cobaltstrike | e7c9461dbf00522e262dbf5e5ad7e9bd8b1cffc20123436c76be2226bb46a57d

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

336d868ed5acc6b0421157ee0fd5d372
SHA1

21b5818537af00d948c7abb03109959fd732c24d
SHA256

e7c9461dbf00522e262dbf5e5ad7e9bd8b1cffc20123436c76be2226bb46a57d
SHA512

41c56474008ba358d0c7e86000d52aa600133ca61751aea1586993a9d845d2a5e0642eca03429b18272d0a358d5a16d20ee177b1d956da90c8e6c56b65ffac69
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lf:RWWBibf56utgpPFotBER/mQ32lUL

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b6e-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6a-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c69-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c68-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c71-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c73-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c72-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6e-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6d-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6f-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c70-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6c-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6b-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c67-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c66-21.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c63-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c74-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c77-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-136.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c75-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c76-113.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1592-79-0x00007FF703070000-0x00007FF7033C1000-memory.dmp	xmrig
behavioral2/memory/992-128-0x00007FF63F2B0000-0x00007FF63F601000-memory.dmp	xmrig
behavioral2/memory/4572-138-0x00007FF760230000-0x00007FF760581000-memory.dmp	xmrig
behavioral2/memory/3160-135-0x00007FF78FFF0000-0x00007FF790341000-memory.dmp	xmrig
behavioral2/memory/3976-133-0x00007FF7165C0000-0x00007FF716911000-memory.dmp	xmrig
behavioral2/memory/752-132-0x00007FF6ADF40000-0x00007FF6AE291000-memory.dmp	xmrig
behavioral2/memory/748-127-0x00007FF750430000-0x00007FF750781000-memory.dmp	xmrig
behavioral2/memory/4040-125-0x00007FF686BB0000-0x00007FF686F01000-memory.dmp	xmrig
behavioral2/memory/2036-124-0x00007FF6A91A0000-0x00007FF6A94F1000-memory.dmp	xmrig
behavioral2/memory/1276-123-0x00007FF7A6950000-0x00007FF7A6CA1000-memory.dmp	xmrig
behavioral2/memory/4304-119-0x00007FF7AFB60000-0x00007FF7AFEB1000-memory.dmp	xmrig
behavioral2/memory/4148-111-0x00007FF713120000-0x00007FF713471000-memory.dmp	xmrig
behavioral2/memory/4148-139-0x00007FF713120000-0x00007FF713471000-memory.dmp	xmrig
behavioral2/memory/2520-144-0x00007FF7B8130000-0x00007FF7B8481000-memory.dmp	xmrig
behavioral2/memory/3596-153-0x00007FF63C680000-0x00007FF63C9D1000-memory.dmp	xmrig
behavioral2/memory/3652-154-0x00007FF774DC0000-0x00007FF775111000-memory.dmp	xmrig
behavioral2/memory/4380-152-0x00007FF648B30000-0x00007FF648E81000-memory.dmp	xmrig
behavioral2/memory/1648-155-0x00007FF7F10A0000-0x00007FF7F13F1000-memory.dmp	xmrig
behavioral2/memory/2160-156-0x00007FF7780F0000-0x00007FF778441000-memory.dmp	xmrig
behavioral2/memory/1308-157-0x00007FF64BC80000-0x00007FF64BFD1000-memory.dmp	xmrig
behavioral2/memory/2532-158-0x00007FF730B90000-0x00007FF730EE1000-memory.dmp	xmrig
behavioral2/memory/1924-163-0x00007FF63F810000-0x00007FF63FB61000-memory.dmp	xmrig
behavioral2/memory/3360-164-0x00007FF707E30000-0x00007FF708181000-memory.dmp	xmrig
behavioral2/memory/4148-165-0x00007FF713120000-0x00007FF713471000-memory.dmp	xmrig
behavioral2/memory/4148-181-0x00007FF713120000-0x00007FF713471000-memory.dmp	xmrig
behavioral2/memory/4304-224-0x00007FF7AFB60000-0x00007FF7AFEB1000-memory.dmp	xmrig
behavioral2/memory/1276-226-0x00007FF7A6950000-0x00007FF7A6CA1000-memory.dmp	xmrig
behavioral2/memory/2036-228-0x00007FF6A91A0000-0x00007FF6A94F1000-memory.dmp	xmrig
behavioral2/memory/752-230-0x00007FF6ADF40000-0x00007FF6AE291000-memory.dmp	xmrig
behavioral2/memory/4040-234-0x00007FF686BB0000-0x00007FF686F01000-memory.dmp	xmrig
behavioral2/memory/3976-233-0x00007FF7165C0000-0x00007FF716911000-memory.dmp	xmrig
behavioral2/memory/4380-243-0x00007FF648B30000-0x00007FF648E81000-memory.dmp	xmrig
behavioral2/memory/2520-247-0x00007FF7B8130000-0x00007FF7B8481000-memory.dmp	xmrig
behavioral2/memory/748-250-0x00007FF750430000-0x00007FF750781000-memory.dmp	xmrig
behavioral2/memory/3596-252-0x00007FF63C680000-0x00007FF63C9D1000-memory.dmp	xmrig
behavioral2/memory/3652-254-0x00007FF774DC0000-0x00007FF775111000-memory.dmp	xmrig
behavioral2/memory/4572-248-0x00007FF760230000-0x00007FF760581000-memory.dmp	xmrig
behavioral2/memory/992-244-0x00007FF63F2B0000-0x00007FF63F601000-memory.dmp	xmrig
behavioral2/memory/3160-241-0x00007FF78FFF0000-0x00007FF790341000-memory.dmp	xmrig
behavioral2/memory/1592-239-0x00007FF703070000-0x00007FF7033C1000-memory.dmp	xmrig
behavioral2/memory/1648-262-0x00007FF7F10A0000-0x00007FF7F13F1000-memory.dmp	xmrig
behavioral2/memory/2160-264-0x00007FF7780F0000-0x00007FF778441000-memory.dmp	xmrig
behavioral2/memory/1308-266-0x00007FF64BC80000-0x00007FF64BFD1000-memory.dmp	xmrig
behavioral2/memory/2532-268-0x00007FF730B90000-0x00007FF730EE1000-memory.dmp	xmrig
behavioral2/memory/3360-271-0x00007FF707E30000-0x00007FF708181000-memory.dmp	xmrig
behavioral2/memory/1924-273-0x00007FF63F810000-0x00007FF63FB61000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4304	HywEfhf.exe
1276	sSHAKyk.exe
752	YhoGmbh.exe
2036	NygdaDQ.exe
2520	QLhiauQ.exe
3976	lxczfBz.exe
4040	APwqelW.exe
3160	rsQvwHi.exe
992	BVdtrnL.exe
748	XZEiQdm.exe
4572	TVRNQOs.exe
1592	wGNTDPs.exe
4380	lDcmzpS.exe
3596	wJiFjnU.exe
3652	bVChRKu.exe
1648	ZypOiLZ.exe
2160	otvBDLo.exe
1308	AvIIPgT.exe
2532	othHpqM.exe
1924	NiqFWZA.exe
3360	OATFONw.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4148-0-0x00007FF713120000-0x00007FF713471000-memory.dmp	upx
behavioral2/files/0x000c000000023b6e-5.dat	upx
behavioral2/memory/4304-6-0x00007FF7AFB60000-0x00007FF7AFEB1000-memory.dmp	upx
behavioral2/memory/1276-14-0x00007FF7A6950000-0x00007FF7A6CA1000-memory.dmp	upx
behavioral2/files/0x0007000000023c6a-29.dat	upx
behavioral2/files/0x0007000000023c69-28.dat	upx
behavioral2/files/0x0007000000023c68-34.dat	upx
behavioral2/memory/4040-48-0x00007FF686BB0000-0x00007FF686F01000-memory.dmp	upx
behavioral2/memory/748-57-0x00007FF750430000-0x00007FF750781000-memory.dmp	upx
behavioral2/memory/3160-67-0x00007FF78FFF0000-0x00007FF790341000-memory.dmp	upx
behavioral2/memory/4572-78-0x00007FF760230000-0x00007FF760581000-memory.dmp	upx
behavioral2/files/0x0007000000023c71-85.dat	upx
behavioral2/files/0x0007000000023c73-91.dat	upx
behavioral2/files/0x0007000000023c72-89.dat	upx
behavioral2/memory/3596-88-0x00007FF63C680000-0x00007FF63C9D1000-memory.dmp	upx
behavioral2/memory/3652-87-0x00007FF774DC0000-0x00007FF775111000-memory.dmp	upx
behavioral2/memory/4380-84-0x00007FF648B30000-0x00007FF648E81000-memory.dmp	upx
behavioral2/files/0x0007000000023c6e-81.dat	upx
behavioral2/memory/1592-79-0x00007FF703070000-0x00007FF7033C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c6d-71.dat	upx
behavioral2/files/0x0007000000023c6f-68.dat	upx
behavioral2/files/0x0007000000023c70-63.dat	upx
behavioral2/files/0x0007000000023c6c-59.dat	upx
behavioral2/memory/2520-58-0x00007FF7B8130000-0x00007FF7B8481000-memory.dmp	upx
behavioral2/memory/992-49-0x00007FF63F2B0000-0x00007FF63F601000-memory.dmp	upx
behavioral2/files/0x0007000000023c6b-52.dat	upx
behavioral2/memory/3976-41-0x00007FF7165C0000-0x00007FF716911000-memory.dmp	upx
behavioral2/memory/2036-40-0x00007FF6A91A0000-0x00007FF6A94F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c67-33.dat	upx
behavioral2/memory/752-25-0x00007FF6ADF40000-0x00007FF6AE291000-memory.dmp	upx
behavioral2/files/0x0007000000023c66-21.dat	upx
behavioral2/memory/1648-98-0x00007FF7F10A0000-0x00007FF7F13F1000-memory.dmp	upx
behavioral2/files/0x0008000000023c63-102.dat	upx
behavioral2/files/0x0007000000023c74-109.dat	upx
behavioral2/memory/1308-112-0x00007FF64BC80000-0x00007FF64BFD1000-memory.dmp	upx
behavioral2/files/0x0007000000023c77-120.dat	upx
behavioral2/memory/992-128-0x00007FF63F2B0000-0x00007FF63F601000-memory.dmp	upx
behavioral2/files/0x0007000000023c78-136.dat	upx
behavioral2/memory/4572-138-0x00007FF760230000-0x00007FF760581000-memory.dmp	upx
behavioral2/memory/3160-135-0x00007FF78FFF0000-0x00007FF790341000-memory.dmp	upx
behavioral2/memory/3360-134-0x00007FF707E30000-0x00007FF708181000-memory.dmp	upx
behavioral2/memory/3976-133-0x00007FF7165C0000-0x00007FF716911000-memory.dmp	upx
behavioral2/memory/752-132-0x00007FF6ADF40000-0x00007FF6AE291000-memory.dmp	upx
behavioral2/memory/1924-129-0x00007FF63F810000-0x00007FF63FB61000-memory.dmp	upx
behavioral2/memory/748-127-0x00007FF750430000-0x00007FF750781000-memory.dmp	upx
behavioral2/memory/4040-125-0x00007FF686BB0000-0x00007FF686F01000-memory.dmp	upx
behavioral2/memory/2036-124-0x00007FF6A91A0000-0x00007FF6A94F1000-memory.dmp	upx
behavioral2/memory/1276-123-0x00007FF7A6950000-0x00007FF7A6CA1000-memory.dmp	upx
behavioral2/memory/4304-119-0x00007FF7AFB60000-0x00007FF7AFEB1000-memory.dmp	upx
behavioral2/memory/2532-118-0x00007FF730B90000-0x00007FF730EE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c75-115.dat	upx
behavioral2/files/0x0007000000023c76-113.dat	upx
behavioral2/memory/4148-111-0x00007FF713120000-0x00007FF713471000-memory.dmp	upx
behavioral2/memory/2160-105-0x00007FF7780F0000-0x00007FF778441000-memory.dmp	upx
behavioral2/memory/4148-139-0x00007FF713120000-0x00007FF713471000-memory.dmp	upx
behavioral2/memory/2520-144-0x00007FF7B8130000-0x00007FF7B8481000-memory.dmp	upx
behavioral2/memory/3596-153-0x00007FF63C680000-0x00007FF63C9D1000-memory.dmp	upx
behavioral2/memory/3652-154-0x00007FF774DC0000-0x00007FF775111000-memory.dmp	upx
behavioral2/memory/4380-152-0x00007FF648B30000-0x00007FF648E81000-memory.dmp	upx
behavioral2/memory/1648-155-0x00007FF7F10A0000-0x00007FF7F13F1000-memory.dmp	upx
behavioral2/memory/2160-156-0x00007FF7780F0000-0x00007FF778441000-memory.dmp	upx
behavioral2/memory/1308-157-0x00007FF64BC80000-0x00007FF64BFD1000-memory.dmp	upx
behavioral2/memory/2532-158-0x00007FF730B90000-0x00007FF730EE1000-memory.dmp	upx
behavioral2/memory/1924-163-0x00007FF63F810000-0x00007FF63FB61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\HywEfhf.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YhoGmbh.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lxczfBz.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lDcmzpS.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bVChRKu.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BVdtrnL.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XZEiQdm.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TVRNQOs.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AvIIPgT.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OATFONw.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NygdaDQ.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\APwqelW.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wJiFjnU.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\otvBDLo.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sSHAKyk.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QLhiauQ.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rsQvwHi.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wGNTDPs.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZypOiLZ.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\othHpqM.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NiqFWZA.exe	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4304	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4148 wrote to memory of 4304	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4148 wrote to memory of 1276	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4148 wrote to memory of 1276	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4148 wrote to memory of 752	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4148 wrote to memory of 752	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4148 wrote to memory of 2036	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4148 wrote to memory of 2036	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4148 wrote to memory of 2520	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4148 wrote to memory of 2520	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4148 wrote to memory of 3976	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4148 wrote to memory of 3976	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4148 wrote to memory of 4040	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4148 wrote to memory of 4040	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4148 wrote to memory of 3160	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4148 wrote to memory of 3160	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4148 wrote to memory of 992	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4148 wrote to memory of 992	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4148 wrote to memory of 748	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4148 wrote to memory of 748	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4148 wrote to memory of 4572	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4148 wrote to memory of 4572	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4148 wrote to memory of 1592	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4148 wrote to memory of 1592	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4148 wrote to memory of 4380	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4148 wrote to memory of 4380	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4148 wrote to memory of 3596	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4148 wrote to memory of 3596	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4148 wrote to memory of 3652	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4148 wrote to memory of 3652	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4148 wrote to memory of 1648	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4148 wrote to memory of 1648	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4148 wrote to memory of 2160	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4148 wrote to memory of 2160	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4148 wrote to memory of 2532	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4148 wrote to memory of 2532	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4148 wrote to memory of 1308	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4148 wrote to memory of 1308	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4148 wrote to memory of 1924	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4148 wrote to memory of 1924	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4148 wrote to memory of 3360	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4148 wrote to memory of 3360	4148	2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_336d868ed5acc6b0421157ee0fd5d372_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\System\HywEfhf.exe
  C:\Windows\System\HywEfhf.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\sSHAKyk.exe
  C:\Windows\System\sSHAKyk.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System\YhoGmbh.exe
  C:\Windows\System\YhoGmbh.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System\NygdaDQ.exe
  C:\Windows\System\NygdaDQ.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\QLhiauQ.exe
  C:\Windows\System\QLhiauQ.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\lxczfBz.exe
  C:\Windows\System\lxczfBz.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\APwqelW.exe
  C:\Windows\System\APwqelW.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\rsQvwHi.exe
  C:\Windows\System\rsQvwHi.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System\BVdtrnL.exe
  C:\Windows\System\BVdtrnL.exe
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\System\XZEiQdm.exe
  C:\Windows\System\XZEiQdm.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System\TVRNQOs.exe
  C:\Windows\System\TVRNQOs.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\wGNTDPs.exe
  C:\Windows\System\wGNTDPs.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System\lDcmzpS.exe
  C:\Windows\System\lDcmzpS.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\wJiFjnU.exe
  C:\Windows\System\wJiFjnU.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\bVChRKu.exe
  C:\Windows\System\bVChRKu.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\ZypOiLZ.exe
  C:\Windows\System\ZypOiLZ.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\otvBDLo.exe
  C:\Windows\System\otvBDLo.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\othHpqM.exe
  C:\Windows\System\othHpqM.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\AvIIPgT.exe
  C:\Windows\System\AvIIPgT.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System\NiqFWZA.exe
  C:\Windows\System\NiqFWZA.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\OATFONw.exe
  C:\Windows\System\OATFONw.exe
  2⤵
  - Executes dropped EXE
  PID:3360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\APwqelW.exe

Filesize
5.2MB

MD5
bfc8bd195288ec4aeb02985afe4b12ca

SHA1
d694e87c5dddc3d09dd78ecda63e6a2c2e5eb818

SHA256
b2c824f91ba616b3ed48fb00bbe476755ec360a7339ab42b5bea2325d073170f

SHA512
cbea555b37319ca4bdec5434e0ce33c038b4122c6ed8a60c8185675630c108fd2aeca5bd2835d7006cfd19cb20c768fb7da8b61b0586c94bfbbc435efb45540a

Download Submit
C:\Windows\System\AvIIPgT.exe

Filesize
5.2MB

MD5
0a8823a08013534814bdc5f1021db587

SHA1
3b49dff82f91d59e1359890deeb6accde2edefd0

SHA256
b24283c5b284d4aefdeffea7f9b511d032c7b65099422cf84fadd5d7008fe782

SHA512
1f12cae24c3a084a7548355df116dbfd5e5832d8f96b906eaa000d4fe178cbbf0d9573c9095934584a8240066836b9904c0fdf71e6441b739770eb8fd9680dea

Download Submit
C:\Windows\System\BVdtrnL.exe

Filesize
5.2MB

MD5
dc3cb6e72e562bc02596cd5110403c48

SHA1
b8f866b89a194d97fd895d47e85aaf9e26eb719f

SHA256
3f03eb48f27ae36a4ea0e27bb75b18d038ffe2d4c5eb2fe76b983d0442d14277

SHA512
27860ffa4adecc09112c8c1b852a0bd083ddfd961b32b15ae9943041eca6f26383b40b2978d47c68e63f35bf8d2c8f493b402e643eb7b45bb3d63dc576ca5190

Download Submit
C:\Windows\System\HywEfhf.exe

Filesize
5.2MB

MD5
a04980bc140fa477da43abf0820e4cce

SHA1
04f28e1573f007fa131e985b269c0af98149e1de

SHA256
4c7a29c18da533cb67071726bf8c0026a9287837103771929779f84f38f1a7ca

SHA512
604178840fb836315b566812fa2a74b896b880049b7487ff9966567f2fa1331cb3a76fe0f5c6ef576a695a2a81d47d00d4174452d1a914e9fb3423486a4f141c

Download Submit
C:\Windows\System\NiqFWZA.exe

Filesize
5.2MB

MD5
4aeca4c5e6f99c82f046ec3c9b469341

SHA1
142cbd5f3f4ffc98ddcf8315250fa8d3b6a44525

SHA256
67da4ad2042cc2e7fe4214bcdae952e75629d2eda2166333152254d6a5da7a1b

SHA512
ff9ad82b662743f176f24d83e0393d9c81a1fa9352257779688e0f3e6f2c35d9ffd9ebc7e0d3b46224f74e56635951874872c00c23bb8fcd1ae7d6d0f3e11012

Download Submit
C:\Windows\System\NygdaDQ.exe

Filesize
5.2MB

MD5
af3182631b6087c0a406043ee530e748

SHA1
1e8a3188609b47c608abf122bbed7cec949ec664

SHA256
839f80a2c6507fe1ede4fd672f5a0305129223f96a43fd76c8f848f86f7e8d4d

SHA512
a4bbcbb31c5caf13c1d133d54dcea4b735f10a7004c1e1ca2185fe159d1541291fbcd32cca3dbdff20d8083dbea0e2bc51fb9bda2366d8a7456f8af50dc0b99e

Download Submit
C:\Windows\System\OATFONw.exe

Filesize
5.2MB

MD5
f84b23f285daee06bc41cb6e0f7fa029

SHA1
bb0d3b986e4aef79b47fc03826400c77ee7cf368

SHA256
7a6d3c157c3f3fba025532941c66952c614c0f2e52347f2ae5ad67dabb80eb9c

SHA512
ef2e973b6fc8b1d697dd33f1d6ed910630eab270e22174025064af5e8679c4d2a33955970acc123216aef5817f636201a39366750d8a2b4bbc40f02074581620

Download Submit
C:\Windows\System\QLhiauQ.exe

Filesize
5.2MB

MD5
b35073b81dd773f3fec7b09cb00d55cc

SHA1
4f428e441bbd47cbe981f3a13530fa313f64e6bf

SHA256
e4cbf9dfaf3ef69ee4669ee16307ba813458b4c6e91039ea390d87955eb46d3d

SHA512
ecc376300620f7f1c1ccc58d1712961e053e0254184292e6413c7ba24e65b7bf575963ad2ecefe54fa4abb4794c07350e71414af3cc5f2a37fb70ac70caaeb01

Download Submit
C:\Windows\System\TVRNQOs.exe

Filesize
5.2MB

MD5
ef986c790ad14f22f2eb1e27ff597550

SHA1
9da1adf612d880f4646224078cb8cacf00530bef

SHA256
3b023fa137c5d25dc621f82b02043b09b50cf6d29c391b8ff8a7c2b9540f4db3

SHA512
c1e06b945b73c50ef32ff8546dca51e6f95622c4d63e3036f15525f7ff21dbebbe57c1649eaf799ee9b5bef9dfe9be512e13454c07baae2d5b257f20f884727e

Download Submit
C:\Windows\System\XZEiQdm.exe

Filesize
5.2MB

MD5
bc5f638af681fa9c06de75004221943f

SHA1
6138d8ead862e949ea782af4624b4dda8faaa91c

SHA256
188873a2a1f87e2e3f25b5ad8fd46602dbec94544a2bd5e8abf63e22a9a8bd60

SHA512
504481b669d46408f6f090d96a0252449f105ad291b1a5c3baef0a30457fcd83f98590326791afc2054d77500a79fae5642939c378f5f3e36f1e11ddba62e605

Download Submit
C:\Windows\System\YhoGmbh.exe

Filesize
5.2MB

MD5
84a657b1f5412eb663388440d084c5ab

SHA1
0a812dd5870437138c910d192c498bf722329f6f

SHA256
31b922cdedcbf826c8a67a7e856c278939c82e4eb6acde2902e798f38d01485b

SHA512
978f90cdcc99c6dca0aa1b5c5e4c21f930262ae2c418db057489876ea672cc86cee315ef6875a8fb26c130700a5ea9d1862418b7a6c0c88a29d59440fb88b079

Download Submit
C:\Windows\System\ZypOiLZ.exe

Filesize
5.2MB

MD5
3b2e3e6771f38c4dcc208cd0ecf404da

SHA1
30216766d62299632273632def4137e53e016b18

SHA256
28b7b7f7989f33d90c4405a40a3d67adf1abe2be12935a1a9f2fb0026eaea74b

SHA512
b43101212d8cee67d88b1e44dc9dc194393340d003e61e708c196a9234769f2c68071c2f7c1d7cce89c075eec928a6aa8300fbc54d57eaaccbbfc14a6b6e9e46

Download Submit
C:\Windows\System\bVChRKu.exe

Filesize
5.2MB

MD5
ed199bb59ed8da7476827287e05acff9

SHA1
b109e9e5497beaf2f026b7147400af23e344f44a

SHA256
b73b132b9ec4ea82d0ef99c30280200b76d35d59728ad59fd05589bb485d5c3d

SHA512
45ea0e888622b28a3056d0298f13bc8b09948dee1cbdf46d297df41e504f5a425fb2df28cecf9cd88bbbbacf68060734f358e3879801703d9464fe20e8d22427

Download Submit
C:\Windows\System\lDcmzpS.exe

Filesize
5.2MB

MD5
2b111ae1dce9d58d3a0801392b81d1ed

SHA1
9609e80b1c324ecd4afb1e10038f3cb9adec1240

SHA256
16d25208c95f59b8b6856a4b12e740e0a6e79de8b4c05f307e607a00c863baa1

SHA512
25cd95ddde5e3ea05e4675f2c9a40d75094cf2a325ad4f199e2b0cd1fe0e3572e3a41579c3adc434c46addd98c79307c6f4b14d1b28578ed25162e8a349ac132

Download Submit
C:\Windows\System\lxczfBz.exe

Filesize
5.2MB

MD5
bf8add78e5a7d8ab021c3d5456932a0b

SHA1
97542a0d7398764b05c08ffb077b4aef87528cc0

SHA256
77ca5434aced58fefa24643431c4873c9f77e5fe7a97acc1335583cb21772479

SHA512
0aead04750bcd3d672ef54eba1b3a01f5c4148f57635c5ff3c7f73b29f94e7bf7a76b65b6a43625d16a032e2aff38b33f795d6757582bdc0f7b736f3eb7e6556

Download Submit
C:\Windows\System\othHpqM.exe

Filesize
5.2MB

MD5
016993d49bebb12124ed8cfbc694dc01

SHA1
4350f72567aa430805b543a4cfe89908b629a864

SHA256
c0bb71bcd81ab536667bec4f3ed98128ccde52951732bab7f9a7693736c353d5

SHA512
cc6609a7de0bd58dcf5e9a39c890870883a2939b4238258bdb5aa262bc95f88802f07d00a65c3af48ab193da71b41913ebc7e025ad34a1c698ed479803e53d60

Download Submit
C:\Windows\System\otvBDLo.exe

Filesize
5.2MB

MD5
2c7a5baa7ba94e0172f75892bff1541f

SHA1
1d1cc83a375d95ce8eaabd8fdd401f5827c48206

SHA256
2da81ba510ee6fdf50e2beded8514a05cf798368539ea410a1f06eded3e50c41

SHA512
70606f793bd84032b9ae6edee33fe96f3361d4d10e2543dd37b685a369a9892d041e4bd238311f6d558d54dc67707d6265b00c2123091c22aa3a6fe964beff23

Download Submit
C:\Windows\System\rsQvwHi.exe

Filesize
5.2MB

MD5
ef36742f7b7842b3ea37ff1b378f985a

SHA1
884a816a93152bc8f080060d42b8ba37d3fde2d6

SHA256
33dfe985b4da0965e4ae6857e04c87f602f3ea99f6fe06d1451dec0f82802d87

SHA512
dc1fc2b8e6f108c9d2ff38755fae7dd1acb527f5daf5bbdff1dab0dced18f3fe9d00e25be3432e0ef61d03bf35a264f3d4c6bde10ca09f5cb54b76a9173f15ef

Download Submit
C:\Windows\System\sSHAKyk.exe

Filesize
5.2MB

MD5
a0f1e24d77d44ae0f92e984d3312b988

SHA1
9db38456618500a528c7d28549109ad92a1fd3c6

SHA256
7fafbe5f321b9e615897f89b6ca68a684eb0764a5995a12a73f4a2a73ad9c039

SHA512
a71c816f975904a619b6d7246f3b99e2adf598b9718457ded0905d1aa03fa637ebb77001cf742139a8c2d5907ecefec5e62dfd9d780fc88f2c201945dda40731

Download Submit
C:\Windows\System\wGNTDPs.exe

Filesize
5.2MB

MD5
c5f384ccd0724200f4289048e96659fd

SHA1
e130737f915af1943131ae449ba59bbf7d9645e3

SHA256
cdd175a0cd06033e687d9448e7b99e7935a2ffec0950602d266ff694dd59560f

SHA512
5cd7873dbca00d006fe6faf8a7b2b43e7227092b411c74493f557093c6114e1ddd4d924a16588bbdd26714477c2e26ccb31988b80aa9d69a3b3f21718eeab94a

Download Submit
C:\Windows\System\wJiFjnU.exe

Filesize
5.2MB

MD5
e0111d5817253bda938ea0ec53df8b99

SHA1
6c11125c6d334a370a628afa64d59ebacffc67ba

SHA256
2168337183b702f8a553bf4beca84040a3f4803a147b134308b42ba2b7c9a1fa

SHA512
77682eb4634221fe13e19751254dadd88f53dd7e66f8a2d5aa9de8fccd05c968c0a0bc6143cf6b03b6d10eb578bdb445a11c7975fb1e94162629b86c5a34fbf6

Download Submit
memory/748-57-0x00007FF750430000-0x00007FF750781000-memory.dmp

Filesize
3.3MB

Download
memory/748-127-0x00007FF750430000-0x00007FF750781000-memory.dmp

Filesize
3.3MB

Download
memory/748-250-0x00007FF750430000-0x00007FF750781000-memory.dmp

Filesize
3.3MB

Download
memory/752-132-0x00007FF6ADF40000-0x00007FF6AE291000-memory.dmp

Filesize
3.3MB

Download
memory/752-25-0x00007FF6ADF40000-0x00007FF6AE291000-memory.dmp

Filesize
3.3MB

Download
memory/752-230-0x00007FF6ADF40000-0x00007FF6AE291000-memory.dmp

Filesize
3.3MB

Download
memory/992-244-0x00007FF63F2B0000-0x00007FF63F601000-memory.dmp

Filesize
3.3MB

Download
memory/992-128-0x00007FF63F2B0000-0x00007FF63F601000-memory.dmp

Filesize
3.3MB

Download
memory/992-49-0x00007FF63F2B0000-0x00007FF63F601000-memory.dmp

Filesize
3.3MB

Download
memory/1276-226-0x00007FF7A6950000-0x00007FF7A6CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-123-0x00007FF7A6950000-0x00007FF7A6CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-14-0x00007FF7A6950000-0x00007FF7A6CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1308-266-0x00007FF64BC80000-0x00007FF64BFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1308-112-0x00007FF64BC80000-0x00007FF64BFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1308-157-0x00007FF64BC80000-0x00007FF64BFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1592-79-0x00007FF703070000-0x00007FF7033C1000-memory.dmp

Filesize
3.3MB

Download
memory/1592-239-0x00007FF703070000-0x00007FF7033C1000-memory.dmp

Filesize
3.3MB

Download
memory/1648-98-0x00007FF7F10A0000-0x00007FF7F13F1000-memory.dmp

Filesize
3.3MB

Download
memory/1648-155-0x00007FF7F10A0000-0x00007FF7F13F1000-memory.dmp

Filesize
3.3MB

Download
memory/1648-262-0x00007FF7F10A0000-0x00007FF7F13F1000-memory.dmp

Filesize
3.3MB

Download
memory/1924-163-0x00007FF63F810000-0x00007FF63FB61000-memory.dmp

Filesize
3.3MB

Download
memory/1924-273-0x00007FF63F810000-0x00007FF63FB61000-memory.dmp

Filesize
3.3MB

Download
memory/1924-129-0x00007FF63F810000-0x00007FF63FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2036-228-0x00007FF6A91A0000-0x00007FF6A94F1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-124-0x00007FF6A91A0000-0x00007FF6A94F1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-40-0x00007FF6A91A0000-0x00007FF6A94F1000-memory.dmp

Filesize
3.3MB

Download
memory/2160-156-0x00007FF7780F0000-0x00007FF778441000-memory.dmp

Filesize
3.3MB

Download
memory/2160-264-0x00007FF7780F0000-0x00007FF778441000-memory.dmp

Filesize
3.3MB

Download
memory/2160-105-0x00007FF7780F0000-0x00007FF778441000-memory.dmp

Filesize
3.3MB

Download
memory/2520-144-0x00007FF7B8130000-0x00007FF7B8481000-memory.dmp

Filesize
3.3MB

Download
memory/2520-247-0x00007FF7B8130000-0x00007FF7B8481000-memory.dmp

Filesize
3.3MB

Download
memory/2520-58-0x00007FF7B8130000-0x00007FF7B8481000-memory.dmp

Filesize
3.3MB

Download
memory/2532-118-0x00007FF730B90000-0x00007FF730EE1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-158-0x00007FF730B90000-0x00007FF730EE1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-268-0x00007FF730B90000-0x00007FF730EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3160-135-0x00007FF78FFF0000-0x00007FF790341000-memory.dmp

Filesize
3.3MB

Download
memory/3160-67-0x00007FF78FFF0000-0x00007FF790341000-memory.dmp

Filesize
3.3MB

Download
memory/3160-241-0x00007FF78FFF0000-0x00007FF790341000-memory.dmp

Filesize
3.3MB

Download
memory/3360-271-0x00007FF707E30000-0x00007FF708181000-memory.dmp

Filesize
3.3MB

Download
memory/3360-164-0x00007FF707E30000-0x00007FF708181000-memory.dmp

Filesize
3.3MB

Download
memory/3360-134-0x00007FF707E30000-0x00007FF708181000-memory.dmp

Filesize
3.3MB

Download
memory/3596-153-0x00007FF63C680000-0x00007FF63C9D1000-memory.dmp

Filesize
3.3MB

Download
memory/3596-88-0x00007FF63C680000-0x00007FF63C9D1000-memory.dmp

Filesize
3.3MB

Download
memory/3596-252-0x00007FF63C680000-0x00007FF63C9D1000-memory.dmp

Filesize
3.3MB

Download
memory/3652-154-0x00007FF774DC0000-0x00007FF775111000-memory.dmp

Filesize
3.3MB

Download
memory/3652-87-0x00007FF774DC0000-0x00007FF775111000-memory.dmp

Filesize
3.3MB

Download
memory/3652-254-0x00007FF774DC0000-0x00007FF775111000-memory.dmp

Filesize
3.3MB

Download
memory/3976-41-0x00007FF7165C0000-0x00007FF716911000-memory.dmp

Filesize
3.3MB

Download
memory/3976-133-0x00007FF7165C0000-0x00007FF716911000-memory.dmp

Filesize
3.3MB

Download
memory/3976-233-0x00007FF7165C0000-0x00007FF716911000-memory.dmp

Filesize
3.3MB

Download
memory/4040-125-0x00007FF686BB0000-0x00007FF686F01000-memory.dmp

Filesize
3.3MB

Download
memory/4040-48-0x00007FF686BB0000-0x00007FF686F01000-memory.dmp

Filesize
3.3MB

Download
memory/4040-234-0x00007FF686BB0000-0x00007FF686F01000-memory.dmp

Filesize
3.3MB

Download
memory/4148-111-0x00007FF713120000-0x00007FF713471000-memory.dmp

Filesize
3.3MB

Download
memory/4148-0-0x00007FF713120000-0x00007FF713471000-memory.dmp

Filesize
3.3MB

Download
memory/4148-1-0x000001BA71220000-0x000001BA71230000-memory.dmp

Filesize
64KB

Download
memory/4148-139-0x00007FF713120000-0x00007FF713471000-memory.dmp

Filesize
3.3MB

Download
memory/4148-165-0x00007FF713120000-0x00007FF713471000-memory.dmp

Filesize
3.3MB

Download
memory/4148-181-0x00007FF713120000-0x00007FF713471000-memory.dmp

Filesize
3.3MB

Download
memory/4304-6-0x00007FF7AFB60000-0x00007FF7AFEB1000-memory.dmp

Filesize
3.3MB

Download
memory/4304-224-0x00007FF7AFB60000-0x00007FF7AFEB1000-memory.dmp

Filesize
3.3MB

Download
memory/4304-119-0x00007FF7AFB60000-0x00007FF7AFEB1000-memory.dmp

Filesize
3.3MB

Download
memory/4380-152-0x00007FF648B30000-0x00007FF648E81000-memory.dmp

Filesize
3.3MB

Download
memory/4380-243-0x00007FF648B30000-0x00007FF648E81000-memory.dmp

Filesize
3.3MB

Download
memory/4380-84-0x00007FF648B30000-0x00007FF648E81000-memory.dmp

Filesize
3.3MB

Download
memory/4572-138-0x00007FF760230000-0x00007FF760581000-memory.dmp

Filesize
3.3MB

Download
memory/4572-78-0x00007FF760230000-0x00007FF760581000-memory.dmp

Filesize
3.3MB

Download
memory/4572-248-0x00007FF760230000-0x00007FF760581000-memory.dmp

Filesize
3.3MB

Download