00007FF706BF0000-0x00007FF706F41000-memory.dmp	xmrig
behavioral2/memory/408-130-0x00007FF6F0280000-0x00007FF6F05D1000-memory.dmp	xmrig
behavioral2/memory/4600-150-0x00007FF722D60000-0x00007FF7230B1000-memory.dmp	xmrig
behavioral2/memory/2020-210-0x00007FF7FD9E0000-0x00007FF7FDD31000-memory.dmp	xmrig
behavioral2/memory/408-212-0x00007FF6F0280000-0x00007FF6F05D1000-memory.dmp	xmrig
behavioral2/memory/396-214-0x00007FF797670000-0x00007FF7979C1000-memory.dmp	xmrig
behavioral2/memory/4608-216-0x00007FF784150000-0x00007FF7844A1000-memory.dmp	xmrig
behavioral2/memory/432-218-0x00007FF6995A0000-0x00007FF6998F1000-memory.dmp	xmrig
behavioral2/memory/3196-220-0x00007FF74D4F0000-0x00007FF74D841000-memory.dmp	xmrig
behavioral2/memory/3092-223-0x00007FF706BF0000-0x00007FF706F41000-memory.dmp	xmrig
behavioral2/memory/1524-224-0x00007FF752A40000-0x00007FF752D91000-memory.dmp	xmrig
behavioral2/memory/4296-233-0x00007FF6B2CB0000-0x00007FF6B3001000-memory.dmp	xmrig
behavioral2/memory/1168-235-0x00007FF6A3020000-0x00007FF6A3371000-memory.dmp	xmrig
behavioral2/memory/2728-237-0x00007FF78AB10000-0x00007FF78AE61000-memory.dmp	xmrig
behavioral2/memory/2940-239-0x00007FF6E46E0000-0x00007FF6E4A31000-memory.dmp	xmrig
behavioral2/memory/3472-241-0x00007FF60A640000-0x00007FF60A991000-memory.dmp	xmrig
behavioral2/memory/4848-243-0x00007FF74E8D0000-0x00007FF74EC21000-memory.dmp	xmrig
behavioral2/memory/2680-245-0x00007FF787700000-0x00007FF787A51000-memory.dmp	xmrig
behavioral2/memory/4156-251-0x00007FF77C180000-0x00007FF77C4D1000-memory.dmp	xmrig
behavioral2/memory/1904-253-0x00007FF78EE70000-0x00007FF78F1C1000-memory.dmp	xmrig
behavioral2/memory/876-255-0x00007FF7A01D0000-0x00007FF7A0521000-memory.dmp	xmrig
behavioral2/memory/2280-249-0x00007FF6F1AB0000-0x00007FF6F1E01000-memory.dmp	xmrig
behavioral2/memory/1816-248-0x00007FF78FC30000-0x00007FF78FF81000-memory.dmp	xmrig
behavioral2/memory/4020-259-0x00007FF709F40000-0x00007FF70A291000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2020	LHUQeIq.exe
408	FOcXkEN.exe
396	riAoqsl.exe
4608	NlSjibh.exe
432	tyTiCQx.exe
3196	hWpkmkq.exe
1524	RCwxHKp.exe
3092	CLTKYzK.exe
4296	EYqZRwA.exe
2728	tgNrWxC.exe
1168	nYNJTJz.exe
2940	ePtMsJy.exe
2680	IMBYWSK.exe
3472	EnbeMsW.exe
4848	jtYyzFl.exe
4020	xozxiRN.exe
4156	ZjygGxJ.exe
2280	TxXFTgK.exe
1816	vMMfmux.exe
1904	xaYAYih.exe
876	PtgcJtD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4600-0-0x00007FF722D60000-0x00007FF7230B1000-memory.dmp	upx
behavioral2/files/0x000c000000023bad-5.dat	upx
behavioral2/memory/2020-6-0x00007FF7FD9E0000-0x00007FF7FDD31000-memory.dmp	upx
behavioral2/files/0x000e000000023bd7-9.dat	upx
behavioral2/files/0x0009000000023bd3-15.dat	upx
behavioral2/files/0x0008000000023bd9-26.dat	upx
behavioral2/memory/396-31-0x00007FF797670000-0x00007FF7979C1000-memory.dmp	upx
behavioral2/files/0x0008000000023bdc-33.dat	upx
behavioral2/files/0x0008000000023bde-38.dat	upx
behavioral2/files/0x0008000000023bdf-44.dat	upx
behavioral2/memory/3092-48-0x00007FF706BF0000-0x00007FF706F41000-memory.dmp	upx
behavioral2/files/0x0008000000023c10-68.dat	upx
behavioral2/files/0x0008000000023c12-81.dat	upx
behavioral2/memory/4156-94-0x00007FF77C180000-0x00007FF77C4D1000-memory.dmp	upx
behavioral2/files/0x0008000000023c2c-115.dat	upx
behavioral2/memory/3472-123-0x00007FF60A640000-0x00007FF60A991000-memory.dmp	upx
behavioral2/memory/1904-126-0x00007FF78EE70000-0x00007FF78F1C1000-memory.dmp	upx
behavioral2/memory/1816-125-0x00007FF78FC30000-0x00007FF78FF81000-memory.dmp	upx
behavioral2/memory/4020-124-0x00007FF709F40000-0x00007FF70A291000-memory.dmp	upx
behavioral2/files/0x0008000000023c33-121.dat	upx
behavioral2/files/0x0008000000023c32-119.dat	upx
behavioral2/memory/2940-118-0x00007FF6E46E0000-0x00007FF6E4A31000-memory.dmp	upx
behavioral2/memory/1168-117-0x00007FF6A3020000-0x00007FF6A3371000-memory.dmp	upx
behavioral2/memory/876-114-0x00007FF7A01D0000-0x00007FF7A0521000-memory.dmp	upx
behavioral2/files/0x0008000000023c1a-112.dat	upx
behavioral2/files/0x0008000000023c19-108.dat	upx
behavioral2/files/0x0008000000023c18-106.dat	upx
behavioral2/memory/2280-105-0x00007FF6F1AB0000-0x00007FF6F1E01000-memory.dmp	upx
behavioral2/files/0x0008000000023c13-101.dat	upx
behavioral2/files/0x0008000000023c11-90.dat	upx
behavioral2/memory/4848-87-0x00007FF74E8D0000-0x00007FF74EC21000-memory.dmp	upx
behavioral2/files/0x000c000000023bae-78.dat	upx
behavioral2/memory/2680-74-0x00007FF787700000-0x00007FF787A51000-memory.dmp	upx
behavioral2/memory/2728-71-0x00007FF78AB10000-0x00007FF78AE61000-memory.dmp	upx
behavioral2/memory/4296-65-0x00007FF6B2CB0000-0x00007FF6B3001000-memory.dmp	upx
behavioral2/files/0x0008000000023c0f-66.dat	upx
behavioral2/files/0x0008000000023c0e-61.dat	upx
behavioral2/memory/1524-42-0x00007FF752A40000-0x00007FF752D91000-memory.dmp	upx
behavioral2/files/0x0008000000023bdd-43.dat	upx
behavioral2/memory/3196-36-0x00007FF74D4F0000-0x00007FF74D841000-memory.dmp	upx
behavioral2/memory/432-32-0x00007FF6995A0000-0x00007FF6998F1000-memory.dmp	upx
behavioral2/memory/4608-28-0x00007FF784150000-0x00007FF7844A1000-memory.dmp	upx
behavioral2/memory/408-21-0x00007FF6F0280000-0x00007FF6F05D1000-memory.dmp	upx
behavioral2/memory/4600-128-0x00007FF722D60000-0x00007FF7230B1000-memory.dmp	upx
behavioral2/memory/2280-146-0x00007FF6F1AB0000-0x00007FF6F1E01000-memory.dmp	upx
behavioral2/memory/876-149-0x00007FF7A01D0000-0x00007FF7A0521000-memory.dmp	upx
behavioral2/memory/4020-144-0x00007FF709F40000-0x00007FF70A291000-memory.dmp	upx
behavioral2/memory/4156-145-0x00007FF77C180000-0x00007FF77C4D1000-memory.dmp	upx
behavioral2/memory/4848-143-0x00007FF74E8D0000-0x00007FF74EC21000-memory.dmp	upx
behavioral2/memory/2728-138-0x00007FF78AB10000-0x00007FF78AE61000-memory.dmp	upx
behavioral2/memory/4296-137-0x00007FF6B2CB0000-0x00007FF6B3001000-memory.dmp	upx
behavioral2/memory/1524-135-0x00007FF752A40000-0x00007FF752D91000-memory.dmp	upx
behavioral2/memory/3196-134-0x00007FF74D4F0000-0x00007FF74D841000-memory.dmp	upx
behavioral2/memory/432-133-0x00007FF6995A0000-0x00007FF6998F1000-memory.dmp	upx
behavioral2/memory/4608-132-0x00007FF784150000-0x00007FF7844A1000-memory.dmp	upx
behavioral2/memory/2020-129-0x00007FF7FD9E0000-0x00007FF7FDD31000-memory.dmp	upx
behavioral2/memory/2680-139-0x00007FF787700000-0x00007FF787A51000-memory.dmp	upx
behavioral2/memory/3092-136-0x00007FF706BF0000-0x00007FF706F41000-memory.dmp	upx
behavioral2/memory/408-130-0x00007FF6F0280000-0x00007FF6F05D1000-memory.dmp	upx
behavioral2/memory/4600-150-0x00007FF722D60000-0x00007FF7230B1000-memory.dmp	upx
behavioral2/memory/2020-210-0x00007FF7FD9E0000-0x00007FF7FDD31000-memory.dmp	upx
behavioral2/memory/408-212-0x00007FF6F0280000-0x00007FF6F05D1000-memory.dmp	upx
behavioral2/memory/396-214-0x00007FF797670000-0x00007FF7979C1000-memory.dmp	upx
behavioral2/memory/4608-216-0x00007FF784150000-0x00007FF7844A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\RCwxHKp.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jtYyzFl.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TxXFTgK.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\riAoqsl.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NlSjibh.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EYqZRwA.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tgNrWxC.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IMBYWSK.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EnbeMsW.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xozxiRN.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xaYAYih.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LHUQeIq.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FOcXkEN.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PtgcJtD.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nYNJTJz.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZjygGxJ.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tyTiCQx.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hWpkmkq.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vMMfmux.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CLTKYzK.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ePtMsJy.exe	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 2020	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4600 wrote to memory of 2020	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4600 wrote to memory of 408	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4600 wrote to memory of 408	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4600 wrote to memory of 396	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4600 wrote to memory of 396	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4600 wrote to memory of 4608	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4600 wrote to memory of 4608	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4600 wrote to memory of 432	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4600 wrote to memory of 432	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4600 wrote to memory of 3196	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4600 wrote to memory of 3196	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4600 wrote to memory of 1524	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4600 wrote to memory of 1524	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4600 wrote to memory of 3092	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4600 wrote to memory of 3092	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4600 wrote to memory of 4296	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4600 wrote to memory of 4296	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4600 wrote to memory of 2728	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4600 wrote to memory of 2728	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4600 wrote to memory of 2680	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4600 wrote to memory of 2680	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4600 wrote to memory of 1168	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4600 wrote to memory of 1168	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4600 wrote to memory of 2940	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4600 wrote to memory of 2940	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4600 wrote to memory of 3472	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4600 wrote to memory of 3472	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4600 wrote to memory of 4848	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4600 wrote to memory of 4848	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4600 wrote to memory of 4020	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4600 wrote to memory of 4020	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4600 wrote to memory of 4156	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4600 wrote to memory of 4156	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4600 wrote to memory of 2280	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4600 wrote to memory of 2280	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4600 wrote to memory of 1816	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4600 wrote to memory of 1816	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4600 wrote to memory of 1904	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4600 wrote to memory of 1904	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4600 wrote to memory of 876	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4600 wrote to memory of 876	4600	2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-22_ac9b360e1edab1500aa806476fc93115_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\System\LHUQeIq.exe
  C:\Windows\System\LHUQeIq.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\FOcXkEN.exe
  C:\Windows\System\FOcXkEN.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System\riAoqsl.exe
  C:\Windows\System\riAoqsl.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\NlSjibh.exe
  C:\Windows\System\NlSjibh.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\tyTiCQx.exe
  C:\Windows\System\tyTiCQx.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\hWpkmkq.exe
  C:\Windows\System\hWpkmkq.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\RCwxHKp.exe
  C:\Windows\System\RCwxHKp.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\CLTKYzK.exe
  C:\Windows\System\CLTKYzK.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System\EYqZRwA.exe
  C:\Windows\System\EYqZRwA.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System\tgNrWxC.exe
  C:\Windows\System\tgNrWxC.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\IMBYWSK.exe
  C:\Windows\System\IMBYWSK.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\nYNJTJz.exe
  C:\Windows\System\nYNJTJz.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System\ePtMsJy.exe
  C:\Windows\System\ePtMsJy.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\EnbeMsW.exe
  C:\Windows\System\EnbeMsW.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\jtYyzFl.exe
  C:\Windows\System\jtYyzFl.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\xozxiRN.exe
  C:\Windows\System\xozxiRN.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\ZjygGxJ.exe
  C:\Windows\System\ZjygGxJ.exe
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\Windows\System\TxXFTgK.exe
  C:\Windows\System\TxXFTgK.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\vMMfmux.exe
  C:\Windows\System\vMMfmux.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\xaYAYih.exe
  C:\Windows\System\xaYAYih.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\PtgcJtD.exe
  C:\Windows\System\PtgcJtD.exe
  2⤵
  - Executes dropped EXE
  PID:876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CLTKYzK.exe

Filesize
5.2MB

MD5
3df3dc9f253f8984e927faa23139d0be

SHA1
55f7c1bdc1db1e89909fa400941ade096e5001b7

SHA256
da30d7d14ca63dce4dc92f73b4b5a2997207273f87a7b3e929b5d1d7c23a60ee

SHA512
bcc9976e8576b95e937c339314604353e1f3db7b810acf7f7b23fdb00c07b2cf0811b338875e857488fe67e3ae4cc391e4eb9d862cfc569e763b49286e9b7e05

Download Submit
C:\Windows\System\EYqZRwA.exe

Filesize
5.2MB

MD5
ce7289cad7b0ec9d805664320be66fee

SHA1
abde79df0d2489bb0baceb119b3b7b047423abe6

SHA256
0dca2d14deb03350402e56666d80537034ac6441f0f496fc2f80eac3c86ef7fb

SHA512
d29f9be5e67effe4ea446284d55d943cd49c515600ea9c870702e12742a6eb08c6bd41d83757586e674ec016b1d8e02fe91e9ae193fcffeb29a62a911b76a9ab

Download Submit
C:\Windows\System\EnbeMsW.exe

Filesize
5.2MB

MD5
d712faeb197889d945d83c46733f6544

SHA1
fd131dfbe3776c4031bdba0a29b881eebba676ff

SHA256
c01ffde694cba96cb645bf5ac8d6806fc6ba0965bbf0ae5c7affaf86a33591a2

SHA512
9676e245492a278d600858af0620602ab21957fc3c9c50925b0b10ccbeed04ee89f30c96f1a8a9c883b74b805b56a1d481316b47bcd37aad67d5e258d0184381

Download Submit
C:\Windows\System\FOcXkEN.exe

Filesize
5.2MB

MD5
68dd6e957db3d3852acdfd8dda68e074

SHA1
8627984d859ce77f36d8f8288708d79a032ae5eb

SHA256
a44b1c825ce7fa13e9b048c05a141bc85a2704b3af794b7581be5d8b2ef61465

SHA512
26e61867aaa26b96c1f09db5b2b04ce3aa8f42e180220c23c177635fdc3a220015b0cf7324ddb5a6db3f8b51d832fe64fe5e36eee7fed165d814428782063d14

Download Submit
C:\Windows\System\IMBYWSK.exe

Filesize
5.2MB

MD5
bdfce505c070b3741dfad30465e600cd

SHA1
2d0368adb63d9afe8eaf71dc0c2618dab88bec6b

SHA256
857d1b24b13078e9bd2e70e3ea7f6142596d5924829d4210ac574715211855ba

SHA512
320b352792a46b3ecfa5579ed053ac68491194ff999c3b9bbc9ff5b3a89e724fced98483a682217bd542eddd173780e3c6c1521bb8531dbe1ba762894b77deda

Download Submit
C:\Windows\System\LHUQeIq.exe

Filesize
5.2MB

MD5
886bbea85952fdc1408bf71282c1d664

SHA1
91ed4b4ab073571351b25686cdb1ae0e735c6a98

SHA256
6254250d1677d8f3dc2c6f0185845f56a78271462d2244e578fd95f43e075a54

SHA512
5673ef053597999ac4aef0a8dda73e07712f977580dcb896bd4033564606498671714a02ea871b5bbbb4bef98aa0c49e51509a94c4f818f241d5e7021476ac58

Download Submit
C:\Windows\System\NlSjibh.exe

Filesize
5.2MB

MD5
57c43ea675c2bdc534909587f0803f72

SHA1
3cec5ecaee648f5aaab0f0b38de7a12685a414db

SHA256
8255b89d6cbf16e1517f6d188572766a75a3ce9306ce7f3fbea426e920b76c64

SHA512
72e7f46392f6cae8dcce18ecef087c2969ac3abd73e278dc99f2410db2a1f9e03cff5364bcd438bcb5f3f2d511d8dae69194db89ba0e0f2565f21a47adceac88

Download Submit
C:\Windows\System\PtgcJtD.exe

Filesize
5.2MB

MD5
0bb445237df4c4e4463cc42c3df9af14

SHA1
f9e7223d2f518961384b937f9760fa7aa51ee680

SHA256
8bf8dbddc0d348b46a79234d485ce25b9ffd2bc87536dce0530d8e84a8d6122b

SHA512
5df927f299b237943bef313b36a764427928ca5169ea30e937bad5ad4ca1bc1fab499f5e62be137c71c2fbacb3fecd3f44590f284de27c3bde8a2ca5b09e9077

Download Submit
C:\Windows\System\RCwxHKp.exe

Filesize
5.2MB

MD5
2cc154aeac753947865e7f089eddbdc3

SHA1
19012c260cf00f0ce9df6bdd0699c51b4e268140

SHA256
73d312f44d8a250d8553340d8e3d057c9c974d457b099a1b37ef97b7a9358100

SHA512
d79837796fe4c8e5605a99a100a57a40067de90cd222bf581a6be0b2210492a630d523d1fb427a3938a81595c551ff5e81091d5e836c9688a8a2eb7fe0f658d5

Download Submit
C:\Windows\System\TxXFTgK.exe

Filesize
5.2MB

MD5
ea72ea8220d11063cdc72b29503b517c

SHA1
267c184623ba29b86fda6c9e5ddc063cac6c04e3

SHA256
b6068779f11ff93e36fdfeba1bfec32bc1c8fcb4cc4231f0940626bfa73cdc03

SHA512
c8040d42e73181dea81dcf2485646b1859efd7afb05b740fd4ce6a00bc515ba42876cd2806eb23b6260c8b812cfaa790b3acebdc76e3e8b6d15d1211b914188d

Download Submit
C:\Windows\System\ZjygGxJ.exe

Filesize
5.2MB

MD5
e6dc32a08f7fd2ad20d2667f2ac49be6

SHA1
74f6a4e2c8a2326207b5562b5624dbddec456521

SHA256
5173121c1cfb4bf83bf0b2d81c721566d74269899f104825cdef4ed5e66956b1

SHA512
63cc85121b8914333acb7a4212e835ccde7ddcdac210f3a29cc9dd75e7415991f83ae7f67d5d6a64efc29b4e91b7bc24afa9744d614c50776f0b39e7dac52335

Download Submit
C:\Windows\System\ePtMsJy.exe

Filesize
5.2MB

MD5
12914025cb208f36260b62f9fd5534ad

SHA1
db037f669dd7b0a2dd645c722813a0ada8e83a73

SHA256
f9f09f28313c486e66f52e26b3472af46819ada01297868437fc79a14acda1c3

SHA512
a0dceb3c4cfa29a4f0678cd77fc9ab63acde566e3992de33c98c138e1cbca531ca2402f5e7dced70ef7e2067625a8f67f575baeff13c76f82e14764f21afa47a

Download Submit
C:\Windows\System\hWpkmkq.exe

Filesize
5.2MB

MD5
615cc7a20413cc9679511c21b5281fbe

SHA1
1fa1d86a655385cb782a65da8ea0980f3595c2de

SHA256
a3ad871ef22524120d2812f72650bfd8c4f999b3edc0d314af6e1b7a842b64cd

SHA512
ccd8d410fe046b4a63e382d06a57ac914861c6fa0f7a8b1b00bf1a8826906420abde987401df13654a93ae958c610cd26bfb814221ab8a6bcb0d16ba7c50fd7e

Download Submit
C:\Windows\System\jtYyzFl.exe

Filesize
5.2MB

MD5
ef40aacc986dd6334cd0cf2f82c1cdf8

SHA1
0ad90a13bcd9b5a6c5820ee6a6997ff9b33cfb8b

SHA256
626e6f304825bf057e4093988f179c12d7af00fe2760295a0345b385dd664312

SHA512
a7e422c67386bfa5c68cd03a2481a1769cce1ea80d701d4f44cf3de29f1ac83748bc5af4f0e8ef007c92111ea57887ff7603a7f39d63209daf4f49d35947bedc

Download Submit
C:\Windows\System\nYNJTJz.exe

Filesize
5.2MB

MD5
5421d4268ff3ca21f5703a36f3455189

SHA1
7d92f12651846f761b55abf876dbe81c6b83061b

SHA256
ca3e1ef9e8df1ad679749ade47ee53752d02f17bc7c53e27f7e89f78502243b4

SHA512
1cafe0d045a277c4131051f8131610b5f3aa070b5e72bdb2c3a4e5093576e3ac629c1bb7a198ae078af3ebb4ec774706aaa59e20817a832b9a309c1b2bbd94c8

Download Submit
C:\Windows\System\riAoqsl.exe

Filesize
5.2MB

MD5
07b0b20ed137340814544c0f5bf7cf26

SHA1
5ef9a800a89e58245d9222a32527f13e600490cf

SHA256
fb67abf5cdbd0f3abba13c2f36cbeff9ff738755e425459e3aeb0b21f7e563a6

SHA512
e323a1ec6a8729f920048980e33fa55a5a1a819447a203e313d121c691cdf4aa75a3c33f4ed911f0afbc7bfe79002696eebe98828314aa0551e75c9d29cdf5ee

Download Submit
C:\Windows\System\tgNrWxC.exe

Filesize
5.2MB

MD5
4a5988f467d692b783b6c25b35553ac3

SHA1
7987303cc2319870b290048330b426031baf7f97

SHA256
76c6f9b6ae855b0de7f72bd7a82a2aa5b6c359bc9044592ae2fd9a274bb67dee

SHA512
36cf0d5a2580bc4e0f078bac6f7dadd5c3ec3eabb3e0357546498fd63fd09721d750014979f09b7838b062877f20db3059f28281526d85f7c244ee784fff8d5b

Download Submit
C:\Windows\System\tyTiCQx.exe

Filesize
5.2MB

MD5
839e792e735aab93914d3f1803bb0335

SHA1
e7bdeac5ebaa47c93105c153110556111f321417

SHA256
11f0ba4bd8663d018b448a232108e9c919e619621c9ca26dbaf02ca2c1aa7ff0

SHA512
f119cd2a5da5ce91b7f8a08a9fc96528d219a84047cfed0aac120ab01b896f24a2d28c3713b2e197060ff6a3bafc0e7b7cafaf8db6defc92e7a364974af41197

Download Submit
C:\Windows\System\vMMfmux.exe

Filesize
5.2MB

MD5
557f2ebca3a16c34026a0ad4fde482e5

SHA1
fad85f3c01f95d4f8ae7e5342034c7e3e7cc4068

SHA256
b22a37254649ebac04a5511337b857bd652d18c2a46d3bcb0b886ea87f4ba808

SHA512
62105eb1f326c383a1325e52c05ad8203a941d6d7189a5c5543014d3d9989aa5452e7d6babc044945a638417633118da4e022a62def38f1fc57c3bfc10a9427a

Download Submit
C:\Windows\System\xaYAYih.exe

Filesize
5.2MB

MD5
dbb624961ce6a2aab14b605231e1fbc9

SHA1
cdba98a381844306d61f6d767c0d9c3f724b1171

SHA256
1827becf4778cf46e49411df1f43bcba757a6bc41aed3d82e7fa7d3104e391e2

SHA512
4c8f281e300b5eb0f3e8056af2cf001cbf72682db120ebf7148eb9dc1d3d9256ed392b9e649c2f7a98fdc65c259f2fbc3cbc8f6c314054c5088f0ea53dea9cdc

Download Submit
C:\Windows\System\xozxiRN.exe

Filesize
5.2MB

MD5
ba51f13df1cd6e1a283dc32922ae73da

SHA1
37754cc1496e6bafc3e464baec3e3e1d943ff9b6

SHA256
c85d3cf84ddb47da7bdb534e1d77cec646be8d779346d0c16ad02febc04f58cd

SHA512
d42a0463b2f1e9302ce6d000f2e0a74f0155174b9b28cf8d38fb9270f3edb6e6b211493fb136321e6de69a7060fbab67473ca68d83d010193f121335fb532e94

Download Submit
memory/396-214-0x00007FF797670000-0x00007FF7979C1000-memory.dmp

Filesize
3.3MB

Download
memory/396-31-0x00007FF797670000-0x00007FF7979C1000-memory.dmp

Filesize
3.3MB

Download
memory/408-21-0x00007FF6F0280000-0x00007FF6F05D1000-memory.dmp

Filesize
3.3MB

Download
memory/408-212-0x00007FF6F0280000-0x00007FF6F05D1000-memory.dmp

Filesize
3.3MB

Download
memory/408-130-0x00007FF6F0280000-0x00007FF6F05D1000-memory.dmp

Filesize
3.3MB

Download
memory/432-32-0x00007FF6995A0000-0x00007FF6998F1000-memory.dmp

Filesize
3.3MB

Download
memory/432-218-0x00007FF6995A0000-0x00007FF6998F1000-memory.dmp

Filesize
3.3MB

Download
memory/432-133-0x00007FF6995A0000-0x00007FF6998F1000-memory.dmp

Filesize
3.3MB

Download
memory/876-114-0x00007FF7A01D0000-0x00007FF7A0521000-memory.dmp

Filesize
3.3MB

Download
memory/876-149-0x00007FF7A01D0000-0x00007FF7A0521000-memory.dmp

Filesize
3.3MB

Download
memory/876-255-0x00007FF7A01D0000-0x00007FF7A0521000-memory.dmp

Filesize
3.3MB

Download
memory/1168-117-0x00007FF6A3020000-0x00007FF6A3371000-memory.dmp

Filesize
3.3MB

Download
memory/1168-235-0x00007FF6A3020000-0x00007FF6A3371000-memory.dmp

Filesize
3.3MB

Download
memory/1524-135-0x00007FF752A40000-0x00007FF752D91000-memory.dmp

Filesize
3.3MB

Download
memory/1524-224-0x00007FF752A40000-0x00007FF752D91000-memory.dmp

Filesize
3.3MB

Download
memory/1524-42-0x00007FF752A40000-0x00007FF752D91000-memory.dmp

Filesize
3.3MB

Download
memory/1816-248-0x00007FF78FC30000-0x00007FF78FF81000-memory.dmp

Filesize
3.3MB

Download
memory/1816-125-0x00007FF78FC30000-0x00007FF78FF81000-memory.dmp

Filesize
3.3MB

Download
memory/1904-126-0x00007FF78EE70000-0x00007FF78F1C1000-memory.dmp

Filesize
3.3MB

Download
memory/1904-253-0x00007FF78EE70000-0x00007FF78F1C1000-memory.dmp

Filesize
3.3MB

Download
memory/2020-210-0x00007FF7FD9E0000-0x00007FF7FDD31000-memory.dmp

Filesize
3.3MB

Download
memory/2020-129-0x00007FF7FD9E0000-0x00007FF7FDD31000-memory.dmp

Filesize
3.3MB

Download
memory/2020-6-0x00007FF7FD9E0000-0x00007FF7FDD31000-memory.dmp

Filesize
3.3MB

Download
memory/2280-146-0x00007FF6F1AB0000-0x00007FF6F1E01000-memory.dmp

Filesize
3.3MB

Download
memory/2280-249-0x00007FF6F1AB0000-0x00007FF6F1E01000-memory.dmp

Filesize
3.3MB

Download
memory/2280-105-0x00007FF6F1AB0000-0x00007FF6F1E01000-memory.dmp

Filesize
3.3MB

Download
memory/2680-245-0x00007FF787700000-0x00007FF787A51000-memory.dmp

Filesize
3.3MB

Download
memory/2680-139-0x00007FF787700000-0x00007FF787A51000-memory.dmp

Filesize
3.3MB

Download
memory/2680-74-0x00007FF787700000-0x00007FF787A51000-memory.dmp

Filesize
3.3MB

Download
memory/2728-71-0x00007FF78AB10000-0x00007FF78AE61000-memory.dmp

Filesize
3.3MB

Download
memory/2728-138-0x00007FF78AB10000-0x00007FF78AE61000-memory.dmp

Filesize
3.3MB

Download
memory/2728-237-0x00007FF78AB10000-0x00007FF78AE61000-memory.dmp

Filesize
3.3MB

Download
memory/2940-239-0x00007FF6E46E0000-0x00007FF6E4A31000-memory.dmp

Filesize
3.3MB

Download
memory/2940-118-0x00007FF6E46E0000-0x00007FF6E4A31000-memory.dmp

Filesize
3.3MB

Download
memory/3092-223-0x00007FF706BF0000-0x00007FF706F41000-memory.dmp

Filesize
3.3MB

Download
memory/3092-136-0x00007FF706BF0000-0x00007FF706F41000-memory.dmp

Filesize
3.3MB

Download
memory/3092-48-0x00007FF706BF0000-0x00007FF706F41000-memory.dmp

Filesize
3.3MB

Download
memory/3196-220-0x00007FF74D4F0000-0x00007FF74D841000-memory.dmp

Filesize
3.3MB

Download
memory/3196-134-0x00007FF74D4F0000-0x00007FF74D841000-memory.dmp

Filesize
3.3MB

Download
memory/3196-36-0x00007FF74D4F0000-0x00007FF74D841000-memory.dmp

Filesize
3.3MB

Download
memory/3472-123-0x00007FF60A640000-0x00007FF60A991000-memory.dmp

Filesize
3.3MB

Download
memory/3472-241-0x00007FF60A640000-0x00007FF60A991000-memory.dmp

Filesize
3.3MB

Download
memory/4020-124-0x00007FF709F40000-0x00007FF70A291000-memory.dmp

Filesize
3.3MB

Download
memory/4020-259-0x00007FF709F40000-0x00007FF70A291000-memory.dmp

Filesize
3.3MB

Download
memory/4020-144-0x00007FF709F40000-0x00007FF70A291000-memory.dmp

Filesize
3.3MB

Download
memory/4156-251-0x00007FF77C180000-0x00007FF77C4D1000-memory.dmp

Filesize
3.3MB

Download
memory/4156-145-0x00007FF77C180000-0x00007FF77C4D1000-memory.dmp

Filesize
3.3MB

Download
memory/4156-94-0x00007FF77C180000-0x00007FF77C4D1000-memory.dmp

Filesize
3.3MB

Download
memory/4296-137-0x00007FF6B2CB0000-0x00007FF6B3001000-memory.dmp

Filesize
3.3MB

Download
memory/4296-233-0x00007FF6B2CB0000-0x00007FF6B3001000-memory.dmp

Filesize
3.3MB

Download
memory/4296-65-0x00007FF6B2CB0000-0x00007FF6B3001000-memory.dmp

Filesize
3.3MB

Download
memory/4600-0-0x00007FF722D60000-0x00007FF7230B1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-128-0x00007FF722D60000-0x00007FF7230B1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-1-0x000001AEDB360000-0x000001AEDB370000-memory.dmp

Filesize
64KB

Download
memory/4600-150-0x00007FF722D60000-0x00007FF7230B1000-memory.dmp

Filesize
3.3MB

Download
memory/4608-28-0x00007FF784150000-0x00007FF7844A1000-memory.dmp

Filesize
3.3MB

Download
memory/4608-216-0x00007FF784150000-0x00007FF7844A1000-memory.dmp

Filesize
3.3MB

Download
memory/4608-132-0x00007FF784150000-0x00007FF7844A1000-memory.dmp

Filesize
3.3MB

Download
memory/4848-143-0x00007FF74E8D0000-0x00007FF74EC21000-memory.dmp

Filesize
3.3MB

Download
memory/4848-87-0x00007FF74E8D0000-0x00007FF74EC21000-memory.dmp

Filesize
3.3MB

Download
memory/4848-243-0x00007FF74E8D0000-0x00007FF74EC21000-memory.dmp

Filesize
3.3MB

Download