cobaltstrike | 5fd0661a97763a341dff9992adab2a0bbea0dfb0ba125395fce21e0867936e97

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

be5df2582264ed7682534c3cf46cfb85
SHA1

db1d9f693cca0c4569e4a369fdbf4543e41cf417
SHA256

5fd0661a97763a341dff9992adab2a0bbea0dfb0ba125395fce21e0867936e97
SHA512

504c205a9340282581209ac48ceb69791135ed1b17d25c02d63a002e0c92482e836321d71c1c5d76ee92d906cc1a8ddf23fa5eb24c3f1b0db6d57fcdf6e6738d
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUt:T+856utgpPF8u/7t

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000234c9-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cf-24.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-38.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-42.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-52.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-51.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-68.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-50.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-12.dat	cobalt_reflective_dll
behavioral2/files/0x00090000000234ca-79.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-88.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234db-100.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dc-109.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e0-129.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234de-133.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-123.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234da-111.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-93.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d7-74.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2820-0-0x00007FF689730000-0x00007FF689A84000-memory.dmp	xmrig
behavioral2/files/0x00090000000234c9-5.dat	xmrig
behavioral2/memory/4992-7-0x00007FF64B320000-0x00007FF64B674000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ce-11.dat	xmrig
behavioral2/memory/2888-19-0x00007FF687180000-0x00007FF6874D4000-memory.dmp	xmrig
behavioral2/memory/4604-23-0x00007FF6B4A40000-0x00007FF6B4D94000-memory.dmp	xmrig
behavioral2/files/0x00070000000234cf-24.dat	xmrig
behavioral2/files/0x00070000000234d0-29.dat	xmrig
behavioral2/files/0x00070000000234d1-38.dat	xmrig
behavioral2/files/0x00070000000234d2-42.dat	xmrig
behavioral2/files/0x00070000000234d5-52.dat	xmrig
behavioral2/files/0x00070000000234d4-51.dat	xmrig
behavioral2/memory/848-57-0x00007FF64E2F0000-0x00007FF64E644000-memory.dmp	xmrig
behavioral2/memory/2820-66-0x00007FF689730000-0x00007FF689A84000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d6-68.dat	xmrig
behavioral2/memory/3644-67-0x00007FF794E50000-0x00007FF7951A4000-memory.dmp	xmrig
behavioral2/memory/228-65-0x00007FF6CA340000-0x00007FF6CA694000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d3-50.dat	xmrig
behavioral2/memory/4972-48-0x00007FF7FA100000-0x00007FF7FA454000-memory.dmp	xmrig
behavioral2/memory/1396-45-0x00007FF76F6C0000-0x00007FF76FA14000-memory.dmp	xmrig
behavioral2/memory/932-40-0x00007FF7EB0B0000-0x00007FF7EB404000-memory.dmp	xmrig
behavioral2/memory/1752-33-0x00007FF684860000-0x00007FF684BB4000-memory.dmp	xmrig
behavioral2/memory/736-26-0x00007FF63AC00000-0x00007FF63AF54000-memory.dmp	xmrig
behavioral2/files/0x00070000000234cd-12.dat	xmrig
behavioral2/files/0x00090000000234ca-79.dat	xmrig
behavioral2/memory/4060-90-0x00007FF60B680000-0x00007FF60B9D4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d9-88.dat	xmrig
behavioral2/memory/736-86-0x00007FF63AC00000-0x00007FF63AF54000-memory.dmp	xmrig
behavioral2/memory/1748-85-0x00007FF6D4860000-0x00007FF6D4BB4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234db-100.dat	xmrig
behavioral2/memory/4708-101-0x00007FF64ED80000-0x00007FF64F0D4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234dc-109.dat	xmrig
behavioral2/memory/3768-115-0x00007FF64B8B0000-0x00007FF64BC04000-memory.dmp	xmrig
behavioral2/memory/228-121-0x00007FF6CA340000-0x00007FF6CA694000-memory.dmp	xmrig
behavioral2/files/0x00070000000234e0-129.dat	xmrig
behavioral2/memory/2680-132-0x00007FF697140000-0x00007FF697494000-memory.dmp	xmrig
behavioral2/memory/3644-137-0x00007FF794E50000-0x00007FF7951A4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234de-133.dat	xmrig
behavioral2/memory/3344-131-0x00007FF673710000-0x00007FF673A64000-memory.dmp	xmrig
behavioral2/memory/848-130-0x00007FF64E2F0000-0x00007FF64E644000-memory.dmp	xmrig
behavioral2/files/0x00070000000234dd-123.dat	xmrig
behavioral2/memory/4736-122-0x00007FF7D3E50000-0x00007FF7D41A4000-memory.dmp	xmrig
behavioral2/memory/4972-117-0x00007FF7FA100000-0x00007FF7FA454000-memory.dmp	xmrig
behavioral2/memory/1396-116-0x00007FF76F6C0000-0x00007FF76FA14000-memory.dmp	xmrig
behavioral2/files/0x00070000000234da-111.dat	xmrig
behavioral2/memory/932-110-0x00007FF7EB0B0000-0x00007FF7EB404000-memory.dmp	xmrig
behavioral2/memory/2588-107-0x00007FF740250000-0x00007FF7405A4000-memory.dmp	xmrig
behavioral2/memory/904-106-0x00007FF749A30000-0x00007FF749D84000-memory.dmp	xmrig
behavioral2/memory/1752-102-0x00007FF684860000-0x00007FF684BB4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d8-93.dat	xmrig
behavioral2/memory/1576-81-0x00007FF611940000-0x00007FF611C94000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d7-74.dat	xmrig
behavioral2/memory/4992-72-0x00007FF64B320000-0x00007FF64B674000-memory.dmp	xmrig
behavioral2/memory/4060-138-0x00007FF60B680000-0x00007FF60B9D4000-memory.dmp	xmrig
behavioral2/memory/2588-140-0x00007FF740250000-0x00007FF7405A4000-memory.dmp	xmrig
behavioral2/memory/904-139-0x00007FF749A30000-0x00007FF749D84000-memory.dmp	xmrig
behavioral2/memory/3768-141-0x00007FF64B8B0000-0x00007FF64BC04000-memory.dmp	xmrig
behavioral2/memory/4736-142-0x00007FF7D3E50000-0x00007FF7D41A4000-memory.dmp	xmrig
behavioral2/memory/3344-143-0x00007FF673710000-0x00007FF673A64000-memory.dmp	xmrig
behavioral2/memory/2680-144-0x00007FF697140000-0x00007FF697494000-memory.dmp	xmrig
behavioral2/memory/4992-145-0x00007FF64B320000-0x00007FF64B674000-memory.dmp	xmrig
behavioral2/memory/2888-146-0x00007FF687180000-0x00007FF6874D4000-memory.dmp	xmrig
behavioral2/memory/4604-147-0x00007FF6B4A40000-0x00007FF6B4D94000-memory.dmp	xmrig
behavioral2/memory/736-148-0x00007FF63AC00000-0x00007FF63AF54000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4992	jFUqWnT.exe
2888	qRRbqxR.exe
4604	CresACF.exe
736	OHfvhCZ.exe
1752	psihegZ.exe
932	rZTaVyi.exe
1396	DAspioL.exe
4972	EhUcyxR.exe
848	DnysjrC.exe
228	HqlkvnO.exe
3644	GJgNgUQ.exe
1576	PscEkWD.exe
1748	ykZlafA.exe
4060	KHMMbEd.exe
4708	YByTGfm.exe
2588	sLjSnuv.exe
904	swXhNuS.exe
3768	NHexVSN.exe
4736	hKVCuYJ.exe
3344	eyiJAAN.exe
2680	SBcYtHN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2820-0-0x00007FF689730000-0x00007FF689A84000-memory.dmp	upx
behavioral2/files/0x00090000000234c9-5.dat	upx
behavioral2/memory/4992-7-0x00007FF64B320000-0x00007FF64B674000-memory.dmp	upx
behavioral2/files/0x00070000000234ce-11.dat	upx
behavioral2/memory/2888-19-0x00007FF687180000-0x00007FF6874D4000-memory.dmp	upx
behavioral2/memory/4604-23-0x00007FF6B4A40000-0x00007FF6B4D94000-memory.dmp	upx
behavioral2/files/0x00070000000234cf-24.dat	upx
behavioral2/files/0x00070000000234d0-29.dat	upx
behavioral2/files/0x00070000000234d1-38.dat	upx
behavioral2/files/0x00070000000234d2-42.dat	upx
behavioral2/files/0x00070000000234d5-52.dat	upx
behavioral2/files/0x00070000000234d4-51.dat	upx
behavioral2/memory/848-57-0x00007FF64E2F0000-0x00007FF64E644000-memory.dmp	upx
behavioral2/memory/2820-66-0x00007FF689730000-0x00007FF689A84000-memory.dmp	upx
behavioral2/files/0x00070000000234d6-68.dat	upx
behavioral2/memory/3644-67-0x00007FF794E50000-0x00007FF7951A4000-memory.dmp	upx
behavioral2/memory/228-65-0x00007FF6CA340000-0x00007FF6CA694000-memory.dmp	upx
behavioral2/files/0x00070000000234d3-50.dat	upx
behavioral2/memory/4972-48-0x00007FF7FA100000-0x00007FF7FA454000-memory.dmp	upx
behavioral2/memory/1396-45-0x00007FF76F6C0000-0x00007FF76FA14000-memory.dmp	upx
behavioral2/memory/932-40-0x00007FF7EB0B0000-0x00007FF7EB404000-memory.dmp	upx
behavioral2/memory/1752-33-0x00007FF684860000-0x00007FF684BB4000-memory.dmp	upx
behavioral2/memory/736-26-0x00007FF63AC00000-0x00007FF63AF54000-memory.dmp	upx
behavioral2/files/0x00070000000234cd-12.dat	upx
behavioral2/files/0x00090000000234ca-79.dat	upx
behavioral2/memory/4060-90-0x00007FF60B680000-0x00007FF60B9D4000-memory.dmp	upx
behavioral2/files/0x00070000000234d9-88.dat	upx
behavioral2/memory/736-86-0x00007FF63AC00000-0x00007FF63AF54000-memory.dmp	upx
behavioral2/memory/1748-85-0x00007FF6D4860000-0x00007FF6D4BB4000-memory.dmp	upx
behavioral2/files/0x00070000000234db-100.dat	upx
behavioral2/memory/4708-101-0x00007FF64ED80000-0x00007FF64F0D4000-memory.dmp	upx
behavioral2/files/0x00070000000234dc-109.dat	upx
behavioral2/memory/3768-115-0x00007FF64B8B0000-0x00007FF64BC04000-memory.dmp	upx
behavioral2/memory/228-121-0x00007FF6CA340000-0x00007FF6CA694000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-129.dat	upx
behavioral2/memory/2680-132-0x00007FF697140000-0x00007FF697494000-memory.dmp	upx
behavioral2/memory/3644-137-0x00007FF794E50000-0x00007FF7951A4000-memory.dmp	upx
behavioral2/files/0x00070000000234de-133.dat	upx
behavioral2/memory/3344-131-0x00007FF673710000-0x00007FF673A64000-memory.dmp	upx
behavioral2/memory/848-130-0x00007FF64E2F0000-0x00007FF64E644000-memory.dmp	upx
behavioral2/files/0x00070000000234dd-123.dat	upx
behavioral2/memory/4736-122-0x00007FF7D3E50000-0x00007FF7D41A4000-memory.dmp	upx
behavioral2/memory/4972-117-0x00007FF7FA100000-0x00007FF7FA454000-memory.dmp	upx
behavioral2/memory/1396-116-0x00007FF76F6C0000-0x00007FF76FA14000-memory.dmp	upx
behavioral2/files/0x00070000000234da-111.dat	upx
behavioral2/memory/932-110-0x00007FF7EB0B0000-0x00007FF7EB404000-memory.dmp	upx
behavioral2/memory/2588-107-0x00007FF740250000-0x00007FF7405A4000-memory.dmp	upx
behavioral2/memory/904-106-0x00007FF749A30000-0x00007FF749D84000-memory.dmp	upx
behavioral2/memory/1752-102-0x00007FF684860000-0x00007FF684BB4000-memory.dmp	upx
behavioral2/files/0x00070000000234d8-93.dat	upx
behavioral2/memory/1576-81-0x00007FF611940000-0x00007FF611C94000-memory.dmp	upx
behavioral2/files/0x00070000000234d7-74.dat	upx
behavioral2/memory/4992-72-0x00007FF64B320000-0x00007FF64B674000-memory.dmp	upx
behavioral2/memory/4060-138-0x00007FF60B680000-0x00007FF60B9D4000-memory.dmp	upx
behavioral2/memory/2588-140-0x00007FF740250000-0x00007FF7405A4000-memory.dmp	upx
behavioral2/memory/904-139-0x00007FF749A30000-0x00007FF749D84000-memory.dmp	upx
behavioral2/memory/3768-141-0x00007FF64B8B0000-0x00007FF64BC04000-memory.dmp	upx
behavioral2/memory/4736-142-0x00007FF7D3E50000-0x00007FF7D41A4000-memory.dmp	upx
behavioral2/memory/3344-143-0x00007FF673710000-0x00007FF673A64000-memory.dmp	upx
behavioral2/memory/2680-144-0x00007FF697140000-0x00007FF697494000-memory.dmp	upx
behavioral2/memory/4992-145-0x00007FF64B320000-0x00007FF64B674000-memory.dmp	upx
behavioral2/memory/2888-146-0x00007FF687180000-0x00007FF6874D4000-memory.dmp	upx
behavioral2/memory/4604-147-0x00007FF6B4A40000-0x00007FF6B4D94000-memory.dmp	upx
behavioral2/memory/736-148-0x00007FF63AC00000-0x00007FF63AF54000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\sLjSnuv.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eyiJAAN.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\swXhNuS.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hKVCuYJ.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CresACF.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OHfvhCZ.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\psihegZ.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DnysjrC.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KHMMbEd.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YByTGfm.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SBcYtHN.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PscEkWD.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jFUqWnT.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qRRbqxR.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rZTaVyi.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EhUcyxR.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HqlkvnO.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GJgNgUQ.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DAspioL.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ykZlafA.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NHexVSN.exe	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 4992	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2820 wrote to memory of 4992	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2820 wrote to memory of 2888	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2820 wrote to memory of 2888	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2820 wrote to memory of 4604	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2820 wrote to memory of 4604	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2820 wrote to memory of 736	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2820 wrote to memory of 736	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2820 wrote to memory of 1752	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2820 wrote to memory of 1752	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2820 wrote to memory of 932	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2820 wrote to memory of 932	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2820 wrote to memory of 1396	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2820 wrote to memory of 1396	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2820 wrote to memory of 4972	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2820 wrote to memory of 4972	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2820 wrote to memory of 848	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2820 wrote to memory of 848	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2820 wrote to memory of 228	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2820 wrote to memory of 228	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2820 wrote to memory of 3644	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2820 wrote to memory of 3644	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2820 wrote to memory of 1576	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2820 wrote to memory of 1576	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2820 wrote to memory of 1748	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2820 wrote to memory of 1748	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2820 wrote to memory of 4060	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2820 wrote to memory of 4060	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2820 wrote to memory of 4708	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2820 wrote to memory of 4708	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2820 wrote to memory of 2588	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2820 wrote to memory of 2588	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2820 wrote to memory of 904	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2820 wrote to memory of 904	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2820 wrote to memory of 3768	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2820 wrote to memory of 3768	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2820 wrote to memory of 4736	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2820 wrote to memory of 4736	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2820 wrote to memory of 3344	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2820 wrote to memory of 3344	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2820 wrote to memory of 2680	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2820 wrote to memory of 2680	2820	2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_be5df2582264ed7682534c3cf46cfb85_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\System\jFUqWnT.exe
  C:\Windows\System\jFUqWnT.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\qRRbqxR.exe
  C:\Windows\System\qRRbqxR.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\CresACF.exe
  C:\Windows\System\CresACF.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\OHfvhCZ.exe
  C:\Windows\System\OHfvhCZ.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System\psihegZ.exe
  C:\Windows\System\psihegZ.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\rZTaVyi.exe
  C:\Windows\System\rZTaVyi.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System\DAspioL.exe
  C:\Windows\System\DAspioL.exe
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\System\EhUcyxR.exe
  C:\Windows\System\EhUcyxR.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\DnysjrC.exe
  C:\Windows\System\DnysjrC.exe
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\System\HqlkvnO.exe
  C:\Windows\System\HqlkvnO.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\GJgNgUQ.exe
  C:\Windows\System\GJgNgUQ.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\PscEkWD.exe
  C:\Windows\System\PscEkWD.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System\ykZlafA.exe
  C:\Windows\System\ykZlafA.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\KHMMbEd.exe
  C:\Windows\System\KHMMbEd.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\YByTGfm.exe
  C:\Windows\System\YByTGfm.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\sLjSnuv.exe
  C:\Windows\System\sLjSnuv.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\swXhNuS.exe
  C:\Windows\System\swXhNuS.exe
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\System\NHexVSN.exe
  C:\Windows\System\NHexVSN.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System\hKVCuYJ.exe
  C:\Windows\System\hKVCuYJ.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\eyiJAAN.exe
  C:\Windows\System\eyiJAAN.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System\SBcYtHN.exe
  C:\Windows\System\SBcYtHN.exe
  2⤵
  - Executes dropped EXE
  PID:2680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CresACF.exe

Filesize
5.9MB

MD5
87f25cc4dc666781949f64e2b393036b

SHA1
a42eca212df8ddd313b6b24a6c674da42975b79e

SHA256
ccf9db8c0aae58511ebcc0547cfa1f8b095a559cf4f9db7a1d0d87f4a29e6382

SHA512
4a91c1fcb112a26d35f335956853932bc68218ef4b189fad4ea92bf83af1f414f9d405390f9622f453853ef82a46cf10d331ce663b3fce00944d4f9c3624c1d9

Download Submit
C:\Windows\System\DAspioL.exe

Filesize
5.9MB

MD5
ac0add0272f13ca75940006fe475395d

SHA1
b612967308ad5de875c270d525e802860ae6b80a

SHA256
17c6c49bd0ca02ee4455673465ffad5414ac0713b698ddb1264b931694650cd9

SHA512
3f2787054b2a08662140658ec50382b0e298d91503d38a4fdbea7756eb575baefd82e7b3234f4f5396b3cd45a480e17a06dd435e8b65313973272c9e7f29636a

Download Submit
C:\Windows\System\DnysjrC.exe

Filesize
5.9MB

MD5
daa29ff40bc845f0b68e005349b2f14d

SHA1
ef6dfed95ab0e9c7509a8e0ace5a4889951a2739

SHA256
95ddaa3368886bc1001cd872d593ff77898bb35b17e40bf868e301215b37b6a0

SHA512
f2fbc21f53bae1e1a1452205327d1ace5aea471db629c804a29c7d55bfeae2b6b228c0df9970fed5af4b3e5e7d2a0a1388dc664537c836308f69a0a5d83c2607

Download Submit
C:\Windows\System\EhUcyxR.exe

Filesize
5.9MB

MD5
5884430e46d8828660e375f74cb163de

SHA1
a098c9b70e6a0dd7b87295eddbb615f6a4582b3a

SHA256
7dc029d737f90ca0f0b97b4d073a9e565435403bc79573218548b68ea967ebcf

SHA512
16f46a3a11000c8790a364a5d078c9ef068b7f4f80cbc9910d7aead5c57503bf307ec53c78544f3917b50dc1e2b73bb2617ee01c2f4f3593967ef98c028c8b6c

Download Submit
C:\Windows\System\GJgNgUQ.exe

Filesize
5.9MB

MD5
0e35d6b691d8970e875e92bdcdcdf359

SHA1
a3ad2cc6d0382fd1fea4e63ef58b08733c35b54b

SHA256
cb0903d237b3a7bbbe7feefcc15e85e79230f7138f8192b9b871ec17de84e852

SHA512
61ee710540f3230b4c4d6964d3f91aa5ac8ca06a3f974f61a99ff832a54835b096410c0f1071f259b1e611738c0f4f749f90bec05629d9c67583e823af4f1f04

Download Submit
C:\Windows\System\HqlkvnO.exe

Filesize
5.9MB

MD5
dca35b0c842a64622a4538b2ed35b0bb

SHA1
5146e5f108318cca05dd4240215d2c13afacf78b

SHA256
bd2f95aa82756a915ef2c17c47acaf467e6b5060555c497680423810537fc3f7

SHA512
04066c85dd136d95fe747c356e10ddc0e4cd34254401b486a9d508963ec375eecfad519557f8ab58876b4d13976f91086444200df280938c4d4e47ca0ab413ec

Download Submit
C:\Windows\System\KHMMbEd.exe

Filesize
5.9MB

MD5
a7a12d0c518d726c572f5bf52ad21e74

SHA1
ffb95b47a86eb0ce8599a0e95cf99ca44131c5dc

SHA256
d7e40b5deff04683adf23058d6482b95372ef0bc5112bdc3eaa9f5a2ca5f65ec

SHA512
6839ff6336480064ee7d70456a7a89ef141cc661f6c232d67cf9616f5529fd74dcc27659b0b61866c58423a36bbff71c1877e650e0ad0209a7e8a29d77bf3067

Download Submit
C:\Windows\System\NHexVSN.exe

Filesize
5.9MB

MD5
7090563fc6ebe86b1affabe5f1d8b552

SHA1
5af78aefa71ad2b85af1dff218b9608f39d02b6d

SHA256
228b3e5ab806c8041f829d704abe6e269cb814b128e070369d90fb90390abdf2

SHA512
e7198675a06db25f32d439af6999fb34f1c4e1888f6d064e92e096eb520077b18c2aa9d2a964eadf4cc157cc56830e36766b1ae03eba5e61282217faea087516

Download Submit
C:\Windows\System\OHfvhCZ.exe

Filesize
5.9MB

MD5
1665e69f09218a04ad1194f83d55131d

SHA1
77259e1b81c9b1fff7b93aeeb49f96e2994bd9c8

SHA256
32ea79aa1e6441f113f2961c2387dce45c6273fafa0882323a551efb7520daa3

SHA512
2af4eb84213d68e8eb98ddc846553dd4c3b810acdb278f0efa645a5d69d2fe5d097ae91101f91c049ccb33e3a2a1b2a6bc4705c6a14472605b597d4d59262a27

Download Submit
C:\Windows\System\PscEkWD.exe

Filesize
5.9MB

MD5
88a52646e2207296d40bedc5e2ceba3c

SHA1
4ee41f91c5b00cb0c68296bcb2ff9260718ad129

SHA256
c5b8279884a301e47c5b282299c1bebbbc1438bab9e5ffe454c791edb8c0ced2

SHA512
edfd755bbc4ba0c4e7155ee99ca0defad3b37262fcb45d466e59f0f5f685288d78bfa49af587159a79a0f1e3056ac8fc5e825375adb280d5819b5a823a54cd8b

Download Submit
C:\Windows\System\SBcYtHN.exe

Filesize
5.9MB

MD5
cc17488fb4eeacf4958c32fb4bc689d5

SHA1
fa2cd7effd41e80c8dc2af52cff6a5beec5c52dc

SHA256
b87210a472a231a39c4aea2d525d23ea3302591933eaf79d11a6f2afbf0aab4d

SHA512
0864289fbe543b016f6c8d9926bf6dd0bae7aefec73f977c242a8f1211b690a2a94a51e21fbcb87426cecffae127a154372985cd9a255f865c4bdd228f0801c8

Download Submit
C:\Windows\System\YByTGfm.exe

Filesize
5.9MB

MD5
cb98e6e0b68ee3065e737f66ea82be3f

SHA1
481fb1cc309d8caaa3c60bd8ef0a2190631c0d48

SHA256
29d98e86339e689d4ab1f349ce281c65b380df6179c3b42546cf75cd1d72347d

SHA512
919003091ccce24a6b1178033396e776939514649b1b7810762ab6468556262603ec8eb92652cec83c27c12a7746e1ba47a9e15d9dca38547e30a1c4343776d2

Download Submit
C:\Windows\System\eyiJAAN.exe

Filesize
5.9MB

MD5
9ad5b890c950d56ea9471d86e69b0243

SHA1
1abc211cc1bca337e6410bc3aa06b25198f43ec7

SHA256
02430cd5cc294979b8746d22b55a4347f68ca31c934f4ccbb90f49d197418619

SHA512
5adeb060d287784094a8564ff7ba33a76196d739faeb462f5e3b790dd515a8859e656c3ca87e2dc4760372652e84b05dc3999dce835b4e89f759e2aac6bbd61a

Download Submit
C:\Windows\System\hKVCuYJ.exe

Filesize
5.9MB

MD5
23999518a3219d1460fda951ed1c43ea

SHA1
aca26e0b1e382fa3721254abb6ea566d37d6fd2e

SHA256
d74e2ba70349998b035a5716d87810bdab38fcf886222787c220585141e47cda

SHA512
1869bb1d1a690155bfcf436acb19ba718b8f43f269a67a22ca933dd0185437aa4aeb93fbe6129527ac347b913fdca888ae8488121184036164b1ca7ffb9e8e66

Download Submit
C:\Windows\System\jFUqWnT.exe

Filesize
5.9MB

MD5
ca3a97802f7c478d07a69c912122f449

SHA1
e46b0192dd36635f1229b63d5623889a3620351c

SHA256
fba9be1372bd15d412cf1f13c8430e769af2bf3bf89e1d98c3a00adcda7bdbdd

SHA512
684dfc05918ae1ed2abdd93de0c4dfac2aaac80910ff1265f1d13c79a0ad7dc4c1755b78e856f3f9fece609cc411113ef57f87fe8ead969e777e3f5e79d2f123

Download Submit
C:\Windows\System\psihegZ.exe

Filesize
5.9MB

MD5
b36ecd36536caccd03fdda002b8f5e4a

SHA1
7d0e5c10409ee32b7fa800658f175d3c1e502d30

SHA256
1da6b071eeb1189bd6f84e0b4b716fe75e293edd66bf4601e47257501690cc87

SHA512
191b3576ed13f3ffdd6adb03dfefde8ecaf8866e0a92000622d9128b45e3dba814f1870e557be9de4b382812a50070b1c2cf6e93b3ec7115962de58fa0988eb1

Download Submit
C:\Windows\System\qRRbqxR.exe

Filesize
5.9MB

MD5
e426f889793db751db1171c44f46b921

SHA1
41f50f3e790c01048099a1cf6871638f7acfddc8

SHA256
fec57e10937f7320b989cb10d580e1ec5091d26dad864e0fed777429ad1c5840

SHA512
3ac7979256a9abb26eaa231f0292f878b16f855eba707944e8244694d956af12ae300e6e0dd36800371e1b6e5a2276d85897da84f8cc64b81fc743689f6ef7f1

Download Submit
C:\Windows\System\rZTaVyi.exe

Filesize
5.9MB

MD5
a5d65c11cf6f2de7d848908b8a832ede

SHA1
6914636edd2a1ff2d901384c0bd6eeccf733da88

SHA256
8e71b406a9252e5a31d83368705154727ba7418f60ca27dfdb97aecb01417cc0

SHA512
883b608fd62d934fed9b8029d073e8c67e9377ae48b253dac00f08c634b4eaf635177015262850e0dfc355bd0084c0885a7248b79b7c5089dcb7d5cec1043346

Download Submit
C:\Windows\System\sLjSnuv.exe

Filesize
5.9MB

MD5
8fd58cb59cdb4bbb05ca890f8603b757

SHA1
2d7636f2ae8c6c7ee3a406a52a4da2a63adb81d7

SHA256
2a43dec4b24d80006a8df913825d332df7d6d57d19e01e629a71e9b828849ba7

SHA512
2941511a268a4698de71c2bff94f7c9802395ea77021fce210316f2007547afd1bbb0391f9db68e461d1bad69a59f34b767c5c8427e9d6d76e129e5a9bb83592

Download Submit
C:\Windows\System\swXhNuS.exe

Filesize
5.9MB

MD5
9d8a03921caa06b9f1c4a79bd75ddab8

SHA1
e03ec0499c4bdef2ed0b7ee58dbd0e0605c961d7

SHA256
d8f34e157017778fbb1d2e3f9b55cfc4dddabe3c872d172110cce686fe2c3651

SHA512
cd5940bad1536ea0fb8bc10cf3177393737ddc51983741ada81655f77c5e1e25e1d986cbfcdf3282ef284ce5ceacda994a2a645776430069e0b1da3dea28b24e

Download Submit
C:\Windows\System\ykZlafA.exe

Filesize
5.9MB

MD5
1af8cc8060364e19c101388a47ef5cdd

SHA1
abf864f386624e98f3e523cc983e6ba548026a24

SHA256
ef42244f2f2927fb27210da9a59e785fc384d73c5ea8f394116cfea495a68f41

SHA512
eb3a406294155fd5a221a6094d5f8f3d1e54ac019fd1a85c092649019e7a32cd204db502ad66e3bc33844a4307a86aead2a5e558f51f9d59dbf53e3155487c94

Download Submit
memory/228-121-0x00007FF6CA340000-0x00007FF6CA694000-memory.dmp

Filesize
3.3MB

Download
memory/228-153-0x00007FF6CA340000-0x00007FF6CA694000-memory.dmp

Filesize
3.3MB

Download
memory/228-65-0x00007FF6CA340000-0x00007FF6CA694000-memory.dmp

Filesize
3.3MB

Download
memory/736-86-0x00007FF63AC00000-0x00007FF63AF54000-memory.dmp

Filesize
3.3MB

Download
memory/736-148-0x00007FF63AC00000-0x00007FF63AF54000-memory.dmp

Filesize
3.3MB

Download
memory/736-26-0x00007FF63AC00000-0x00007FF63AF54000-memory.dmp

Filesize
3.3MB

Download
memory/848-152-0x00007FF64E2F0000-0x00007FF64E644000-memory.dmp

Filesize
3.3MB

Download
memory/848-57-0x00007FF64E2F0000-0x00007FF64E644000-memory.dmp

Filesize
3.3MB

Download
memory/848-130-0x00007FF64E2F0000-0x00007FF64E644000-memory.dmp

Filesize
3.3MB

Download
memory/904-139-0x00007FF749A30000-0x00007FF749D84000-memory.dmp

Filesize
3.3MB

Download
memory/904-106-0x00007FF749A30000-0x00007FF749D84000-memory.dmp

Filesize
3.3MB

Download
memory/904-160-0x00007FF749A30000-0x00007FF749D84000-memory.dmp

Filesize
3.3MB

Download
memory/932-150-0x00007FF7EB0B0000-0x00007FF7EB404000-memory.dmp

Filesize
3.3MB

Download
memory/932-110-0x00007FF7EB0B0000-0x00007FF7EB404000-memory.dmp

Filesize
3.3MB

Download
memory/932-40-0x00007FF7EB0B0000-0x00007FF7EB404000-memory.dmp

Filesize
3.3MB

Download
memory/1396-45-0x00007FF76F6C0000-0x00007FF76FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1396-116-0x00007FF76F6C0000-0x00007FF76FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1396-154-0x00007FF76F6C0000-0x00007FF76FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1576-156-0x00007FF611940000-0x00007FF611C94000-memory.dmp

Filesize
3.3MB

Download
memory/1576-81-0x00007FF611940000-0x00007FF611C94000-memory.dmp

Filesize
3.3MB

Download
memory/1748-157-0x00007FF6D4860000-0x00007FF6D4BB4000-memory.dmp

Filesize
3.3MB

Download
memory/1748-85-0x00007FF6D4860000-0x00007FF6D4BB4000-memory.dmp

Filesize
3.3MB

Download
memory/1752-33-0x00007FF684860000-0x00007FF684BB4000-memory.dmp

Filesize
3.3MB

Download
memory/1752-102-0x00007FF684860000-0x00007FF684BB4000-memory.dmp

Filesize
3.3MB

Download
memory/1752-149-0x00007FF684860000-0x00007FF684BB4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-161-0x00007FF740250000-0x00007FF7405A4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-107-0x00007FF740250000-0x00007FF7405A4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-140-0x00007FF740250000-0x00007FF7405A4000-memory.dmp

Filesize
3.3MB

Download
memory/2680-144-0x00007FF697140000-0x00007FF697494000-memory.dmp

Filesize
3.3MB

Download
memory/2680-165-0x00007FF697140000-0x00007FF697494000-memory.dmp

Filesize
3.3MB

Download
memory/2680-132-0x00007FF697140000-0x00007FF697494000-memory.dmp

Filesize
3.3MB

Download
memory/2820-66-0x00007FF689730000-0x00007FF689A84000-memory.dmp

Filesize
3.3MB

Download
memory/2820-0-0x00007FF689730000-0x00007FF689A84000-memory.dmp

Filesize
3.3MB

Download
memory/2820-1-0x000002D92BE90000-0x000002D92BEA0000-memory.dmp

Filesize
64KB

Download
memory/2888-19-0x00007FF687180000-0x00007FF6874D4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-146-0x00007FF687180000-0x00007FF6874D4000-memory.dmp

Filesize
3.3MB

Download
memory/3344-131-0x00007FF673710000-0x00007FF673A64000-memory.dmp

Filesize
3.3MB

Download
memory/3344-164-0x00007FF673710000-0x00007FF673A64000-memory.dmp

Filesize
3.3MB

Download
memory/3344-143-0x00007FF673710000-0x00007FF673A64000-memory.dmp

Filesize
3.3MB

Download
memory/3644-155-0x00007FF794E50000-0x00007FF7951A4000-memory.dmp

Filesize
3.3MB

Download
memory/3644-67-0x00007FF794E50000-0x00007FF7951A4000-memory.dmp

Filesize
3.3MB

Download
memory/3644-137-0x00007FF794E50000-0x00007FF7951A4000-memory.dmp

Filesize
3.3MB

Download
memory/3768-141-0x00007FF64B8B0000-0x00007FF64BC04000-memory.dmp

Filesize
3.3MB

Download
memory/3768-162-0x00007FF64B8B0000-0x00007FF64BC04000-memory.dmp

Filesize
3.3MB

Download
memory/3768-115-0x00007FF64B8B0000-0x00007FF64BC04000-memory.dmp

Filesize
3.3MB

Download
memory/4060-159-0x00007FF60B680000-0x00007FF60B9D4000-memory.dmp

Filesize
3.3MB

Download
memory/4060-90-0x00007FF60B680000-0x00007FF60B9D4000-memory.dmp

Filesize
3.3MB

Download
memory/4060-138-0x00007FF60B680000-0x00007FF60B9D4000-memory.dmp

Filesize
3.3MB

Download
memory/4604-147-0x00007FF6B4A40000-0x00007FF6B4D94000-memory.dmp

Filesize
3.3MB

Download
memory/4604-23-0x00007FF6B4A40000-0x00007FF6B4D94000-memory.dmp

Filesize
3.3MB

Download
memory/4708-101-0x00007FF64ED80000-0x00007FF64F0D4000-memory.dmp

Filesize
3.3MB

Download
memory/4708-158-0x00007FF64ED80000-0x00007FF64F0D4000-memory.dmp

Filesize
3.3MB

Download
memory/4736-163-0x00007FF7D3E50000-0x00007FF7D41A4000-memory.dmp

Filesize
3.3MB

Download
memory/4736-142-0x00007FF7D3E50000-0x00007FF7D41A4000-memory.dmp

Filesize
3.3MB

Download
memory/4736-122-0x00007FF7D3E50000-0x00007FF7D41A4000-memory.dmp

Filesize
3.3MB

Download
memory/4972-48-0x00007FF7FA100000-0x00007FF7FA454000-memory.dmp

Filesize
3.3MB

Download
memory/4972-117-0x00007FF7FA100000-0x00007FF7FA454000-memory.dmp

Filesize
3.3MB

Download
memory/4972-151-0x00007FF7FA100000-0x00007FF7FA454000-memory.dmp

Filesize
3.3MB

Download
memory/4992-72-0x00007FF64B320000-0x00007FF64B674000-memory.dmp

Filesize
3.3MB

Download
memory/4992-145-0x00007FF64B320000-0x00007FF64B674000-memory.dmp

Filesize
3.3MB

Download
memory/4992-7-0x00007FF64B320000-0x00007FF64B674000-memory.dmp

Filesize
3.3MB

Download