cobaltstrike | 00db7fe16ba046bc17654874621993135123908db5862a69502bffe886893b96

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

fb6da05c571257dcf4ccac3fef953e5d
SHA1

3616b06d087ba06dfea65ff35ddedb8e40a6d051
SHA256

00db7fe16ba046bc17654874621993135123908db5862a69502bffe886893b96
SHA512

9a5a61a169eb15c585499d829abfe3794a1b63aaf8976a75f5cfd963851e3c787d83cdd311055d4118d7aa43d6f9f561d559d24b53be7e4e2d2e01f953911afc
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lX:RWWBibf56utgpPFotBER/mQ32lUL

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023bef-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c88-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-31.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c89-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-58.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e762-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-136.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-54.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1876-73-0x00007FF71A1A0000-0x00007FF71A4F1000-memory.dmp	xmrig
behavioral2/memory/3488-87-0x00007FF722DE0000-0x00007FF723131000-memory.dmp	xmrig
behavioral2/memory/440-134-0x00007FF62D7B0000-0x00007FF62DB01000-memory.dmp	xmrig
behavioral2/memory/3696-127-0x00007FF63C2C0000-0x00007FF63C611000-memory.dmp	xmrig
behavioral2/memory/1636-126-0x00007FF7B7110000-0x00007FF7B7461000-memory.dmp	xmrig
behavioral2/memory/2768-119-0x00007FF69BDD0000-0x00007FF69C121000-memory.dmp	xmrig
behavioral2/memory/4976-112-0x00007FF7625B0000-0x00007FF762901000-memory.dmp	xmrig
behavioral2/memory/1548-106-0x00007FF67AFB0000-0x00007FF67B301000-memory.dmp	xmrig
behavioral2/memory/3128-95-0x00007FF7B3760000-0x00007FF7B3AB1000-memory.dmp	xmrig
behavioral2/memory/3820-82-0x00007FF742560000-0x00007FF7428B1000-memory.dmp	xmrig
behavioral2/memory/1476-65-0x00007FF7C67D0000-0x00007FF7C6B21000-memory.dmp	xmrig
behavioral2/memory/2948-60-0x00007FF715360000-0x00007FF7156B1000-memory.dmp	xmrig
behavioral2/memory/2948-138-0x00007FF715360000-0x00007FF7156B1000-memory.dmp	xmrig
behavioral2/memory/3952-146-0x00007FF640B30000-0x00007FF640E81000-memory.dmp	xmrig
behavioral2/memory/3520-159-0x00007FF61C790000-0x00007FF61CAE1000-memory.dmp	xmrig
behavioral2/memory/2696-157-0x00007FF642E10000-0x00007FF643161000-memory.dmp	xmrig
behavioral2/memory/4408-163-0x00007FF6B7260000-0x00007FF6B75B1000-memory.dmp	xmrig
behavioral2/memory/684-161-0x00007FF7F22C0000-0x00007FF7F2611000-memory.dmp	xmrig
behavioral2/memory/1256-160-0x00007FF644E50000-0x00007FF6451A1000-memory.dmp	xmrig
behavioral2/memory/4780-158-0x00007FF7C0D40000-0x00007FF7C1091000-memory.dmp	xmrig
behavioral2/memory/980-156-0x00007FF79B9E0000-0x00007FF79BD31000-memory.dmp	xmrig
behavioral2/memory/1032-162-0x00007FF676220000-0x00007FF676571000-memory.dmp	xmrig
behavioral2/memory/3272-154-0x00007FF637C50000-0x00007FF637FA1000-memory.dmp	xmrig
behavioral2/memory/2948-164-0x00007FF715360000-0x00007FF7156B1000-memory.dmp	xmrig
behavioral2/memory/1476-214-0x00007FF7C67D0000-0x00007FF7C6B21000-memory.dmp	xmrig
behavioral2/memory/1876-216-0x00007FF71A1A0000-0x00007FF71A4F1000-memory.dmp	xmrig
behavioral2/memory/3820-218-0x00007FF742560000-0x00007FF7428B1000-memory.dmp	xmrig
behavioral2/memory/3488-222-0x00007FF722DE0000-0x00007FF723131000-memory.dmp	xmrig
behavioral2/memory/3128-224-0x00007FF7B3760000-0x00007FF7B3AB1000-memory.dmp	xmrig
behavioral2/memory/1548-236-0x00007FF67AFB0000-0x00007FF67B301000-memory.dmp	xmrig
behavioral2/memory/2768-238-0x00007FF69BDD0000-0x00007FF69C121000-memory.dmp	xmrig
behavioral2/memory/4976-240-0x00007FF7625B0000-0x00007FF762901000-memory.dmp	xmrig
behavioral2/memory/1636-242-0x00007FF7B7110000-0x00007FF7B7461000-memory.dmp	xmrig
behavioral2/memory/440-244-0x00007FF62D7B0000-0x00007FF62DB01000-memory.dmp	xmrig
behavioral2/memory/3952-246-0x00007FF640B30000-0x00007FF640E81000-memory.dmp	xmrig
behavioral2/memory/3696-253-0x00007FF63C2C0000-0x00007FF63C611000-memory.dmp	xmrig
behavioral2/memory/1032-255-0x00007FF676220000-0x00007FF676571000-memory.dmp	xmrig
behavioral2/memory/980-257-0x00007FF79B9E0000-0x00007FF79BD31000-memory.dmp	xmrig
behavioral2/memory/4780-259-0x00007FF7C0D40000-0x00007FF7C1091000-memory.dmp	xmrig
behavioral2/memory/2696-261-0x00007FF642E10000-0x00007FF643161000-memory.dmp	xmrig
behavioral2/memory/3520-263-0x00007FF61C790000-0x00007FF61CAE1000-memory.dmp	xmrig
behavioral2/memory/1256-265-0x00007FF644E50000-0x00007FF6451A1000-memory.dmp	xmrig
behavioral2/memory/4408-268-0x00007FF6B7260000-0x00007FF6B75B1000-memory.dmp	xmrig
behavioral2/memory/684-269-0x00007FF7F22C0000-0x00007FF7F2611000-memory.dmp	xmrig
behavioral2/memory/3272-272-0x00007FF637C50000-0x00007FF637FA1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1476	ZymZjXA.exe
1876	uyeHqZD.exe
3820	mUFktiO.exe
3488	uLDXRmc.exe
3128	HYwimUa.exe
1548	lvJjufa.exe
2768	qOrBJkN.exe
4976	ZxgJavi.exe
1636	wxxQQAN.exe
3696	DeLWEXb.exe
440	FBfIscq.exe
3952	AUQQKVj.exe
3272	yOhXUxe.exe
1032	gsggaEN.exe
980	hHJgTCN.exe
2696	jxWdrsK.exe
4780	fTWXQDn.exe
3520	IMdcxHA.exe
1256	jdlRrPH.exe
684	vQZKYUk.exe
4408	GpuoBgP.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2948-0-0x00007FF715360000-0x00007FF7156B1000-memory.dmp	upx
behavioral2/files/0x000a000000023bef-5.dat	upx
behavioral2/memory/1476-6-0x00007FF7C67D0000-0x00007FF7C6B21000-memory.dmp	upx
behavioral2/files/0x0008000000023c88-9.dat	upx
behavioral2/memory/1876-16-0x00007FF71A1A0000-0x00007FF71A4F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8c-17.dat	upx
behavioral2/memory/3820-18-0x00007FF742560000-0x00007FF7428B1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8d-22.dat	upx
behavioral2/files/0x0007000000023c90-31.dat	upx
behavioral2/memory/3128-30-0x00007FF7B3760000-0x00007FF7B3AB1000-memory.dmp	upx
behavioral2/memory/3488-24-0x00007FF722DE0000-0x00007FF723131000-memory.dmp	upx
behavioral2/files/0x0008000000023c89-35.dat	upx
behavioral2/memory/1548-39-0x00007FF67AFB0000-0x00007FF67B301000-memory.dmp	upx
behavioral2/memory/2768-46-0x00007FF69BDD0000-0x00007FF69C121000-memory.dmp	upx
behavioral2/files/0x0007000000023c93-48.dat	upx
behavioral2/files/0x0007000000023c94-58.dat	upx
behavioral2/files/0x000200000001e762-57.dat	upx
behavioral2/files/0x0007000000023c95-63.dat	upx
behavioral2/memory/1876-73-0x00007FF71A1A0000-0x00007FF71A4F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-83.dat	upx
behavioral2/memory/3488-87-0x00007FF722DE0000-0x00007FF723131000-memory.dmp	upx
behavioral2/memory/1032-88-0x00007FF676220000-0x00007FF676571000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-90.dat	upx
behavioral2/files/0x0007000000023c9a-97.dat	upx
behavioral2/memory/2696-105-0x00007FF642E10000-0x00007FF643161000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-114.dat	upx
behavioral2/files/0x0007000000023c9e-124.dat	upx
behavioral2/files/0x0007000000023c9f-136.dat	upx
behavioral2/memory/4408-135-0x00007FF6B7260000-0x00007FF6B75B1000-memory.dmp	upx
behavioral2/memory/440-134-0x00007FF62D7B0000-0x00007FF62DB01000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-129.dat	upx
behavioral2/memory/684-128-0x00007FF7F22C0000-0x00007FF7F2611000-memory.dmp	upx
behavioral2/memory/3696-127-0x00007FF63C2C0000-0x00007FF63C611000-memory.dmp	upx
behavioral2/memory/1636-126-0x00007FF7B7110000-0x00007FF7B7461000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-122.dat	upx
behavioral2/memory/1256-121-0x00007FF644E50000-0x00007FF6451A1000-memory.dmp	upx
behavioral2/memory/3520-120-0x00007FF61C790000-0x00007FF61CAE1000-memory.dmp	upx
behavioral2/memory/2768-119-0x00007FF69BDD0000-0x00007FF69C121000-memory.dmp	upx
behavioral2/memory/4780-113-0x00007FF7C0D40000-0x00007FF7C1091000-memory.dmp	upx
behavioral2/memory/4976-112-0x00007FF7625B0000-0x00007FF762901000-memory.dmp	upx
behavioral2/memory/1548-106-0x00007FF67AFB0000-0x00007FF67B301000-memory.dmp	upx
behavioral2/memory/980-96-0x00007FF79B9E0000-0x00007FF79BD31000-memory.dmp	upx
behavioral2/memory/3128-95-0x00007FF7B3760000-0x00007FF7B3AB1000-memory.dmp	upx
behavioral2/memory/3272-86-0x00007FF637C50000-0x00007FF637FA1000-memory.dmp	upx
behavioral2/memory/3820-82-0x00007FF742560000-0x00007FF7428B1000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-79.dat	upx
behavioral2/files/0x0007000000023c96-77.dat	upx
behavioral2/memory/3952-74-0x00007FF640B30000-0x00007FF640E81000-memory.dmp	upx
behavioral2/memory/440-66-0x00007FF62D7B0000-0x00007FF62DB01000-memory.dmp	upx
behavioral2/memory/1476-65-0x00007FF7C67D0000-0x00007FF7C6B21000-memory.dmp	upx
behavioral2/memory/3696-64-0x00007FF63C2C0000-0x00007FF63C611000-memory.dmp	upx
behavioral2/memory/2948-60-0x00007FF715360000-0x00007FF7156B1000-memory.dmp	upx
behavioral2/memory/1636-56-0x00007FF7B7110000-0x00007FF7B7461000-memory.dmp	upx
behavioral2/files/0x0007000000023c92-54.dat	upx
behavioral2/memory/4976-51-0x00007FF7625B0000-0x00007FF762901000-memory.dmp	upx
behavioral2/memory/2948-138-0x00007FF715360000-0x00007FF7156B1000-memory.dmp	upx
behavioral2/memory/3952-146-0x00007FF640B30000-0x00007FF640E81000-memory.dmp	upx
behavioral2/memory/3520-159-0x00007FF61C790000-0x00007FF61CAE1000-memory.dmp	upx
behavioral2/memory/2696-157-0x00007FF642E10000-0x00007FF643161000-memory.dmp	upx
behavioral2/memory/4408-163-0x00007FF6B7260000-0x00007FF6B75B1000-memory.dmp	upx
behavioral2/memory/684-161-0x00007FF7F22C0000-0x00007FF7F2611000-memory.dmp	upx
behavioral2/memory/1256-160-0x00007FF644E50000-0x00007FF6451A1000-memory.dmp	upx
behavioral2/memory/4780-158-0x00007FF7C0D40000-0x00007FF7C1091000-memory.dmp	upx
behavioral2/memory/980-156-0x00007FF79B9E0000-0x00007FF79BD31000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZxgJavi.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qOrBJkN.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FBfIscq.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZymZjXA.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mUFktiO.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uLDXRmc.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gsggaEN.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hHJgTCN.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jxWdrsK.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vQZKYUk.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HYwimUa.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lvJjufa.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wxxQQAN.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fTWXQDn.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jdlRrPH.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GpuoBgP.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uyeHqZD.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AUQQKVj.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yOhXUxe.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DeLWEXb.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IMdcxHA.exe	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 1476	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2948 wrote to memory of 1476	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2948 wrote to memory of 1876	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2948 wrote to memory of 1876	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2948 wrote to memory of 3820	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2948 wrote to memory of 3820	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2948 wrote to memory of 3488	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2948 wrote to memory of 3488	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2948 wrote to memory of 3128	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2948 wrote to memory of 3128	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2948 wrote to memory of 1548	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2948 wrote to memory of 1548	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2948 wrote to memory of 4976	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2948 wrote to memory of 4976	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2948 wrote to memory of 2768	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2948 wrote to memory of 2768	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2948 wrote to memory of 1636	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2948 wrote to memory of 1636	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2948 wrote to memory of 3696	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2948 wrote to memory of 3696	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2948 wrote to memory of 440	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2948 wrote to memory of 440	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2948 wrote to memory of 3952	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2948 wrote to memory of 3952	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2948 wrote to memory of 3272	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2948 wrote to memory of 3272	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2948 wrote to memory of 1032	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2948 wrote to memory of 1032	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2948 wrote to memory of 980	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2948 wrote to memory of 980	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2948 wrote to memory of 2696	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2948 wrote to memory of 2696	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2948 wrote to memory of 4780	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2948 wrote to memory of 4780	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2948 wrote to memory of 3520	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2948 wrote to memory of 3520	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2948 wrote to memory of 1256	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2948 wrote to memory of 1256	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2948 wrote to memory of 684	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2948 wrote to memory of 684	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2948 wrote to memory of 4408	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2948 wrote to memory of 4408	2948	2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-22_fb6da05c571257dcf4ccac3fef953e5d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\System\ZymZjXA.exe
  C:\Windows\System\ZymZjXA.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\uyeHqZD.exe
  C:\Windows\System\uyeHqZD.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\mUFktiO.exe
  C:\Windows\System\mUFktiO.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System\uLDXRmc.exe
  C:\Windows\System\uLDXRmc.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System\HYwimUa.exe
  C:\Windows\System\HYwimUa.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\lvJjufa.exe
  C:\Windows\System\lvJjufa.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\ZxgJavi.exe
  C:\Windows\System\ZxgJavi.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\qOrBJkN.exe
  C:\Windows\System\qOrBJkN.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\wxxQQAN.exe
  C:\Windows\System\wxxQQAN.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\DeLWEXb.exe
  C:\Windows\System\DeLWEXb.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\FBfIscq.exe
  C:\Windows\System\FBfIscq.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System\AUQQKVj.exe
  C:\Windows\System\AUQQKVj.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\yOhXUxe.exe
  C:\Windows\System\yOhXUxe.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\gsggaEN.exe
  C:\Windows\System\gsggaEN.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System\hHJgTCN.exe
  C:\Windows\System\hHJgTCN.exe
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\System\jxWdrsK.exe
  C:\Windows\System\jxWdrsK.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\fTWXQDn.exe
  C:\Windows\System\fTWXQDn.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\IMdcxHA.exe
  C:\Windows\System\IMdcxHA.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System\jdlRrPH.exe
  C:\Windows\System\jdlRrPH.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System\vQZKYUk.exe
  C:\Windows\System\vQZKYUk.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System\GpuoBgP.exe
  C:\Windows\System\GpuoBgP.exe
  2⤵
  - Executes dropped EXE
  PID:4408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AUQQKVj.exe

Filesize
5.2MB

MD5
260c9781ea7c86f21043e3934889115c

SHA1
7e6f7deb2f6fe63fe2f0c16521257abe450d7411

SHA256
b6b2ebdcd8d53c0fe5eac9b07bed5f714b61dcc4a2dddee470f8ff686a7e99bd

SHA512
3868763f2e5e9ff0439a40e950df9b4836a7bb9c2b59648fe0e2fd2ec8ddad406f996a48775a909c1a0707cea2ff0fbed1998efaa2dd6c89756781880bdc991d

Download Submit
C:\Windows\System\DeLWEXb.exe

Filesize
5.2MB

MD5
b9fb8feed52e2592f7c5555089d37fc8

SHA1
5c2b4a6a47f60a42a5df1c1ce29eef1c8ab2e2d5

SHA256
3bf8ea042926df61a971f56c13e8e6589dfd49a394ffd83268e352531ca13aba

SHA512
ef5bda3471d53cf5e7c6b8e7bdad8e9b6b7aa8452c76b07ddc4617782894ce768e973b5524367997b266af1522fc6b1eb5e27020c6c52a2c9955781fcc4db398

Download Submit
C:\Windows\System\FBfIscq.exe

Filesize
5.2MB

MD5
42eefb2d0c493adc13dcd58212dae655

SHA1
7c712c39a3d9e79a5b47801c5cb54e50f11b4b46

SHA256
f855f523008a22f9692d192a48bd954b66b4350ab75d5ed119cd0143179dbe21

SHA512
6c9a393bf193a013aceebd3a6a40e6cc0708405223aad9567b4aca4927a8d22fbcdc5838a1834944aa4451601889381b4c24200f5b660320431556055b45c1ba

Download Submit
C:\Windows\System\GpuoBgP.exe

Filesize
5.2MB

MD5
aee354b1b952def9c961c46af3e9b9e3

SHA1
a8a5e8b3dfc835178d6f9adbff186e3d48f40cae

SHA256
e0d7d74347902c272d040d2140ab319c560ab48b0156ec67fd73d32ec920bae6

SHA512
e85a230e71f53913b4cd1311269c472ea16dfc111e723c2f2c893a78b54a80d271b3ac688acf9405e151a58562e84c51a567bae4f973bbe72a0fc40228538545

Download Submit
C:\Windows\System\HYwimUa.exe

Filesize
5.2MB

MD5
c18713aaa264114389e5e3dc59e25fae

SHA1
2ebaf96e24400a3e6727e3f3ae2654902bf7267e

SHA256
0c1eca311e8afc341c5ec24b8d1e3d45372cee825d3a6b41961f97e996566d18

SHA512
9638cb3d75a18f19b3246646e9c0eb948d506638870e6c569ee9d247d9feed331c55c22ea23d31ea1ec599fecbca6d07ab773827792143ade770e6e998a863f5

Download Submit
C:\Windows\System\IMdcxHA.exe

Filesize
5.2MB

MD5
67d2cb1cbe126864bd8b38b147ca7508

SHA1
074e6091fe3c97e192c136b85a636795ccfd11b7

SHA256
d2d0ed2fa59b000b8ca9314e419109d582218c5e022f3e5dadf4ee14c9ac5ed0

SHA512
9a2134eb5f610532cb86363aabfc559fadfc081b0066020f143f8482cdf84eebfb3fc35466c74ff195293471158a73c8ffa29727ed93c2e8e39e286ac40546d1

Download Submit
C:\Windows\System\ZxgJavi.exe

Filesize
5.2MB

MD5
5f7ccf6231f3cec6ef6eb0839b68a0ba

SHA1
8eaa5002b2a407ef0d6b8b268b8401aaeefa04c9

SHA256
fca510f21a7264c9ef11d23ae51722bcf07e965091ecf91c18017e37e20ed2e9

SHA512
e10af0fe0efa8e574b051dadb7d599143fb78e0528b4851dfc199682514d43fdbce99bddc4ea2ed273d39859a8cbe63f62a74b9751761358238fd003ff67b0a3

Download Submit
C:\Windows\System\ZymZjXA.exe

Filesize
5.2MB

MD5
619b2ab77742ae481567a4d1eecff8fc

SHA1
4f51fd180c0cda944cf672ac5f9503805f2a7042

SHA256
2afb835de07b1f95cc53fe14dcca86aa7e57da398650ba4f948a0a3d0c6e0478

SHA512
02afc9a36e341a55bc8a921d2b715d81514327085e00383b662f48dfcadf65fd0a56e0970cc0eebb40521c8d76d3b0449f6fbf3cc50f150ee94440e92f296766

Download Submit
C:\Windows\System\fTWXQDn.exe

Filesize
5.2MB

MD5
5a36bc7b9e4e51e3f8de098d29203881

SHA1
9c8e271389d684aa93b3278946908579ff26c0d9

SHA256
c5ecc127379d57686a7266804fc7268139c7ad18597859391ad3f8ce81b610fa

SHA512
b926c06468d80316821713a354d0aee8e4393900ca7c411bb09fe7578684e07c190d0c21b8aac607dab2bd5267ce5bd51d8b8d965ad9b057652925d428fa831b

Download Submit
C:\Windows\System\gsggaEN.exe

Filesize
5.2MB

MD5
0e1d515b76119b20b56b1bdd7fed799f

SHA1
f2ac53c89333cb46e9109da356c60c81b60a1dd0

SHA256
1756f2d2cd23597f1003139531c9f19c7545a26577f307ddf79c81ae52b2842f

SHA512
434d35818700e741cadba8c01ef1b5498e141116a4e5c177fef815316f05a50c6665efe073e2d64ffce30ac634c845fda36fb7aca42d3a19b6ef8c1449627995

Download Submit
C:\Windows\System\hHJgTCN.exe

Filesize
5.2MB

MD5
9585b4a0c52177ea2969b49f2cf71b27

SHA1
1252077f58e7fe09454bdcf7f3aa62a52cad8c71

SHA256
60594e6216b9d942e6683e331b071c0e2d7d23beb95ea25598d8668b9d0c4b41

SHA512
1320972dd7138c4d0a4e89a3ecddd08c271d525de7414397271a3e1c6f331003b8559576ba411c6245d700f038b93e6ab8a191fd12efa2f7c5676966c141ea3b

Download Submit
C:\Windows\System\jdlRrPH.exe

Filesize
5.2MB

MD5
7e1404e2cd287fd475bda892d897ab54

SHA1
95e3a498a600c9f48688b7d28f062c9ea0c04380

SHA256
d9b084a2cf9a59ebdfea7231b0474def719adc7e124fbd226cd801d180bd0447

SHA512
e7c061536467446a00362787cf7a7735cbe1616d02c5c0e245640a1ee6e7dd4b3971e1d48af252acff41d3b9503a057ad05b7d00b4dc867a9a4155cefc470b84

Download Submit
C:\Windows\System\jxWdrsK.exe

Filesize
5.2MB

MD5
ec89a000bf85f926d4e72e34957cb1f0

SHA1
e3d3d374427287d016e457bb649c3eef89416e37

SHA256
7e1fc06281baa2337162e5cd9b58aad604116e6267dc626ca7c82f9fb09282ed

SHA512
a091f4791e77ced7ffe86460342fc1230e89bc7ab345057be1018955cc5fb84968ac00645d348cac0cb4571708bb8598616b69d93fce92c4460cb14e8e955daf

Download Submit
C:\Windows\System\lvJjufa.exe

Filesize
5.2MB

MD5
a38a2b341529f15106234d6eb754e18f

SHA1
aec8f896b4f595c03da0634a68ffd5d56b9264b7

SHA256
ea2c022800a27cbc0c1114e24db0e33691ea27593087f7c40f30a01e9785bc12

SHA512
e93cd1d469ab7359d5742c1c6b5272937898158aba04b6cb721963d51843497640683b2904949c546ad7a82cf6e36580a5204037de8aab35e0ee18af60dde478

Download Submit
C:\Windows\System\mUFktiO.exe

Filesize
5.2MB

MD5
ec1564a365a8f3f1649b42fd8c8bf3d4

SHA1
7f4e9490f6aacbfe15810080227ad5397684531e

SHA256
4a612c7b5548604744abd5eaef2d623135e4512179c58bd48ce5937d007ac96b

SHA512
a5d86eb9765d81dc120aa60d09c031336276bf3357d50411858bb71c35dc2dae68d5d881506916e7c2ca340f07acf84fcc384d1af866234e1525aec13bb62159

Download Submit
C:\Windows\System\qOrBJkN.exe

Filesize
5.2MB

MD5
f34d978715680ebd6c9e303f5d53f4cf

SHA1
2a2b00afb0af5552ceb40d9ffea4f9897e409cef

SHA256
09866bb2939eff813267b44d1ca79c9c7e4026d99811856fecb8397800e9d7bd

SHA512
743921273f1462b5ff77cb68e9710d4e50007ea014b37764c8ba7aab756e1c08efff10c20c16b13bd9c4d846578f6cba35987d558bf5c21e5cf6049abaa7b0c9

Download Submit
C:\Windows\System\uLDXRmc.exe

Filesize
5.2MB

MD5
28c5b83bdb0bbbcd1f72e15229d40ab2

SHA1
170d15893784a73b2267846192fb8c50d4a71a99

SHA256
02e01afc162ceb11232d0ecdd2a33c3e10bed3c861a8835b75410cb65d3b47a4

SHA512
30dd43dc2f520768337456af525c46d8fb1cf303d35bccc793da18b03b132445f4753ef75a1362ae8b9995b93046cbd1433248604a9d5a605d0f7b96385e7bdc

Download Submit
C:\Windows\System\uyeHqZD.exe

Filesize
5.2MB

MD5
af9933666d75bfc9b69ca818dfb6210a

SHA1
e09779fe0a423c03bf9d68ecbb1aac8596bd916a

SHA256
31e1ac26b44a005459ab96f1bb7f5d53de0f44a3122bf7c03dcab1fdc8379a9e

SHA512
63d2e79bbf340f19452a6b28e9fae93b18c74dee202004777b6a15f184ee65f2576e777874f69176d8ff872013ba54ba73b05b0a17c99203db66cc68fbd0b4ef

Download Submit
C:\Windows\System\vQZKYUk.exe

Filesize
5.2MB

MD5
fcf8beb0bacb0295c0b6beb2dded3c6d

SHA1
db4ae02ecc19b9ac2f7ca7b3ba7facae2fcfacc7

SHA256
8a2df5f558f11e13a4f532a69b4fd4c1f175b1a0c8781af1d9d15afcff4c244d

SHA512
ce8459b46b50a19b4c926c6c9fa620e9b8b047e436144e58aa7b96d1a2d7ab801954a10ec0c3842d45fa8b1ba9897507f7197a5a5c9432727ec8b1dd539811a8

Download Submit
C:\Windows\System\wxxQQAN.exe

Filesize
5.2MB

MD5
62f8db2768d19468747af072656dca48

SHA1
16e2a1d1b2d9acfd190cf1b45ca0872f28cecb74

SHA256
649f6bfd87afb6cfeb48e440fcb56d068a8ddec40564df94894f09d6881856c3

SHA512
10f05c6bff68fdb41ddad3b89bf548cc115d5c24874f8ba1a9200dfaf40446908468b027dd727626e60c09ab17df88a19fc5d6987a2cac302119436b723564c3

Download Submit
C:\Windows\System\yOhXUxe.exe

Filesize
5.2MB

MD5
dda1ab3991bb5c4ccf0afca451b7ee7a

SHA1
d15849b3ce92696e244ea8c10844f71f01bb5ea5

SHA256
9c730a3857223fe0eb773d56575682724b5dd0c3ab3c7625f1b24cb65fc2ae1d

SHA512
e1e6f9579a8b0967f9ff7f0eb25c5742504d39362f1887935ad2f4b214663f35102e031cf54c3656f25f3f0e2d9dbee4ded541e14690a9630d1b54e6c193b489

Download Submit
memory/440-244-0x00007FF62D7B0000-0x00007FF62DB01000-memory.dmp

Filesize
3.3MB

Download
memory/440-134-0x00007FF62D7B0000-0x00007FF62DB01000-memory.dmp

Filesize
3.3MB

Download
memory/440-66-0x00007FF62D7B0000-0x00007FF62DB01000-memory.dmp

Filesize
3.3MB

Download
memory/684-269-0x00007FF7F22C0000-0x00007FF7F2611000-memory.dmp

Filesize
3.3MB

Download
memory/684-128-0x00007FF7F22C0000-0x00007FF7F2611000-memory.dmp

Filesize
3.3MB

Download
memory/684-161-0x00007FF7F22C0000-0x00007FF7F2611000-memory.dmp

Filesize
3.3MB

Download
memory/980-96-0x00007FF79B9E0000-0x00007FF79BD31000-memory.dmp

Filesize
3.3MB

Download
memory/980-257-0x00007FF79B9E0000-0x00007FF79BD31000-memory.dmp

Filesize
3.3MB

Download
memory/980-156-0x00007FF79B9E0000-0x00007FF79BD31000-memory.dmp

Filesize
3.3MB

Download
memory/1032-255-0x00007FF676220000-0x00007FF676571000-memory.dmp

Filesize
3.3MB

Download
memory/1032-88-0x00007FF676220000-0x00007FF676571000-memory.dmp

Filesize
3.3MB

Download
memory/1032-162-0x00007FF676220000-0x00007FF676571000-memory.dmp

Filesize
3.3MB

Download
memory/1256-160-0x00007FF644E50000-0x00007FF6451A1000-memory.dmp

Filesize
3.3MB

Download
memory/1256-265-0x00007FF644E50000-0x00007FF6451A1000-memory.dmp

Filesize
3.3MB

Download
memory/1256-121-0x00007FF644E50000-0x00007FF6451A1000-memory.dmp

Filesize
3.3MB

Download
memory/1476-65-0x00007FF7C67D0000-0x00007FF7C6B21000-memory.dmp

Filesize
3.3MB

Download
memory/1476-6-0x00007FF7C67D0000-0x00007FF7C6B21000-memory.dmp

Filesize
3.3MB

Download
memory/1476-214-0x00007FF7C67D0000-0x00007FF7C6B21000-memory.dmp

Filesize
3.3MB

Download
memory/1548-39-0x00007FF67AFB0000-0x00007FF67B301000-memory.dmp

Filesize
3.3MB

Download
memory/1548-106-0x00007FF67AFB0000-0x00007FF67B301000-memory.dmp

Filesize
3.3MB

Download
memory/1548-236-0x00007FF67AFB0000-0x00007FF67B301000-memory.dmp

Filesize
3.3MB

Download
memory/1636-56-0x00007FF7B7110000-0x00007FF7B7461000-memory.dmp

Filesize
3.3MB

Download
memory/1636-126-0x00007FF7B7110000-0x00007FF7B7461000-memory.dmp

Filesize
3.3MB

Download
memory/1636-242-0x00007FF7B7110000-0x00007FF7B7461000-memory.dmp

Filesize
3.3MB

Download
memory/1876-16-0x00007FF71A1A0000-0x00007FF71A4F1000-memory.dmp

Filesize
3.3MB

Download
memory/1876-216-0x00007FF71A1A0000-0x00007FF71A4F1000-memory.dmp

Filesize
3.3MB

Download
memory/1876-73-0x00007FF71A1A0000-0x00007FF71A4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-105-0x00007FF642E10000-0x00007FF643161000-memory.dmp

Filesize
3.3MB

Download
memory/2696-157-0x00007FF642E10000-0x00007FF643161000-memory.dmp

Filesize
3.3MB

Download
memory/2696-261-0x00007FF642E10000-0x00007FF643161000-memory.dmp

Filesize
3.3MB

Download
memory/2768-119-0x00007FF69BDD0000-0x00007FF69C121000-memory.dmp

Filesize
3.3MB

Download
memory/2768-46-0x00007FF69BDD0000-0x00007FF69C121000-memory.dmp

Filesize
3.3MB

Download
memory/2768-238-0x00007FF69BDD0000-0x00007FF69C121000-memory.dmp

Filesize
3.3MB

Download
memory/2948-164-0x00007FF715360000-0x00007FF7156B1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-0-0x00007FF715360000-0x00007FF7156B1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-138-0x00007FF715360000-0x00007FF7156B1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-1-0x00000256023D0000-0x00000256023E0000-memory.dmp

Filesize
64KB

Download
memory/2948-60-0x00007FF715360000-0x00007FF7156B1000-memory.dmp

Filesize
3.3MB

Download
memory/3128-30-0x00007FF7B3760000-0x00007FF7B3AB1000-memory.dmp

Filesize
3.3MB

Download
memory/3128-95-0x00007FF7B3760000-0x00007FF7B3AB1000-memory.dmp

Filesize
3.3MB

Download
memory/3128-224-0x00007FF7B3760000-0x00007FF7B3AB1000-memory.dmp

Filesize
3.3MB

Download
memory/3272-272-0x00007FF637C50000-0x00007FF637FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3272-86-0x00007FF637C50000-0x00007FF637FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3272-154-0x00007FF637C50000-0x00007FF637FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3488-24-0x00007FF722DE0000-0x00007FF723131000-memory.dmp

Filesize
3.3MB

Download
memory/3488-87-0x00007FF722DE0000-0x00007FF723131000-memory.dmp

Filesize
3.3MB

Download
memory/3488-222-0x00007FF722DE0000-0x00007FF723131000-memory.dmp

Filesize
3.3MB

Download
memory/3520-159-0x00007FF61C790000-0x00007FF61CAE1000-memory.dmp

Filesize
3.3MB

Download
memory/3520-263-0x00007FF61C790000-0x00007FF61CAE1000-memory.dmp

Filesize
3.3MB

Download
memory/3520-120-0x00007FF61C790000-0x00007FF61CAE1000-memory.dmp

Filesize
3.3MB

Download
memory/3696-253-0x00007FF63C2C0000-0x00007FF63C611000-memory.dmp

Filesize
3.3MB

Download
memory/3696-64-0x00007FF63C2C0000-0x00007FF63C611000-memory.dmp

Filesize
3.3MB

Download
memory/3696-127-0x00007FF63C2C0000-0x00007FF63C611000-memory.dmp

Filesize
3.3MB

Download
memory/3820-82-0x00007FF742560000-0x00007FF7428B1000-memory.dmp

Filesize
3.3MB

Download
memory/3820-18-0x00007FF742560000-0x00007FF7428B1000-memory.dmp

Filesize
3.3MB

Download
memory/3820-218-0x00007FF742560000-0x00007FF7428B1000-memory.dmp

Filesize
3.3MB

Download
memory/3952-74-0x00007FF640B30000-0x00007FF640E81000-memory.dmp

Filesize
3.3MB

Download
memory/3952-246-0x00007FF640B30000-0x00007FF640E81000-memory.dmp

Filesize
3.3MB

Download
memory/3952-146-0x00007FF640B30000-0x00007FF640E81000-memory.dmp

Filesize
3.3MB

Download
memory/4408-135-0x00007FF6B7260000-0x00007FF6B75B1000-memory.dmp

Filesize
3.3MB

Download
memory/4408-268-0x00007FF6B7260000-0x00007FF6B75B1000-memory.dmp

Filesize
3.3MB

Download
memory/4408-163-0x00007FF6B7260000-0x00007FF6B75B1000-memory.dmp

Filesize
3.3MB

Download
memory/4780-158-0x00007FF7C0D40000-0x00007FF7C1091000-memory.dmp

Filesize
3.3MB

Download
memory/4780-259-0x00007FF7C0D40000-0x00007FF7C1091000-memory.dmp

Filesize
3.3MB

Download
memory/4780-113-0x00007FF7C0D40000-0x00007FF7C1091000-memory.dmp

Filesize
3.3MB

Download
memory/4976-51-0x00007FF7625B0000-0x00007FF762901000-memory.dmp

Filesize
3.3MB

Download
memory/4976-112-0x00007FF7625B0000-0x00007FF762901000-memory.dmp

Filesize
3.3MB

Download
memory/4976-240-0x00007FF7625B0000-0x00007FF762901000-memory.dmp

Filesize
3.3MB

Download