cobaltstrike | 4767ea2d6a5e98c10054ded22c6907e50d20ee39a1dd37c69ad043ba28fbee91

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ef815ed4ddc9641764fd1814990ca01a
SHA1

b6f01c27e840108460a022163a0d2edd4c953766
SHA256

4767ea2d6a5e98c10054ded22c6907e50d20ee39a1dd37c69ad043ba28fbee91
SHA512

8c91a97ca03b8a1f5638f8f70cd018e69091db88158224dfac5ea2af15b4ebaf550b6074f2f4328600cdc1a28b2fd10a92508228ed440aa999b707604bcff5aa
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibd56utgpPFotBER/mQ32lUQ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b77-6.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b80-18.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b81-23.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b7f-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-30.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-49.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-52.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-66.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-75.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-89.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-120.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-129.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-133.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-127.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-113.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-92.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b7c-85.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-63.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3048-82-0x00007FF7D8470000-0x00007FF7D87C1000-memory.dmp	xmrig
behavioral2/memory/4820-131-0x00007FF7DFF40000-0x00007FF7E0291000-memory.dmp	xmrig
behavioral2/memory/4408-118-0x00007FF6A5840000-0x00007FF6A5B91000-memory.dmp	xmrig
behavioral2/memory/4764-103-0x00007FF6D5FC0000-0x00007FF6D6311000-memory.dmp	xmrig
behavioral2/memory/1488-96-0x00007FF7AB850000-0x00007FF7ABBA1000-memory.dmp	xmrig
behavioral2/memory/4780-94-0x00007FF61CE30000-0x00007FF61D181000-memory.dmp	xmrig
behavioral2/memory/1596-71-0x00007FF60D680000-0x00007FF60D9D1000-memory.dmp	xmrig
behavioral2/memory/4456-70-0x00007FF744B90000-0x00007FF744EE1000-memory.dmp	xmrig
behavioral2/memory/2996-73-0x00007FF633F70000-0x00007FF6342C1000-memory.dmp	xmrig
behavioral2/memory/4856-61-0x00007FF6E1E00000-0x00007FF6E2151000-memory.dmp	xmrig
behavioral2/memory/1052-56-0x00007FF7DC620000-0x00007FF7DC971000-memory.dmp	xmrig
behavioral2/memory/60-135-0x00007FF70FCD0000-0x00007FF710021000-memory.dmp	xmrig
behavioral2/memory/4856-136-0x00007FF6E1E00000-0x00007FF6E2151000-memory.dmp	xmrig
behavioral2/memory/3524-137-0x00007FF787B50000-0x00007FF787EA1000-memory.dmp	xmrig
behavioral2/memory/4456-138-0x00007FF744B90000-0x00007FF744EE1000-memory.dmp	xmrig
behavioral2/memory/4168-151-0x00007FF6A22B0000-0x00007FF6A2601000-memory.dmp	xmrig
behavioral2/memory/4756-154-0x00007FF716080000-0x00007FF7163D1000-memory.dmp	xmrig
behavioral2/memory/2168-153-0x00007FF6D1480000-0x00007FF6D17D1000-memory.dmp	xmrig
behavioral2/memory/4580-155-0x00007FF799100000-0x00007FF799451000-memory.dmp	xmrig
behavioral2/memory/3588-161-0x00007FF6B1360000-0x00007FF6B16B1000-memory.dmp	xmrig
behavioral2/memory/612-160-0x00007FF7C7820000-0x00007FF7C7B71000-memory.dmp	xmrig
behavioral2/memory/3536-158-0x00007FF63D150000-0x00007FF63D4A1000-memory.dmp	xmrig
behavioral2/memory/2772-159-0x00007FF6E1120000-0x00007FF6E1471000-memory.dmp	xmrig
behavioral2/memory/2760-157-0x00007FF68A630000-0x00007FF68A981000-memory.dmp	xmrig
behavioral2/memory/4456-162-0x00007FF744B90000-0x00007FF744EE1000-memory.dmp	xmrig
behavioral2/memory/2996-213-0x00007FF633F70000-0x00007FF6342C1000-memory.dmp	xmrig
behavioral2/memory/3048-215-0x00007FF7D8470000-0x00007FF7D87C1000-memory.dmp	xmrig
behavioral2/memory/4780-217-0x00007FF61CE30000-0x00007FF61D181000-memory.dmp	xmrig
behavioral2/memory/4764-219-0x00007FF6D5FC0000-0x00007FF6D6311000-memory.dmp	xmrig
behavioral2/memory/4408-236-0x00007FF6A5840000-0x00007FF6A5B91000-memory.dmp	xmrig
behavioral2/memory/4820-238-0x00007FF7DFF40000-0x00007FF7E0291000-memory.dmp	xmrig
behavioral2/memory/60-240-0x00007FF70FCD0000-0x00007FF710021000-memory.dmp	xmrig
behavioral2/memory/1052-242-0x00007FF7DC620000-0x00007FF7DC971000-memory.dmp	xmrig
behavioral2/memory/3524-245-0x00007FF787B50000-0x00007FF787EA1000-memory.dmp	xmrig
behavioral2/memory/1596-248-0x00007FF60D680000-0x00007FF60D9D1000-memory.dmp	xmrig
behavioral2/memory/4856-247-0x00007FF6E1E00000-0x00007FF6E2151000-memory.dmp	xmrig
behavioral2/memory/2168-250-0x00007FF6D1480000-0x00007FF6D17D1000-memory.dmp	xmrig
behavioral2/memory/4168-252-0x00007FF6A22B0000-0x00007FF6A2601000-memory.dmp	xmrig
behavioral2/memory/1488-254-0x00007FF7AB850000-0x00007FF7ABBA1000-memory.dmp	xmrig
behavioral2/memory/4756-256-0x00007FF716080000-0x00007FF7163D1000-memory.dmp	xmrig
behavioral2/memory/2760-260-0x00007FF68A630000-0x00007FF68A981000-memory.dmp	xmrig
behavioral2/memory/3588-263-0x00007FF6B1360000-0x00007FF6B16B1000-memory.dmp	xmrig
behavioral2/memory/4580-262-0x00007FF799100000-0x00007FF799451000-memory.dmp	xmrig
behavioral2/memory/3536-267-0x00007FF63D150000-0x00007FF63D4A1000-memory.dmp	xmrig
behavioral2/memory/2772-266-0x00007FF6E1120000-0x00007FF6E1471000-memory.dmp	xmrig
behavioral2/memory/612-269-0x00007FF7C7820000-0x00007FF7C7B71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2996	IARMPty.exe
3048	plxxUgI.exe
4780	DrCCRSV.exe
4764	hKPtDUS.exe
4408	lRCILHZ.exe
4820	JqJjsuE.exe
60	bpzbbWz.exe
1052	mWPeIiu.exe
4856	aQUpUDo.exe
3524	FBkdVLp.exe
1596	QfzQICB.exe
2168	edWgLFr.exe
4168	dBpdVXW.exe
1488	TQvCPDN.exe
4756	sWGnaIr.exe
4580	SZTXVoc.exe
3588	myWgJua.exe
2760	VVXDAAE.exe
3536	LVlqjzv.exe
2772	hOyjmWO.exe
612	dYsjDpq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4456-0-0x00007FF744B90000-0x00007FF744EE1000-memory.dmp	upx
behavioral2/files/0x000c000000023b77-6.dat	upx
behavioral2/memory/3048-14-0x00007FF7D8470000-0x00007FF7D87C1000-memory.dmp	upx
behavioral2/memory/4780-20-0x00007FF61CE30000-0x00007FF61D181000-memory.dmp	upx
behavioral2/files/0x0031000000023b80-18.dat	upx
behavioral2/files/0x0031000000023b81-23.dat	upx
behavioral2/memory/4764-25-0x00007FF6D5FC0000-0x00007FF6D6311000-memory.dmp	upx
behavioral2/files/0x0031000000023b7f-12.dat	upx
behavioral2/memory/2996-8-0x00007FF633F70000-0x00007FF6342C1000-memory.dmp	upx
behavioral2/memory/4408-31-0x00007FF6A5840000-0x00007FF6A5B91000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-30.dat	upx
behavioral2/files/0x000a000000023b83-35.dat	upx
behavioral2/files/0x000a000000023b84-39.dat	upx
behavioral2/files/0x000a000000023b85-49.dat	upx
behavioral2/files/0x000a000000023b86-52.dat	upx
behavioral2/memory/3524-64-0x00007FF787B50000-0x00007FF787EA1000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-66.dat	upx
behavioral2/memory/2168-74-0x00007FF6D1480000-0x00007FF6D17D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-75.dat	upx
behavioral2/memory/3048-82-0x00007FF7D8470000-0x00007FF7D87C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-89.dat	upx
behavioral2/files/0x000a000000023b8e-106.dat	upx
behavioral2/files/0x000a000000023b8c-120.dat	upx
behavioral2/files/0x000a000000023b90-129.dat	upx
behavioral2/files/0x000a000000023b91-133.dat	upx
behavioral2/memory/612-132-0x00007FF7C7820000-0x00007FF7C7B71000-memory.dmp	upx
behavioral2/memory/4820-131-0x00007FF7DFF40000-0x00007FF7E0291000-memory.dmp	upx
behavioral2/files/0x000a000000023b8f-127.dat	upx
behavioral2/memory/3536-126-0x00007FF63D150000-0x00007FF63D4A1000-memory.dmp	upx
behavioral2/memory/2772-125-0x00007FF6E1120000-0x00007FF6E1471000-memory.dmp	upx
behavioral2/memory/2760-119-0x00007FF68A630000-0x00007FF68A981000-memory.dmp	upx
behavioral2/memory/4408-118-0x00007FF6A5840000-0x00007FF6A5B91000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-113.dat	upx
behavioral2/memory/4580-111-0x00007FF799100000-0x00007FF799451000-memory.dmp	upx
behavioral2/memory/3588-109-0x00007FF6B1360000-0x00007FF6B16B1000-memory.dmp	upx
behavioral2/memory/4764-103-0x00007FF6D5FC0000-0x00007FF6D6311000-memory.dmp	upx
behavioral2/memory/4756-102-0x00007FF716080000-0x00007FF7163D1000-memory.dmp	upx
behavioral2/memory/1488-96-0x00007FF7AB850000-0x00007FF7ABBA1000-memory.dmp	upx
behavioral2/memory/4780-94-0x00007FF61CE30000-0x00007FF61D181000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-92.dat	upx
behavioral2/files/0x000b000000023b7c-85.dat	upx
behavioral2/memory/4168-83-0x00007FF6A22B0000-0x00007FF6A2601000-memory.dmp	upx
behavioral2/memory/1596-71-0x00007FF60D680000-0x00007FF60D9D1000-memory.dmp	upx
behavioral2/memory/4456-70-0x00007FF744B90000-0x00007FF744EE1000-memory.dmp	upx
behavioral2/memory/2996-73-0x00007FF633F70000-0x00007FF6342C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-63.dat	upx
behavioral2/memory/4856-61-0x00007FF6E1E00000-0x00007FF6E2151000-memory.dmp	upx
behavioral2/memory/1052-56-0x00007FF7DC620000-0x00007FF7DC971000-memory.dmp	upx
behavioral2/memory/60-44-0x00007FF70FCD0000-0x00007FF710021000-memory.dmp	upx
behavioral2/memory/4820-36-0x00007FF7DFF40000-0x00007FF7E0291000-memory.dmp	upx
behavioral2/memory/60-135-0x00007FF70FCD0000-0x00007FF710021000-memory.dmp	upx
behavioral2/memory/4856-136-0x00007FF6E1E00000-0x00007FF6E2151000-memory.dmp	upx
behavioral2/memory/3524-137-0x00007FF787B50000-0x00007FF787EA1000-memory.dmp	upx
behavioral2/memory/4456-138-0x00007FF744B90000-0x00007FF744EE1000-memory.dmp	upx
behavioral2/memory/4168-151-0x00007FF6A22B0000-0x00007FF6A2601000-memory.dmp	upx
behavioral2/memory/4756-154-0x00007FF716080000-0x00007FF7163D1000-memory.dmp	upx
behavioral2/memory/2168-153-0x00007FF6D1480000-0x00007FF6D17D1000-memory.dmp	upx
behavioral2/memory/4580-155-0x00007FF799100000-0x00007FF799451000-memory.dmp	upx
behavioral2/memory/3588-161-0x00007FF6B1360000-0x00007FF6B16B1000-memory.dmp	upx
behavioral2/memory/612-160-0x00007FF7C7820000-0x00007FF7C7B71000-memory.dmp	upx
behavioral2/memory/3536-158-0x00007FF63D150000-0x00007FF63D4A1000-memory.dmp	upx
behavioral2/memory/2772-159-0x00007FF6E1120000-0x00007FF6E1471000-memory.dmp	upx
behavioral2/memory/2760-157-0x00007FF68A630000-0x00007FF68A981000-memory.dmp	upx
behavioral2/memory/4456-162-0x00007FF744B90000-0x00007FF744EE1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\SZTXVoc.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VVXDAAE.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JqJjsuE.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FBkdVLp.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dYsjDpq.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DrCCRSV.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hKPtDUS.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mWPeIiu.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QfzQICB.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TQvCPDN.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\myWgJua.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hOyjmWO.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\plxxUgI.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lRCILHZ.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aQUpUDo.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\edWgLFr.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dBpdVXW.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sWGnaIr.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LVlqjzv.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IARMPty.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bpzbbWz.exe	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 2996	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4456 wrote to memory of 2996	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4456 wrote to memory of 3048	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4456 wrote to memory of 3048	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4456 wrote to memory of 4780	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4456 wrote to memory of 4780	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4456 wrote to memory of 4764	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4456 wrote to memory of 4764	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4456 wrote to memory of 4408	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4456 wrote to memory of 4408	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4456 wrote to memory of 4820	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4456 wrote to memory of 4820	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4456 wrote to memory of 60	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4456 wrote to memory of 60	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4456 wrote to memory of 1052	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4456 wrote to memory of 1052	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4456 wrote to memory of 4856	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4456 wrote to memory of 4856	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4456 wrote to memory of 3524	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4456 wrote to memory of 3524	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4456 wrote to memory of 1596	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4456 wrote to memory of 1596	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4456 wrote to memory of 2168	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4456 wrote to memory of 2168	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4456 wrote to memory of 4168	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4456 wrote to memory of 4168	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4456 wrote to memory of 1488	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4456 wrote to memory of 1488	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4456 wrote to memory of 4756	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4456 wrote to memory of 4756	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4456 wrote to memory of 4580	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4456 wrote to memory of 4580	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4456 wrote to memory of 3588	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4456 wrote to memory of 3588	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4456 wrote to memory of 2760	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4456 wrote to memory of 2760	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4456 wrote to memory of 3536	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4456 wrote to memory of 3536	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4456 wrote to memory of 2772	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4456 wrote to memory of 2772	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4456 wrote to memory of 612	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4456 wrote to memory of 612	4456	2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-12_ef815ed4ddc9641764fd1814990ca01a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\System\IARMPty.exe
  C:\Windows\System\IARMPty.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\plxxUgI.exe
  C:\Windows\System\plxxUgI.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\DrCCRSV.exe
  C:\Windows\System\DrCCRSV.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\hKPtDUS.exe
  C:\Windows\System\hKPtDUS.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\lRCILHZ.exe
  C:\Windows\System\lRCILHZ.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\JqJjsuE.exe
  C:\Windows\System\JqJjsuE.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System\bpzbbWz.exe
  C:\Windows\System\bpzbbWz.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\mWPeIiu.exe
  C:\Windows\System\mWPeIiu.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\aQUpUDo.exe
  C:\Windows\System\aQUpUDo.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\FBkdVLp.exe
  C:\Windows\System\FBkdVLp.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\QfzQICB.exe
  C:\Windows\System\QfzQICB.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\edWgLFr.exe
  C:\Windows\System\edWgLFr.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\dBpdVXW.exe
  C:\Windows\System\dBpdVXW.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\TQvCPDN.exe
  C:\Windows\System\TQvCPDN.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\sWGnaIr.exe
  C:\Windows\System\sWGnaIr.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\SZTXVoc.exe
  C:\Windows\System\SZTXVoc.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\myWgJua.exe
  C:\Windows\System\myWgJua.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System\VVXDAAE.exe
  C:\Windows\System\VVXDAAE.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\LVlqjzv.exe
  C:\Windows\System\LVlqjzv.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\hOyjmWO.exe
  C:\Windows\System\hOyjmWO.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\dYsjDpq.exe
  C:\Windows\System\dYsjDpq.exe
  2⤵
  - Executes dropped EXE
  PID:612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DrCCRSV.exe

Filesize
5.2MB

MD5
2fa8c52c9851ee7b607d7778c20e9178

SHA1
2754c2917838b89ad109b0aade8b75119f39f78f

SHA256
79bcea43df31156f5ce4718eb606daa7f3eadbcb520ae1f1a15e1f46abb45b9b

SHA512
beafb1e64955435434def2fdec48c49a5d31e2feea9e87205ce54250c9b885cffaa2e91c1a3d13319856bcb50a441a8a432bc72f35deab24e152c2e6f9e18d69

Download Submit
C:\Windows\System\FBkdVLp.exe

Filesize
5.2MB

MD5
714f7dc270c13292efa320d5df576cf5

SHA1
88208809680af9d64e75acade8a1f945f11c1579

SHA256
bac88ba774596e61fa164eae0490da08d2911242e4ce2c592ac54e8cff37908d

SHA512
445759deb639b9450baa1dd427dbd50c3c80526e2f41471b0d3f9cbb66ee7b3458b3629ad0f00c150d09d018b309b114b3ddfac7c5f7671465372236dfaa34c9

Download Submit
C:\Windows\System\IARMPty.exe

Filesize
5.2MB

MD5
8952d3b16a544d2a50dd4bf075ae5b8a

SHA1
087e526eb8a89406d5f14b5ce16fd7ecbedf3443

SHA256
e8090f143baa1f3c01123e3cc9d99af331bead3312cdec1f4e4e3ac7ccf15452

SHA512
db835f8b08a6de761cb0746b71297c834c90a39d1d9eb25bfa24078bac528f64d89a207845f4b2b067262e1c498d2e60fc5e31d3f9710a272877926347a31f46

Download Submit
C:\Windows\System\JqJjsuE.exe

Filesize
5.2MB

MD5
7fddbb669c344707bc3428db6b0b70a9

SHA1
f63d50792dd60bcd8645b84d6463bea7fa8bec97

SHA256
48bafd650dd3511cf81c03d5750794d248d56b0e18901713da5d655b22783620

SHA512
63452e18d268206417dd9cb8b2fc078d59c188bec3c9fae49ea97a65d760b1a07b46dce0b2ca28bfdb28d4b57fa3c14af850122a39ee3824a8a556f90215f1da

Download Submit
C:\Windows\System\LVlqjzv.exe

Filesize
5.2MB

MD5
58ca5bc75608ce269fd0ba1fbe9caa42

SHA1
a9f052838f8638182c23abf31868ac09258071eb

SHA256
7682a248b34647fcf58aea3c3597593bb06969f8025662879d9d88d8e60bf69c

SHA512
625489968da551b93845afbadb47d0747f4f7a270d71efc2ef975a0e12cd343e5a088efc1225b83a7831ae30aff6abd59857c111e4d70b4b16a05d986acc3c2b

Download Submit
C:\Windows\System\QfzQICB.exe

Filesize
5.2MB

MD5
0ff00d92b0e6f809fe8c0cf909b82c04

SHA1
9bc242cda3d5f91286aa29ecd6947b7aa25281df

SHA256
4f04acdefac046fd3036fbc92ddc6c9a1c3d196d138868a4a8de48317170aaf0

SHA512
f74e8cb8ca837e15291e0f0e01ea66533226e17100e5d56c3b05054f9fbd42a9da9812ecfcfc4c687cb58b5ea9146d9d38616dd093669fbff659a2c55910efa7

Download Submit
C:\Windows\System\SZTXVoc.exe

Filesize
5.2MB

MD5
6b661afb7a8a18a8a5a06baee8632002

SHA1
9b4b084fc2e147e9e5ef5f88eb78693ecdf0a583

SHA256
18209370367220e69b00e6c46c745951afb25a818d0dc566a7071a01be714af9

SHA512
fb09e582092e1af40197dcd0d69a981f7e1da0eb679492bb42a5e576346837b1f1273a947d048cb150a1794b64805ff3509b95983d97f4bce5dbb0d48d5f608e

Download Submit
C:\Windows\System\TQvCPDN.exe

Filesize
5.2MB

MD5
15f137062695fffe236dffa4459a527c

SHA1
7585394b33a84ea226afd32513f1220447a55b08

SHA256
0c6693dd1109855b335e74e15045952f012e0a6ec28a457080d50dabd74c9901

SHA512
a5886a41c356ec10a23a4fa4ab4bfb806773655977b1e3d38466da7c08230ee519c4f47d3e56ef06f3c8176c79b58a65bae34476acd29c4da6326c49b9ab23b4

Download Submit
C:\Windows\System\VVXDAAE.exe

Filesize
5.2MB

MD5
25994a1674b634742de26cb2b359dcf3

SHA1
50e432361f93045769bbcaafd63d74f769f844e7

SHA256
a2a87bd8170d947274d6ee40d6ac51192e28feff0d17e9f4e1573dc91f8d041e

SHA512
262ce6bad7fa29d2a1a0138114125d439ff5ca1891c1a23494d7a61eb2c381c470ec347409d889a51449afd185df9f7b4e6f2b2461a4edbe53c6075fba95b005

Download Submit
C:\Windows\System\aQUpUDo.exe

Filesize
5.2MB

MD5
aaf0687172253ba1c13a48ab3a9bde15

SHA1
763f97b8f96aaaccd88941da2013354698eaa064

SHA256
265d4374c7bf519b211ab29d309ea4fe7f2e66b01c03f7ff85d4b33dd9db01a7

SHA512
748cf4e767c6c96d6cffe3840f531efd4cc4dfd000345a73935aa0a8b006494ac60cddb90f097fbde784c24c4acb3b4c546bf73116babe2b28c323b9ad1a691e

Download Submit
C:\Windows\System\bpzbbWz.exe

Filesize
5.2MB

MD5
113319717d493a38e1558ee99d14b308

SHA1
e19fc989955a12ed5c4d518bcefd16514641fbb7

SHA256
e3cb2deb9ab1ee3fb4187916a8e851fc36186181a578f206f83a2f75ce5de196

SHA512
64cb2db4929ce41bc046c895b67956af0a6f7057fcc8a92378e55457dfd8c1962416af35063d43ba3ce11860f1badf00eedf50050c07998e59c014a41e8c144a

Download Submit
C:\Windows\System\dBpdVXW.exe

Filesize
5.2MB

MD5
f24ec4bc30fd605499b04a014a494d54

SHA1
0a682191e0ae8263d059f00fe164ed18cbf98104

SHA256
1d4e931bb9164599f60453c3937c05fefaeec02263d803bf193b9f820902cbce

SHA512
e166b9733449e6d9c80086578052940efbfb9cff41304f4920d037efc6d641ebf28e4c51590641077bddc92a8928499a0e075eebac06e48da900e162ca4d75e7

Download Submit
C:\Windows\System\dYsjDpq.exe

Filesize
5.2MB

MD5
63278f31ea77f90c26abdc76da07f1ff

SHA1
fdd96fe2f23c3b61505e48c63c016ca4f7fcae7b

SHA256
c934df9cbef0c62ec718237bafa6c67ebc4310d580e1264f6cdb0971ce1e479d

SHA512
603edd83a70087446ac5f9d1b8c87f7e784f3ac03262f45f2cd72a8f39c1f80342e7623f13e716af9dc9160ea5164eaf74996380e412f97dc876fd43c5734b39

Download Submit
C:\Windows\System\edWgLFr.exe

Filesize
5.2MB

MD5
8774c7c11753011a4d1229be6e3a0127

SHA1
593fecd722518b20d3fff7f6530c01450c9167cf

SHA256
38d89d886cb49069c6deca52b6164580eaacc982031375eda9adbd894112499a

SHA512
7f2df0dd16f9d4881833e2898745c53aa5c5444c82fe9f8caf26e3963ba066ac32332d2580c1390ec033b2ef3d50094d915b8a9090fe52f6fe7d4f833a972d87

Download Submit
C:\Windows\System\hKPtDUS.exe

Filesize
5.2MB

MD5
7b4998e1cb76351eeb50d5a7aa953784

SHA1
063f553902bfd888406fc29b34bc64a404da6874

SHA256
8925e7391a3f0186a16636a6153ebe12ff0f416a5c68063cf7f9212ba9723f50

SHA512
7a3f382d5fe68389d198963b9b2e7f7f3cfb7b2258617cfb444b61aead164784c36c05bab9c9fa49c2cb2741608109dcd4249f17d1949dcb0cba875d19d82ad7

Download Submit
C:\Windows\System\hOyjmWO.exe

Filesize
5.2MB

MD5
abde31ababeff1d448c7df6a162dc0ff

SHA1
14912f2550b4bb6e02d7147a84ed9c2a4af18b51

SHA256
3c4a855e7638e70f25993133ff89c02db02715097bfc5b6bf5713a96d67753f3

SHA512
c460193141c2d5441d6e13def64c677ac887bf50ed79127eef0acc8d58c0db3f3f55a46a4d294ac79fdbcacd6bb531df98307d35b81c8d1792c0ff8eec557a6f

Download Submit
C:\Windows\System\lRCILHZ.exe

Filesize
5.2MB

MD5
4747d474785420d80579f97c3e12e406

SHA1
0bba56ba22a42fe032e83d297001a3d8f0b9b74d

SHA256
e80b24409f8bdb9d368fd6c4c9e94aeecb126ec11c9521a19016540251ea962e

SHA512
1d9f6c47efad435fab2c681f141c03ec75a6e61a282c0f1e66acaefdd519b9d6082b4113e8d8319b6e5468f369ecb5d26091084a6330543f38abf6cc9e0588de

Download Submit
C:\Windows\System\mWPeIiu.exe

Filesize
5.2MB

MD5
139215e801373de12e238d0e3425441d

SHA1
1c1ffb5344996d6567d8732c93d51f16c730f79e

SHA256
9ecd726ded77fed671bd04bd891e27c27bb48e84d07e50cb12e8d83cfaee74c4

SHA512
4cac3d13b0d95934b36bc30a5d21dbd8f629ea08239f11c24d1238aff9f736719e86d5856fc420650dd1a60f4f906a9a93f6b5e3a1a8b510aac9e07fd2cd2b1d

Download Submit
C:\Windows\System\myWgJua.exe

Filesize
5.2MB

MD5
5d732a3ea4d12877396e23b3a4d47d35

SHA1
ecde91366d0d3e2c925125bf7b8bc496c27d36af

SHA256
c55313893897bc477d40e4f1ddb526103d9fb91f199e7e40f00dda3793f13633

SHA512
32697a15c4090ca41fb6d0581473717c7b1a4c5316b91b1941b18a14f7dc8886f4de3f4489ac5145f7de26e6db3411a6e66626a8bc79c3d941513cdb6aa71291

Download Submit
C:\Windows\System\plxxUgI.exe

Filesize
5.2MB

MD5
8763a12c5635dbfa1d56b8b3bfadaf87

SHA1
bd398678725b113944b184ae24b73f4e6761d84d

SHA256
7e9dded1630603f7a3f140a6ac03b66723b979598ffca0e42d4e6c42debfa6ea

SHA512
b94b67b626c1e384f20a8ef8dc96063171a01f251bf4ecb0ea070be3bd8b59892e468f7f5d7949073a3b7bb77f491be03278e7b662fbc23e3e5675a4946f2709

Download Submit
C:\Windows\System\sWGnaIr.exe

Filesize
5.2MB

MD5
a3c305c540623cd3b111601d67911984

SHA1
28607ae1a78f6d69632524fd4e60b96f971f123f

SHA256
cd537501fe84e2d98473d170c6733575f8983521cb6538b61f084a47faaf2a2a

SHA512
25d1471f7cc278fbd55ccee0f43510dbeb651447aa3694a7ba039bba4708520f70ded4e64d6679fa017bde4cb897db13a5c16561596108915858e8febac11865

Download Submit
memory/60-44-0x00007FF70FCD0000-0x00007FF710021000-memory.dmp

Filesize
3.3MB

Download
memory/60-135-0x00007FF70FCD0000-0x00007FF710021000-memory.dmp

Filesize
3.3MB

Download
memory/60-240-0x00007FF70FCD0000-0x00007FF710021000-memory.dmp

Filesize
3.3MB

Download
memory/612-160-0x00007FF7C7820000-0x00007FF7C7B71000-memory.dmp

Filesize
3.3MB

Download
memory/612-132-0x00007FF7C7820000-0x00007FF7C7B71000-memory.dmp

Filesize
3.3MB

Download
memory/612-269-0x00007FF7C7820000-0x00007FF7C7B71000-memory.dmp

Filesize
3.3MB

Download
memory/1052-56-0x00007FF7DC620000-0x00007FF7DC971000-memory.dmp

Filesize
3.3MB

Download
memory/1052-242-0x00007FF7DC620000-0x00007FF7DC971000-memory.dmp

Filesize
3.3MB

Download
memory/1488-254-0x00007FF7AB850000-0x00007FF7ABBA1000-memory.dmp

Filesize
3.3MB

Download
memory/1488-96-0x00007FF7AB850000-0x00007FF7ABBA1000-memory.dmp

Filesize
3.3MB

Download
memory/1596-71-0x00007FF60D680000-0x00007FF60D9D1000-memory.dmp

Filesize
3.3MB

Download
memory/1596-248-0x00007FF60D680000-0x00007FF60D9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-250-0x00007FF6D1480000-0x00007FF6D17D1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-74-0x00007FF6D1480000-0x00007FF6D17D1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-153-0x00007FF6D1480000-0x00007FF6D17D1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-119-0x00007FF68A630000-0x00007FF68A981000-memory.dmp

Filesize
3.3MB

Download
memory/2760-157-0x00007FF68A630000-0x00007FF68A981000-memory.dmp

Filesize
3.3MB

Download
memory/2760-260-0x00007FF68A630000-0x00007FF68A981000-memory.dmp

Filesize
3.3MB

Download
memory/2772-125-0x00007FF6E1120000-0x00007FF6E1471000-memory.dmp

Filesize
3.3MB

Download
memory/2772-159-0x00007FF6E1120000-0x00007FF6E1471000-memory.dmp

Filesize
3.3MB

Download
memory/2772-266-0x00007FF6E1120000-0x00007FF6E1471000-memory.dmp

Filesize
3.3MB

Download
memory/2996-73-0x00007FF633F70000-0x00007FF6342C1000-memory.dmp

Filesize
3.3MB

Download
memory/2996-8-0x00007FF633F70000-0x00007FF6342C1000-memory.dmp

Filesize
3.3MB

Download
memory/2996-213-0x00007FF633F70000-0x00007FF6342C1000-memory.dmp

Filesize
3.3MB

Download
memory/3048-14-0x00007FF7D8470000-0x00007FF7D87C1000-memory.dmp

Filesize
3.3MB

Download
memory/3048-82-0x00007FF7D8470000-0x00007FF7D87C1000-memory.dmp

Filesize
3.3MB

Download
memory/3048-215-0x00007FF7D8470000-0x00007FF7D87C1000-memory.dmp

Filesize
3.3MB

Download
memory/3524-245-0x00007FF787B50000-0x00007FF787EA1000-memory.dmp

Filesize
3.3MB

Download
memory/3524-64-0x00007FF787B50000-0x00007FF787EA1000-memory.dmp

Filesize
3.3MB

Download
memory/3524-137-0x00007FF787B50000-0x00007FF787EA1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-126-0x00007FF63D150000-0x00007FF63D4A1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-158-0x00007FF63D150000-0x00007FF63D4A1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-267-0x00007FF63D150000-0x00007FF63D4A1000-memory.dmp

Filesize
3.3MB

Download
memory/3588-161-0x00007FF6B1360000-0x00007FF6B16B1000-memory.dmp

Filesize
3.3MB

Download
memory/3588-109-0x00007FF6B1360000-0x00007FF6B16B1000-memory.dmp

Filesize
3.3MB

Download
memory/3588-263-0x00007FF6B1360000-0x00007FF6B16B1000-memory.dmp

Filesize
3.3MB

Download
memory/4168-151-0x00007FF6A22B0000-0x00007FF6A2601000-memory.dmp

Filesize
3.3MB

Download
memory/4168-83-0x00007FF6A22B0000-0x00007FF6A2601000-memory.dmp

Filesize
3.3MB

Download
memory/4168-252-0x00007FF6A22B0000-0x00007FF6A2601000-memory.dmp

Filesize
3.3MB

Download
memory/4408-118-0x00007FF6A5840000-0x00007FF6A5B91000-memory.dmp

Filesize
3.3MB

Download
memory/4408-31-0x00007FF6A5840000-0x00007FF6A5B91000-memory.dmp

Filesize
3.3MB

Download
memory/4408-236-0x00007FF6A5840000-0x00007FF6A5B91000-memory.dmp

Filesize
3.3MB

Download
memory/4456-1-0x000002105BDA0000-0x000002105BDB0000-memory.dmp

Filesize
64KB

Download
memory/4456-138-0x00007FF744B90000-0x00007FF744EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4456-70-0x00007FF744B90000-0x00007FF744EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4456-0-0x00007FF744B90000-0x00007FF744EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4456-162-0x00007FF744B90000-0x00007FF744EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4580-262-0x00007FF799100000-0x00007FF799451000-memory.dmp

Filesize
3.3MB

Download
memory/4580-111-0x00007FF799100000-0x00007FF799451000-memory.dmp

Filesize
3.3MB

Download
memory/4580-155-0x00007FF799100000-0x00007FF799451000-memory.dmp

Filesize
3.3MB

Download
memory/4756-256-0x00007FF716080000-0x00007FF7163D1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-102-0x00007FF716080000-0x00007FF7163D1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-154-0x00007FF716080000-0x00007FF7163D1000-memory.dmp

Filesize
3.3MB

Download
memory/4764-25-0x00007FF6D5FC0000-0x00007FF6D6311000-memory.dmp

Filesize
3.3MB

Download
memory/4764-103-0x00007FF6D5FC0000-0x00007FF6D6311000-memory.dmp

Filesize
3.3MB

Download
memory/4764-219-0x00007FF6D5FC0000-0x00007FF6D6311000-memory.dmp

Filesize
3.3MB

Download
memory/4780-94-0x00007FF61CE30000-0x00007FF61D181000-memory.dmp

Filesize
3.3MB

Download
memory/4780-20-0x00007FF61CE30000-0x00007FF61D181000-memory.dmp

Filesize
3.3MB

Download
memory/4780-217-0x00007FF61CE30000-0x00007FF61D181000-memory.dmp

Filesize
3.3MB

Download
memory/4820-131-0x00007FF7DFF40000-0x00007FF7E0291000-memory.dmp

Filesize
3.3MB

Download
memory/4820-238-0x00007FF7DFF40000-0x00007FF7E0291000-memory.dmp

Filesize
3.3MB

Download
memory/4820-36-0x00007FF7DFF40000-0x00007FF7E0291000-memory.dmp

Filesize
3.3MB

Download
memory/4856-247-0x00007FF6E1E00000-0x00007FF6E2151000-memory.dmp

Filesize
3.3MB

Download
memory/4856-61-0x00007FF6E1E00000-0x00007FF6E2151000-memory.dmp

Filesize
3.3MB

Download
memory/4856-136-0x00007FF6E1E00000-0x00007FF6E2151000-memory.dmp

Filesize
3.3MB

Download