cobaltstrike | 1676ced20f9fa3e3a9a35af56d26055344cf81d5ce586a38eca931972562e1eb

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4a15e1781481dc27c90ed37d8df4b393
SHA1

a5345306f572153395e1b4072ff1b0912658c130
SHA256

1676ced20f9fa3e3a9a35af56d26055344cf81d5ce586a38eca931972562e1eb
SHA512

4fe2dc57a8f74e6742511455718d1496b062f150e1fd939b6546401ec46c22e6ee421e513af190f4729ee7e2cbceabb92fbc7848adb7f6edc8b7cfc89e2e3237
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lR:RWWBibf56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023c71-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c79-7.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7a-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7b-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7e-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c85-91.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c75-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c86-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c82-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c81-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7f-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7d-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7c-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-19.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1368-133-0x00007FF6B85F0000-0x00007FF6B8941000-memory.dmp	xmrig
behavioral2/memory/1944-132-0x00007FF695E40000-0x00007FF696191000-memory.dmp	xmrig
behavioral2/memory/3192-131-0x00007FF70DAB0000-0x00007FF70DE01000-memory.dmp	xmrig
behavioral2/memory/2272-122-0x00007FF7406C0000-0x00007FF740A11000-memory.dmp	xmrig
behavioral2/memory/4728-109-0x00007FF6338C0000-0x00007FF633C11000-memory.dmp	xmrig
behavioral2/memory/1708-104-0x00007FF63D280000-0x00007FF63D5D1000-memory.dmp	xmrig
behavioral2/memory/4752-94-0x00007FF69F550000-0x00007FF69F8A1000-memory.dmp	xmrig
behavioral2/memory/5032-93-0x00007FF73C680000-0x00007FF73C9D1000-memory.dmp	xmrig
behavioral2/memory/816-140-0x00007FF7CABB0000-0x00007FF7CAF01000-memory.dmp	xmrig
behavioral2/memory/2072-143-0x00007FF76A970000-0x00007FF76ACC1000-memory.dmp	xmrig
behavioral2/memory/2984-142-0x00007FF768050000-0x00007FF7683A1000-memory.dmp	xmrig
behavioral2/memory/5032-134-0x00007FF73C680000-0x00007FF73C9D1000-memory.dmp	xmrig
behavioral2/memory/1708-151-0x00007FF63D280000-0x00007FF63D5D1000-memory.dmp	xmrig
behavioral2/memory/396-153-0x00007FF64BBE0000-0x00007FF64BF31000-memory.dmp	xmrig
behavioral2/memory/2716-154-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp	xmrig
behavioral2/memory/1416-152-0x00007FF7779C0000-0x00007FF777D11000-memory.dmp	xmrig
behavioral2/memory/3720-150-0x00007FF670460000-0x00007FF6707B1000-memory.dmp	xmrig
behavioral2/memory/416-148-0x00007FF6A2600000-0x00007FF6A2951000-memory.dmp	xmrig
behavioral2/memory/4612-147-0x00007FF7C3EB0000-0x00007FF7C4201000-memory.dmp	xmrig
behavioral2/memory/1592-149-0x00007FF7CB2F0000-0x00007FF7CB641000-memory.dmp	xmrig
behavioral2/memory/3020-145-0x00007FF6B8CC0000-0x00007FF6B9011000-memory.dmp	xmrig
behavioral2/memory/2572-144-0x00007FF6B71C0000-0x00007FF6B7511000-memory.dmp	xmrig
behavioral2/memory/1952-156-0x00007FF7276E0000-0x00007FF727A31000-memory.dmp	xmrig
behavioral2/memory/2820-155-0x00007FF709C30000-0x00007FF709F81000-memory.dmp	xmrig
behavioral2/memory/5032-158-0x00007FF73C680000-0x00007FF73C9D1000-memory.dmp	xmrig
behavioral2/memory/4752-217-0x00007FF69F550000-0x00007FF69F8A1000-memory.dmp	xmrig
behavioral2/memory/2272-221-0x00007FF7406C0000-0x00007FF740A11000-memory.dmp	xmrig
behavioral2/memory/1368-225-0x00007FF6B85F0000-0x00007FF6B8941000-memory.dmp	xmrig
behavioral2/memory/1944-223-0x00007FF695E40000-0x00007FF696191000-memory.dmp	xmrig
behavioral2/memory/4728-219-0x00007FF6338C0000-0x00007FF633C11000-memory.dmp	xmrig
behavioral2/memory/816-227-0x00007FF7CABB0000-0x00007FF7CAF01000-memory.dmp	xmrig
behavioral2/memory/2072-229-0x00007FF76A970000-0x00007FF76ACC1000-memory.dmp	xmrig
behavioral2/memory/2984-231-0x00007FF768050000-0x00007FF7683A1000-memory.dmp	xmrig
behavioral2/memory/3020-235-0x00007FF6B8CC0000-0x00007FF6B9011000-memory.dmp	xmrig
behavioral2/memory/2716-237-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp	xmrig
behavioral2/memory/4612-239-0x00007FF7C3EB0000-0x00007FF7C4201000-memory.dmp	xmrig
behavioral2/memory/416-241-0x00007FF6A2600000-0x00007FF6A2951000-memory.dmp	xmrig
behavioral2/memory/2572-234-0x00007FF6B71C0000-0x00007FF6B7511000-memory.dmp	xmrig
behavioral2/memory/1708-255-0x00007FF63D280000-0x00007FF63D5D1000-memory.dmp	xmrig
behavioral2/memory/1416-257-0x00007FF7779C0000-0x00007FF777D11000-memory.dmp	xmrig
behavioral2/memory/3720-253-0x00007FF670460000-0x00007FF6707B1000-memory.dmp	xmrig
behavioral2/memory/396-259-0x00007FF64BBE0000-0x00007FF64BF31000-memory.dmp	xmrig
behavioral2/memory/1592-251-0x00007FF7CB2F0000-0x00007FF7CB641000-memory.dmp	xmrig
behavioral2/memory/1952-264-0x00007FF7276E0000-0x00007FF727A31000-memory.dmp	xmrig
behavioral2/memory/3192-265-0x00007FF70DAB0000-0x00007FF70DE01000-memory.dmp	xmrig
behavioral2/memory/2820-261-0x00007FF709C30000-0x00007FF709F81000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4752	oOQXKai.exe
4728	NgFkLtJ.exe
2272	ajMrJMz.exe
1944	qJngjiw.exe
1368	atlRdAi.exe
816	AtdoADb.exe
2072	rpIJqcg.exe
2984	WlDhWyF.exe
2572	BkrdthN.exe
3020	wWOGFuo.exe
2716	SFeWNzR.exe
4612	eNdurhv.exe
416	wPDKSYl.exe
1592	feLTiFd.exe
3720	UbAszCC.exe
1708	vfggHSG.exe
1416	DnkBFEN.exe
396	YVwjfDb.exe
2820	BTjLKpA.exe
1952	EbSiyDy.exe
3192	LVGCrSD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5032-0-0x00007FF73C680000-0x00007FF73C9D1000-memory.dmp	upx
behavioral2/files/0x000b000000023c71-5.dat	upx
behavioral2/files/0x0007000000023c79-7.dat	upx
behavioral2/files/0x0007000000023c7a-23.dat	upx
behavioral2/files/0x0007000000023c7b-24.dat	upx
behavioral2/files/0x0007000000023c7e-44.dat	upx
behavioral2/memory/816-41-0x00007FF7CABB0000-0x00007FF7CAF01000-memory.dmp	upx
behavioral2/memory/2716-64-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp	upx
behavioral2/memory/2572-73-0x00007FF6B71C0000-0x00007FF6B7511000-memory.dmp	upx
behavioral2/files/0x0007000000023c83-79.dat	upx
behavioral2/files/0x0007000000023c85-91.dat	upx
behavioral2/files/0x0008000000023c75-99.dat	upx
behavioral2/memory/1416-108-0x00007FF7779C0000-0x00007FF777D11000-memory.dmp	upx
behavioral2/memory/2820-123-0x00007FF709C30000-0x00007FF709F81000-memory.dmp	upx
behavioral2/memory/1368-133-0x00007FF6B85F0000-0x00007FF6B8941000-memory.dmp	upx
behavioral2/memory/1944-132-0x00007FF695E40000-0x00007FF696191000-memory.dmp	upx
behavioral2/memory/3192-131-0x00007FF70DAB0000-0x00007FF70DE01000-memory.dmp	upx
behavioral2/files/0x0007000000023c8a-129.dat	upx
behavioral2/files/0x0007000000023c89-127.dat	upx
behavioral2/files/0x0007000000023c88-125.dat	upx
behavioral2/memory/1952-124-0x00007FF7276E0000-0x00007FF727A31000-memory.dmp	upx
behavioral2/memory/2272-122-0x00007FF7406C0000-0x00007FF740A11000-memory.dmp	upx
behavioral2/files/0x0007000000023c87-112.dat	upx
behavioral2/memory/396-111-0x00007FF64BBE0000-0x00007FF64BF31000-memory.dmp	upx
behavioral2/memory/4728-109-0x00007FF6338C0000-0x00007FF633C11000-memory.dmp	upx
behavioral2/memory/1708-104-0x00007FF63D280000-0x00007FF63D5D1000-memory.dmp	upx
behavioral2/files/0x0007000000023c86-102.dat	upx
behavioral2/memory/3720-96-0x00007FF670460000-0x00007FF6707B1000-memory.dmp	upx
behavioral2/memory/1592-95-0x00007FF7CB2F0000-0x00007FF7CB641000-memory.dmp	upx
behavioral2/memory/4752-94-0x00007FF69F550000-0x00007FF69F8A1000-memory.dmp	upx
behavioral2/memory/5032-93-0x00007FF73C680000-0x00007FF73C9D1000-memory.dmp	upx
behavioral2/files/0x0007000000023c84-89.dat	upx
behavioral2/memory/416-78-0x00007FF6A2600000-0x00007FF6A2951000-memory.dmp	upx
behavioral2/files/0x0007000000023c82-75.dat	upx
behavioral2/memory/4612-74-0x00007FF7C3EB0000-0x00007FF7C4201000-memory.dmp	upx
behavioral2/files/0x0007000000023c81-69.dat	upx
behavioral2/files/0x0007000000023c80-66.dat	upx
behavioral2/files/0x0007000000023c7f-65.dat	upx
behavioral2/memory/3020-60-0x00007FF6B8CC0000-0x00007FF6B9011000-memory.dmp	upx
behavioral2/memory/2984-59-0x00007FF768050000-0x00007FF7683A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c7d-53.dat	upx
behavioral2/memory/2072-49-0x00007FF76A970000-0x00007FF76ACC1000-memory.dmp	upx
behavioral2/files/0x0007000000023c7c-45.dat	upx
behavioral2/memory/1368-28-0x00007FF6B85F0000-0x00007FF6B8941000-memory.dmp	upx
behavioral2/memory/1944-27-0x00007FF695E40000-0x00007FF696191000-memory.dmp	upx
behavioral2/memory/2272-21-0x00007FF7406C0000-0x00007FF740A11000-memory.dmp	upx
behavioral2/files/0x0007000000023c78-19.dat	upx
behavioral2/memory/4728-17-0x00007FF6338C0000-0x00007FF633C11000-memory.dmp	upx
behavioral2/memory/4752-8-0x00007FF69F550000-0x00007FF69F8A1000-memory.dmp	upx
behavioral2/memory/816-140-0x00007FF7CABB0000-0x00007FF7CAF01000-memory.dmp	upx
behavioral2/memory/2072-143-0x00007FF76A970000-0x00007FF76ACC1000-memory.dmp	upx
behavioral2/memory/2984-142-0x00007FF768050000-0x00007FF7683A1000-memory.dmp	upx
behavioral2/memory/5032-134-0x00007FF73C680000-0x00007FF73C9D1000-memory.dmp	upx
behavioral2/memory/1708-151-0x00007FF63D280000-0x00007FF63D5D1000-memory.dmp	upx
behavioral2/memory/396-153-0x00007FF64BBE0000-0x00007FF64BF31000-memory.dmp	upx
behavioral2/memory/2716-154-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp	upx
behavioral2/memory/1416-152-0x00007FF7779C0000-0x00007FF777D11000-memory.dmp	upx
behavioral2/memory/3720-150-0x00007FF670460000-0x00007FF6707B1000-memory.dmp	upx
behavioral2/memory/416-148-0x00007FF6A2600000-0x00007FF6A2951000-memory.dmp	upx
behavioral2/memory/4612-147-0x00007FF7C3EB0000-0x00007FF7C4201000-memory.dmp	upx
behavioral2/memory/1592-149-0x00007FF7CB2F0000-0x00007FF7CB641000-memory.dmp	upx
behavioral2/memory/3020-145-0x00007FF6B8CC0000-0x00007FF6B9011000-memory.dmp	upx
behavioral2/memory/2572-144-0x00007FF6B71C0000-0x00007FF6B7511000-memory.dmp	upx
behavioral2/memory/1952-156-0x00007FF7276E0000-0x00007FF727A31000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\EbSiyDy.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AtdoADb.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wWOGFuo.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\feLTiFd.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BTjLKpA.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SFeWNzR.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wPDKSYl.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vfggHSG.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DnkBFEN.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ajMrJMz.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qJngjiw.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rpIJqcg.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WlDhWyF.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LVGCrSD.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oOQXKai.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UbAszCC.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YVwjfDb.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NgFkLtJ.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\atlRdAi.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BkrdthN.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eNdurhv.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 4752	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5032 wrote to memory of 4752	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5032 wrote to memory of 4728	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5032 wrote to memory of 4728	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5032 wrote to memory of 2272	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5032 wrote to memory of 2272	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5032 wrote to memory of 1944	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5032 wrote to memory of 1944	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5032 wrote to memory of 1368	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5032 wrote to memory of 1368	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5032 wrote to memory of 816	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5032 wrote to memory of 816	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5032 wrote to memory of 2072	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5032 wrote to memory of 2072	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5032 wrote to memory of 2984	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5032 wrote to memory of 2984	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5032 wrote to memory of 2572	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5032 wrote to memory of 2572	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5032 wrote to memory of 3020	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5032 wrote to memory of 3020	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5032 wrote to memory of 2716	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5032 wrote to memory of 2716	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5032 wrote to memory of 4612	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5032 wrote to memory of 4612	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5032 wrote to memory of 416	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5032 wrote to memory of 416	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5032 wrote to memory of 1592	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5032 wrote to memory of 1592	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5032 wrote to memory of 3720	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5032 wrote to memory of 3720	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5032 wrote to memory of 1708	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5032 wrote to memory of 1708	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5032 wrote to memory of 1416	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5032 wrote to memory of 1416	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5032 wrote to memory of 396	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5032 wrote to memory of 396	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5032 wrote to memory of 2820	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5032 wrote to memory of 2820	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5032 wrote to memory of 1952	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 5032 wrote to memory of 1952	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 5032 wrote to memory of 3192	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 5032 wrote to memory of 3192	5032	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\System\oOQXKai.exe
  C:\Windows\System\oOQXKai.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\NgFkLtJ.exe
  C:\Windows\System\NgFkLtJ.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\ajMrJMz.exe
  C:\Windows\System\ajMrJMz.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\qJngjiw.exe
  C:\Windows\System\qJngjiw.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\atlRdAi.exe
  C:\Windows\System\atlRdAi.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\AtdoADb.exe
  C:\Windows\System\AtdoADb.exe
  2⤵
  - Executes dropped EXE
  PID:816
- C:\Windows\System\rpIJqcg.exe
  C:\Windows\System\rpIJqcg.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\WlDhWyF.exe
  C:\Windows\System\WlDhWyF.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\BkrdthN.exe
  C:\Windows\System\BkrdthN.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\wWOGFuo.exe
  C:\Windows\System\wWOGFuo.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\SFeWNzR.exe
  C:\Windows\System\SFeWNzR.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\eNdurhv.exe
  C:\Windows\System\eNdurhv.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\wPDKSYl.exe
  C:\Windows\System\wPDKSYl.exe
  2⤵
  - Executes dropped EXE
  PID:416
- C:\Windows\System\feLTiFd.exe
  C:\Windows\System\feLTiFd.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System\UbAszCC.exe
  C:\Windows\System\UbAszCC.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System\vfggHSG.exe
  C:\Windows\System\vfggHSG.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\DnkBFEN.exe
  C:\Windows\System\DnkBFEN.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System\YVwjfDb.exe
  C:\Windows\System\YVwjfDb.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\BTjLKpA.exe
  C:\Windows\System\BTjLKpA.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\EbSiyDy.exe
  C:\Windows\System\EbSiyDy.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\LVGCrSD.exe
  C:\Windows\System\LVGCrSD.exe
  2⤵
  - Executes dropped EXE
  PID:3192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AtdoADb.exe

Filesize
5.2MB

MD5
b2b8e5f645b07f381c2454cb14b62c80

SHA1
ab4cad8733972cc0a323a1bd172505e320ae1b56

SHA256
6c48dd6da85c77b5dbd16588d083ee61b5ec8db79530474fe7c8ef0378042e40

SHA512
cd29a76001bfe18eb43a179249f35f8f19bf47155f14429afac508889f90e1ae8659d9e345213dff6ab13b126d2aed645a77f0190eaa0ce9d5730649febaf4fe

Download Submit
C:\Windows\System\BTjLKpA.exe

Filesize
5.2MB

MD5
7c0df8e22631fbe8f37edf6eb40260a7

SHA1
27d03f5a9b0da48b3ac8d23742cea1e2f3e3555c

SHA256
6e2e010efcf4e73260827348c227f847a9aa45de7688de753bd0a2c084b9a2b0

SHA512
9c64a09a1404b521a9920e9f30c590ad3851696eca2e9efe0a015b11d9ba36ec1b219b376bb062adeae347a0f922ec950b1977a7db573f8494d246e8c115f826

Download Submit
C:\Windows\System\BkrdthN.exe

Filesize
5.2MB

MD5
1c8b898bd5cb2d46a514dd9c6688ac08

SHA1
55cf97480f8fdaefb2f5f427f3c6bcf2dfbd203b

SHA256
f549553c12f8809b0ef92933eb11b8f94675ee0c03242eb2cb310ef3d9542dea

SHA512
b3f2b397f85edc221d429a567e051d9cf98d2dbba6fb88a7472105f4e9e717ef654b81bcc44554a4da2b2f5896daee74022fd84449e9bcc4858ea8e0962bb8e0

Download Submit
C:\Windows\System\DnkBFEN.exe

Filesize
5.2MB

MD5
1fb265ea10b6759185d7f3002d42b95c

SHA1
d8613004d54204c1dc335d8a4dec6d815ec314d6

SHA256
89cb109b202b88c2f459a1b9805e63363bc49a22a4b05378183dbc840fd8f53c

SHA512
e68c9592f1c0105d59f6160762f977f917f2bd2b9fb04c5ac7ea91ddb8bcf5d076b6892eedd38bc439215e715dbf9415a8155b965b11ea15982c6b87d79ee114

Download Submit
C:\Windows\System\EbSiyDy.exe

Filesize
5.2MB

MD5
c0afe9c839e255f1ea1c3c4135d27dc3

SHA1
18a39272bdf5145170dbc506577b87dce6ae1df5

SHA256
e21157acc04cbad421ee7342c31209c40ffd42cfe9770e7295c868e18a111d95

SHA512
c593687ac6ff52659e3e4fe47fef9a84ef807a56f83797cf5c3ba5297089e69d2f50dd1cadf236b48261f575278a1295855aba7402bdc7c3201fa314ba1bfff0

Download Submit
C:\Windows\System\LVGCrSD.exe

Filesize
5.2MB

MD5
4eef3a6617b159ee0a376e17933f2bbe

SHA1
e8852b1df7686924ccf3dd8e281b68565cd1ab61

SHA256
360814bfaeee0e2a02a33e4ec218a4ca5c8adae874c323e19d5b1240820c5e91

SHA512
bc851231e46132e00e113a9138aebf1abbb730c6d16db645bd62be9223d1eeecea4d6767a1b92e2b685f0b90ea76184046ed7560d7dbb499d34cc89b5a653f1e

Download Submit
C:\Windows\System\NgFkLtJ.exe

Filesize
5.2MB

MD5
5ec640de762c8c30387b7438790eba76

SHA1
38f4da8052fd5e7da026d41f10dc76e838277f64

SHA256
0ec8730b7a2355a9003d66ec8991bfbfbb200ddfdd4e7cd1a85d12177d510e2c

SHA512
44fa5afe4fd9f6e8d03fcaf254d1d20bb9a4c9861197e71d4d031bb7b04efba7e316ce41b062bc1e67e37b337b97c80fabbbabf9a8c960a7b50cbc5895f089da

Download Submit
C:\Windows\System\SFeWNzR.exe

Filesize
5.2MB

MD5
f8ccabfebc720a971787315dfa7b8731

SHA1
456f1e99857e7c03685bbca5361824fb8a0ff4d4

SHA256
b716273a8e3af6b44480227f513ff75dbcb9a744e4a62e72baa430f255ad54e0

SHA512
ed5bbc6df56097484d67bb800d9fedc434cb1be509ff4ac7474e5188e175a5eec5f156f974312dad045544aa9b0918d28c630b34a9296dc9258a50734258ef4c

Download Submit
C:\Windows\System\UbAszCC.exe

Filesize
5.2MB

MD5
4d35d00613b466763a1c897c78539022

SHA1
cceb9396d34651f9d1b04c40593e88ce4bf9b3b7

SHA256
20bc5b14271ba526fca6f53f138ed74ebda040dbc65c3b9620f4da9a447dfc9f

SHA512
2a5008898a53d14c7bbda1169a9e9b2a7179874d1a18014f7e42b596baadbbf0d093ccce038d0fdd527829191acc547df1bb698ee599f2d59575c0621f49a9f2

Download Submit
C:\Windows\System\WlDhWyF.exe

Filesize
5.2MB

MD5
34b0a690888b17b818824ff1e2b303bb

SHA1
012c756e0b383a0fd6bfc4a1034a9338b6e4e3e5

SHA256
1470f58037ecab8734b028bdbbd9e7b5a0a9155a5eb6194998f520eb258618e3

SHA512
89bbf5aae46d113af5c1abbdcdb61be4bbb0a76e7c44ebb829b6d1b7ed75d9f3d03c95edd36d174b5982b309d6058abfb764bdebfc2f4576427fe1c6e18d6455

Download Submit
C:\Windows\System\YVwjfDb.exe

Filesize
5.2MB

MD5
2a377a577de6d3155932f32d839aa24d

SHA1
271ca849751041db4eff053383c267face77443f

SHA256
fba4ea441958c2aa79525af281e02f7722c1d6db5eb44f7525467034a8c9f3b5

SHA512
fae92d2ac554dc63501c9e7ff544ccf21218aa8ee91cef4aac8184023c8d5ecfbcf736e1f85d530d2ff5e944b78a2b6359b2f574f3ac90e1b4d27ecafcbaa087

Download Submit
C:\Windows\System\ajMrJMz.exe

Filesize
5.2MB

MD5
a279db185f1d856c9dadde82800a012e

SHA1
602aa7e937a725dfb9cc2363eb899a40fb74237a

SHA256
37fc6bb4d0c531f0290e637feb6f3aa6cd9a06a1607f6c2cf3b0766ecbd6daff

SHA512
68b862ea6d7dfadddb49caa31b011b751cd1f9b2c56080cf96f1c243a2049274c77b0be9a840589b6c6c57b3357f63595ed2692b68fe2dab306cd430c8dd40c5

Download Submit
C:\Windows\System\atlRdAi.exe

Filesize
5.2MB

MD5
e77ecda2b6cd10ceb66c047ef66b354c

SHA1
03aa828be7b4a859376ed5a86daa7faa69547dfe

SHA256
cc712d064c066c91f5a0eff8f96b1eb864aea3c3095bb033597d5445c9c8adfb

SHA512
06eb2d5ed86bed8577bf5dd2cecd3a063af9dbab1258aa9427dc328a822965203930cc0b89dcf8e268fa018f5a036f5d4ad8e3b72e60e9b5ab5a44ff8bf70d8a

Download Submit
C:\Windows\System\eNdurhv.exe

Filesize
5.2MB

MD5
226a85182e21aa90288659b2de48c34a

SHA1
9ea069a271723e4f6583ce2873d8eb67e4aedf60

SHA256
2cf493e8bc4d388d63f30c535fa0b7b7835abb594a1655e1df6a375793f46a0b

SHA512
9778a985eaf05afdb582ea3550862b5743a733b8e76afafb47f8751bff950ac709eba7dd3a4ac8a3ae91bcb784c8bc2292397daa680e8e08c3091f2620cd2a93

Download Submit
C:\Windows\System\feLTiFd.exe

Filesize
5.2MB

MD5
59150ffc7b1ccef86fc96def341f09ec

SHA1
d73f5fa932cf1f92f9f0c0bb4a821ba52da245ae

SHA256
8ae44ef29fed4a79d5f89d9cc609e533aebf0084b1ebe875e82da31593a4cdac

SHA512
fb31aa0b44a4bc959fc935fb08cc953f1e065f345f880c78401676604cf3e29bf95655c5bd96b8b422b378cc9bbde53cde6a5d14bb74c82f8b67dd560b5a6b61

Download Submit
C:\Windows\System\oOQXKai.exe

Filesize
5.2MB

MD5
7f12fb43e8faa8d5126042e8bb62c6a3

SHA1
6456061ac1843ba8fbf8685da3977eecdc130dd6

SHA256
67d8249567f8dabc495ad5cbce47be6219898ddfd482b8d19be24b4d539622fa

SHA512
a41e18dbedb601a75f334d017b1513f91c1e344f83ebd284fc5d458a3e4a960b07a7200751bec3494b87e479c5ebed59aa2ae6580f47713bde57890a55f35fd7

Download Submit
C:\Windows\System\qJngjiw.exe

Filesize
5.2MB

MD5
fc1f20c8763e02fc15299ba0d74a3ed4

SHA1
36307d04ea0dbd7584b83aae9ea070f7c4906cb2

SHA256
5524780d64efb89a11d86bb7722b197a486dee5b5fccbd4235d8abeae9cb7088

SHA512
b62b357c3ae7afd03d85971918fd7b5fd020f4751d4b4354b91b58273fbbfd8159c18a6b6f0546ff6e1a5d21a002f0a1e70815ad5094055e2d65e0f2b96625d3

Download Submit
C:\Windows\System\rpIJqcg.exe

Filesize
5.2MB

MD5
9e01115b6c659f439206de5dd9ec1994

SHA1
f3c0ba0ca0c22eb213a079365f0e5395a8b9d300

SHA256
442b43ca340429096a531a75bd4d09ab52b3bdea7b17444e80761ccb00d91f0a

SHA512
c7ba7f61ec0389f63eaf1226eacd4a316594672f180a446fdf032fd28c9954cbe3531b50cf0c88a805fb91366acfa5f0347fd75316bd7346dd3ef488c856773e

Download Submit
C:\Windows\System\vfggHSG.exe

Filesize
5.2MB

MD5
ee2782c8fc44f8967734f13ff9a0621b

SHA1
e5a20e54fe6fd703b6ae9d21e006952ca128e553

SHA256
4602e3b1647c59a0e448c0cf40df974e32098276f6fee81a8fe0421b49cb3526

SHA512
3a38546dffb4fe798224126b64f66e96c91b36c3c2a73f7964087d1d302cd1c73d3033c3f9ee1e1d5aec4d6449eb79aa581074d2d3e378c7d7547d333705dff3

Download Submit
C:\Windows\System\wPDKSYl.exe

Filesize
5.2MB

MD5
a4af93874514ec025fd9db71e0225a49

SHA1
1c493d7be597200bf7f45bc166bec1fb4052a878

SHA256
f4529e1441e7040a0cf0476718eff3c7c3f08cf8456fc9face2201ed7aaa6f3c

SHA512
337b8644e3d185b9b606a5110d305a240d7b4e4a7080bb14e37ee1a44bdc505d5f49e4cd6d7a25e3599c775efa5050c6036d11a56ca3a6bfdeb9414ed1d46488

Download Submit
C:\Windows\System\wWOGFuo.exe

Filesize
5.2MB

MD5
9f97ce5d7e3d830b572b8ab30d932e0b

SHA1
1d9e67a161258a2757d03e3fde0742961ebf96d2

SHA256
cf71c87e480d4385e5d2a07a682d718410d3eecd31ed4bc0aa55a258d9346d4e

SHA512
58353f4961540d993df2281d9c4d31a87118e3813a1df1ffa9cac50735e83234b93148c54c2a8e1db2e45a9645ec7c0eec1fafc6ba6d01e65e0a4dd0843166c9

Download Submit
memory/396-259-0x00007FF64BBE0000-0x00007FF64BF31000-memory.dmp

Filesize
3.3MB

Download
memory/396-111-0x00007FF64BBE0000-0x00007FF64BF31000-memory.dmp

Filesize
3.3MB

Download
memory/396-153-0x00007FF64BBE0000-0x00007FF64BF31000-memory.dmp

Filesize
3.3MB

Download
memory/416-78-0x00007FF6A2600000-0x00007FF6A2951000-memory.dmp

Filesize
3.3MB

Download
memory/416-148-0x00007FF6A2600000-0x00007FF6A2951000-memory.dmp

Filesize
3.3MB

Download
memory/416-241-0x00007FF6A2600000-0x00007FF6A2951000-memory.dmp

Filesize
3.3MB

Download
memory/816-140-0x00007FF7CABB0000-0x00007FF7CAF01000-memory.dmp

Filesize
3.3MB

Download
memory/816-227-0x00007FF7CABB0000-0x00007FF7CAF01000-memory.dmp

Filesize
3.3MB

Download
memory/816-41-0x00007FF7CABB0000-0x00007FF7CAF01000-memory.dmp

Filesize
3.3MB

Download
memory/1368-133-0x00007FF6B85F0000-0x00007FF6B8941000-memory.dmp

Filesize
3.3MB

Download
memory/1368-225-0x00007FF6B85F0000-0x00007FF6B8941000-memory.dmp

Filesize
3.3MB

Download
memory/1368-28-0x00007FF6B85F0000-0x00007FF6B8941000-memory.dmp

Filesize
3.3MB

Download
memory/1416-152-0x00007FF7779C0000-0x00007FF777D11000-memory.dmp

Filesize
3.3MB

Download
memory/1416-257-0x00007FF7779C0000-0x00007FF777D11000-memory.dmp

Filesize
3.3MB

Download
memory/1416-108-0x00007FF7779C0000-0x00007FF777D11000-memory.dmp

Filesize
3.3MB

Download
memory/1592-251-0x00007FF7CB2F0000-0x00007FF7CB641000-memory.dmp

Filesize
3.3MB

Download
memory/1592-95-0x00007FF7CB2F0000-0x00007FF7CB641000-memory.dmp

Filesize
3.3MB

Download
memory/1592-149-0x00007FF7CB2F0000-0x00007FF7CB641000-memory.dmp

Filesize
3.3MB

Download
memory/1708-104-0x00007FF63D280000-0x00007FF63D5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-151-0x00007FF63D280000-0x00007FF63D5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-255-0x00007FF63D280000-0x00007FF63D5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1944-132-0x00007FF695E40000-0x00007FF696191000-memory.dmp

Filesize
3.3MB

Download
memory/1944-27-0x00007FF695E40000-0x00007FF696191000-memory.dmp

Filesize
3.3MB

Download
memory/1944-223-0x00007FF695E40000-0x00007FF696191000-memory.dmp

Filesize
3.3MB

Download
memory/1952-124-0x00007FF7276E0000-0x00007FF727A31000-memory.dmp

Filesize
3.3MB

Download
memory/1952-264-0x00007FF7276E0000-0x00007FF727A31000-memory.dmp

Filesize
3.3MB

Download
memory/1952-156-0x00007FF7276E0000-0x00007FF727A31000-memory.dmp

Filesize
3.3MB

Download
memory/2072-49-0x00007FF76A970000-0x00007FF76ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/2072-143-0x00007FF76A970000-0x00007FF76ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/2072-229-0x00007FF76A970000-0x00007FF76ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-21-0x00007FF7406C0000-0x00007FF740A11000-memory.dmp

Filesize
3.3MB

Download
memory/2272-122-0x00007FF7406C0000-0x00007FF740A11000-memory.dmp

Filesize
3.3MB

Download
memory/2272-221-0x00007FF7406C0000-0x00007FF740A11000-memory.dmp

Filesize
3.3MB

Download
memory/2572-144-0x00007FF6B71C0000-0x00007FF6B7511000-memory.dmp

Filesize
3.3MB

Download
memory/2572-73-0x00007FF6B71C0000-0x00007FF6B7511000-memory.dmp

Filesize
3.3MB

Download
memory/2572-234-0x00007FF6B71C0000-0x00007FF6B7511000-memory.dmp

Filesize
3.3MB

Download
memory/2716-237-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp

Filesize
3.3MB

Download
memory/2716-154-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp

Filesize
3.3MB

Download
memory/2716-64-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp

Filesize
3.3MB

Download
memory/2820-261-0x00007FF709C30000-0x00007FF709F81000-memory.dmp

Filesize
3.3MB

Download
memory/2820-123-0x00007FF709C30000-0x00007FF709F81000-memory.dmp

Filesize
3.3MB

Download
memory/2820-155-0x00007FF709C30000-0x00007FF709F81000-memory.dmp

Filesize
3.3MB

Download
memory/2984-59-0x00007FF768050000-0x00007FF7683A1000-memory.dmp

Filesize
3.3MB

Download
memory/2984-231-0x00007FF768050000-0x00007FF7683A1000-memory.dmp

Filesize
3.3MB

Download
memory/2984-142-0x00007FF768050000-0x00007FF7683A1000-memory.dmp

Filesize
3.3MB

Download
memory/3020-60-0x00007FF6B8CC0000-0x00007FF6B9011000-memory.dmp

Filesize
3.3MB

Download
memory/3020-235-0x00007FF6B8CC0000-0x00007FF6B9011000-memory.dmp

Filesize
3.3MB

Download
memory/3020-145-0x00007FF6B8CC0000-0x00007FF6B9011000-memory.dmp

Filesize
3.3MB

Download
memory/3192-131-0x00007FF70DAB0000-0x00007FF70DE01000-memory.dmp

Filesize
3.3MB

Download
memory/3192-265-0x00007FF70DAB0000-0x00007FF70DE01000-memory.dmp

Filesize
3.3MB

Download
memory/3720-253-0x00007FF670460000-0x00007FF6707B1000-memory.dmp

Filesize
3.3MB

Download
memory/3720-96-0x00007FF670460000-0x00007FF6707B1000-memory.dmp

Filesize
3.3MB

Download
memory/3720-150-0x00007FF670460000-0x00007FF6707B1000-memory.dmp

Filesize
3.3MB

Download
memory/4612-239-0x00007FF7C3EB0000-0x00007FF7C4201000-memory.dmp

Filesize
3.3MB

Download
memory/4612-147-0x00007FF7C3EB0000-0x00007FF7C4201000-memory.dmp

Filesize
3.3MB

Download
memory/4612-74-0x00007FF7C3EB0000-0x00007FF7C4201000-memory.dmp

Filesize
3.3MB

Download
memory/4728-219-0x00007FF6338C0000-0x00007FF633C11000-memory.dmp

Filesize
3.3MB

Download
memory/4728-17-0x00007FF6338C0000-0x00007FF633C11000-memory.dmp

Filesize
3.3MB

Download
memory/4728-109-0x00007FF6338C0000-0x00007FF633C11000-memory.dmp

Filesize
3.3MB

Download
memory/4752-217-0x00007FF69F550000-0x00007FF69F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/4752-94-0x00007FF69F550000-0x00007FF69F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/4752-8-0x00007FF69F550000-0x00007FF69F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-0-0x00007FF73C680000-0x00007FF73C9D1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-1-0x000001CBBFCC0000-0x000001CBBFCD0000-memory.dmp

Filesize
64KB

Download
memory/5032-93-0x00007FF73C680000-0x00007FF73C9D1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-158-0x00007FF73C680000-0x00007FF73C9D1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-134-0x00007FF73C680000-0x00007FF73C9D1000-memory.dmp

Filesize
3.3MB

Download