cobaltstrike | 3c3eec6a8a56558b265eb377c823d16369592f43300132047ec1ce413514e64e

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

285c576fc1e49906d1fdacd185d0ba3f
SHA1

210c551e05b236ca2b61ea44c226ddfd39d6f060
SHA256

3c3eec6a8a56558b265eb377c823d16369592f43300132047ec1ce413514e64e
SHA512

5dea789dc71c6323fb5ec98787ce91e332e8b07d61d2f4305dc8fa59bb426847c00d15ffaf41c17365f0265e769690a7305c3e53f729486b9df3d14f46fefa10
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lZ:RWWBibf56utgpPFotBER/mQ32lUV

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023b99-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-15.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-26.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba5-53.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bb4-61.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbd-73.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc2-82.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bad-65.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba3-63.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-56.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba4-52.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-29.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9a-89.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc4-94.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcd-120.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bce-124.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcf-132.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bca-107.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bc8-101.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4780-78-0x00007FF7CCC50000-0x00007FF7CCFA1000-memory.dmp	xmrig
behavioral2/memory/4540-85-0x00007FF7A5A10000-0x00007FF7A5D61000-memory.dmp	xmrig
behavioral2/memory/1832-84-0x00007FF7CDD80000-0x00007FF7CE0D1000-memory.dmp	xmrig
behavioral2/memory/2700-79-0x00007FF60E730000-0x00007FF60EA81000-memory.dmp	xmrig
behavioral2/memory/1308-77-0x00007FF63E040000-0x00007FF63E391000-memory.dmp	xmrig
behavioral2/memory/856-59-0x00007FF65FD20000-0x00007FF660071000-memory.dmp	xmrig
behavioral2/memory/4608-49-0x00007FF696BD0000-0x00007FF696F21000-memory.dmp	xmrig
behavioral2/memory/1496-97-0x00007FF6510F0000-0x00007FF651441000-memory.dmp	xmrig
behavioral2/memory/992-110-0x00007FF6649C0000-0x00007FF664D11000-memory.dmp	xmrig
behavioral2/memory/4612-128-0x00007FF6D3CE0000-0x00007FF6D4031000-memory.dmp	xmrig
behavioral2/memory/972-129-0x00007FF78ED60000-0x00007FF78F0B1000-memory.dmp	xmrig
behavioral2/memory/816-127-0x00007FF69D350000-0x00007FF69D6A1000-memory.dmp	xmrig
behavioral2/memory/2408-126-0x00007FF796850000-0x00007FF796BA1000-memory.dmp	xmrig
behavioral2/memory/1708-125-0x00007FF7D6540000-0x00007FF7D6891000-memory.dmp	xmrig
behavioral2/memory/2096-121-0x00007FF6C1D80000-0x00007FF6C20D1000-memory.dmp	xmrig
behavioral2/memory/1644-113-0x00007FF666100000-0x00007FF666451000-memory.dmp	xmrig
behavioral2/memory/1116-103-0x00007FF601AB0000-0x00007FF601E01000-memory.dmp	xmrig
behavioral2/memory/1644-134-0x00007FF666100000-0x00007FF666451000-memory.dmp	xmrig
behavioral2/memory/3488-143-0x00007FF7D57D0000-0x00007FF7D5B21000-memory.dmp	xmrig
behavioral2/memory/1496-150-0x00007FF6510F0000-0x00007FF651441000-memory.dmp	xmrig
behavioral2/memory/4872-155-0x00007FF7955F0000-0x00007FF795941000-memory.dmp	xmrig
behavioral2/memory/3380-154-0x00007FF722410000-0x00007FF722761000-memory.dmp	xmrig
behavioral2/memory/4100-156-0x00007FF7A5820000-0x00007FF7A5B71000-memory.dmp	xmrig
behavioral2/memory/1644-158-0x00007FF666100000-0x00007FF666451000-memory.dmp	xmrig
behavioral2/memory/4164-157-0x00007FF7B9710000-0x00007FF7B9A61000-memory.dmp	xmrig
behavioral2/memory/2408-218-0x00007FF796850000-0x00007FF796BA1000-memory.dmp	xmrig
behavioral2/memory/2096-220-0x00007FF6C1D80000-0x00007FF6C20D1000-memory.dmp	xmrig
behavioral2/memory/816-222-0x00007FF69D350000-0x00007FF69D6A1000-memory.dmp	xmrig
behavioral2/memory/1708-226-0x00007FF7D6540000-0x00007FF7D6891000-memory.dmp	xmrig
behavioral2/memory/4612-225-0x00007FF6D3CE0000-0x00007FF6D4031000-memory.dmp	xmrig
behavioral2/memory/4608-228-0x00007FF696BD0000-0x00007FF696F21000-memory.dmp	xmrig
behavioral2/memory/856-230-0x00007FF65FD20000-0x00007FF660071000-memory.dmp	xmrig
behavioral2/memory/2700-232-0x00007FF60E730000-0x00007FF60EA81000-memory.dmp	xmrig
behavioral2/memory/3488-234-0x00007FF7D57D0000-0x00007FF7D5B21000-memory.dmp	xmrig
behavioral2/memory/972-238-0x00007FF78ED60000-0x00007FF78F0B1000-memory.dmp	xmrig
behavioral2/memory/4780-237-0x00007FF7CCC50000-0x00007FF7CCFA1000-memory.dmp	xmrig
behavioral2/memory/4540-242-0x00007FF7A5A10000-0x00007FF7A5D61000-memory.dmp	xmrig
behavioral2/memory/1832-244-0x00007FF7CDD80000-0x00007FF7CE0D1000-memory.dmp	xmrig
behavioral2/memory/1308-241-0x00007FF63E040000-0x00007FF63E391000-memory.dmp	xmrig
behavioral2/memory/1496-253-0x00007FF6510F0000-0x00007FF651441000-memory.dmp	xmrig
behavioral2/memory/1116-255-0x00007FF601AB0000-0x00007FF601E01000-memory.dmp	xmrig
behavioral2/memory/992-257-0x00007FF6649C0000-0x00007FF664D11000-memory.dmp	xmrig
behavioral2/memory/3380-259-0x00007FF722410000-0x00007FF722761000-memory.dmp	xmrig
behavioral2/memory/4100-263-0x00007FF7A5820000-0x00007FF7A5B71000-memory.dmp	xmrig
behavioral2/memory/4164-264-0x00007FF7B9710000-0x00007FF7B9A61000-memory.dmp	xmrig
behavioral2/memory/4872-266-0x00007FF7955F0000-0x00007FF795941000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2096	LBxFdcn.exe
2408	IvPSdTg.exe
816	kusdlbq.exe
1708	YvZWnRX.exe
4612	fcqGenk.exe
4608	yBLisCB.exe
856	mhSYPLA.exe
3488	ADWShud.exe
2700	yxHfpHE.exe
972	SRpJaML.exe
1308	oOcGLrF.exe
1832	ADqPFmv.exe
4780	VNgMJTp.exe
4540	iFhKtIH.exe
1496	OFAFTWJ.exe
1116	COCovJV.exe
992	nCQItHG.exe
3380	bNjNbfP.exe
4872	UlTMlSs.exe
4100	dxhrMvf.exe
4164	MWIHXls.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1644-0-0x00007FF666100000-0x00007FF666451000-memory.dmp	upx
behavioral2/files/0x000d000000023b99-5.dat	upx
behavioral2/memory/2096-6-0x00007FF6C1D80000-0x00007FF6C20D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-15.dat	upx
behavioral2/files/0x000a000000023b9f-23.dat	upx
behavioral2/files/0x000a000000023ba0-26.dat	upx
behavioral2/files/0x000b000000023ba5-53.dat	upx
behavioral2/files/0x000e000000023bb4-61.dat	upx
behavioral2/files/0x0008000000023bbd-73.dat	upx
behavioral2/memory/4780-78-0x00007FF7CCC50000-0x00007FF7CCFA1000-memory.dmp	upx
behavioral2/files/0x0009000000023bc2-82.dat	upx
behavioral2/memory/4540-85-0x00007FF7A5A10000-0x00007FF7A5D61000-memory.dmp	upx
behavioral2/memory/1832-84-0x00007FF7CDD80000-0x00007FF7CE0D1000-memory.dmp	upx
behavioral2/memory/2700-79-0x00007FF60E730000-0x00007FF60EA81000-memory.dmp	upx
behavioral2/memory/1308-77-0x00007FF63E040000-0x00007FF63E391000-memory.dmp	upx
behavioral2/memory/972-76-0x00007FF78ED60000-0x00007FF78F0B1000-memory.dmp	upx
behavioral2/memory/3488-69-0x00007FF7D57D0000-0x00007FF7D5B21000-memory.dmp	upx
behavioral2/files/0x000a000000023bad-65.dat	upx
behavioral2/files/0x000b000000023ba3-63.dat	upx
behavioral2/memory/856-59-0x00007FF65FD20000-0x00007FF660071000-memory.dmp	upx
behavioral2/files/0x000a000000023ba2-56.dat	upx
behavioral2/files/0x000b000000023ba4-52.dat	upx
behavioral2/memory/4608-49-0x00007FF696BD0000-0x00007FF696F21000-memory.dmp	upx
behavioral2/memory/4612-47-0x00007FF6D3CE0000-0x00007FF6D4031000-memory.dmp	upx
behavioral2/memory/1708-36-0x00007FF7D6540000-0x00007FF7D6891000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-35.dat	upx
behavioral2/files/0x000a000000023b9e-29.dat	upx
behavioral2/memory/816-27-0x00007FF69D350000-0x00007FF69D6A1000-memory.dmp	upx
behavioral2/memory/2408-16-0x00007FF796850000-0x00007FF796BA1000-memory.dmp	upx
behavioral2/files/0x000b000000023b9a-89.dat	upx
behavioral2/files/0x0009000000023bc4-94.dat	upx
behavioral2/memory/1496-97-0x00007FF6510F0000-0x00007FF651441000-memory.dmp	upx
behavioral2/memory/992-110-0x00007FF6649C0000-0x00007FF664D11000-memory.dmp	upx
behavioral2/files/0x0008000000023bcd-120.dat	upx
behavioral2/memory/4872-118-0x00007FF7955F0000-0x00007FF795941000-memory.dmp	upx
behavioral2/files/0x0008000000023bce-124.dat	upx
behavioral2/memory/4612-128-0x00007FF6D3CE0000-0x00007FF6D4031000-memory.dmp	upx
behavioral2/files/0x0008000000023bcf-132.dat	upx
behavioral2/memory/4164-130-0x00007FF7B9710000-0x00007FF7B9A61000-memory.dmp	upx
behavioral2/memory/972-129-0x00007FF78ED60000-0x00007FF78F0B1000-memory.dmp	upx
behavioral2/memory/816-127-0x00007FF69D350000-0x00007FF69D6A1000-memory.dmp	upx
behavioral2/memory/2408-126-0x00007FF796850000-0x00007FF796BA1000-memory.dmp	upx
behavioral2/memory/1708-125-0x00007FF7D6540000-0x00007FF7D6891000-memory.dmp	upx
behavioral2/memory/4100-122-0x00007FF7A5820000-0x00007FF7A5B71000-memory.dmp	upx
behavioral2/memory/2096-121-0x00007FF6C1D80000-0x00007FF6C20D1000-memory.dmp	upx
behavioral2/memory/3380-117-0x00007FF722410000-0x00007FF722761000-memory.dmp	upx
behavioral2/memory/1644-113-0x00007FF666100000-0x00007FF666451000-memory.dmp	upx
behavioral2/files/0x0008000000023bca-107.dat	upx
behavioral2/memory/1116-103-0x00007FF601AB0000-0x00007FF601E01000-memory.dmp	upx
behavioral2/files/0x000e000000023bc8-101.dat	upx
behavioral2/memory/1644-134-0x00007FF666100000-0x00007FF666451000-memory.dmp	upx
behavioral2/memory/3488-143-0x00007FF7D57D0000-0x00007FF7D5B21000-memory.dmp	upx
behavioral2/memory/1496-150-0x00007FF6510F0000-0x00007FF651441000-memory.dmp	upx
behavioral2/memory/4872-155-0x00007FF7955F0000-0x00007FF795941000-memory.dmp	upx
behavioral2/memory/3380-154-0x00007FF722410000-0x00007FF722761000-memory.dmp	upx
behavioral2/memory/4100-156-0x00007FF7A5820000-0x00007FF7A5B71000-memory.dmp	upx
behavioral2/memory/1644-158-0x00007FF666100000-0x00007FF666451000-memory.dmp	upx
behavioral2/memory/4164-157-0x00007FF7B9710000-0x00007FF7B9A61000-memory.dmp	upx
behavioral2/memory/2408-218-0x00007FF796850000-0x00007FF796BA1000-memory.dmp	upx
behavioral2/memory/2096-220-0x00007FF6C1D80000-0x00007FF6C20D1000-memory.dmp	upx
behavioral2/memory/816-222-0x00007FF69D350000-0x00007FF69D6A1000-memory.dmp	upx
behavioral2/memory/1708-226-0x00007FF7D6540000-0x00007FF7D6891000-memory.dmp	upx
behavioral2/memory/4612-225-0x00007FF6D3CE0000-0x00007FF6D4031000-memory.dmp	upx
behavioral2/memory/4608-228-0x00007FF696BD0000-0x00007FF696F21000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\mhSYPLA.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SRpJaML.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oOcGLrF.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ADqPFmv.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iFhKtIH.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fcqGenk.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kusdlbq.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VNgMJTp.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\COCovJV.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LBxFdcn.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ADWShud.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yxHfpHE.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nCQItHG.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bNjNbfP.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dxhrMvf.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MWIHXls.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IvPSdTg.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yBLisCB.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OFAFTWJ.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UlTMlSs.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YvZWnRX.exe	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2096	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1644 wrote to memory of 2096	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1644 wrote to memory of 2408	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1644 wrote to memory of 2408	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1644 wrote to memory of 816	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1644 wrote to memory of 816	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1644 wrote to memory of 1708	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1644 wrote to memory of 1708	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1644 wrote to memory of 4608	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1644 wrote to memory of 4608	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1644 wrote to memory of 4612	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1644 wrote to memory of 4612	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1644 wrote to memory of 856	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1644 wrote to memory of 856	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1644 wrote to memory of 3488	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1644 wrote to memory of 3488	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1644 wrote to memory of 2700	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1644 wrote to memory of 2700	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1644 wrote to memory of 972	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1644 wrote to memory of 972	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1644 wrote to memory of 1308	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1644 wrote to memory of 1308	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1644 wrote to memory of 1832	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1644 wrote to memory of 1832	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1644 wrote to memory of 4780	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1644 wrote to memory of 4780	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1644 wrote to memory of 4540	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1644 wrote to memory of 4540	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1644 wrote to memory of 1496	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1644 wrote to memory of 1496	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1644 wrote to memory of 1116	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1644 wrote to memory of 1116	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1644 wrote to memory of 992	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1644 wrote to memory of 992	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1644 wrote to memory of 3380	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1644 wrote to memory of 3380	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1644 wrote to memory of 4872	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1644 wrote to memory of 4872	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1644 wrote to memory of 4100	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1644 wrote to memory of 4100	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1644 wrote to memory of 4164	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1644 wrote to memory of 4164	1644	2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-03_285c576fc1e49906d1fdacd185d0ba3f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\System\LBxFdcn.exe
  C:\Windows\System\LBxFdcn.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\IvPSdTg.exe
  C:\Windows\System\IvPSdTg.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\kusdlbq.exe
  C:\Windows\System\kusdlbq.exe
  2⤵
  - Executes dropped EXE
  PID:816
- C:\Windows\System\YvZWnRX.exe
  C:\Windows\System\YvZWnRX.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\yBLisCB.exe
  C:\Windows\System\yBLisCB.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\fcqGenk.exe
  C:\Windows\System\fcqGenk.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\mhSYPLA.exe
  C:\Windows\System\mhSYPLA.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\ADWShud.exe
  C:\Windows\System\ADWShud.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System\yxHfpHE.exe
  C:\Windows\System\yxHfpHE.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\SRpJaML.exe
  C:\Windows\System\SRpJaML.exe
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\System\oOcGLrF.exe
  C:\Windows\System\oOcGLrF.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System\ADqPFmv.exe
  C:\Windows\System\ADqPFmv.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\VNgMJTp.exe
  C:\Windows\System\VNgMJTp.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\iFhKtIH.exe
  C:\Windows\System\iFhKtIH.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\OFAFTWJ.exe
  C:\Windows\System\OFAFTWJ.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\COCovJV.exe
  C:\Windows\System\COCovJV.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\nCQItHG.exe
  C:\Windows\System\nCQItHG.exe
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\System\bNjNbfP.exe
  C:\Windows\System\bNjNbfP.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System\UlTMlSs.exe
  C:\Windows\System\UlTMlSs.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\dxhrMvf.exe
  C:\Windows\System\dxhrMvf.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\MWIHXls.exe
  C:\Windows\System\MWIHXls.exe
  2⤵
  - Executes dropped EXE
  PID:4164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ADWShud.exe

Filesize
5.2MB

MD5
19c004faaa023763becf71569d91c4f9

SHA1
2a63c40efb1a938ded5bd4c18d732d589182d174

SHA256
a5f3950be066b161d5b957f3eafc8f853705a5aaa0537713a59f83f0aa71f106

SHA512
983a35dc6fbfc151f85ef18ddc9170c89601ddb03b65dafc3d1a809516fbcb941ceff865ba7b2e6c7fc34170d7413d7112a565cb3c3eb4d86f95c0351fbe33b7

Download Submit
C:\Windows\System\ADqPFmv.exe

Filesize
5.2MB

MD5
ea5ee67a0dddc5c7edd055f07e01927f

SHA1
7137ef187718182c4568b509f1bc382e7e584dc3

SHA256
eb221835d07a0d6de248d728ac78eff528e45af475ce998adb01d135370a261e

SHA512
449a6c7dad81410e079d01e350fa6287ad446c04166de3d7b879188a7333e0670a8587135d425e34a4a1e0365f29847dfa44abce4206aaf4c234a08acc0c9f8e

Download Submit
C:\Windows\System\COCovJV.exe

Filesize
5.2MB

MD5
f2dd3a0b6056daba276b81bb35316dfb

SHA1
f611815c86e01e256804d9413c9a2432c3048670

SHA256
56cd40de60cfb99fd3182c4e00e8a9befc678dd393a4184fbe159419f8fe77e8

SHA512
f69f729b5b870a1ad3b3708bddd6a5c03c6ce49ec70be621fef6342929148da1dadfe1c4303f143725cf2b8b3ab638010a373614091406409abfff1beb6e1059

Download Submit
C:\Windows\System\IvPSdTg.exe

Filesize
5.2MB

MD5
6058f184a13f9cfa5b0cac0b90318385

SHA1
e3fee3f0058c157af85e3db82daa13fe0fb5efb8

SHA256
f49b98508f5089a90ab0bb1f95ba723177dd2b0aac44fa1454f3db96bd2a5477

SHA512
dac2c8983edccd3b57177eff62f51f912f3e661bc77e43787b690e4659f99913d814f187c7adfccac10fd82968700be96688cc850ef31e19cf3d8d28efbe4378

Download Submit
C:\Windows\System\LBxFdcn.exe

Filesize
5.2MB

MD5
58b31b1d47f2ccc3197e04303472fc4b

SHA1
29bad340c95bd5e7f113a831a2be8dda7fee87de

SHA256
eca053515c0ce955dfc786168f13e382ffa437164fe332ce8a68c47dc18a063f

SHA512
abf2173ce2b87189f1a25df9d52a0bc198d6c8497796578695e4451101626dbdde5f2961dfae930ae5df0a7854233a7a522577b2f6cf5fd60bbee3be4ea119bb

Download Submit
C:\Windows\System\MWIHXls.exe

Filesize
5.2MB

MD5
1dc10aef40cdef3e2cf3e82f839634e0

SHA1
9a1eef3ae298839f7513ee485ec88ec3adedb8e7

SHA256
b5d396f20db97d1aaf62874145dc89ea5ba59e5957437e95d7eb61c0f245b2cb

SHA512
8e340431b236050f328ee1adb3a5a316c8eba0c32533f67ef9e6f853aedd19bd1b772480715e1aa5376a4ee04d261cc7a3f8fc7a5dd7cdcf3b0f4b2ae8f67fa1

Download Submit
C:\Windows\System\OFAFTWJ.exe

Filesize
5.2MB

MD5
f2b467ba5637bed91fec091f9b832da7

SHA1
f2782eb2e565d71d1eed96599e5d2f5233794951

SHA256
17ab8d5c7853b1a1ee7224fdf088a72d3ea19ebd6ce297cf8948227c2991717d

SHA512
bba4b722a5a881889f7d35ab1463deb42e7bb53915f499f5f2a86c766717968118ea37161511846e32679688558eb1d6dcd19d18522ea0af558e163ee98307e9

Download Submit
C:\Windows\System\SRpJaML.exe

Filesize
5.2MB

MD5
a3f9400cabc6ba66af3d3d85854d8343

SHA1
c3330f0e73e3a65ffadf5b91718085c76c76172d

SHA256
8fc0f01d29fc49c69736f20c362d61419fec279f15e7423467c245f9b529b063

SHA512
2d5a0f110dc3149b4445a710aa26f835164dd3c405a0cf267967e8324bbfbf12602ba2518ddb0eeb4a24db82ce8dfd76dc06581b1007d7f86743fbcf6786b216

Download Submit
C:\Windows\System\UlTMlSs.exe

Filesize
5.2MB

MD5
cc997521d1b21f901ae95ec10c5b192d

SHA1
5da5d85046cd7769344c06dd60144f4a46becade

SHA256
ffde548d9f27a6704d2097541b6d3a3b93c20ec347f049e21ec1764d7cd36496

SHA512
a7ebba3ebe36284152740fead1cf142ea976e27cf4c9a4fb909f3a2a176174e92eebdca467e093a5aae09959424b05074cd92e3891397732751ef67bd800d21f

Download Submit
C:\Windows\System\VNgMJTp.exe

Filesize
5.2MB

MD5
c38bc09e9516c5f9f3dde70ff9d44cae

SHA1
a99fa9e54c85686d77c0353f9048b29a7ba05512

SHA256
d866947fd4fc8f92118cce2fa1e05dd82be29afb475736314a89f3222090bc09

SHA512
e0412867867f924c66fa874c6dc1b1313202a18b5119aefb13d1c2e5e11398e25e51ababc155fcc4f7ac65876eda5f286fd31d832d330aefa103498dd16dc205

Download Submit
C:\Windows\System\YvZWnRX.exe

Filesize
5.2MB

MD5
14468d1781368530a54d9c7c5be80d3b

SHA1
30d05e71117b5e65e8ab653c26e460a64284228f

SHA256
2a01685c25fa2e7a3e1e0af0fb490661a136a5142fe1978da581674a126dd51e

SHA512
27aeef22a2c1b4507fa285d1641accb6b98b84e56aa8eef3fdcc58288e97c00e1d22f476c4624f15a1dcf04841f63b6c4ef12937e4e7d13eb3260f0691396e58

Download Submit
C:\Windows\System\bNjNbfP.exe

Filesize
5.2MB

MD5
7cdd43918586402216f8d47c7cea3d7a

SHA1
a5cccbb5b4d0cb59f39a64fcfe7bbdaa91f077c6

SHA256
8c11d773b77d12f1e8d8a8818717795a5dc4df38c286cc2e66ffe49bb7612635

SHA512
167016e25c38c61f5919e060c33153285f1efdd56bd866aa3609d181b72d0b798edbfd84b057a81f33c926edb1bbc5334d9cf286086754760e25312253aa3975

Download Submit
C:\Windows\System\dxhrMvf.exe

Filesize
5.2MB

MD5
9f5d2633e2db6f7c8842facb4a206879

SHA1
f941391273902e56e443b71e72184aa7c0c42ed8

SHA256
3604a4e5dafdbb2e302008952e699735697520a80b6dd7fb3ab5acec3d27fc57

SHA512
c9cbc95d942f5346dd05f9890e02083ab4375733defff4af1df1469646c9b40dd673e5c4c5e10cff701344b5e06912c450f399b62285a3ec4a43cf2a87998bd0

Download Submit
C:\Windows\System\fcqGenk.exe

Filesize
5.2MB

MD5
f9afadcf839c44f35c52b39c5a302742

SHA1
5beed59b6beed080cf374b9070bf3e139bd447ca

SHA256
5c1c248aaa70494fdb706cb7058c51ad95cb58f95a91a1ca03c5514c3ce3ed3e

SHA512
0a2ab7a019113d3fcf6f10da2609e82e7191a3f6faac5ba15ba6102bd1a737f62c491325164aa3dfe872032a272bdc5cf2d71b747ca0dab84113a47489dd1487

Download Submit
C:\Windows\System\iFhKtIH.exe

Filesize
5.2MB

MD5
7fe701a4ba0e3a4c71534e97d8f2bb83

SHA1
fbab5f8ce7913f594af2e1c241b21ff5d5b5be5f

SHA256
72777be9618c41b215aa6e5426b48e207396c20b4a1f8572c2cfb851f77fc8b7

SHA512
f7db30bdf239395e5a19e0f5b585e4ec14c006d2b88db7478395fea6284705a426b8f0dbddb06858aff4de56c77f8c7765f888e75dd69378df965fcb27a6deed

Download Submit
C:\Windows\System\kusdlbq.exe

Filesize
5.2MB

MD5
ed1ac8ea793ff24bbee626ea6e212356

SHA1
e5ec47102ed29c3f2d2da6bb1692b2f8f438c622

SHA256
9feae07f7006165f6d4bb67bc39cdabfd36e251e13a8ad4e97bc0f1d5bbe3d72

SHA512
804e020596240bf5118e2d44409aaa068fc1b2cf315f54b507c062e18daf80247e3943066fb71b67b4cec7ff7cc5a236e4ee9f8157ef81780fbfbf3b1d2fa1c3

Download Submit
C:\Windows\System\mhSYPLA.exe

Filesize
5.2MB

MD5
4b797bd1026feb729ef83ad2dde82e90

SHA1
7793b6d0207ed0a10d75c4ead06067fd89a2dd9f

SHA256
1609007512a542ddbe936148825f05087443a38af28d5e5e5053b0a6fb071dac

SHA512
2cfda8d3d36f7ea80037089c2812e79ba91ed9ccdeb5eb57ce3ca53ce240608992a99320d24a6a947b0dcc9a33853d337c896b9467a6ba0b96649e49d621cb52

Download Submit
C:\Windows\System\nCQItHG.exe

Filesize
5.2MB

MD5
07daff7eff737b6bff634aee18b01413

SHA1
9a25fb4b9d36a1fa2c8176024f76417739bd47bc

SHA256
feba8e94550fd33f366e43355783457973756617d2449c12a09b43b3f4d836ba

SHA512
14f21bf8ee251d8f69e54cfadb810239587cbf60789bbb69ad44222ff680544e8e1da549190095a4a1be0d48deae7dca990831687ba673b6ac206e1da893c272

Download Submit
C:\Windows\System\oOcGLrF.exe

Filesize
5.2MB

MD5
3c83e236e358a892aee2a09dcca4c9e6

SHA1
8483c0242fcfe4b2d805283272a8ced80d1c2634

SHA256
d2843456bc562d0918ee8faf8a49e90d389a45090ee03fc9c713a1cdd82e6731

SHA512
d77b0f91a9a9b680d023a2fd3e5d1e56632b25ff0a175ca3d876e9d209257b65cf600e66c5a8f716eefc6f6afaac8dcdbfd353ecfb4eba64ec7fc4f944b1d816

Download Submit
C:\Windows\System\yBLisCB.exe

Filesize
5.2MB

MD5
958f579a4f14545c2e6f8341f1af8083

SHA1
55bb0e6c3d1eacafe3f53042131ab4ced2e0eb5c

SHA256
07df0b6b72943ac786a0af18477091310a19702fa884e6aa6f11c8057759d926

SHA512
17bf2069506b9c5dfb08f4acb3000e58d4233bd19e120ae384b6704dbaa2c881f28e6e46e6ec0c0dd81035feafa30bafa628d43016cc87b4d038a61fce475f6b

Download Submit
C:\Windows\System\yxHfpHE.exe

Filesize
5.2MB

MD5
5f1f47b5db5dbacad3e0fdae6f2b2dcb

SHA1
6c76305f768c962780e779ce14b8448bc1ee8611

SHA256
c5e4cc59c0adc535eda363669ae0bf4a13650b54baf43371c3c48ab013bd8ff9

SHA512
ffa5498d6f0903b1a30d4646bf8450fe4f9d1f90eaba63854b75a346037c7dba5f0163c651a111335c9f7919ce82756e7fad705590d1e40521781917cc1d7860

Download Submit
memory/816-127-0x00007FF69D350000-0x00007FF69D6A1000-memory.dmp

Filesize
3.3MB

Download
memory/816-222-0x00007FF69D350000-0x00007FF69D6A1000-memory.dmp

Filesize
3.3MB

Download
memory/816-27-0x00007FF69D350000-0x00007FF69D6A1000-memory.dmp

Filesize
3.3MB

Download
memory/856-59-0x00007FF65FD20000-0x00007FF660071000-memory.dmp

Filesize
3.3MB

Download
memory/856-230-0x00007FF65FD20000-0x00007FF660071000-memory.dmp

Filesize
3.3MB

Download
memory/972-129-0x00007FF78ED60000-0x00007FF78F0B1000-memory.dmp

Filesize
3.3MB

Download
memory/972-238-0x00007FF78ED60000-0x00007FF78F0B1000-memory.dmp

Filesize
3.3MB

Download
memory/972-76-0x00007FF78ED60000-0x00007FF78F0B1000-memory.dmp

Filesize
3.3MB

Download
memory/992-257-0x00007FF6649C0000-0x00007FF664D11000-memory.dmp

Filesize
3.3MB

Download
memory/992-110-0x00007FF6649C0000-0x00007FF664D11000-memory.dmp

Filesize
3.3MB

Download
memory/1116-103-0x00007FF601AB0000-0x00007FF601E01000-memory.dmp

Filesize
3.3MB

Download
memory/1116-255-0x00007FF601AB0000-0x00007FF601E01000-memory.dmp

Filesize
3.3MB

Download
memory/1308-241-0x00007FF63E040000-0x00007FF63E391000-memory.dmp

Filesize
3.3MB

Download
memory/1308-77-0x00007FF63E040000-0x00007FF63E391000-memory.dmp

Filesize
3.3MB

Download
memory/1496-253-0x00007FF6510F0000-0x00007FF651441000-memory.dmp

Filesize
3.3MB

Download
memory/1496-97-0x00007FF6510F0000-0x00007FF651441000-memory.dmp

Filesize
3.3MB

Download
memory/1496-150-0x00007FF6510F0000-0x00007FF651441000-memory.dmp

Filesize
3.3MB

Download
memory/1644-134-0x00007FF666100000-0x00007FF666451000-memory.dmp

Filesize
3.3MB

Download
memory/1644-1-0x000002AFEEF40000-0x000002AFEEF50000-memory.dmp

Filesize
64KB

Download
memory/1644-158-0x00007FF666100000-0x00007FF666451000-memory.dmp

Filesize
3.3MB

Download
memory/1644-0-0x00007FF666100000-0x00007FF666451000-memory.dmp

Filesize
3.3MB

Download
memory/1644-113-0x00007FF666100000-0x00007FF666451000-memory.dmp

Filesize
3.3MB

Download
memory/1708-36-0x00007FF7D6540000-0x00007FF7D6891000-memory.dmp

Filesize
3.3MB

Download
memory/1708-125-0x00007FF7D6540000-0x00007FF7D6891000-memory.dmp

Filesize
3.3MB

Download
memory/1708-226-0x00007FF7D6540000-0x00007FF7D6891000-memory.dmp

Filesize
3.3MB

Download
memory/1832-84-0x00007FF7CDD80000-0x00007FF7CE0D1000-memory.dmp

Filesize
3.3MB

Download
memory/1832-244-0x00007FF7CDD80000-0x00007FF7CE0D1000-memory.dmp

Filesize
3.3MB

Download
memory/2096-121-0x00007FF6C1D80000-0x00007FF6C20D1000-memory.dmp

Filesize
3.3MB

Download
memory/2096-6-0x00007FF6C1D80000-0x00007FF6C20D1000-memory.dmp

Filesize
3.3MB

Download
memory/2096-220-0x00007FF6C1D80000-0x00007FF6C20D1000-memory.dmp

Filesize
3.3MB

Download
memory/2408-126-0x00007FF796850000-0x00007FF796BA1000-memory.dmp

Filesize
3.3MB

Download
memory/2408-218-0x00007FF796850000-0x00007FF796BA1000-memory.dmp

Filesize
3.3MB

Download
memory/2408-16-0x00007FF796850000-0x00007FF796BA1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-232-0x00007FF60E730000-0x00007FF60EA81000-memory.dmp

Filesize
3.3MB

Download
memory/2700-79-0x00007FF60E730000-0x00007FF60EA81000-memory.dmp

Filesize
3.3MB

Download
memory/3380-117-0x00007FF722410000-0x00007FF722761000-memory.dmp

Filesize
3.3MB

Download
memory/3380-259-0x00007FF722410000-0x00007FF722761000-memory.dmp

Filesize
3.3MB

Download
memory/3380-154-0x00007FF722410000-0x00007FF722761000-memory.dmp

Filesize
3.3MB

Download
memory/3488-69-0x00007FF7D57D0000-0x00007FF7D5B21000-memory.dmp

Filesize
3.3MB

Download
memory/3488-143-0x00007FF7D57D0000-0x00007FF7D5B21000-memory.dmp

Filesize
3.3MB

Download
memory/3488-234-0x00007FF7D57D0000-0x00007FF7D5B21000-memory.dmp

Filesize
3.3MB

Download
memory/4100-263-0x00007FF7A5820000-0x00007FF7A5B71000-memory.dmp

Filesize
3.3MB

Download
memory/4100-156-0x00007FF7A5820000-0x00007FF7A5B71000-memory.dmp

Filesize
3.3MB

Download
memory/4100-122-0x00007FF7A5820000-0x00007FF7A5B71000-memory.dmp

Filesize
3.3MB

Download
memory/4164-157-0x00007FF7B9710000-0x00007FF7B9A61000-memory.dmp

Filesize
3.3MB

Download
memory/4164-264-0x00007FF7B9710000-0x00007FF7B9A61000-memory.dmp

Filesize
3.3MB

Download
memory/4164-130-0x00007FF7B9710000-0x00007FF7B9A61000-memory.dmp

Filesize
3.3MB

Download
memory/4540-242-0x00007FF7A5A10000-0x00007FF7A5D61000-memory.dmp

Filesize
3.3MB

Download
memory/4540-85-0x00007FF7A5A10000-0x00007FF7A5D61000-memory.dmp

Filesize
3.3MB

Download
memory/4608-49-0x00007FF696BD0000-0x00007FF696F21000-memory.dmp

Filesize
3.3MB

Download
memory/4608-228-0x00007FF696BD0000-0x00007FF696F21000-memory.dmp

Filesize
3.3MB

Download
memory/4612-128-0x00007FF6D3CE0000-0x00007FF6D4031000-memory.dmp

Filesize
3.3MB

Download
memory/4612-47-0x00007FF6D3CE0000-0x00007FF6D4031000-memory.dmp

Filesize
3.3MB

Download
memory/4612-225-0x00007FF6D3CE0000-0x00007FF6D4031000-memory.dmp

Filesize
3.3MB

Download
memory/4780-237-0x00007FF7CCC50000-0x00007FF7CCFA1000-memory.dmp

Filesize
3.3MB

Download
memory/4780-78-0x00007FF7CCC50000-0x00007FF7CCFA1000-memory.dmp

Filesize
3.3MB

Download
memory/4872-118-0x00007FF7955F0000-0x00007FF795941000-memory.dmp

Filesize
3.3MB

Download
memory/4872-155-0x00007FF7955F0000-0x00007FF795941000-memory.dmp

Filesize
3.3MB

Download
memory/4872-266-0x00007FF7955F0000-0x00007FF795941000-memory.dmp

Filesize
3.3MB

Download