cobaltstrike | 1ffdc01ad3a5f413c2a3cdf2f08431dbe30ef60052d49dcf866b19b127ec529e

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2025, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

01d2d9592258c7018b77f91d05eec946
SHA1

86ed62d47f6eebfd35745a3c02e9e70e02005318
SHA256

1ffdc01ad3a5f413c2a3cdf2f08431dbe30ef60052d49dcf866b19b127ec529e
SHA512

f146f611887a740bae3d2d90a35ccedb644d7624601c8ab59ee0e7ef93607c69cd719d75018151560273fd1f7d9581c872953124f6e6c617a2ab82fff4b12a64
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l6:RWWBibf56utgpPFotBER/mQ32lUm

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023c21-4.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca9-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-20.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-70.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca7-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-137.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-145.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1644-68-0x00007FF7E1300000-0x00007FF7E1651000-memory.dmp	xmrig
behavioral2/memory/4440-65-0x00007FF6F2A30000-0x00007FF6F2D81000-memory.dmp	xmrig
behavioral2/memory/1720-59-0x00007FF65DBD0000-0x00007FF65DF21000-memory.dmp	xmrig
behavioral2/memory/5092-53-0x00007FF606DB0000-0x00007FF607101000-memory.dmp	xmrig
behavioral2/memory/2672-96-0x00007FF6C1D10000-0x00007FF6C2061000-memory.dmp	xmrig
behavioral2/memory/3660-106-0x00007FF624F50000-0x00007FF6252A1000-memory.dmp	xmrig
behavioral2/memory/3780-105-0x00007FF6709C0000-0x00007FF670D11000-memory.dmp	xmrig
behavioral2/memory/1804-104-0x00007FF74B180000-0x00007FF74B4D1000-memory.dmp	xmrig
behavioral2/memory/2428-95-0x00007FF7319A0000-0x00007FF731CF1000-memory.dmp	xmrig
behavioral2/memory/1060-85-0x00007FF7B7C40000-0x00007FF7B7F91000-memory.dmp	xmrig
behavioral2/memory/4876-84-0x00007FF7E4AC0000-0x00007FF7E4E11000-memory.dmp	xmrig
behavioral2/memory/4784-123-0x00007FF60F5B0000-0x00007FF60F901000-memory.dmp	xmrig
behavioral2/memory/2020-142-0x00007FF61DE70000-0x00007FF61E1C1000-memory.dmp	xmrig
behavioral2/memory/116-122-0x00007FF637B10000-0x00007FF637E61000-memory.dmp	xmrig
behavioral2/memory/2904-148-0x00007FF7AB7B0000-0x00007FF7ABB01000-memory.dmp	xmrig
behavioral2/memory/2192-147-0x00007FF7CA370000-0x00007FF7CA6C1000-memory.dmp	xmrig
behavioral2/memory/4896-149-0x00007FF742850000-0x00007FF742BA1000-memory.dmp	xmrig
behavioral2/memory/4664-154-0x00007FF665DF0000-0x00007FF666141000-memory.dmp	xmrig
behavioral2/memory/2616-155-0x00007FF69A4E0000-0x00007FF69A831000-memory.dmp	xmrig
behavioral2/memory/4876-156-0x00007FF7E4AC0000-0x00007FF7E4E11000-memory.dmp	xmrig
behavioral2/memory/2496-168-0x00007FF68B6D0000-0x00007FF68BA21000-memory.dmp	xmrig
behavioral2/memory/432-169-0x00007FF76F5C0000-0x00007FF76F911000-memory.dmp	xmrig
behavioral2/memory/4760-173-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp	xmrig
behavioral2/memory/4876-180-0x00007FF7E4AC0000-0x00007FF7E4E11000-memory.dmp	xmrig
behavioral2/memory/1060-215-0x00007FF7B7C40000-0x00007FF7B7F91000-memory.dmp	xmrig
behavioral2/memory/2428-217-0x00007FF7319A0000-0x00007FF731CF1000-memory.dmp	xmrig
behavioral2/memory/1804-219-0x00007FF74B180000-0x00007FF74B4D1000-memory.dmp	xmrig
behavioral2/memory/3780-221-0x00007FF6709C0000-0x00007FF670D11000-memory.dmp	xmrig
behavioral2/memory/3660-224-0x00007FF624F50000-0x00007FF6252A1000-memory.dmp	xmrig
behavioral2/memory/5092-225-0x00007FF606DB0000-0x00007FF607101000-memory.dmp	xmrig
behavioral2/memory/1720-227-0x00007FF65DBD0000-0x00007FF65DF21000-memory.dmp	xmrig
behavioral2/memory/1644-235-0x00007FF7E1300000-0x00007FF7E1651000-memory.dmp	xmrig
behavioral2/memory/116-234-0x00007FF637B10000-0x00007FF637E61000-memory.dmp	xmrig
behavioral2/memory/4784-232-0x00007FF60F5B0000-0x00007FF60F901000-memory.dmp	xmrig
behavioral2/memory/4440-230-0x00007FF6F2A30000-0x00007FF6F2D81000-memory.dmp	xmrig
behavioral2/memory/2192-247-0x00007FF7CA370000-0x00007FF7CA6C1000-memory.dmp	xmrig
behavioral2/memory/2904-249-0x00007FF7AB7B0000-0x00007FF7ABB01000-memory.dmp	xmrig
behavioral2/memory/2672-251-0x00007FF6C1D10000-0x00007FF6C2061000-memory.dmp	xmrig
behavioral2/memory/4896-253-0x00007FF742850000-0x00007FF742BA1000-memory.dmp	xmrig
behavioral2/memory/4664-256-0x00007FF665DF0000-0x00007FF666141000-memory.dmp	xmrig
behavioral2/memory/2616-257-0x00007FF69A4E0000-0x00007FF69A831000-memory.dmp	xmrig
behavioral2/memory/2020-264-0x00007FF61DE70000-0x00007FF61E1C1000-memory.dmp	xmrig
behavioral2/memory/2496-266-0x00007FF68B6D0000-0x00007FF68BA21000-memory.dmp	xmrig
behavioral2/memory/432-268-0x00007FF76F5C0000-0x00007FF76F911000-memory.dmp	xmrig
behavioral2/memory/4760-270-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1060	lVWRvVM.exe
2428	RRgrQeR.exe
1804	kEZBtVy.exe
3780	MtjuNST.exe
5092	Owxlvxf.exe
3660	SzeBQIb.exe
1720	hZxrwRc.exe
4784	Daqydtw.exe
4440	BPEVeSp.exe
1644	RJrWXJd.exe
116	AnZJSue.exe
2192	fVCbWtl.exe
2904	lknMeSP.exe
4896	PQFteAx.exe
2672	nTNneJm.exe
4664	fKNjHky.exe
2616	FxdlNUR.exe
2496	cqOowlo.exe
432	mWxMokG.exe
2020	DMbQhvk.exe
4760	CFcDdKY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4876-0-0x00007FF7E4AC0000-0x00007FF7E4E11000-memory.dmp	upx
behavioral2/files/0x000a000000023c21-4.dat	upx
behavioral2/memory/1060-9-0x00007FF7B7C40000-0x00007FF7B7F91000-memory.dmp	upx
behavioral2/files/0x0008000000023ca9-12.dat	upx
behavioral2/files/0x0007000000023cab-20.dat	upx
behavioral2/files/0x0007000000023caa-25.dat	upx
behavioral2/files/0x0007000000023caf-40.dat	upx
behavioral2/files/0x0007000000023cad-45.dat	upx
behavioral2/files/0x0007000000023cb0-56.dat	upx
behavioral2/memory/116-62-0x00007FF637B10000-0x00007FF637E61000-memory.dmp	upx
behavioral2/files/0x0007000000023cb2-66.dat	upx
behavioral2/memory/1644-68-0x00007FF7E1300000-0x00007FF7E1651000-memory.dmp	upx
behavioral2/memory/4440-65-0x00007FF6F2A30000-0x00007FF6F2D81000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-63.dat	upx
behavioral2/memory/1720-59-0x00007FF65DBD0000-0x00007FF65DF21000-memory.dmp	upx
behavioral2/memory/5092-53-0x00007FF606DB0000-0x00007FF607101000-memory.dmp	upx
behavioral2/memory/4784-47-0x00007FF60F5B0000-0x00007FF60F901000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-44.dat	upx
behavioral2/memory/3660-39-0x00007FF624F50000-0x00007FF6252A1000-memory.dmp	upx
behavioral2/memory/3780-33-0x00007FF6709C0000-0x00007FF670D11000-memory.dmp	upx
behavioral2/files/0x0007000000023cac-32.dat	upx
behavioral2/memory/1804-19-0x00007FF74B180000-0x00007FF74B4D1000-memory.dmp	upx
behavioral2/memory/2428-17-0x00007FF7319A0000-0x00007FF731CF1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb3-70.dat	upx
behavioral2/memory/2192-72-0x00007FF7CA370000-0x00007FF7CA6C1000-memory.dmp	upx
behavioral2/files/0x0008000000023ca7-75.dat	upx
behavioral2/files/0x0007000000023cb5-89.dat	upx
behavioral2/files/0x0007000000023cb4-92.dat	upx
behavioral2/files/0x0007000000023cb6-97.dat	upx
behavioral2/memory/2672-96-0x00007FF6C1D10000-0x00007FF6C2061000-memory.dmp	upx
behavioral2/files/0x0007000000023cb7-103.dat	upx
behavioral2/memory/2616-107-0x00007FF69A4E0000-0x00007FF69A831000-memory.dmp	upx
behavioral2/memory/3660-106-0x00007FF624F50000-0x00007FF6252A1000-memory.dmp	upx
behavioral2/memory/3780-105-0x00007FF6709C0000-0x00007FF670D11000-memory.dmp	upx
behavioral2/memory/1804-104-0x00007FF74B180000-0x00007FF74B4D1000-memory.dmp	upx
behavioral2/memory/4664-101-0x00007FF665DF0000-0x00007FF666141000-memory.dmp	upx
behavioral2/memory/2428-95-0x00007FF7319A0000-0x00007FF731CF1000-memory.dmp	upx
behavioral2/memory/4896-91-0x00007FF742850000-0x00007FF742BA1000-memory.dmp	upx
behavioral2/memory/1060-85-0x00007FF7B7C40000-0x00007FF7B7F91000-memory.dmp	upx
behavioral2/memory/4876-84-0x00007FF7E4AC0000-0x00007FF7E4E11000-memory.dmp	upx
behavioral2/memory/2904-77-0x00007FF7AB7B0000-0x00007FF7ABB01000-memory.dmp	upx
behavioral2/memory/4784-123-0x00007FF60F5B0000-0x00007FF60F901000-memory.dmp	upx
behavioral2/files/0x0007000000023cb9-133.dat	upx
behavioral2/files/0x0007000000023cb8-135.dat	upx
behavioral2/files/0x0007000000023cba-137.dat	upx
behavioral2/files/0x0007000000023cbb-145.dat	upx
behavioral2/memory/4760-144-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp	upx
behavioral2/memory/2020-142-0x00007FF61DE70000-0x00007FF61E1C1000-memory.dmp	upx
behavioral2/memory/432-140-0x00007FF76F5C0000-0x00007FF76F911000-memory.dmp	upx
behavioral2/memory/2496-132-0x00007FF68B6D0000-0x00007FF68BA21000-memory.dmp	upx
behavioral2/memory/116-122-0x00007FF637B10000-0x00007FF637E61000-memory.dmp	upx
behavioral2/memory/2904-148-0x00007FF7AB7B0000-0x00007FF7ABB01000-memory.dmp	upx
behavioral2/memory/2192-147-0x00007FF7CA370000-0x00007FF7CA6C1000-memory.dmp	upx
behavioral2/memory/4896-149-0x00007FF742850000-0x00007FF742BA1000-memory.dmp	upx
behavioral2/memory/4664-154-0x00007FF665DF0000-0x00007FF666141000-memory.dmp	upx
behavioral2/memory/2616-155-0x00007FF69A4E0000-0x00007FF69A831000-memory.dmp	upx
behavioral2/memory/4876-156-0x00007FF7E4AC0000-0x00007FF7E4E11000-memory.dmp	upx
behavioral2/memory/2496-168-0x00007FF68B6D0000-0x00007FF68BA21000-memory.dmp	upx
behavioral2/memory/432-169-0x00007FF76F5C0000-0x00007FF76F911000-memory.dmp	upx
behavioral2/memory/4760-173-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp	upx
behavioral2/memory/4876-180-0x00007FF7E4AC0000-0x00007FF7E4E11000-memory.dmp	upx
behavioral2/memory/1060-215-0x00007FF7B7C40000-0x00007FF7B7F91000-memory.dmp	upx
behavioral2/memory/2428-217-0x00007FF7319A0000-0x00007FF731CF1000-memory.dmp	upx
behavioral2/memory/1804-219-0x00007FF74B180000-0x00007FF74B4D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\fKNjHky.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CFcDdKY.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kEZBtVy.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MtjuNST.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AnZJSue.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Daqydtw.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RJrWXJd.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fVCbWtl.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BPEVeSp.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lknMeSP.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FxdlNUR.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mWxMokG.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lVWRvVM.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Owxlvxf.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SzeBQIb.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nTNneJm.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cqOowlo.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DMbQhvk.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RRgrQeR.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hZxrwRc.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PQFteAx.exe	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 1060	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4876 wrote to memory of 1060	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4876 wrote to memory of 2428	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4876 wrote to memory of 2428	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4876 wrote to memory of 1804	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4876 wrote to memory of 1804	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4876 wrote to memory of 3780	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4876 wrote to memory of 3780	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4876 wrote to memory of 5092	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4876 wrote to memory of 5092	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4876 wrote to memory of 3660	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4876 wrote to memory of 3660	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4876 wrote to memory of 1720	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4876 wrote to memory of 1720	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4876 wrote to memory of 4784	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4876 wrote to memory of 4784	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4876 wrote to memory of 4440	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4876 wrote to memory of 4440	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4876 wrote to memory of 1644	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4876 wrote to memory of 1644	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4876 wrote to memory of 116	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4876 wrote to memory of 116	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4876 wrote to memory of 2192	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4876 wrote to memory of 2192	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4876 wrote to memory of 2904	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4876 wrote to memory of 2904	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4876 wrote to memory of 4896	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4876 wrote to memory of 4896	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4876 wrote to memory of 2672	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4876 wrote to memory of 2672	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4876 wrote to memory of 4664	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4876 wrote to memory of 4664	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4876 wrote to memory of 2616	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4876 wrote to memory of 2616	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4876 wrote to memory of 2496	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4876 wrote to memory of 2496	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4876 wrote to memory of 432	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4876 wrote to memory of 432	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4876 wrote to memory of 2020	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4876 wrote to memory of 2020	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4876 wrote to memory of 4760	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4876 wrote to memory of 4760	4876	2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-03_01d2d9592258c7018b77f91d05eec946_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\System\lVWRvVM.exe
  C:\Windows\System\lVWRvVM.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\RRgrQeR.exe
  C:\Windows\System\RRgrQeR.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\kEZBtVy.exe
  C:\Windows\System\kEZBtVy.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\MtjuNST.exe
  C:\Windows\System\MtjuNST.exe
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\System\Owxlvxf.exe
  C:\Windows\System\Owxlvxf.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\SzeBQIb.exe
  C:\Windows\System\SzeBQIb.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\hZxrwRc.exe
  C:\Windows\System\hZxrwRc.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\Daqydtw.exe
  C:\Windows\System\Daqydtw.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\BPEVeSp.exe
  C:\Windows\System\BPEVeSp.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\RJrWXJd.exe
  C:\Windows\System\RJrWXJd.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\AnZJSue.exe
  C:\Windows\System\AnZJSue.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\fVCbWtl.exe
  C:\Windows\System\fVCbWtl.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\lknMeSP.exe
  C:\Windows\System\lknMeSP.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\PQFteAx.exe
  C:\Windows\System\PQFteAx.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\nTNneJm.exe
  C:\Windows\System\nTNneJm.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\fKNjHky.exe
  C:\Windows\System\fKNjHky.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\FxdlNUR.exe
  C:\Windows\System\FxdlNUR.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\cqOowlo.exe
  C:\Windows\System\cqOowlo.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\mWxMokG.exe
  C:\Windows\System\mWxMokG.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\DMbQhvk.exe
  C:\Windows\System\DMbQhvk.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\CFcDdKY.exe
  C:\Windows\System\CFcDdKY.exe
  2⤵
  - Executes dropped EXE
  PID:4760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AnZJSue.exe

Filesize
5.2MB

MD5
6407b4c2a6909fc42311290db16081e6

SHA1
0857038a0cb9c660241eb6475e12b29c0062095b

SHA256
a98e3ac78853047d443b285f03b9bbc829efba8ad370d19689dbb152485e9823

SHA512
66096bd9cbc6bc447586925ca6f4fe9940caa06de49230bfbf21dc8b3fd16234995d2e5d8d9a363befa0b5e31850d979852a2860ca0bef888f23f62b9f9302e3

Download Submit
C:\Windows\System\BPEVeSp.exe

Filesize
5.2MB

MD5
ffb7b7b04ed7e3d60107d0eecd11b04e

SHA1
f72aa0656c7921b148cdbe1229aac22bd68a7a73

SHA256
2ef8cc987a59d519f88fac403f3cfe9dca029f92e71dc2aa273f994b8bd937ae

SHA512
82c58b488f4040cb3d228d1a9a7aeebbf854c1d9d4e461548bd3495a4830651bc84e20173a4f64de3adcae3b023a008f5905dd7dfcd0818e95f0c1a5cadae917

Download Submit
C:\Windows\System\CFcDdKY.exe

Filesize
5.2MB

MD5
f423606c57e8b78185e6afe8c012516f

SHA1
65b049130b4517871d4d287b806e1d7bc5be84b6

SHA256
16efb3e5cf2888e15c456fceb05f1f95527003e7e74ce4165f86242c0677e78b

SHA512
fd6c7d7990d28343cc7d50694ad2a4c6f53a47740322206a8d865a6db1284abc9e71bd1796226aef19fff9d273de31064d9af2a7e1ac826b9d271a77ca79ef70

Download Submit
C:\Windows\System\DMbQhvk.exe

Filesize
5.2MB

MD5
85c595827e4c681a4ab8577574907a7e

SHA1
bb57ee5f9a8c52af09406f598d3cd0f647473764

SHA256
60287a606b2a0843faee4e18bfff261aedb4feb526105849cd407588336db463

SHA512
1f90f816ec391c616c2f261203f9aee8e8a049017ce17ed1b0e3a05c31b8ffa7c7341f941fd882112b6e94279f9c04cdae496f42283fc961a1d9550fc6ab9d8c

Download Submit
C:\Windows\System\Daqydtw.exe

Filesize
5.2MB

MD5
ea3f77e7254c487f57d96a0b021a5d33

SHA1
ba599b0d3a3ef445682ebc27a750e5d754891ff2

SHA256
198848bf042f20d1a2256188de6546d8961abfbd12822c8551941e55dc0ea29b

SHA512
646ac249319b26e07b13dbe3f21b151700414a33b55f7fb8e76b207f8024c3f71761148a44f4be9d1f60cd580d2aff440d4451489097b318bdbb58f49f32aef1

Download Submit
C:\Windows\System\FxdlNUR.exe

Filesize
5.2MB

MD5
22aadcace5b5244981cd195463a0a058

SHA1
48c864f81f2a1c8d806eb5765f69206ebaabad4c

SHA256
6a8318269a030f6970b061f4ac55740c2ddb4f43e502c33be0b8d66c2bb5084d

SHA512
27a3006a6fef2035f0638b073d550930508cfa60331226c54410bf219a4ce03ac8dbbc78479f07dbbcdcfbf9586f25ce79ceffdc8a19e255098a7f45017b97c6

Download Submit
C:\Windows\System\MtjuNST.exe

Filesize
5.2MB

MD5
3355ed0818a1cfa89093e0a467ad6220

SHA1
f3fb9579761274dd39cea786a06883fe1b9a2056

SHA256
b02eea3b0eac28281348865dd009702ba33e87bd8d31b424873a7d9c400f382f

SHA512
512c9ac37bf3e1b51b22628da49f153259d7b39753b6edb149266d277c339065e082f1f4df97ab0af1ff071d441a14ca080050a4aee1ae0fedc8d5311a916cf1

Download Submit
C:\Windows\System\Owxlvxf.exe

Filesize
5.2MB

MD5
c220005ed7093abd91f70b299aebe3f5

SHA1
1185c51cce4c75a83be7e36ad413df0242ccc476

SHA256
671d6c9af0e2744ad53bfa36672a04f435102fb16d40bcc20138e1b4b46dd397

SHA512
cc24e3e0f25541343dc3742546726ed554e70be601ee2565e23b8d5ee8495c5db2ebad173b5253f50aa48270b1b9c4ecd0087d0138b07010bdad47b50bd73c26

Download Submit
C:\Windows\System\PQFteAx.exe

Filesize
5.2MB

MD5
28312b056cd08b446eb07e46a334162e

SHA1
e3bf18c828fdb446390556ae01b4893b5db98879

SHA256
37927fda4464ea4fb350b82021eaa0208f16e815deae23153420b309c4078d77

SHA512
edc7fed065ecf94a4d566d6fe4d2e21069206df437c499faabfb51fffef4cd4d9d84eaeac7f4aa27d2b4545b3836a20be77a78f94805737f01a53a90067d77a2

Download Submit
C:\Windows\System\RJrWXJd.exe

Filesize
5.2MB

MD5
393ea1ad05c695b9ac5a2b7965f34e5e

SHA1
642863a0ea74d3cbcce4934b45df6e4b202ed93a

SHA256
3b9cfa9c19b10143d3572f27675de5f2230211df25d8c51320bcd723be1ef7bc

SHA512
775a08bcc4d23030be62dbde2125dd52fbb68c3989f6e40340b504bf1f04b892e2c1bbcdfb961eb79c46dc43c9820af849959883fc1db86850b0ba733e504ae9

Download Submit
C:\Windows\System\RRgrQeR.exe

Filesize
5.2MB

MD5
234ee9b03a3b3496621dee01264b798a

SHA1
ed6be9f4f3ad0d3fdc1aadb33f441f675050cb30

SHA256
61bf26a6f1149f53cc931414ed8cbd6d76225a2eb395d1bbfef202ee6feb6875

SHA512
b4087e46547c6e9048061a166dc135ac2edca41734759e1928b0be1d91d4ce94a51e393b2693dd0b938ecddb5becee90a95d8dba267892c6816d303e31a1bb2c

Download Submit
C:\Windows\System\SzeBQIb.exe

Filesize
5.2MB

MD5
6052b8d8d1de67b72147a4e688134fa7

SHA1
3c16216223991591de61991e71817b2ff306cf95

SHA256
f6e82c52468e0f7a696759d31bc4723c6eed0c27d4ced3db9acb25b1cb109d03

SHA512
cff2878ccd4819103e785463087588187651cd88e608061db0f5c65cd5e64b0a50db2c7699d416610e2bcc7292a295efb2571f7107971220d29b010f84af53e1

Download Submit
C:\Windows\System\cqOowlo.exe

Filesize
5.2MB

MD5
a961276aa764b6585bcbe466124d996d

SHA1
e5985737997baec66f8440848a18a09e3f74120b

SHA256
18d39e20b360ca3b8f27c9a98367eb9b5dc8f1ecad501ec40b9bf01d0944b8ce

SHA512
7a31ffd391781c2a8ddaca51d9737d5b5712481da1c2adc2040551a07fcf9a7783bc4f73755a3e13099f87cf69f2ca09ebf7cb6f2b622b1157266083d83cb4d9

Download Submit
C:\Windows\System\fKNjHky.exe

Filesize
5.2MB

MD5
36a7649048c90137b794445af012ced6

SHA1
e2e41fc33aaf18821c2e7ba1cc88ded9f76a5bac

SHA256
5aeebec8d19d916d8cd000e318273cbcb22d0c6eb2e7cc35b0d1ed6f78c2c86b

SHA512
e5882db626eba2a54b909e9ecbde59dfc364c9990d727151eabb5c54ce79b2acba8f290d0e5be3f6d1761cad07b85d41b52fd43fd98517ce3294bb86a657fe7d

Download Submit
C:\Windows\System\fVCbWtl.exe

Filesize
5.2MB

MD5
f14065049a9ee990c2a4b57185d976e8

SHA1
11bd460777436656a8012fb0941733c3b8d838e2

SHA256
d0ff61cd872887de4044799efd88017c04f21f1bfc5968892ddac8cbd83a1228

SHA512
262b2a7d89a322e77248c0db441240edcd2c99452a8f83add57df997b2510feaa4b3ad219a4bdc8bfd87f03e4ce9426eb3bea6fd3c4e6e02e1767775b8fd7e06

Download Submit
C:\Windows\System\hZxrwRc.exe

Filesize
5.2MB

MD5
37aa1d665b9e892e97bed4a2c6ac15ed

SHA1
d1355739476734c8e1dc11a9a398a8ce738282da

SHA256
b733c0d709f13c2a0fb0a814e886912e9fa7d0e2f029b863d004e4adad66800b

SHA512
464ae6afb362404cab0aa83312c704ee55e1f31e56a8e0000e80616eaa34cb083491876bc4b87c034f17c4e0e71a2bc7ca0a769c39ba9d97ca5ce9843d8bb143

Download Submit
C:\Windows\System\kEZBtVy.exe

Filesize
5.2MB

MD5
bcb8bc4d38f8374c51e0e85110aeee6b

SHA1
cd224c7d1eaff9fd9639b510eaee64000a714716

SHA256
ffa225a502229930019276896e93fa9c1f3c082f857e8ed7a698da1f7cf5c87b

SHA512
a10f2c27e697da198f648b43b5c7be0658ca11aef3031fd6470ba4264d8e6fa4ee037fc39959fe88ae574f9d5b1b483ed7a7e7ccee367cfad5068af27a6f2a79

Download Submit
C:\Windows\System\lVWRvVM.exe

Filesize
5.2MB

MD5
ac1f051f120804eb0792181a64c31509

SHA1
a9530759efcb090903a2f67698521dbdd2db977d

SHA256
347c5190fa9ed3204f0ee26f944b910c68b93dac0f02f3635a1044594a9fda94

SHA512
139e1e7ab392d1b2ca151e54e328b8471085e8e8e07ce356a782251ee982c5d4261cde961e54cf6a39cfadc276949b19913726a0ce59258f644e0c9af9a3cea9

Download Submit
C:\Windows\System\lknMeSP.exe

Filesize
5.2MB

MD5
a6f49026dd6ccc300f4e2fe3338916bd

SHA1
d70426c0dcbe5ba1ec0679ab76cca140a61bbb29

SHA256
9cfe865ada284c3c38f4f1d95d33fce059a27abff5d5f9faa4a499e9d0edbcf1

SHA512
435b44b0ca2791b56de810422b930f3046391cb57b400df8373793cc5f93e609f4c585824db1fb43ea08e8d6e70d76e4ee8ac0ef702f0c9f1a29bc4412ca7dd8

Download Submit
C:\Windows\System\mWxMokG.exe

Filesize
5.2MB

MD5
7dd133c093dd50e3b482dd195b090865

SHA1
009752d64fae3b29c47e6f66df8f0c990e87ffc2

SHA256
0c212034d4a587b92ed6d8e54ca47bb3191605ff0ec51cb31e4ebe3f14ff087c

SHA512
75dbdd6ec7fd3d9e7c1a48e5ad5fd35d5637a8b3ef0918dab809203fc76435134343b6808bbd652eb56a538cc968a441e6e97b9bcdf116944f807e70ad8a001d

Download Submit
C:\Windows\System\nTNneJm.exe

Filesize
5.2MB

MD5
afdc17464503960272d0b91ec673d0d5

SHA1
f29161292ea9598223adb3d1457ce6c130011edf

SHA256
98efd8cf9ba3cc2008a5fda6713c610db678f3ac9a4ed24bc215d2596565849c

SHA512
b1a09b14b184a9de6e39257467ce549e504959105df7cb7c6cd9fd2906d36bfee342b614ea6ecb772bc06101749dbe37958ff8d34f7e9ebe7c03e7993c193137

Download Submit
memory/116-62-0x00007FF637B10000-0x00007FF637E61000-memory.dmp

Filesize
3.3MB

Download
memory/116-234-0x00007FF637B10000-0x00007FF637E61000-memory.dmp

Filesize
3.3MB

Download
memory/116-122-0x00007FF637B10000-0x00007FF637E61000-memory.dmp

Filesize
3.3MB

Download
memory/432-169-0x00007FF76F5C0000-0x00007FF76F911000-memory.dmp

Filesize
3.3MB

Download
memory/432-140-0x00007FF76F5C0000-0x00007FF76F911000-memory.dmp

Filesize
3.3MB

Download
memory/432-268-0x00007FF76F5C0000-0x00007FF76F911000-memory.dmp

Filesize
3.3MB

Download
memory/1060-85-0x00007FF7B7C40000-0x00007FF7B7F91000-memory.dmp

Filesize
3.3MB

Download
memory/1060-215-0x00007FF7B7C40000-0x00007FF7B7F91000-memory.dmp

Filesize
3.3MB

Download
memory/1060-9-0x00007FF7B7C40000-0x00007FF7B7F91000-memory.dmp

Filesize
3.3MB

Download
memory/1644-68-0x00007FF7E1300000-0x00007FF7E1651000-memory.dmp

Filesize
3.3MB

Download
memory/1644-235-0x00007FF7E1300000-0x00007FF7E1651000-memory.dmp

Filesize
3.3MB

Download
memory/1720-59-0x00007FF65DBD0000-0x00007FF65DF21000-memory.dmp

Filesize
3.3MB

Download
memory/1720-227-0x00007FF65DBD0000-0x00007FF65DF21000-memory.dmp

Filesize
3.3MB

Download
memory/1804-19-0x00007FF74B180000-0x00007FF74B4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1804-104-0x00007FF74B180000-0x00007FF74B4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1804-219-0x00007FF74B180000-0x00007FF74B4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2020-142-0x00007FF61DE70000-0x00007FF61E1C1000-memory.dmp

Filesize
3.3MB

Download
memory/2020-264-0x00007FF61DE70000-0x00007FF61E1C1000-memory.dmp

Filesize
3.3MB

Download
memory/2192-247-0x00007FF7CA370000-0x00007FF7CA6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2192-72-0x00007FF7CA370000-0x00007FF7CA6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2192-147-0x00007FF7CA370000-0x00007FF7CA6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-95-0x00007FF7319A0000-0x00007FF731CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-217-0x00007FF7319A0000-0x00007FF731CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-17-0x00007FF7319A0000-0x00007FF731CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2496-132-0x00007FF68B6D0000-0x00007FF68BA21000-memory.dmp

Filesize
3.3MB

Download
memory/2496-266-0x00007FF68B6D0000-0x00007FF68BA21000-memory.dmp

Filesize
3.3MB

Download
memory/2496-168-0x00007FF68B6D0000-0x00007FF68BA21000-memory.dmp

Filesize
3.3MB

Download
memory/2616-257-0x00007FF69A4E0000-0x00007FF69A831000-memory.dmp

Filesize
3.3MB

Download
memory/2616-107-0x00007FF69A4E0000-0x00007FF69A831000-memory.dmp

Filesize
3.3MB

Download
memory/2616-155-0x00007FF69A4E0000-0x00007FF69A831000-memory.dmp

Filesize
3.3MB

Download
memory/2672-251-0x00007FF6C1D10000-0x00007FF6C2061000-memory.dmp

Filesize
3.3MB

Download
memory/2672-96-0x00007FF6C1D10000-0x00007FF6C2061000-memory.dmp

Filesize
3.3MB

Download
memory/2904-249-0x00007FF7AB7B0000-0x00007FF7ABB01000-memory.dmp

Filesize
3.3MB

Download
memory/2904-77-0x00007FF7AB7B0000-0x00007FF7ABB01000-memory.dmp

Filesize
3.3MB

Download
memory/2904-148-0x00007FF7AB7B0000-0x00007FF7ABB01000-memory.dmp

Filesize
3.3MB

Download
memory/3660-39-0x00007FF624F50000-0x00007FF6252A1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-106-0x00007FF624F50000-0x00007FF6252A1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-224-0x00007FF624F50000-0x00007FF6252A1000-memory.dmp

Filesize
3.3MB

Download
memory/3780-33-0x00007FF6709C0000-0x00007FF670D11000-memory.dmp

Filesize
3.3MB

Download
memory/3780-221-0x00007FF6709C0000-0x00007FF670D11000-memory.dmp

Filesize
3.3MB

Download
memory/3780-105-0x00007FF6709C0000-0x00007FF670D11000-memory.dmp

Filesize
3.3MB

Download
memory/4440-230-0x00007FF6F2A30000-0x00007FF6F2D81000-memory.dmp

Filesize
3.3MB

Download
memory/4440-65-0x00007FF6F2A30000-0x00007FF6F2D81000-memory.dmp

Filesize
3.3MB

Download
memory/4664-256-0x00007FF665DF0000-0x00007FF666141000-memory.dmp

Filesize
3.3MB

Download
memory/4664-154-0x00007FF665DF0000-0x00007FF666141000-memory.dmp

Filesize
3.3MB

Download
memory/4664-101-0x00007FF665DF0000-0x00007FF666141000-memory.dmp

Filesize
3.3MB

Download
memory/4760-144-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp

Filesize
3.3MB

Download
memory/4760-173-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp

Filesize
3.3MB

Download
memory/4760-270-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp

Filesize
3.3MB

Download
memory/4784-123-0x00007FF60F5B0000-0x00007FF60F901000-memory.dmp

Filesize
3.3MB

Download
memory/4784-232-0x00007FF60F5B0000-0x00007FF60F901000-memory.dmp

Filesize
3.3MB

Download
memory/4784-47-0x00007FF60F5B0000-0x00007FF60F901000-memory.dmp

Filesize
3.3MB

Download
memory/4876-84-0x00007FF7E4AC0000-0x00007FF7E4E11000-memory.dmp

Filesize
3.3MB

Download
memory/4876-0-0x00007FF7E4AC0000-0x00007FF7E4E11000-memory.dmp

Filesize
3.3MB

Download
memory/4876-156-0x00007FF7E4AC0000-0x00007FF7E4E11000-memory.dmp

Filesize
3.3MB

Download
memory/4876-180-0x00007FF7E4AC0000-0x00007FF7E4E11000-memory.dmp

Filesize
3.3MB

Download
memory/4876-1-0x0000013C033B0000-0x0000013C033C0000-memory.dmp

Filesize
64KB

Download
memory/4896-91-0x00007FF742850000-0x00007FF742BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4896-253-0x00007FF742850000-0x00007FF742BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4896-149-0x00007FF742850000-0x00007FF742BA1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-225-0x00007FF606DB0000-0x00007FF607101000-memory.dmp

Filesize
3.3MB

Download
memory/5092-53-0x00007FF606DB0000-0x00007FF607101000-memory.dmp

Filesize
3.3MB

Download