cobaltstrike | cd494af506fd175801b727f1b31cb3631378f7fd0878464535a4e915bee1b670

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

92de82323ef620a8f702036f8866cc71
SHA1

9579ecb24fb9d9913be35bb1ddc19919d5ec1488
SHA256

cd494af506fd175801b727f1b31cb3631378f7fd0878464535a4e915bee1b670
SHA512

b91a65bf7c4ec13649316e30ee37676c67bea82306faef48d985e3f160ed1c7409b8f802feea2030317dc24cfeb92311f07733f85a0468af104ecc30f3cb2c5e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lY:RWWBibf56utgpPFotBER/mQ32lU0

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023426-6.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023479-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023485-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023486-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023487-28.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023481-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023489-44.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348a-47.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348b-57.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348c-61.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348d-68.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348e-74.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348f-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023490-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023491-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023492-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023493-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023494-115.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e456-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023497-137.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023496-132.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/1404-14-0x00007FF7778F0000-0x00007FF777C41000-memory.dmp	xmrig
behavioral2/memory/4640-53-0x00007FF7E4A70000-0x00007FF7E4DC1000-memory.dmp	xmrig
behavioral2/memory/1508-55-0x00007FF654B70000-0x00007FF654EC1000-memory.dmp	xmrig
behavioral2/memory/5096-67-0x00007FF696F80000-0x00007FF6972D1000-memory.dmp	xmrig
behavioral2/memory/2816-77-0x00007FF65C7D0000-0x00007FF65CB21000-memory.dmp	xmrig
behavioral2/memory/2392-80-0x00007FF6B5100000-0x00007FF6B5451000-memory.dmp	xmrig
behavioral2/memory/3236-88-0x00007FF7B61E0000-0x00007FF7B6531000-memory.dmp	xmrig
behavioral2/memory/1276-69-0x00007FF676CD0000-0x00007FF677021000-memory.dmp	xmrig
behavioral2/memory/1404-64-0x00007FF7778F0000-0x00007FF777C41000-memory.dmp	xmrig
behavioral2/memory/4836-93-0x00007FF764150000-0x00007FF7644A1000-memory.dmp	xmrig
behavioral2/memory/4296-98-0x00007FF770500000-0x00007FF770851000-memory.dmp	xmrig
behavioral2/memory/4904-97-0x00007FF6CA600000-0x00007FF6CA951000-memory.dmp	xmrig
behavioral2/memory/3944-117-0x00007FF6206A0000-0x00007FF6209F1000-memory.dmp	xmrig
behavioral2/memory/2392-136-0x00007FF6B5100000-0x00007FF6B5451000-memory.dmp	xmrig
behavioral2/memory/3208-123-0x00007FF61AB90000-0x00007FF61AEE1000-memory.dmp	xmrig
behavioral2/memory/4640-140-0x00007FF7E4A70000-0x00007FF7E4DC1000-memory.dmp	xmrig
behavioral2/memory/1252-145-0x00007FF78FB00000-0x00007FF78FE51000-memory.dmp	xmrig
behavioral2/memory/4280-151-0x00007FF6CA3F0000-0x00007FF6CA741000-memory.dmp	xmrig
behavioral2/memory/1644-152-0x00007FF7C4C80000-0x00007FF7C4FD1000-memory.dmp	xmrig
behavioral2/memory/5040-158-0x00007FF6262F0000-0x00007FF626641000-memory.dmp	xmrig
behavioral2/memory/3340-159-0x00007FF6B71B0000-0x00007FF6B7501000-memory.dmp	xmrig
behavioral2/memory/4112-164-0x00007FF614290000-0x00007FF6145E1000-memory.dmp	xmrig
behavioral2/memory/1884-166-0x00007FF6A33E0000-0x00007FF6A3731000-memory.dmp	xmrig
behavioral2/memory/4848-165-0x00007FF73D1C0000-0x00007FF73D511000-memory.dmp	xmrig
behavioral2/memory/3456-167-0x00007FF65F820000-0x00007FF65FB71000-memory.dmp	xmrig
behavioral2/memory/4640-168-0x00007FF7E4A70000-0x00007FF7E4DC1000-memory.dmp	xmrig
behavioral2/memory/1508-216-0x00007FF654B70000-0x00007FF654EC1000-memory.dmp	xmrig
behavioral2/memory/1404-220-0x00007FF7778F0000-0x00007FF777C41000-memory.dmp	xmrig
behavioral2/memory/1276-222-0x00007FF676CD0000-0x00007FF677021000-memory.dmp	xmrig
behavioral2/memory/2816-224-0x00007FF65C7D0000-0x00007FF65CB21000-memory.dmp	xmrig
behavioral2/memory/3236-231-0x00007FF7B61E0000-0x00007FF7B6531000-memory.dmp	xmrig
behavioral2/memory/4836-233-0x00007FF764150000-0x00007FF7644A1000-memory.dmp	xmrig
behavioral2/memory/4904-235-0x00007FF6CA600000-0x00007FF6CA951000-memory.dmp	xmrig
behavioral2/memory/4296-237-0x00007FF770500000-0x00007FF770851000-memory.dmp	xmrig
behavioral2/memory/3944-240-0x00007FF6206A0000-0x00007FF6209F1000-memory.dmp	xmrig
behavioral2/memory/5096-246-0x00007FF696F80000-0x00007FF6972D1000-memory.dmp	xmrig
behavioral2/memory/3208-248-0x00007FF61AB90000-0x00007FF61AEE1000-memory.dmp	xmrig
behavioral2/memory/2392-250-0x00007FF6B5100000-0x00007FF6B5451000-memory.dmp	xmrig
behavioral2/memory/1252-252-0x00007FF78FB00000-0x00007FF78FE51000-memory.dmp	xmrig
behavioral2/memory/4280-254-0x00007FF6CA3F0000-0x00007FF6CA741000-memory.dmp	xmrig
behavioral2/memory/1644-260-0x00007FF7C4C80000-0x00007FF7C4FD1000-memory.dmp	xmrig
behavioral2/memory/5040-262-0x00007FF6262F0000-0x00007FF626641000-memory.dmp	xmrig
behavioral2/memory/3340-264-0x00007FF6B71B0000-0x00007FF6B7501000-memory.dmp	xmrig
behavioral2/memory/4112-269-0x00007FF614290000-0x00007FF6145E1000-memory.dmp	xmrig
behavioral2/memory/4848-271-0x00007FF73D1C0000-0x00007FF73D511000-memory.dmp	xmrig
behavioral2/memory/1884-273-0x00007FF6A33E0000-0x00007FF6A3731000-memory.dmp	xmrig
behavioral2/memory/3456-275-0x00007FF65F820000-0x00007FF65FB71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1508	hWKJurt.exe
1404	vvcaibJ.exe
1276	oCKxOVK.exe
2816	ZeFvlAG.exe
3236	BoMkFQF.exe
4836	NpHZDoe.exe
4904	BrcMqrB.exe
4296	GJduNtI.exe
3944	VsnBjnr.exe
5096	hNhxwAB.exe
3208	SsTzVku.exe
2392	ocLrzPh.exe
1252	XsrErwg.exe
4280	GkUaoNj.exe
1644	YuGCbjg.exe
5040	YKpJBVP.exe
3340	CZYygRw.exe
4112	KfwjzTA.exe
4848	AsQxttu.exe
1884	xZhpvqw.exe
3456	wzRsgKF.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4640-0-0x00007FF7E4A70000-0x00007FF7E4DC1000-memory.dmp	upx
behavioral2/files/0x0009000000023426-6.dat	upx
behavioral2/memory/1508-7-0x00007FF654B70000-0x00007FF654EC1000-memory.dmp	upx
behavioral2/files/0x000b000000023479-10.dat	upx
behavioral2/memory/1404-14-0x00007FF7778F0000-0x00007FF777C41000-memory.dmp	upx
behavioral2/files/0x0007000000023485-12.dat	upx
behavioral2/memory/1276-20-0x00007FF676CD0000-0x00007FF677021000-memory.dmp	upx
behavioral2/files/0x0007000000023486-25.dat	upx
behavioral2/memory/2816-24-0x00007FF65C7D0000-0x00007FF65CB21000-memory.dmp	upx
behavioral2/files/0x0007000000023487-28.dat	upx
behavioral2/memory/3236-32-0x00007FF7B61E0000-0x00007FF7B6531000-memory.dmp	upx
behavioral2/files/0x0008000000023481-35.dat	upx
behavioral2/files/0x0007000000023489-44.dat	upx
behavioral2/memory/4904-45-0x00007FF6CA600000-0x00007FF6CA951000-memory.dmp	upx
behavioral2/files/0x000700000002348a-47.dat	upx
behavioral2/memory/4296-46-0x00007FF770500000-0x00007FF770851000-memory.dmp	upx
behavioral2/memory/4836-36-0x00007FF764150000-0x00007FF7644A1000-memory.dmp	upx
behavioral2/memory/4640-53-0x00007FF7E4A70000-0x00007FF7E4DC1000-memory.dmp	upx
behavioral2/memory/1508-55-0x00007FF654B70000-0x00007FF654EC1000-memory.dmp	upx
behavioral2/memory/3944-56-0x00007FF6206A0000-0x00007FF6209F1000-memory.dmp	upx
behavioral2/files/0x000700000002348b-57.dat	upx
behavioral2/files/0x000700000002348c-61.dat	upx
behavioral2/files/0x000700000002348d-68.dat	upx
behavioral2/memory/5096-67-0x00007FF696F80000-0x00007FF6972D1000-memory.dmp	upx
behavioral2/files/0x000700000002348e-74.dat	upx
behavioral2/memory/2816-77-0x00007FF65C7D0000-0x00007FF65CB21000-memory.dmp	upx
behavioral2/files/0x000700000002348f-81.dat	upx
behavioral2/memory/1252-82-0x00007FF78FB00000-0x00007FF78FE51000-memory.dmp	upx
behavioral2/memory/2392-80-0x00007FF6B5100000-0x00007FF6B5451000-memory.dmp	upx
behavioral2/memory/3208-75-0x00007FF61AB90000-0x00007FF61AEE1000-memory.dmp	upx
behavioral2/memory/3236-88-0x00007FF7B61E0000-0x00007FF7B6531000-memory.dmp	upx
behavioral2/files/0x0007000000023490-90.dat	upx
behavioral2/memory/4280-89-0x00007FF6CA3F0000-0x00007FF6CA741000-memory.dmp	upx
behavioral2/memory/1276-69-0x00007FF676CD0000-0x00007FF677021000-memory.dmp	upx
behavioral2/memory/1404-64-0x00007FF7778F0000-0x00007FF777C41000-memory.dmp	upx
behavioral2/memory/4836-93-0x00007FF764150000-0x00007FF7644A1000-memory.dmp	upx
behavioral2/files/0x0007000000023491-95.dat	upx
behavioral2/memory/4296-98-0x00007FF770500000-0x00007FF770851000-memory.dmp	upx
behavioral2/memory/4904-97-0x00007FF6CA600000-0x00007FF6CA951000-memory.dmp	upx
behavioral2/files/0x0007000000023492-104.dat	upx
behavioral2/memory/5040-105-0x00007FF6262F0000-0x00007FF626641000-memory.dmp	upx
behavioral2/memory/1644-103-0x00007FF7C4C80000-0x00007FF7C4FD1000-memory.dmp	upx
behavioral2/files/0x0007000000023493-110.dat	upx
behavioral2/memory/3340-111-0x00007FF6B71B0000-0x00007FF6B7501000-memory.dmp	upx
behavioral2/files/0x0007000000023494-115.dat	upx
behavioral2/memory/3944-117-0x00007FF6206A0000-0x00007FF6209F1000-memory.dmp	upx
behavioral2/files/0x000200000001e456-122.dat	upx
behavioral2/memory/4848-124-0x00007FF73D1C0000-0x00007FF73D511000-memory.dmp	upx
behavioral2/memory/4112-119-0x00007FF614290000-0x00007FF6145E1000-memory.dmp	upx
behavioral2/memory/2392-136-0x00007FF6B5100000-0x00007FF6B5451000-memory.dmp	upx
behavioral2/files/0x0007000000023497-137.dat	upx
behavioral2/memory/1884-131-0x00007FF6A33E0000-0x00007FF6A3731000-memory.dmp	upx
behavioral2/files/0x0007000000023496-132.dat	upx
behavioral2/memory/3208-123-0x00007FF61AB90000-0x00007FF61AEE1000-memory.dmp	upx
behavioral2/memory/4640-140-0x00007FF7E4A70000-0x00007FF7E4DC1000-memory.dmp	upx
behavioral2/memory/3456-139-0x00007FF65F820000-0x00007FF65FB71000-memory.dmp	upx
behavioral2/memory/1252-145-0x00007FF78FB00000-0x00007FF78FE51000-memory.dmp	upx
behavioral2/memory/4280-151-0x00007FF6CA3F0000-0x00007FF6CA741000-memory.dmp	upx
behavioral2/memory/1644-152-0x00007FF7C4C80000-0x00007FF7C4FD1000-memory.dmp	upx
behavioral2/memory/5040-158-0x00007FF6262F0000-0x00007FF626641000-memory.dmp	upx
behavioral2/memory/3340-159-0x00007FF6B71B0000-0x00007FF6B7501000-memory.dmp	upx
behavioral2/memory/4112-164-0x00007FF614290000-0x00007FF6145E1000-memory.dmp	upx
behavioral2/memory/1884-166-0x00007FF6A33E0000-0x00007FF6A3731000-memory.dmp	upx
behavioral2/memory/4848-165-0x00007FF73D1C0000-0x00007FF73D511000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\YuGCbjg.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YKpJBVP.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CZYygRw.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ocLrzPh.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XsrErwg.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wzRsgKF.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZeFvlAG.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BoMkFQF.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NpHZDoe.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BrcMqrB.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hWKJurt.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vvcaibJ.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VsnBjnr.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hNhxwAB.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SsTzVku.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GkUaoNj.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KfwjzTA.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AsQxttu.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oCKxOVK.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GJduNtI.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xZhpvqw.exe	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 1508	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4640 wrote to memory of 1508	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4640 wrote to memory of 1404	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4640 wrote to memory of 1404	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4640 wrote to memory of 1276	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4640 wrote to memory of 1276	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4640 wrote to memory of 2816	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4640 wrote to memory of 2816	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4640 wrote to memory of 3236	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4640 wrote to memory of 3236	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4640 wrote to memory of 4836	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4640 wrote to memory of 4836	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4640 wrote to memory of 4296	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4640 wrote to memory of 4296	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4640 wrote to memory of 4904	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4640 wrote to memory of 4904	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4640 wrote to memory of 3944	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4640 wrote to memory of 3944	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4640 wrote to memory of 5096	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4640 wrote to memory of 5096	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4640 wrote to memory of 3208	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4640 wrote to memory of 3208	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4640 wrote to memory of 2392	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4640 wrote to memory of 2392	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4640 wrote to memory of 1252	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4640 wrote to memory of 1252	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4640 wrote to memory of 4280	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4640 wrote to memory of 4280	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4640 wrote to memory of 1644	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4640 wrote to memory of 1644	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4640 wrote to memory of 5040	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4640 wrote to memory of 5040	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4640 wrote to memory of 3340	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4640 wrote to memory of 3340	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4640 wrote to memory of 4112	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4640 wrote to memory of 4112	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4640 wrote to memory of 4848	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4640 wrote to memory of 4848	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4640 wrote to memory of 1884	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4640 wrote to memory of 1884	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4640 wrote to memory of 3456	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4640 wrote to memory of 3456	4640	2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-27_92de82323ef620a8f702036f8866cc71_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Windows\System\hWKJurt.exe
  C:\Windows\System\hWKJurt.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\vvcaibJ.exe
  C:\Windows\System\vvcaibJ.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\oCKxOVK.exe
  C:\Windows\System\oCKxOVK.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System\ZeFvlAG.exe
  C:\Windows\System\ZeFvlAG.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\BoMkFQF.exe
  C:\Windows\System\BoMkFQF.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System\NpHZDoe.exe
  C:\Windows\System\NpHZDoe.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\GJduNtI.exe
  C:\Windows\System\GJduNtI.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System\BrcMqrB.exe
  C:\Windows\System\BrcMqrB.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\VsnBjnr.exe
  C:\Windows\System\VsnBjnr.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\hNhxwAB.exe
  C:\Windows\System\hNhxwAB.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System\SsTzVku.exe
  C:\Windows\System\SsTzVku.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System\ocLrzPh.exe
  C:\Windows\System\ocLrzPh.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\XsrErwg.exe
  C:\Windows\System\XsrErwg.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\GkUaoNj.exe
  C:\Windows\System\GkUaoNj.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\YuGCbjg.exe
  C:\Windows\System\YuGCbjg.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\YKpJBVP.exe
  C:\Windows\System\YKpJBVP.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\CZYygRw.exe
  C:\Windows\System\CZYygRw.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System\KfwjzTA.exe
  C:\Windows\System\KfwjzTA.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System\AsQxttu.exe
  C:\Windows\System\AsQxttu.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\xZhpvqw.exe
  C:\Windows\System\xZhpvqw.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System\wzRsgKF.exe
  C:\Windows\System\wzRsgKF.exe
  2⤵
  - Executes dropped EXE
  PID:3456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AsQxttu.exe

Filesize
5.2MB

MD5
ecc7278ca3b7862dd655de904d47fdfa

SHA1
cde294b20a2932e81e528fb25dd5d17828101cca

SHA256
9082ba4478d14d420476bbc535b463540a9a31a5ac35d3b602b943abc2ee84ab

SHA512
ee27b6d5915a89835eefcdb97582a3c2359285cba12164c823eb4665215520786a2bbd5a0a6a68f9b83a6bd105a3a9390e1f55b96bfcc9a03e99dca22a98182d

Download Submit
C:\Windows\System\BoMkFQF.exe

Filesize
5.2MB

MD5
55b63a55a0748710d815863588972329

SHA1
ebe7b7fb81a8a536311da2d8afcbce2b64873e52

SHA256
c03590105dce0a65e40e8dc2781ab1d40671e64cafaa3003f3e2cf3fd1014689

SHA512
98f9a548a4d8b6c365075692585a4364b0cc154ec4513ea4fa279a77ecd42e902a925b66deaa4f108b7a2f4b47f7b586053270f096c1ecce42aa5d46fbe27559

Download Submit
C:\Windows\System\BrcMqrB.exe

Filesize
5.2MB

MD5
b36cabb2957fe92b127ea32b33a85b1b

SHA1
97474259ed8ad6cae0b175522b439bf07a4d06d0

SHA256
51e3adcea7b4881bb7e7177a0593da6d2477c3d42333ec6da8611213b2ed3d7a

SHA512
36d3196ea9b76a72ff4c465d6cd408f09ce1a71b32a4c8c9a8ad0777c6ae50b20b8177aff0142e7d0f08f52580a1382202979fe0f1becce3386e4288ed05fb23

Download Submit
C:\Windows\System\CZYygRw.exe

Filesize
5.2MB

MD5
f537636dfa14d56ec832a510ed2d83a2

SHA1
89adb962eb2ddb91dd73ba4c4d210122409cb03e

SHA256
fb6380c94b844ef63b5f154f6f2b0a0ea7b8fc4ace6f1640fe81e6681881c044

SHA512
af4d115b9d791e4128b4c248f6f53df86b61aa31cb64bf80f4317384eafb8ce8b91fbde9fe4e6568c15c0322e3d5730204899b10591fb5e7878e159e2e79871b

Download Submit
C:\Windows\System\GJduNtI.exe

Filesize
5.2MB

MD5
c65c19944928637faa3db969a7acbabe

SHA1
8c7c21254ed573ef3173727bc4d5fd4e004915de

SHA256
a387faa89a996d15d68a5089e912fd567dc37b1caea03cc40257a2143fa1e67d

SHA512
904123dc27c93d0cc2f9352c33074c8a903860a9c650e933a91eae8c0d9e0cd8e9b2ac48356aff71f46868829af18924961a1e359bae2aca2acc141715c05125

Download Submit
C:\Windows\System\GkUaoNj.exe

Filesize
5.2MB

MD5
7b18f84bcd889a6e7d506b4b5afc305c

SHA1
0c651e7a20a8e77e9e44fe13e081d3a559310c42

SHA256
7c7b5432aaf071b36e89c3fcd6bb3d1b40e95f56d49f6f1aeae4158477cda481

SHA512
75014b3f670914615893096d55540c769421aaaf9bacfae883a0f03a39a00b80d5484d910fd4dc33c140b4a611c4fdb35903d8884611d1dfe51bca604f148c62

Download Submit
C:\Windows\System\KfwjzTA.exe

Filesize
5.2MB

MD5
c1dcbd274918fe4a545d0296fd2dfec1

SHA1
c31b834c86a0fdd28d9dee8840ecae0709042e1c

SHA256
5d3ee4094d3b229df507ee4f3d1952d83e358cbee89e1c37189c302c433cd214

SHA512
700b8ec9cab7dc1dd66b95d698b9b8147b467a0b6e21e55ea728eb5603f846cbc8454d4498705d4d3a182e60d30836cda888cc439d7f34392235fba558b40900

Download Submit
C:\Windows\System\NpHZDoe.exe

Filesize
5.2MB

MD5
b3295eafa622590944b65ee557ce9017

SHA1
e63803f1b834948822378ae405dfd8b1be495b76

SHA256
91951d81aaa9b472af2e387738a50d66e83e7544524e6dd7512e3cae223bda96

SHA512
08cbf9c327cbef0951bf5fff1d85566ded886daf535770ec1abe97b9209936e70fe5d0ec107cfb014c8f9852a41f063edf749ba18f686e56f2d27a9b92772b61

Download Submit
C:\Windows\System\SsTzVku.exe

Filesize
5.2MB

MD5
bb10dc177805e8207edb522873c5a455

SHA1
cacb79d98298be8db079a7a542cd6f52a4f72d4c

SHA256
8aa53a15547f0afe873fa5f5e79f8bba37b2ea4d953c945d304f6c8cec34f1ff

SHA512
9dd2a8229b840f824b5e8339485ef9ff77c1edb6363b33033b047d36cfbc731a13732424f697aa9096bd2bae53e812769b8f259b057cb3a608cd528bdc4728a7

Download Submit
C:\Windows\System\VsnBjnr.exe

Filesize
5.2MB

MD5
89fa1601c6e4c5e0d2bdf900a85b5dcf

SHA1
2988f34e161d99daca812e79ade3a87d6e8c87ce

SHA256
22a9f5c66442516160388254d35116594e4354b65f43fc0151574b6d23929074

SHA512
66954e99543b7cc981dd5309c98bbf6c5b89bbe187a61f3ee6d472b02bfce098c5287c772f4981fc5c59c93b96dfc0b8f21c342a3bc53c8cd44f9e7aaf6750de

Download Submit
C:\Windows\System\XsrErwg.exe

Filesize
5.2MB

MD5
2bbbafda86fd3939825402cd837de8c0

SHA1
9093c40b0db81fd3791bd840c2d808d2fec2de85

SHA256
2ca3fea697d8585e667afdecf4ceec5bd3eac83d3333f8fabaf69b3c248f5223

SHA512
a8b94a124180d65fee7c3934692609867bee357857bfd09b0e638db253209fd7d76a0c4fdaf62528e2f2eac2c36d5a815453fd6abd99911ce78d851f8014e0a7

Download Submit
C:\Windows\System\YKpJBVP.exe

Filesize
5.2MB

MD5
76062df78c9926b30df6fe45672a92ec

SHA1
2baa02ec46abe5cafceae7075464562fed39b08c

SHA256
9e4acdd94028ee7053450334148d5f33314ad48ded6de107cdc6bb003bd251ee

SHA512
f221c49b1feb2bc683e597678b4f77e6f22ee704188823ed72abca94c96778f213a27e997916769805a56010c6d9e3b9c8dda1f072eba59791dc7f59d53b09c2

Download Submit
C:\Windows\System\YuGCbjg.exe

Filesize
5.2MB

MD5
1974991739fd9f3454aeb390bcf22133

SHA1
a4553435f28c512affd9c0b4351f325849d5f606

SHA256
f9f947ed2a13c1d2ffa880928d67139118d148a178f522b1baefa9525966ba84

SHA512
04ebb3aebd0601ea592f6ad8e731031387b65d99a9505e4bfbc8018732bc03b62002e296e810df632f9ff13d4a8f4c11a1ba1122c22466fdf8f288ab3477efb0

Download Submit
C:\Windows\System\ZeFvlAG.exe

Filesize
5.2MB

MD5
3a1148028645824352a4f2b87e6c6b6f

SHA1
7947a8da6e252fffb27acf46d821beff4b2a93dd

SHA256
42e7365678797f7880b0ff0e1c295b51f0c6eb0181af37a77255449280d7a049

SHA512
005d5ee0ef4dac490b5be88a668be71b2a7a71a3f7d050c6857a59df3efa61330620e072935b5602dd32b5bbfd92fd46a6a0ace62f2e55a75bead623126d4c71

Download Submit
C:\Windows\System\hNhxwAB.exe

Filesize
5.2MB

MD5
49441fcfe2b44a6a3cef94f4e7626621

SHA1
4c5ca69f1cd1baee2b017cd5b5459641ab711361

SHA256
d9dc6c953dfc72c72003399b118908ea7fe9d44a57a579ff139a1b9b86267de4

SHA512
7191ed25aed5dd3966a7e6cb55cf7bc4ff58bb21bddad1983b3ce947d57f9f67b42ff024f923804f443ea7b93ca628c6fe45b658723371fecb2832bd81f39585

Download Submit
C:\Windows\System\hWKJurt.exe

Filesize
5.2MB

MD5
772e3fda532f9e8b9076406fba6cd76f

SHA1
751674a418bdebcfe77486ae20d01fc399580b20

SHA256
e067c8ff144a8e6896002c87272b231235666fee98668840eeca548e357c433b

SHA512
2f2e899e18acbcc389d8f192133c21e916c97dbc8e921df348c99e7de87473fd8df00104fef8a0e1dd467230f5b94d063b3f656e9258a510836de5805d6a073d

Download Submit
C:\Windows\System\oCKxOVK.exe

Filesize
5.2MB

MD5
1f2e1a703ca2a85eaa7126c13e33020d

SHA1
b02fd247f8e3efacb45c1e418a49f583061fef34

SHA256
22f11d4bf221865ae69df82e143a1daf375b48c571f59cca66ddece3b2006fa7

SHA512
a85965ae1c6ccb839a4b17d6757f836a48fb61cb8c57ffdcc6bca990713d566be5b3d2760b798c35cf70350de8d35517e1092904b81eedd9d1185007d420e3eb

Download Submit
C:\Windows\System\ocLrzPh.exe

Filesize
5.2MB

MD5
58ea4191c0887d0161abcd5632791e76

SHA1
e9ab5567bf765b9c3104b880d892ec20f93c9278

SHA256
c39dbb33318b6b0e30625f3ade98d750f65ea39736b1f1bfc0f2a6af996d8293

SHA512
7539b66df6e02c315f3283d2fc601202801df86c843c5cc73aa0366843b9f431349e4ccc1d55b25d23631da3ee6143f1fdd1f85d7942346fb5a50373426c0a16

Download Submit
C:\Windows\System\vvcaibJ.exe

Filesize
5.2MB

MD5
8f89b602e86cb86379c41f7d8469fcc6

SHA1
3e20e06994e2c8e34db98c05171bf38038f8773c

SHA256
dfb41ad54dffb78299b9eb96e3fe2d8a6e3c824d6f16d20c863d3e6beaa01e45

SHA512
2d43c08a4e9461d4127996bd5068f0380ff10b6ce9f03ad383e548e331f38152e9a1b8d9e2bff09fe2e0542e962dc4b459da1a9ce9de930efce8b691e14a4679

Download Submit
C:\Windows\System\wzRsgKF.exe

Filesize
5.2MB

MD5
3f20843924a12783302aeb6ccc728528

SHA1
a694a146523407ecadb4c237fbb31c55aa12361e

SHA256
b2cff490e7aa6181655c1ea09826eefde6ad90ab113d4fb0c717fab5748ce3ee

SHA512
ecc2975b05523347359794c52479e4d53d17214ad2c2578a865bfc8957de05e33b0cbaa0a508ab92d0c5a42386c152f50c3a558272f1244b2566a549e8e723ef

Download Submit
C:\Windows\System\xZhpvqw.exe

Filesize
5.2MB

MD5
56db8dfcb9d829ec055aeb65edd0a952

SHA1
ed9b7e0403c4ab3362f2f918ed18a681a49a2180

SHA256
d3f11e4650e45cf3cce60d0e57717b9bc31857f3322a49637651bcf0e954f7c7

SHA512
c3852d8030bc1de47c8043b0827f0c739d3e2438a7972ca467bb4a6062230cbf08d595b1c87c1f777bb243476482604d91ab13d25c31bf1cf12ad0fa609e51fd

Download Submit
memory/1252-82-0x00007FF78FB00000-0x00007FF78FE51000-memory.dmp

Filesize
3.3MB

Download
memory/1252-252-0x00007FF78FB00000-0x00007FF78FE51000-memory.dmp

Filesize
3.3MB

Download
memory/1252-145-0x00007FF78FB00000-0x00007FF78FE51000-memory.dmp

Filesize
3.3MB

Download
memory/1276-222-0x00007FF676CD0000-0x00007FF677021000-memory.dmp

Filesize
3.3MB

Download
memory/1276-69-0x00007FF676CD0000-0x00007FF677021000-memory.dmp

Filesize
3.3MB

Download
memory/1276-20-0x00007FF676CD0000-0x00007FF677021000-memory.dmp

Filesize
3.3MB

Download
memory/1404-220-0x00007FF7778F0000-0x00007FF777C41000-memory.dmp

Filesize
3.3MB

Download
memory/1404-64-0x00007FF7778F0000-0x00007FF777C41000-memory.dmp

Filesize
3.3MB

Download
memory/1404-14-0x00007FF7778F0000-0x00007FF777C41000-memory.dmp

Filesize
3.3MB

Download
memory/1508-216-0x00007FF654B70000-0x00007FF654EC1000-memory.dmp

Filesize
3.3MB

Download
memory/1508-55-0x00007FF654B70000-0x00007FF654EC1000-memory.dmp

Filesize
3.3MB

Download
memory/1508-7-0x00007FF654B70000-0x00007FF654EC1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-152-0x00007FF7C4C80000-0x00007FF7C4FD1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-260-0x00007FF7C4C80000-0x00007FF7C4FD1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-103-0x00007FF7C4C80000-0x00007FF7C4FD1000-memory.dmp

Filesize
3.3MB

Download
memory/1884-131-0x00007FF6A33E0000-0x00007FF6A3731000-memory.dmp

Filesize
3.3MB

Download
memory/1884-166-0x00007FF6A33E0000-0x00007FF6A3731000-memory.dmp

Filesize
3.3MB

Download
memory/1884-273-0x00007FF6A33E0000-0x00007FF6A3731000-memory.dmp

Filesize
3.3MB

Download
memory/2392-80-0x00007FF6B5100000-0x00007FF6B5451000-memory.dmp

Filesize
3.3MB

Download
memory/2392-250-0x00007FF6B5100000-0x00007FF6B5451000-memory.dmp

Filesize
3.3MB

Download
memory/2392-136-0x00007FF6B5100000-0x00007FF6B5451000-memory.dmp

Filesize
3.3MB

Download
memory/2816-224-0x00007FF65C7D0000-0x00007FF65CB21000-memory.dmp

Filesize
3.3MB

Download
memory/2816-24-0x00007FF65C7D0000-0x00007FF65CB21000-memory.dmp

Filesize
3.3MB

Download
memory/2816-77-0x00007FF65C7D0000-0x00007FF65CB21000-memory.dmp

Filesize
3.3MB

Download
memory/3208-248-0x00007FF61AB90000-0x00007FF61AEE1000-memory.dmp

Filesize
3.3MB

Download
memory/3208-123-0x00007FF61AB90000-0x00007FF61AEE1000-memory.dmp

Filesize
3.3MB

Download
memory/3208-75-0x00007FF61AB90000-0x00007FF61AEE1000-memory.dmp

Filesize
3.3MB

Download
memory/3236-32-0x00007FF7B61E0000-0x00007FF7B6531000-memory.dmp

Filesize
3.3MB

Download
memory/3236-231-0x00007FF7B61E0000-0x00007FF7B6531000-memory.dmp

Filesize
3.3MB

Download
memory/3236-88-0x00007FF7B61E0000-0x00007FF7B6531000-memory.dmp

Filesize
3.3MB

Download
memory/3340-159-0x00007FF6B71B0000-0x00007FF6B7501000-memory.dmp

Filesize
3.3MB

Download
memory/3340-264-0x00007FF6B71B0000-0x00007FF6B7501000-memory.dmp

Filesize
3.3MB

Download
memory/3340-111-0x00007FF6B71B0000-0x00007FF6B7501000-memory.dmp

Filesize
3.3MB

Download
memory/3456-275-0x00007FF65F820000-0x00007FF65FB71000-memory.dmp

Filesize
3.3MB

Download
memory/3456-167-0x00007FF65F820000-0x00007FF65FB71000-memory.dmp

Filesize
3.3MB

Download
memory/3456-139-0x00007FF65F820000-0x00007FF65FB71000-memory.dmp

Filesize
3.3MB

Download
memory/3944-240-0x00007FF6206A0000-0x00007FF6209F1000-memory.dmp

Filesize
3.3MB

Download
memory/3944-117-0x00007FF6206A0000-0x00007FF6209F1000-memory.dmp

Filesize
3.3MB

Download
memory/3944-56-0x00007FF6206A0000-0x00007FF6209F1000-memory.dmp

Filesize
3.3MB

Download
memory/4112-119-0x00007FF614290000-0x00007FF6145E1000-memory.dmp

Filesize
3.3MB

Download
memory/4112-269-0x00007FF614290000-0x00007FF6145E1000-memory.dmp

Filesize
3.3MB

Download
memory/4112-164-0x00007FF614290000-0x00007FF6145E1000-memory.dmp

Filesize
3.3MB

Download
memory/4280-151-0x00007FF6CA3F0000-0x00007FF6CA741000-memory.dmp

Filesize
3.3MB

Download
memory/4280-89-0x00007FF6CA3F0000-0x00007FF6CA741000-memory.dmp

Filesize
3.3MB

Download
memory/4280-254-0x00007FF6CA3F0000-0x00007FF6CA741000-memory.dmp

Filesize
3.3MB

Download
memory/4296-98-0x00007FF770500000-0x00007FF770851000-memory.dmp

Filesize
3.3MB

Download
memory/4296-237-0x00007FF770500000-0x00007FF770851000-memory.dmp

Filesize
3.3MB

Download
memory/4296-46-0x00007FF770500000-0x00007FF770851000-memory.dmp

Filesize
3.3MB

Download
memory/4640-1-0x000002108E1F0000-0x000002108E200000-memory.dmp

Filesize
64KB

Download
memory/4640-140-0x00007FF7E4A70000-0x00007FF7E4DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-53-0x00007FF7E4A70000-0x00007FF7E4DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-168-0x00007FF7E4A70000-0x00007FF7E4DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-0-0x00007FF7E4A70000-0x00007FF7E4DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-36-0x00007FF764150000-0x00007FF7644A1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-233-0x00007FF764150000-0x00007FF7644A1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-93-0x00007FF764150000-0x00007FF7644A1000-memory.dmp

Filesize
3.3MB

Download
memory/4848-165-0x00007FF73D1C0000-0x00007FF73D511000-memory.dmp

Filesize
3.3MB

Download
memory/4848-124-0x00007FF73D1C0000-0x00007FF73D511000-memory.dmp

Filesize
3.3MB

Download
memory/4848-271-0x00007FF73D1C0000-0x00007FF73D511000-memory.dmp

Filesize
3.3MB

Download
memory/4904-235-0x00007FF6CA600000-0x00007FF6CA951000-memory.dmp

Filesize
3.3MB

Download
memory/4904-97-0x00007FF6CA600000-0x00007FF6CA951000-memory.dmp

Filesize
3.3MB

Download
memory/4904-45-0x00007FF6CA600000-0x00007FF6CA951000-memory.dmp

Filesize
3.3MB

Download
memory/5040-262-0x00007FF6262F0000-0x00007FF626641000-memory.dmp

Filesize
3.3MB

Download
memory/5040-158-0x00007FF6262F0000-0x00007FF626641000-memory.dmp

Filesize
3.3MB

Download
memory/5040-105-0x00007FF6262F0000-0x00007FF626641000-memory.dmp

Filesize
3.3MB

Download
memory/5096-67-0x00007FF696F80000-0x00007FF6972D1000-memory.dmp

Filesize
3.3MB

Download
memory/5096-246-0x00007FF696F80000-0x00007FF6972D1000-memory.dmp

Filesize
3.3MB

Download