cobaltstrike | d907e638cbf32ebc28fb0e53712e71dfecbabb7659dd01b34a9f80d79f1ec070

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

978a92d526dba4bfd78830414f514281
SHA1

4b6e34f923ac8b7df41820281aa6a3c644df3462
SHA256

d907e638cbf32ebc28fb0e53712e71dfecbabb7659dd01b34a9f80d79f1ec070
SHA512

c13bb7096a5bbb2b54fd1741016298de9217abf7f741d3fd362969351493af0042ac5a7ab435e951ed9bf0cf4942943a6f9de925113f95a76f0beae1479b1f7a
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUI:T+856utgpPF8u/7I

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023430-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023438-35.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023431-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-47.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-52.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-60.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-66.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-76.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023443-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023444-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023445-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-127.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2028-0-0x00007FF637210000-0x00007FF637564000-memory.dmp	xmrig
behavioral2/files/0x0008000000023430-4.dat	xmrig
behavioral2/memory/3184-8-0x00007FF761EE0000-0x00007FF762234000-memory.dmp	xmrig
behavioral2/files/0x0007000000023435-10.dat	xmrig
behavioral2/files/0x0007000000023434-11.dat	xmrig
behavioral2/files/0x0007000000023436-25.dat	xmrig
behavioral2/files/0x0007000000023437-27.dat	xmrig
behavioral2/files/0x0007000000023438-35.dat	xmrig
behavioral2/files/0x0008000000023431-43.dat	xmrig
behavioral2/memory/1664-42-0x00007FF7871B0000-0x00007FF787504000-memory.dmp	xmrig
behavioral2/memory/3656-38-0x00007FF665890000-0x00007FF665BE4000-memory.dmp	xmrig
behavioral2/memory/4580-30-0x00007FF6E7F00000-0x00007FF6E8254000-memory.dmp	xmrig
behavioral2/memory/1300-26-0x00007FF7DCA90000-0x00007FF7DCDE4000-memory.dmp	xmrig
behavioral2/memory/1616-21-0x00007FF622E80000-0x00007FF6231D4000-memory.dmp	xmrig
behavioral2/memory/3596-16-0x00007FF683FA0000-0x00007FF6842F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023439-47.dat	xmrig
behavioral2/memory/4968-50-0x00007FF7C1410000-0x00007FF7C1764000-memory.dmp	xmrig
behavioral2/files/0x000700000002343a-52.dat	xmrig
behavioral2/memory/2260-55-0x00007FF73EAD0000-0x00007FF73EE24000-memory.dmp	xmrig
behavioral2/memory/2028-54-0x00007FF637210000-0x00007FF637564000-memory.dmp	xmrig
behavioral2/files/0x000700000002343c-60.dat	xmrig
behavioral2/memory/4932-61-0x00007FF6FDD10000-0x00007FF6FE064000-memory.dmp	xmrig
behavioral2/memory/1616-65-0x00007FF622E80000-0x00007FF6231D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002343d-66.dat	xmrig
behavioral2/files/0x000700000002343e-76.dat	xmrig
behavioral2/files/0x000700000002343f-75.dat	xmrig
behavioral2/memory/2432-72-0x00007FF745F10000-0x00007FF746264000-memory.dmp	xmrig
behavioral2/memory/5072-81-0x00007FF78A9B0000-0x00007FF78AD04000-memory.dmp	xmrig
behavioral2/memory/224-87-0x00007FF70B010000-0x00007FF70B364000-memory.dmp	xmrig
behavioral2/memory/4580-90-0x00007FF6E7F00000-0x00007FF6E8254000-memory.dmp	xmrig
behavioral2/files/0x0007000000023442-97.dat	xmrig
behavioral2/memory/4652-103-0x00007FF6FB7D0000-0x00007FF6FBB24000-memory.dmp	xmrig
behavioral2/memory/2620-104-0x00007FF685C10000-0x00007FF685F64000-memory.dmp	xmrig
behavioral2/files/0x0007000000023443-108.dat	xmrig
behavioral2/memory/1664-105-0x00007FF7871B0000-0x00007FF787504000-memory.dmp	xmrig
behavioral2/memory/3656-102-0x00007FF665890000-0x00007FF665BE4000-memory.dmp	xmrig
behavioral2/memory/1628-98-0x00007FF797310000-0x00007FF797664000-memory.dmp	xmrig
behavioral2/files/0x0007000000023441-95.dat	xmrig
behavioral2/files/0x0007000000023440-94.dat	xmrig
behavioral2/memory/4424-93-0x00007FF7614C0000-0x00007FF761814000-memory.dmp	xmrig
behavioral2/memory/1300-78-0x00007FF7DCA90000-0x00007FF7DCDE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023444-113.dat	xmrig
behavioral2/memory/1824-114-0x00007FF76C250000-0x00007FF76C5A4000-memory.dmp	xmrig
behavioral2/memory/1588-122-0x00007FF6810A0000-0x00007FF6813F4000-memory.dmp	xmrig
behavioral2/memory/4144-125-0x00007FF616D70000-0x00007FF6170C4000-memory.dmp	xmrig
behavioral2/memory/4932-124-0x00007FF6FDD10000-0x00007FF6FE064000-memory.dmp	xmrig
behavioral2/files/0x0007000000023445-129.dat	xmrig
behavioral2/files/0x0007000000023447-135.dat	xmrig
behavioral2/memory/620-134-0x00007FF7692A0000-0x00007FF7695F4000-memory.dmp	xmrig
behavioral2/memory/224-133-0x00007FF70B010000-0x00007FF70B364000-memory.dmp	xmrig
behavioral2/files/0x0007000000023446-127.dat	xmrig
behavioral2/memory/2260-120-0x00007FF73EAD0000-0x00007FF73EE24000-memory.dmp	xmrig
behavioral2/memory/4424-137-0x00007FF7614C0000-0x00007FF761814000-memory.dmp	xmrig
behavioral2/memory/4652-138-0x00007FF6FB7D0000-0x00007FF6FBB24000-memory.dmp	xmrig
behavioral2/memory/2620-139-0x00007FF685C10000-0x00007FF685F64000-memory.dmp	xmrig
behavioral2/memory/1824-140-0x00007FF76C250000-0x00007FF76C5A4000-memory.dmp	xmrig
behavioral2/memory/1588-141-0x00007FF6810A0000-0x00007FF6813F4000-memory.dmp	xmrig
behavioral2/memory/4144-142-0x00007FF616D70000-0x00007FF6170C4000-memory.dmp	xmrig
behavioral2/memory/620-143-0x00007FF7692A0000-0x00007FF7695F4000-memory.dmp	xmrig
behavioral2/memory/3184-144-0x00007FF761EE0000-0x00007FF762234000-memory.dmp	xmrig
behavioral2/memory/3596-145-0x00007FF683FA0000-0x00007FF6842F4000-memory.dmp	xmrig
behavioral2/memory/1616-146-0x00007FF622E80000-0x00007FF6231D4000-memory.dmp	xmrig
behavioral2/memory/1300-147-0x00007FF7DCA90000-0x00007FF7DCDE4000-memory.dmp	xmrig
behavioral2/memory/4580-148-0x00007FF6E7F00000-0x00007FF6E8254000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3184	KTLgDUb.exe
3596	oSqYgHu.exe
1616	RofAqNJ.exe
1300	SoHqmXh.exe
4580	BrYroGg.exe
3656	TyAhVdx.exe
1664	ZZesTuY.exe
4968	Dpsrqhb.exe
2260	IkvJhYI.exe
4932	oMstHCR.exe
2432	WdjBDqe.exe
5072	VuZDwUm.exe
224	fntKJRN.exe
4424	wtXPYsw.exe
1628	qpitENB.exe
4652	FbStWGk.exe
2620	mpVmFSS.exe
1824	BhorohP.exe
1588	yqOSfCV.exe
4144	mhesmeO.exe
620	tnFaKhk.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2028-0-0x00007FF637210000-0x00007FF637564000-memory.dmp	upx
behavioral2/files/0x0008000000023430-4.dat	upx
behavioral2/memory/3184-8-0x00007FF761EE0000-0x00007FF762234000-memory.dmp	upx
behavioral2/files/0x0007000000023435-10.dat	upx
behavioral2/files/0x0007000000023434-11.dat	upx
behavioral2/files/0x0007000000023436-25.dat	upx
behavioral2/files/0x0007000000023437-27.dat	upx
behavioral2/files/0x0007000000023438-35.dat	upx
behavioral2/files/0x0008000000023431-43.dat	upx
behavioral2/memory/1664-42-0x00007FF7871B0000-0x00007FF787504000-memory.dmp	upx
behavioral2/memory/3656-38-0x00007FF665890000-0x00007FF665BE4000-memory.dmp	upx
behavioral2/memory/4580-30-0x00007FF6E7F00000-0x00007FF6E8254000-memory.dmp	upx
behavioral2/memory/1300-26-0x00007FF7DCA90000-0x00007FF7DCDE4000-memory.dmp	upx
behavioral2/memory/1616-21-0x00007FF622E80000-0x00007FF6231D4000-memory.dmp	upx
behavioral2/memory/3596-16-0x00007FF683FA0000-0x00007FF6842F4000-memory.dmp	upx
behavioral2/files/0x0007000000023439-47.dat	upx
behavioral2/memory/4968-50-0x00007FF7C1410000-0x00007FF7C1764000-memory.dmp	upx
behavioral2/files/0x000700000002343a-52.dat	upx
behavioral2/memory/2260-55-0x00007FF73EAD0000-0x00007FF73EE24000-memory.dmp	upx
behavioral2/memory/2028-54-0x00007FF637210000-0x00007FF637564000-memory.dmp	upx
behavioral2/files/0x000700000002343c-60.dat	upx
behavioral2/memory/4932-61-0x00007FF6FDD10000-0x00007FF6FE064000-memory.dmp	upx
behavioral2/memory/1616-65-0x00007FF622E80000-0x00007FF6231D4000-memory.dmp	upx
behavioral2/files/0x000700000002343d-66.dat	upx
behavioral2/files/0x000700000002343e-76.dat	upx
behavioral2/files/0x000700000002343f-75.dat	upx
behavioral2/memory/2432-72-0x00007FF745F10000-0x00007FF746264000-memory.dmp	upx
behavioral2/memory/5072-81-0x00007FF78A9B0000-0x00007FF78AD04000-memory.dmp	upx
behavioral2/memory/224-87-0x00007FF70B010000-0x00007FF70B364000-memory.dmp	upx
behavioral2/memory/4580-90-0x00007FF6E7F00000-0x00007FF6E8254000-memory.dmp	upx
behavioral2/files/0x0007000000023442-97.dat	upx
behavioral2/memory/4652-103-0x00007FF6FB7D0000-0x00007FF6FBB24000-memory.dmp	upx
behavioral2/memory/2620-104-0x00007FF685C10000-0x00007FF685F64000-memory.dmp	upx
behavioral2/files/0x0007000000023443-108.dat	upx
behavioral2/memory/1664-105-0x00007FF7871B0000-0x00007FF787504000-memory.dmp	upx
behavioral2/memory/3656-102-0x00007FF665890000-0x00007FF665BE4000-memory.dmp	upx
behavioral2/memory/1628-98-0x00007FF797310000-0x00007FF797664000-memory.dmp	upx
behavioral2/files/0x0007000000023441-95.dat	upx
behavioral2/files/0x0007000000023440-94.dat	upx
behavioral2/memory/4424-93-0x00007FF7614C0000-0x00007FF761814000-memory.dmp	upx
behavioral2/memory/1300-78-0x00007FF7DCA90000-0x00007FF7DCDE4000-memory.dmp	upx
behavioral2/files/0x0007000000023444-113.dat	upx
behavioral2/memory/1824-114-0x00007FF76C250000-0x00007FF76C5A4000-memory.dmp	upx
behavioral2/memory/1588-122-0x00007FF6810A0000-0x00007FF6813F4000-memory.dmp	upx
behavioral2/memory/4144-125-0x00007FF616D70000-0x00007FF6170C4000-memory.dmp	upx
behavioral2/memory/4932-124-0x00007FF6FDD10000-0x00007FF6FE064000-memory.dmp	upx
behavioral2/files/0x0007000000023445-129.dat	upx
behavioral2/files/0x0007000000023447-135.dat	upx
behavioral2/memory/620-134-0x00007FF7692A0000-0x00007FF7695F4000-memory.dmp	upx
behavioral2/memory/224-133-0x00007FF70B010000-0x00007FF70B364000-memory.dmp	upx
behavioral2/files/0x0007000000023446-127.dat	upx
behavioral2/memory/2260-120-0x00007FF73EAD0000-0x00007FF73EE24000-memory.dmp	upx
behavioral2/memory/4424-137-0x00007FF7614C0000-0x00007FF761814000-memory.dmp	upx
behavioral2/memory/4652-138-0x00007FF6FB7D0000-0x00007FF6FBB24000-memory.dmp	upx
behavioral2/memory/2620-139-0x00007FF685C10000-0x00007FF685F64000-memory.dmp	upx
behavioral2/memory/1824-140-0x00007FF76C250000-0x00007FF76C5A4000-memory.dmp	upx
behavioral2/memory/1588-141-0x00007FF6810A0000-0x00007FF6813F4000-memory.dmp	upx
behavioral2/memory/4144-142-0x00007FF616D70000-0x00007FF6170C4000-memory.dmp	upx
behavioral2/memory/620-143-0x00007FF7692A0000-0x00007FF7695F4000-memory.dmp	upx
behavioral2/memory/3184-144-0x00007FF761EE0000-0x00007FF762234000-memory.dmp	upx
behavioral2/memory/3596-145-0x00007FF683FA0000-0x00007FF6842F4000-memory.dmp	upx
behavioral2/memory/1616-146-0x00007FF622E80000-0x00007FF6231D4000-memory.dmp	upx
behavioral2/memory/1300-147-0x00007FF7DCA90000-0x00007FF7DCDE4000-memory.dmp	upx
behavioral2/memory/4580-148-0x00007FF6E7F00000-0x00007FF6E8254000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\SoHqmXh.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZZesTuY.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oMstHCR.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RofAqNJ.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WdjBDqe.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FbStWGk.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tnFaKhk.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oSqYgHu.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BrYroGg.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Dpsrqhb.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fntKJRN.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wtXPYsw.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qpitENB.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mpVmFSS.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yqOSfCV.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KTLgDUb.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mhesmeO.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IkvJhYI.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VuZDwUm.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BhorohP.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TyAhVdx.exe	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 3184	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2028 wrote to memory of 3184	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2028 wrote to memory of 3596	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2028 wrote to memory of 3596	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2028 wrote to memory of 1616	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2028 wrote to memory of 1616	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2028 wrote to memory of 1300	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2028 wrote to memory of 1300	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2028 wrote to memory of 4580	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2028 wrote to memory of 4580	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2028 wrote to memory of 3656	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2028 wrote to memory of 3656	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2028 wrote to memory of 1664	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2028 wrote to memory of 1664	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2028 wrote to memory of 4968	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2028 wrote to memory of 4968	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2028 wrote to memory of 2260	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2028 wrote to memory of 2260	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2028 wrote to memory of 4932	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2028 wrote to memory of 4932	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2028 wrote to memory of 2432	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2028 wrote to memory of 2432	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2028 wrote to memory of 5072	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2028 wrote to memory of 5072	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2028 wrote to memory of 224	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2028 wrote to memory of 224	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2028 wrote to memory of 4424	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2028 wrote to memory of 4424	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2028 wrote to memory of 1628	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2028 wrote to memory of 1628	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2028 wrote to memory of 4652	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2028 wrote to memory of 4652	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2028 wrote to memory of 2620	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2028 wrote to memory of 2620	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2028 wrote to memory of 1824	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2028 wrote to memory of 1824	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2028 wrote to memory of 1588	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2028 wrote to memory of 1588	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2028 wrote to memory of 4144	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2028 wrote to memory of 4144	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2028 wrote to memory of 620	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2028 wrote to memory of 620	2028	2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_978a92d526dba4bfd78830414f514281_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\System\KTLgDUb.exe
  C:\Windows\System\KTLgDUb.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System\oSqYgHu.exe
  C:\Windows\System\oSqYgHu.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\RofAqNJ.exe
  C:\Windows\System\RofAqNJ.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\SoHqmXh.exe
  C:\Windows\System\SoHqmXh.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System\BrYroGg.exe
  C:\Windows\System\BrYroGg.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\TyAhVdx.exe
  C:\Windows\System\TyAhVdx.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\ZZesTuY.exe
  C:\Windows\System\ZZesTuY.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\Dpsrqhb.exe
  C:\Windows\System\Dpsrqhb.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\IkvJhYI.exe
  C:\Windows\System\IkvJhYI.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\oMstHCR.exe
  C:\Windows\System\oMstHCR.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\WdjBDqe.exe
  C:\Windows\System\WdjBDqe.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\VuZDwUm.exe
  C:\Windows\System\VuZDwUm.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\fntKJRN.exe
  C:\Windows\System\fntKJRN.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\wtXPYsw.exe
  C:\Windows\System\wtXPYsw.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\qpitENB.exe
  C:\Windows\System\qpitENB.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\FbStWGk.exe
  C:\Windows\System\FbStWGk.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\mpVmFSS.exe
  C:\Windows\System\mpVmFSS.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\BhorohP.exe
  C:\Windows\System\BhorohP.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System\yqOSfCV.exe
  C:\Windows\System\yqOSfCV.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\mhesmeO.exe
  C:\Windows\System\mhesmeO.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System\tnFaKhk.exe
  C:\Windows\System\tnFaKhk.exe
  2⤵
  - Executes dropped EXE
  PID:620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BhorohP.exe

Filesize
5.9MB

MD5
603fea9539be13a03e225e762020c252

SHA1
7eed07891856f28001b5c1bb0958eea10ff6237a

SHA256
58f699604a17f44c5b26c5441510d7ecdd1e71d3fc2caeb830146e4c0abc318c

SHA512
e82f3b2528ea3857c52f594e6b94eff78e8668ed3731a7b3a975ac6b96335e0f88a692985d14b2cc3ac9af55f1a812318abf2633e88f4ac52ec0dc39711ac305

Download Submit
C:\Windows\System\BrYroGg.exe

Filesize
5.9MB

MD5
a0712f1120daa6584e51b9d714cdc40a

SHA1
0abc536d1d69bc0568e9a2425022090c11742fde

SHA256
c7a24269af384e66a58779e9c6aed7a0107e1b18b117e38c89478ceaba20f2b1

SHA512
4ea76cc6a024eaf14f39f123e6d10b776201388f403aea8e4c1fcf2fee63a3bdf37dc4cee4c044e9d74bfa2372d89cbae5306e2f939c66f9b6e4e1475c5e0ac4

Download Submit
C:\Windows\System\Dpsrqhb.exe

Filesize
5.9MB

MD5
a8c7ad15243606d6dfdc504e9c9127b6

SHA1
37b180941c3e03e6dc8daf41870f1f2636b54f20

SHA256
9e6690c177096859c1b25b3c5a6372ba8740c84a44faea7a6ab3fcb6b0ce271b

SHA512
e18c15366a4c60cbec70de0596bd9bab155594d463ed2d1a446fd36ccdf40c2dee293cc9e9501c1725f22a56e61bd792e00809676987c778c2803fda47e8733c

Download Submit
C:\Windows\System\FbStWGk.exe

Filesize
5.9MB

MD5
7764fc4d460a1c01cd24cae0203ee056

SHA1
fd4c64892a9fb946248797dbd6eb0e82d0b56367

SHA256
3465d028790ba1549996a1c58a8fb3fe07dbf8ca8de46ad77b63ce631191ee23

SHA512
a54682436a3f09b110ab6cf817fd040d32a0dc95b186a5d85afd6db6eca6586ed42f57c56b4d1210114995650dccc244a2278cb977e6ee81e0a74f8896321d13

Download Submit
C:\Windows\System\IkvJhYI.exe

Filesize
5.9MB

MD5
1e1a867082e932c5e30f67e1144a1d27

SHA1
8ad4ae6b793d3fac65eaa3ff824a64e794d5aede

SHA256
b4c608155629becd966b14f1a911e32df6051e5f2020b64d37896b5be5255f5b

SHA512
bcb82de58c10d1bfcde2876cd4a544b440bfbb6cb3ea2b3c3f808f65da66284af9c347bb5aec878ef6df8110e6121c2d68bffc422d41c68221a1557f887f5e35

Download Submit
C:\Windows\System\KTLgDUb.exe

Filesize
5.9MB

MD5
5542f8601e04c3e3cefa5faabe054128

SHA1
9026d787a4710fe126fcc673397625f824256429

SHA256
d51e86def1058e84b79644bbef36723956c4796c056184b0d36408d02c7d7cc3

SHA512
1c33e041ce43937d9941ab9a8d3cac46907c5b93b2cabffd6e9f4e13a8b0a404eb22b3e51318ecd8b9aa1523982f0cd17af8aaf668f536b6c0ff4a4b5a42de3f

Download Submit
C:\Windows\System\RofAqNJ.exe

Filesize
5.9MB

MD5
658847cd3e00d56a04e6e6289eca3960

SHA1
5aa8058349252e0bc2c681e32d79ec57c4571656

SHA256
e729a2dea9f820e0a26e289c72ba18186486e017dc3f276ad90d40fcd20bfd46

SHA512
6bd1ef1c47441f8325a0cc51cead39d1f6c3934c721a9c80b32d2bd97066c4c6b91b017f4363dbf0f76707822f73b0e67d19adb8e09aa38adfbb0362bd07eb03

Download Submit
C:\Windows\System\SoHqmXh.exe

Filesize
5.9MB

MD5
133faba89fc6dbd0766890cbcae58e0f

SHA1
17fce542664b3de104db66b8cfb9aa3b27f97b0d

SHA256
5db8e63c246805bab88083605f40a6be64797e1a2a4261b82beda474e9916196

SHA512
1f3b9771d0ffcb9e526e03511fd05fe7af311c52efda40c4ccef608909954ebc11c9ac2247259b064ca52884d13cde55ad192df483be3f277408f3cc6827bae6

Download Submit
C:\Windows\System\TyAhVdx.exe

Filesize
5.9MB

MD5
04ea87a97ffd57e29519ace3498b53c9

SHA1
f199d39449a92fb8ba3b935d17837d2fad89e558

SHA256
f908df03c909ac37c832805e179212ddf34116873a08e8d255dd6b160dd1804f

SHA512
c47b6b0197a534840ce6a2e4091778f25bab213f6cabc39bdf008fd64f3470df93f1ee3589e7330bfe03337ad53192f4680e94e2b8405a11e159d395188308fa

Download Submit
C:\Windows\System\VuZDwUm.exe

Filesize
5.9MB

MD5
437dc5b622e7ab323b8fc18b541801be

SHA1
92948882876859914dde1f670db9d9bdf9fd8e30

SHA256
98e9d4f1d51e18064fe4e08ea291f73cb546c7c5552256acb86ff218894011a4

SHA512
7ff0bc4c1f332de12269354c67ae7e80e269856fb240c683fa36c7a3ad61fd2fca3f38808958df6ce0975083cd24e9997f7fadc9cb1ba5b844831abb58226f70

Download Submit
C:\Windows\System\WdjBDqe.exe

Filesize
5.9MB

MD5
a3da9591f5e67f79d75d4506540c7dc9

SHA1
342913e70ee5a03a98f0a2e909b2ae345ad40b35

SHA256
4724c4b3748864854172215bad0ec6e2ddc59d518fbf5bbd5a9e8dc503dced2c

SHA512
bf478276f35d3159131ee544bf94fec77e4b28ee95f14b49c99384dbbf6f4d1bed970e425165a8743fda585c37e5a27afead5e93de8e40383e5f79488f73219f

Download Submit
C:\Windows\System\ZZesTuY.exe

Filesize
5.9MB

MD5
20505e7a2ad19cd7c10019fa557f3c5b

SHA1
bb930b4e47b3f7cd19f6f1720a2ed55d4b4243c0

SHA256
904043d2c6850e42366241cd1ff046d8dcc2fbd726c4d5785c0f965696a4b3be

SHA512
00c1d6629bed67f0a80385f7c92bb6b6341d43045444c0de19c51b34111777c015005b0694f82344552000d55c42fb40ece8af31b31302f10909849fcff69f3e

Download Submit
C:\Windows\System\fntKJRN.exe

Filesize
5.9MB

MD5
5bdec696e34bce16029076d3797fcf4f

SHA1
2a603c183a6ec690518adab482c4abc3758973dc

SHA256
bd9bf670ed5b7281691fbf317b841c81485e3e5e22ab429a36b34fb73a983148

SHA512
111cfacfe545d5b3246c7baecf3eebc3d3075f922e617516e08ad4b8e6b984c00f9f9a80ddb85f998bc127961ca8300ee62ae210629959ec2b7d7f6909bcce35

Download Submit
C:\Windows\System\mhesmeO.exe

Filesize
5.9MB

MD5
7888f98b23fa5ec435939eb1561e701a

SHA1
d7e543bc68d78182555093875e380953edce3f5d

SHA256
1c97adb5b626cb0edffcd07b306784ef0d0ff3a5937611b4a598cdc04241c411

SHA512
9b22f98b33a5d43d1bfad4407c494aa14ee26442a12607efc70c8660827d863172305f4bc1ff076e5989e853041f5516bc3459efa06b0610be3ca01f6b1b5751

Download Submit
C:\Windows\System\mpVmFSS.exe

Filesize
5.9MB

MD5
cfbdcbd7c0e6c3619fe7e65d098789b5

SHA1
79ecb58da4e321fd69d4f3433114c773ae9a1d66

SHA256
da22b909cfd87d34e561b7178b5ef20766092c2ae8b05a2b995610dbd21ecc92

SHA512
c9c51b424f3c7939f140fee7e44336816a2083f4d9c1574c0ee30b05c376740519894a65d5cce87eacf4badccfa37484eaa3f251926901b910656c571effc572

Download Submit
C:\Windows\System\oMstHCR.exe

Filesize
5.9MB

MD5
bb7a981c12a62831c1bcf4f084e18713

SHA1
eea3c1b74f43868a502213c366a5e47bb094f75f

SHA256
9976ca2c3c30b98c98b36681ed23850aeeeb01a8854240a23b60171379fa711c

SHA512
5e072a0601c0e8bba8fb1cdcb3de06ef07119a539e481727ab3ee32ea330570b281ddbf07380764fc70093140464fda7c814015204de86626b206db3c1bcf266

Download Submit
C:\Windows\System\oSqYgHu.exe

Filesize
5.9MB

MD5
c300c1ad4356d490b45f2848680ab004

SHA1
b71611f2db8641e5cd9735e61abd52e725fa3085

SHA256
cbcf7a5dea5328d924d4689d16f25c3c092f1d0f2ac0e952a793dff7dcfae059

SHA512
776a3908d2095c82e209c7e5cbd1a662a084d8ccfe10589e08ac5a24b3ab1f3c7ab16088938bc3c5cc343348d3df09e41bf38f3e8cc219d3610a245eae0ee507

Download Submit
C:\Windows\System\qpitENB.exe

Filesize
5.9MB

MD5
82e7c78b6a98fa11fd2b13495551d451

SHA1
bf35d4f93ba4c1c73293044821dd634ff8e16dcc

SHA256
5b4851473f4d6dfa0be8bf5a1306aba5d879a2b9e5d8b9da80ff16bd023ff580

SHA512
fbbdc4dce9bf4e49dab7532d80a776020ebd3520f5c479f5c4953772fd50ebbfb50105568a54a7dd8b17fbc51b881e297b6239f31f9de8257dbe77a7e36b8ba7

Download Submit
C:\Windows\System\tnFaKhk.exe

Filesize
5.9MB

MD5
1827f190728a263a3976e62dfdcc02cb

SHA1
2b2eeb580b9ea2815b7f82db4ef7e4b64507d101

SHA256
08036976c13136689dab1bc0c611144b0e7ccc010e00d2506bf2848a8d7be623

SHA512
b953c3ebb1df2c4fd8028dacde18812fc8b10214fa6c6e22f6fdae4b04f542ddec5704d693027a126e9763458ff028c2f2561479c95696312655beb7dc653d73

Download Submit
C:\Windows\System\wtXPYsw.exe

Filesize
5.9MB

MD5
056329d218c99da1521b5dd2ca8b7002

SHA1
1e2427c0aacfb219e015c9a8b18858265dde7a26

SHA256
e59c60e5891c3744cc96647e711f95e9b42dc94b969f55114368621226d12957

SHA512
c33cf280da7bd6294c62599240110d2843090d763bb2ab3fe41bd8a32faffbc8f52ee6b42ab9eddd94d0ae0db96b8e0763ef30456e154cd67dd5ebc9befe1526

Download Submit
C:\Windows\System\yqOSfCV.exe

Filesize
5.9MB

MD5
4fa99c62887ea94522f19ba598ab029b

SHA1
6d5cda898b892d6ac37a9bb6d9aee1c0fb5ff352

SHA256
c57ce2fc79ec312ba5ffe259e5b945b7756812b05c80cfdc22d6e960932c9d29

SHA512
f41092eadbe86ff043af527ba824c955ab2bcb3641e5a3391f40fb561721279e48352d2efdf063733a20a9411e1f9d7614072a1be2b92aed37436cb9f4403141

Download Submit
memory/224-87-0x00007FF70B010000-0x00007FF70B364000-memory.dmp

Filesize
3.3MB

Download
memory/224-156-0x00007FF70B010000-0x00007FF70B364000-memory.dmp

Filesize
3.3MB

Download
memory/224-133-0x00007FF70B010000-0x00007FF70B364000-memory.dmp

Filesize
3.3MB

Download
memory/620-134-0x00007FF7692A0000-0x00007FF7695F4000-memory.dmp

Filesize
3.3MB

Download
memory/620-143-0x00007FF7692A0000-0x00007FF7695F4000-memory.dmp

Filesize
3.3MB

Download
memory/620-164-0x00007FF7692A0000-0x00007FF7695F4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-78-0x00007FF7DCA90000-0x00007FF7DCDE4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-147-0x00007FF7DCA90000-0x00007FF7DCDE4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-26-0x00007FF7DCA90000-0x00007FF7DCDE4000-memory.dmp

Filesize
3.3MB

Download
memory/1588-122-0x00007FF6810A0000-0x00007FF6813F4000-memory.dmp

Filesize
3.3MB

Download
memory/1588-141-0x00007FF6810A0000-0x00007FF6813F4000-memory.dmp

Filesize
3.3MB

Download
memory/1588-162-0x00007FF6810A0000-0x00007FF6813F4000-memory.dmp

Filesize
3.3MB

Download
memory/1616-146-0x00007FF622E80000-0x00007FF6231D4000-memory.dmp

Filesize
3.3MB

Download
memory/1616-21-0x00007FF622E80000-0x00007FF6231D4000-memory.dmp

Filesize
3.3MB

Download
memory/1616-65-0x00007FF622E80000-0x00007FF6231D4000-memory.dmp

Filesize
3.3MB

Download
memory/1628-157-0x00007FF797310000-0x00007FF797664000-memory.dmp

Filesize
3.3MB

Download
memory/1628-98-0x00007FF797310000-0x00007FF797664000-memory.dmp

Filesize
3.3MB

Download
memory/1664-105-0x00007FF7871B0000-0x00007FF787504000-memory.dmp

Filesize
3.3MB

Download
memory/1664-42-0x00007FF7871B0000-0x00007FF787504000-memory.dmp

Filesize
3.3MB

Download
memory/1664-150-0x00007FF7871B0000-0x00007FF787504000-memory.dmp

Filesize
3.3MB

Download
memory/1824-161-0x00007FF76C250000-0x00007FF76C5A4000-memory.dmp

Filesize
3.3MB

Download
memory/1824-140-0x00007FF76C250000-0x00007FF76C5A4000-memory.dmp

Filesize
3.3MB

Download
memory/1824-114-0x00007FF76C250000-0x00007FF76C5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-54-0x00007FF637210000-0x00007FF637564000-memory.dmp

Filesize
3.3MB

Download
memory/2028-1-0x000002059A8C0000-0x000002059A8D0000-memory.dmp

Filesize
64KB

Download
memory/2028-0-0x00007FF637210000-0x00007FF637564000-memory.dmp

Filesize
3.3MB

Download
memory/2260-152-0x00007FF73EAD0000-0x00007FF73EE24000-memory.dmp

Filesize
3.3MB

Download
memory/2260-120-0x00007FF73EAD0000-0x00007FF73EE24000-memory.dmp

Filesize
3.3MB

Download
memory/2260-55-0x00007FF73EAD0000-0x00007FF73EE24000-memory.dmp

Filesize
3.3MB

Download
memory/2432-72-0x00007FF745F10000-0x00007FF746264000-memory.dmp

Filesize
3.3MB

Download
memory/2432-154-0x00007FF745F10000-0x00007FF746264000-memory.dmp

Filesize
3.3MB

Download
memory/2620-160-0x00007FF685C10000-0x00007FF685F64000-memory.dmp

Filesize
3.3MB

Download
memory/2620-104-0x00007FF685C10000-0x00007FF685F64000-memory.dmp

Filesize
3.3MB

Download
memory/2620-139-0x00007FF685C10000-0x00007FF685F64000-memory.dmp

Filesize
3.3MB

Download
memory/3184-8-0x00007FF761EE0000-0x00007FF762234000-memory.dmp

Filesize
3.3MB

Download
memory/3184-144-0x00007FF761EE0000-0x00007FF762234000-memory.dmp

Filesize
3.3MB

Download
memory/3596-16-0x00007FF683FA0000-0x00007FF6842F4000-memory.dmp

Filesize
3.3MB

Download
memory/3596-145-0x00007FF683FA0000-0x00007FF6842F4000-memory.dmp

Filesize
3.3MB

Download
memory/3656-38-0x00007FF665890000-0x00007FF665BE4000-memory.dmp

Filesize
3.3MB

Download
memory/3656-102-0x00007FF665890000-0x00007FF665BE4000-memory.dmp

Filesize
3.3MB

Download
memory/3656-149-0x00007FF665890000-0x00007FF665BE4000-memory.dmp

Filesize
3.3MB

Download
memory/4144-142-0x00007FF616D70000-0x00007FF6170C4000-memory.dmp

Filesize
3.3MB

Download
memory/4144-163-0x00007FF616D70000-0x00007FF6170C4000-memory.dmp

Filesize
3.3MB

Download
memory/4144-125-0x00007FF616D70000-0x00007FF6170C4000-memory.dmp

Filesize
3.3MB

Download
memory/4424-93-0x00007FF7614C0000-0x00007FF761814000-memory.dmp

Filesize
3.3MB

Download
memory/4424-137-0x00007FF7614C0000-0x00007FF761814000-memory.dmp

Filesize
3.3MB

Download
memory/4424-158-0x00007FF7614C0000-0x00007FF761814000-memory.dmp

Filesize
3.3MB

Download
memory/4580-90-0x00007FF6E7F00000-0x00007FF6E8254000-memory.dmp

Filesize
3.3MB

Download
memory/4580-30-0x00007FF6E7F00000-0x00007FF6E8254000-memory.dmp

Filesize
3.3MB

Download
memory/4580-148-0x00007FF6E7F00000-0x00007FF6E8254000-memory.dmp

Filesize
3.3MB

Download
memory/4652-103-0x00007FF6FB7D0000-0x00007FF6FBB24000-memory.dmp

Filesize
3.3MB

Download
memory/4652-159-0x00007FF6FB7D0000-0x00007FF6FBB24000-memory.dmp

Filesize
3.3MB

Download
memory/4652-138-0x00007FF6FB7D0000-0x00007FF6FBB24000-memory.dmp

Filesize
3.3MB

Download
memory/4932-153-0x00007FF6FDD10000-0x00007FF6FE064000-memory.dmp

Filesize
3.3MB

Download
memory/4932-61-0x00007FF6FDD10000-0x00007FF6FE064000-memory.dmp

Filesize
3.3MB

Download
memory/4932-124-0x00007FF6FDD10000-0x00007FF6FE064000-memory.dmp

Filesize
3.3MB

Download
memory/4968-151-0x00007FF7C1410000-0x00007FF7C1764000-memory.dmp

Filesize
3.3MB

Download
memory/4968-50-0x00007FF7C1410000-0x00007FF7C1764000-memory.dmp

Filesize
3.3MB

Download
memory/5072-155-0x00007FF78A9B0000-0x00007FF78AD04000-memory.dmp

Filesize
3.3MB

Download
memory/5072-81-0x00007FF78A9B0000-0x00007FF78AD04000-memory.dmp

Filesize
3.3MB

Download