cobaltstrike | 2efd97e745021da0e60a32a9e4712fc134239f7bc9dd7e24194345b62fa20002

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

aeb744ec607aa7ff2c1221d94746a99a
SHA1

659a2df7f7805f19ba5d6be24fe73267a0e7f0bc
SHA256

2efd97e745021da0e60a32a9e4712fc134239f7bc9dd7e24194345b62fa20002
SHA512

8d4b0697bf0127d9f554db404a98b40f43a27c689d8ba78db9911be4ef81a8070330ecc8597d3a1df37b4a6b3de5d0812e2fc77d4b79fb2272984f00c080e0a4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l2:RWWBibf56utgpPFotBER/mQ32lUy

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c15-10.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c14-11.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c10-6.dat	cobalt_reflective_dll
behavioral2/files/0x0016000000023c2b-23.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c43-53.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c45-68.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c49-81.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c48-99.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c4a-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c55-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c54-93.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c4b-92.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c11-89.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c44-76.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c47-73.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c46-69.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c42-63.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c41-50.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c35-62.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c31-44.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023c2a-27.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3388-109-0x00007FF610240000-0x00007FF610591000-memory.dmp	xmrig
behavioral2/memory/3012-108-0x00007FF66AD80000-0x00007FF66B0D1000-memory.dmp	xmrig
behavioral2/memory/4452-102-0x00007FF744480000-0x00007FF7447D1000-memory.dmp	xmrig
behavioral2/memory/2564-101-0x00007FF70AFB0000-0x00007FF70B301000-memory.dmp	xmrig
behavioral2/memory/4264-97-0x00007FF7891A0000-0x00007FF7894F1000-memory.dmp	xmrig
behavioral2/memory/3600-91-0x00007FF7EEB20000-0x00007FF7EEE71000-memory.dmp	xmrig
behavioral2/memory/1872-77-0x00007FF7FC5F0000-0x00007FF7FC941000-memory.dmp	xmrig
behavioral2/memory/4592-132-0x00007FF6CADA0000-0x00007FF6CB0F1000-memory.dmp	xmrig
behavioral2/memory/4688-130-0x00007FF728280000-0x00007FF7285D1000-memory.dmp	xmrig
behavioral2/memory/2520-129-0x00007FF7E1DA0000-0x00007FF7E20F1000-memory.dmp	xmrig
behavioral2/memory/4912-128-0x00007FF68A230000-0x00007FF68A581000-memory.dmp	xmrig
behavioral2/memory/4192-135-0x00007FF7F5370000-0x00007FF7F56C1000-memory.dmp	xmrig
behavioral2/memory/4120-133-0x00007FF7FED00000-0x00007FF7FF051000-memory.dmp	xmrig
behavioral2/memory/704-131-0x00007FF7323C0000-0x00007FF732711000-memory.dmp	xmrig
behavioral2/memory/2092-141-0x00007FF66A1D0000-0x00007FF66A521000-memory.dmp	xmrig
behavioral2/memory/2720-149-0x00007FF757F40000-0x00007FF758291000-memory.dmp	xmrig
behavioral2/memory/3812-147-0x00007FF779410000-0x00007FF779761000-memory.dmp	xmrig
behavioral2/memory/2840-146-0x00007FF62FBF0000-0x00007FF62FF41000-memory.dmp	xmrig
behavioral2/memory/1772-144-0x00007FF67DA90000-0x00007FF67DDE1000-memory.dmp	xmrig
behavioral2/memory/2660-148-0x00007FF6C15C0000-0x00007FF6C1911000-memory.dmp	xmrig
behavioral2/memory/4772-140-0x00007FF6CBE90000-0x00007FF6CC1E1000-memory.dmp	xmrig
behavioral2/memory/3788-145-0x00007FF629680000-0x00007FF6299D1000-memory.dmp	xmrig
behavioral2/memory/4912-150-0x00007FF68A230000-0x00007FF68A581000-memory.dmp	xmrig
behavioral2/memory/4912-151-0x00007FF68A230000-0x00007FF68A581000-memory.dmp	xmrig
behavioral2/memory/2520-204-0x00007FF7E1DA0000-0x00007FF7E20F1000-memory.dmp	xmrig
behavioral2/memory/4688-206-0x00007FF728280000-0x00007FF7285D1000-memory.dmp	xmrig
behavioral2/memory/704-208-0x00007FF7323C0000-0x00007FF732711000-memory.dmp	xmrig
behavioral2/memory/4592-224-0x00007FF6CADA0000-0x00007FF6CB0F1000-memory.dmp	xmrig
behavioral2/memory/4120-226-0x00007FF7FED00000-0x00007FF7FF051000-memory.dmp	xmrig
behavioral2/memory/1872-229-0x00007FF7FC5F0000-0x00007FF7FC941000-memory.dmp	xmrig
behavioral2/memory/3012-230-0x00007FF66AD80000-0x00007FF66B0D1000-memory.dmp	xmrig
behavioral2/memory/4264-233-0x00007FF7891A0000-0x00007FF7894F1000-memory.dmp	xmrig
behavioral2/memory/2564-239-0x00007FF70AFB0000-0x00007FF70B301000-memory.dmp	xmrig
behavioral2/memory/3600-240-0x00007FF7EEB20000-0x00007FF7EEE71000-memory.dmp	xmrig
behavioral2/memory/3388-237-0x00007FF610240000-0x00007FF610591000-memory.dmp	xmrig
behavioral2/memory/4192-235-0x00007FF7F5370000-0x00007FF7F56C1000-memory.dmp	xmrig
behavioral2/memory/4452-242-0x00007FF744480000-0x00007FF7447D1000-memory.dmp	xmrig
behavioral2/memory/3788-246-0x00007FF629680000-0x00007FF6299D1000-memory.dmp	xmrig
behavioral2/memory/2092-248-0x00007FF66A1D0000-0x00007FF66A521000-memory.dmp	xmrig
behavioral2/memory/2720-252-0x00007FF757F40000-0x00007FF758291000-memory.dmp	xmrig
behavioral2/memory/3812-256-0x00007FF779410000-0x00007FF779761000-memory.dmp	xmrig
behavioral2/memory/2840-254-0x00007FF62FBF0000-0x00007FF62FF41000-memory.dmp	xmrig
behavioral2/memory/1772-250-0x00007FF67DA90000-0x00007FF67DDE1000-memory.dmp	xmrig
behavioral2/memory/2660-245-0x00007FF6C15C0000-0x00007FF6C1911000-memory.dmp	xmrig
behavioral2/memory/4772-260-0x00007FF6CBE90000-0x00007FF6CC1E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2520	zhchPsq.exe
4688	AwEdkuW.exe
704	MvFINqQ.exe
4592	ygfnnul.exe
4120	dmovZnm.exe
3012	rpacPMn.exe
4192	MFomqtH.exe
1872	enOXibF.exe
3600	WCmtkuy.exe
3388	IAJoLhJ.exe
4264	NnXiOKn.exe
4772	ZSYouJE.exe
2092	EfUqspb.exe
2564	EeyVzGs.exe
4452	LkMMIez.exe
1772	TnDaVkO.exe
2840	cippJxA.exe
3812	BmHBZgX.exe
2660	idNxqFc.exe
2720	RuZbcoY.exe
3788	HyPuhKt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4912-0-0x00007FF68A230000-0x00007FF68A581000-memory.dmp	upx
behavioral2/files/0x0008000000023c15-10.dat	upx
behavioral2/files/0x0008000000023c14-11.dat	upx
behavioral2/memory/2520-9-0x00007FF7E1DA0000-0x00007FF7E20F1000-memory.dmp	upx
behavioral2/files/0x0009000000023c10-6.dat	upx
behavioral2/files/0x0016000000023c2b-23.dat	upx
behavioral2/files/0x0008000000023c43-53.dat	upx
behavioral2/files/0x0008000000023c45-68.dat	upx
behavioral2/files/0x0008000000023c49-81.dat	upx
behavioral2/memory/2092-98-0x00007FF66A1D0000-0x00007FF66A521000-memory.dmp	upx
behavioral2/memory/1772-103-0x00007FF67DA90000-0x00007FF67DDE1000-memory.dmp	upx
behavioral2/memory/3788-107-0x00007FF629680000-0x00007FF6299D1000-memory.dmp	upx
behavioral2/memory/3812-111-0x00007FF779410000-0x00007FF779761000-memory.dmp	upx
behavioral2/memory/4772-110-0x00007FF6CBE90000-0x00007FF6CC1E1000-memory.dmp	upx
behavioral2/memory/3388-109-0x00007FF610240000-0x00007FF610591000-memory.dmp	upx
behavioral2/memory/3012-108-0x00007FF66AD80000-0x00007FF66B0D1000-memory.dmp	upx
behavioral2/memory/2720-106-0x00007FF757F40000-0x00007FF758291000-memory.dmp	upx
behavioral2/memory/2660-105-0x00007FF6C15C0000-0x00007FF6C1911000-memory.dmp	upx
behavioral2/memory/2840-104-0x00007FF62FBF0000-0x00007FF62FF41000-memory.dmp	upx
behavioral2/memory/4452-102-0x00007FF744480000-0x00007FF7447D1000-memory.dmp	upx
behavioral2/memory/2564-101-0x00007FF70AFB0000-0x00007FF70B301000-memory.dmp	upx
behavioral2/files/0x0008000000023c48-99.dat	upx
behavioral2/memory/4264-97-0x00007FF7891A0000-0x00007FF7894F1000-memory.dmp	upx
behavioral2/files/0x0008000000023c4a-96.dat	upx
behavioral2/files/0x0007000000023c55-95.dat	upx
behavioral2/files/0x0007000000023c54-93.dat	upx
behavioral2/files/0x0008000000023c4b-92.dat	upx
behavioral2/memory/3600-91-0x00007FF7EEB20000-0x00007FF7EEE71000-memory.dmp	upx
behavioral2/files/0x0009000000023c11-89.dat	upx
behavioral2/memory/1872-77-0x00007FF7FC5F0000-0x00007FF7FC941000-memory.dmp	upx
behavioral2/files/0x0008000000023c44-76.dat	upx
behavioral2/files/0x0008000000023c47-73.dat	upx
behavioral2/files/0x0008000000023c46-69.dat	upx
behavioral2/memory/4192-67-0x00007FF7F5370000-0x00007FF7F56C1000-memory.dmp	upx
behavioral2/files/0x0008000000023c42-63.dat	upx
behavioral2/files/0x0008000000023c41-50.dat	upx
behavioral2/files/0x0008000000023c35-62.dat	upx
behavioral2/memory/4120-47-0x00007FF7FED00000-0x00007FF7FF051000-memory.dmp	upx
behavioral2/files/0x0008000000023c31-44.dat	upx
behavioral2/memory/4592-28-0x00007FF6CADA0000-0x00007FF6CB0F1000-memory.dmp	upx
behavioral2/files/0x000b000000023c2a-27.dat	upx
behavioral2/memory/704-20-0x00007FF7323C0000-0x00007FF732711000-memory.dmp	upx
behavioral2/memory/4688-12-0x00007FF728280000-0x00007FF7285D1000-memory.dmp	upx
behavioral2/memory/4592-132-0x00007FF6CADA0000-0x00007FF6CB0F1000-memory.dmp	upx
behavioral2/memory/4688-130-0x00007FF728280000-0x00007FF7285D1000-memory.dmp	upx
behavioral2/memory/2520-129-0x00007FF7E1DA0000-0x00007FF7E20F1000-memory.dmp	upx
behavioral2/memory/4912-128-0x00007FF68A230000-0x00007FF68A581000-memory.dmp	upx
behavioral2/memory/4192-135-0x00007FF7F5370000-0x00007FF7F56C1000-memory.dmp	upx
behavioral2/memory/4120-133-0x00007FF7FED00000-0x00007FF7FF051000-memory.dmp	upx
behavioral2/memory/704-131-0x00007FF7323C0000-0x00007FF732711000-memory.dmp	upx
behavioral2/memory/2092-141-0x00007FF66A1D0000-0x00007FF66A521000-memory.dmp	upx
behavioral2/memory/2720-149-0x00007FF757F40000-0x00007FF758291000-memory.dmp	upx
behavioral2/memory/3812-147-0x00007FF779410000-0x00007FF779761000-memory.dmp	upx
behavioral2/memory/2840-146-0x00007FF62FBF0000-0x00007FF62FF41000-memory.dmp	upx
behavioral2/memory/1772-144-0x00007FF67DA90000-0x00007FF67DDE1000-memory.dmp	upx
behavioral2/memory/2660-148-0x00007FF6C15C0000-0x00007FF6C1911000-memory.dmp	upx
behavioral2/memory/4772-140-0x00007FF6CBE90000-0x00007FF6CC1E1000-memory.dmp	upx
behavioral2/memory/3788-145-0x00007FF629680000-0x00007FF6299D1000-memory.dmp	upx
behavioral2/memory/4912-150-0x00007FF68A230000-0x00007FF68A581000-memory.dmp	upx
behavioral2/memory/4912-151-0x00007FF68A230000-0x00007FF68A581000-memory.dmp	upx
behavioral2/memory/2520-204-0x00007FF7E1DA0000-0x00007FF7E20F1000-memory.dmp	upx
behavioral2/memory/4688-206-0x00007FF728280000-0x00007FF7285D1000-memory.dmp	upx
behavioral2/memory/704-208-0x00007FF7323C0000-0x00007FF732711000-memory.dmp	upx
behavioral2/memory/4592-224-0x00007FF6CADA0000-0x00007FF6CB0F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ygfnnul.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IAJoLhJ.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LkMMIez.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TnDaVkO.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\idNxqFc.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AwEdkuW.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dmovZnm.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EeyVzGs.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZSYouJE.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EfUqspb.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zhchPsq.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MvFINqQ.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MFomqtH.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\enOXibF.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WCmtkuy.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NnXiOKn.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HyPuhKt.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rpacPMn.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cippJxA.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BmHBZgX.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RuZbcoY.exe	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 2520	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4912 wrote to memory of 2520	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4912 wrote to memory of 4688	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4912 wrote to memory of 4688	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4912 wrote to memory of 704	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4912 wrote to memory of 704	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4912 wrote to memory of 4592	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4912 wrote to memory of 4592	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4912 wrote to memory of 4120	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4912 wrote to memory of 4120	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4912 wrote to memory of 3012	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4912 wrote to memory of 3012	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4912 wrote to memory of 4192	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4912 wrote to memory of 4192	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4912 wrote to memory of 1872	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4912 wrote to memory of 1872	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4912 wrote to memory of 3600	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4912 wrote to memory of 3600	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4912 wrote to memory of 3388	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4912 wrote to memory of 3388	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4912 wrote to memory of 4264	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4912 wrote to memory of 4264	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4912 wrote to memory of 4772	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4912 wrote to memory of 4772	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4912 wrote to memory of 2092	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4912 wrote to memory of 2092	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4912 wrote to memory of 2564	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4912 wrote to memory of 2564	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4912 wrote to memory of 4452	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4912 wrote to memory of 4452	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4912 wrote to memory of 1772	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4912 wrote to memory of 1772	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4912 wrote to memory of 3788	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4912 wrote to memory of 3788	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4912 wrote to memory of 2840	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4912 wrote to memory of 2840	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4912 wrote to memory of 3812	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4912 wrote to memory of 3812	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4912 wrote to memory of 2660	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4912 wrote to memory of 2660	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4912 wrote to memory of 2720	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4912 wrote to memory of 2720	4912	2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-22_aeb744ec607aa7ff2c1221d94746a99a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\System\zhchPsq.exe
  C:\Windows\System\zhchPsq.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\AwEdkuW.exe
  C:\Windows\System\AwEdkuW.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\MvFINqQ.exe
  C:\Windows\System\MvFINqQ.exe
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\System\ygfnnul.exe
  C:\Windows\System\ygfnnul.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\dmovZnm.exe
  C:\Windows\System\dmovZnm.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System\rpacPMn.exe
  C:\Windows\System\rpacPMn.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\MFomqtH.exe
  C:\Windows\System\MFomqtH.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System\enOXibF.exe
  C:\Windows\System\enOXibF.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\WCmtkuy.exe
  C:\Windows\System\WCmtkuy.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System\IAJoLhJ.exe
  C:\Windows\System\IAJoLhJ.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\NnXiOKn.exe
  C:\Windows\System\NnXiOKn.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System\ZSYouJE.exe
  C:\Windows\System\ZSYouJE.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\EfUqspb.exe
  C:\Windows\System\EfUqspb.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\EeyVzGs.exe
  C:\Windows\System\EeyVzGs.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\LkMMIez.exe
  C:\Windows\System\LkMMIez.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\TnDaVkO.exe
  C:\Windows\System\TnDaVkO.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System\HyPuhKt.exe
  C:\Windows\System\HyPuhKt.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System\cippJxA.exe
  C:\Windows\System\cippJxA.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\BmHBZgX.exe
  C:\Windows\System\BmHBZgX.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System\idNxqFc.exe
  C:\Windows\System\idNxqFc.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\RuZbcoY.exe
  C:\Windows\System\RuZbcoY.exe
  2⤵
  - Executes dropped EXE
  PID:2720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AwEdkuW.exe

Filesize
5.2MB

MD5
a23cdd45007a7a2ceb7a91e19ee74329

SHA1
a705b78bc18f6f92bd0126b7459218d7acb20d99

SHA256
e07ff327bc97b4c36cb4b4ca65950c0f09ccd5376056afa1cc0fe058f7f6aefd

SHA512
b65fd8623370876afbad2b9a3884689c368c68d3e9e432d7436ffe2bd67979f11735897816213f94e14eb0985d055b56762041653dc506b777e1b81a65c74ba5

Download Submit
C:\Windows\System\BmHBZgX.exe

Filesize
5.2MB

MD5
eceb3890d1de03cb23236a039282cb1f

SHA1
bbe32de796d13fe05971280fd846033f200dc37b

SHA256
acb91cf4d52851b1ac6f3c702fe84fe35e76e36c0be286b016dbef705500e209

SHA512
3fdd3aa0c7fac32cf553e8fa7be7f6b0d09c3941f778b5f7d3fde11c87ccc8b2036e6bf32f9f187b7adbbe4c60929e8ab999fcea8a904cc17002eae47862f2bd

Download Submit
C:\Windows\System\EeyVzGs.exe

Filesize
5.2MB

MD5
20476f151c8e18edc6b6f3428566bca6

SHA1
0cee012ebc61b6d54e03ec03df7c8336626a89cd

SHA256
4b9bf2d04f0f347f94c1d43e4e2b2af0128a5e64952f6928b9ff1719af9dba0a

SHA512
0ee401c2582103f6c90d999e79dbf190322f2c7be34134bbfafe65235a93e05c4b79dd206b58cc9fa04a8f0f92daa23f6e52da99751a930546217dffbf34ff5f

Download Submit
C:\Windows\System\EfUqspb.exe

Filesize
5.2MB

MD5
6e873e026446ce28f0e9c3fa8eb8cd78

SHA1
a3df5d201571b61a9f50c8bb8556a3d4bd7bdf72

SHA256
f68e88f5d06bd162caccb5535fb4d9b7f0e463ab23fe1fb4a5bbd875b3603c53

SHA512
e461775faa4a369ad3bc2efd0177c88f7a034aae4ae7b069bd0c148f62f0e807bfcb73388a563354c61a467591b644274973dc48c694a95bf38dd1b32bb324cf

Download Submit
C:\Windows\System\HyPuhKt.exe

Filesize
5.2MB

MD5
d3ab56071af0f9761f22522b1ad2e127

SHA1
9aaf4886ba0a1b375359d5a0befa38b8ecfa47f6

SHA256
c3615ba6ec526ec401e86edbeaedf3ee02494e1970b9e48a5f198fc9e1aac2c3

SHA512
e9abfa53614de892161b6ab93c8653919bdcd4ee0edbc660bdf6abe09a5c4acd44c24a5741ac42f9ba5a8fdd4793d5422e12e5a3e7a7eb70e6f60e0330a5e2e2

Download Submit
C:\Windows\System\IAJoLhJ.exe

Filesize
5.2MB

MD5
3354d59a641eeac58c68d1dabd1bdf62

SHA1
9d63dbbf21f41ab18d62da33fe85419e6322c2f3

SHA256
ed2cef6361d94f7e22bc071f1fc8938fe62b226144c6979c7bed2ec43a487841

SHA512
bdc4b532118adf127800257248dfb6c92c450d4412a70888c74c6dd9dfaa209f70a9ab54007a501e0a8d67d7f1e51edf156b08af6521fc978b20718fcf9fd238

Download Submit
C:\Windows\System\LkMMIez.exe

Filesize
5.2MB

MD5
9454c8b378a4145905c919451a201c46

SHA1
c48a3f39e6068e725f8bc005f5f2e798d8c9f8e7

SHA256
06ab726a13f87c4345705edb7311ad332f9ff8ee87e2570db8e0f2d66608ea2d

SHA512
742942df4b4386c8b6e2dba5586968083d1e65c7dfa48ab50270d3fe4b97ea2150fbfc36d08c5356fa7a61c751653e68c2c5c365b4c94c0337b2c90d5f275ec0

Download Submit
C:\Windows\System\MFomqtH.exe

Filesize
5.2MB

MD5
7438aed6d7d47f776b2138a084831289

SHA1
c5f5a60fa1fa44785292b1a5cadf577be4277a75

SHA256
d5f738e78ecf7f412f3c159a71f3ae43d7c1e7babe1c7cf83535213a4e5bce31

SHA512
ef99e8b0628a9b7220729d3061760943babc2054ce8906c4625d5f80bdf049ab695c033522e349b04a3499cef81d90d63e25bf5a73e8f4725a11ff388fb31c60

Download Submit
C:\Windows\System\MvFINqQ.exe

Filesize
5.2MB

MD5
09cb34a778ff3dff56190f6dea660c08

SHA1
8a80eac0d943ed22ccc70cf6db0d4db81a8d6027

SHA256
bb59789afa9032aa1ec27cf9d86300a4ef61d33779cfa05e86cd9c8ed663b283

SHA512
7d05b7692e681072a918928e1927bb0dbb2ee336c19e8263fbea0250485bf8e93338297385376231a7d16949d1b588d29dc1de38ade51dd3ddb7d200da6319ca

Download Submit
C:\Windows\System\NnXiOKn.exe

Filesize
5.2MB

MD5
6d0c9ed780fbc7723805e0c124e307b6

SHA1
e3209a84d2c47dccd2d4e9530b91a681af27ed94

SHA256
f1d98e002da233f3c8066c331098224ff631ad512251f52b20a4a224e7e39012

SHA512
5d3a777015e8719893c9068801e2be340dc54ea14c4cd548e9667892e54c45d3f6e42f0b65b49dce96a5502c08ebe670052912f091df031081d738ac9b1b29a0

Download Submit
C:\Windows\System\RuZbcoY.exe

Filesize
5.2MB

MD5
2cd80dc3f602b36e2f01dc60b2418713

SHA1
d0c085e5a5d3925b40eeca894a0bfef99c7d0905

SHA256
73643564399a2acd48cb68e6436e03c949bbee2454f6027bb0511e604cf2c769

SHA512
75ff379c08ff92f488c259ed6e9bf289b8aa2144b5dbae8af912ac462ca902edf545b82538f7d65e13eab33fc97afc23ba30db9247d980396bb5c233d5e6467c

Download Submit
C:\Windows\System\TnDaVkO.exe

Filesize
5.2MB

MD5
69ac22f5646a7f69f56484872b22d6d8

SHA1
334b72822d69088745857354e9ab10437e8eb925

SHA256
65a603fa7df91a52da576179bb181dbf8226c09d07c108731d33a54848abf025

SHA512
5ea3b14609b4526b3c6552415c75fe302159cdf3ba24911b022bbb7a33d93e345776f346d6067a91623a3cdb6c6557cdde3b6380eddd55211c931c1764419483

Download Submit
C:\Windows\System\WCmtkuy.exe

Filesize
5.2MB

MD5
fed6b7bfdd53077635f04eb27c4169a8

SHA1
2947c31c0c7f5250fc20f91eaa36a9080a536aad

SHA256
e14f5afcddf25bc87005125b355948777b0b2a4a105062d11b0900b818f2aaab

SHA512
0fa6447bac0c8c0aec443670c77435dd87c2c8d8e75bbcabfb254e7859cf1c532d170c1534a9407dbabdd472d286ce2cd7f1e99777760edd8a12805a08962c58

Download Submit
C:\Windows\System\ZSYouJE.exe

Filesize
5.2MB

MD5
d1a1b544de7b1679172bce409d4e712a

SHA1
72da2f731ad25e4e47bc1c1eeb72ce0acddd1359

SHA256
6ff853fdddce924f5b7f0d31278bf6694ca5276d39e9e1827571e3aa57f9aaa0

SHA512
3aea7ecfe2d145005f063215aabe6331f107b9da9b172cb79fae29c2ac4b78d732fa67362b5f5f024489eae2ef02ae44c130d8fc7b8f86c4c3d2dd1e44fceca6

Download Submit
C:\Windows\System\cippJxA.exe

Filesize
5.2MB

MD5
539aa3e5d5437d216dbb685df3862c69

SHA1
307620e8c7063b7e2dc37e0032304de00dd900ad

SHA256
bc63ab234e61181dab5e5bf38a0013a5c419cc0c62fc4b154aad753da1a84219

SHA512
95c6ac84c24ac7d7b3b692fe5a22f4613ca3af92d754fba43ef0b6899e194697e49882ce9154bdcf299dfd9d8f9a20ff72d8d79c2f3fab37404e1394ea54325b

Download Submit
C:\Windows\System\dmovZnm.exe

Filesize
5.2MB

MD5
e97e08741b0badce6dea8cba3fe3f632

SHA1
e6aadc721bd89baf94ccc732057529c59587e7ba

SHA256
ffdf9c314364fa5921c725f81adb817a7dc60649ce04e0ae121fc049768927ef

SHA512
22ef25a341eac88bc3fef11efc6bbe4f8fe6659e5ac7cb8b05e19c213e62a1d19b8b22325594248cd3d7fa39565a7b82e75bf509b92f503ae07a8f5f788f537f

Download Submit
C:\Windows\System\enOXibF.exe

Filesize
5.2MB

MD5
4ca218f225ebd87362b530b8383aebef

SHA1
025ff7dc78ee7c7be2853a0a63894a9ca1d872f0

SHA256
9b15024ccec6197bc58745a60d5d00343f2068be4b6d4af77457f5b5f2f4de2a

SHA512
a3b84414c50838f83c7be4fc23818d56dced42d61adc11bdbba0d897aa66860381c0607253b2bcc44e8ec1dd7eb75c18becc3f785e78693cc38e5cc169ed5a12

Download Submit
C:\Windows\System\idNxqFc.exe

Filesize
5.2MB

MD5
d20c5d897948f9dcd3ddcfd364cad815

SHA1
464d700d1e1a766142298d92a1666e6c4bdded2c

SHA256
5eb22c7e1ba7c2daa2c9a633f8524824916d5e8fc863aa8678e5f318d5a1eb03

SHA512
6a336a755d5f3d611177bfc7d6d47b0a6dc211076d4248786871ae114294851b316eac9bd0ccb8a811eb7fea6ecc0e7bbce027298df1a5bf7a37e8e24ef59ed1

Download Submit
C:\Windows\System\rpacPMn.exe

Filesize
5.2MB

MD5
f40f116713a3e6cd886b0bec05031aff

SHA1
189b4172217b81f418fef5535e33353f29084c61

SHA256
98ab55b8469f87f0f2c6f37a3ea40b494170876f0c40140293472c4202101402

SHA512
049e657db613e01889738e8ebabdc422fe320eb02fed77be00f9ec04bf609bff2464a61e28f7ba1948c64d9d73aa6bf777c558dd5f1dedc81e17e6a8e1ede9b4

Download Submit
C:\Windows\System\ygfnnul.exe

Filesize
5.2MB

MD5
0e26bcf82ab583424ac2c25ac4312dd4

SHA1
1645d5524fa21bb06fe2264cc8e0bd591b8fe145

SHA256
93a3ec20c3a92bfad87623f4b24c42bc66277cba562e84b4933631cb39598f76

SHA512
5905aa1827be6940dc3ba94f19ec85d3a0bd39864c30daf7453e2dad9f60e38ebe305ebdb802e238f1bda20e44a39230c229405bdfbabec73226aca55665c726

Download Submit
C:\Windows\System\zhchPsq.exe

Filesize
5.2MB

MD5
1e3cea020d2821d4493e8a8b651354d8

SHA1
8c8140893f5254c873ce04b99fa3c8c2db1a64f8

SHA256
1b7c949211de4d229e9ddd2063bf4a0017e04db83bb462cd6bfb6fa2d775d5e8

SHA512
2ff51aaaecb5e73c2edba34c1cd56acad7d78ba8b09fe17f97ddecc3c9640c2c9863ec401438fb73b901abe3e35b6047bff1d7db7b6562504b1fee2d5d2379de

Download Submit
memory/704-208-0x00007FF7323C0000-0x00007FF732711000-memory.dmp

Filesize
3.3MB

Download
memory/704-131-0x00007FF7323C0000-0x00007FF732711000-memory.dmp

Filesize
3.3MB

Download
memory/704-20-0x00007FF7323C0000-0x00007FF732711000-memory.dmp

Filesize
3.3MB

Download
memory/1772-250-0x00007FF67DA90000-0x00007FF67DDE1000-memory.dmp

Filesize
3.3MB

Download
memory/1772-103-0x00007FF67DA90000-0x00007FF67DDE1000-memory.dmp

Filesize
3.3MB

Download
memory/1772-144-0x00007FF67DA90000-0x00007FF67DDE1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-229-0x00007FF7FC5F0000-0x00007FF7FC941000-memory.dmp

Filesize
3.3MB

Download
memory/1872-77-0x00007FF7FC5F0000-0x00007FF7FC941000-memory.dmp

Filesize
3.3MB

Download
memory/2092-98-0x00007FF66A1D0000-0x00007FF66A521000-memory.dmp

Filesize
3.3MB

Download
memory/2092-248-0x00007FF66A1D0000-0x00007FF66A521000-memory.dmp

Filesize
3.3MB

Download
memory/2092-141-0x00007FF66A1D0000-0x00007FF66A521000-memory.dmp

Filesize
3.3MB

Download
memory/2520-204-0x00007FF7E1DA0000-0x00007FF7E20F1000-memory.dmp

Filesize
3.3MB

Download
memory/2520-9-0x00007FF7E1DA0000-0x00007FF7E20F1000-memory.dmp

Filesize
3.3MB

Download
memory/2520-129-0x00007FF7E1DA0000-0x00007FF7E20F1000-memory.dmp

Filesize
3.3MB

Download
memory/2564-101-0x00007FF70AFB0000-0x00007FF70B301000-memory.dmp

Filesize
3.3MB

Download
memory/2564-239-0x00007FF70AFB0000-0x00007FF70B301000-memory.dmp

Filesize
3.3MB

Download
memory/2660-105-0x00007FF6C15C0000-0x00007FF6C1911000-memory.dmp

Filesize
3.3MB

Download
memory/2660-148-0x00007FF6C15C0000-0x00007FF6C1911000-memory.dmp

Filesize
3.3MB

Download
memory/2660-245-0x00007FF6C15C0000-0x00007FF6C1911000-memory.dmp

Filesize
3.3MB

Download
memory/2720-106-0x00007FF757F40000-0x00007FF758291000-memory.dmp

Filesize
3.3MB

Download
memory/2720-252-0x00007FF757F40000-0x00007FF758291000-memory.dmp

Filesize
3.3MB

Download
memory/2720-149-0x00007FF757F40000-0x00007FF758291000-memory.dmp

Filesize
3.3MB

Download
memory/2840-104-0x00007FF62FBF0000-0x00007FF62FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2840-254-0x00007FF62FBF0000-0x00007FF62FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2840-146-0x00007FF62FBF0000-0x00007FF62FF41000-memory.dmp

Filesize
3.3MB

Download
memory/3012-230-0x00007FF66AD80000-0x00007FF66B0D1000-memory.dmp

Filesize
3.3MB

Download
memory/3012-108-0x00007FF66AD80000-0x00007FF66B0D1000-memory.dmp

Filesize
3.3MB

Download
memory/3388-237-0x00007FF610240000-0x00007FF610591000-memory.dmp

Filesize
3.3MB

Download
memory/3388-109-0x00007FF610240000-0x00007FF610591000-memory.dmp

Filesize
3.3MB

Download
memory/3600-91-0x00007FF7EEB20000-0x00007FF7EEE71000-memory.dmp

Filesize
3.3MB

Download
memory/3600-240-0x00007FF7EEB20000-0x00007FF7EEE71000-memory.dmp

Filesize
3.3MB

Download
memory/3788-107-0x00007FF629680000-0x00007FF6299D1000-memory.dmp

Filesize
3.3MB

Download
memory/3788-246-0x00007FF629680000-0x00007FF6299D1000-memory.dmp

Filesize
3.3MB

Download
memory/3788-145-0x00007FF629680000-0x00007FF6299D1000-memory.dmp

Filesize
3.3MB

Download
memory/3812-147-0x00007FF779410000-0x00007FF779761000-memory.dmp

Filesize
3.3MB

Download
memory/3812-111-0x00007FF779410000-0x00007FF779761000-memory.dmp

Filesize
3.3MB

Download
memory/3812-256-0x00007FF779410000-0x00007FF779761000-memory.dmp

Filesize
3.3MB

Download
memory/4120-226-0x00007FF7FED00000-0x00007FF7FF051000-memory.dmp

Filesize
3.3MB

Download
memory/4120-47-0x00007FF7FED00000-0x00007FF7FF051000-memory.dmp

Filesize
3.3MB

Download
memory/4120-133-0x00007FF7FED00000-0x00007FF7FF051000-memory.dmp

Filesize
3.3MB

Download
memory/4192-235-0x00007FF7F5370000-0x00007FF7F56C1000-memory.dmp

Filesize
3.3MB

Download
memory/4192-135-0x00007FF7F5370000-0x00007FF7F56C1000-memory.dmp

Filesize
3.3MB

Download
memory/4192-67-0x00007FF7F5370000-0x00007FF7F56C1000-memory.dmp

Filesize
3.3MB

Download
memory/4264-97-0x00007FF7891A0000-0x00007FF7894F1000-memory.dmp

Filesize
3.3MB

Download
memory/4264-233-0x00007FF7891A0000-0x00007FF7894F1000-memory.dmp

Filesize
3.3MB

Download
memory/4452-242-0x00007FF744480000-0x00007FF7447D1000-memory.dmp

Filesize
3.3MB

Download
memory/4452-102-0x00007FF744480000-0x00007FF7447D1000-memory.dmp

Filesize
3.3MB

Download
memory/4592-132-0x00007FF6CADA0000-0x00007FF6CB0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4592-224-0x00007FF6CADA0000-0x00007FF6CB0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4592-28-0x00007FF6CADA0000-0x00007FF6CB0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-206-0x00007FF728280000-0x00007FF7285D1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-12-0x00007FF728280000-0x00007FF7285D1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-130-0x00007FF728280000-0x00007FF7285D1000-memory.dmp

Filesize
3.3MB

Download
memory/4772-110-0x00007FF6CBE90000-0x00007FF6CC1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4772-140-0x00007FF6CBE90000-0x00007FF6CC1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4772-260-0x00007FF6CBE90000-0x00007FF6CC1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4912-0-0x00007FF68A230000-0x00007FF68A581000-memory.dmp

Filesize
3.3MB

Download
memory/4912-151-0x00007FF68A230000-0x00007FF68A581000-memory.dmp

Filesize
3.3MB

Download
memory/4912-128-0x00007FF68A230000-0x00007FF68A581000-memory.dmp

Filesize
3.3MB

Download
memory/4912-150-0x00007FF68A230000-0x00007FF68A581000-memory.dmp

Filesize
3.3MB

Download
memory/4912-1-0x0000026182B10000-0x0000026182B20000-memory.dmp

Filesize
64KB

Download