cobaltstrike | 76841af22c2d920c2b4eee44c95499196257107069055de5cf575fe39159b6c8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

8ab3d4435039feabca3af9d345215783
SHA1

020004596869406c5dbc4bbc1e3b9b83f0ac3a59
SHA256

76841af22c2d920c2b4eee44c95499196257107069055de5cf575fe39159b6c8
SHA512

92fb512588efb9f1efccf33c775546e061331291655a6483de90a7094d7f6634c52a0fe1fb3bf4a00d82f3c70f377c2f3adbc7737f92877f08a8720f9d551ab2
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUP:T+856utgpPF8u/7P

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023bc0-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-33.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c98-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-98.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e747-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-130.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-136.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/944-0-0x00007FF6AD5C0000-0x00007FF6AD914000-memory.dmp	xmrig
behavioral2/files/0x000b000000023bc0-5.dat	xmrig
behavioral2/memory/4240-7-0x00007FF75C580000-0x00007FF75C8D4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9c-11.dat	xmrig
behavioral2/files/0x0007000000023c9b-12.dat	xmrig
behavioral2/memory/1340-14-0x00007FF7DA3C0000-0x00007FF7DA714000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9d-23.dat	xmrig
behavioral2/memory/2320-24-0x00007FF603200000-0x00007FF603554000-memory.dmp	xmrig
behavioral2/memory/2012-18-0x00007FF682090000-0x00007FF6823E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca0-35.dat	xmrig
behavioral2/files/0x0007000000023c9e-33.dat	xmrig
behavioral2/memory/2984-30-0x00007FF789BE0000-0x00007FF789F34000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c98-41.dat	xmrig
behavioral2/memory/2808-47-0x00007FF7F8890000-0x00007FF7F8BE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca1-48.dat	xmrig
behavioral2/memory/4968-42-0x00007FF75D850000-0x00007FF75DBA4000-memory.dmp	xmrig
behavioral2/memory/2576-36-0x00007FF667360000-0x00007FF6676B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca2-53.dat	xmrig
behavioral2/memory/700-57-0x00007FF794DB0000-0x00007FF795104000-memory.dmp	xmrig
behavioral2/memory/944-56-0x00007FF6AD5C0000-0x00007FF6AD914000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca3-60.dat	xmrig
behavioral2/files/0x0007000000023ca4-66.dat	xmrig
behavioral2/memory/1340-68-0x00007FF7DA3C0000-0x00007FF7DA714000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca5-77.dat	xmrig
behavioral2/memory/3408-76-0x00007FF674CD0000-0x00007FF675024000-memory.dmp	xmrig
behavioral2/memory/2012-74-0x00007FF682090000-0x00007FF6823E4000-memory.dmp	xmrig
behavioral2/memory/4500-71-0x00007FF688920000-0x00007FF688C74000-memory.dmp	xmrig
behavioral2/memory/3740-62-0x00007FF7DC3D0000-0x00007FF7DC724000-memory.dmp	xmrig
behavioral2/memory/4240-61-0x00007FF75C580000-0x00007FF75C8D4000-memory.dmp	xmrig
behavioral2/memory/2320-79-0x00007FF603200000-0x00007FF603554000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca6-81.dat	xmrig
behavioral2/memory/2984-85-0x00007FF789BE0000-0x00007FF789F34000-memory.dmp	xmrig
behavioral2/memory/4892-86-0x00007FF63D2E0000-0x00007FF63D634000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca7-88.dat	xmrig
behavioral2/memory/4676-93-0x00007FF78EB80000-0x00007FF78EED4000-memory.dmp	xmrig
behavioral2/memory/2576-92-0x00007FF667360000-0x00007FF6676B4000-memory.dmp	xmrig
behavioral2/memory/4968-94-0x00007FF75D850000-0x00007FF75DBA4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca8-98.dat	xmrig
behavioral2/memory/2808-99-0x00007FF7F8890000-0x00007FF7F8BE4000-memory.dmp	xmrig
behavioral2/memory/3664-101-0x00007FF7CB5C0000-0x00007FF7CB914000-memory.dmp	xmrig
behavioral2/files/0x000200000001e747-103.dat	xmrig
behavioral2/memory/3504-107-0x00007FF72D4C0000-0x00007FF72D814000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cab-110.dat	xmrig
behavioral2/memory/3472-113-0x00007FF7443E0000-0x00007FF744734000-memory.dmp	xmrig
behavioral2/memory/3740-117-0x00007FF7DC3D0000-0x00007FF7DC724000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cac-119.dat	xmrig
behavioral2/memory/3808-118-0x00007FF792890000-0x00007FF792BE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cad-123.dat	xmrig
behavioral2/memory/4516-125-0x00007FF7A29B0000-0x00007FF7A2D04000-memory.dmp	xmrig
behavioral2/memory/4500-124-0x00007FF688920000-0x00007FF688C74000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cae-130.dat	xmrig
behavioral2/memory/3408-132-0x00007FF674CD0000-0x00007FF675024000-memory.dmp	xmrig
behavioral2/memory/740-134-0x00007FF7A89B0000-0x00007FF7A8D04000-memory.dmp	xmrig
behavioral2/files/0x0007000000023caf-136.dat	xmrig
behavioral2/memory/3404-139-0x00007FF614AF0000-0x00007FF614E44000-memory.dmp	xmrig
behavioral2/memory/3664-140-0x00007FF7CB5C0000-0x00007FF7CB914000-memory.dmp	xmrig
behavioral2/memory/3808-141-0x00007FF792890000-0x00007FF792BE4000-memory.dmp	xmrig
behavioral2/memory/4516-142-0x00007FF7A29B0000-0x00007FF7A2D04000-memory.dmp	xmrig
behavioral2/memory/3404-143-0x00007FF614AF0000-0x00007FF614E44000-memory.dmp	xmrig
behavioral2/memory/4240-144-0x00007FF75C580000-0x00007FF75C8D4000-memory.dmp	xmrig
behavioral2/memory/1340-145-0x00007FF7DA3C0000-0x00007FF7DA714000-memory.dmp	xmrig
behavioral2/memory/2012-146-0x00007FF682090000-0x00007FF6823E4000-memory.dmp	xmrig
behavioral2/memory/2320-147-0x00007FF603200000-0x00007FF603554000-memory.dmp	xmrig
behavioral2/memory/2984-148-0x00007FF789BE0000-0x00007FF789F34000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4240	EkXgMeO.exe
1340	WEUYcdf.exe
2012	dPAQTnE.exe
2320	zHcOxGO.exe
2984	cXjVPNl.exe
2576	vytEuNI.exe
4968	GwaQlcr.exe
2808	CzWlMQN.exe
700	vVBjVmy.exe
3740	pkILfNZ.exe
4500	Gjbiliu.exe
3408	nldHGbO.exe
4892	inxtYbF.exe
4676	NAkUodU.exe
3664	BvLJDgM.exe
3504	pgqMcWu.exe
3472	CcHkbEq.exe
3808	tOYynLV.exe
4516	NKFuFgy.exe
740	bRNvNSv.exe
3404	JblxUqD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/944-0-0x00007FF6AD5C0000-0x00007FF6AD914000-memory.dmp	upx
behavioral2/files/0x000b000000023bc0-5.dat	upx
behavioral2/memory/4240-7-0x00007FF75C580000-0x00007FF75C8D4000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-11.dat	upx
behavioral2/files/0x0007000000023c9b-12.dat	upx
behavioral2/memory/1340-14-0x00007FF7DA3C0000-0x00007FF7DA714000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-23.dat	upx
behavioral2/memory/2320-24-0x00007FF603200000-0x00007FF603554000-memory.dmp	upx
behavioral2/memory/2012-18-0x00007FF682090000-0x00007FF6823E4000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-35.dat	upx
behavioral2/files/0x0007000000023c9e-33.dat	upx
behavioral2/memory/2984-30-0x00007FF789BE0000-0x00007FF789F34000-memory.dmp	upx
behavioral2/files/0x0008000000023c98-41.dat	upx
behavioral2/memory/2808-47-0x00007FF7F8890000-0x00007FF7F8BE4000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-48.dat	upx
behavioral2/memory/4968-42-0x00007FF75D850000-0x00007FF75DBA4000-memory.dmp	upx
behavioral2/memory/2576-36-0x00007FF667360000-0x00007FF6676B4000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-53.dat	upx
behavioral2/memory/700-57-0x00007FF794DB0000-0x00007FF795104000-memory.dmp	upx
behavioral2/memory/944-56-0x00007FF6AD5C0000-0x00007FF6AD914000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-60.dat	upx
behavioral2/files/0x0007000000023ca4-66.dat	upx
behavioral2/memory/1340-68-0x00007FF7DA3C0000-0x00007FF7DA714000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-77.dat	upx
behavioral2/memory/3408-76-0x00007FF674CD0000-0x00007FF675024000-memory.dmp	upx
behavioral2/memory/2012-74-0x00007FF682090000-0x00007FF6823E4000-memory.dmp	upx
behavioral2/memory/4500-71-0x00007FF688920000-0x00007FF688C74000-memory.dmp	upx
behavioral2/memory/3740-62-0x00007FF7DC3D0000-0x00007FF7DC724000-memory.dmp	upx
behavioral2/memory/4240-61-0x00007FF75C580000-0x00007FF75C8D4000-memory.dmp	upx
behavioral2/memory/2320-79-0x00007FF603200000-0x00007FF603554000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-81.dat	upx
behavioral2/memory/2984-85-0x00007FF789BE0000-0x00007FF789F34000-memory.dmp	upx
behavioral2/memory/4892-86-0x00007FF63D2E0000-0x00007FF63D634000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-88.dat	upx
behavioral2/memory/4676-93-0x00007FF78EB80000-0x00007FF78EED4000-memory.dmp	upx
behavioral2/memory/2576-92-0x00007FF667360000-0x00007FF6676B4000-memory.dmp	upx
behavioral2/memory/4968-94-0x00007FF75D850000-0x00007FF75DBA4000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-98.dat	upx
behavioral2/memory/2808-99-0x00007FF7F8890000-0x00007FF7F8BE4000-memory.dmp	upx
behavioral2/memory/3664-101-0x00007FF7CB5C0000-0x00007FF7CB914000-memory.dmp	upx
behavioral2/files/0x000200000001e747-103.dat	upx
behavioral2/memory/3504-107-0x00007FF72D4C0000-0x00007FF72D814000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-110.dat	upx
behavioral2/memory/3472-113-0x00007FF7443E0000-0x00007FF744734000-memory.dmp	upx
behavioral2/memory/3740-117-0x00007FF7DC3D0000-0x00007FF7DC724000-memory.dmp	upx
behavioral2/files/0x0007000000023cac-119.dat	upx
behavioral2/memory/3808-118-0x00007FF792890000-0x00007FF792BE4000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-123.dat	upx
behavioral2/memory/4516-125-0x00007FF7A29B0000-0x00007FF7A2D04000-memory.dmp	upx
behavioral2/memory/4500-124-0x00007FF688920000-0x00007FF688C74000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-130.dat	upx
behavioral2/memory/3408-132-0x00007FF674CD0000-0x00007FF675024000-memory.dmp	upx
behavioral2/memory/740-134-0x00007FF7A89B0000-0x00007FF7A8D04000-memory.dmp	upx
behavioral2/files/0x0007000000023caf-136.dat	upx
behavioral2/memory/3404-139-0x00007FF614AF0000-0x00007FF614E44000-memory.dmp	upx
behavioral2/memory/3664-140-0x00007FF7CB5C0000-0x00007FF7CB914000-memory.dmp	upx
behavioral2/memory/3808-141-0x00007FF792890000-0x00007FF792BE4000-memory.dmp	upx
behavioral2/memory/4516-142-0x00007FF7A29B0000-0x00007FF7A2D04000-memory.dmp	upx
behavioral2/memory/3404-143-0x00007FF614AF0000-0x00007FF614E44000-memory.dmp	upx
behavioral2/memory/4240-144-0x00007FF75C580000-0x00007FF75C8D4000-memory.dmp	upx
behavioral2/memory/1340-145-0x00007FF7DA3C0000-0x00007FF7DA714000-memory.dmp	upx
behavioral2/memory/2012-146-0x00007FF682090000-0x00007FF6823E4000-memory.dmp	upx
behavioral2/memory/2320-147-0x00007FF603200000-0x00007FF603554000-memory.dmp	upx
behavioral2/memory/2984-148-0x00007FF789BE0000-0x00007FF789F34000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\vVBjVmy.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NAkUodU.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bRNvNSv.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vytEuNI.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GwaQlcr.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CcHkbEq.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NKFuFgy.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CzWlMQN.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BvLJDgM.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pkILfNZ.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nldHGbO.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\inxtYbF.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pgqMcWu.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tOYynLV.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WEUYcdf.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dPAQTnE.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cXjVPNl.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Gjbiliu.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JblxUqD.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EkXgMeO.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zHcOxGO.exe	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 4240	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 944 wrote to memory of 4240	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 944 wrote to memory of 1340	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 944 wrote to memory of 1340	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 944 wrote to memory of 2012	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 944 wrote to memory of 2012	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 944 wrote to memory of 2320	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 944 wrote to memory of 2320	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 944 wrote to memory of 2984	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 944 wrote to memory of 2984	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 944 wrote to memory of 2576	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 944 wrote to memory of 2576	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 944 wrote to memory of 4968	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 944 wrote to memory of 4968	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 944 wrote to memory of 2808	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 944 wrote to memory of 2808	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 944 wrote to memory of 700	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 944 wrote to memory of 700	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 944 wrote to memory of 3740	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 944 wrote to memory of 3740	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 944 wrote to memory of 4500	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 944 wrote to memory of 4500	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 944 wrote to memory of 3408	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 944 wrote to memory of 3408	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 944 wrote to memory of 4892	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 944 wrote to memory of 4892	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 944 wrote to memory of 4676	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 944 wrote to memory of 4676	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 944 wrote to memory of 3664	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 944 wrote to memory of 3664	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 944 wrote to memory of 3504	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 944 wrote to memory of 3504	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 944 wrote to memory of 3472	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 944 wrote to memory of 3472	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 944 wrote to memory of 3808	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 944 wrote to memory of 3808	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 944 wrote to memory of 4516	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 944 wrote to memory of 4516	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 944 wrote to memory of 740	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 944 wrote to memory of 740	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 944 wrote to memory of 3404	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 944 wrote to memory of 3404	944	2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-02_8ab3d4435039feabca3af9d345215783_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\System\EkXgMeO.exe
  C:\Windows\System\EkXgMeO.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System\WEUYcdf.exe
  C:\Windows\System\WEUYcdf.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\System\dPAQTnE.exe
  C:\Windows\System\dPAQTnE.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\zHcOxGO.exe
  C:\Windows\System\zHcOxGO.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\cXjVPNl.exe
  C:\Windows\System\cXjVPNl.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\vytEuNI.exe
  C:\Windows\System\vytEuNI.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\GwaQlcr.exe
  C:\Windows\System\GwaQlcr.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\CzWlMQN.exe
  C:\Windows\System\CzWlMQN.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\vVBjVmy.exe
  C:\Windows\System\vVBjVmy.exe
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\System\pkILfNZ.exe
  C:\Windows\System\pkILfNZ.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System\Gjbiliu.exe
  C:\Windows\System\Gjbiliu.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\nldHGbO.exe
  C:\Windows\System\nldHGbO.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\inxtYbF.exe
  C:\Windows\System\inxtYbF.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\NAkUodU.exe
  C:\Windows\System\NAkUodU.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\BvLJDgM.exe
  C:\Windows\System\BvLJDgM.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\pgqMcWu.exe
  C:\Windows\System\pgqMcWu.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\CcHkbEq.exe
  C:\Windows\System\CcHkbEq.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\tOYynLV.exe
  C:\Windows\System\tOYynLV.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Windows\System\NKFuFgy.exe
  C:\Windows\System\NKFuFgy.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System\bRNvNSv.exe
  C:\Windows\System\bRNvNSv.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System\JblxUqD.exe
  C:\Windows\System\JblxUqD.exe
  2⤵
  - Executes dropped EXE
  PID:3404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BvLJDgM.exe

Filesize
5.9MB

MD5
efbf94fd8f07deb2bac7184f997e0454

SHA1
fae66fad47178cc4d552df0d88996a348d918650

SHA256
484afedea68b6042576050b0a58cb203f0a05acfa5f9752b3404d8c4bcedb6c3

SHA512
6325c3eb3c3ecdf4b007408c4945f4c5a5deb08761c206001bcee19ada9ca0423cb3ed6a8f1e69a45ce68ad5ae64ada96e42137f220a219b733bb50fd3677fdc

Download Submit
C:\Windows\System\CcHkbEq.exe

Filesize
5.9MB

MD5
eeeb1730bf0ed7693bc80dc6a3383238

SHA1
fca08817b997a7c4bcc309e422f9c4fbceb3bce9

SHA256
d3760cecc27dc791f2e82ad8aa3472708b96202503468d47b86d3d883139380c

SHA512
63a4c458515f4811bcb12cec1da876bea0affa4961ed5189ab1052042aba336b177d71ba886821f363b85f9ad67bd21054806d6702fc436164f41e20da301d99

Download Submit
C:\Windows\System\CzWlMQN.exe

Filesize
5.9MB

MD5
4d59c46dc5df61dd9fc23ebf05811885

SHA1
0bcce31ded6aefa5b302ae1418889dac05366ded

SHA256
83c8fb048a5591f5bcbcce969bb7137ad1ea07c81cb9a1d48e4a30b937f52953

SHA512
7eca05fd8e827c94634df182dcf00c10ecac6af3d8ca289d81ea3e4684b419f96fb8e13fac1868a7471153634aeb91394a11a44a86efa1dfcadb3dfd0ce6f137

Download Submit
C:\Windows\System\EkXgMeO.exe

Filesize
5.9MB

MD5
d2a058bdf281a93ff7c1d1c9faeb4b48

SHA1
2457e840b32fc9a3b2996eb48f663740de49c0d3

SHA256
1b4e7db192f117d973d2ce20d59daadd5aa4492195096d0aa49da86632e1074e

SHA512
46dc307c4cf64a555ee1a8991a3f1b0fe4fceaa012229bfe30f30cd8def51d36ca8cc9996f4eddfbc113f4c43719d6b02c9f0edb5b03564c73249cc59e9b2f3d

Download Submit
C:\Windows\System\Gjbiliu.exe

Filesize
5.9MB

MD5
0ea0ae7b52da8e993d4d578dca08c2eb

SHA1
da6c20ac233102a20917075f5550a29c10c0a9ed

SHA256
6a73106d620b61a4d6a2876f4aaf336ddb84758fa80ec1b36151f638032af979

SHA512
b263e40343e9cb08b8540e03e741635eb917453e6eae8bbbd6d2414b0c52da76a38dcc17663cd293079821ec8d8ace56b0a676b436aa201c15b2d2364c399314

Download Submit
C:\Windows\System\GwaQlcr.exe

Filesize
5.9MB

MD5
03d7822d6868aa06c24a8d6f49177f38

SHA1
88f15e81d8419ee0bf1865e66d6aa976bc0b6db5

SHA256
55855030807d4323b30b53b425d0efc4de9268e51bbc1691cc37d1bf78dbab02

SHA512
bc055834e3bd9d4f88bb5f9d622e622769269680aecff68e6d79cd796aa64d6ff95175f0cfd0c0bc55c11c2dd73c5ed954e7532ca01edac6799666ae36d0edb1

Download Submit
C:\Windows\System\JblxUqD.exe

Filesize
6.0MB

MD5
8bfac853d531e1669e7d9278a9cb054c

SHA1
bbc57654718e2ca6294a9f89024a9bc3eae621b1

SHA256
ad79a254f690d95e37b127b89e985829332d53a40b19c81435dc76c51609d5bb

SHA512
baf58098bd5e1264dee00ff61f414bbfbc36617b20590b3ba3adcd074bfc36f344e2602d412d7016622ad9af291be3c24b526d5b5490790f66f37bd14e3d5a65

Download Submit
C:\Windows\System\NAkUodU.exe

Filesize
5.9MB

MD5
4684bf0a4163833669f55b9ff178ab81

SHA1
86fa7191e8b6ec551466cfb21680401a1b491978

SHA256
d9d5b3f71de05a8e17637db6123fa6a798cc1b356c088dc657a9a2512a21ac5e

SHA512
332d0f923a1fa9a1c1d51d88cc46f1268a20dfa2cb2626eef42747398a0dac026c5caf8455852d8179d11c026559fd13d5f5cf10d658c940fd1d258e8c40bb74

Download Submit
C:\Windows\System\NKFuFgy.exe

Filesize
6.0MB

MD5
62005d111956fb0becd33476be9cbed2

SHA1
4fdcb061cac3a5e34bddf42ee36ade8bfe946438

SHA256
ffc24cdb94610b9d63e3e801fa8a72472ef361c70fc58da03b2a8e37bb681f02

SHA512
e14ad6e801b58b01ae696773f65d91cd063a80f3fd3b8a89fb7ceb00e4208476f76ff24f4b99b0c6a88e4ab673f209aaab2233411f1ee60414ee50b56cc9a5ef

Download Submit
C:\Windows\System\WEUYcdf.exe

Filesize
5.9MB

MD5
61203d101dfac4927ce94a775d305da8

SHA1
ee0573a1bc0ae370a5f9dae05187a05656af4206

SHA256
8d5ad899954be5e2caf9a7664af8a653e634107f8b3f2b7d705bd685db57c0bc

SHA512
dbd3f70383cec68a39b736ebeea2fa683088ec1d8d53e94627110f1a856cd8973f4f5ab3f72f1a9958a2911ef00213937a13e60919bc7d5c9daecdd36b646f49

Download Submit
C:\Windows\System\bRNvNSv.exe

Filesize
6.0MB

MD5
362f3406d438a795c0776c22ae30fbac

SHA1
347535842e7b1374414d35ea3dfda55255d21077

SHA256
007564110ff3803bc712175f50d1ffb0be24dd359a80da0afda1644b1214afe4

SHA512
978c6785306a87294c07394d3e84fbd66443efe23d1d4a48756d23a196961279adea1e29969190f0574961a733a8566cb7fb16926ddf372bd784c0102f9bbb6a

Download Submit
C:\Windows\System\cXjVPNl.exe

Filesize
5.9MB

MD5
0c724cea0d3fc852d1bd94164c2accf9

SHA1
fdfa73a2658d295e0ace6c541c1ac2ed5b908c7d

SHA256
21b33aa83e02af018841c78829d1a43d8c7a2bda0c149edac52dbf0d6683dd32

SHA512
9d8e0ccb96801acfa919b8288ff9be5e80ee1d5da872283177db1c4050df6f7bd1eec84bda321071f0a7f493c4b9b3642bccc972433af6f5d70bf9eb6f835382

Download Submit
C:\Windows\System\dPAQTnE.exe

Filesize
5.9MB

MD5
ca9082a1c2220b88582c0f4ca17bc444

SHA1
9a36c5529684d7f5a4258222bdb0283818f44599

SHA256
aceb21e7152088ecb7ff1ddb0421695560065c0d4ae6e9a932f79d8543b09267

SHA512
2ab58e8e8085b18b369c85b2850f5ad773d289233a0af8a19df3cf20624ed3dfdccae6c20f4e19ef1f93363d7db9fa6294feeec50e251cde32fd50dc49e104ef

Download Submit
C:\Windows\System\inxtYbF.exe

Filesize
5.9MB

MD5
858841cc79dde60805cea30dd6b35b32

SHA1
6acea6e9904f801d4342a54cf0df0ead9cef5ce7

SHA256
3f969e9dd0699d7425cbe0d1dbc438c0dd959019522ce6725a912dde5f7d242f

SHA512
099bf9f3b2311c6281bd5c13cf7d6a3419dbaaecd56721587eaef2e74439e68c61e1186d1b8ee30c332f43b4253d520e92074b6c6ae711edd9cb75015d2727f2

Download Submit
C:\Windows\System\nldHGbO.exe

Filesize
5.9MB

MD5
2524e81cca73e36dac3bbdf929a4ad77

SHA1
2dde31e64afea7d434f019e1953201038694c592

SHA256
4237a49ab31a1abf2c7211b49c519ad275c5d9500e6c835769bee7b8c43eae56

SHA512
eb45529a4b8dcf7695e14cfbe93791a0f50080e863c0de5de5ec97859758bde6b71150225d26fc949ba64f30a6d6085b9af4a23ddef78c4bc1d52af163ec6822

Download Submit
C:\Windows\System\pgqMcWu.exe

Filesize
5.9MB

MD5
69209a60008bcb6f241061843c0a37f5

SHA1
7552ce96f2510eb3adadd80e85021232a63549aa

SHA256
51dc696a4e315c5eec2de3f242f1c1b38828e0a3769186c104ba094aa7012228

SHA512
e197d38f4696940ad06341f6a679bba3c988e8d1b4b78bfaa83dfa3f2aefa2011746248e07dc7f14c63f900aa337211dc5efeb2aad0147762f9c5f4957f4bdb4

Download Submit
C:\Windows\System\pkILfNZ.exe

Filesize
5.9MB

MD5
0b66e9491a0a3f8408e4b9749434f853

SHA1
c2a533d1659296333c1dd93e32844bf6d701e5ea

SHA256
f6c6d16bf12508f1dda4f09877306e90dcb5f3aa3d3d930801e4dea8ffe840b2

SHA512
1a6d8fa9d0b4918eb5bf5abab5d7e2162b727840e73517c33bea08c2a0b241ec197d05bebfc2751f735f1527b3b2c0341bd3f843386a35e835d269b647e7eea1

Download Submit
C:\Windows\System\tOYynLV.exe

Filesize
6.0MB

MD5
b64df13502262fa14c5ea6a9dba4c2ec

SHA1
f3ee1945d3f40c4e86032d16d7d8ea27628178d3

SHA256
08e9e5e48403ef5c65a2f8839f5b72bfe44a5746cd6a284d97b270d64b7d4120

SHA512
fcb8cdd2923958be816d887fd34dd09bef0200347cb86dab13d77cf6c686058bc01ea68c434ffb6b1ef84f1d8b4fd5c42d2054d939e0c8e0254988151c1ead77

Download Submit
C:\Windows\System\vVBjVmy.exe

Filesize
5.9MB

MD5
8e2cec19c00031e1a494c23d1b38a291

SHA1
a12db8640aab0be9fcc49b8b7176b0540e978807

SHA256
3a7ee713f9dc1a8586baa01bc449c643c17f14a018f0ab8d7515bc8d01c4c1ce

SHA512
c1191175df11bc54a511169731efedc3c131d808fb344d0e96fe70c4222c551484ee9c6d1992685cf94db9c837bab23ec9535794812d3cb75fd0a3f9415e6c4b

Download Submit
C:\Windows\System\vytEuNI.exe

Filesize
5.9MB

MD5
f7735fdb81d6443a7e9a8bac638263da

SHA1
bc6d17caf1b65092ce75bd3c1e262c6991cc4714

SHA256
62c977c2fbbb0372f4be7e8abc644e7cb268704d6f93187a4f2bed8b216edff3

SHA512
944b89f94953e477b7dd7838a94a187b302d15722145d1786b3bbe0556a5336a031eb72614d6795fc6625c0269a0accfddafc9257094fd180d49ef738a77a8f9

Download Submit
C:\Windows\System\zHcOxGO.exe

Filesize
5.9MB

MD5
27628ab916c98c2473fe95516e7724e5

SHA1
ebb7ceba7495f3beef8f88bc5239c4c31812327c

SHA256
bc4787ecf7aaf7412f913482437180f7f0c88bb90313941e2a32d9e7e617873a

SHA512
fb900a76bf44723a1f475a2935aa7df15213dede422749e10240fff453969af1f4949ffd3bee91a09ec8f89e46fbe2ed793b917746dcef9e7be82664b9d00245

Download Submit
memory/700-57-0x00007FF794DB0000-0x00007FF795104000-memory.dmp

Filesize
3.3MB

Download
memory/700-152-0x00007FF794DB0000-0x00007FF795104000-memory.dmp

Filesize
3.3MB

Download
memory/740-134-0x00007FF7A89B0000-0x00007FF7A8D04000-memory.dmp

Filesize
3.3MB

Download
memory/740-163-0x00007FF7A89B0000-0x00007FF7A8D04000-memory.dmp

Filesize
3.3MB

Download
memory/944-56-0x00007FF6AD5C0000-0x00007FF6AD914000-memory.dmp

Filesize
3.3MB

Download
memory/944-0-0x00007FF6AD5C0000-0x00007FF6AD914000-memory.dmp

Filesize
3.3MB

Download
memory/944-1-0x000001F6BF120000-0x000001F6BF130000-memory.dmp

Filesize
64KB

Download
memory/1340-145-0x00007FF7DA3C0000-0x00007FF7DA714000-memory.dmp

Filesize
3.3MB

Download
memory/1340-68-0x00007FF7DA3C0000-0x00007FF7DA714000-memory.dmp

Filesize
3.3MB

Download
memory/1340-14-0x00007FF7DA3C0000-0x00007FF7DA714000-memory.dmp

Filesize
3.3MB

Download
memory/2012-18-0x00007FF682090000-0x00007FF6823E4000-memory.dmp

Filesize
3.3MB

Download
memory/2012-146-0x00007FF682090000-0x00007FF6823E4000-memory.dmp

Filesize
3.3MB

Download
memory/2012-74-0x00007FF682090000-0x00007FF6823E4000-memory.dmp

Filesize
3.3MB

Download
memory/2320-147-0x00007FF603200000-0x00007FF603554000-memory.dmp

Filesize
3.3MB

Download
memory/2320-24-0x00007FF603200000-0x00007FF603554000-memory.dmp

Filesize
3.3MB

Download
memory/2320-79-0x00007FF603200000-0x00007FF603554000-memory.dmp

Filesize
3.3MB

Download
memory/2576-92-0x00007FF667360000-0x00007FF6676B4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-149-0x00007FF667360000-0x00007FF6676B4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-36-0x00007FF667360000-0x00007FF6676B4000-memory.dmp

Filesize
3.3MB

Download
memory/2808-99-0x00007FF7F8890000-0x00007FF7F8BE4000-memory.dmp

Filesize
3.3MB

Download
memory/2808-151-0x00007FF7F8890000-0x00007FF7F8BE4000-memory.dmp

Filesize
3.3MB

Download
memory/2808-47-0x00007FF7F8890000-0x00007FF7F8BE4000-memory.dmp

Filesize
3.3MB

Download
memory/2984-85-0x00007FF789BE0000-0x00007FF789F34000-memory.dmp

Filesize
3.3MB

Download
memory/2984-30-0x00007FF789BE0000-0x00007FF789F34000-memory.dmp

Filesize
3.3MB

Download
memory/2984-148-0x00007FF789BE0000-0x00007FF789F34000-memory.dmp

Filesize
3.3MB

Download
memory/3404-164-0x00007FF614AF0000-0x00007FF614E44000-memory.dmp

Filesize
3.3MB

Download
memory/3404-143-0x00007FF614AF0000-0x00007FF614E44000-memory.dmp

Filesize
3.3MB

Download
memory/3404-139-0x00007FF614AF0000-0x00007FF614E44000-memory.dmp

Filesize
3.3MB

Download
memory/3408-155-0x00007FF674CD0000-0x00007FF675024000-memory.dmp

Filesize
3.3MB

Download
memory/3408-76-0x00007FF674CD0000-0x00007FF675024000-memory.dmp

Filesize
3.3MB

Download
memory/3408-132-0x00007FF674CD0000-0x00007FF675024000-memory.dmp

Filesize
3.3MB

Download
memory/3472-160-0x00007FF7443E0000-0x00007FF744734000-memory.dmp

Filesize
3.3MB

Download
memory/3472-113-0x00007FF7443E0000-0x00007FF744734000-memory.dmp

Filesize
3.3MB

Download
memory/3504-107-0x00007FF72D4C0000-0x00007FF72D814000-memory.dmp

Filesize
3.3MB

Download
memory/3504-159-0x00007FF72D4C0000-0x00007FF72D814000-memory.dmp

Filesize
3.3MB

Download
memory/3664-140-0x00007FF7CB5C0000-0x00007FF7CB914000-memory.dmp

Filesize
3.3MB

Download
memory/3664-158-0x00007FF7CB5C0000-0x00007FF7CB914000-memory.dmp

Filesize
3.3MB

Download
memory/3664-101-0x00007FF7CB5C0000-0x00007FF7CB914000-memory.dmp

Filesize
3.3MB

Download
memory/3740-62-0x00007FF7DC3D0000-0x00007FF7DC724000-memory.dmp

Filesize
3.3MB

Download
memory/3740-153-0x00007FF7DC3D0000-0x00007FF7DC724000-memory.dmp

Filesize
3.3MB

Download
memory/3740-117-0x00007FF7DC3D0000-0x00007FF7DC724000-memory.dmp

Filesize
3.3MB

Download
memory/3808-141-0x00007FF792890000-0x00007FF792BE4000-memory.dmp

Filesize
3.3MB

Download
memory/3808-161-0x00007FF792890000-0x00007FF792BE4000-memory.dmp

Filesize
3.3MB

Download
memory/3808-118-0x00007FF792890000-0x00007FF792BE4000-memory.dmp

Filesize
3.3MB

Download
memory/4240-7-0x00007FF75C580000-0x00007FF75C8D4000-memory.dmp

Filesize
3.3MB

Download
memory/4240-144-0x00007FF75C580000-0x00007FF75C8D4000-memory.dmp

Filesize
3.3MB

Download
memory/4240-61-0x00007FF75C580000-0x00007FF75C8D4000-memory.dmp

Filesize
3.3MB

Download
memory/4500-124-0x00007FF688920000-0x00007FF688C74000-memory.dmp

Filesize
3.3MB

Download
memory/4500-71-0x00007FF688920000-0x00007FF688C74000-memory.dmp

Filesize
3.3MB

Download
memory/4500-154-0x00007FF688920000-0x00007FF688C74000-memory.dmp

Filesize
3.3MB

Download
memory/4516-142-0x00007FF7A29B0000-0x00007FF7A2D04000-memory.dmp

Filesize
3.3MB

Download
memory/4516-162-0x00007FF7A29B0000-0x00007FF7A2D04000-memory.dmp

Filesize
3.3MB

Download
memory/4516-125-0x00007FF7A29B0000-0x00007FF7A2D04000-memory.dmp

Filesize
3.3MB

Download
memory/4676-157-0x00007FF78EB80000-0x00007FF78EED4000-memory.dmp

Filesize
3.3MB

Download
memory/4676-93-0x00007FF78EB80000-0x00007FF78EED4000-memory.dmp

Filesize
3.3MB

Download
memory/4892-156-0x00007FF63D2E0000-0x00007FF63D634000-memory.dmp

Filesize
3.3MB

Download
memory/4892-86-0x00007FF63D2E0000-0x00007FF63D634000-memory.dmp

Filesize
3.3MB

Download
memory/4968-42-0x00007FF75D850000-0x00007FF75DBA4000-memory.dmp

Filesize
3.3MB

Download
memory/4968-94-0x00007FF75D850000-0x00007FF75DBA4000-memory.dmp

Filesize
3.3MB

Download
memory/4968-150-0x00007FF75D850000-0x00007FF75DBA4000-memory.dmp

Filesize
3.3MB

Download