cobaltstrike | a5111fa96568ac7c5b4b77b0447a0c8c0818aa2683ff677a8b9572b9eb6fb73e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2025, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b9566693f7256fb1fba81dabaebb1178
SHA1

223dddac7f7639f71295dcce8043d6d1d2cf9844
SHA256

a5111fa96568ac7c5b4b77b0447a0c8c0818aa2683ff677a8b9572b9eb6fb73e
SHA512

a0f786f663f3f0758853415def00ad6f01cbbd6f90c21cb5503967962ec5304449e4a995f87dd14c5aead2b01bdb36b4ee8bdf2b2d0fc9244db410448c4fad77
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lk:RWWBibf56utgpPFotBER/mQ32lUI

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023c67-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6e-10.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c6d-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6f-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c70-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c72-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c73-42.dat	cobalt_reflective_dll
behavioral2/files/0x000700000001da20-47.dat	cobalt_reflective_dll
behavioral2/files/0x000500000001da40-58.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001da48-83.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001da4e-96.dat	cobalt_reflective_dll
behavioral2/files/0x000500000001da58-101.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001da92-123.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001da73-119.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001da70-114.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001da5e-110.dat	cobalt_reflective_dll
behavioral2/files/0x000700000001da59-105.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001da53-94.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001da4c-89.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001da45-75.dat	cobalt_reflective_dll
behavioral2/files/0x000700000001da3c-62.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1052-51-0x00007FF7FF160000-0x00007FF7FF4B1000-memory.dmp	xmrig
behavioral2/memory/4584-88-0x00007FF649C30000-0x00007FF649F81000-memory.dmp	xmrig
behavioral2/memory/1796-120-0x00007FF795E70000-0x00007FF7961C1000-memory.dmp	xmrig
behavioral2/memory/1824-115-0x00007FF776E90000-0x00007FF7771E1000-memory.dmp	xmrig
behavioral2/memory/1408-106-0x00007FF7CE3B0000-0x00007FF7CE701000-memory.dmp	xmrig
behavioral2/memory/4816-93-0x00007FF6B8800000-0x00007FF6B8B51000-memory.dmp	xmrig
behavioral2/memory/2000-87-0x00007FF684C20000-0x00007FF684F71000-memory.dmp	xmrig
behavioral2/memory/1708-61-0x00007FF7B4760000-0x00007FF7B4AB1000-memory.dmp	xmrig
behavioral2/memory/2588-56-0x00007FF6AADD0000-0x00007FF6AB121000-memory.dmp	xmrig
behavioral2/memory/3724-55-0x00007FF7F8F10000-0x00007FF7F9261000-memory.dmp	xmrig
behavioral2/memory/3640-50-0x00007FF7B7E70000-0x00007FF7B81C1000-memory.dmp	xmrig
behavioral2/memory/3640-125-0x00007FF7B7E70000-0x00007FF7B81C1000-memory.dmp	xmrig
behavioral2/memory/3472-145-0x00007FF723530000-0x00007FF723881000-memory.dmp	xmrig
behavioral2/memory/1516-144-0x00007FF78C8C0000-0x00007FF78CC11000-memory.dmp	xmrig
behavioral2/memory/1312-153-0x00007FF748420000-0x00007FF748771000-memory.dmp	xmrig
behavioral2/memory/4080-156-0x00007FF6AE150000-0x00007FF6AE4A1000-memory.dmp	xmrig
behavioral2/memory/4748-155-0x00007FF636D70000-0x00007FF6370C1000-memory.dmp	xmrig
behavioral2/memory/4636-154-0x00007FF6DA970000-0x00007FF6DACC1000-memory.dmp	xmrig
behavioral2/memory/3508-157-0x00007FF704E60000-0x00007FF7051B1000-memory.dmp	xmrig
behavioral2/memory/1996-159-0x00007FF625050000-0x00007FF6253A1000-memory.dmp	xmrig
behavioral2/memory/224-161-0x00007FF7FA720000-0x00007FF7FAA71000-memory.dmp	xmrig
behavioral2/memory/3124-160-0x00007FF6F3280000-0x00007FF6F35D1000-memory.dmp	xmrig
behavioral2/memory/1224-158-0x00007FF6AE360000-0x00007FF6AE6B1000-memory.dmp	xmrig
behavioral2/memory/3640-162-0x00007FF7B7E70000-0x00007FF7B81C1000-memory.dmp	xmrig
behavioral2/memory/3724-213-0x00007FF7F8F10000-0x00007FF7F9261000-memory.dmp	xmrig
behavioral2/memory/2588-215-0x00007FF6AADD0000-0x00007FF6AB121000-memory.dmp	xmrig
behavioral2/memory/1708-217-0x00007FF7B4760000-0x00007FF7B4AB1000-memory.dmp	xmrig
behavioral2/memory/2000-219-0x00007FF684C20000-0x00007FF684F71000-memory.dmp	xmrig
behavioral2/memory/4816-223-0x00007FF6B8800000-0x00007FF6B8B51000-memory.dmp	xmrig
behavioral2/memory/1408-225-0x00007FF7CE3B0000-0x00007FF7CE701000-memory.dmp	xmrig
behavioral2/memory/1824-231-0x00007FF776E90000-0x00007FF7771E1000-memory.dmp	xmrig
behavioral2/memory/1052-233-0x00007FF7FF160000-0x00007FF7FF4B1000-memory.dmp	xmrig
behavioral2/memory/1796-235-0x00007FF795E70000-0x00007FF7961C1000-memory.dmp	xmrig
behavioral2/memory/1516-247-0x00007FF78C8C0000-0x00007FF78CC11000-memory.dmp	xmrig
behavioral2/memory/3472-251-0x00007FF723530000-0x00007FF723881000-memory.dmp	xmrig
behavioral2/memory/4080-253-0x00007FF6AE150000-0x00007FF6AE4A1000-memory.dmp	xmrig
behavioral2/memory/4584-250-0x00007FF649C30000-0x00007FF649F81000-memory.dmp	xmrig
behavioral2/memory/1312-255-0x00007FF748420000-0x00007FF748771000-memory.dmp	xmrig
behavioral2/memory/4636-257-0x00007FF6DA970000-0x00007FF6DACC1000-memory.dmp	xmrig
behavioral2/memory/3508-260-0x00007FF704E60000-0x00007FF7051B1000-memory.dmp	xmrig
behavioral2/memory/1224-262-0x00007FF6AE360000-0x00007FF6AE6B1000-memory.dmp	xmrig
behavioral2/memory/224-264-0x00007FF7FA720000-0x00007FF7FAA71000-memory.dmp	xmrig
behavioral2/memory/3124-270-0x00007FF6F3280000-0x00007FF6F35D1000-memory.dmp	xmrig
behavioral2/memory/1996-269-0x00007FF625050000-0x00007FF6253A1000-memory.dmp	xmrig
behavioral2/memory/4748-267-0x00007FF636D70000-0x00007FF6370C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3724	KqsJFLo.exe
2588	qXaPtoK.exe
1708	nuryyCQ.exe
2000	XpmCjgg.exe
4816	ErBkjwE.exe
1408	DBgbBFt.exe
1824	bIfTMBD.exe
1052	LjSuPyw.exe
1796	xjLDSzW.exe
1516	ZSVydDt.exe
3472	VDSkPvb.exe
4584	wbKvRnp.exe
4080	VpHJvbg.exe
1312	wfTXfIn.exe
4636	ZxwpJlj.exe
4748	CWBLrpd.exe
3508	WeZpwKa.exe
1224	kcgqcFk.exe
1996	OkLpRXP.exe
3124	dITkJnQ.exe
224	NFVnOwX.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3640-0-0x00007FF7B7E70000-0x00007FF7B81C1000-memory.dmp	upx
behavioral2/files/0x0009000000023c67-4.dat	upx
behavioral2/memory/3724-7-0x00007FF7F8F10000-0x00007FF7F9261000-memory.dmp	upx
behavioral2/files/0x0007000000023c6e-10.dat	upx
behavioral2/files/0x0008000000023c6d-15.dat	upx
behavioral2/memory/2588-19-0x00007FF6AADD0000-0x00007FF6AB121000-memory.dmp	upx
behavioral2/memory/2000-26-0x00007FF684C20000-0x00007FF684F71000-memory.dmp	upx
behavioral2/files/0x0007000000023c6f-24.dat	upx
behavioral2/memory/1708-23-0x00007FF7B4760000-0x00007FF7B4AB1000-memory.dmp	upx
behavioral2/files/0x0007000000023c70-28.dat	upx
behavioral2/memory/4816-30-0x00007FF6B8800000-0x00007FF6B8B51000-memory.dmp	upx
behavioral2/files/0x0007000000023c72-34.dat	upx
behavioral2/memory/1408-38-0x00007FF7CE3B0000-0x00007FF7CE701000-memory.dmp	upx
behavioral2/files/0x0007000000023c73-42.dat	upx
behavioral2/files/0x000700000001da20-47.dat	upx
behavioral2/memory/1052-51-0x00007FF7FF160000-0x00007FF7FF4B1000-memory.dmp	upx
behavioral2/files/0x000500000001da40-58.dat	upx
behavioral2/memory/3472-76-0x00007FF723530000-0x00007FF723881000-memory.dmp	upx
behavioral2/files/0x000400000001da48-83.dat	upx
behavioral2/memory/4584-88-0x00007FF649C30000-0x00007FF649F81000-memory.dmp	upx
behavioral2/memory/1312-92-0x00007FF748420000-0x00007FF748771000-memory.dmp	upx
behavioral2/files/0x000400000001da4e-96.dat	upx
behavioral2/files/0x000500000001da58-101.dat	upx
behavioral2/memory/3508-107-0x00007FF704E60000-0x00007FF7051B1000-memory.dmp	upx
behavioral2/memory/1996-116-0x00007FF625050000-0x00007FF6253A1000-memory.dmp	upx
behavioral2/memory/224-124-0x00007FF7FA720000-0x00007FF7FAA71000-memory.dmp	upx
behavioral2/files/0x000400000001da92-123.dat	upx
behavioral2/memory/3124-121-0x00007FF6F3280000-0x00007FF6F35D1000-memory.dmp	upx
behavioral2/memory/1796-120-0x00007FF795E70000-0x00007FF7961C1000-memory.dmp	upx
behavioral2/files/0x000400000001da73-119.dat	upx
behavioral2/memory/1824-115-0x00007FF776E90000-0x00007FF7771E1000-memory.dmp	upx
behavioral2/files/0x000400000001da70-114.dat	upx
behavioral2/memory/1224-111-0x00007FF6AE360000-0x00007FF6AE6B1000-memory.dmp	upx
behavioral2/files/0x000400000001da5e-110.dat	upx
behavioral2/memory/1408-106-0x00007FF7CE3B0000-0x00007FF7CE701000-memory.dmp	upx
behavioral2/files/0x000700000001da59-105.dat	upx
behavioral2/memory/4748-102-0x00007FF636D70000-0x00007FF6370C1000-memory.dmp	upx
behavioral2/files/0x000400000001da53-94.dat	upx
behavioral2/memory/4816-93-0x00007FF6B8800000-0x00007FF6B8B51000-memory.dmp	upx
behavioral2/memory/4636-91-0x00007FF6DA970000-0x00007FF6DACC1000-memory.dmp	upx
behavioral2/files/0x000400000001da4c-89.dat	upx
behavioral2/memory/2000-87-0x00007FF684C20000-0x00007FF684F71000-memory.dmp	upx
behavioral2/memory/4080-81-0x00007FF6AE150000-0x00007FF6AE4A1000-memory.dmp	upx
behavioral2/files/0x000400000001da45-75.dat	upx
behavioral2/memory/1516-63-0x00007FF78C8C0000-0x00007FF78CC11000-memory.dmp	upx
behavioral2/memory/1708-61-0x00007FF7B4760000-0x00007FF7B4AB1000-memory.dmp	upx
behavioral2/memory/1796-59-0x00007FF795E70000-0x00007FF7961C1000-memory.dmp	upx
behavioral2/files/0x000700000001da3c-62.dat	upx
behavioral2/memory/2588-56-0x00007FF6AADD0000-0x00007FF6AB121000-memory.dmp	upx
behavioral2/memory/3724-55-0x00007FF7F8F10000-0x00007FF7F9261000-memory.dmp	upx
behavioral2/memory/3640-50-0x00007FF7B7E70000-0x00007FF7B81C1000-memory.dmp	upx
behavioral2/memory/1824-43-0x00007FF776E90000-0x00007FF7771E1000-memory.dmp	upx
behavioral2/memory/3640-125-0x00007FF7B7E70000-0x00007FF7B81C1000-memory.dmp	upx
behavioral2/memory/3472-145-0x00007FF723530000-0x00007FF723881000-memory.dmp	upx
behavioral2/memory/1516-144-0x00007FF78C8C0000-0x00007FF78CC11000-memory.dmp	upx
behavioral2/memory/1312-153-0x00007FF748420000-0x00007FF748771000-memory.dmp	upx
behavioral2/memory/4080-156-0x00007FF6AE150000-0x00007FF6AE4A1000-memory.dmp	upx
behavioral2/memory/4748-155-0x00007FF636D70000-0x00007FF6370C1000-memory.dmp	upx
behavioral2/memory/4636-154-0x00007FF6DA970000-0x00007FF6DACC1000-memory.dmp	upx
behavioral2/memory/3508-157-0x00007FF704E60000-0x00007FF7051B1000-memory.dmp	upx
behavioral2/memory/1996-159-0x00007FF625050000-0x00007FF6253A1000-memory.dmp	upx
behavioral2/memory/224-161-0x00007FF7FA720000-0x00007FF7FAA71000-memory.dmp	upx
behavioral2/memory/3124-160-0x00007FF6F3280000-0x00007FF6F35D1000-memory.dmp	upx
behavioral2/memory/1224-158-0x00007FF6AE360000-0x00007FF6AE6B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\xjLDSzW.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZSVydDt.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VDSkPvb.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kcgqcFk.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XpmCjgg.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LjSuPyw.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WeZpwKa.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dITkJnQ.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qXaPtoK.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wbKvRnp.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bIfTMBD.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZxwpJlj.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KqsJFLo.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nuryyCQ.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VpHJvbg.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wfTXfIn.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CWBLrpd.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OkLpRXP.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NFVnOwX.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ErBkjwE.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DBgbBFt.exe	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 3724	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3640 wrote to memory of 3724	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3640 wrote to memory of 2588	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3640 wrote to memory of 2588	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3640 wrote to memory of 1708	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3640 wrote to memory of 1708	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3640 wrote to memory of 2000	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3640 wrote to memory of 2000	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3640 wrote to memory of 4816	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3640 wrote to memory of 4816	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3640 wrote to memory of 1408	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3640 wrote to memory of 1408	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3640 wrote to memory of 1824	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3640 wrote to memory of 1824	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3640 wrote to memory of 1052	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3640 wrote to memory of 1052	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3640 wrote to memory of 1796	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3640 wrote to memory of 1796	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3640 wrote to memory of 1516	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3640 wrote to memory of 1516	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3640 wrote to memory of 3472	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3640 wrote to memory of 3472	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3640 wrote to memory of 4584	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3640 wrote to memory of 4584	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3640 wrote to memory of 4080	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3640 wrote to memory of 4080	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3640 wrote to memory of 1312	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3640 wrote to memory of 1312	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3640 wrote to memory of 4636	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3640 wrote to memory of 4636	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3640 wrote to memory of 4748	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3640 wrote to memory of 4748	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3640 wrote to memory of 3508	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3640 wrote to memory of 3508	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3640 wrote to memory of 1224	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3640 wrote to memory of 1224	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3640 wrote to memory of 1996	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3640 wrote to memory of 1996	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3640 wrote to memory of 3124	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3640 wrote to memory of 3124	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3640 wrote to memory of 224	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3640 wrote to memory of 224	3640	2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-03_b9566693f7256fb1fba81dabaebb1178_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Windows\System\KqsJFLo.exe
  C:\Windows\System\KqsJFLo.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Windows\System\qXaPtoK.exe
  C:\Windows\System\qXaPtoK.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\nuryyCQ.exe
  C:\Windows\System\nuryyCQ.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\XpmCjgg.exe
  C:\Windows\System\XpmCjgg.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\ErBkjwE.exe
  C:\Windows\System\ErBkjwE.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\DBgbBFt.exe
  C:\Windows\System\DBgbBFt.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\bIfTMBD.exe
  C:\Windows\System\bIfTMBD.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System\LjSuPyw.exe
  C:\Windows\System\LjSuPyw.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\xjLDSzW.exe
  C:\Windows\System\xjLDSzW.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\ZSVydDt.exe
  C:\Windows\System\ZSVydDt.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\VDSkPvb.exe
  C:\Windows\System\VDSkPvb.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\wbKvRnp.exe
  C:\Windows\System\wbKvRnp.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\VpHJvbg.exe
  C:\Windows\System\VpHJvbg.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System\wfTXfIn.exe
  C:\Windows\System\wfTXfIn.exe
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\System\ZxwpJlj.exe
  C:\Windows\System\ZxwpJlj.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\CWBLrpd.exe
  C:\Windows\System\CWBLrpd.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\WeZpwKa.exe
  C:\Windows\System\WeZpwKa.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\kcgqcFk.exe
  C:\Windows\System\kcgqcFk.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\OkLpRXP.exe
  C:\Windows\System\OkLpRXP.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\dITkJnQ.exe
  C:\Windows\System\dITkJnQ.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\NFVnOwX.exe
  C:\Windows\System\NFVnOwX.exe
  2⤵
  - Executes dropped EXE
  PID:224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CWBLrpd.exe

Filesize
5.2MB

MD5
b8dd7b7cec3032b5fc7e138f8f4f0f0a

SHA1
9b50f3134f874f40dfd853d780542abb042550c9

SHA256
8cdfbb22e550cf6a01b2b4f680d445f7aa4e2d8755bdc3cb2d92f74d099f0fa7

SHA512
6047beafac9fa388276f9b3c9b38a25ba4a938a2d54856c077c1190c90473aa67f77f91c98895cd1279b99bd536c7c02c1fc26331f5482fd122aed62c1577653

Download Submit
C:\Windows\System\DBgbBFt.exe

Filesize
5.2MB

MD5
91c56858fb93830ecd458215e8637655

SHA1
b8741f409a4e92238cc349a77d256d8d3670e10a

SHA256
f0809d2c75b0dc387ee71743e2acee5a0bde60d62d1f73ad69e60bc93b94b2c3

SHA512
5b006b0122df2fe3a96448a09f4779347a72aac970baf58700f8e553e24fe1269b3f502726e0eff0c867d85b2748671b5f91b46cb68324f043151643ab6c1ead

Download Submit
C:\Windows\System\ErBkjwE.exe

Filesize
5.2MB

MD5
e890758c110c4734456db5a75b66c559

SHA1
95b2d2b26d940aa72ac707a01ff1c2b5969421b5

SHA256
fb34db59c00fc369ea384391e310d408aff023ceb4c7a8e021f54b55711e5b8d

SHA512
d7dbbac3f53f99a2b1773c1144bd04a89feb08131c3034b7e702d9b684a84f045a1628cafac95f51ebd53870336be3678a2962a205c30d2a13a6c3bdb20568dd

Download Submit
C:\Windows\System\KqsJFLo.exe

Filesize
5.2MB

MD5
4525079a3b197d2aeb5f0f19b2c2b576

SHA1
0385aa0db5e47c41d640ddf2430a19d9a73def8d

SHA256
891837c88e40d078545bc194fe1176a9fac0a0dbc24714e266cd11ef50721993

SHA512
2a021c22fe85943d1bc008ae23fa321d0d01b344de170822f93b41acfbb9a2f56a821bb1c5e6653580a5f2abb7fef2bc6ce2e035853510fa4768e27802da6658

Download Submit
C:\Windows\System\LjSuPyw.exe

Filesize
5.2MB

MD5
82359e7995d0fd400d2f9b39889448ef

SHA1
98ba7cab6ea85b94e05bf9e72f46db42c358983b

SHA256
0c5d70c38590a46eef70ab8111e05929012e772fe1a8204d98419e7722da830e

SHA512
82af6024c6098c16fc93b774ffb7a1a28a298f6e505b2408547bef9afec22e275d7f538288cbf1296df425b85a46572517247c4a7a3327eaa3dec0f1b9d35593

Download Submit
C:\Windows\System\NFVnOwX.exe

Filesize
5.2MB

MD5
19b4dfc2eb5c3b2d3d19f750b2c90a31

SHA1
83131ef9f411d0c8b09ba2cc717d1e18b9c3550d

SHA256
31fa1b3974e5c2e2247b1fc91a99506e5d780fa8bead274beb9a79042a2a127f

SHA512
aec4b323a2b206dc6291b004a9e721a9a016a2406d61e6d8191b46787a5abf755999eb1201ed1df72d1e97a8c82e00a27562eeb81e0757fcf10e649eeab730cf

Download Submit
C:\Windows\System\OkLpRXP.exe

Filesize
5.2MB

MD5
31c9c68e7b2910383f96d1cd81d0aba0

SHA1
33f1dd87dfe633779a65c5a099f150cbe4351c32

SHA256
124b63ed2c14ed9045177568ded2762024d59d5300767fad89aeb6029a7acf61

SHA512
7d35fb70e2d21e523912c5b65c846d9936ab006154a3e0c45f86f5053231ede9e1876021978786c640338be8596189ec95aa06f8042a0021b80c1c6d3fba2970

Download Submit
C:\Windows\System\VDSkPvb.exe

Filesize
5.2MB

MD5
6d92a0bb3273954bee5bd06a603e307b

SHA1
f4eb7fe511ae10919695feb0f57c4f1f5c818125

SHA256
be2522a6ea8c51ecd81dd151a85ad2fd91e9dfba6b702a052f92c238f1b81d3a

SHA512
2af587b23fec10e77f1532e2b7d12529586e816a4327a23be93ba546c464488bdb6c2e0e66381c478709fa1c9c93f66b370ce0e90af6034b1f63d66cc629996f

Download Submit
C:\Windows\System\VpHJvbg.exe

Filesize
5.2MB

MD5
b552ce494499a2387b2cf42e8e2c5f24

SHA1
74fcf89cbb511e4cb5adc6534c5bb1c1223cb938

SHA256
1489fded50080f2e5cc33f3f2037adb38020fa7522f861b98b12efa9b06d7cd5

SHA512
4baeb79280870b0f0f6cadddf5047cc8affb8e6cb7bbd642f719ae4b6f3dc603436667957d973156b9e1a63795a27f6626aeb854522603819e6e93123076864c

Download Submit
C:\Windows\System\WeZpwKa.exe

Filesize
5.2MB

MD5
34abe40fca2f59705b88fe81047a7483

SHA1
0bfabf87bed18c0c3a089ec9c7b1d3e8060d4781

SHA256
cb7b34374b1e4ef273e3af3f040ffb4ba3f7b6ad6857c41b0ec3666825755222

SHA512
dab4e9e631c75bcc09805f90d0d388fed836aff4c706c653b5a0ba67d20691b0897243a622dc41e75f2040688a3e4cd648b30073eddc195d007f9df6b5908fd7

Download Submit
C:\Windows\System\XpmCjgg.exe

Filesize
5.2MB

MD5
bb648ea356ca7feb8ba9dd1a9b695d6d

SHA1
d0ea68310c4f9eb2c1ef27c2e76ae11fae967914

SHA256
54058d9027ec1b816c8ff1ea35766d86e1b5d9eb5ccb324fdd9b8ddc3c7adca5

SHA512
e57a8f54cbc7249f96258329bd580af61067a378c17b54bf54ae8861138ff83e5edd1b40326d4669e745b1d9982a94d72a60f2e5d9fa98fea3315d8528c4650c

Download Submit
C:\Windows\System\ZSVydDt.exe

Filesize
5.2MB

MD5
df8694cf6abeb6fa743fe58068c73209

SHA1
dd50a1d31aa9bc695ae43e743ea2f331ac3ab8aa

SHA256
734a278214830058fd2f155974ece8f9d3446dc0791c181a30a62b32f1d3fedf

SHA512
168695bb0c8677c85c11e08521be3058eeb79db313ab33989d90b85ac02036910a984fbe091987c9bd80582a7eec0a1a62c17e4aea094a4e3c6adaaea5b9a827

Download Submit
C:\Windows\System\ZxwpJlj.exe

Filesize
5.2MB

MD5
6d1136f436036b0eca06305d76109285

SHA1
01e9742a1951295b7701225b4cc3b098126fad73

SHA256
c64b184a0bf58c85a6a30c5b4d9f9c0859b504c1cd209be444220a17dfe74f36

SHA512
a3a7207099f4bfb9ed24ef6c78e85db4603595e43f1480b23c1fd5c036bc45ca8f41b986f65c40ca9505c8d7d99db58fcc83fbfc74448e3f4a0775c2507864d7

Download Submit
C:\Windows\System\bIfTMBD.exe

Filesize
5.2MB

MD5
280c2818ed105a5377903c0929cb50de

SHA1
091b1e32138c01b64cd803728e0efaf8468b14e1

SHA256
cd31b6f40e85c15573a263c8cad8bd85393bec63492a3772900a6ddb96d09d70

SHA512
2a7d864e6a4e3548ec38b52c36a7b07e5c79e2dbf71635c6a58b4ced9b51258ac6b40aebc45f155ea39263f84fab8da2179e57b9e6ef0dc4c2c675246fdbb7ec

Download Submit
C:\Windows\System\dITkJnQ.exe

Filesize
5.2MB

MD5
c4665993b562312b712e3d004505b9b3

SHA1
101fa4d0bcb372cf57d5689d2f7f44bb3161c34b

SHA256
78235bd4040594d2ca22027eb644fb3685380868f9eee8d8b14c069f9e6a42c6

SHA512
1431002c189baa5cf9d351c4887d6996402cec5129562c1f756de7046c3bff4da2887bdaaab45a2a7bfb673e73d151c65b9c89dfe50365533f9d77cc3e66e463

Download Submit
C:\Windows\System\kcgqcFk.exe

Filesize
5.2MB

MD5
e8eae2155e926086771dbc7e10322aef

SHA1
1b4990efbb2bf08f29d49b1f3c2a46518a61dfc7

SHA256
f6489dc6b395db4719b0e97fd873b27c5f1ff7762c1b3fb581f577316bd0252b

SHA512
ccb1d6062a03f4fc4e49a4c1042179a6beec01bf6fa726b3c6a9120489eb6fd47b84d7a27017a8b178b6e388c4d33f1a74097b9668c4b2dc2b6a1ef323a7aee6

Download Submit
C:\Windows\System\nuryyCQ.exe

Filesize
5.2MB

MD5
7fc0b31d316485e0f037ecbaabc2b766

SHA1
e44cb0f059410584f8147ed3d2d938482bebd957

SHA256
2ad1b1deac3e17da4158c45d1668b4e39da4cdd8db3dcd85a500a9854d5a179d

SHA512
969c0827bda98f2897a3ae3d73d4bdc2a8e52384a1b6f2245018ae71ef5e55849b79420f41ff89fd433cfb1a4684ec4b0ccdeb0d3a06433de59aa6ecae4c3077

Download Submit
C:\Windows\System\qXaPtoK.exe

Filesize
5.2MB

MD5
15b3ad85d57266cfc6462a90d131959c

SHA1
0133d70cb62ef8b8babde4795e65ee158f14a747

SHA256
ee3a0d23f5d5a599bffa37ed96cdbef23ba2377fcc469ceaba20a61aac51ab4b

SHA512
fdf58f6152d14b8e9bd352e1c03c26a09136751f367d4898f5dc02ccfa482c93c821a9e070de927f93735fa5808a46df8c6ea50797b277dd2b18861ac8e42e9e

Download Submit
C:\Windows\System\wbKvRnp.exe

Filesize
5.2MB

MD5
e72798bb093520750c7e3164d4646d89

SHA1
6a9050f15968a3bc7d07f0ea418a01555ee4b605

SHA256
7120fd3d7581b0fd489dda95680efe1f613bae6d47f8dc1e355d9b0a3bb53a50

SHA512
6eec575bfeff7e4ffdfd5b34fd177c7ae2c772df13bc84455ad0bbe494216026866c56e86587f14fcd48296c7401cf6673624102a9c0be7b111bd06f21617aa9

Download Submit
C:\Windows\System\wfTXfIn.exe

Filesize
5.2MB

MD5
456a1debacbd97aed9e4b295bd9bf425

SHA1
30db8f64e0bc188ade5f0160ca147b397474b43b

SHA256
52c18fa440e0824ecd26ce7f392683cf9cd76af5a2237227645b3b73a9f46cde

SHA512
445f412b64e901aa921bad128c13bb8efd770f141250f892306015fa5adbd2e7ec09e76ed5cc99100ee8bc638a8b63406c5107ee124f7bf29ddd8b2bf4dd5ae0

Download Submit
C:\Windows\System\xjLDSzW.exe

Filesize
5.2MB

MD5
dcbf00468240647ac04ce071ef4f77e9

SHA1
caafc7baaf8ddfa9697191dbcce490f62aeacb71

SHA256
0b81491bbdd8c2c3e025391631fad553dd1ebb7dcc440c2dfd29371f49229969

SHA512
9c5f3c3cc8e27994b95f9edf3fd669febb544327e05436facac9f086649c94b761eaedc4a72cf3a03238368b829624975af8dacc8c2f33b01c408ff1db117b04

Download Submit
memory/224-161-0x00007FF7FA720000-0x00007FF7FAA71000-memory.dmp

Filesize
3.3MB

Download
memory/224-124-0x00007FF7FA720000-0x00007FF7FAA71000-memory.dmp

Filesize
3.3MB

Download
memory/224-264-0x00007FF7FA720000-0x00007FF7FAA71000-memory.dmp

Filesize
3.3MB

Download
memory/1052-233-0x00007FF7FF160000-0x00007FF7FF4B1000-memory.dmp

Filesize
3.3MB

Download
memory/1052-51-0x00007FF7FF160000-0x00007FF7FF4B1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-158-0x00007FF6AE360000-0x00007FF6AE6B1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-111-0x00007FF6AE360000-0x00007FF6AE6B1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-262-0x00007FF6AE360000-0x00007FF6AE6B1000-memory.dmp

Filesize
3.3MB

Download
memory/1312-92-0x00007FF748420000-0x00007FF748771000-memory.dmp

Filesize
3.3MB

Download
memory/1312-153-0x00007FF748420000-0x00007FF748771000-memory.dmp

Filesize
3.3MB

Download
memory/1312-255-0x00007FF748420000-0x00007FF748771000-memory.dmp

Filesize
3.3MB

Download
memory/1408-225-0x00007FF7CE3B0000-0x00007FF7CE701000-memory.dmp

Filesize
3.3MB

Download
memory/1408-106-0x00007FF7CE3B0000-0x00007FF7CE701000-memory.dmp

Filesize
3.3MB

Download
memory/1408-38-0x00007FF7CE3B0000-0x00007FF7CE701000-memory.dmp

Filesize
3.3MB

Download
memory/1516-247-0x00007FF78C8C0000-0x00007FF78CC11000-memory.dmp

Filesize
3.3MB

Download
memory/1516-144-0x00007FF78C8C0000-0x00007FF78CC11000-memory.dmp

Filesize
3.3MB

Download
memory/1516-63-0x00007FF78C8C0000-0x00007FF78CC11000-memory.dmp

Filesize
3.3MB

Download
memory/1708-217-0x00007FF7B4760000-0x00007FF7B4AB1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-23-0x00007FF7B4760000-0x00007FF7B4AB1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-61-0x00007FF7B4760000-0x00007FF7B4AB1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-235-0x00007FF795E70000-0x00007FF7961C1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-120-0x00007FF795E70000-0x00007FF7961C1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-59-0x00007FF795E70000-0x00007FF7961C1000-memory.dmp

Filesize
3.3MB

Download
memory/1824-231-0x00007FF776E90000-0x00007FF7771E1000-memory.dmp

Filesize
3.3MB

Download
memory/1824-43-0x00007FF776E90000-0x00007FF7771E1000-memory.dmp

Filesize
3.3MB

Download
memory/1824-115-0x00007FF776E90000-0x00007FF7771E1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-116-0x00007FF625050000-0x00007FF6253A1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-159-0x00007FF625050000-0x00007FF6253A1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-269-0x00007FF625050000-0x00007FF6253A1000-memory.dmp

Filesize
3.3MB

Download
memory/2000-219-0x00007FF684C20000-0x00007FF684F71000-memory.dmp

Filesize
3.3MB

Download
memory/2000-26-0x00007FF684C20000-0x00007FF684F71000-memory.dmp

Filesize
3.3MB

Download
memory/2000-87-0x00007FF684C20000-0x00007FF684F71000-memory.dmp

Filesize
3.3MB

Download
memory/2588-56-0x00007FF6AADD0000-0x00007FF6AB121000-memory.dmp

Filesize
3.3MB

Download
memory/2588-215-0x00007FF6AADD0000-0x00007FF6AB121000-memory.dmp

Filesize
3.3MB

Download
memory/2588-19-0x00007FF6AADD0000-0x00007FF6AB121000-memory.dmp

Filesize
3.3MB

Download
memory/3124-160-0x00007FF6F3280000-0x00007FF6F35D1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-270-0x00007FF6F3280000-0x00007FF6F35D1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-121-0x00007FF6F3280000-0x00007FF6F35D1000-memory.dmp

Filesize
3.3MB

Download
memory/3472-251-0x00007FF723530000-0x00007FF723881000-memory.dmp

Filesize
3.3MB

Download
memory/3472-145-0x00007FF723530000-0x00007FF723881000-memory.dmp

Filesize
3.3MB

Download
memory/3472-76-0x00007FF723530000-0x00007FF723881000-memory.dmp

Filesize
3.3MB

Download
memory/3508-157-0x00007FF704E60000-0x00007FF7051B1000-memory.dmp

Filesize
3.3MB

Download
memory/3508-107-0x00007FF704E60000-0x00007FF7051B1000-memory.dmp

Filesize
3.3MB

Download
memory/3508-260-0x00007FF704E60000-0x00007FF7051B1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-162-0x00007FF7B7E70000-0x00007FF7B81C1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-50-0x00007FF7B7E70000-0x00007FF7B81C1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-1-0x000001C396EE0000-0x000001C396EF0000-memory.dmp

Filesize
64KB

Download
memory/3640-125-0x00007FF7B7E70000-0x00007FF7B81C1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-0-0x00007FF7B7E70000-0x00007FF7B81C1000-memory.dmp

Filesize
3.3MB

Download
memory/3724-213-0x00007FF7F8F10000-0x00007FF7F9261000-memory.dmp

Filesize
3.3MB

Download
memory/3724-55-0x00007FF7F8F10000-0x00007FF7F9261000-memory.dmp

Filesize
3.3MB

Download
memory/3724-7-0x00007FF7F8F10000-0x00007FF7F9261000-memory.dmp

Filesize
3.3MB

Download
memory/4080-156-0x00007FF6AE150000-0x00007FF6AE4A1000-memory.dmp

Filesize
3.3MB

Download
memory/4080-81-0x00007FF6AE150000-0x00007FF6AE4A1000-memory.dmp

Filesize
3.3MB

Download
memory/4080-253-0x00007FF6AE150000-0x00007FF6AE4A1000-memory.dmp

Filesize
3.3MB

Download
memory/4584-250-0x00007FF649C30000-0x00007FF649F81000-memory.dmp

Filesize
3.3MB

Download
memory/4584-88-0x00007FF649C30000-0x00007FF649F81000-memory.dmp

Filesize
3.3MB

Download
memory/4636-91-0x00007FF6DA970000-0x00007FF6DACC1000-memory.dmp

Filesize
3.3MB

Download
memory/4636-257-0x00007FF6DA970000-0x00007FF6DACC1000-memory.dmp

Filesize
3.3MB

Download
memory/4636-154-0x00007FF6DA970000-0x00007FF6DACC1000-memory.dmp

Filesize
3.3MB

Download
memory/4748-102-0x00007FF636D70000-0x00007FF6370C1000-memory.dmp

Filesize
3.3MB

Download
memory/4748-155-0x00007FF636D70000-0x00007FF6370C1000-memory.dmp

Filesize
3.3MB

Download
memory/4748-267-0x00007FF636D70000-0x00007FF6370C1000-memory.dmp

Filesize
3.3MB

Download
memory/4816-93-0x00007FF6B8800000-0x00007FF6B8B51000-memory.dmp

Filesize
3.3MB

Download
memory/4816-223-0x00007FF6B8800000-0x00007FF6B8B51000-memory.dmp

Filesize
3.3MB

Download
memory/4816-30-0x00007FF6B8800000-0x00007FF6B8B51000-memory.dmp

Filesize
3.3MB

Download