cobaltstrike | 86d715e487d4ea971f57d5edb2674a549afe3322a43257a1985998545ecb5762

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

6f5113af0bc35129b506aa5ceadd60b6
SHA1

9175f070060b23b338b45082acbdad44ddaf8533
SHA256

86d715e487d4ea971f57d5edb2674a549afe3322a43257a1985998545ecb5762
SHA512

18c83a12f0d20780cbed260bc90423e1c0a0f92d1e5c7e52246729df9d2d017791922f58419e625ceb93ebd3678111492ae871fdde352acf59ccbca3c97b333f
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l/:RWWBibd56utgpPFotBER/mQ32lUz

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023c0f-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-128.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-123.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4556-65-0x00007FF68E3B0000-0x00007FF68E701000-memory.dmp	xmrig
behavioral2/memory/4700-85-0x00007FF6978C0000-0x00007FF697C11000-memory.dmp	xmrig
behavioral2/memory/1060-86-0x00007FF735E70000-0x00007FF7361C1000-memory.dmp	xmrig
behavioral2/memory/1932-84-0x00007FF716290000-0x00007FF7165E1000-memory.dmp	xmrig
behavioral2/memory/1436-81-0x00007FF72E720000-0x00007FF72EA71000-memory.dmp	xmrig
behavioral2/memory/3356-78-0x00007FF642080000-0x00007FF6423D1000-memory.dmp	xmrig
behavioral2/memory/4536-108-0x00007FF756720000-0x00007FF756A71000-memory.dmp	xmrig
behavioral2/memory/1708-116-0x00007FF67E090000-0x00007FF67E3E1000-memory.dmp	xmrig
behavioral2/memory/824-137-0x00007FF73D3C0000-0x00007FF73D711000-memory.dmp	xmrig
behavioral2/memory/1660-139-0x00007FF616690000-0x00007FF6169E1000-memory.dmp	xmrig
behavioral2/memory/1184-140-0x00007FF7B17C0000-0x00007FF7B1B11000-memory.dmp	xmrig
behavioral2/memory/1952-136-0x00007FF7FEF60000-0x00007FF7FF2B1000-memory.dmp	xmrig
behavioral2/memory/1812-126-0x00007FF62A3B0000-0x00007FF62A701000-memory.dmp	xmrig
behavioral2/memory/4600-115-0x00007FF755240000-0x00007FF755591000-memory.dmp	xmrig
behavioral2/memory/216-110-0x00007FF7502D0000-0x00007FF750621000-memory.dmp	xmrig
behavioral2/memory/508-109-0x00007FF6864E0000-0x00007FF686831000-memory.dmp	xmrig
behavioral2/memory/2228-145-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp	xmrig
behavioral2/memory/3856-146-0x00007FF6D8690000-0x00007FF6D89E1000-memory.dmp	xmrig
behavioral2/memory/4084-147-0x00007FF70EE30000-0x00007FF70F181000-memory.dmp	xmrig
behavioral2/memory/4536-148-0x00007FF756720000-0x00007FF756A71000-memory.dmp	xmrig
behavioral2/memory/4832-153-0x00007FF689B60000-0x00007FF689EB1000-memory.dmp	xmrig
behavioral2/memory/3980-152-0x00007FF71CAE0000-0x00007FF71CE31000-memory.dmp	xmrig
behavioral2/memory/632-169-0x00007FF73E940000-0x00007FF73EC91000-memory.dmp	xmrig
behavioral2/memory/4536-172-0x00007FF756720000-0x00007FF756A71000-memory.dmp	xmrig
behavioral2/memory/508-217-0x00007FF6864E0000-0x00007FF686831000-memory.dmp	xmrig
behavioral2/memory/216-219-0x00007FF7502D0000-0x00007FF750621000-memory.dmp	xmrig
behavioral2/memory/4600-221-0x00007FF755240000-0x00007FF755591000-memory.dmp	xmrig
behavioral2/memory/1812-224-0x00007FF62A3B0000-0x00007FF62A701000-memory.dmp	xmrig
behavioral2/memory/3356-225-0x00007FF642080000-0x00007FF6423D1000-memory.dmp	xmrig
behavioral2/memory/1708-227-0x00007FF67E090000-0x00007FF67E3E1000-memory.dmp	xmrig
behavioral2/memory/1436-230-0x00007FF72E720000-0x00007FF72EA71000-memory.dmp	xmrig
behavioral2/memory/824-239-0x00007FF73D3C0000-0x00007FF73D711000-memory.dmp	xmrig
behavioral2/memory/4556-238-0x00007FF68E3B0000-0x00007FF68E701000-memory.dmp	xmrig
behavioral2/memory/1660-235-0x00007FF616690000-0x00007FF6169E1000-memory.dmp	xmrig
behavioral2/memory/4700-234-0x00007FF6978C0000-0x00007FF697C11000-memory.dmp	xmrig
behavioral2/memory/1932-231-0x00007FF716290000-0x00007FF7165E1000-memory.dmp	xmrig
behavioral2/memory/1184-242-0x00007FF7B17C0000-0x00007FF7B1B11000-memory.dmp	xmrig
behavioral2/memory/1060-243-0x00007FF735E70000-0x00007FF7361C1000-memory.dmp	xmrig
behavioral2/memory/2228-247-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp	xmrig
behavioral2/memory/3856-249-0x00007FF6D8690000-0x00007FF6D89E1000-memory.dmp	xmrig
behavioral2/memory/4084-254-0x00007FF70EE30000-0x00007FF70F181000-memory.dmp	xmrig
behavioral2/memory/3980-258-0x00007FF71CAE0000-0x00007FF71CE31000-memory.dmp	xmrig
behavioral2/memory/4832-260-0x00007FF689B60000-0x00007FF689EB1000-memory.dmp	xmrig
behavioral2/memory/632-263-0x00007FF73E940000-0x00007FF73EC91000-memory.dmp	xmrig
behavioral2/memory/1952-264-0x00007FF7FEF60000-0x00007FF7FF2B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
508	cbQjQor.exe
216	ObRfxCM.exe
4600	rfoXpZO.exe
1708	CymAtMT.exe
3356	vkjZTpE.exe
1812	gslheiu.exe
1436	QNgUhLB.exe
824	NeDTNBO.exe
4556	VgRZVAs.exe
1932	aZwCmUz.exe
1660	cfaYPtf.exe
1184	ZJvuNdN.exe
4700	DGzGCvi.exe
1060	XmiWoCV.exe
2228	YZfGRTS.exe
3856	vcgkMtt.exe
4084	gtneouR.exe
3980	ZvefnVA.exe
4832	UrxQAku.exe
632	MEWdFQQ.exe
1952	WleEKkS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4536-0-0x00007FF756720000-0x00007FF756A71000-memory.dmp	upx
behavioral2/files/0x000a000000023c0f-5.dat	upx
behavioral2/memory/508-7-0x00007FF6864E0000-0x00007FF686831000-memory.dmp	upx
behavioral2/files/0x0007000000023caf-17.dat	upx
behavioral2/files/0x0007000000023cb1-28.dat	upx
behavioral2/files/0x0007000000023cb0-44.dat	upx
behavioral2/files/0x0007000000023cb5-49.dat	upx
behavioral2/memory/4556-65-0x00007FF68E3B0000-0x00007FF68E701000-memory.dmp	upx
behavioral2/memory/1660-75-0x00007FF616690000-0x00007FF6169E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb7-79.dat	upx
behavioral2/memory/4700-85-0x00007FF6978C0000-0x00007FF697C11000-memory.dmp	upx
behavioral2/memory/1060-86-0x00007FF735E70000-0x00007FF7361C1000-memory.dmp	upx
behavioral2/memory/1932-84-0x00007FF716290000-0x00007FF7165E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb9-82.dat	upx
behavioral2/memory/1436-81-0x00007FF72E720000-0x00007FF72EA71000-memory.dmp	upx
behavioral2/memory/3356-78-0x00007FF642080000-0x00007FF6423D1000-memory.dmp	upx
behavioral2/memory/1184-77-0x00007FF7B17C0000-0x00007FF7B1B11000-memory.dmp	upx
behavioral2/files/0x0007000000023cb8-69.dat	upx
behavioral2/files/0x0007000000023cb6-67.dat	upx
behavioral2/files/0x0007000000023cb2-61.dat	upx
behavioral2/files/0x0007000000023cb4-58.dat	upx
behavioral2/memory/824-57-0x00007FF73D3C0000-0x00007FF73D711000-memory.dmp	upx
behavioral2/files/0x0007000000023cb3-53.dat	upx
behavioral2/memory/1812-39-0x00007FF62A3B0000-0x00007FF62A701000-memory.dmp	upx
behavioral2/memory/4600-37-0x00007FF755240000-0x00007FF755591000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-30.dat	upx
behavioral2/files/0x0007000000023cad-24.dat	upx
behavioral2/memory/1708-22-0x00007FF67E090000-0x00007FF67E3E1000-memory.dmp	upx
behavioral2/memory/216-20-0x00007FF7502D0000-0x00007FF750621000-memory.dmp	upx
behavioral2/files/0x0007000000023cba-88.dat	upx
behavioral2/memory/2228-90-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp	upx
behavioral2/files/0x0007000000023cbb-96.dat	upx
behavioral2/memory/3856-98-0x00007FF6D8690000-0x00007FF6D89E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbc-102.dat	upx
behavioral2/memory/4084-104-0x00007FF70EE30000-0x00007FF70F181000-memory.dmp	upx
behavioral2/memory/4536-108-0x00007FF756720000-0x00007FF756A71000-memory.dmp	upx
behavioral2/files/0x0007000000023cbd-119.dat	upx
behavioral2/memory/1708-116-0x00007FF67E090000-0x00007FF67E3E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc0-128.dat	upx
behavioral2/memory/824-137-0x00007FF73D3C0000-0x00007FF73D711000-memory.dmp	upx
behavioral2/memory/1660-139-0x00007FF616690000-0x00007FF6169E1000-memory.dmp	upx
behavioral2/memory/1184-140-0x00007FF7B17C0000-0x00007FF7B1B11000-memory.dmp	upx
behavioral2/memory/1952-136-0x00007FF7FEF60000-0x00007FF7FF2B1000-memory.dmp	upx
behavioral2/memory/632-134-0x00007FF73E940000-0x00007FF73EC91000-memory.dmp	upx
behavioral2/files/0x0007000000023cbf-131.dat	upx
behavioral2/memory/1812-126-0x00007FF62A3B0000-0x00007FF62A701000-memory.dmp	upx
behavioral2/memory/4832-124-0x00007FF689B60000-0x00007FF689EB1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-123.dat	upx
behavioral2/memory/4600-115-0x00007FF755240000-0x00007FF755591000-memory.dmp	upx
behavioral2/memory/3980-111-0x00007FF71CAE0000-0x00007FF71CE31000-memory.dmp	upx
behavioral2/memory/216-110-0x00007FF7502D0000-0x00007FF750621000-memory.dmp	upx
behavioral2/memory/508-109-0x00007FF6864E0000-0x00007FF686831000-memory.dmp	upx
behavioral2/memory/2228-145-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp	upx
behavioral2/memory/3856-146-0x00007FF6D8690000-0x00007FF6D89E1000-memory.dmp	upx
behavioral2/memory/4084-147-0x00007FF70EE30000-0x00007FF70F181000-memory.dmp	upx
behavioral2/memory/4536-148-0x00007FF756720000-0x00007FF756A71000-memory.dmp	upx
behavioral2/memory/4832-153-0x00007FF689B60000-0x00007FF689EB1000-memory.dmp	upx
behavioral2/memory/3980-152-0x00007FF71CAE0000-0x00007FF71CE31000-memory.dmp	upx
behavioral2/memory/632-169-0x00007FF73E940000-0x00007FF73EC91000-memory.dmp	upx
behavioral2/memory/4536-172-0x00007FF756720000-0x00007FF756A71000-memory.dmp	upx
behavioral2/memory/508-217-0x00007FF6864E0000-0x00007FF686831000-memory.dmp	upx
behavioral2/memory/216-219-0x00007FF7502D0000-0x00007FF750621000-memory.dmp	upx
behavioral2/memory/4600-221-0x00007FF755240000-0x00007FF755591000-memory.dmp	upx
behavioral2/memory/1812-224-0x00007FF62A3B0000-0x00007FF62A701000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\VgRZVAs.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cfaYPtf.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DGzGCvi.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XmiWoCV.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vcgkMtt.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MEWdFQQ.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WleEKkS.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gslheiu.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QNgUhLB.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZJvuNdN.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YZfGRTS.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vkjZTpE.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aZwCmUz.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gtneouR.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UrxQAku.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cbQjQor.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ObRfxCM.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rfoXpZO.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CymAtMT.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NeDTNBO.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZvefnVA.exe	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 508	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4536 wrote to memory of 508	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4536 wrote to memory of 216	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4536 wrote to memory of 216	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4536 wrote to memory of 4600	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4536 wrote to memory of 4600	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4536 wrote to memory of 1708	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4536 wrote to memory of 1708	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4536 wrote to memory of 3356	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4536 wrote to memory of 3356	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4536 wrote to memory of 1812	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4536 wrote to memory of 1812	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4536 wrote to memory of 4556	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4536 wrote to memory of 4556	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4536 wrote to memory of 1436	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4536 wrote to memory of 1436	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4536 wrote to memory of 824	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4536 wrote to memory of 824	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4536 wrote to memory of 1932	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4536 wrote to memory of 1932	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4536 wrote to memory of 1660	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4536 wrote to memory of 1660	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4536 wrote to memory of 1184	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4536 wrote to memory of 1184	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4536 wrote to memory of 4700	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4536 wrote to memory of 4700	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4536 wrote to memory of 1060	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4536 wrote to memory of 1060	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4536 wrote to memory of 2228	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4536 wrote to memory of 2228	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4536 wrote to memory of 3856	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4536 wrote to memory of 3856	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4536 wrote to memory of 4084	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4536 wrote to memory of 4084	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4536 wrote to memory of 3980	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4536 wrote to memory of 3980	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4536 wrote to memory of 4832	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4536 wrote to memory of 4832	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4536 wrote to memory of 632	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4536 wrote to memory of 632	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4536 wrote to memory of 1952	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4536 wrote to memory of 1952	4536	2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-12_6f5113af0bc35129b506aa5ceadd60b6_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\System\cbQjQor.exe
  C:\Windows\System\cbQjQor.exe
  2⤵
  - Executes dropped EXE
  PID:508
- C:\Windows\System\ObRfxCM.exe
  C:\Windows\System\ObRfxCM.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\rfoXpZO.exe
  C:\Windows\System\rfoXpZO.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\CymAtMT.exe
  C:\Windows\System\CymAtMT.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\vkjZTpE.exe
  C:\Windows\System\vkjZTpE.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\gslheiu.exe
  C:\Windows\System\gslheiu.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\VgRZVAs.exe
  C:\Windows\System\VgRZVAs.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\QNgUhLB.exe
  C:\Windows\System\QNgUhLB.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\NeDTNBO.exe
  C:\Windows\System\NeDTNBO.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System\aZwCmUz.exe
  C:\Windows\System\aZwCmUz.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\cfaYPtf.exe
  C:\Windows\System\cfaYPtf.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\ZJvuNdN.exe
  C:\Windows\System\ZJvuNdN.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\DGzGCvi.exe
  C:\Windows\System\DGzGCvi.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System\XmiWoCV.exe
  C:\Windows\System\XmiWoCV.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\YZfGRTS.exe
  C:\Windows\System\YZfGRTS.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\vcgkMtt.exe
  C:\Windows\System\vcgkMtt.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System\gtneouR.exe
  C:\Windows\System\gtneouR.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System\ZvefnVA.exe
  C:\Windows\System\ZvefnVA.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\UrxQAku.exe
  C:\Windows\System\UrxQAku.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\MEWdFQQ.exe
  C:\Windows\System\MEWdFQQ.exe
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\System\WleEKkS.exe
  C:\Windows\System\WleEKkS.exe
  2⤵
  - Executes dropped EXE
  PID:1952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CymAtMT.exe

Filesize
5.2MB

MD5
0eed3f4ada59d908f47eae44e7fe23b3

SHA1
2f47e90adef87700d3336e44513a839eaa0502b1

SHA256
70fe86e5b2fefeedb7d1b4147f6f0eaea4dc90c19b0184fdced21cd449d2a7b4

SHA512
8ff8a062dbc6a17efc363b8a80f0169412538b06c21eb5da9dd7222b92cf8a4f75dc01375a0c7b102401717b29a0734d21529816df91e8d7c96536048f3a14fe

Download Submit
C:\Windows\System\DGzGCvi.exe

Filesize
5.2MB

MD5
bd335a85852317ff37692a43c1e1b184

SHA1
957d9f93de494e1b3a3a2709d0e523ff1538733c

SHA256
e53f0fe6ece4c2ef1ddeb954be01e2b8561eb34801822be4374cfc33745c8d2a

SHA512
ba25d6fba09fd83d1c9c12e49f8247bd65d0f0eb9c428aab94ead3c110f7dac1c208ce2e447e9e4ba0b948a4912d62c64e9d1f1235cac1323a5a91b3e2ead6ca

Download Submit
C:\Windows\System\MEWdFQQ.exe

Filesize
5.2MB

MD5
d60d4d3ad628164e62d7c81b666c7561

SHA1
c4a1214c994a388c3b6bbf1c0091af8e2b4f5c52

SHA256
678f3999f12359fe116d96d0ca53e5f521b672224aef1735973aba0af67a534c

SHA512
cf14026e6367d5b73e8a25896ea2ab1c943250753e6199bdf8791bdbbcde8f8c964010f9a926704443ceb223469eda6e8720fdead62a3fbcdec5bfa05edf8e65

Download Submit
C:\Windows\System\NeDTNBO.exe

Filesize
5.2MB

MD5
1a80407fcdcf4ce0c578fca3a2db3172

SHA1
52917eef84c1c969ecf2f9eb9cdd009a65120013

SHA256
34faf3eae648971a0d2912455b0721b6dd7f25d97b018983140c49c9779bd131

SHA512
f818b94d01fba3ecaba5fd0931251e05318f7f4197c29a87ec77e03f383583451d57bfac32df34f87a5dc7ec9321d747aaa774ba318102e26b87576a5a536d5f

Download Submit
C:\Windows\System\ObRfxCM.exe

Filesize
5.2MB

MD5
85948951ea616164edf080d20aab6583

SHA1
86c42627b52584900db0296b63786fb62938ab86

SHA256
fb539bc5dd4aa0f65938b0fba5a446cc67c1c7356acf9589af9c4cfc8f8a8e9e

SHA512
60172bc19c6255f3f6bea4fe911a12d01066a38a0cf1dfd9bb536d7a9d4a4ee68935dd1b89cf0801b5a14dccb36b7ae3841ed98575309467c2cf339b6bc2a130

Download Submit
C:\Windows\System\QNgUhLB.exe

Filesize
5.2MB

MD5
5cc6e8c3726e52d88927a32d3e7cbb6d

SHA1
0f7df33f1ac8f2e6a789ae4bc3f19f5c2bdd0f4a

SHA256
ffa309c0271b60abb2e5a4b2c36bbf041e8948424b4b0cf1338795391593cc26

SHA512
2993f7db2dac06527a4cc9762af6065e6631ccf07dec99932287241428ab4ae9d7c1ac43df006accb656bb73e6dde120154508ce34381f50b7c7943e5187b664

Download Submit
C:\Windows\System\UrxQAku.exe

Filesize
5.2MB

MD5
9be7380ab9a7cbb8b03dd0744d76fbfb

SHA1
88988041042b8e7835b6a57b15b3453f678df2d9

SHA256
80ca03e9fd0dc57d60674c6c27da6fcefe77baa1b8ed0a913ec72141f5f63942

SHA512
e897ee703de5fc5f53f960ac65cddb7f137967abb4465b6619e4dcf490b1b1eae99cafae36100f5d8faa48a7ad26380a9a8ed0662ea7475444ad60aa8d0ae218

Download Submit
C:\Windows\System\VgRZVAs.exe

Filesize
5.2MB

MD5
2cc96dd1a8f2bf008d0faafde37cc1e4

SHA1
c2d66963c581696af1346cbc0004fcb96dbf3478

SHA256
22c8c07e130991533df0be3a7ca695c01dda97029b9bd7114a15b394c2c4d15d

SHA512
58ba9952b440d802d0de0ec2ad7546a2afaf46e22d564a98c2c70fedfce018018fbb17968ad080ee4b0a0e3cf08e4409a1594b260b465af100b430d560d283ef

Download Submit
C:\Windows\System\WleEKkS.exe

Filesize
5.2MB

MD5
4cf140666b8bdd8331f0d37c2cef24af

SHA1
f603ddd85f04e122784b9447af62f09b10472a9d

SHA256
11513f774ea668f8771fb6cc747aba5e62648b7308d224169cc9cd2c042c329f

SHA512
6b81a25025c02b9e647ef430c0ef64f6c99cf4b9270dc8c705fdfa358f586407862caa780e1f6a3bd576c8c0081d95d0fc1aef364a6874d46040eebddae37718

Download Submit
C:\Windows\System\XmiWoCV.exe

Filesize
5.2MB

MD5
04a45fb06fb19ee257186949be098b0b

SHA1
8a4653928e61918d67080a78b510d6dbb2a979b4

SHA256
4ac1295538341b7c68cd524475646baf6e44857015cfea72fa09888159b1af77

SHA512
7cc2b9914e7b0b2e9bb053215136ae39e9149f0ab9b8dbe79b8b4321f182d3e3e598029f76d9f1f02f37d83486531adb2538bc32770f923e2b0d5ba860ddeb4d

Download Submit
C:\Windows\System\YZfGRTS.exe

Filesize
5.2MB

MD5
70429f7daab522e585685d5e30bd97a6

SHA1
9a11b1b96b1ddee498e88e31b68029d07b8a7b2f

SHA256
e7650965bb2d21e6e9377ea3c0394d05e2849b672789efe1e10dee1cf56ada7e

SHA512
807b05c449f40a967b95566ac0232bb7c4fe94fd0f3d2c37649273dc4e6e4b6a0609112df6734c25f7990f61d336a46bf289383e7c6a1012451aec496d349a45

Download Submit
C:\Windows\System\ZJvuNdN.exe

Filesize
5.2MB

MD5
539b0fddb4da1bec64db3ce66cabe296

SHA1
994a516ba186f35c8ca5c31ab286ca731de0d1ae

SHA256
d35aae3223ed84a122ef907a47e45404c556120078c4fb077efe934cf1ffea63

SHA512
28e1c47576b2b70f8ea4b0d92f7ae6838128ac737bec9fa1a1e5426e6aa3a0665f8798c05f11c776007628e65223b940a8c68272daecc8454ac05f9268b80b51

Download Submit
C:\Windows\System\ZvefnVA.exe

Filesize
5.2MB

MD5
11793f070815d70a065444207ad720c4

SHA1
fd43479b7ef011bfe90604e771f7c2b17257590f

SHA256
0a8e7ac4c9263e3f296dc7010c715a032de26bc8684ba6062c091db5a0f23e2c

SHA512
3bd794e6ba8a1fa52045b7d967c86e739b1385a85b6b2a9adaa933e85320ad4f2fe187c83b2101b077dde5fae917cee6b30ea1db710fcce72dd38839998bed53

Download Submit
C:\Windows\System\aZwCmUz.exe

Filesize
5.2MB

MD5
774a0c55213d3cb2fd3466f9cc783795

SHA1
85212cfd859003ce67167c9c09a43f4a73df5b32

SHA256
af6ac9619ba7b291299a7bdab4f90336d7eb5ef2430ae1f609baffa4d8d8318b

SHA512
eafb5924daa60a880df2d50e39c21a109f7b2ae618f87ab821783e1b4db5e7f7256b0c7548d0c976c85bc7b4fa66f191d8bab3fb8758866492219607084f1b65

Download Submit
C:\Windows\System\cbQjQor.exe

Filesize
5.2MB

MD5
e328d813d699a8669d0c5b2389b5408d

SHA1
be189b085f61b61c08a507f7cc5fcce180ed6b58

SHA256
65dc2b9e70376a3c7ed9970ed6ed83e94e549870bd82d29a52e77a233f2387a6

SHA512
b88b787b8ddf3a88229b7aa75ae4c2bab6e4fe1612e2065930ffcb3e292db45dc4e1681c9c99f8a51afa6cc524ed2b4946efc451abcccf6e7425cc3b47529fc4

Download Submit
C:\Windows\System\cfaYPtf.exe

Filesize
5.2MB

MD5
0ac2a4b89a1ab9374b1e6eb7920fc898

SHA1
7fc8cf119f52a8e070a1644c6641a0b8021d9278

SHA256
0fd285ec4362b7362a4ea7a0ede63629f6ff7c28c25aa74df2d96652d821ced6

SHA512
511f5547420355c1b7e3a9bdaa2c8e55ebafb1e90fb0ab8fbcb407ac116c68e642b9f1cb6e9c57f855be858b52e6d37eb714d6ff7f4af1d893c4d36236fa5122

Download Submit
C:\Windows\System\gslheiu.exe

Filesize
5.2MB

MD5
9c7ff4ff8b9b0d668878a08d8e12cd0a

SHA1
d86394c0783cbbeda88a23e746ff20a5d7b32c9d

SHA256
e9226ded876e1253651d9fb58cce93cde3c715ba18bc5c166e8db954205c9023

SHA512
1085b9cc0ea986361ae732f8c1dda27e619479aad2bcbcfd9200bbc91f4b4469c53191010f69ae6650433c9de5b9f5ac1d9fdbeac69df7819cca8ed66c2fd3e4

Download Submit
C:\Windows\System\gtneouR.exe

Filesize
5.2MB

MD5
dc6c5d8695f1274f56971c9814f9ccb6

SHA1
6d89676cb317060dda04fdaf1dd5456b3155a8cc

SHA256
75a98401c430cf49d3ba8d0f6277946b901177f517c6281aa07a988850c3606e

SHA512
18dc3371292c726a0d4a25f38dbfbd439b9cd1f9874bba6b4f6e43599ef43a211b349cc36352c8458f0bfeab724c398ad716e255ecfe7f9858a27c2234e368de

Download Submit
C:\Windows\System\rfoXpZO.exe

Filesize
5.2MB

MD5
2548070cef63ac71c5f19e1a7d0f8cac

SHA1
d9d107d8dfa85d5a2d31b52f019fbf6131d40c5b

SHA256
90f9235ed5f4d223d454f20de809ba5562bd83ea366215f71a76d7c967be246a

SHA512
e0f42042ce73720e00c7e7084b38dd78040ab704df55dc2f75fae3fba0575cf676eea38a26b5d1ea218c945e83bed1cef76637cb46b87bac6d9ddd8cbb62bac4

Download Submit
C:\Windows\System\vcgkMtt.exe

Filesize
5.2MB

MD5
537295127b004e2f9cb02f49e9840554

SHA1
3d67b07f2d3cd1cccd0bcd0b335f846984d47a7d

SHA256
62ad537f8c61c164740ec41e601ce289524278ce4e05ea83dd619400f77219a0

SHA512
364694fe93cba333632eaf277ba943e0c705bb873e1750c4cfe7c1ae3ca4f53017989b33ec0986574f2a563fa2c894e3577409b12c9121f49809899e251e2735

Download Submit
C:\Windows\System\vkjZTpE.exe

Filesize
5.2MB

MD5
a176732501eb645e03652a64e8395cf5

SHA1
014c42a5d523417f86ea74751cc46bd872dc0821

SHA256
70bece33745ac0e214f91e78c847317502b8f5132d70ef81235bf7bddadac48a

SHA512
4af53f62e676a7c94bd5e6d18e8a68a81ce124220ca443fb843d63851b6851ecf560d4511a0ebbef3d5efcf2ad2824c20e26852d4c1bce33c558417a37ddc497

Download Submit
memory/216-110-0x00007FF7502D0000-0x00007FF750621000-memory.dmp

Filesize
3.3MB

Download
memory/216-219-0x00007FF7502D0000-0x00007FF750621000-memory.dmp

Filesize
3.3MB

Download
memory/216-20-0x00007FF7502D0000-0x00007FF750621000-memory.dmp

Filesize
3.3MB

Download
memory/508-7-0x00007FF6864E0000-0x00007FF686831000-memory.dmp

Filesize
3.3MB

Download
memory/508-109-0x00007FF6864E0000-0x00007FF686831000-memory.dmp

Filesize
3.3MB

Download
memory/508-217-0x00007FF6864E0000-0x00007FF686831000-memory.dmp

Filesize
3.3MB

Download
memory/632-169-0x00007FF73E940000-0x00007FF73EC91000-memory.dmp

Filesize
3.3MB

Download
memory/632-263-0x00007FF73E940000-0x00007FF73EC91000-memory.dmp

Filesize
3.3MB

Download
memory/632-134-0x00007FF73E940000-0x00007FF73EC91000-memory.dmp

Filesize
3.3MB

Download
memory/824-137-0x00007FF73D3C0000-0x00007FF73D711000-memory.dmp

Filesize
3.3MB

Download
memory/824-57-0x00007FF73D3C0000-0x00007FF73D711000-memory.dmp

Filesize
3.3MB

Download
memory/824-239-0x00007FF73D3C0000-0x00007FF73D711000-memory.dmp

Filesize
3.3MB

Download
memory/1060-243-0x00007FF735E70000-0x00007FF7361C1000-memory.dmp

Filesize
3.3MB

Download
memory/1060-86-0x00007FF735E70000-0x00007FF7361C1000-memory.dmp

Filesize
3.3MB

Download
memory/1184-242-0x00007FF7B17C0000-0x00007FF7B1B11000-memory.dmp

Filesize
3.3MB

Download
memory/1184-77-0x00007FF7B17C0000-0x00007FF7B1B11000-memory.dmp

Filesize
3.3MB

Download
memory/1184-140-0x00007FF7B17C0000-0x00007FF7B1B11000-memory.dmp

Filesize
3.3MB

Download
memory/1436-230-0x00007FF72E720000-0x00007FF72EA71000-memory.dmp

Filesize
3.3MB

Download
memory/1436-81-0x00007FF72E720000-0x00007FF72EA71000-memory.dmp

Filesize
3.3MB

Download
memory/1660-75-0x00007FF616690000-0x00007FF6169E1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-139-0x00007FF616690000-0x00007FF6169E1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-235-0x00007FF616690000-0x00007FF6169E1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-116-0x00007FF67E090000-0x00007FF67E3E1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-22-0x00007FF67E090000-0x00007FF67E3E1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-227-0x00007FF67E090000-0x00007FF67E3E1000-memory.dmp

Filesize
3.3MB

Download
memory/1812-126-0x00007FF62A3B0000-0x00007FF62A701000-memory.dmp

Filesize
3.3MB

Download
memory/1812-224-0x00007FF62A3B0000-0x00007FF62A701000-memory.dmp

Filesize
3.3MB

Download
memory/1812-39-0x00007FF62A3B0000-0x00007FF62A701000-memory.dmp

Filesize
3.3MB

Download
memory/1932-84-0x00007FF716290000-0x00007FF7165E1000-memory.dmp

Filesize
3.3MB

Download
memory/1932-231-0x00007FF716290000-0x00007FF7165E1000-memory.dmp

Filesize
3.3MB

Download
memory/1952-264-0x00007FF7FEF60000-0x00007FF7FF2B1000-memory.dmp

Filesize
3.3MB

Download
memory/1952-136-0x00007FF7FEF60000-0x00007FF7FF2B1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-247-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp

Filesize
3.3MB

Download
memory/2228-145-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp

Filesize
3.3MB

Download
memory/2228-90-0x00007FF6D7740000-0x00007FF6D7A91000-memory.dmp

Filesize
3.3MB

Download
memory/3356-225-0x00007FF642080000-0x00007FF6423D1000-memory.dmp

Filesize
3.3MB

Download
memory/3356-78-0x00007FF642080000-0x00007FF6423D1000-memory.dmp

Filesize
3.3MB

Download
memory/3856-146-0x00007FF6D8690000-0x00007FF6D89E1000-memory.dmp

Filesize
3.3MB

Download
memory/3856-249-0x00007FF6D8690000-0x00007FF6D89E1000-memory.dmp

Filesize
3.3MB

Download
memory/3856-98-0x00007FF6D8690000-0x00007FF6D89E1000-memory.dmp

Filesize
3.3MB

Download
memory/3980-152-0x00007FF71CAE0000-0x00007FF71CE31000-memory.dmp

Filesize
3.3MB

Download
memory/3980-111-0x00007FF71CAE0000-0x00007FF71CE31000-memory.dmp

Filesize
3.3MB

Download
memory/3980-258-0x00007FF71CAE0000-0x00007FF71CE31000-memory.dmp

Filesize
3.3MB

Download
memory/4084-254-0x00007FF70EE30000-0x00007FF70F181000-memory.dmp

Filesize
3.3MB

Download
memory/4084-147-0x00007FF70EE30000-0x00007FF70F181000-memory.dmp

Filesize
3.3MB

Download
memory/4084-104-0x00007FF70EE30000-0x00007FF70F181000-memory.dmp

Filesize
3.3MB

Download
memory/4536-1-0x000001DB1A5D0000-0x000001DB1A5E0000-memory.dmp

Filesize
64KB

Download
memory/4536-108-0x00007FF756720000-0x00007FF756A71000-memory.dmp

Filesize
3.3MB

Download
memory/4536-172-0x00007FF756720000-0x00007FF756A71000-memory.dmp

Filesize
3.3MB

Download
memory/4536-0-0x00007FF756720000-0x00007FF756A71000-memory.dmp

Filesize
3.3MB

Download
memory/4536-148-0x00007FF756720000-0x00007FF756A71000-memory.dmp

Filesize
3.3MB

Download
memory/4556-238-0x00007FF68E3B0000-0x00007FF68E701000-memory.dmp

Filesize
3.3MB

Download
memory/4556-65-0x00007FF68E3B0000-0x00007FF68E701000-memory.dmp

Filesize
3.3MB

Download
memory/4600-221-0x00007FF755240000-0x00007FF755591000-memory.dmp

Filesize
3.3MB

Download
memory/4600-115-0x00007FF755240000-0x00007FF755591000-memory.dmp

Filesize
3.3MB

Download
memory/4600-37-0x00007FF755240000-0x00007FF755591000-memory.dmp

Filesize
3.3MB

Download
memory/4700-234-0x00007FF6978C0000-0x00007FF697C11000-memory.dmp

Filesize
3.3MB

Download
memory/4700-85-0x00007FF6978C0000-0x00007FF697C11000-memory.dmp

Filesize
3.3MB

Download
memory/4832-153-0x00007FF689B60000-0x00007FF689EB1000-memory.dmp

Filesize
3.3MB

Download
memory/4832-260-0x00007FF689B60000-0x00007FF689EB1000-memory.dmp

Filesize
3.3MB

Download
memory/4832-124-0x00007FF689B60000-0x00007FF689EB1000-memory.dmp

Filesize
3.3MB

Download