cobaltstrike | 4232c892a082a112d2781646a6d03c45c458cf989f5ba12081a92fb7b7a217c3

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4e86ca03af626d463b0d53bb6b606176
SHA1

9566d577023a402c4d6dbb3977a8b3ab79f61129
SHA256

4232c892a082a112d2781646a6d03c45c458cf989f5ba12081a92fb7b7a217c3
SHA512

b02edcd0ed91139f73a70dc54f3d6bc5ee39feb37ea8ede727cd89d614ff99db584a0c7d9699905291db6eff607d0f6936afb565d8f20b42233446cce5077ff4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lq:RWWBibf56utgpPFotBER/mQ32lU+

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023b83-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-24.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-25.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-38.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-45.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b97-58.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-60.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-21.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-65.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023ba4-74.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba3-73.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba7-103.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023baa-118.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bab-123.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba8-109.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-107.dat	cobalt_reflective_dll
behavioral2/files/0x0058000000023ba6-98.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba5-91.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bac-141.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2628-42-0x00007FF7E99F0000-0x00007FF7E9D41000-memory.dmp	xmrig
behavioral2/memory/2712-47-0x00007FF7CC670000-0x00007FF7CC9C1000-memory.dmp	xmrig
behavioral2/memory/2952-44-0x00007FF672640000-0x00007FF672991000-memory.dmp	xmrig
behavioral2/memory/2060-68-0x00007FF737350000-0x00007FF7376A1000-memory.dmp	xmrig
behavioral2/memory/5044-89-0x00007FF612270000-0x00007FF6125C1000-memory.dmp	xmrig
behavioral2/memory/1476-94-0x00007FF618430000-0x00007FF618781000-memory.dmp	xmrig
behavioral2/memory/3332-99-0x00007FF684540000-0x00007FF684891000-memory.dmp	xmrig
behavioral2/memory/1848-111-0x00007FF73FEF0000-0x00007FF740241000-memory.dmp	xmrig
behavioral2/memory/1728-121-0x00007FF628D40000-0x00007FF629091000-memory.dmp	xmrig
behavioral2/memory/2836-126-0x00007FF64EE80000-0x00007FF64F1D1000-memory.dmp	xmrig
behavioral2/memory/3652-125-0x00007FF608D50000-0x00007FF6090A1000-memory.dmp	xmrig
behavioral2/memory/4200-122-0x00007FF69E660000-0x00007FF69E9B1000-memory.dmp	xmrig
behavioral2/memory/3304-120-0x00007FF6D78C0000-0x00007FF6D7C11000-memory.dmp	xmrig
behavioral2/memory/4012-117-0x00007FF6BCC10000-0x00007FF6BCF61000-memory.dmp	xmrig
behavioral2/memory/4032-84-0x00007FF6CD710000-0x00007FF6CDA61000-memory.dmp	xmrig
behavioral2/memory/1628-78-0x00007FF64EF00000-0x00007FF64F251000-memory.dmp	xmrig
behavioral2/memory/2124-76-0x00007FF76A560000-0x00007FF76A8B1000-memory.dmp	xmrig
behavioral2/memory/1976-135-0x00007FF6C9B20000-0x00007FF6C9E71000-memory.dmp	xmrig
behavioral2/memory/776-137-0x00007FF66C800000-0x00007FF66CB51000-memory.dmp	xmrig
behavioral2/memory/3460-136-0x00007FF7428B0000-0x00007FF742C01000-memory.dmp	xmrig
behavioral2/memory/3384-132-0x00007FF71ED90000-0x00007FF71F0E1000-memory.dmp	xmrig
behavioral2/memory/3296-143-0x00007FF79EB30000-0x00007FF79EE81000-memory.dmp	xmrig
behavioral2/memory/2060-144-0x00007FF737350000-0x00007FF7376A1000-memory.dmp	xmrig
behavioral2/memory/2060-172-0x00007FF737350000-0x00007FF7376A1000-memory.dmp	xmrig
behavioral2/memory/5044-205-0x00007FF612270000-0x00007FF6125C1000-memory.dmp	xmrig
behavioral2/memory/2124-207-0x00007FF76A560000-0x00007FF76A8B1000-memory.dmp	xmrig
behavioral2/memory/3652-209-0x00007FF608D50000-0x00007FF6090A1000-memory.dmp	xmrig
behavioral2/memory/2628-213-0x00007FF7E99F0000-0x00007FF7E9D41000-memory.dmp	xmrig
behavioral2/memory/2952-212-0x00007FF672640000-0x00007FF672991000-memory.dmp	xmrig
behavioral2/memory/3384-220-0x00007FF71ED90000-0x00007FF71F0E1000-memory.dmp	xmrig
behavioral2/memory/2712-222-0x00007FF7CC670000-0x00007FF7CC9C1000-memory.dmp	xmrig
behavioral2/memory/3460-228-0x00007FF7428B0000-0x00007FF742C01000-memory.dmp	xmrig
behavioral2/memory/1976-226-0x00007FF6C9B20000-0x00007FF6C9E71000-memory.dmp	xmrig
behavioral2/memory/776-225-0x00007FF66C800000-0x00007FF66CB51000-memory.dmp	xmrig
behavioral2/memory/1628-241-0x00007FF64EF00000-0x00007FF64F251000-memory.dmp	xmrig
behavioral2/memory/4032-243-0x00007FF6CD710000-0x00007FF6CDA61000-memory.dmp	xmrig
behavioral2/memory/1476-245-0x00007FF618430000-0x00007FF618781000-memory.dmp	xmrig
behavioral2/memory/3332-247-0x00007FF684540000-0x00007FF684891000-memory.dmp	xmrig
behavioral2/memory/1848-250-0x00007FF73FEF0000-0x00007FF740241000-memory.dmp	xmrig
behavioral2/memory/4012-251-0x00007FF6BCC10000-0x00007FF6BCF61000-memory.dmp	xmrig
behavioral2/memory/3304-253-0x00007FF6D78C0000-0x00007FF6D7C11000-memory.dmp	xmrig
behavioral2/memory/4200-255-0x00007FF69E660000-0x00007FF69E9B1000-memory.dmp	xmrig
behavioral2/memory/2836-259-0x00007FF64EE80000-0x00007FF64F1D1000-memory.dmp	xmrig
behavioral2/memory/1728-258-0x00007FF628D40000-0x00007FF629091000-memory.dmp	xmrig
behavioral2/memory/3296-262-0x00007FF79EB30000-0x00007FF79EE81000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5044	ocqyOLx.exe
2124	HjiMNrN.exe
3652	unjXUpp.exe
3384	wvOThBP.exe
2628	zNAxtQe.exe
2952	bOkExih.exe
2712	JpWRdIZ.exe
1976	jrPEKSk.exe
3460	YNenUSq.exe
776	iUDtCtK.exe
1628	fHFGaAE.exe
1476	ROXzlBt.exe
4032	mwfWtSR.exe
3332	NiZechv.exe
1848	ExWLiOo.exe
4012	GrlNjzE.exe
3304	cgZszjq.exe
4200	QwxPKRu.exe
1728	xUghGIA.exe
2836	SrDTnVN.exe
3296	DNFiyjF.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2060-0-0x00007FF737350000-0x00007FF7376A1000-memory.dmp	upx
behavioral2/files/0x000d000000023b83-5.dat	upx
behavioral2/files/0x000a000000023b9a-11.dat	upx
behavioral2/files/0x000a000000023b9d-24.dat	upx
behavioral2/files/0x000a000000023b9c-25.dat	upx
behavioral2/files/0x000a000000023b9e-33.dat	upx
behavioral2/files/0x000a000000023b9f-38.dat	upx
behavioral2/memory/2628-42-0x00007FF7E99F0000-0x00007FF7E9D41000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-45.dat	upx
behavioral2/memory/2712-47-0x00007FF7CC670000-0x00007FF7CC9C1000-memory.dmp	upx
behavioral2/files/0x000c000000023b97-58.dat	upx
behavioral2/memory/776-62-0x00007FF66C800000-0x00007FF66CB51000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-60.dat	upx
behavioral2/memory/3460-57-0x00007FF7428B0000-0x00007FF742C01000-memory.dmp	upx
behavioral2/memory/1976-52-0x00007FF6C9B20000-0x00007FF6C9E71000-memory.dmp	upx
behavioral2/memory/2952-44-0x00007FF672640000-0x00007FF672991000-memory.dmp	upx
behavioral2/memory/3384-36-0x00007FF71ED90000-0x00007FF71F0E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-21.dat	upx
behavioral2/memory/3652-20-0x00007FF608D50000-0x00007FF6090A1000-memory.dmp	upx
behavioral2/memory/2124-17-0x00007FF76A560000-0x00007FF76A8B1000-memory.dmp	upx
behavioral2/memory/5044-6-0x00007FF612270000-0x00007FF6125C1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba2-65.dat	upx
behavioral2/files/0x0031000000023ba4-74.dat	upx
behavioral2/files/0x000a000000023ba3-73.dat	upx
behavioral2/memory/2060-68-0x00007FF737350000-0x00007FF7376A1000-memory.dmp	upx
behavioral2/memory/5044-89-0x00007FF612270000-0x00007FF6125C1000-memory.dmp	upx
behavioral2/memory/1476-94-0x00007FF618430000-0x00007FF618781000-memory.dmp	upx
behavioral2/files/0x000a000000023ba7-103.dat	upx
behavioral2/memory/3332-99-0x00007FF684540000-0x00007FF684891000-memory.dmp	upx
behavioral2/memory/1848-111-0x00007FF73FEF0000-0x00007FF740241000-memory.dmp	upx
behavioral2/files/0x000a000000023baa-118.dat	upx
behavioral2/memory/1728-121-0x00007FF628D40000-0x00007FF629091000-memory.dmp	upx
behavioral2/memory/2836-126-0x00007FF64EE80000-0x00007FF64F1D1000-memory.dmp	upx
behavioral2/memory/3652-125-0x00007FF608D50000-0x00007FF6090A1000-memory.dmp	upx
behavioral2/files/0x000a000000023bab-123.dat	upx
behavioral2/memory/4200-122-0x00007FF69E660000-0x00007FF69E9B1000-memory.dmp	upx
behavioral2/memory/3304-120-0x00007FF6D78C0000-0x00007FF6D7C11000-memory.dmp	upx
behavioral2/memory/4012-117-0x00007FF6BCC10000-0x00007FF6BCF61000-memory.dmp	upx
behavioral2/files/0x000a000000023ba8-109.dat	upx
behavioral2/files/0x000a000000023ba9-107.dat	upx
behavioral2/files/0x0058000000023ba6-98.dat	upx
behavioral2/files/0x000a000000023ba5-91.dat	upx
behavioral2/memory/4032-84-0x00007FF6CD710000-0x00007FF6CDA61000-memory.dmp	upx
behavioral2/memory/1628-78-0x00007FF64EF00000-0x00007FF64F251000-memory.dmp	upx
behavioral2/memory/2124-76-0x00007FF76A560000-0x00007FF76A8B1000-memory.dmp	upx
behavioral2/memory/1976-135-0x00007FF6C9B20000-0x00007FF6C9E71000-memory.dmp	upx
behavioral2/memory/776-137-0x00007FF66C800000-0x00007FF66CB51000-memory.dmp	upx
behavioral2/memory/3460-136-0x00007FF7428B0000-0x00007FF742C01000-memory.dmp	upx
behavioral2/files/0x000a000000023bac-141.dat	upx
behavioral2/memory/3384-132-0x00007FF71ED90000-0x00007FF71F0E1000-memory.dmp	upx
behavioral2/memory/3296-143-0x00007FF79EB30000-0x00007FF79EE81000-memory.dmp	upx
behavioral2/memory/2060-144-0x00007FF737350000-0x00007FF7376A1000-memory.dmp	upx
behavioral2/memory/2060-172-0x00007FF737350000-0x00007FF7376A1000-memory.dmp	upx
behavioral2/memory/5044-205-0x00007FF612270000-0x00007FF6125C1000-memory.dmp	upx
behavioral2/memory/2124-207-0x00007FF76A560000-0x00007FF76A8B1000-memory.dmp	upx
behavioral2/memory/3652-209-0x00007FF608D50000-0x00007FF6090A1000-memory.dmp	upx
behavioral2/memory/2628-213-0x00007FF7E99F0000-0x00007FF7E9D41000-memory.dmp	upx
behavioral2/memory/2952-212-0x00007FF672640000-0x00007FF672991000-memory.dmp	upx
behavioral2/memory/3384-220-0x00007FF71ED90000-0x00007FF71F0E1000-memory.dmp	upx
behavioral2/memory/2712-222-0x00007FF7CC670000-0x00007FF7CC9C1000-memory.dmp	upx
behavioral2/memory/3460-228-0x00007FF7428B0000-0x00007FF742C01000-memory.dmp	upx
behavioral2/memory/1976-226-0x00007FF6C9B20000-0x00007FF6C9E71000-memory.dmp	upx
behavioral2/memory/776-225-0x00007FF66C800000-0x00007FF66CB51000-memory.dmp	upx
behavioral2/memory/1628-241-0x00007FF64EF00000-0x00007FF64F251000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\wvOThBP.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bOkExih.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jrPEKSk.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YNenUSq.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GrlNjzE.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QwxPKRu.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SrDTnVN.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ocqyOLx.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zNAxtQe.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iUDtCtK.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fHFGaAE.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NiZechv.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cgZszjq.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xUghGIA.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\unjXUpp.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mwfWtSR.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DNFiyjF.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ROXzlBt.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JpWRdIZ.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ExWLiOo.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HjiMNrN.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 5044	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2060 wrote to memory of 5044	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2060 wrote to memory of 2124	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2060 wrote to memory of 2124	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2060 wrote to memory of 3652	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2060 wrote to memory of 3652	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2060 wrote to memory of 2628	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2060 wrote to memory of 2628	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2060 wrote to memory of 3384	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2060 wrote to memory of 3384	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2060 wrote to memory of 2952	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2060 wrote to memory of 2952	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2060 wrote to memory of 2712	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2060 wrote to memory of 2712	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2060 wrote to memory of 1976	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2060 wrote to memory of 1976	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2060 wrote to memory of 3460	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2060 wrote to memory of 3460	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2060 wrote to memory of 776	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2060 wrote to memory of 776	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2060 wrote to memory of 1628	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2060 wrote to memory of 1628	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2060 wrote to memory of 1476	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2060 wrote to memory of 1476	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2060 wrote to memory of 4032	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2060 wrote to memory of 4032	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2060 wrote to memory of 3332	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2060 wrote to memory of 3332	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2060 wrote to memory of 1848	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2060 wrote to memory of 1848	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2060 wrote to memory of 4012	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2060 wrote to memory of 4012	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2060 wrote to memory of 3304	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2060 wrote to memory of 3304	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2060 wrote to memory of 4200	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2060 wrote to memory of 4200	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2060 wrote to memory of 1728	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2060 wrote to memory of 1728	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2060 wrote to memory of 2836	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2060 wrote to memory of 2836	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2060 wrote to memory of 3296	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2060 wrote to memory of 3296	2060	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\System\ocqyOLx.exe
  C:\Windows\System\ocqyOLx.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\HjiMNrN.exe
  C:\Windows\System\HjiMNrN.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System\unjXUpp.exe
  C:\Windows\System\unjXUpp.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\zNAxtQe.exe
  C:\Windows\System\zNAxtQe.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\wvOThBP.exe
  C:\Windows\System\wvOThBP.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System\bOkExih.exe
  C:\Windows\System\bOkExih.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\JpWRdIZ.exe
  C:\Windows\System\JpWRdIZ.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\jrPEKSk.exe
  C:\Windows\System\jrPEKSk.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\YNenUSq.exe
  C:\Windows\System\YNenUSq.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\iUDtCtK.exe
  C:\Windows\System\iUDtCtK.exe
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\System\fHFGaAE.exe
  C:\Windows\System\fHFGaAE.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\ROXzlBt.exe
  C:\Windows\System\ROXzlBt.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\mwfWtSR.exe
  C:\Windows\System\mwfWtSR.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System\NiZechv.exe
  C:\Windows\System\NiZechv.exe
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Windows\System\ExWLiOo.exe
  C:\Windows\System\ExWLiOo.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\GrlNjzE.exe
  C:\Windows\System\GrlNjzE.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\cgZszjq.exe
  C:\Windows\System\cgZszjq.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\QwxPKRu.exe
  C:\Windows\System\QwxPKRu.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\xUghGIA.exe
  C:\Windows\System\xUghGIA.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\SrDTnVN.exe
  C:\Windows\System\SrDTnVN.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\DNFiyjF.exe
  C:\Windows\System\DNFiyjF.exe
  2⤵
  - Executes dropped EXE
  PID:3296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DNFiyjF.exe

Filesize
5.2MB

MD5
00aeff55419e06b823b41e19413864c7

SHA1
ab86886cdd7e441cc0a104f8ecd54b23113479a5

SHA256
a1e6ca4d343be932fab935c00634a85650f8a0dc1747f6616f9c697cb72bb299

SHA512
830991ebd904edc75649cd6c7370e40a1fd1a886fe89144a038930bcdf91d88f0a8dfb063a291e6bc01d792b63bb201f4ccd7f0cffd525ec72c83a0f8ab816c5

Download Submit
C:\Windows\System\ExWLiOo.exe

Filesize
5.2MB

MD5
acbb5a86c5056d6144681c99ad851c09

SHA1
c8b86ba79aed390651ef8427904b6c78bb2b68fd

SHA256
05d4e3284ec84c87a2a77ac49e9c290c08b8e854423e3e590933ae063630f86e

SHA512
590d3f37abe96cf4124e084f8197c53b9c18d98353590c6cf7cf2d90898081118e4b508ad2b5420834b3bc1d589d72d1380d07d453e9f6d8a8c8399f00e54bbc

Download Submit
C:\Windows\System\GrlNjzE.exe

Filesize
5.2MB

MD5
a3d55291a33b14c8064de85a92b08a37

SHA1
93a026c3cd7e2731c6e53321063728cff8b9c0e2

SHA256
a0600cd3796f4e0fab6992a5903be86d24b0993c1f467c6c54cc5dbcf4181442

SHA512
85bee7ec5291ad8064d84eb07135c91b17d5eddc4d4ad1ff85dd527d9763e8822626c614af3bd318f5fdc4931c70e021b19c56223d41ac93f7496918e58fe182

Download Submit
C:\Windows\System\HjiMNrN.exe

Filesize
5.2MB

MD5
945533691c757211d7deab391e92d23b

SHA1
3e9c05b3bc7d4cfa837b73e2089763f250050098

SHA256
9da45b6087686b3f6b6f7c7fa80466a47dcf7c74e3be7934b3c0704c271f8504

SHA512
b11bc5ce1b1005a901d3bc63e2e5bc4c4d847c12a01ef73a209ec9ecba097a81169eef45b58470f6266c9d1378e083f954dfa90365eba6501720e921e7588f1a

Download Submit
C:\Windows\System\JpWRdIZ.exe

Filesize
5.2MB

MD5
d56546cac98b2abcc76cb77be4bffcb7

SHA1
8e047be5a38e119e3eba4a1eaf94fe6f4c64b71f

SHA256
1d19ab82e83b29cec36c5cf9c4d16f167c300386abe6705aced8e7275dce88aa

SHA512
7cd50a9dd534108debe9d7ba71a21716cea5e1475fbc0c5f85d456c6ccd31a00c75638819a21c48b186e1d363d6e3c17700f92618e1604aaec7ad3c7f9987f38

Download Submit
C:\Windows\System\NiZechv.exe

Filesize
5.2MB

MD5
0f9cd4b1e2fdb204d0a116a64e7a5d3a

SHA1
e779e35c8e71d522fd7c1ac5619987e387bee5cb

SHA256
056035e2dda17e087f9d26f8b81a840a3c38e3b2a0e55af46396c0e445d41bd6

SHA512
460a73ca75330b9330195b4f9c154ed403aca6bda5aa3d6272848eb2eb00991a15d513e162174da8df0d6e35a48f65d701813d099c235894835d35d980d2809f

Download Submit
C:\Windows\System\QwxPKRu.exe

Filesize
5.2MB

MD5
c73bd34bacbe19d84f7c9fda6f902f44

SHA1
f88171055f1564a472698c5d971e5777f62fb495

SHA256
4af77552b553de89fa5e4ba70fa40f3c73d2513d15316bf839fd297e07d5332e

SHA512
165f4ddf4248650be1441a3df0cafd9aa743e4e28dc1ec7d8db16e19399113b3f965f25fb9bde85917e3cadd36ca6f2c5b58956896b2ffd60efaf609c1739820

Download Submit
C:\Windows\System\ROXzlBt.exe

Filesize
5.2MB

MD5
03b6e8ea136ae43b1e7713cc1c388a22

SHA1
440fc1a827b72d6172238d64f7400544353b3ceb

SHA256
a1d790bdd0d19bbd84579918c13ff4c347cbfdbb54dac6f7142c12c680ec3aae

SHA512
c1827cd310562ff14495df893205e989a696233e427453fe5976c9e2561b363bd5709431c2a1e59f19d42a8c1dcceedbe058b0a4e5e51a1e1c22fa25210cd876

Download Submit
C:\Windows\System\SrDTnVN.exe

Filesize
5.2MB

MD5
2186a119eb5d15daab3e1e14a50b07aa

SHA1
32ae3a5a370835f9e7205f83f23cf7df9e15ef02

SHA256
feaac26c7597a0257bdd741b7c314377c38c46d3140eda8454ab5cdaae3bcd45

SHA512
32a31c8293cef334f1c4bd42490069be61c7acd3e50eda4d3860b935c7efd846ff50f5ec60455192948b4936507c5f74ebc5498e076451480c094289a5d339f1

Download Submit
C:\Windows\System\YNenUSq.exe

Filesize
5.2MB

MD5
7b5adb238855b2bcb116a4d67b497971

SHA1
98b084778a34d419883ea910768c88d0a9cd4e17

SHA256
880721f5c308047bee2ffc00edc497ea6f2879620fd051c3dc58f5f6f6c01d79

SHA512
0e1424daa4644f3be269f72fb72d61fe02608cc091aa0711fe180d096e8baa53cad58ee9721119e23693ec5467fbb1ba5b6d26de607e881ce029c241f3ca10e0

Download Submit
C:\Windows\System\bOkExih.exe

Filesize
5.2MB

MD5
ab5470dbc2234bd428e984d3e67e944a

SHA1
b8c26248f5045572f950bc9a6b823e07ae3e5152

SHA256
ee657b18311b0710d6606615683c8efba62a8077c75319c7f2a810744d6d694f

SHA512
91b7dc32de03affab2855dc701141417ec63b327528856c8abf6d76688b9d2c31a0e5ee949ad3c6a27f9f79eeafe55c61708a802ba337c07eee53ff3ab3d3eea

Download Submit
C:\Windows\System\cgZszjq.exe

Filesize
5.2MB

MD5
87893cd10f3a66dbf01dac493176999e

SHA1
d98c5572fd974a5930445fd2bddc98e2c4eb1da6

SHA256
a5de7bfd2a96aaffe237e52e58ed04fa3e5d0fbee25aa575d5072f05f22ad01a

SHA512
ec2d120334aed4068931edae9dba385a92210d0fcae1863de8f27f06c9037a62aeec7d3e4fb493b0727b0a82148ec451b6d149b43975e76c87258ac1cb0fb0c6

Download Submit
C:\Windows\System\fHFGaAE.exe

Filesize
5.2MB

MD5
6864f1f8de47dfe70bc66211ed1ddaf1

SHA1
c3c57b4b688575a766bc1a7de71769d985a85777

SHA256
344d867efd75445ca320c1447876da9a23ef0be176d342b758a11afa175c8f36

SHA512
329313f5d62f5f8537ccc37ecea9e1a5b389b9b339e2a70be4a387477774a43d66fef677cd0eda40727c7b3cff36feb4218442c299289881a4e19142ff308aa6

Download Submit
C:\Windows\System\iUDtCtK.exe

Filesize
5.2MB

MD5
4fd725d8b297460eff20bb04b2e1de50

SHA1
04747c413d215fe0aafaa192c96f748475ef9fdf

SHA256
cd2ea9c2f3f8ade67141c487458b500ff45dcd0e10a7315cfda68cb36dbc94d9

SHA512
c58eccc53997bfce7fb3179cb464d99f8dcf0f2221a7889a51c32d8116d499e7e763ca69852cee88e0169158cbbb33da30b91189c2bfa421bb8e908c67c079f4

Download Submit
C:\Windows\System\jrPEKSk.exe

Filesize
5.2MB

MD5
9444c87b5e348c5f185ac4ff0df98133

SHA1
2d472c58edf61620d19f7a24fe963f67e397754f

SHA256
6f3a6732ac3af45a76a0c6265b54b547f52f1a0ebce33d3fb8cff75531585ab3

SHA512
ff156695dab0e4255cd32cce83b91a1519b738eb392ecd7931ea9ffd2fe1e73feeef57a167e3f0dcf980d2d23632b773bcbd9c0c1bab8ae8ac4719a49e1f2db4

Download Submit
C:\Windows\System\mwfWtSR.exe

Filesize
5.2MB

MD5
7395210c447152afd8bdb48e38d0acfd

SHA1
143241454179bff3a9f541b84d7d1a933ab975b2

SHA256
d4cae2e5cfdb38554de8bbd5a894b18af6005106f1ad48dc08c70be962bf81f9

SHA512
7cd08bbf01781c71d8680c1120785b9291f23fc7f546a3bcc135c994c0c72c7d5be55692f08de3bb73a6c9d4af69bdf931dc24ec4204dbc0892912d82a3dc791

Download Submit
C:\Windows\System\ocqyOLx.exe

Filesize
5.2MB

MD5
751193c17577216fe981b9af6e631440

SHA1
c4bed4a0989d0d64141aeaf3ac758f818342b475

SHA256
6b77166a60d5dd80721481228e8d325bc745a7233bdfaf709a499dac745ccae6

SHA512
8f0a725db676140b9fc527d166d904eb676d0d9d9b4bb1922649675eb154d0d222a22688dab197a181a24060062a92443350883f6880beb0b98aea82db3af5bd

Download Submit
C:\Windows\System\unjXUpp.exe

Filesize
5.2MB

MD5
aa86ab3a4e9dcf4781182d701e4a5474

SHA1
b7f43ef8617f8a03e84a2aefb94a989518912a5e

SHA256
a5e8359150a26060b81e51bc59fa03bf1530face273b1299dd48d291cac80c81

SHA512
5c162027eef92ae92cbb64eb97e0eec7e7cdfe07c9fd4b8a383659b43b6b02ce8e067061679498f743a300735f0f7b1b5723d70bb3c0cee1b71fcb5d68f25886

Download Submit
C:\Windows\System\wvOThBP.exe

Filesize
5.2MB

MD5
ed78406881ab0832e42f5692b91b19c7

SHA1
4bcaece55d7604149ae8c3f2246ce03e26cd9cd7

SHA256
97fdfefd791ee65fcd72089cba0c817276a77144c3f64b3c348fcaead091bb24

SHA512
ee4c0baea84a9f48f28e7cd91c503b754ec304b473a9e46637cf0c4001f0f3e3db7f1da30756d936bd1f4c96f524cd3a95fb1a9bc3c876c0d7985d7455e183bf

Download Submit
C:\Windows\System\xUghGIA.exe

Filesize
5.2MB

MD5
082e801c5349418ac9181422892b1640

SHA1
a722f113b854b5ae9ae5ee9a4c7b30a2f34cf65b

SHA256
1215e7769f08823ee7edfddef0083419a9cdbdbb5c8cae4f6da1bf07ec198277

SHA512
09b8033628cbaf7cdc3fc302e6396935eb25f2182fe4d1c6240ef11a755b63fd811325a4df555094666d9545a690819ec2ce6d08b2df1c77011832a9e6414efd

Download Submit
C:\Windows\System\zNAxtQe.exe

Filesize
5.2MB

MD5
4818f41a449ae6d5f777d6d4b2705744

SHA1
e1be89bda5a7f7625ba6bdef3484c0354768a328

SHA256
29cd532948060ccf8f157d51d7299e5e920efadda548cce5625595ccb4287e9a

SHA512
3f8e8488649dc70094f0c57d898f1504c9e6c8edb2dd901b9a81e8220acdd2792deb08b1687817d3049f53550beb7c4c30d37b6fee8ae67bfddc688c0a90b7b1

Download Submit
memory/776-62-0x00007FF66C800000-0x00007FF66CB51000-memory.dmp

Filesize
3.3MB

Download
memory/776-137-0x00007FF66C800000-0x00007FF66CB51000-memory.dmp

Filesize
3.3MB

Download
memory/776-225-0x00007FF66C800000-0x00007FF66CB51000-memory.dmp

Filesize
3.3MB

Download
memory/1476-245-0x00007FF618430000-0x00007FF618781000-memory.dmp

Filesize
3.3MB

Download
memory/1476-94-0x00007FF618430000-0x00007FF618781000-memory.dmp

Filesize
3.3MB

Download
memory/1628-78-0x00007FF64EF00000-0x00007FF64F251000-memory.dmp

Filesize
3.3MB

Download
memory/1628-241-0x00007FF64EF00000-0x00007FF64F251000-memory.dmp

Filesize
3.3MB

Download
memory/1728-121-0x00007FF628D40000-0x00007FF629091000-memory.dmp

Filesize
3.3MB

Download
memory/1728-258-0x00007FF628D40000-0x00007FF629091000-memory.dmp

Filesize
3.3MB

Download
memory/1848-250-0x00007FF73FEF0000-0x00007FF740241000-memory.dmp

Filesize
3.3MB

Download
memory/1848-111-0x00007FF73FEF0000-0x00007FF740241000-memory.dmp

Filesize
3.3MB

Download
memory/1976-226-0x00007FF6C9B20000-0x00007FF6C9E71000-memory.dmp

Filesize
3.3MB

Download
memory/1976-52-0x00007FF6C9B20000-0x00007FF6C9E71000-memory.dmp

Filesize
3.3MB

Download
memory/1976-135-0x00007FF6C9B20000-0x00007FF6C9E71000-memory.dmp

Filesize
3.3MB

Download
memory/2060-144-0x00007FF737350000-0x00007FF7376A1000-memory.dmp

Filesize
3.3MB

Download
memory/2060-68-0x00007FF737350000-0x00007FF7376A1000-memory.dmp

Filesize
3.3MB

Download
memory/2060-0-0x00007FF737350000-0x00007FF7376A1000-memory.dmp

Filesize
3.3MB

Download
memory/2060-1-0x000002194C7C0000-0x000002194C7D0000-memory.dmp

Filesize
64KB

Download
memory/2060-172-0x00007FF737350000-0x00007FF7376A1000-memory.dmp

Filesize
3.3MB

Download
memory/2124-76-0x00007FF76A560000-0x00007FF76A8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2124-207-0x00007FF76A560000-0x00007FF76A8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2124-17-0x00007FF76A560000-0x00007FF76A8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-213-0x00007FF7E99F0000-0x00007FF7E9D41000-memory.dmp

Filesize
3.3MB

Download
memory/2628-42-0x00007FF7E99F0000-0x00007FF7E9D41000-memory.dmp

Filesize
3.3MB

Download
memory/2712-222-0x00007FF7CC670000-0x00007FF7CC9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-47-0x00007FF7CC670000-0x00007FF7CC9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2836-259-0x00007FF64EE80000-0x00007FF64F1D1000-memory.dmp

Filesize
3.3MB

Download
memory/2836-126-0x00007FF64EE80000-0x00007FF64F1D1000-memory.dmp

Filesize
3.3MB

Download
memory/2952-212-0x00007FF672640000-0x00007FF672991000-memory.dmp

Filesize
3.3MB

Download
memory/2952-44-0x00007FF672640000-0x00007FF672991000-memory.dmp

Filesize
3.3MB

Download
memory/3296-262-0x00007FF79EB30000-0x00007FF79EE81000-memory.dmp

Filesize
3.3MB

Download
memory/3296-143-0x00007FF79EB30000-0x00007FF79EE81000-memory.dmp

Filesize
3.3MB

Download
memory/3304-120-0x00007FF6D78C0000-0x00007FF6D7C11000-memory.dmp

Filesize
3.3MB

Download
memory/3304-253-0x00007FF6D78C0000-0x00007FF6D7C11000-memory.dmp

Filesize
3.3MB

Download
memory/3332-99-0x00007FF684540000-0x00007FF684891000-memory.dmp

Filesize
3.3MB

Download
memory/3332-247-0x00007FF684540000-0x00007FF684891000-memory.dmp

Filesize
3.3MB

Download
memory/3384-220-0x00007FF71ED90000-0x00007FF71F0E1000-memory.dmp

Filesize
3.3MB

Download
memory/3384-132-0x00007FF71ED90000-0x00007FF71F0E1000-memory.dmp

Filesize
3.3MB

Download
memory/3384-36-0x00007FF71ED90000-0x00007FF71F0E1000-memory.dmp

Filesize
3.3MB

Download
memory/3460-57-0x00007FF7428B0000-0x00007FF742C01000-memory.dmp

Filesize
3.3MB

Download
memory/3460-228-0x00007FF7428B0000-0x00007FF742C01000-memory.dmp

Filesize
3.3MB

Download
memory/3460-136-0x00007FF7428B0000-0x00007FF742C01000-memory.dmp

Filesize
3.3MB

Download
memory/3652-125-0x00007FF608D50000-0x00007FF6090A1000-memory.dmp

Filesize
3.3MB

Download
memory/3652-209-0x00007FF608D50000-0x00007FF6090A1000-memory.dmp

Filesize
3.3MB

Download
memory/3652-20-0x00007FF608D50000-0x00007FF6090A1000-memory.dmp

Filesize
3.3MB

Download
memory/4012-117-0x00007FF6BCC10000-0x00007FF6BCF61000-memory.dmp

Filesize
3.3MB

Download
memory/4012-251-0x00007FF6BCC10000-0x00007FF6BCF61000-memory.dmp

Filesize
3.3MB

Download
memory/4032-84-0x00007FF6CD710000-0x00007FF6CDA61000-memory.dmp

Filesize
3.3MB

Download
memory/4032-243-0x00007FF6CD710000-0x00007FF6CDA61000-memory.dmp

Filesize
3.3MB

Download
memory/4200-122-0x00007FF69E660000-0x00007FF69E9B1000-memory.dmp

Filesize
3.3MB

Download
memory/4200-255-0x00007FF69E660000-0x00007FF69E9B1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-6-0x00007FF612270000-0x00007FF6125C1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-89-0x00007FF612270000-0x00007FF6125C1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-205-0x00007FF612270000-0x00007FF6125C1000-memory.dmp

Filesize
3.3MB

Download