cobaltstrike | 91b432ce33ddad84e3a8f96f81862f9e4d2fe875c5d8eabb18cc9132b5365cf3

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5af3a36508fad3ef0d0c4abd884f0899
SHA1

07ddcf3a0ec3e503ad6a414e959c70538db43907
SHA256

91b432ce33ddad84e3a8f96f81862f9e4d2fe875c5d8eabb18cc9132b5365cf3
SHA512

839c0a8b82dbd4ed36accb51b027770e09b834344b9ec4f0be9e417dceb953b2f1d39b64b2549e8094f15741b96b0f4ff98036ed636a2978a8c78694ea35395b
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lG:RWWBibf56utgpPFotBER/mQ32lUy

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b84-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-13.dat	cobalt_reflective_dll
behavioral2/files/0x000600000001e4df-23.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001e4e1-28.dat	cobalt_reflective_dll
behavioral2/files/0x000300000001e5b2-35.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b85-49.dat	cobalt_reflective_dll
behavioral2/files/0x000300000001e5b5-55.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-78.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-84.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9b-109.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ba9-115.dat	cobalt_reflective_dll
behavioral2/files/0x0012000000023ba7-112.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-104.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b91-98.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-94.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8f-89.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-68.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-64.dat	cobalt_reflective_dll
behavioral2/files/0x000300000001e5b3-53.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2304-62-0x00007FF720790000-0x00007FF720AE1000-memory.dmp	xmrig
behavioral2/memory/3040-117-0x00007FF6C9EB0000-0x00007FF6CA201000-memory.dmp	xmrig
behavioral2/memory/552-118-0x00007FF692520000-0x00007FF692871000-memory.dmp	xmrig
behavioral2/memory/1800-119-0x00007FF6A6AD0000-0x00007FF6A6E21000-memory.dmp	xmrig
behavioral2/memory/540-120-0x00007FF706DE0000-0x00007FF707131000-memory.dmp	xmrig
behavioral2/memory/3592-121-0x00007FF68EC70000-0x00007FF68EFC1000-memory.dmp	xmrig
behavioral2/memory/4724-122-0x00007FF622C50000-0x00007FF622FA1000-memory.dmp	xmrig
behavioral2/memory/4252-123-0x00007FF6ABCE0000-0x00007FF6AC031000-memory.dmp	xmrig
behavioral2/memory/5068-124-0x00007FF68BD50000-0x00007FF68C0A1000-memory.dmp	xmrig
behavioral2/memory/3160-125-0x00007FF75E390000-0x00007FF75E6E1000-memory.dmp	xmrig
behavioral2/memory/5012-126-0x00007FF68A8D0000-0x00007FF68AC21000-memory.dmp	xmrig
behavioral2/memory/1632-129-0x00007FF684440000-0x00007FF684791000-memory.dmp	xmrig
behavioral2/memory/4940-128-0x00007FF6AD760000-0x00007FF6ADAB1000-memory.dmp	xmrig
behavioral2/memory/880-130-0x00007FF6820F0000-0x00007FF682441000-memory.dmp	xmrig
behavioral2/memory/2516-127-0x00007FF6189B0000-0x00007FF618D01000-memory.dmp	xmrig
behavioral2/memory/2304-131-0x00007FF720790000-0x00007FF720AE1000-memory.dmp	xmrig
behavioral2/memory/4164-134-0x00007FF6D0890000-0x00007FF6D0BE1000-memory.dmp	xmrig
behavioral2/memory/2764-137-0x00007FF7A56E0000-0x00007FF7A5A31000-memory.dmp	xmrig
behavioral2/memory/3460-140-0x00007FF6B5120000-0x00007FF6B5471000-memory.dmp	xmrig
behavioral2/memory/2812-138-0x00007FF749E20000-0x00007FF74A171000-memory.dmp	xmrig
behavioral2/memory/2640-136-0x00007FF65BC20000-0x00007FF65BF71000-memory.dmp	xmrig
behavioral2/memory/1204-135-0x00007FF7EAF10000-0x00007FF7EB261000-memory.dmp	xmrig
behavioral2/memory/1920-139-0x00007FF6A2E90000-0x00007FF6A31E1000-memory.dmp	xmrig
behavioral2/memory/2304-153-0x00007FF720790000-0x00007FF720AE1000-memory.dmp	xmrig
behavioral2/memory/4940-205-0x00007FF6AD760000-0x00007FF6ADAB1000-memory.dmp	xmrig
behavioral2/memory/880-207-0x00007FF6820F0000-0x00007FF682441000-memory.dmp	xmrig
behavioral2/memory/4164-209-0x00007FF6D0890000-0x00007FF6D0BE1000-memory.dmp	xmrig
behavioral2/memory/1204-211-0x00007FF7EAF10000-0x00007FF7EB261000-memory.dmp	xmrig
behavioral2/memory/2640-224-0x00007FF65BC20000-0x00007FF65BF71000-memory.dmp	xmrig
behavioral2/memory/2764-226-0x00007FF7A56E0000-0x00007FF7A5A31000-memory.dmp	xmrig
behavioral2/memory/1920-230-0x00007FF6A2E90000-0x00007FF6A31E1000-memory.dmp	xmrig
behavioral2/memory/2812-229-0x00007FF749E20000-0x00007FF74A171000-memory.dmp	xmrig
behavioral2/memory/3460-232-0x00007FF6B5120000-0x00007FF6B5471000-memory.dmp	xmrig
behavioral2/memory/3040-234-0x00007FF6C9EB0000-0x00007FF6CA201000-memory.dmp	xmrig
behavioral2/memory/1632-236-0x00007FF684440000-0x00007FF684791000-memory.dmp	xmrig
behavioral2/memory/552-248-0x00007FF692520000-0x00007FF692871000-memory.dmp	xmrig
behavioral2/memory/4724-250-0x00007FF622C50000-0x00007FF622FA1000-memory.dmp	xmrig
behavioral2/memory/4252-252-0x00007FF6ABCE0000-0x00007FF6AC031000-memory.dmp	xmrig
behavioral2/memory/5012-258-0x00007FF68A8D0000-0x00007FF68AC21000-memory.dmp	xmrig
behavioral2/memory/2516-260-0x00007FF6189B0000-0x00007FF618D01000-memory.dmp	xmrig
behavioral2/memory/5068-256-0x00007FF68BD50000-0x00007FF68C0A1000-memory.dmp	xmrig
behavioral2/memory/3160-254-0x00007FF75E390000-0x00007FF75E6E1000-memory.dmp	xmrig
behavioral2/memory/1800-246-0x00007FF6A6AD0000-0x00007FF6A6E21000-memory.dmp	xmrig
behavioral2/memory/540-245-0x00007FF706DE0000-0x00007FF707131000-memory.dmp	xmrig
behavioral2/memory/3592-242-0x00007FF68EC70000-0x00007FF68EFC1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4940	hHGIIZU.exe
880	OmWPHJA.exe
4164	KSNmlmn.exe
1204	HTSMNeJ.exe
2640	poxdixc.exe
2764	wrAEOVH.exe
2812	mVHqMCv.exe
1920	NHFjKGG.exe
3460	JUKhXST.exe
3040	sYscjRd.exe
1632	WEXquXl.exe
552	fVSCLCc.exe
1800	nnuvywx.exe
540	gtPGpSF.exe
3592	izsxXCO.exe
4724	bwAFgXQ.exe
4252	YgFIUCd.exe
5068	XAsDrxk.exe
3160	bhHvRxE.exe
5012	gLjyQhC.exe
2516	OcYDFSv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2304-0-0x00007FF720790000-0x00007FF720AE1000-memory.dmp	upx
behavioral2/files/0x000b000000023b84-5.dat	upx
behavioral2/memory/4940-6-0x00007FF6AD760000-0x00007FF6ADAB1000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-10.dat	upx
behavioral2/files/0x000a000000023b88-13.dat	upx
behavioral2/memory/880-12-0x00007FF6820F0000-0x00007FF682441000-memory.dmp	upx
behavioral2/memory/4164-20-0x00007FF6D0890000-0x00007FF6D0BE1000-memory.dmp	upx
behavioral2/files/0x000600000001e4df-23.dat	upx
behavioral2/files/0x000400000001e4e1-28.dat	upx
behavioral2/memory/2640-30-0x00007FF65BC20000-0x00007FF65BF71000-memory.dmp	upx
behavioral2/files/0x000300000001e5b2-35.dat	upx
behavioral2/memory/2764-36-0x00007FF7A56E0000-0x00007FF7A5A31000-memory.dmp	upx
behavioral2/memory/1204-24-0x00007FF7EAF10000-0x00007FF7EB261000-memory.dmp	upx
behavioral2/files/0x000b000000023b85-49.dat	upx
behavioral2/memory/3460-50-0x00007FF6B5120000-0x00007FF6B5471000-memory.dmp	upx
behavioral2/files/0x000300000001e5b5-55.dat	upx
behavioral2/files/0x000a000000023b8c-70.dat	upx
behavioral2/files/0x000a000000023b8d-78.dat	upx
behavioral2/files/0x000a000000023b8e-84.dat	upx
behavioral2/files/0x000b000000023b9b-109.dat	upx
behavioral2/files/0x0008000000023ba9-115.dat	upx
behavioral2/files/0x0012000000023ba7-112.dat	upx
behavioral2/files/0x000a000000023b99-104.dat	upx
behavioral2/files/0x000c000000023b91-98.dat	upx
behavioral2/files/0x000a000000023b90-94.dat	upx
behavioral2/files/0x000b000000023b8f-89.dat	upx
behavioral2/files/0x000a000000023b8b-68.dat	upx
behavioral2/files/0x000a000000023b8a-64.dat	upx
behavioral2/memory/2304-62-0x00007FF720790000-0x00007FF720AE1000-memory.dmp	upx
behavioral2/files/0x000300000001e5b3-53.dat	upx
behavioral2/memory/1920-46-0x00007FF6A2E90000-0x00007FF6A31E1000-memory.dmp	upx
behavioral2/memory/2812-45-0x00007FF749E20000-0x00007FF74A171000-memory.dmp	upx
behavioral2/memory/3040-117-0x00007FF6C9EB0000-0x00007FF6CA201000-memory.dmp	upx
behavioral2/memory/552-118-0x00007FF692520000-0x00007FF692871000-memory.dmp	upx
behavioral2/memory/1800-119-0x00007FF6A6AD0000-0x00007FF6A6E21000-memory.dmp	upx
behavioral2/memory/540-120-0x00007FF706DE0000-0x00007FF707131000-memory.dmp	upx
behavioral2/memory/3592-121-0x00007FF68EC70000-0x00007FF68EFC1000-memory.dmp	upx
behavioral2/memory/4724-122-0x00007FF622C50000-0x00007FF622FA1000-memory.dmp	upx
behavioral2/memory/4252-123-0x00007FF6ABCE0000-0x00007FF6AC031000-memory.dmp	upx
behavioral2/memory/5068-124-0x00007FF68BD50000-0x00007FF68C0A1000-memory.dmp	upx
behavioral2/memory/3160-125-0x00007FF75E390000-0x00007FF75E6E1000-memory.dmp	upx
behavioral2/memory/5012-126-0x00007FF68A8D0000-0x00007FF68AC21000-memory.dmp	upx
behavioral2/memory/1632-129-0x00007FF684440000-0x00007FF684791000-memory.dmp	upx
behavioral2/memory/4940-128-0x00007FF6AD760000-0x00007FF6ADAB1000-memory.dmp	upx
behavioral2/memory/880-130-0x00007FF6820F0000-0x00007FF682441000-memory.dmp	upx
behavioral2/memory/2516-127-0x00007FF6189B0000-0x00007FF618D01000-memory.dmp	upx
behavioral2/memory/2304-131-0x00007FF720790000-0x00007FF720AE1000-memory.dmp	upx
behavioral2/memory/4164-134-0x00007FF6D0890000-0x00007FF6D0BE1000-memory.dmp	upx
behavioral2/memory/2764-137-0x00007FF7A56E0000-0x00007FF7A5A31000-memory.dmp	upx
behavioral2/memory/3460-140-0x00007FF6B5120000-0x00007FF6B5471000-memory.dmp	upx
behavioral2/memory/2812-138-0x00007FF749E20000-0x00007FF74A171000-memory.dmp	upx
behavioral2/memory/2640-136-0x00007FF65BC20000-0x00007FF65BF71000-memory.dmp	upx
behavioral2/memory/1204-135-0x00007FF7EAF10000-0x00007FF7EB261000-memory.dmp	upx
behavioral2/memory/1920-139-0x00007FF6A2E90000-0x00007FF6A31E1000-memory.dmp	upx
behavioral2/memory/2304-153-0x00007FF720790000-0x00007FF720AE1000-memory.dmp	upx
behavioral2/memory/4940-205-0x00007FF6AD760000-0x00007FF6ADAB1000-memory.dmp	upx
behavioral2/memory/880-207-0x00007FF6820F0000-0x00007FF682441000-memory.dmp	upx
behavioral2/memory/4164-209-0x00007FF6D0890000-0x00007FF6D0BE1000-memory.dmp	upx
behavioral2/memory/1204-211-0x00007FF7EAF10000-0x00007FF7EB261000-memory.dmp	upx
behavioral2/memory/2640-224-0x00007FF65BC20000-0x00007FF65BF71000-memory.dmp	upx
behavioral2/memory/2764-226-0x00007FF7A56E0000-0x00007FF7A5A31000-memory.dmp	upx
behavioral2/memory/1920-230-0x00007FF6A2E90000-0x00007FF6A31E1000-memory.dmp	upx
behavioral2/memory/2812-229-0x00007FF749E20000-0x00007FF74A171000-memory.dmp	upx
behavioral2/memory/3460-232-0x00007FF6B5120000-0x00007FF6B5471000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\OmWPHJA.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NHFjKGG.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sYscjRd.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gtPGpSF.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JUKhXST.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nnuvywx.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\izsxXCO.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gLjyQhC.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XAsDrxk.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hHGIIZU.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KSNmlmn.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HTSMNeJ.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wrAEOVH.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mVHqMCv.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WEXquXl.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fVSCLCc.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\poxdixc.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bwAFgXQ.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YgFIUCd.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bhHvRxE.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OcYDFSv.exe	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 4940	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2304 wrote to memory of 4940	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2304 wrote to memory of 880	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2304 wrote to memory of 880	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2304 wrote to memory of 4164	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2304 wrote to memory of 4164	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2304 wrote to memory of 1204	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2304 wrote to memory of 1204	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2304 wrote to memory of 2640	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2304 wrote to memory of 2640	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2304 wrote to memory of 2764	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2304 wrote to memory of 2764	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2304 wrote to memory of 2812	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2304 wrote to memory of 2812	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2304 wrote to memory of 1920	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2304 wrote to memory of 1920	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2304 wrote to memory of 3460	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2304 wrote to memory of 3460	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2304 wrote to memory of 3040	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2304 wrote to memory of 3040	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2304 wrote to memory of 1632	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2304 wrote to memory of 1632	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2304 wrote to memory of 552	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2304 wrote to memory of 552	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2304 wrote to memory of 1800	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2304 wrote to memory of 1800	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2304 wrote to memory of 540	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2304 wrote to memory of 540	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2304 wrote to memory of 3592	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2304 wrote to memory of 3592	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2304 wrote to memory of 4724	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2304 wrote to memory of 4724	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2304 wrote to memory of 4252	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2304 wrote to memory of 4252	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2304 wrote to memory of 5068	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2304 wrote to memory of 5068	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2304 wrote to memory of 3160	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2304 wrote to memory of 3160	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2304 wrote to memory of 5012	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2304 wrote to memory of 5012	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2304 wrote to memory of 2516	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2304 wrote to memory of 2516	2304	2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_5af3a36508fad3ef0d0c4abd884f0899_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\System\hHGIIZU.exe
  C:\Windows\System\hHGIIZU.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\OmWPHJA.exe
  C:\Windows\System\OmWPHJA.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System\KSNmlmn.exe
  C:\Windows\System\KSNmlmn.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System\HTSMNeJ.exe
  C:\Windows\System\HTSMNeJ.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System\poxdixc.exe
  C:\Windows\System\poxdixc.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\wrAEOVH.exe
  C:\Windows\System\wrAEOVH.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\mVHqMCv.exe
  C:\Windows\System\mVHqMCv.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\NHFjKGG.exe
  C:\Windows\System\NHFjKGG.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\JUKhXST.exe
  C:\Windows\System\JUKhXST.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\sYscjRd.exe
  C:\Windows\System\sYscjRd.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\WEXquXl.exe
  C:\Windows\System\WEXquXl.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\fVSCLCc.exe
  C:\Windows\System\fVSCLCc.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\nnuvywx.exe
  C:\Windows\System\nnuvywx.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\gtPGpSF.exe
  C:\Windows\System\gtPGpSF.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System\izsxXCO.exe
  C:\Windows\System\izsxXCO.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\bwAFgXQ.exe
  C:\Windows\System\bwAFgXQ.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\YgFIUCd.exe
  C:\Windows\System\YgFIUCd.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System\XAsDrxk.exe
  C:\Windows\System\XAsDrxk.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\bhHvRxE.exe
  C:\Windows\System\bhHvRxE.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System\gLjyQhC.exe
  C:\Windows\System\gLjyQhC.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\OcYDFSv.exe
  C:\Windows\System\OcYDFSv.exe
  2⤵
  - Executes dropped EXE
  PID:2516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\HTSMNeJ.exe

Filesize
5.2MB

MD5
243ec5a128e897e4f9dff45db81e86c8

SHA1
84f17a8c0bbf3c3b0af30ba5db5c46d71efb829a

SHA256
e0b7c17d6f964847681479f2c2f057027f3ae8d6fe2254e3e9e628eef99c6d78

SHA512
20e38cd626b1be66ee3cca54c7ad942760977f3ccc7c8936d70ce811c705a20416bb213dea5324a5d63a7a4dfc1074ee09bdcfd42fa2c897f75b12a2fca9865b

Download Submit
C:\Windows\System\JUKhXST.exe

Filesize
5.2MB

MD5
38e2c670e9ac4d78952bf2210b57ba40

SHA1
97de229e19359d3db3cafeec16f10dea957cae5b

SHA256
c206b834437935a7d1a6cd18f845d176ed7d3f580a2bc70e72c0f2dc9d908071

SHA512
93d2430612c7d65e4490a22bf36986ac1827cc959373468c837eb222126e3639b9c63791bafb75e0a218f362bd0354019288d2ff3af63cc0308adde1f21038a4

Download Submit
C:\Windows\System\KSNmlmn.exe

Filesize
5.2MB

MD5
5ade1db6b7ef58060ed7675312c048ba

SHA1
40c8348bb974a12ab8748277253fb22eadbaeff8

SHA256
c6158b2b5d94e6b69cccda6deeb30710344c7e6bf6a6edac7ed05666b865ceea

SHA512
2dbe714bddc846927fd248f8f8b0076666d418cea2c3b0ba05d4dbab389c44c38c0b24f2f1a7dacf6eca863a24f2051f32f021da42e1cdab34754648da886f13

Download Submit
C:\Windows\System\NHFjKGG.exe

Filesize
5.2MB

MD5
4b413fe480dbfa45930aa0ad8c8046cf

SHA1
74c9a0fa8cfdc4b159bfc04110928e83ddf4cc36

SHA256
810d454c889bce30ef4ab84e85bcf1dc04bbab032084afd7ebbcb17ab24d4c15

SHA512
717c123146293454b4d564c3bd876ec49436ab8f989dcf4fd7fec9daff6eb8ec19613b257f26f1fa65b9a26304ce87e955a574d7abbb2936f1f2f08ce99c8169

Download Submit
C:\Windows\System\OcYDFSv.exe

Filesize
5.2MB

MD5
db6808cde8d9600006f9d77fc1891743

SHA1
1dabc6796ccd0e4e8da746d021f7e70b35c17157

SHA256
d4d1579d474f9346a5640b1d98a0a2f9e628630cad36e71807bd0c0dc02919e3

SHA512
43c70661181d1b646d2f15b9123f514b53d39f5dcf732f4031423b41cf4b6492d0a2e112e8782f177396a57d25294da8cd1a2c8baf096e1b65c1f9db7b3c7f77

Download Submit
C:\Windows\System\OmWPHJA.exe

Filesize
5.2MB

MD5
e147c81dbeba6aa55eeba64295ea8c11

SHA1
1d2db96f3a814b63452371efa9cd54d08d14f7a1

SHA256
2951819ddc689a67b11694643969918882fff2e1dc7967b3f8bfe193e19472d6

SHA512
1de2421d585ddacf5dafc29af98b30ebe6164607694c2274016d5972306fd79d5a97984ada2fbe28af73b01a7da7293c4f89117a5dba9e8b0d4d3e707f494206

Download Submit
C:\Windows\System\WEXquXl.exe

Filesize
5.2MB

MD5
1a90ffc84591d6dde703c40c11711f46

SHA1
077de206c59bbd56d8c1a281b61aff88c74d0872

SHA256
afe56c8e9826d1f033c51942b7e51c5caa225dd8edee3a734f5abe932cec1b96

SHA512
78b02d8c4a78f5dedbd7b4760da58b54567a888093e3cf44332f72974c9008490d14afee883927d65ead7d9d0af67d39b108046f9e1261e72db09c351eb81fe8

Download Submit
C:\Windows\System\XAsDrxk.exe

Filesize
5.2MB

MD5
f3cf388302e3fdd3fefe296d0072fc43

SHA1
e4c07f965790912b4fa397b11ea5632aa1362ea6

SHA256
e7e03082610326505ff7d2166f4e87550c6732631e34753c3b0b23d2beeb8d0f

SHA512
e469638da6f88819a033996859213955f4f4028a8341f52cff43c4e22872da8e402bd5df298b778818374907399eb732bb7895038a46079ea8e8c190d8d8ded3

Download Submit
C:\Windows\System\YgFIUCd.exe

Filesize
5.2MB

MD5
eff115a843fd1c6dd565139cb3165d15

SHA1
8ebbcbf2a56bff8c9e91d86ba9d3602912730cf1

SHA256
0dcc4620824765531c5784ce126da3c0fa2611ef0fa3d53bd9b87470aee54a99

SHA512
b93e9fa3a2c33587cdbdcdb1836e8c348e5aa39d71b1bc5d8b720df36e2b12ed3db09d60bb9ce237ba0036b8b23d581ed24603a378ec36adfb32c1b9c8e0e1c6

Download Submit
C:\Windows\System\bhHvRxE.exe

Filesize
5.2MB

MD5
f83d0fc3e2de168c3c42c2b134e6aea4

SHA1
47426796eed15303ad2b5398211aa7f8f15d5a93

SHA256
2aa48de57135c8bf3e8f8dc6e3ed0f01add7ead119a5837bc78cf76c22720a91

SHA512
2cc8df54aa1b1f34b538015913f664036cb0e8e562e38440b78b06abbb121c5e52df03674c9a1d2134796e2948740d63acf047626c726d6c0f91f99fb26dfd8e

Download Submit
C:\Windows\System\bwAFgXQ.exe

Filesize
5.2MB

MD5
3f37e28bea6209839174307a25a61819

SHA1
2bf3ebfae18c55269187a3e35977e342c100e50f

SHA256
3fc4abaf7208e74a3b90fd1149c92708c7d54df119278418f352887289819d23

SHA512
5479d7f3f0f1fe586d6fbec71c2524e68bbe85f466c81ad8122a959f79d066d4eb7363d1053da462a286d611d8639dfada10054a04dc998bdfb15b88e85d353a

Download Submit
C:\Windows\System\fVSCLCc.exe

Filesize
5.2MB

MD5
b65f0830c75286fcee825c61a1ba9acc

SHA1
019249e0403af66f46c3c2042528e40df0a6f390

SHA256
abfb0780413edd15db5b168865153c99960649883a26707489b57dbb3cb30c39

SHA512
d9e4c71e4a75b3b9882714c6f9c760d3283af9e0d9b8a7c9cafd949a5a0528e1e101c2959eaddb0d339e4725407f8e7bead595e5cf16ea9e1d9e1e274fb7f14f

Download Submit
C:\Windows\System\gLjyQhC.exe

Filesize
5.2MB

MD5
dd739b4dec47ffa2e8dda4bc4a2058d3

SHA1
3a303cc1b8e0f555fa6ca8d7c9e502b1d58041ae

SHA256
dc9539e848acf7bca011991bf32eaedc8676322f01638e5af451408aa17b207f

SHA512
e4163ef882eca56eb02baed5f2eea06b5d42bf36f0194d75fcdd78c200c2c90da9cbdfdd33c2070d8829c0717d29f9b611c37e26b83dcb2fcfade70a0abdf390

Download Submit
C:\Windows\System\gtPGpSF.exe

Filesize
5.2MB

MD5
dd6f8a0b549229edf42bb2ea751786d8

SHA1
948c737c6c9bb60ddce2a3955ae1f95df1dd38cc

SHA256
577952963e4349092329b10f2ed4bc0a719aad1cebffb6da82b987c9b5b4a7c8

SHA512
d35337eb71fe8a81bcc0d39e4df8945830bc0b50f45cb3f44e972414210d713b9f21746c8465d2e4e018da61153e8c3eeac2e2c8be874f3d749d4996c651ab00

Download Submit
C:\Windows\System\hHGIIZU.exe

Filesize
5.2MB

MD5
de31cab07604ee8cf17d026762906989

SHA1
fe5d217ffec7c5148a656277cf779e7bdbfdbcae

SHA256
bfeba8cd2c22e1281c6b05418cecb7d995cc8ecf67b5418beffefc8104a091be

SHA512
70db95bc2f969279e5b1eb85aea64feb7f99421fef68578506ce104a23f45632449d89cb69266e38f23b495db89697286fb9a92d5b6fb55e77b69f7f6e511b2d

Download Submit
C:\Windows\System\izsxXCO.exe

Filesize
5.2MB

MD5
2f1ee0156223dd365c665d7dda6e2314

SHA1
499cc19ce9acc863ade20190ae88f3297fa0ed46

SHA256
3bb96597eac411735c4e3b8882da6837b14e330c666aa838b555ff79fb5ecc46

SHA512
a13b3ce95f931f9f562c19301a0a4ae311e28c918a26bd0b1e95f92292207c53281aba8cb61f33ba6ab41ba817d3ea29826fffe50130e8193b26255748b29f05

Download Submit
C:\Windows\System\mVHqMCv.exe

Filesize
5.2MB

MD5
bc1cb5b0ef1b465e47183ac9c2a74fe4

SHA1
bbfc43c50934dc53e506a30fb5bec39948c044ba

SHA256
41f76888db41d4e5d2d0fdfb94fe5b345533e13fc8b4ad9261d025cb2c6fef6d

SHA512
b70bc3bd991a886c1f169cdb133cbae989135c56438e0c7e7cf2cb1a362d7985218ac4b033da544f36f26024d9c7661c97b2875e87fde24b78dc620ae9d9117f

Download Submit
C:\Windows\System\nnuvywx.exe

Filesize
5.2MB

MD5
b0b21d2ef509a169d1dd8fe13f1095e8

SHA1
2093f036833e87e1dbe7cb4634bd6f623d06f1da

SHA256
075cd782c92d4ff09ebd283a8048cdc21c13950700266a1e6dedf123aec14380

SHA512
a7afd675cfeced6d8ccb2d4be765a462ebc7ec59bdb045c090727bf6bd31151b0f61b5c31a5d26b6e58ebe996f2de5585512d30f99fc9759e44e8a21d680effd

Download Submit
C:\Windows\System\poxdixc.exe

Filesize
5.2MB

MD5
d27df1e7907c609f942b7f37b542abcf

SHA1
4f920eaccfecb0a71d59b5acdc6ea62f3a45dc34

SHA256
b322c71fe2ce28b0408af60e227b5a0dc0384f0bb48879b4f19964e9ad87dacb

SHA512
e59846e891c40b823dbe944e6b102d9109ed54a5e83f1fb661ce7f7b3adb28c6e4c16532ab64ccd68095df910ceaaf147edb96bda607f237e293e3d2b78ba0c6

Download Submit
C:\Windows\System\sYscjRd.exe

Filesize
5.2MB

MD5
08629a12b0e5c406da00af75cabbd952

SHA1
0e680295ca83d78e94f13adc0d59d66ffa069c91

SHA256
ab125e91df071c5e05781fb686c1b87eb3ffcfde5e9000824a40010cec2fce72

SHA512
9beacf43634a1e4ac571d35c71355b163e39ced14b678726476de56f3587a89136c45eb53e056e80240c2df52f9ac3ef922edc02296e490469e0b0fe2ba1cf9f

Download Submit
C:\Windows\System\wrAEOVH.exe

Filesize
5.2MB

MD5
33294cf867ddcaf8bab738b2e2f1422f

SHA1
ec0627bee2a59d402e3f494d9b68d7e740af11e9

SHA256
aafa9cf2a73c46d505b0f05bcf1385158d7f450019b5678acecb41f0ddc02781

SHA512
5d9c8e9ba4a8559003cb1f7d66910b2bdcb61ea0a5e918ae47dcd0ab194a85613c7e32a2a5929b283a23b07da9e0557524f0f0626b1bbe17ae25d0190853c89b

Download Submit
memory/540-245-0x00007FF706DE0000-0x00007FF707131000-memory.dmp

Filesize
3.3MB

Download
memory/540-120-0x00007FF706DE0000-0x00007FF707131000-memory.dmp

Filesize
3.3MB

Download
memory/552-248-0x00007FF692520000-0x00007FF692871000-memory.dmp

Filesize
3.3MB

Download
memory/552-118-0x00007FF692520000-0x00007FF692871000-memory.dmp

Filesize
3.3MB

Download
memory/880-130-0x00007FF6820F0000-0x00007FF682441000-memory.dmp

Filesize
3.3MB

Download
memory/880-207-0x00007FF6820F0000-0x00007FF682441000-memory.dmp

Filesize
3.3MB

Download
memory/880-12-0x00007FF6820F0000-0x00007FF682441000-memory.dmp

Filesize
3.3MB

Download
memory/1204-211-0x00007FF7EAF10000-0x00007FF7EB261000-memory.dmp

Filesize
3.3MB

Download
memory/1204-135-0x00007FF7EAF10000-0x00007FF7EB261000-memory.dmp

Filesize
3.3MB

Download
memory/1204-24-0x00007FF7EAF10000-0x00007FF7EB261000-memory.dmp

Filesize
3.3MB

Download
memory/1632-236-0x00007FF684440000-0x00007FF684791000-memory.dmp

Filesize
3.3MB

Download
memory/1632-129-0x00007FF684440000-0x00007FF684791000-memory.dmp

Filesize
3.3MB

Download
memory/1800-246-0x00007FF6A6AD0000-0x00007FF6A6E21000-memory.dmp

Filesize
3.3MB

Download
memory/1800-119-0x00007FF6A6AD0000-0x00007FF6A6E21000-memory.dmp

Filesize
3.3MB

Download
memory/1920-46-0x00007FF6A2E90000-0x00007FF6A31E1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-139-0x00007FF6A2E90000-0x00007FF6A31E1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-230-0x00007FF6A2E90000-0x00007FF6A31E1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-62-0x00007FF720790000-0x00007FF720AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-1-0x000001A4E85C0000-0x000001A4E85D0000-memory.dmp

Filesize
64KB

Download
memory/2304-0-0x00007FF720790000-0x00007FF720AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-153-0x00007FF720790000-0x00007FF720AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-131-0x00007FF720790000-0x00007FF720AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-127-0x00007FF6189B0000-0x00007FF618D01000-memory.dmp

Filesize
3.3MB

Download
memory/2516-260-0x00007FF6189B0000-0x00007FF618D01000-memory.dmp

Filesize
3.3MB

Download
memory/2640-30-0x00007FF65BC20000-0x00007FF65BF71000-memory.dmp

Filesize
3.3MB

Download
memory/2640-136-0x00007FF65BC20000-0x00007FF65BF71000-memory.dmp

Filesize
3.3MB

Download
memory/2640-224-0x00007FF65BC20000-0x00007FF65BF71000-memory.dmp

Filesize
3.3MB

Download
memory/2764-137-0x00007FF7A56E0000-0x00007FF7A5A31000-memory.dmp

Filesize
3.3MB

Download
memory/2764-36-0x00007FF7A56E0000-0x00007FF7A5A31000-memory.dmp

Filesize
3.3MB

Download
memory/2764-226-0x00007FF7A56E0000-0x00007FF7A5A31000-memory.dmp

Filesize
3.3MB

Download
memory/2812-229-0x00007FF749E20000-0x00007FF74A171000-memory.dmp

Filesize
3.3MB

Download
memory/2812-138-0x00007FF749E20000-0x00007FF74A171000-memory.dmp

Filesize
3.3MB

Download
memory/2812-45-0x00007FF749E20000-0x00007FF74A171000-memory.dmp

Filesize
3.3MB

Download
memory/3040-234-0x00007FF6C9EB0000-0x00007FF6CA201000-memory.dmp

Filesize
3.3MB

Download
memory/3040-117-0x00007FF6C9EB0000-0x00007FF6CA201000-memory.dmp

Filesize
3.3MB

Download
memory/3160-254-0x00007FF75E390000-0x00007FF75E6E1000-memory.dmp

Filesize
3.3MB

Download
memory/3160-125-0x00007FF75E390000-0x00007FF75E6E1000-memory.dmp

Filesize
3.3MB

Download
memory/3460-140-0x00007FF6B5120000-0x00007FF6B5471000-memory.dmp

Filesize
3.3MB

Download
memory/3460-232-0x00007FF6B5120000-0x00007FF6B5471000-memory.dmp

Filesize
3.3MB

Download
memory/3460-50-0x00007FF6B5120000-0x00007FF6B5471000-memory.dmp

Filesize
3.3MB

Download
memory/3592-121-0x00007FF68EC70000-0x00007FF68EFC1000-memory.dmp

Filesize
3.3MB

Download
memory/3592-242-0x00007FF68EC70000-0x00007FF68EFC1000-memory.dmp

Filesize
3.3MB

Download
memory/4164-209-0x00007FF6D0890000-0x00007FF6D0BE1000-memory.dmp

Filesize
3.3MB

Download
memory/4164-134-0x00007FF6D0890000-0x00007FF6D0BE1000-memory.dmp

Filesize
3.3MB

Download
memory/4164-20-0x00007FF6D0890000-0x00007FF6D0BE1000-memory.dmp

Filesize
3.3MB

Download
memory/4252-123-0x00007FF6ABCE0000-0x00007FF6AC031000-memory.dmp

Filesize
3.3MB

Download
memory/4252-252-0x00007FF6ABCE0000-0x00007FF6AC031000-memory.dmp

Filesize
3.3MB

Download
memory/4724-250-0x00007FF622C50000-0x00007FF622FA1000-memory.dmp

Filesize
3.3MB

Download
memory/4724-122-0x00007FF622C50000-0x00007FF622FA1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-128-0x00007FF6AD760000-0x00007FF6ADAB1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-205-0x00007FF6AD760000-0x00007FF6ADAB1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-6-0x00007FF6AD760000-0x00007FF6ADAB1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-126-0x00007FF68A8D0000-0x00007FF68AC21000-memory.dmp

Filesize
3.3MB

Download
memory/5012-258-0x00007FF68A8D0000-0x00007FF68AC21000-memory.dmp

Filesize
3.3MB

Download
memory/5068-256-0x00007FF68BD50000-0x00007FF68C0A1000-memory.dmp

Filesize
3.3MB

Download
memory/5068-124-0x00007FF68BD50000-0x00007FF68C0A1000-memory.dmp

Filesize
3.3MB

Download