cobaltstrike | f2deccebf844499cea837e8006950a480af60e5b2cfb98eedfb5178759cee737

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

463ef1711d91099378a9c029ce5537e8
SHA1

d41a392935c4fbc9c2a02d7329cb23e1c044e738
SHA256

f2deccebf844499cea837e8006950a480af60e5b2cfb98eedfb5178759cee737
SHA512

b96f7cb716dae61eb448d178382f2c1d5d76c30430b87e8a2dc28fc8e45feaeac18944c6c46966f11dae714e6826d6a0969424b8814cd11cbf4adef45866e1cb
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lR:RWWBibd56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023ca1-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-62.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca2-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-130.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-128.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/368-74-0x00007FF67AD10000-0x00007FF67B061000-memory.dmp	xmrig
behavioral2/memory/2680-70-0x00007FF7DD6B0000-0x00007FF7DDA01000-memory.dmp	xmrig
behavioral2/memory/3540-69-0x00007FF67E570000-0x00007FF67E8C1000-memory.dmp	xmrig
behavioral2/memory/2832-49-0x00007FF752790000-0x00007FF752AE1000-memory.dmp	xmrig
behavioral2/memory/1696-114-0x00007FF6D74B0000-0x00007FF6D7801000-memory.dmp	xmrig
behavioral2/memory/2516-123-0x00007FF710260000-0x00007FF7105B1000-memory.dmp	xmrig
behavioral2/memory/1556-133-0x00007FF685530000-0x00007FF685881000-memory.dmp	xmrig
behavioral2/memory/1388-136-0x00007FF62B530000-0x00007FF62B881000-memory.dmp	xmrig
behavioral2/memory/1384-135-0x00007FF7D20F0000-0x00007FF7D2441000-memory.dmp	xmrig
behavioral2/memory/4176-134-0x00007FF625840000-0x00007FF625B91000-memory.dmp	xmrig
behavioral2/memory/4304-132-0x00007FF6D0000000-0x00007FF6D0351000-memory.dmp	xmrig
behavioral2/memory/1532-125-0x00007FF622060000-0x00007FF6223B1000-memory.dmp	xmrig
behavioral2/memory/1412-117-0x00007FF6BB840000-0x00007FF6BBB91000-memory.dmp	xmrig
behavioral2/memory/4724-113-0x00007FF7285B0000-0x00007FF728901000-memory.dmp	xmrig
behavioral2/memory/2320-108-0x00007FF741E60000-0x00007FF7421B1000-memory.dmp	xmrig
behavioral2/memory/2320-137-0x00007FF741E60000-0x00007FF7421B1000-memory.dmp	xmrig
behavioral2/memory/5008-147-0x00007FF60DDE0000-0x00007FF60E131000-memory.dmp	xmrig
behavioral2/memory/1940-154-0x00007FF6B0E60000-0x00007FF6B11B1000-memory.dmp	xmrig
behavioral2/memory/756-153-0x00007FF727790000-0x00007FF727AE1000-memory.dmp	xmrig
behavioral2/memory/4624-155-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp	xmrig
behavioral2/memory/2212-152-0x00007FF7FE1E0000-0x00007FF7FE531000-memory.dmp	xmrig
behavioral2/memory/1876-156-0x00007FF7C1740000-0x00007FF7C1A91000-memory.dmp	xmrig
behavioral2/memory/4504-157-0x00007FF7B4670000-0x00007FF7B49C1000-memory.dmp	xmrig
behavioral2/memory/2320-162-0x00007FF741E60000-0x00007FF7421B1000-memory.dmp	xmrig
behavioral2/memory/4724-217-0x00007FF7285B0000-0x00007FF728901000-memory.dmp	xmrig
behavioral2/memory/1696-219-0x00007FF6D74B0000-0x00007FF6D7801000-memory.dmp	xmrig
behavioral2/memory/2516-223-0x00007FF710260000-0x00007FF7105B1000-memory.dmp	xmrig
behavioral2/memory/2832-222-0x00007FF752790000-0x00007FF752AE1000-memory.dmp	xmrig
behavioral2/memory/3540-233-0x00007FF67E570000-0x00007FF67E8C1000-memory.dmp	xmrig
behavioral2/memory/1412-239-0x00007FF6BB840000-0x00007FF6BBB91000-memory.dmp	xmrig
behavioral2/memory/368-241-0x00007FF67AD10000-0x00007FF67B061000-memory.dmp	xmrig
behavioral2/memory/1556-243-0x00007FF685530000-0x00007FF685881000-memory.dmp	xmrig
behavioral2/memory/1532-238-0x00007FF622060000-0x00007FF6223B1000-memory.dmp	xmrig
behavioral2/memory/2680-236-0x00007FF7DD6B0000-0x00007FF7DDA01000-memory.dmp	xmrig
behavioral2/memory/1388-248-0x00007FF62B530000-0x00007FF62B881000-memory.dmp	xmrig
behavioral2/memory/2212-253-0x00007FF7FE1E0000-0x00007FF7FE531000-memory.dmp	xmrig
behavioral2/memory/756-251-0x00007FF727790000-0x00007FF727AE1000-memory.dmp	xmrig
behavioral2/memory/1384-249-0x00007FF7D20F0000-0x00007FF7D2441000-memory.dmp	xmrig
behavioral2/memory/1940-245-0x00007FF6B0E60000-0x00007FF6B11B1000-memory.dmp	xmrig
behavioral2/memory/5008-255-0x00007FF60DDE0000-0x00007FF60E131000-memory.dmp	xmrig
behavioral2/memory/4624-261-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp	xmrig
behavioral2/memory/1876-263-0x00007FF7C1740000-0x00007FF7C1A91000-memory.dmp	xmrig
behavioral2/memory/4504-265-0x00007FF7B4670000-0x00007FF7B49C1000-memory.dmp	xmrig
behavioral2/memory/4176-270-0x00007FF625840000-0x00007FF625B91000-memory.dmp	xmrig
behavioral2/memory/4304-269-0x00007FF6D0000000-0x00007FF6D0351000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4724	EouhEMG.exe
1696	XCpywQF.exe
2516	iMRcoxS.exe
1412	rUvMbqq.exe
2832	TocTzlO.exe
2680	JfMinJy.exe
1532	LNwpkJg.exe
368	fnqMNWA.exe
1556	rmjbcMv.exe
1388	zdlbtgs.exe
3540	LBdBDSG.exe
1384	tCfdNWX.exe
5008	DaFdTAC.exe
2212	joxlHnQ.exe
756	mMTmtJR.exe
1940	DuuLiCb.exe
4624	IFjQzCA.exe
1876	zBLplrM.exe
4504	WRMwBwg.exe
4304	Cszfwpm.exe
4176	kDIoJSv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2320-0-0x00007FF741E60000-0x00007FF7421B1000-memory.dmp	upx
behavioral2/files/0x0008000000023ca1-5.dat	upx
behavioral2/files/0x0007000000023ca8-29.dat	upx
behavioral2/files/0x0007000000023caa-34.dat	upx
behavioral2/files/0x0007000000023ca9-44.dat	upx
behavioral2/files/0x0007000000023cae-55.dat	upx
behavioral2/files/0x0007000000023caf-62.dat	upx
behavioral2/files/0x0008000000023ca2-79.dat	upx
behavioral2/memory/5008-88-0x00007FF60DDE0000-0x00007FF60E131000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-94.dat	upx
behavioral2/files/0x0007000000023cb2-97.dat	upx
behavioral2/memory/1940-96-0x00007FF6B0E60000-0x00007FF6B11B1000-memory.dmp	upx
behavioral2/memory/756-93-0x00007FF727790000-0x00007FF727AE1000-memory.dmp	upx
behavioral2/memory/2212-89-0x00007FF7FE1E0000-0x00007FF7FE531000-memory.dmp	upx
behavioral2/files/0x0007000000023cb0-84.dat	upx
behavioral2/memory/1384-81-0x00007FF7D20F0000-0x00007FF7D2441000-memory.dmp	upx
behavioral2/memory/1388-75-0x00007FF62B530000-0x00007FF62B881000-memory.dmp	upx
behavioral2/memory/368-74-0x00007FF67AD10000-0x00007FF67B061000-memory.dmp	upx
behavioral2/memory/2680-70-0x00007FF7DD6B0000-0x00007FF7DDA01000-memory.dmp	upx
behavioral2/memory/3540-69-0x00007FF67E570000-0x00007FF67E8C1000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-67.dat	upx
behavioral2/memory/1556-61-0x00007FF685530000-0x00007FF685881000-memory.dmp	upx
behavioral2/files/0x0007000000023cac-60.dat	upx
behavioral2/files/0x0007000000023cab-59.dat	upx
behavioral2/memory/1532-56-0x00007FF622060000-0x00007FF6223B1000-memory.dmp	upx
behavioral2/memory/2832-49-0x00007FF752790000-0x00007FF752AE1000-memory.dmp	upx
behavioral2/memory/2516-37-0x00007FF710260000-0x00007FF7105B1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-32.dat	upx
behavioral2/files/0x0007000000023ca7-33.dat	upx
behavioral2/memory/1696-23-0x00007FF6D74B0000-0x00007FF6D7801000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-17.dat	upx
behavioral2/memory/1412-26-0x00007FF6BB840000-0x00007FF6BBB91000-memory.dmp	upx
behavioral2/memory/4724-8-0x00007FF7285B0000-0x00007FF728901000-memory.dmp	upx
behavioral2/files/0x0007000000023cb3-101.dat	upx
behavioral2/files/0x0007000000023cb4-106.dat	upx
behavioral2/memory/1696-114-0x00007FF6D74B0000-0x00007FF6D7801000-memory.dmp	upx
behavioral2/memory/2516-123-0x00007FF710260000-0x00007FF7105B1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb5-126.dat	upx
behavioral2/files/0x0007000000023cb7-130.dat	upx
behavioral2/memory/1556-133-0x00007FF685530000-0x00007FF685881000-memory.dmp	upx
behavioral2/memory/1388-136-0x00007FF62B530000-0x00007FF62B881000-memory.dmp	upx
behavioral2/memory/1384-135-0x00007FF7D20F0000-0x00007FF7D2441000-memory.dmp	upx
behavioral2/memory/4176-134-0x00007FF625840000-0x00007FF625B91000-memory.dmp	upx
behavioral2/memory/4304-132-0x00007FF6D0000000-0x00007FF6D0351000-memory.dmp	upx
behavioral2/files/0x0007000000023cb6-128.dat	upx
behavioral2/memory/1532-125-0x00007FF622060000-0x00007FF6223B1000-memory.dmp	upx
behavioral2/memory/4504-120-0x00007FF7B4670000-0x00007FF7B49C1000-memory.dmp	upx
behavioral2/memory/1412-117-0x00007FF6BB840000-0x00007FF6BBB91000-memory.dmp	upx
behavioral2/memory/4724-113-0x00007FF7285B0000-0x00007FF728901000-memory.dmp	upx
behavioral2/memory/1876-111-0x00007FF7C1740000-0x00007FF7C1A91000-memory.dmp	upx
behavioral2/memory/2320-108-0x00007FF741E60000-0x00007FF7421B1000-memory.dmp	upx
behavioral2/memory/4624-102-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp	upx
behavioral2/memory/2320-137-0x00007FF741E60000-0x00007FF7421B1000-memory.dmp	upx
behavioral2/memory/5008-147-0x00007FF60DDE0000-0x00007FF60E131000-memory.dmp	upx
behavioral2/memory/1940-154-0x00007FF6B0E60000-0x00007FF6B11B1000-memory.dmp	upx
behavioral2/memory/756-153-0x00007FF727790000-0x00007FF727AE1000-memory.dmp	upx
behavioral2/memory/4624-155-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp	upx
behavioral2/memory/2212-152-0x00007FF7FE1E0000-0x00007FF7FE531000-memory.dmp	upx
behavioral2/memory/1876-156-0x00007FF7C1740000-0x00007FF7C1A91000-memory.dmp	upx
behavioral2/memory/4504-157-0x00007FF7B4670000-0x00007FF7B49C1000-memory.dmp	upx
behavioral2/memory/2320-162-0x00007FF741E60000-0x00007FF7421B1000-memory.dmp	upx
behavioral2/memory/4724-217-0x00007FF7285B0000-0x00007FF728901000-memory.dmp	upx
behavioral2/memory/1696-219-0x00007FF6D74B0000-0x00007FF6D7801000-memory.dmp	upx
behavioral2/memory/2516-223-0x00007FF710260000-0x00007FF7105B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\iMRcoxS.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JfMinJy.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rmjbcMv.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kDIoJSv.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rUvMbqq.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LNwpkJg.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DaFdTAC.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mMTmtJR.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IFjQzCA.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zBLplrM.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Cszfwpm.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EouhEMG.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XCpywQF.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tCfdNWX.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TocTzlO.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fnqMNWA.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zdlbtgs.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LBdBDSG.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\joxlHnQ.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DuuLiCb.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WRMwBwg.exe	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 4724	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2320 wrote to memory of 4724	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2320 wrote to memory of 1696	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2320 wrote to memory of 1696	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2320 wrote to memory of 2516	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2320 wrote to memory of 2516	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2320 wrote to memory of 1412	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2320 wrote to memory of 1412	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2320 wrote to memory of 2832	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2320 wrote to memory of 2832	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2320 wrote to memory of 2680	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2320 wrote to memory of 2680	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2320 wrote to memory of 1532	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2320 wrote to memory of 1532	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2320 wrote to memory of 368	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2320 wrote to memory of 368	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2320 wrote to memory of 1556	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2320 wrote to memory of 1556	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2320 wrote to memory of 1388	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2320 wrote to memory of 1388	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2320 wrote to memory of 3540	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2320 wrote to memory of 3540	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2320 wrote to memory of 1384	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2320 wrote to memory of 1384	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2320 wrote to memory of 5008	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2320 wrote to memory of 5008	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2320 wrote to memory of 2212	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2320 wrote to memory of 2212	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2320 wrote to memory of 756	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2320 wrote to memory of 756	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2320 wrote to memory of 1940	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2320 wrote to memory of 1940	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2320 wrote to memory of 4624	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2320 wrote to memory of 4624	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2320 wrote to memory of 1876	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2320 wrote to memory of 1876	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2320 wrote to memory of 4504	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2320 wrote to memory of 4504	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2320 wrote to memory of 4304	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2320 wrote to memory of 4304	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2320 wrote to memory of 4176	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2320 wrote to memory of 4176	2320	2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_463ef1711d91099378a9c029ce5537e8_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\System\EouhEMG.exe
  C:\Windows\System\EouhEMG.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\XCpywQF.exe
  C:\Windows\System\XCpywQF.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\iMRcoxS.exe
  C:\Windows\System\iMRcoxS.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\rUvMbqq.exe
  C:\Windows\System\rUvMbqq.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\TocTzlO.exe
  C:\Windows\System\TocTzlO.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\JfMinJy.exe
  C:\Windows\System\JfMinJy.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\LNwpkJg.exe
  C:\Windows\System\LNwpkJg.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\fnqMNWA.exe
  C:\Windows\System\fnqMNWA.exe
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\System\rmjbcMv.exe
  C:\Windows\System\rmjbcMv.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System\zdlbtgs.exe
  C:\Windows\System\zdlbtgs.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\LBdBDSG.exe
  C:\Windows\System\LBdBDSG.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\tCfdNWX.exe
  C:\Windows\System\tCfdNWX.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\DaFdTAC.exe
  C:\Windows\System\DaFdTAC.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\joxlHnQ.exe
  C:\Windows\System\joxlHnQ.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\mMTmtJR.exe
  C:\Windows\System\mMTmtJR.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\DuuLiCb.exe
  C:\Windows\System\DuuLiCb.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\IFjQzCA.exe
  C:\Windows\System\IFjQzCA.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\zBLplrM.exe
  C:\Windows\System\zBLplrM.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\WRMwBwg.exe
  C:\Windows\System\WRMwBwg.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\Cszfwpm.exe
  C:\Windows\System\Cszfwpm.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\kDIoJSv.exe
  C:\Windows\System\kDIoJSv.exe
  2⤵
  - Executes dropped EXE
  PID:4176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\Cszfwpm.exe

Filesize
5.2MB

MD5
e3ad88eaad24bb50f87b0e003b578947

SHA1
a3823009036049b63b150b3093187654794c4adb

SHA256
f8dce65d4f077f0ddc700fee42ba1567a2695e8d13e67f97d4472c1b1fe94cae

SHA512
92eaf28b3860ba1ffe62558604a02a415da46409b0b0339aa4c8cede2d834fb6dab09dbaa4c0aa6cedcb9867e8e1d794749bdca52c8a56a1b6cd494c459dedd7

Download Submit
C:\Windows\System\DaFdTAC.exe

Filesize
5.2MB

MD5
58fca6b4590c199e709d41d3fbec3009

SHA1
10f8a974f91959ffe07f62908b7a9305b376c02f

SHA256
55eb2bbfefec7b54b3ad0223487e7a9f6d3e15ac5e5d95c8957abb6b0e12f4f0

SHA512
6c649b21010a3cd871843107c23f63ed12dacf7495e5200dc682c0cc985247bc073f7026dd353782b50863bc500ae316cfb690b0cd67aae09acb82e741049344

Download Submit
C:\Windows\System\DuuLiCb.exe

Filesize
5.2MB

MD5
55f7dc6d2fddc2be15641a6e031be184

SHA1
b6101ff40c22042e1ec74eb585ec792e9007f788

SHA256
392de498032ba62078647a5620d93351687ff550db3e2d6b170b952ec0a8e965

SHA512
2d7bd831cdc98e182e1a6815b952e304ea492b746a739e5ac88cdccec9028ba619bfc6e600154cc7d53e25132d5c9abdb10caa10a0bbbf45f47d065453c93749

Download Submit
C:\Windows\System\EouhEMG.exe

Filesize
5.2MB

MD5
716bbbba94591059f126a24403917c23

SHA1
03f3dad43f8420da2e91143831947fa38372f8dc

SHA256
929971e380b5ccb0f1439c05de6e897b5649563ff26fd1a98ef640a380ca3946

SHA512
e186d057c2e58089b6e0c87ed3f46608f43d0702fdaca85f222e907e427cec1fd9dc355e5a50e4f40ff8af0d1a362c2ad0889addb3d4a725f80e0a59a9d61d12

Download Submit
C:\Windows\System\IFjQzCA.exe

Filesize
5.2MB

MD5
0e14ba4c65dba7a70354c1bdfda8b83b

SHA1
d340745c0b1363c6a5be14cd8d50287d5c970493

SHA256
ce0b7b31b775d5e5950b592bfac428da127e7dd62402af29212f34393f1cecb0

SHA512
03609cfc433e23f882594a12463b58f03f5c8c20e218019938e2a66dfc97aef18edbbae24678dd564770c31cc82de87bb775e4269b2d9a52f1ed653c4eb97f22

Download Submit
C:\Windows\System\JfMinJy.exe

Filesize
5.2MB

MD5
26c81e0f499202066e6fb672b39285e9

SHA1
c613d39cfa405ac351e1502eee3a2ca5964982d7

SHA256
bf34c1df7d82f1e739c6f0e30ab82dbe4fd11c995b48c5bdc44b5d2fa747c9d6

SHA512
d8d4ae907191d16b614b968d6391cab6c784c3568ea2c9ec699830bb68e696dc60b1bfc961b3927e756218a09bf039030bea3bcc736e63cfa3258749062b6955

Download Submit
C:\Windows\System\LBdBDSG.exe

Filesize
5.2MB

MD5
0fdf37d43a768a7db1c7a2b9503e1665

SHA1
930dae2681d6ed97f93822882053f2726357297b

SHA256
bf2e015a899921c6571d52fb7ad5120e2aaff7f20622dcf89af381a5435c4b93

SHA512
286505ed72c6d87cce9e11e38e35cb351ecbe1c8d3019f118371071dd8ac2fbbc278b11dec9feee925b81109ed5b7c91ffe17f75f0b955fbd858f6216e484e60

Download Submit
C:\Windows\System\LNwpkJg.exe

Filesize
5.2MB

MD5
b65f39620ffffdc5091261fa6a0bf6bb

SHA1
2a8bdb026b755349f48372f50f0f168c9bac6984

SHA256
4323dd0722086de04626505e056feda9f8a2382b7c383ef6cf8c37f8f6405976

SHA512
b00544ec8d9f8b5aee6dd41f80df72ae40aacefb000f2558d1116eb0a38b35e458bf7500443abb96f806a18304d43f92a4d6143eb38bf6798f93f4896aa223cf

Download Submit
C:\Windows\System\TocTzlO.exe

Filesize
5.2MB

MD5
6f1161dd5cd1080d581ebdcd58d726cb

SHA1
313cc6000eea5404f96fe187fd0a12269b846663

SHA256
ee0c738ce7fde362bf5ce7637efbfa2fb2905c99d1a0a9dfb72d6990c2d32df2

SHA512
0f9ec8119d074f087843304add12678f90e06a53484683dde7b3a5bb76fa8f0a8d626ec8a3d56dca13056e72a6ef227d94f0c14835eb4f0d225a3c43e7fba642

Download Submit
C:\Windows\System\WRMwBwg.exe

Filesize
5.2MB

MD5
ebb0b327064178d1161bed25cd4a7874

SHA1
f9dc6d01d24bb958721267ba17ee673e3361710a

SHA256
73d1d6938eb7e8926ef7dbcd1024e7ada54e456dd704b5f2416ce6f9e28c714e

SHA512
097ad6c5678e93934775b11a7870779606e2fc1bb4146a734f67d96841ef4c3717a50730891b9a0c11b4f54ac12858decf3cc95dc80cd4a7b1c4f7ce2f338bf1

Download Submit
C:\Windows\System\XCpywQF.exe

Filesize
5.2MB

MD5
a066da33a6f168777c4f4739175b3a3c

SHA1
52702c93201e95cd85a20c0eb5fa9d75b702ab98

SHA256
05d7f9a4fd098cf670310a4585d75ce7a8e8dab67137a6ef3e846932e80e390c

SHA512
353b0e1987257b9d9728331205d00fb105e28babac6e0c38256a8224ff6d39caff7e04acfcf0877e5af1fd5973e1d306d1b3f2f729dfa5b6156be09719e6c5f5

Download Submit
C:\Windows\System\fnqMNWA.exe

Filesize
5.2MB

MD5
b58f6c6ddb70623bd3cdd92d880cc1da

SHA1
5b4ed6c62c152f009e09a6fe767d7036aa65bc8d

SHA256
6693a5eb06ca8c2693dd4441172438d9bc3cfe0fdec2e0a01c54bd5cee1535d4

SHA512
da886308719f78d6027cb5b0076ed1b127e53e0c2600667bc18d7c99f43852949f0109e0e8d750a30b404a8d3d4e5184a23856bdb57962824122c84af9d5d2c1

Download Submit
C:\Windows\System\iMRcoxS.exe

Filesize
5.2MB

MD5
aea3ff2da241a5681559cc661d04cc4a

SHA1
6939f9b42f30787f8a4d9dc9f8d86332609b059d

SHA256
871c908f7766775a97626038ed72b5662e5e1fbabe4bde88d19f5f65b57aae89

SHA512
dcd82e5082056648afd5f7e2d2ae6059b43e921747b1a05d15562e6e4808c87dff45f817b58b6fcf5f13d6631c5cd33ac5695820da7d5c5bbd4cc2f99c1682b4

Download Submit
C:\Windows\System\joxlHnQ.exe

Filesize
5.2MB

MD5
af3df19d1aadb6863143e5d27c0593e0

SHA1
0fbb36bbb1401897c6e89b09b6affa15a2b0de6c

SHA256
7133ccb2c7ad6c0341122df033d1e5e68b70cd1096e389f1ff06fd1406ca8578

SHA512
a810e7e010f75e1a1c6e0b6a72aa7ae939c5fc1bd515053df0412c0f6aeb1ed64ed74029f22b4c9818a3fba384be0ab041f5ae78e24d99e966f6d370230eb3cf

Download Submit
C:\Windows\System\kDIoJSv.exe

Filesize
5.2MB

MD5
e95729c2b30a5b621b36e15a82d41951

SHA1
dae09897082b0faff6e18cdac59bc06eb1c9b2e7

SHA256
ee542cbe83050b8de209f88055437fcf5da01a8022661bac87259cf967a8c6fb

SHA512
442a0ca2c96256346bd991bf27ffaa73569e4533572d8b7ba855edebdf5db5fe19c1d3588b71ac39c6bddc7796cddd5a4fdaf8adebc6bcc21f26f3e9ac83ca1c

Download Submit
C:\Windows\System\mMTmtJR.exe

Filesize
5.2MB

MD5
07b89c9bdfa9023191fcd050ec3817a3

SHA1
f8cbf25e31edecf30c36c7413d5645fac46e4ad4

SHA256
4bd2c233ba086f61e24ad1c3c0b3725339113d18c5927dc571f8fdb7053db7e3

SHA512
5b11945baefa025c999fe6c59127ea9dee01c3ec7648e51ffdad7823e16531a3e60d75fdc7630f487ef268e00a68201661b8826491b12cf7fea0b1d6dd92514f

Download Submit
C:\Windows\System\rUvMbqq.exe

Filesize
5.2MB

MD5
72abc622f60662f17bab4aad78f4f8f9

SHA1
03439ea01e2bb69eabd12f4a6f7182d89f0d9946

SHA256
3342b2b6aabe906caaeb04bfa9287aaa01f80a6aabaedc8dcffb4ea1f3d22817

SHA512
2a2456aeb41ffefb7358d7390cb2d3168e863e9aa07844ef4029e0beab046ee86303317ac8492248bb8c8fb4527a891e0c1e02b84651f7b2742c9bfbc29ee338

Download Submit
C:\Windows\System\rmjbcMv.exe

Filesize
5.2MB

MD5
47c7da3c107a169b15f8ed6de107ca7c

SHA1
6a2f9c8d3917edcc1a806e4815d0a90b52521fa2

SHA256
15fced2cd7e87dab3323216f05d3676cf1cd2cbd101e6b92146a18f991fe6fd8

SHA512
97339b098b360c51c4cd1f184689c7ea1ae595a043be71ab1a91d278c9cc69f87da65a93fe6e94f2b39b93ae40de0d11d8c25801ebf7b6dc3630d5c8c9dc1449

Download Submit
C:\Windows\System\tCfdNWX.exe

Filesize
5.2MB

MD5
1794e1f32d6ef8988c60e6b067fe2362

SHA1
d34b884238b355ee82bee95be2a913c319869260

SHA256
21183c9ff7db119d8dd8b044b087a5b2fc2d1890a64f22a9a58b3616186b4b8e

SHA512
956272496857736c87a5c399c96e8ca1d80fdf16538bec34e993cabed8b820e502e01decf74a10e39eaef1d96c0120d4147ed24d190f423d564bcb6cd4fc0ce2

Download Submit
C:\Windows\System\zBLplrM.exe

Filesize
5.2MB

MD5
99f076e591a0035083392cd8df9f09ec

SHA1
d532ed75f34398f06a8858e853fc0289794b1cbc

SHA256
1c2032d64c5a2068be1bba8fa501cc5b9a97614b6a470e6350dd8a578601796d

SHA512
dabfa2c15c7f9f4cc57a9ac2a9350d78611944da5e610823c961ddd0e7cb85859d24a38a325f36a48ccbedb1e7e7cb5b1cd92d0356249460046e8c2929fe14cd

Download Submit
C:\Windows\System\zdlbtgs.exe

Filesize
5.2MB

MD5
cee8bbe89f404a89a46a629ac0ba5e69

SHA1
ce92f28eb38c7466d69ea58d4a36d9282f2a3bed

SHA256
59240f99c59f46f604d83be33b1e3bcb50e48440553d29659c4574b66b9feedb

SHA512
36e3ab24ac4def8bb924a1ed0e3170583c73690648db5431bf25a2e21510233d37f4dd298d0ff8b01c5a9adee9e47095d1b219033ac796350cb987770d01983e

Download Submit
memory/368-74-0x00007FF67AD10000-0x00007FF67B061000-memory.dmp

Filesize
3.3MB

Download
memory/368-241-0x00007FF67AD10000-0x00007FF67B061000-memory.dmp

Filesize
3.3MB

Download
memory/756-93-0x00007FF727790000-0x00007FF727AE1000-memory.dmp

Filesize
3.3MB

Download
memory/756-153-0x00007FF727790000-0x00007FF727AE1000-memory.dmp

Filesize
3.3MB

Download
memory/756-251-0x00007FF727790000-0x00007FF727AE1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-135-0x00007FF7D20F0000-0x00007FF7D2441000-memory.dmp

Filesize
3.3MB

Download
memory/1384-81-0x00007FF7D20F0000-0x00007FF7D2441000-memory.dmp

Filesize
3.3MB

Download
memory/1384-249-0x00007FF7D20F0000-0x00007FF7D2441000-memory.dmp

Filesize
3.3MB

Download
memory/1388-248-0x00007FF62B530000-0x00007FF62B881000-memory.dmp

Filesize
3.3MB

Download
memory/1388-136-0x00007FF62B530000-0x00007FF62B881000-memory.dmp

Filesize
3.3MB

Download
memory/1388-75-0x00007FF62B530000-0x00007FF62B881000-memory.dmp

Filesize
3.3MB

Download
memory/1412-117-0x00007FF6BB840000-0x00007FF6BBB91000-memory.dmp

Filesize
3.3MB

Download
memory/1412-239-0x00007FF6BB840000-0x00007FF6BBB91000-memory.dmp

Filesize
3.3MB

Download
memory/1412-26-0x00007FF6BB840000-0x00007FF6BBB91000-memory.dmp

Filesize
3.3MB

Download
memory/1532-56-0x00007FF622060000-0x00007FF6223B1000-memory.dmp

Filesize
3.3MB

Download
memory/1532-238-0x00007FF622060000-0x00007FF6223B1000-memory.dmp

Filesize
3.3MB

Download
memory/1532-125-0x00007FF622060000-0x00007FF6223B1000-memory.dmp

Filesize
3.3MB

Download
memory/1556-243-0x00007FF685530000-0x00007FF685881000-memory.dmp

Filesize
3.3MB

Download
memory/1556-133-0x00007FF685530000-0x00007FF685881000-memory.dmp

Filesize
3.3MB

Download
memory/1556-61-0x00007FF685530000-0x00007FF685881000-memory.dmp

Filesize
3.3MB

Download
memory/1696-219-0x00007FF6D74B0000-0x00007FF6D7801000-memory.dmp

Filesize
3.3MB

Download
memory/1696-23-0x00007FF6D74B0000-0x00007FF6D7801000-memory.dmp

Filesize
3.3MB

Download
memory/1696-114-0x00007FF6D74B0000-0x00007FF6D7801000-memory.dmp

Filesize
3.3MB

Download
memory/1876-263-0x00007FF7C1740000-0x00007FF7C1A91000-memory.dmp

Filesize
3.3MB

Download
memory/1876-111-0x00007FF7C1740000-0x00007FF7C1A91000-memory.dmp

Filesize
3.3MB

Download
memory/1876-156-0x00007FF7C1740000-0x00007FF7C1A91000-memory.dmp

Filesize
3.3MB

Download
memory/1940-245-0x00007FF6B0E60000-0x00007FF6B11B1000-memory.dmp

Filesize
3.3MB

Download
memory/1940-96-0x00007FF6B0E60000-0x00007FF6B11B1000-memory.dmp

Filesize
3.3MB

Download
memory/1940-154-0x00007FF6B0E60000-0x00007FF6B11B1000-memory.dmp

Filesize
3.3MB

Download
memory/2212-89-0x00007FF7FE1E0000-0x00007FF7FE531000-memory.dmp

Filesize
3.3MB

Download
memory/2212-152-0x00007FF7FE1E0000-0x00007FF7FE531000-memory.dmp

Filesize
3.3MB

Download
memory/2212-253-0x00007FF7FE1E0000-0x00007FF7FE531000-memory.dmp

Filesize
3.3MB

Download
memory/2320-162-0x00007FF741E60000-0x00007FF7421B1000-memory.dmp

Filesize
3.3MB

Download
memory/2320-0-0x00007FF741E60000-0x00007FF7421B1000-memory.dmp

Filesize
3.3MB

Download
memory/2320-137-0x00007FF741E60000-0x00007FF7421B1000-memory.dmp

Filesize
3.3MB

Download
memory/2320-1-0x0000024DB19E0000-0x0000024DB19F0000-memory.dmp

Filesize
64KB

Download
memory/2320-108-0x00007FF741E60000-0x00007FF7421B1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-37-0x00007FF710260000-0x00007FF7105B1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-123-0x00007FF710260000-0x00007FF7105B1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-223-0x00007FF710260000-0x00007FF7105B1000-memory.dmp

Filesize
3.3MB

Download
memory/2680-70-0x00007FF7DD6B0000-0x00007FF7DDA01000-memory.dmp

Filesize
3.3MB

Download
memory/2680-236-0x00007FF7DD6B0000-0x00007FF7DDA01000-memory.dmp

Filesize
3.3MB

Download
memory/2832-222-0x00007FF752790000-0x00007FF752AE1000-memory.dmp

Filesize
3.3MB

Download
memory/2832-49-0x00007FF752790000-0x00007FF752AE1000-memory.dmp

Filesize
3.3MB

Download
memory/3540-69-0x00007FF67E570000-0x00007FF67E8C1000-memory.dmp

Filesize
3.3MB

Download
memory/3540-233-0x00007FF67E570000-0x00007FF67E8C1000-memory.dmp

Filesize
3.3MB

Download
memory/4176-134-0x00007FF625840000-0x00007FF625B91000-memory.dmp

Filesize
3.3MB

Download
memory/4176-270-0x00007FF625840000-0x00007FF625B91000-memory.dmp

Filesize
3.3MB

Download
memory/4304-132-0x00007FF6D0000000-0x00007FF6D0351000-memory.dmp

Filesize
3.3MB

Download
memory/4304-269-0x00007FF6D0000000-0x00007FF6D0351000-memory.dmp

Filesize
3.3MB

Download
memory/4504-120-0x00007FF7B4670000-0x00007FF7B49C1000-memory.dmp

Filesize
3.3MB

Download
memory/4504-157-0x00007FF7B4670000-0x00007FF7B49C1000-memory.dmp

Filesize
3.3MB

Download
memory/4504-265-0x00007FF7B4670000-0x00007FF7B49C1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-155-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp

Filesize
3.3MB

Download
memory/4624-261-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp

Filesize
3.3MB

Download
memory/4624-102-0x00007FF771AB0000-0x00007FF771E01000-memory.dmp

Filesize
3.3MB

Download
memory/4724-217-0x00007FF7285B0000-0x00007FF728901000-memory.dmp

Filesize
3.3MB

Download
memory/4724-8-0x00007FF7285B0000-0x00007FF728901000-memory.dmp

Filesize
3.3MB

Download
memory/4724-113-0x00007FF7285B0000-0x00007FF728901000-memory.dmp

Filesize
3.3MB

Download
memory/5008-147-0x00007FF60DDE0000-0x00007FF60E131000-memory.dmp

Filesize
3.3MB

Download
memory/5008-88-0x00007FF60DDE0000-0x00007FF60E131000-memory.dmp

Filesize
3.3MB

Download
memory/5008-255-0x00007FF60DDE0000-0x00007FF60E131000-memory.dmp

Filesize
3.3MB

Download