cobaltstrike | 4c3d8c523396f60baa73332c1f529cea4fd7adca2684d920e1272d78b9963f57

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f0873c34d12253402768c6f23cd375c5
SHA1

84d67a7553069dffa720c891bf0637f3b123a301
SHA256

4c3d8c523396f60baa73332c1f529cea4fd7adca2684d920e1272d78b9963f57
SHA512

a979ecd723b81c0349c6665fd6188c2b596afad9f31ee7729bbff2df36244325bb808a41a1692b885b0180de197abe6b08ada170999f16fcb5f07f8e0ed14e96
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lY:RWWBib+56utgpPFotBER/mQ32lUs

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b9d-6.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bae-12.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb7-11.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbc-23.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbe-32.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bc2-43.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbd-33.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc4-48.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b9e-55.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc7-58.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc8-69.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc9-76.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf9-83.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfa-87.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfb-96.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfc-101.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfe-120.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c04-129.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c03-124.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bfd-111.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c05-137.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4716-40-0x00007FF7DED00000-0x00007FF7DF051000-memory.dmp	xmrig
behavioral2/memory/3568-59-0x00007FF602AE0000-0x00007FF602E31000-memory.dmp	xmrig
behavioral2/memory/4000-67-0x00007FF6B0520000-0x00007FF6B0871000-memory.dmp	xmrig
behavioral2/memory/4760-89-0x00007FF6E91C0000-0x00007FF6E9511000-memory.dmp	xmrig
behavioral2/memory/3768-88-0x00007FF61CA90000-0x00007FF61CDE1000-memory.dmp	xmrig
behavioral2/memory/2948-81-0x00007FF6D1200000-0x00007FF6D1551000-memory.dmp	xmrig
behavioral2/memory/3320-73-0x00007FF740CD0000-0x00007FF741021000-memory.dmp	xmrig
behavioral2/memory/3440-108-0x00007FF6FE380000-0x00007FF6FE6D1000-memory.dmp	xmrig
behavioral2/memory/2080-130-0x00007FF760140000-0x00007FF760491000-memory.dmp	xmrig
behavioral2/memory/3948-117-0x00007FF675090000-0x00007FF6753E1000-memory.dmp	xmrig
behavioral2/memory/3500-116-0x00007FF76B5F0000-0x00007FF76B941000-memory.dmp	xmrig
behavioral2/memory/1120-102-0x00007FF6B5D30000-0x00007FF6B6081000-memory.dmp	xmrig
behavioral2/memory/3940-100-0x00007FF60EFB0000-0x00007FF60F301000-memory.dmp	xmrig
behavioral2/memory/1352-134-0x00007FF659090000-0x00007FF6593E1000-memory.dmp	xmrig
behavioral2/memory/5116-140-0x00007FF6979F0000-0x00007FF697D41000-memory.dmp	xmrig
behavioral2/memory/3172-138-0x00007FF6A56B0000-0x00007FF6A5A01000-memory.dmp	xmrig
behavioral2/memory/4460-141-0x00007FF7FD390000-0x00007FF7FD6E1000-memory.dmp	xmrig
behavioral2/memory/2368-142-0x00007FF640090000-0x00007FF6403E1000-memory.dmp	xmrig
behavioral2/memory/3568-143-0x00007FF602AE0000-0x00007FF602E31000-memory.dmp	xmrig
behavioral2/memory/2972-152-0x00007FF70F420000-0x00007FF70F771000-memory.dmp	xmrig
behavioral2/memory/3228-160-0x00007FF7ED5C0000-0x00007FF7ED911000-memory.dmp	xmrig
behavioral2/memory/400-161-0x00007FF7CD860000-0x00007FF7CDBB1000-memory.dmp	xmrig
behavioral2/memory/3968-167-0x00007FF6CDB10000-0x00007FF6CDE61000-memory.dmp	xmrig
behavioral2/memory/5116-169-0x00007FF6979F0000-0x00007FF697D41000-memory.dmp	xmrig
behavioral2/memory/3568-170-0x00007FF602AE0000-0x00007FF602E31000-memory.dmp	xmrig
behavioral2/memory/4000-219-0x00007FF6B0520000-0x00007FF6B0871000-memory.dmp	xmrig
behavioral2/memory/3320-221-0x00007FF740CD0000-0x00007FF741021000-memory.dmp	xmrig
behavioral2/memory/2948-231-0x00007FF6D1200000-0x00007FF6D1551000-memory.dmp	xmrig
behavioral2/memory/3768-233-0x00007FF61CA90000-0x00007FF61CDE1000-memory.dmp	xmrig
behavioral2/memory/4716-237-0x00007FF7DED00000-0x00007FF7DF051000-memory.dmp	xmrig
behavioral2/memory/4760-235-0x00007FF6E91C0000-0x00007FF6E9511000-memory.dmp	xmrig
behavioral2/memory/1120-239-0x00007FF6B5D30000-0x00007FF6B6081000-memory.dmp	xmrig
behavioral2/memory/3440-241-0x00007FF6FE380000-0x00007FF6FE6D1000-memory.dmp	xmrig
behavioral2/memory/3500-243-0x00007FF76B5F0000-0x00007FF76B941000-memory.dmp	xmrig
behavioral2/memory/3948-246-0x00007FF675090000-0x00007FF6753E1000-memory.dmp	xmrig
behavioral2/memory/2080-251-0x00007FF760140000-0x00007FF760491000-memory.dmp	xmrig
behavioral2/memory/1352-253-0x00007FF659090000-0x00007FF6593E1000-memory.dmp	xmrig
behavioral2/memory/3172-255-0x00007FF6A56B0000-0x00007FF6A5A01000-memory.dmp	xmrig
behavioral2/memory/4460-257-0x00007FF7FD390000-0x00007FF7FD6E1000-memory.dmp	xmrig
behavioral2/memory/3940-264-0x00007FF60EFB0000-0x00007FF60F301000-memory.dmp	xmrig
behavioral2/memory/2368-266-0x00007FF640090000-0x00007FF6403E1000-memory.dmp	xmrig
behavioral2/memory/2972-268-0x00007FF70F420000-0x00007FF70F771000-memory.dmp	xmrig
behavioral2/memory/3228-270-0x00007FF7ED5C0000-0x00007FF7ED911000-memory.dmp	xmrig
behavioral2/memory/400-272-0x00007FF7CD860000-0x00007FF7CDBB1000-memory.dmp	xmrig
behavioral2/memory/3968-274-0x00007FF6CDB10000-0x00007FF6CDE61000-memory.dmp	xmrig
behavioral2/memory/5116-277-0x00007FF6979F0000-0x00007FF697D41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4000	iESVjwR.exe
3320	iURdThp.exe
2948	sqodjqm.exe
3768	IOsvwsd.exe
4760	hemKUny.exe
4716	BdHWNzy.exe
1120	jEiEKcG.exe
3440	DzasOFd.exe
3500	afyKsEI.exe
3948	zIVSPaw.exe
2080	bqfSUDi.exe
1352	KnOsyVh.exe
3172	EcTceFI.exe
4460	NlbHheb.exe
3940	rRAPyET.exe
2368	FNRLGRW.exe
2972	mZofIYy.exe
3228	eZnYhbF.exe
400	sqTyYCU.exe
3968	mdyZzhF.exe
5116	AcxSzrg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3568-0-0x00007FF602AE0000-0x00007FF602E31000-memory.dmp	upx
behavioral2/files/0x000c000000023b9d-6.dat	upx
behavioral2/memory/4000-8-0x00007FF6B0520000-0x00007FF6B0871000-memory.dmp	upx
behavioral2/files/0x000e000000023bae-12.dat	upx
behavioral2/files/0x0008000000023bb7-11.dat	upx
behavioral2/memory/3320-14-0x00007FF740CD0000-0x00007FF741021000-memory.dmp	upx
behavioral2/memory/2948-20-0x00007FF6D1200000-0x00007FF6D1551000-memory.dmp	upx
behavioral2/files/0x0009000000023bbc-23.dat	upx
behavioral2/files/0x0009000000023bbe-32.dat	upx
behavioral2/memory/4716-40-0x00007FF7DED00000-0x00007FF7DF051000-memory.dmp	upx
behavioral2/files/0x000e000000023bc2-43.dat	upx
behavioral2/memory/1120-42-0x00007FF6B5D30000-0x00007FF6B6081000-memory.dmp	upx
behavioral2/memory/4760-38-0x00007FF6E91C0000-0x00007FF6E9511000-memory.dmp	upx
behavioral2/files/0x0009000000023bbd-33.dat	upx
behavioral2/memory/3768-24-0x00007FF61CA90000-0x00007FF61CDE1000-memory.dmp	upx
behavioral2/files/0x0008000000023bc4-48.dat	upx
behavioral2/memory/3440-50-0x00007FF6FE380000-0x00007FF6FE6D1000-memory.dmp	upx
behavioral2/files/0x000c000000023b9e-55.dat	upx
behavioral2/memory/3500-54-0x00007FF76B5F0000-0x00007FF76B941000-memory.dmp	upx
behavioral2/files/0x0008000000023bc7-58.dat	upx
behavioral2/memory/3568-59-0x00007FF602AE0000-0x00007FF602E31000-memory.dmp	upx
behavioral2/memory/3948-66-0x00007FF675090000-0x00007FF6753E1000-memory.dmp	upx
behavioral2/memory/2080-68-0x00007FF760140000-0x00007FF760491000-memory.dmp	upx
behavioral2/files/0x0008000000023bc8-69.dat	upx
behavioral2/memory/4000-67-0x00007FF6B0520000-0x00007FF6B0871000-memory.dmp	upx
behavioral2/memory/1352-75-0x00007FF659090000-0x00007FF6593E1000-memory.dmp	upx
behavioral2/files/0x0008000000023bc9-76.dat	upx
behavioral2/memory/3172-82-0x00007FF6A56B0000-0x00007FF6A5A01000-memory.dmp	upx
behavioral2/files/0x0008000000023bf9-83.dat	upx
behavioral2/files/0x0008000000023bfa-87.dat	upx
behavioral2/memory/4460-90-0x00007FF7FD390000-0x00007FF7FD6E1000-memory.dmp	upx
behavioral2/memory/4760-89-0x00007FF6E91C0000-0x00007FF6E9511000-memory.dmp	upx
behavioral2/memory/3768-88-0x00007FF61CA90000-0x00007FF61CDE1000-memory.dmp	upx
behavioral2/memory/2948-81-0x00007FF6D1200000-0x00007FF6D1551000-memory.dmp	upx
behavioral2/memory/3320-73-0x00007FF740CD0000-0x00007FF741021000-memory.dmp	upx
behavioral2/files/0x0008000000023bfb-96.dat	upx
behavioral2/files/0x0008000000023bfc-101.dat	upx
behavioral2/memory/2368-103-0x00007FF640090000-0x00007FF6403E1000-memory.dmp	upx
behavioral2/memory/3440-108-0x00007FF6FE380000-0x00007FF6FE6D1000-memory.dmp	upx
behavioral2/files/0x0008000000023bfe-120.dat	upx
behavioral2/memory/400-123-0x00007FF7CD860000-0x00007FF7CDBB1000-memory.dmp	upx
behavioral2/files/0x0008000000023c04-129.dat	upx
behavioral2/memory/3968-131-0x00007FF6CDB10000-0x00007FF6CDE61000-memory.dmp	upx
behavioral2/memory/2080-130-0x00007FF760140000-0x00007FF760491000-memory.dmp	upx
behavioral2/files/0x0008000000023c03-124.dat	upx
behavioral2/memory/3228-118-0x00007FF7ED5C0000-0x00007FF7ED911000-memory.dmp	upx
behavioral2/memory/3948-117-0x00007FF675090000-0x00007FF6753E1000-memory.dmp	upx
behavioral2/memory/3500-116-0x00007FF76B5F0000-0x00007FF76B941000-memory.dmp	upx
behavioral2/files/0x0008000000023bfd-111.dat	upx
behavioral2/memory/2972-110-0x00007FF70F420000-0x00007FF70F771000-memory.dmp	upx
behavioral2/memory/1120-102-0x00007FF6B5D30000-0x00007FF6B6081000-memory.dmp	upx
behavioral2/memory/3940-100-0x00007FF60EFB0000-0x00007FF60F301000-memory.dmp	upx
behavioral2/memory/1352-134-0x00007FF659090000-0x00007FF6593E1000-memory.dmp	upx
behavioral2/memory/5116-140-0x00007FF6979F0000-0x00007FF697D41000-memory.dmp	upx
behavioral2/memory/3172-138-0x00007FF6A56B0000-0x00007FF6A5A01000-memory.dmp	upx
behavioral2/files/0x0008000000023c05-137.dat	upx
behavioral2/memory/4460-141-0x00007FF7FD390000-0x00007FF7FD6E1000-memory.dmp	upx
behavioral2/memory/2368-142-0x00007FF640090000-0x00007FF6403E1000-memory.dmp	upx
behavioral2/memory/3568-143-0x00007FF602AE0000-0x00007FF602E31000-memory.dmp	upx
behavioral2/memory/2972-152-0x00007FF70F420000-0x00007FF70F771000-memory.dmp	upx
behavioral2/memory/3228-160-0x00007FF7ED5C0000-0x00007FF7ED911000-memory.dmp	upx
behavioral2/memory/400-161-0x00007FF7CD860000-0x00007FF7CDBB1000-memory.dmp	upx
behavioral2/memory/3968-167-0x00007FF6CDB10000-0x00007FF6CDE61000-memory.dmp	upx
behavioral2/memory/5116-169-0x00007FF6979F0000-0x00007FF697D41000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\afyKsEI.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FNRLGRW.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sqTyYCU.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mdyZzhF.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AcxSzrg.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iURdThp.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NlbHheb.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rRAPyET.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eZnYhbF.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IOsvwsd.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DzasOFd.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KnOsyVh.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mZofIYy.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BdHWNzy.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sqodjqm.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hemKUny.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jEiEKcG.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zIVSPaw.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bqfSUDi.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EcTceFI.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iESVjwR.exe	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 4000	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3568 wrote to memory of 4000	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3568 wrote to memory of 3320	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3568 wrote to memory of 3320	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3568 wrote to memory of 2948	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3568 wrote to memory of 2948	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3568 wrote to memory of 3768	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3568 wrote to memory of 3768	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3568 wrote to memory of 4760	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3568 wrote to memory of 4760	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3568 wrote to memory of 4716	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3568 wrote to memory of 4716	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3568 wrote to memory of 1120	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3568 wrote to memory of 1120	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3568 wrote to memory of 3440	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3568 wrote to memory of 3440	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3568 wrote to memory of 3500	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3568 wrote to memory of 3500	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3568 wrote to memory of 3948	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3568 wrote to memory of 3948	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3568 wrote to memory of 2080	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3568 wrote to memory of 2080	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3568 wrote to memory of 1352	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3568 wrote to memory of 1352	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3568 wrote to memory of 3172	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3568 wrote to memory of 3172	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3568 wrote to memory of 4460	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3568 wrote to memory of 4460	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3568 wrote to memory of 3940	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3568 wrote to memory of 3940	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3568 wrote to memory of 2368	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3568 wrote to memory of 2368	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3568 wrote to memory of 2972	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3568 wrote to memory of 2972	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3568 wrote to memory of 3228	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3568 wrote to memory of 3228	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3568 wrote to memory of 400	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3568 wrote to memory of 400	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3568 wrote to memory of 3968	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3568 wrote to memory of 3968	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3568 wrote to memory of 5116	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3568 wrote to memory of 5116	3568	2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_f0873c34d12253402768c6f23cd375c5_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\System\iESVjwR.exe
  C:\Windows\System\iESVjwR.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\iURdThp.exe
  C:\Windows\System\iURdThp.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System\sqodjqm.exe
  C:\Windows\System\sqodjqm.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\IOsvwsd.exe
  C:\Windows\System\IOsvwsd.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System\hemKUny.exe
  C:\Windows\System\hemKUny.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\BdHWNzy.exe
  C:\Windows\System\BdHWNzy.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\jEiEKcG.exe
  C:\Windows\System\jEiEKcG.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System\DzasOFd.exe
  C:\Windows\System\DzasOFd.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System\afyKsEI.exe
  C:\Windows\System\afyKsEI.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\zIVSPaw.exe
  C:\Windows\System\zIVSPaw.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\bqfSUDi.exe
  C:\Windows\System\bqfSUDi.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\KnOsyVh.exe
  C:\Windows\System\KnOsyVh.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System\EcTceFI.exe
  C:\Windows\System\EcTceFI.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System\NlbHheb.exe
  C:\Windows\System\NlbHheb.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\rRAPyET.exe
  C:\Windows\System\rRAPyET.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\FNRLGRW.exe
  C:\Windows\System\FNRLGRW.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\mZofIYy.exe
  C:\Windows\System\mZofIYy.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\eZnYhbF.exe
  C:\Windows\System\eZnYhbF.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\sqTyYCU.exe
  C:\Windows\System\sqTyYCU.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\mdyZzhF.exe
  C:\Windows\System\mdyZzhF.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System\AcxSzrg.exe
  C:\Windows\System\AcxSzrg.exe
  2⤵
  - Executes dropped EXE
  PID:5116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AcxSzrg.exe

Filesize
5.2MB

MD5
35f533202b7ae73fb0c36b8861097dcd

SHA1
ef4d4a2b5344c764ccd66a4c8f627423db51c305

SHA256
bc46d0b5473fde1ccbf48d3839800ba2699ecc6d326eda92c500b873f404369a

SHA512
622d9057c4cb8201eb2cb50d34309a8f97b774ead8222b4a9db44b961a3421c176973b743a75ad45eaf8efcf9e295129e20b60e1f553ce557ada93e1db20486f

Download Submit
C:\Windows\System\BdHWNzy.exe

Filesize
5.2MB

MD5
b4d9b5e75ce8f1961f43ebaf802b21f4

SHA1
76bffc76513424ba8c1dcc3dbd5b19ac92027d1b

SHA256
146122e0e071a7210ab9fe05b778e9d4bfc1b48929481b29491f8857216ec915

SHA512
5715abae7c2b482f06b2b5ae9007345aab05c5708fe770ff2d1219ac96b75fdf839a8423bae1d1bb9d44419de7aca1bac75842fb22b772cbcb4578ad6878351c

Download Submit
C:\Windows\System\DzasOFd.exe

Filesize
5.2MB

MD5
acc7255ec656cb75814f1973b7f0ff5f

SHA1
fa389ba1b9ecdeee958d31e21eca83c6a2976b13

SHA256
66f6f82de11549eccf32bce3f1574fae51bb82dca0a9f8e047c409d1fbdd2cea

SHA512
c67540213258216e3045ef111482aa5e89039bd6679a09a33061201828ebb7d11907d741a375961ced86729279b4ce4376523e867b01c713b9edc635166527ee

Download Submit
C:\Windows\System\EcTceFI.exe

Filesize
5.2MB

MD5
5245ea7e1938c2bffb8b5a6120a10b53

SHA1
a5da2042c3b8ec049c2802870c78e4c97018920b

SHA256
02a909f3675a2a9e540c5bbe95dfeba219d5314ce75a904e79642b3b5b32439d

SHA512
bb0f503a18141f14c5b92faedcba3703fef448faac0c58966b5aacf8b7f9f16637c1f80a16f51d55e5d5082a83c9b06c777e882ee1bcbe9bb5a767ea2377ca2b

Download Submit
C:\Windows\System\FNRLGRW.exe

Filesize
5.2MB

MD5
95f02d9e347962f9abbca2bd3db620b9

SHA1
0e4220ede74febc35c54009adad36f88b044f90c

SHA256
4091b9a7bf017e29e3bde5f60e942c301e000e9a16ef88c7b03664ea64a12a7d

SHA512
f861d8568061b743c7f43d9ece360cdebca43fe05bb48b2e8195bf003aaae484e486bdc3c6b5f74f3b2a98d12fb0b3d990509db9c4207cbeac8936948808d88b

Download Submit
C:\Windows\System\IOsvwsd.exe

Filesize
5.2MB

MD5
7ba9c2edbe421483e3952780f85b88ec

SHA1
61be7411f9c3d9fa3788a3010757caceaa34b102

SHA256
39c4f8de45e10234f75bbb0cb84780117122c8917d2f88da63cfec4c5d18b5ce

SHA512
b093f2d3bffdc1bc975207f137ea493c0f70c37a258ed5277dc8fb3795f9372b6a7802826c32e83eb9c5b4b21eb46aaa844680e650d4fdba4b25530ba047b611

Download Submit
C:\Windows\System\KnOsyVh.exe

Filesize
5.2MB

MD5
a40984e15ad680b04a890997dfecfca3

SHA1
7fa016390a13a5d272e6f6d5ab46499f5ad83a91

SHA256
a49df0ae13fe18f5dc255533f83e71d9dc849e784ea20587f9a0b3060e8cb66c

SHA512
e998844905b3b87f2dfbac2882f28f7b9ff4786ed2886d318cdeccd325160bb81e5595d880aa8a3aafa11a41cda6970d63ac356ed9e8375cc8f81894ef894cc0

Download Submit
C:\Windows\System\NlbHheb.exe

Filesize
5.2MB

MD5
9ad0a2e40826d767cc57e58585ac63c7

SHA1
65d8f31298432d7589cc0f5d5081ca54b09a5ce0

SHA256
b2965b1e1aea5c8a9465360fff624f926c311c0eca3a7ccb2f362893910f5c80

SHA512
3ad22abd29502a3c41446e4661818c673ae290e3ccc20cf7c0860d2031e268745335011edbe67902345ceae11121a91d1f1a4dc52f4dab9db2e829f07c109474

Download Submit
C:\Windows\System\afyKsEI.exe

Filesize
5.2MB

MD5
32704d6a8ef2691d0eb1b0e911039f8a

SHA1
cec3e279bc2eacebd027c25d82da8bbd13faaa8c

SHA256
a8fe41aede2577944977411906c98afcf7a31ef498577145d76a0c730712a1cc

SHA512
b7d27c97d9a5d5d766002f04164016df3f74cb88dfc0664fa592416fedcbe0cef3886640495445b2f612514d2a9360f9ae330a7486a27bc4a58cb19a74cfcc64

Download Submit
C:\Windows\System\bqfSUDi.exe

Filesize
5.2MB

MD5
3b81a26e727b76a146eb195a6d5ca590

SHA1
9dd036648dc1315acf1e421d91cbc2b73927ae64

SHA256
e6c2fd58f9f8775beecc77987fe5cd63ea672831a3fa0f506c04ffc6bc9b843f

SHA512
e3b8802a4aa9c0a33a5ef310656a605a39cfd104e169e42ac7700375fe75906284f70b6d3b1097178df5098ebcc366647f4ca70c78694bc0806cf0c3e1394012

Download Submit
C:\Windows\System\eZnYhbF.exe

Filesize
5.2MB

MD5
6ac0889ea6e5640c0ce6aa7b5600ba4a

SHA1
39ed76e91534b8e7df46669f95a6ca10f8918671

SHA256
9f9cda4aec8a94d05fd8a19613e16fcf1912d3a34fcd6e300926e80c25f5ea55

SHA512
a4cd4ad51c72dac6b4244e727072d810119747a2dd34278e416d03d57716d335372912b639be720d7cc81378fecd3ad2b3e5e7a01c5f29526fa999d41da0873f

Download Submit
C:\Windows\System\hemKUny.exe

Filesize
5.2MB

MD5
f43f8257b86765e34f6cb1d94c5dc1eb

SHA1
fb6809a6258e4a8ed12a924ffdf02aff378b8b05

SHA256
1c80ea9c4fbdad6e4e6885d25fcf2733d2c498ad087a1f1b964f0bf8321561c5

SHA512
d6c190e62587ed9681761cd162aec0a5783560d5542f7f5a718fb8e7d6b18d45e9dfa3ca0030b1cb44676f27592fb2a43f596961a834f922f6e32de28b2eb1c3

Download Submit
C:\Windows\System\iESVjwR.exe

Filesize
5.2MB

MD5
a04dae8c32457d989b0bb25221c3f39b

SHA1
8ad9cbdc4d0ba16d0471b361e5e87c4c8fc26aa6

SHA256
fbe7e7a66f66c4bb3fbedb969054458d35bcd5058a385ce293b9dabd9e69cac9

SHA512
8eaa866aa67123796004994fd2524afcb21f855b5dcaefd518e6f56293e23265c0f073fb01788d0090d0a4f0f037d66e26bdcb2cc6fca7edfc89a617c8942d45

Download Submit
C:\Windows\System\iURdThp.exe

Filesize
5.2MB

MD5
5f907470daac12e3a657ad7a0e3be16f

SHA1
411757b77180d1b555bb46d1eccf51ad259e39c6

SHA256
302bd2e1e9cbfb1e1637061b99366a2738a3d38fc17a581335f5d1504d1ab124

SHA512
d11ad2a1f8a9e7cabc843b30d09a1ead821e16a0f6c6d3063be5dd54c821080b52c817996412d789f3371b1c21bcf6dcc6120212ffc63065f2f45c2cab00877c

Download Submit
C:\Windows\System\jEiEKcG.exe

Filesize
5.2MB

MD5
af5c630012d4011d17185df28fc465c6

SHA1
bc8b5165789bed85eb27c40a468cad5043a316af

SHA256
95adbb87ed388030d8940a0b35c2fbe994ec376b7f9dff4df7bd82f21781a1d1

SHA512
ea95059670d44d30a07dd86659a471ac5f051e7abd5a309c1c5a015ac06a7c094b3fbadd637bf743e1967992c62ce9b228718a7622b920f1c4c39d29aed070b0

Download Submit
C:\Windows\System\mZofIYy.exe

Filesize
5.2MB

MD5
fd0a645c382e2595963c24e6e948abe9

SHA1
c501aa2ee6731ab61113c085c3951b34ce3c9c60

SHA256
fcf49777c79a85e2ddcdb9b7f3a62e8693b744e4848524a0682d863eddb0af29

SHA512
7a1f03c21e6cec8d560dc5d60190dcb3272ab11bf9381c026f95efa33168605ab62c18fd8974a2de9ad11ddcb765838f5961c78cebef463f8a2e1b7ff9ff316a

Download Submit
C:\Windows\System\mdyZzhF.exe

Filesize
5.2MB

MD5
a1153c514bc8fa0aedbd62210cbd6e4e

SHA1
77b68f2e5eb29d8ed29e8a9ce235156b85d6abdf

SHA256
23c73b9bc5c8614b74d26b3cccd583318a102782ba6224a6b6acabdf7ced5929

SHA512
e6bcc3b575e773831a9b316a40a34d5b9a0250330675fc7acddae96ca514246e64f2f7480d24fd68c7a0349a4edf158938b90e3a0064e7338a4de6746ba11806

Download Submit
C:\Windows\System\rRAPyET.exe

Filesize
5.2MB

MD5
f4fa58e6bb8d53e7269ee72af3a51810

SHA1
5fd4d67e298f998d954452bef5f541d20babbee6

SHA256
dbb2d96196dfcc6ca635543c4c52409530583a65ebbed1554cb867a3b52b0f3c

SHA512
d66b175b292bf3db37edb248528781193c6ca9bd11f72a06f007ffc7ebeb6ba820dd52c71f57c1a5d31e8dcbe6e7a8942273b4d465dc9a318abeb84a0f1a6479

Download Submit
C:\Windows\System\sqTyYCU.exe

Filesize
5.2MB

MD5
b01596d47e8bb806e5b0d8f56c5d1c08

SHA1
769a59e8095d062e6c00753a3c3dbb91b61bf629

SHA256
2c84d147190605013c4dea44cbdb45e53af517e51b9f88db4dfb9d5ee0e2c9c0

SHA512
5774358c70ff7a152ab38e30ec61c2fe6422f49d283b365f0c9bfe90c3f2c879498381c9f5c580b8490767d52b3f9d3ba38de6aac9244829cdc88227baa9193d

Download Submit
C:\Windows\System\sqodjqm.exe

Filesize
5.2MB

MD5
419879b4326fd43f701361f7f88b2fe7

SHA1
967f6359e5e75fb2ef1d2c5608fa14fa405cc3f2

SHA256
7ce06b7f8783cb4ff8df0c6b570bd98e51d33910097fa12dc79afe28531b4481

SHA512
8f0242b08e99b59e21b1fa70f1be4efeeb4e4f346c8e3bf47843ddcfd559d33f5f355101ed35194fdd92198ee47bd2ea4a1f42c748f0d991bf78666dece75aa8

Download Submit
C:\Windows\System\zIVSPaw.exe

Filesize
5.2MB

MD5
364dbd599cb2848ce6da0972364554b0

SHA1
70350493d05fdb1f125f04afd985dbf11f22c1d4

SHA256
994e2b2aa0b13ca5e797a91a22dca10c3787bbf8cfe8ac56ed898814dff8e9af

SHA512
8752e7f500a85168a7c5f68991e49f10b5299137affc700026dbad252ecf0702aea8bbfc85d566a7ca2c63a7eb9b84a947cb925f390825f52642f9fbbcf8d631

Download Submit
memory/400-123-0x00007FF7CD860000-0x00007FF7CDBB1000-memory.dmp

Filesize
3.3MB

Download
memory/400-272-0x00007FF7CD860000-0x00007FF7CDBB1000-memory.dmp

Filesize
3.3MB

Download
memory/400-161-0x00007FF7CD860000-0x00007FF7CDBB1000-memory.dmp

Filesize
3.3MB

Download
memory/1120-42-0x00007FF6B5D30000-0x00007FF6B6081000-memory.dmp

Filesize
3.3MB

Download
memory/1120-102-0x00007FF6B5D30000-0x00007FF6B6081000-memory.dmp

Filesize
3.3MB

Download
memory/1120-239-0x00007FF6B5D30000-0x00007FF6B6081000-memory.dmp

Filesize
3.3MB

Download
memory/1352-75-0x00007FF659090000-0x00007FF6593E1000-memory.dmp

Filesize
3.3MB

Download
memory/1352-134-0x00007FF659090000-0x00007FF6593E1000-memory.dmp

Filesize
3.3MB

Download
memory/1352-253-0x00007FF659090000-0x00007FF6593E1000-memory.dmp

Filesize
3.3MB

Download
memory/2080-251-0x00007FF760140000-0x00007FF760491000-memory.dmp

Filesize
3.3MB

Download
memory/2080-130-0x00007FF760140000-0x00007FF760491000-memory.dmp

Filesize
3.3MB

Download
memory/2080-68-0x00007FF760140000-0x00007FF760491000-memory.dmp

Filesize
3.3MB

Download
memory/2368-266-0x00007FF640090000-0x00007FF6403E1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-142-0x00007FF640090000-0x00007FF6403E1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-103-0x00007FF640090000-0x00007FF6403E1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-231-0x00007FF6D1200000-0x00007FF6D1551000-memory.dmp

Filesize
3.3MB

Download
memory/2948-20-0x00007FF6D1200000-0x00007FF6D1551000-memory.dmp

Filesize
3.3MB

Download
memory/2948-81-0x00007FF6D1200000-0x00007FF6D1551000-memory.dmp

Filesize
3.3MB

Download
memory/2972-110-0x00007FF70F420000-0x00007FF70F771000-memory.dmp

Filesize
3.3MB

Download
memory/2972-268-0x00007FF70F420000-0x00007FF70F771000-memory.dmp

Filesize
3.3MB

Download
memory/2972-152-0x00007FF70F420000-0x00007FF70F771000-memory.dmp

Filesize
3.3MB

Download
memory/3172-255-0x00007FF6A56B0000-0x00007FF6A5A01000-memory.dmp

Filesize
3.3MB

Download
memory/3172-82-0x00007FF6A56B0000-0x00007FF6A5A01000-memory.dmp

Filesize
3.3MB

Download
memory/3172-138-0x00007FF6A56B0000-0x00007FF6A5A01000-memory.dmp

Filesize
3.3MB

Download
memory/3228-270-0x00007FF7ED5C0000-0x00007FF7ED911000-memory.dmp

Filesize
3.3MB

Download
memory/3228-118-0x00007FF7ED5C0000-0x00007FF7ED911000-memory.dmp

Filesize
3.3MB

Download
memory/3228-160-0x00007FF7ED5C0000-0x00007FF7ED911000-memory.dmp

Filesize
3.3MB

Download
memory/3320-73-0x00007FF740CD0000-0x00007FF741021000-memory.dmp

Filesize
3.3MB

Download
memory/3320-221-0x00007FF740CD0000-0x00007FF741021000-memory.dmp

Filesize
3.3MB

Download
memory/3320-14-0x00007FF740CD0000-0x00007FF741021000-memory.dmp

Filesize
3.3MB

Download
memory/3440-241-0x00007FF6FE380000-0x00007FF6FE6D1000-memory.dmp

Filesize
3.3MB

Download
memory/3440-50-0x00007FF6FE380000-0x00007FF6FE6D1000-memory.dmp

Filesize
3.3MB

Download
memory/3440-108-0x00007FF6FE380000-0x00007FF6FE6D1000-memory.dmp

Filesize
3.3MB

Download
memory/3500-116-0x00007FF76B5F0000-0x00007FF76B941000-memory.dmp

Filesize
3.3MB

Download
memory/3500-54-0x00007FF76B5F0000-0x00007FF76B941000-memory.dmp

Filesize
3.3MB

Download
memory/3500-243-0x00007FF76B5F0000-0x00007FF76B941000-memory.dmp

Filesize
3.3MB

Download
memory/3568-59-0x00007FF602AE0000-0x00007FF602E31000-memory.dmp

Filesize
3.3MB

Download
memory/3568-170-0x00007FF602AE0000-0x00007FF602E31000-memory.dmp

Filesize
3.3MB

Download
memory/3568-143-0x00007FF602AE0000-0x00007FF602E31000-memory.dmp

Filesize
3.3MB

Download
memory/3568-0-0x00007FF602AE0000-0x00007FF602E31000-memory.dmp

Filesize
3.3MB

Download
memory/3568-1-0x0000028BCEEA0000-0x0000028BCEEB0000-memory.dmp

Filesize
64KB

Download
memory/3768-24-0x00007FF61CA90000-0x00007FF61CDE1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-233-0x00007FF61CA90000-0x00007FF61CDE1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-88-0x00007FF61CA90000-0x00007FF61CDE1000-memory.dmp

Filesize
3.3MB

Download
memory/3940-100-0x00007FF60EFB0000-0x00007FF60F301000-memory.dmp

Filesize
3.3MB

Download
memory/3940-264-0x00007FF60EFB0000-0x00007FF60F301000-memory.dmp

Filesize
3.3MB

Download
memory/3948-66-0x00007FF675090000-0x00007FF6753E1000-memory.dmp

Filesize
3.3MB

Download
memory/3948-117-0x00007FF675090000-0x00007FF6753E1000-memory.dmp

Filesize
3.3MB

Download
memory/3948-246-0x00007FF675090000-0x00007FF6753E1000-memory.dmp

Filesize
3.3MB

Download
memory/3968-131-0x00007FF6CDB10000-0x00007FF6CDE61000-memory.dmp

Filesize
3.3MB

Download
memory/3968-167-0x00007FF6CDB10000-0x00007FF6CDE61000-memory.dmp

Filesize
3.3MB

Download
memory/3968-274-0x00007FF6CDB10000-0x00007FF6CDE61000-memory.dmp

Filesize
3.3MB

Download
memory/4000-219-0x00007FF6B0520000-0x00007FF6B0871000-memory.dmp

Filesize
3.3MB

Download
memory/4000-67-0x00007FF6B0520000-0x00007FF6B0871000-memory.dmp

Filesize
3.3MB

Download
memory/4000-8-0x00007FF6B0520000-0x00007FF6B0871000-memory.dmp

Filesize
3.3MB

Download
memory/4460-257-0x00007FF7FD390000-0x00007FF7FD6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-90-0x00007FF7FD390000-0x00007FF7FD6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-141-0x00007FF7FD390000-0x00007FF7FD6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-40-0x00007FF7DED00000-0x00007FF7DF051000-memory.dmp

Filesize
3.3MB

Download
memory/4716-237-0x00007FF7DED00000-0x00007FF7DF051000-memory.dmp

Filesize
3.3MB

Download
memory/4760-89-0x00007FF6E91C0000-0x00007FF6E9511000-memory.dmp

Filesize
3.3MB

Download
memory/4760-235-0x00007FF6E91C0000-0x00007FF6E9511000-memory.dmp

Filesize
3.3MB

Download
memory/4760-38-0x00007FF6E91C0000-0x00007FF6E9511000-memory.dmp

Filesize
3.3MB

Download
memory/5116-169-0x00007FF6979F0000-0x00007FF697D41000-memory.dmp

Filesize
3.3MB

Download
memory/5116-140-0x00007FF6979F0000-0x00007FF697D41000-memory.dmp

Filesize
3.3MB

Download
memory/5116-277-0x00007FF6979F0000-0x00007FF697D41000-memory.dmp

Filesize
3.3MB

Download