cobaltstrike | 9961bfcb4fcfb8968b9e8b3b81b9e5a9e3ae038e377f5d47baeb5edb6db6059b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

75e7bedae148d8297ba3f8081c053d7a
SHA1

ac33c851934d0455410d5b30b41d54507b0ae45a
SHA256

9961bfcb4fcfb8968b9e8b3b81b9e5a9e3ae038e377f5d47baeb5edb6db6059b
SHA512

e4ddc3dab0982b46071aa90e36a9a01993f5ca0bd22d2fef4a99c1aed25974e745819a3e78f4646c4900a5769213c3c650ed48b1687babed29ec0bed841eeb1e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l6:RWWBibf56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023409-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023411-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023412-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023414-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-59.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-48.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341b-75.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341d-84.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341c-86.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341f-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023420-111.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341e-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023421-116.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000009da0-121.dat	cobalt_reflective_dll
behavioral2/files/0x0003000000022a80-131.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022a83-135.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3124-38-0x00007FF6A9BA0000-0x00007FF6A9EF1000-memory.dmp	xmrig
behavioral2/memory/2820-67-0x00007FF7CBBB0000-0x00007FF7CBF01000-memory.dmp	xmrig
behavioral2/memory/4920-61-0x00007FF720410000-0x00007FF720761000-memory.dmp	xmrig
behavioral2/memory/1372-54-0x00007FF77FC30000-0x00007FF77FF81000-memory.dmp	xmrig
behavioral2/memory/4484-72-0x00007FF7E3AD0000-0x00007FF7E3E21000-memory.dmp	xmrig
behavioral2/memory/1008-78-0x00007FF6330D0000-0x00007FF633421000-memory.dmp	xmrig
behavioral2/memory/4604-98-0x00007FF63A700000-0x00007FF63AA51000-memory.dmp	xmrig
behavioral2/memory/3464-108-0x00007FF6F89B0000-0x00007FF6F8D01000-memory.dmp	xmrig
behavioral2/memory/1540-109-0x00007FF676E70000-0x00007FF6771C1000-memory.dmp	xmrig
behavioral2/memory/4760-106-0x00007FF6179C0000-0x00007FF617D11000-memory.dmp	xmrig
behavioral2/memory/3456-87-0x00007FF6C2F50000-0x00007FF6C32A1000-memory.dmp	xmrig
behavioral2/memory/2860-117-0x00007FF6C9B60000-0x00007FF6C9EB1000-memory.dmp	xmrig
behavioral2/memory/2180-113-0x00007FF6DE5F0000-0x00007FF6DE941000-memory.dmp	xmrig
behavioral2/memory/1524-127-0x00007FF6E93F0000-0x00007FF6E9741000-memory.dmp	xmrig
behavioral2/memory/4788-126-0x00007FF72A520000-0x00007FF72A871000-memory.dmp	xmrig
behavioral2/memory/1572-142-0x00007FF75ED10000-0x00007FF75F061000-memory.dmp	xmrig
behavioral2/memory/1740-140-0x00007FF603BD0000-0x00007FF603F21000-memory.dmp	xmrig
behavioral2/memory/1480-136-0x00007FF769DB0000-0x00007FF76A101000-memory.dmp	xmrig
behavioral2/memory/3916-148-0x00007FF723230000-0x00007FF723581000-memory.dmp	xmrig
behavioral2/memory/2236-155-0x00007FF66B7A0000-0x00007FF66BAF1000-memory.dmp	xmrig
behavioral2/memory/3540-161-0x00007FF7B2500000-0x00007FF7B2851000-memory.dmp	xmrig
behavioral2/memory/1524-162-0x00007FF6E93F0000-0x00007FF6E9741000-memory.dmp	xmrig
behavioral2/memory/3928-164-0x00007FF61A540000-0x00007FF61A891000-memory.dmp	xmrig
behavioral2/memory/1372-165-0x00007FF77FC30000-0x00007FF77FF81000-memory.dmp	xmrig
behavioral2/memory/4920-218-0x00007FF720410000-0x00007FF720761000-memory.dmp	xmrig
behavioral2/memory/2820-220-0x00007FF7CBBB0000-0x00007FF7CBF01000-memory.dmp	xmrig
behavioral2/memory/4484-222-0x00007FF7E3AD0000-0x00007FF7E3E21000-memory.dmp	xmrig
behavioral2/memory/1008-224-0x00007FF6330D0000-0x00007FF633421000-memory.dmp	xmrig
behavioral2/memory/3456-227-0x00007FF6C2F50000-0x00007FF6C32A1000-memory.dmp	xmrig
behavioral2/memory/3124-233-0x00007FF6A9BA0000-0x00007FF6A9EF1000-memory.dmp	xmrig
behavioral2/memory/4760-235-0x00007FF6179C0000-0x00007FF617D11000-memory.dmp	xmrig
behavioral2/memory/1540-237-0x00007FF676E70000-0x00007FF6771C1000-memory.dmp	xmrig
behavioral2/memory/2180-241-0x00007FF6DE5F0000-0x00007FF6DE941000-memory.dmp	xmrig
behavioral2/memory/2860-243-0x00007FF6C9B60000-0x00007FF6C9EB1000-memory.dmp	xmrig
behavioral2/memory/4788-245-0x00007FF72A520000-0x00007FF72A871000-memory.dmp	xmrig
behavioral2/memory/1480-253-0x00007FF769DB0000-0x00007FF76A101000-memory.dmp	xmrig
behavioral2/memory/3916-256-0x00007FF723230000-0x00007FF723581000-memory.dmp	xmrig
behavioral2/memory/1572-257-0x00007FF75ED10000-0x00007FF75F061000-memory.dmp	xmrig
behavioral2/memory/4604-259-0x00007FF63A700000-0x00007FF63AA51000-memory.dmp	xmrig
behavioral2/memory/3464-261-0x00007FF6F89B0000-0x00007FF6F8D01000-memory.dmp	xmrig
behavioral2/memory/2236-263-0x00007FF66B7A0000-0x00007FF66BAF1000-memory.dmp	xmrig
behavioral2/memory/3540-266-0x00007FF7B2500000-0x00007FF7B2851000-memory.dmp	xmrig
behavioral2/memory/1524-271-0x00007FF6E93F0000-0x00007FF6E9741000-memory.dmp	xmrig
behavioral2/memory/1740-273-0x00007FF603BD0000-0x00007FF603F21000-memory.dmp	xmrig
behavioral2/memory/3928-275-0x00007FF61A540000-0x00007FF61A891000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4920	dSIDHsy.exe
2820	RxwBTxR.exe
4484	wqhugnk.exe
1008	IAwKGHG.exe
3456	NouSzEd.exe
3124	dTkGjLL.exe
4760	gDkdBdL.exe
1540	ssQrloi.exe
2180	CLokkfy.exe
2860	finEfdZ.exe
4788	QfyvOBt.exe
1480	mwdfMMz.exe
1572	YeiJuNR.exe
3916	LYWzIRY.exe
4604	eKCoUFx.exe
3464	IZYjUWD.exe
2236	kXgQyGm.exe
3540	ACYvRGG.exe
1524	SbtSqum.exe
3928	iEVuQKN.exe
1740	uogtudY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1372-0-0x00007FF77FC30000-0x00007FF77FF81000-memory.dmp	upx
behavioral2/files/0x0009000000023409-5.dat	upx
behavioral2/files/0x0007000000023411-11.dat	upx
behavioral2/files/0x0007000000023412-17.dat	upx
behavioral2/files/0x0007000000023413-22.dat	upx
behavioral2/memory/1008-23-0x00007FF6330D0000-0x00007FF633421000-memory.dmp	upx
behavioral2/memory/4484-18-0x00007FF7E3AD0000-0x00007FF7E3E21000-memory.dmp	upx
behavioral2/memory/2820-12-0x00007FF7CBBB0000-0x00007FF7CBF01000-memory.dmp	upx
behavioral2/memory/4920-7-0x00007FF720410000-0x00007FF720761000-memory.dmp	upx
behavioral2/files/0x0007000000023414-28.dat	upx
behavioral2/memory/3456-30-0x00007FF6C2F50000-0x00007FF6C32A1000-memory.dmp	upx
behavioral2/files/0x0007000000023415-35.dat	upx
behavioral2/memory/3124-38-0x00007FF6A9BA0000-0x00007FF6A9EF1000-memory.dmp	upx
behavioral2/files/0x0007000000023416-41.dat	upx
behavioral2/memory/4760-42-0x00007FF6179C0000-0x00007FF617D11000-memory.dmp	upx
behavioral2/files/0x0007000000023418-53.dat	upx
behavioral2/memory/1540-51-0x00007FF676E70000-0x00007FF6771C1000-memory.dmp	upx
behavioral2/memory/2180-55-0x00007FF6DE5F0000-0x00007FF6DE941000-memory.dmp	upx
behavioral2/files/0x0007000000023419-59.dat	upx
behavioral2/memory/2860-62-0x00007FF6C9B60000-0x00007FF6C9EB1000-memory.dmp	upx
behavioral2/files/0x000700000002341a-66.dat	upx
behavioral2/memory/4788-69-0x00007FF72A520000-0x00007FF72A871000-memory.dmp	upx
behavioral2/memory/2820-67-0x00007FF7CBBB0000-0x00007FF7CBF01000-memory.dmp	upx
behavioral2/memory/4920-61-0x00007FF720410000-0x00007FF720761000-memory.dmp	upx
behavioral2/memory/1372-54-0x00007FF77FC30000-0x00007FF77FF81000-memory.dmp	upx
behavioral2/files/0x0007000000023417-48.dat	upx
behavioral2/memory/4484-72-0x00007FF7E3AD0000-0x00007FF7E3E21000-memory.dmp	upx
behavioral2/files/0x000700000002341b-75.dat	upx
behavioral2/memory/1008-78-0x00007FF6330D0000-0x00007FF633421000-memory.dmp	upx
behavioral2/files/0x000700000002341d-84.dat	upx
behavioral2/files/0x000700000002341c-86.dat	upx
behavioral2/memory/4604-98-0x00007FF63A700000-0x00007FF63AA51000-memory.dmp	upx
behavioral2/files/0x000700000002341f-102.dat	upx
behavioral2/memory/3464-108-0x00007FF6F89B0000-0x00007FF6F8D01000-memory.dmp	upx
behavioral2/memory/1540-109-0x00007FF676E70000-0x00007FF6771C1000-memory.dmp	upx
behavioral2/files/0x0007000000023420-111.dat	upx
behavioral2/memory/2236-110-0x00007FF66B7A0000-0x00007FF66BAF1000-memory.dmp	upx
behavioral2/memory/4760-106-0x00007FF6179C0000-0x00007FF617D11000-memory.dmp	upx
behavioral2/files/0x000700000002341e-95.dat	upx
behavioral2/memory/3916-89-0x00007FF723230000-0x00007FF723581000-memory.dmp	upx
behavioral2/memory/1572-88-0x00007FF75ED10000-0x00007FF75F061000-memory.dmp	upx
behavioral2/memory/3456-87-0x00007FF6C2F50000-0x00007FF6C32A1000-memory.dmp	upx
behavioral2/memory/1480-79-0x00007FF769DB0000-0x00007FF76A101000-memory.dmp	upx
behavioral2/files/0x0007000000023421-116.dat	upx
behavioral2/memory/2860-117-0x00007FF6C9B60000-0x00007FF6C9EB1000-memory.dmp	upx
behavioral2/memory/3540-118-0x00007FF7B2500000-0x00007FF7B2851000-memory.dmp	upx
behavioral2/memory/2180-113-0x00007FF6DE5F0000-0x00007FF6DE941000-memory.dmp	upx
behavioral2/files/0x0008000000009da0-121.dat	upx
behavioral2/memory/1524-127-0x00007FF6E93F0000-0x00007FF6E9741000-memory.dmp	upx
behavioral2/memory/4788-126-0x00007FF72A520000-0x00007FF72A871000-memory.dmp	upx
behavioral2/files/0x0003000000022a80-131.dat	upx
behavioral2/memory/1572-142-0x00007FF75ED10000-0x00007FF75F061000-memory.dmp	upx
behavioral2/memory/1740-140-0x00007FF603BD0000-0x00007FF603F21000-memory.dmp	upx
behavioral2/memory/3928-139-0x00007FF61A540000-0x00007FF61A891000-memory.dmp	upx
behavioral2/memory/1480-136-0x00007FF769DB0000-0x00007FF76A101000-memory.dmp	upx
behavioral2/files/0x0002000000022a83-135.dat	upx
behavioral2/memory/3916-148-0x00007FF723230000-0x00007FF723581000-memory.dmp	upx
behavioral2/memory/2236-155-0x00007FF66B7A0000-0x00007FF66BAF1000-memory.dmp	upx
behavioral2/memory/3540-161-0x00007FF7B2500000-0x00007FF7B2851000-memory.dmp	upx
behavioral2/memory/1524-162-0x00007FF6E93F0000-0x00007FF6E9741000-memory.dmp	upx
behavioral2/memory/3928-164-0x00007FF61A540000-0x00007FF61A891000-memory.dmp	upx
behavioral2/memory/1372-165-0x00007FF77FC30000-0x00007FF77FF81000-memory.dmp	upx
behavioral2/memory/4920-218-0x00007FF720410000-0x00007FF720761000-memory.dmp	upx
behavioral2/memory/2820-220-0x00007FF7CBBB0000-0x00007FF7CBF01000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\wqhugnk.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gDkdBdL.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QfyvOBt.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mwdfMMz.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LYWzIRY.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RxwBTxR.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CLokkfy.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eKCoUFx.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IZYjUWD.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kXgQyGm.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iEVuQKN.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uogtudY.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dSIDHsy.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IAwKGHG.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dTkGjLL.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NouSzEd.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ssQrloi.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\finEfdZ.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YeiJuNR.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ACYvRGG.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SbtSqum.exe	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 4920	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1372 wrote to memory of 4920	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1372 wrote to memory of 2820	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1372 wrote to memory of 2820	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1372 wrote to memory of 4484	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1372 wrote to memory of 4484	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1372 wrote to memory of 1008	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1372 wrote to memory of 1008	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1372 wrote to memory of 3456	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1372 wrote to memory of 3456	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1372 wrote to memory of 3124	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1372 wrote to memory of 3124	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1372 wrote to memory of 4760	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1372 wrote to memory of 4760	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1372 wrote to memory of 1540	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1372 wrote to memory of 1540	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1372 wrote to memory of 2180	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1372 wrote to memory of 2180	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1372 wrote to memory of 2860	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1372 wrote to memory of 2860	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1372 wrote to memory of 4788	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1372 wrote to memory of 4788	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1372 wrote to memory of 1480	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1372 wrote to memory of 1480	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1372 wrote to memory of 1572	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1372 wrote to memory of 1572	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1372 wrote to memory of 3916	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1372 wrote to memory of 3916	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1372 wrote to memory of 4604	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1372 wrote to memory of 4604	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1372 wrote to memory of 3464	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1372 wrote to memory of 3464	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1372 wrote to memory of 2236	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1372 wrote to memory of 2236	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1372 wrote to memory of 3540	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1372 wrote to memory of 3540	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1372 wrote to memory of 1524	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1372 wrote to memory of 1524	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1372 wrote to memory of 3928	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1372 wrote to memory of 3928	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1372 wrote to memory of 1740	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 1372 wrote to memory of 1740	1372	2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_75e7bedae148d8297ba3f8081c053d7a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\System\dSIDHsy.exe
  C:\Windows\System\dSIDHsy.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\RxwBTxR.exe
  C:\Windows\System\RxwBTxR.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\wqhugnk.exe
  C:\Windows\System\wqhugnk.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\IAwKGHG.exe
  C:\Windows\System\IAwKGHG.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\NouSzEd.exe
  C:\Windows\System\NouSzEd.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System\dTkGjLL.exe
  C:\Windows\System\dTkGjLL.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\gDkdBdL.exe
  C:\Windows\System\gDkdBdL.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\ssQrloi.exe
  C:\Windows\System\ssQrloi.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\CLokkfy.exe
  C:\Windows\System\CLokkfy.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\finEfdZ.exe
  C:\Windows\System\finEfdZ.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\QfyvOBt.exe
  C:\Windows\System\QfyvOBt.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\mwdfMMz.exe
  C:\Windows\System\mwdfMMz.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\YeiJuNR.exe
  C:\Windows\System\YeiJuNR.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\LYWzIRY.exe
  C:\Windows\System\LYWzIRY.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System\eKCoUFx.exe
  C:\Windows\System\eKCoUFx.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\IZYjUWD.exe
  C:\Windows\System\IZYjUWD.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\kXgQyGm.exe
  C:\Windows\System\kXgQyGm.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\ACYvRGG.exe
  C:\Windows\System\ACYvRGG.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\SbtSqum.exe
  C:\Windows\System\SbtSqum.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\iEVuQKN.exe
  C:\Windows\System\iEVuQKN.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\uogtudY.exe
  C:\Windows\System\uogtudY.exe
  2⤵
  - Executes dropped EXE
  PID:1740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ACYvRGG.exe

Filesize
5.2MB

MD5
220b28de8c1b2abc4758512a5dc27edf

SHA1
e668b23bafb842c63eb18f4375dd80ea24d80d93

SHA256
c54e2ac3e996ad60ec8d51df37ee310b17a335843762c03e6a35b873a44241ad

SHA512
9035292eab660553653143dedc1f9cd34c4c7a4fb640e9e2c426a9527c7ad348e787c6c877a15d0eb0c9e3f63ec88db367485ce418456f5b642e01a856e9ac7c

Download Submit
C:\Windows\System\CLokkfy.exe

Filesize
5.2MB

MD5
8e4cf8e14416f3f08be17cc4a616ac03

SHA1
38ade5a5c968d3d8fa731f9e3414645487229b5b

SHA256
8470fc16dd362fdd71f610725aeb6968a81b87fef06316820cf523b35e87947f

SHA512
536ef012c1e60ab65c03629cac57520309dacc69a40b1d010fe51ee39059b7fcad222d83f9b72908779c2dece1c109c5b55896095474a1c6800498af615b084e

Download Submit
C:\Windows\System\IAwKGHG.exe

Filesize
5.2MB

MD5
e1e34c4c825b3e987cbeb1876dc9593d

SHA1
6889197db7175f96b93ccce633984ebd597354ae

SHA256
6586f2b6cf56af338327e889a03606a56b9c40bf24abd1f5d75e303eae0d0242

SHA512
ebd7a4c46ebe4d46ba45b66542dc1530fa49bf6c9c14c14e9bf205b9aa9506d36172d200a62814eb3685d23520121aac2f12fa5df86e6e947a1f4935215e027a

Download Submit
C:\Windows\System\IZYjUWD.exe

Filesize
5.2MB

MD5
51292756087f35f71a211205a604aca8

SHA1
7da259714952c3038b1e707d8f74b072d4dec433

SHA256
cd486f37aa248edaa00b1b76c24b55d45e4f8b5a8a1b302d00e55994fa6b27b1

SHA512
7d629836ca7660bd5fb551f902010aa66bfb1f7ccf16291a9dd7add79547f2e5568bfbad32605ccf71d2a6283911501bbb00549d095ca453ba0912b9e3e56bf8

Download Submit
C:\Windows\System\LYWzIRY.exe

Filesize
5.2MB

MD5
beb72579e21e1a8b34faf417d87da34e

SHA1
61222a22f0c4f5fdc8efce41ee52722e626438d1

SHA256
26d1a56e402145d6e599357e648fbadf52afb5a8fbaf0e4009ecd119b05409e1

SHA512
0248dae9edcb6f585baf7015f5308a891f5741141816ac23e919e08af06cf11d6586bc574866935f243f320ca97c1ec1223bdcda00ba3248b5cdadb523436fe3

Download Submit
C:\Windows\System\NouSzEd.exe

Filesize
5.2MB

MD5
eb9088103e8f2089b8dd6b05d40ea4d2

SHA1
0365f3580a3643523ae9e198a27b5a1ecb71f6a6

SHA256
e75004fe274bf563cf56aaae7573c3a26e320c17b093639fb538c7d819912a66

SHA512
abfd881d3f8a39d80327767f4977b1a5c3bf26875adb87e28eed832a685e4376959c3020ff04a1ed4ead1cc79214349cfad68978623f5bb292d3c0ec92066863

Download Submit
C:\Windows\System\QfyvOBt.exe

Filesize
5.2MB

MD5
09f0a8f430902118d07848cf5e5806e1

SHA1
02a9c2e706c2fbf4280f793de7b2d9da7d41de36

SHA256
d91d7c1c18de307943d23bafaaf94696b90bcf84bab91e61ad0f007c02b374ef

SHA512
8a86f531b3e9cf5bb1c2f51874569a2e2f8d7bf67c45c90cff65ef5e4e83850a9127bd7a832dfbc960d73b1cefb629dd23c0b950d27e1432146ecd93cff016cb

Download Submit
C:\Windows\System\RxwBTxR.exe

Filesize
5.2MB

MD5
08d447c7f3cc08e0c833d65829ff7571

SHA1
f05419b6dc6b29881301b84d23c663b3588bfd02

SHA256
3c24e6ed1778d12276b1f0dc21004612aa4173d733fd18d0e382593559026719

SHA512
8023f4ca919df299103c6f4852f78c8380496222a61aef207ef44572a582e0734cafb32e5c9805665276f195647bc4f2eaa253eff2c3d1cb13384fb81d45791c

Download Submit
C:\Windows\System\SbtSqum.exe

Filesize
5.2MB

MD5
61a5fd45343dae33b352858ed6bc2896

SHA1
0f2e800581f7491e695e6b5cb8c7ef49eb027037

SHA256
c6274d6bf3e096ee2b626512a52237e2850ae4e8281dcc961c4ce369acedd5e6

SHA512
b2b64fb5f64efca2bee612724ca424436047e24491d75ecef947e3de7471e9029e2b76008769b9288f8c47bfefa40999e6c96d52649106448d3fe3b5a64862e3

Download Submit
C:\Windows\System\YeiJuNR.exe

Filesize
5.2MB

MD5
38974c497026c00915ca30b3c01d6d9b

SHA1
b686b3d063b78eff7bc8f67f382d1ef63506b5ea

SHA256
e661d472af8e73581d2e2675b006aedfb9eff4d7efaa996e25ad52e98c1e5f12

SHA512
5a6dc290e4e2b2ac343e31c3fd55f6a1dcd5366ddf77e87804b7ee6f956e9da34387d30ea756fd79df46d3595e66a6a956cebc46047d561f8d399affd0f81858

Download Submit
C:\Windows\System\dSIDHsy.exe

Filesize
5.2MB

MD5
656674e275175fbc031e911a6aa3704d

SHA1
86f499126fa4d3ef77197a372da3ebfbc65acbd2

SHA256
cd65774c6f98b1985932dac06a0439ec817d4ba6fed1da404f44af25b3ec23ca

SHA512
865f33f24e8d35ad661f35a23c5c9114994be75d19e9c4b5c51866c15e6381a58b888acde2e2bcd16dad8a125e85fdbcd2b50ec7dcb053b6044204f63f5d5097

Download Submit
C:\Windows\System\dTkGjLL.exe

Filesize
5.2MB

MD5
c1aa4e6ed078c08b7c588f492f9ba517

SHA1
77ec16e5470dd2a230b788fbf18e7b164485b25d

SHA256
807bc176fe5374130e7e7d50f4444eeab7ddb9c411325c39b897b75fa95e9105

SHA512
90085ca9bdcf82a995aedde517aa16a0ccff29462414676fbfe872b234762aaaf5a0db6ff65e5bfd53b8d9a2024fdcc5aeca9b9103b52ff9a478ef6b27ea4915

Download Submit
C:\Windows\System\eKCoUFx.exe

Filesize
5.2MB

MD5
ad30f2f47f272ba8962fd9eb7f354a8e

SHA1
7e0950e248d24c5b0bd5de095fd3f322a0a5e054

SHA256
a7692041f7fcbcd6c41889ee083217a784f2b5f54c5f3f4278ae7dda9d223e8e

SHA512
081680fc918c7d7471b44c5ecf3746184768bea9bae9d4d64693d7fc72e88dd9caa166ace0cdcea3253d37594dcafd1c66a2e0a37121669fca1fba2e9db566ac

Download Submit
C:\Windows\System\finEfdZ.exe

Filesize
5.2MB

MD5
87d2e0e39957c41558797d8ebd7973c9

SHA1
03d9681614dfd908f5d4c4086b6208be153fe201

SHA256
b66b8aba6543191e1476cd551f9377f3cd76e96d03c0cdcaffdca4791d5935dc

SHA512
484924bb6f32d2fc240a09c53c9b63d797dd379e28a5f26a2d0da1f43c9fbf172ec54e34f45b657b47f8955a67024fd80357b9eb475d467e3df9a2f5711cc977

Download Submit
C:\Windows\System\gDkdBdL.exe

Filesize
5.2MB

MD5
d9bba284c6a1a946419a536e89ab031a

SHA1
fec6aa992befdea61166a3512a5587b0889dc150

SHA256
b7653c0bcfc8eb5c61e7adb8337ad156e8195afafff6ffc8a65d41c4d1dbfe5e

SHA512
e2ed1f838e5168705925c6325387222d341e44954b8b764e1c46cf9443d49e3f623d285cadd55853b663977d0a2e23550ef838ce49f0861a7b5a25cfdf2825ff

Download Submit
C:\Windows\System\iEVuQKN.exe

Filesize
5.2MB

MD5
8ed8926e09f34fa42844f6811ca76b1b

SHA1
b74f658d3038b27a84b239e3544f0160ecfee29b

SHA256
6b9d8582e72d2ae73e704d2b798188ed5a3d82f200d82a6503b2e839e1519cf2

SHA512
895714215917619055ab4ca53ec664fb62465b8a4d3bae1cb8bab3fdd83ac3e246ff1dbf5399d0abec803b22f7955e678645251673fc779df1fb5b09635c0df1

Download Submit
C:\Windows\System\kXgQyGm.exe

Filesize
5.2MB

MD5
724491593271207602c30a47907324bd

SHA1
8b5640de2fad4f34869a3786c4c663801c5596e1

SHA256
b7dec18d7aedbe2495d9105824658b08791c4533628a9b2e245e0ccad8389eef

SHA512
acf01d79ed73f9f990a40618181991e488cc7b6e11d4d61f8a5c9939b6831d7bde98caa52d6934f28389c2fa0be4cf2e65082fc6f2f254dcf4d0aaa36e58f773

Download Submit
C:\Windows\System\mwdfMMz.exe

Filesize
5.2MB

MD5
ac173333e4c0f36a4495581c2034ff0c

SHA1
3268c8d752d1f3b8fa57c8cbbb2941a47b8fef43

SHA256
958bd1ef704013147a511917010ab3b5068565eb8a03f21ef834b0fa8b1e3364

SHA512
ca9b60aa83dcabe1cb39fc31e7c85d55fabbea17700773e72bffd74a3578e94cdee344311250273f360aad46f6a682ec942cfbed4693c0be39673eef90129e5d

Download Submit
C:\Windows\System\ssQrloi.exe

Filesize
5.2MB

MD5
2b14279e8af9c2388cb8a8735cb8042c

SHA1
8b82a2207113a2477e957a057e65291b05222898

SHA256
ef87b1253aa680cde144ad4a6c03e5fd7b776976999d94ac7613f4e4e995479b

SHA512
f8d26f6e72c90200e0eb7677730e302c268aeda4159ea98a51a0998b6cc0967db1f48408f42f6e48d6c0efe8f129658132f3bd3b8672ee0c13067554d969db03

Download Submit
C:\Windows\System\uogtudY.exe

Filesize
5.2MB

MD5
e3b1a1667e06a4e916c281c839fa1638

SHA1
1598b6a69471cc8b77ca82961ae79df303744982

SHA256
60d328c5ea18e3dcc01c0b504c27f2dfe549c6c9622066c94030015fbec8b626

SHA512
595351e1d88c49958011437847dba122858f3d26bbd48eb19a35f5362402c49359529e645b0e0ec082dc6b405147ecc78bc429eb491ba21ea7c54d38e9df86bd

Download Submit
C:\Windows\System\wqhugnk.exe

Filesize
5.2MB

MD5
4d7a65f62f052c647923afcc277361c7

SHA1
5989eec60e3095f7f184b72206c28ff1e5ad9fc7

SHA256
7ae3f0d6d1f41e1946a1bd19eaabd7ba0c9886ad21301de1c3d970efbbe34773

SHA512
a1718cf63f2f236f815165a3a94c1416741cb7f57fc90faa6a61490261762949dc74c96b34a38006e42674cad779b32580c7aac6a50944ef2ca7bd7ccdf46a69

Download Submit
memory/1008-23-0x00007FF6330D0000-0x00007FF633421000-memory.dmp

Filesize
3.3MB

Download
memory/1008-224-0x00007FF6330D0000-0x00007FF633421000-memory.dmp

Filesize
3.3MB

Download
memory/1008-78-0x00007FF6330D0000-0x00007FF633421000-memory.dmp

Filesize
3.3MB

Download
memory/1372-1-0x000002302CB70000-0x000002302CB80000-memory.dmp

Filesize
64KB

Download
memory/1372-0-0x00007FF77FC30000-0x00007FF77FF81000-memory.dmp

Filesize
3.3MB

Download
memory/1372-165-0x00007FF77FC30000-0x00007FF77FF81000-memory.dmp

Filesize
3.3MB

Download
memory/1372-54-0x00007FF77FC30000-0x00007FF77FF81000-memory.dmp

Filesize
3.3MB

Download
memory/1480-136-0x00007FF769DB0000-0x00007FF76A101000-memory.dmp

Filesize
3.3MB

Download
memory/1480-79-0x00007FF769DB0000-0x00007FF76A101000-memory.dmp

Filesize
3.3MB

Download
memory/1480-253-0x00007FF769DB0000-0x00007FF76A101000-memory.dmp

Filesize
3.3MB

Download
memory/1524-127-0x00007FF6E93F0000-0x00007FF6E9741000-memory.dmp

Filesize
3.3MB

Download
memory/1524-162-0x00007FF6E93F0000-0x00007FF6E9741000-memory.dmp

Filesize
3.3MB

Download
memory/1524-271-0x00007FF6E93F0000-0x00007FF6E9741000-memory.dmp

Filesize
3.3MB

Download
memory/1540-51-0x00007FF676E70000-0x00007FF6771C1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-109-0x00007FF676E70000-0x00007FF6771C1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-237-0x00007FF676E70000-0x00007FF6771C1000-memory.dmp

Filesize
3.3MB

Download
memory/1572-88-0x00007FF75ED10000-0x00007FF75F061000-memory.dmp

Filesize
3.3MB

Download
memory/1572-142-0x00007FF75ED10000-0x00007FF75F061000-memory.dmp

Filesize
3.3MB

Download
memory/1572-257-0x00007FF75ED10000-0x00007FF75F061000-memory.dmp

Filesize
3.3MB

Download
memory/1740-273-0x00007FF603BD0000-0x00007FF603F21000-memory.dmp

Filesize
3.3MB

Download
memory/1740-140-0x00007FF603BD0000-0x00007FF603F21000-memory.dmp

Filesize
3.3MB

Download
memory/2180-241-0x00007FF6DE5F0000-0x00007FF6DE941000-memory.dmp

Filesize
3.3MB

Download
memory/2180-55-0x00007FF6DE5F0000-0x00007FF6DE941000-memory.dmp

Filesize
3.3MB

Download
memory/2180-113-0x00007FF6DE5F0000-0x00007FF6DE941000-memory.dmp

Filesize
3.3MB

Download
memory/2236-110-0x00007FF66B7A0000-0x00007FF66BAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2236-155-0x00007FF66B7A0000-0x00007FF66BAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2236-263-0x00007FF66B7A0000-0x00007FF66BAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-220-0x00007FF7CBBB0000-0x00007FF7CBF01000-memory.dmp

Filesize
3.3MB

Download
memory/2820-12-0x00007FF7CBBB0000-0x00007FF7CBF01000-memory.dmp

Filesize
3.3MB

Download
memory/2820-67-0x00007FF7CBBB0000-0x00007FF7CBF01000-memory.dmp

Filesize
3.3MB

Download
memory/2860-243-0x00007FF6C9B60000-0x00007FF6C9EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2860-117-0x00007FF6C9B60000-0x00007FF6C9EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2860-62-0x00007FF6C9B60000-0x00007FF6C9EB1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-233-0x00007FF6A9BA0000-0x00007FF6A9EF1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-38-0x00007FF6A9BA0000-0x00007FF6A9EF1000-memory.dmp

Filesize
3.3MB

Download
memory/3456-30-0x00007FF6C2F50000-0x00007FF6C32A1000-memory.dmp

Filesize
3.3MB

Download
memory/3456-87-0x00007FF6C2F50000-0x00007FF6C32A1000-memory.dmp

Filesize
3.3MB

Download
memory/3456-227-0x00007FF6C2F50000-0x00007FF6C32A1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-108-0x00007FF6F89B0000-0x00007FF6F8D01000-memory.dmp

Filesize
3.3MB

Download
memory/3464-261-0x00007FF6F89B0000-0x00007FF6F8D01000-memory.dmp

Filesize
3.3MB

Download
memory/3540-161-0x00007FF7B2500000-0x00007FF7B2851000-memory.dmp

Filesize
3.3MB

Download
memory/3540-266-0x00007FF7B2500000-0x00007FF7B2851000-memory.dmp

Filesize
3.3MB

Download
memory/3540-118-0x00007FF7B2500000-0x00007FF7B2851000-memory.dmp

Filesize
3.3MB

Download
memory/3916-256-0x00007FF723230000-0x00007FF723581000-memory.dmp

Filesize
3.3MB

Download
memory/3916-148-0x00007FF723230000-0x00007FF723581000-memory.dmp

Filesize
3.3MB

Download
memory/3916-89-0x00007FF723230000-0x00007FF723581000-memory.dmp

Filesize
3.3MB

Download
memory/3928-164-0x00007FF61A540000-0x00007FF61A891000-memory.dmp

Filesize
3.3MB

Download
memory/3928-139-0x00007FF61A540000-0x00007FF61A891000-memory.dmp

Filesize
3.3MB

Download
memory/3928-275-0x00007FF61A540000-0x00007FF61A891000-memory.dmp

Filesize
3.3MB

Download
memory/4484-222-0x00007FF7E3AD0000-0x00007FF7E3E21000-memory.dmp

Filesize
3.3MB

Download
memory/4484-72-0x00007FF7E3AD0000-0x00007FF7E3E21000-memory.dmp

Filesize
3.3MB

Download
memory/4484-18-0x00007FF7E3AD0000-0x00007FF7E3E21000-memory.dmp

Filesize
3.3MB

Download
memory/4604-98-0x00007FF63A700000-0x00007FF63AA51000-memory.dmp

Filesize
3.3MB

Download
memory/4604-259-0x00007FF63A700000-0x00007FF63AA51000-memory.dmp

Filesize
3.3MB

Download
memory/4760-42-0x00007FF6179C0000-0x00007FF617D11000-memory.dmp

Filesize
3.3MB

Download
memory/4760-106-0x00007FF6179C0000-0x00007FF617D11000-memory.dmp

Filesize
3.3MB

Download
memory/4760-235-0x00007FF6179C0000-0x00007FF617D11000-memory.dmp

Filesize
3.3MB

Download
memory/4788-69-0x00007FF72A520000-0x00007FF72A871000-memory.dmp

Filesize
3.3MB

Download
memory/4788-245-0x00007FF72A520000-0x00007FF72A871000-memory.dmp

Filesize
3.3MB

Download
memory/4788-126-0x00007FF72A520000-0x00007FF72A871000-memory.dmp

Filesize
3.3MB

Download
memory/4920-218-0x00007FF720410000-0x00007FF720761000-memory.dmp

Filesize
3.3MB

Download
memory/4920-61-0x00007FF720410000-0x00007FF720761000-memory.dmp

Filesize
3.3MB

Download
memory/4920-7-0x00007FF720410000-0x00007FF720761000-memory.dmp

Filesize
3.3MB

Download