cobaltstrike | aad378742163eb42baca92c7bc0544062c369227cb04caf93b2d272864ca083b

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

8ab0ea17c2a693c052c358e98e829d53
SHA1

e0ffb42c0d60877a21ca6b682f1ac6260009f464
SHA256

aad378742163eb42baca92c7bc0544062c369227cb04caf93b2d272864ca083b
SHA512

88308e66d02a488b698ba241b8bcff22391297c011205f5855504629b0907e49d3cef16f244234b3c8ff8f4a810f1220a7ad31a3dddf4bfe6787231e5c212364
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l8:RWWBibf56utgpPFotBER/mQ32lUY

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c90-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-23.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c91-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-137.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-130.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-92.dat	cobalt_reflective_dll
behavioral2/files/0x000300000001e762-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-60.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4852-66-0x00007FF6283F0000-0x00007FF628741000-memory.dmp	xmrig
behavioral2/memory/1960-71-0x00007FF701670000-0x00007FF7019C1000-memory.dmp	xmrig
behavioral2/memory/3516-81-0x00007FF777FE0000-0x00007FF778331000-memory.dmp	xmrig
behavioral2/memory/3204-88-0x00007FF66F930000-0x00007FF66FC81000-memory.dmp	xmrig
behavioral2/memory/536-129-0x00007FF691E40000-0x00007FF692191000-memory.dmp	xmrig
behavioral2/memory/4004-128-0x00007FF6CB6E0000-0x00007FF6CBA31000-memory.dmp	xmrig
behavioral2/memory/4356-121-0x00007FF64C110000-0x00007FF64C461000-memory.dmp	xmrig
behavioral2/memory/1676-111-0x00007FF643710000-0x00007FF643A61000-memory.dmp	xmrig
behavioral2/memory/2904-102-0x00007FF630670000-0x00007FF6309C1000-memory.dmp	xmrig
behavioral2/memory/3672-95-0x00007FF646570000-0x00007FF6468C1000-memory.dmp	xmrig
behavioral2/memory/2976-61-0x00007FF688D20000-0x00007FF689071000-memory.dmp	xmrig
behavioral2/memory/2976-139-0x00007FF688D20000-0x00007FF689071000-memory.dmp	xmrig
behavioral2/memory/1336-143-0x00007FF662AD0000-0x00007FF662E21000-memory.dmp	xmrig
behavioral2/memory/460-146-0x00007FF7D7A80000-0x00007FF7D7DD1000-memory.dmp	xmrig
behavioral2/memory/1132-152-0x00007FF6BD780000-0x00007FF6BDAD1000-memory.dmp	xmrig
behavioral2/memory/2000-155-0x00007FF780A30000-0x00007FF780D81000-memory.dmp	xmrig
behavioral2/memory/2248-162-0x00007FF758B70000-0x00007FF758EC1000-memory.dmp	xmrig
behavioral2/memory/2720-165-0x00007FF6C70F0000-0x00007FF6C7441000-memory.dmp	xmrig
behavioral2/memory/4824-163-0x00007FF742BF0000-0x00007FF742F41000-memory.dmp	xmrig
behavioral2/memory/3124-161-0x00007FF66F370000-0x00007FF66F6C1000-memory.dmp	xmrig
behavioral2/memory/2500-164-0x00007FF628C80000-0x00007FF628FD1000-memory.dmp	xmrig
behavioral2/memory/1120-160-0x00007FF714D60000-0x00007FF7150B1000-memory.dmp	xmrig
behavioral2/memory/1480-159-0x00007FF68FCC0000-0x00007FF690011000-memory.dmp	xmrig
behavioral2/memory/2976-166-0x00007FF688D20000-0x00007FF689071000-memory.dmp	xmrig
behavioral2/memory/4852-217-0x00007FF6283F0000-0x00007FF628741000-memory.dmp	xmrig
behavioral2/memory/1960-219-0x00007FF701670000-0x00007FF7019C1000-memory.dmp	xmrig
behavioral2/memory/3516-221-0x00007FF777FE0000-0x00007FF778331000-memory.dmp	xmrig
behavioral2/memory/3204-226-0x00007FF66F930000-0x00007FF66FC81000-memory.dmp	xmrig
behavioral2/memory/3672-228-0x00007FF646570000-0x00007FF6468C1000-memory.dmp	xmrig
behavioral2/memory/2904-230-0x00007FF630670000-0x00007FF6309C1000-memory.dmp	xmrig
behavioral2/memory/1676-232-0x00007FF643710000-0x00007FF643A61000-memory.dmp	xmrig
behavioral2/memory/4356-236-0x00007FF64C110000-0x00007FF64C461000-memory.dmp	xmrig
behavioral2/memory/4004-238-0x00007FF6CB6E0000-0x00007FF6CBA31000-memory.dmp	xmrig
behavioral2/memory/536-245-0x00007FF691E40000-0x00007FF692191000-memory.dmp	xmrig
behavioral2/memory/1336-247-0x00007FF662AD0000-0x00007FF662E21000-memory.dmp	xmrig
behavioral2/memory/1132-250-0x00007FF6BD780000-0x00007FF6BDAD1000-memory.dmp	xmrig
behavioral2/memory/460-251-0x00007FF7D7A80000-0x00007FF7D7DD1000-memory.dmp	xmrig
behavioral2/memory/2720-253-0x00007FF6C70F0000-0x00007FF6C7441000-memory.dmp	xmrig
behavioral2/memory/2000-261-0x00007FF780A30000-0x00007FF780D81000-memory.dmp	xmrig
behavioral2/memory/3124-270-0x00007FF66F370000-0x00007FF66F6C1000-memory.dmp	xmrig
behavioral2/memory/1480-271-0x00007FF68FCC0000-0x00007FF690011000-memory.dmp	xmrig
behavioral2/memory/2500-273-0x00007FF628C80000-0x00007FF628FD1000-memory.dmp	xmrig
behavioral2/memory/1120-268-0x00007FF714D60000-0x00007FF7150B1000-memory.dmp	xmrig
behavioral2/memory/2248-265-0x00007FF758B70000-0x00007FF758EC1000-memory.dmp	xmrig
behavioral2/memory/4824-264-0x00007FF742BF0000-0x00007FF742F41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4852	hfuOFCV.exe
1960	tQxImmG.exe
3516	nWvDaaS.exe
3204	kNcAvrN.exe
3672	zGZTBOF.exe
2904	RBTRRxv.exe
1676	ZRMaluU.exe
4356	aLkweNK.exe
4004	jVXmKri.exe
536	KXMrhoS.exe
1336	AhjiwVr.exe
460	yIbhmNo.exe
1132	YUwavFP.exe
2000	SNyuUxR.exe
2720	nmIhkOf.exe
1480	UUPFgmK.exe
1120	ZXlWmSe.exe
3124	FBCEIiB.exe
2248	DIeBkhl.exe
4824	tAGiGbh.exe
2500	rXwUXep.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2976-0-0x00007FF688D20000-0x00007FF689071000-memory.dmp	upx
behavioral2/files/0x0008000000023c90-5.dat	upx
behavioral2/memory/4852-8-0x00007FF6283F0000-0x00007FF628741000-memory.dmp	upx
behavioral2/files/0x0007000000023c95-11.dat	upx
behavioral2/files/0x0007000000023c94-15.dat	upx
behavioral2/memory/3516-18-0x00007FF777FE0000-0x00007FF778331000-memory.dmp	upx
behavioral2/memory/1960-13-0x00007FF701670000-0x00007FF7019C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-23.dat	upx
behavioral2/files/0x0008000000023c91-26.dat	upx
behavioral2/memory/3672-27-0x00007FF646570000-0x00007FF6468C1000-memory.dmp	upx
behavioral2/memory/3204-25-0x00007FF66F930000-0x00007FF66FC81000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-34.dat	upx
behavioral2/memory/2904-38-0x00007FF630670000-0x00007FF6309C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-40.dat	upx
behavioral2/memory/1676-41-0x00007FF643710000-0x00007FF643A61000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-46.dat	upx
behavioral2/memory/4356-49-0x00007FF64C110000-0x00007FF64C461000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-51.dat	upx
behavioral2/memory/4004-56-0x00007FF6CB6E0000-0x00007FF6CBA31000-memory.dmp	upx
behavioral2/memory/4852-66-0x00007FF6283F0000-0x00007FF628741000-memory.dmp	upx
behavioral2/memory/460-72-0x00007FF7D7A80000-0x00007FF7D7DD1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-76.dat	upx
behavioral2/memory/1960-71-0x00007FF701670000-0x00007FF7019C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-80.dat	upx
behavioral2/memory/3516-81-0x00007FF777FE0000-0x00007FF778331000-memory.dmp	upx
behavioral2/memory/3204-88-0x00007FF66F930000-0x00007FF66FC81000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-94.dat	upx
behavioral2/memory/1480-103-0x00007FF68FCC0000-0x00007FF690011000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-108.dat	upx
behavioral2/files/0x0007000000023ca4-123.dat	upx
behavioral2/memory/4824-133-0x00007FF742BF0000-0x00007FF742F41000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-137.dat	upx
behavioral2/files/0x0007000000023ca6-135.dat	upx
behavioral2/memory/2500-134-0x00007FF628C80000-0x00007FF628FD1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-130.dat	upx
behavioral2/memory/536-129-0x00007FF691E40000-0x00007FF692191000-memory.dmp	upx
behavioral2/memory/4004-128-0x00007FF6CB6E0000-0x00007FF6CBA31000-memory.dmp	upx
behavioral2/memory/2248-127-0x00007FF758B70000-0x00007FF758EC1000-memory.dmp	upx
behavioral2/memory/3124-122-0x00007FF66F370000-0x00007FF66F6C1000-memory.dmp	upx
behavioral2/memory/4356-121-0x00007FF64C110000-0x00007FF64C461000-memory.dmp	upx
behavioral2/memory/1120-112-0x00007FF714D60000-0x00007FF7150B1000-memory.dmp	upx
behavioral2/memory/1676-111-0x00007FF643710000-0x00007FF643A61000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-106.dat	upx
behavioral2/memory/2904-102-0x00007FF630670000-0x00007FF6309C1000-memory.dmp	upx
behavioral2/memory/2720-96-0x00007FF6C70F0000-0x00007FF6C7441000-memory.dmp	upx
behavioral2/memory/3672-95-0x00007FF646570000-0x00007FF6468C1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-92.dat	upx
behavioral2/memory/2000-91-0x00007FF780A30000-0x00007FF780D81000-memory.dmp	upx
behavioral2/memory/1132-82-0x00007FF6BD780000-0x00007FF6BDAD1000-memory.dmp	upx
behavioral2/files/0x000300000001e762-73.dat	upx
behavioral2/memory/1336-68-0x00007FF662AD0000-0x00007FF662E21000-memory.dmp	upx
behavioral2/memory/536-65-0x00007FF691E40000-0x00007FF692191000-memory.dmp	upx
behavioral2/memory/2976-61-0x00007FF688D20000-0x00007FF689071000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-60.dat	upx
behavioral2/memory/2976-139-0x00007FF688D20000-0x00007FF689071000-memory.dmp	upx
behavioral2/memory/1336-143-0x00007FF662AD0000-0x00007FF662E21000-memory.dmp	upx
behavioral2/memory/460-146-0x00007FF7D7A80000-0x00007FF7D7DD1000-memory.dmp	upx
behavioral2/memory/1132-152-0x00007FF6BD780000-0x00007FF6BDAD1000-memory.dmp	upx
behavioral2/memory/2000-155-0x00007FF780A30000-0x00007FF780D81000-memory.dmp	upx
behavioral2/memory/2248-162-0x00007FF758B70000-0x00007FF758EC1000-memory.dmp	upx
behavioral2/memory/2720-165-0x00007FF6C70F0000-0x00007FF6C7441000-memory.dmp	upx
behavioral2/memory/4824-163-0x00007FF742BF0000-0x00007FF742F41000-memory.dmp	upx
behavioral2/memory/3124-161-0x00007FF66F370000-0x00007FF66F6C1000-memory.dmp	upx
behavioral2/memory/2500-164-0x00007FF628C80000-0x00007FF628FD1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZXlWmSe.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DIeBkhl.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tQxImmG.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RBTRRxv.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SNyuUxR.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UUPFgmK.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jVXmKri.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AhjiwVr.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yIbhmNo.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nmIhkOf.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hfuOFCV.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nWvDaaS.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kNcAvrN.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zGZTBOF.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aLkweNK.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YUwavFP.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rXwUXep.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZRMaluU.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KXMrhoS.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FBCEIiB.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tAGiGbh.exe	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 4852	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2976 wrote to memory of 4852	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2976 wrote to memory of 1960	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2976 wrote to memory of 1960	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2976 wrote to memory of 3516	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2976 wrote to memory of 3516	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2976 wrote to memory of 3204	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2976 wrote to memory of 3204	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2976 wrote to memory of 3672	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2976 wrote to memory of 3672	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2976 wrote to memory of 2904	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2976 wrote to memory of 2904	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2976 wrote to memory of 1676	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2976 wrote to memory of 1676	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2976 wrote to memory of 4356	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2976 wrote to memory of 4356	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2976 wrote to memory of 4004	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2976 wrote to memory of 4004	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2976 wrote to memory of 536	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2976 wrote to memory of 536	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2976 wrote to memory of 1336	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2976 wrote to memory of 1336	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2976 wrote to memory of 460	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2976 wrote to memory of 460	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2976 wrote to memory of 1132	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2976 wrote to memory of 1132	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2976 wrote to memory of 2000	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2976 wrote to memory of 2000	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2976 wrote to memory of 2720	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2976 wrote to memory of 2720	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2976 wrote to memory of 1480	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2976 wrote to memory of 1480	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2976 wrote to memory of 1120	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2976 wrote to memory of 1120	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2976 wrote to memory of 3124	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2976 wrote to memory of 3124	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2976 wrote to memory of 2248	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2976 wrote to memory of 2248	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2976 wrote to memory of 4824	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2976 wrote to memory of 4824	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2976 wrote to memory of 2500	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2976 wrote to memory of 2500	2976	2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_8ab0ea17c2a693c052c358e98e829d53_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\System\hfuOFCV.exe
  C:\Windows\System\hfuOFCV.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\tQxImmG.exe
  C:\Windows\System\tQxImmG.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\nWvDaaS.exe
  C:\Windows\System\nWvDaaS.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\kNcAvrN.exe
  C:\Windows\System\kNcAvrN.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\zGZTBOF.exe
  C:\Windows\System\zGZTBOF.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\RBTRRxv.exe
  C:\Windows\System\RBTRRxv.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\ZRMaluU.exe
  C:\Windows\System\ZRMaluU.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\aLkweNK.exe
  C:\Windows\System\aLkweNK.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System\jVXmKri.exe
  C:\Windows\System\jVXmKri.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\KXMrhoS.exe
  C:\Windows\System\KXMrhoS.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\AhjiwVr.exe
  C:\Windows\System\AhjiwVr.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\System\yIbhmNo.exe
  C:\Windows\System\yIbhmNo.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System\YUwavFP.exe
  C:\Windows\System\YUwavFP.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System\SNyuUxR.exe
  C:\Windows\System\SNyuUxR.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\nmIhkOf.exe
  C:\Windows\System\nmIhkOf.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\UUPFgmK.exe
  C:\Windows\System\UUPFgmK.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\ZXlWmSe.exe
  C:\Windows\System\ZXlWmSe.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System\FBCEIiB.exe
  C:\Windows\System\FBCEIiB.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\DIeBkhl.exe
  C:\Windows\System\DIeBkhl.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System\tAGiGbh.exe
  C:\Windows\System\tAGiGbh.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System\rXwUXep.exe
  C:\Windows\System\rXwUXep.exe
  2⤵
  - Executes dropped EXE
  PID:2500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AhjiwVr.exe

Filesize
5.2MB

MD5
5caa1a6853829e632ee936fb2095f419

SHA1
8e0ea0985d5633458cddfa221850826fb8aac039

SHA256
515f76187b65c8ff591e47dec6c9092c379284a7dc18be1079622077e3c6a93c

SHA512
0bea32ec57f18bd3fdcd70a9f7b1df3231d54c2dd5c0152e8885122648e1611eacb58fa76cc4972f7b12f59ad290e1ec8e434c366150d99429442797a038f85f

Download Submit
C:\Windows\System\DIeBkhl.exe

Filesize
5.2MB

MD5
c455d5d3209c458cb3a873c008e4428b

SHA1
18cf163fedefc27ba97d24d9bfacb1650da6af2f

SHA256
dd3023425b280337112e7f943b3540e3701b47873c86339453fa7c593acc7160

SHA512
4f26ff0923d3b9b9c8888cc7bb6e94b480eff8697b202dc06a434bf7001b83ab7610586f894e170de02c01c02c60e948be5a070d4d21788cdf6346164d87e866

Download Submit
C:\Windows\System\FBCEIiB.exe

Filesize
5.2MB

MD5
cc23c2b8d77eaae31a4cde4e027c8992

SHA1
de4c00ea24c35b4ee5fd5f5fb5e911e8b21b6d04

SHA256
997c0bf5d56fe65d9ce116e05a9400ca912514682ee53598725d02363d1c0211

SHA512
7eb6018e1502dd880ea356ecbeb7b7218c6a79ef70d7727155a61d6834391ff471d4430288a47605c2d7a77a168e51dbd94de9845c7153a5ac058ce381e16377

Download Submit
C:\Windows\System\KXMrhoS.exe

Filesize
5.2MB

MD5
d4ba6877632eec7f052f6549676d4965

SHA1
880984388ba7326fc9bcf64c2a7740842be37e23

SHA256
06a60f18de9822e4fad980d3a1096191c6035ba7b4bc9795c4cf52f2e1c05f18

SHA512
e59a6bcf5bea96dc4897e30808b80f762915001be3599543ec119e8f019094c4a9c8aa576d7365a057dd0f4f7ed3c9c031609d2ee6132106250836be3b5dde19

Download Submit
C:\Windows\System\RBTRRxv.exe

Filesize
5.2MB

MD5
9e0426d2f6a056f59dde78a26eec2c86

SHA1
28ebd73f2da988df745c8c63e916e22f79ca9670

SHA256
835cad4baeb83d5b9e544e865e90b938b30f7171884b2715e50cf877976b8ed9

SHA512
c47b2e51c4833f6fda3767175eb4c9977271a625b3254db3beaaab726b7cc076e8bac89438e8770a2d03d71e8a9576d28b26e6d5c8be5ce1fbae9a108c1dd282

Download Submit
C:\Windows\System\SNyuUxR.exe

Filesize
5.2MB

MD5
2fc2b56a508af368effdc913ef4a2862

SHA1
17321cf9d855cbdab77e2b38c78677eaf4d00ef4

SHA256
e9dc83b8935067e2a89b2c9012a8dd53c94a4309b3b8b243e820d63e89a56020

SHA512
ca39572ab42aabac756d01151f959201d943925a375fb039db4fb15f76698fa3108a9dad482ec814107adddce7f4a3b25ba5e0df8316294bb25b557758d40d16

Download Submit
C:\Windows\System\UUPFgmK.exe

Filesize
5.2MB

MD5
f9d1acf67c63ed43f6c8df214522266b

SHA1
ed28abfe7d41fe469e01d75db7428979434f3694

SHA256
e6069d16e2b7c07b00db04e9c554f2f2a28a112a6159c83f0b0e76740a54a6a3

SHA512
6388cf636ce2aa443623cc3301806db7b141a7962353b7a56213511a805e447bbd308e9dfb6e205c4024b36a38637878d0cd131aef0228e70655ab404609910d

Download Submit
C:\Windows\System\YUwavFP.exe

Filesize
5.2MB

MD5
31228e82dc474dd5dabb8d57d4ed0ce7

SHA1
ef156c05bd575561e311627d5aec9271fd98e43a

SHA256
1a44b981c35e8a215764753ae62d3513b816263e34a6ad51da1e004353550530

SHA512
8198e76523a93aa21f0bff7ccb3ed4954c585e57249fc5fb9495d59eaab1a590e69c9fd4e799c0c46dc3f132b8052edab4c6b989543a177a402e2792a3988e2e

Download Submit
C:\Windows\System\ZRMaluU.exe

Filesize
5.2MB

MD5
ca3ef034004ee84f80feeb801ec6b9d3

SHA1
b47ae1facb649e2dcd09e3e8afddafdab9d05708

SHA256
757bd9a0406d2f8b80de2194288c1783b6f3382ed3bfe88a410fe5cf20956641

SHA512
a94e587d0f89b58ecfd7ea01fc4cfb492f8d5ae9af844f1578d76a707d4d5e28276f565bfcc9404ec73d3a2380e551ca5a1d5512607539aaf12e423146759d49

Download Submit
C:\Windows\System\ZXlWmSe.exe

Filesize
5.2MB

MD5
456be8bf90fc1eacfb043f45bc83ccf0

SHA1
f91f11f157129ce9a1997309cea10cf18a13bbfe

SHA256
39c37569548c2db98d9876d7030820b8f3fb08b5baadb379d6aad70a19773be3

SHA512
9827745341c44929b98ee67ca9f4ec04a6989d4ddb241f48c9035dac859f165a39543e51aadb634505cc7f091854b1c8548a1b154617b504e4f9558c42bcf845

Download Submit
C:\Windows\System\aLkweNK.exe

Filesize
5.2MB

MD5
cb428b080fe1611a7f95d707de328631

SHA1
a34ae464684193275f7d442b6947cdf7c09c8f75

SHA256
811c1043f5f646d394ccfb354f5b96e62c66dee40113130dfaf1ce866beee19e

SHA512
9b72eef8a5e659505748d4f74c746f6ccea0743cf020096057f4a0e47f17ebec0b05bb48ce85f24aff0a3ce8ff75e21d0e7bc3e153bac1a386b9be2fa37d6350

Download Submit
C:\Windows\System\hfuOFCV.exe

Filesize
5.2MB

MD5
9b39b390a7571ca1909f7a39d9885e43

SHA1
3c9a3b6944806a85ef25afed95af0a52e6882a59

SHA256
5170d44cae6367479c3834a5380b6f04997af132b21ebc076380449e829c171d

SHA512
142755047a88de3d1fcbff1c1ad3444b7df9bb7af44c0a5109d87dd8df6091c61bf206342198796f43b30ea02ef518d3708e2e16bbb60c7d598363e6f50778b0

Download Submit
C:\Windows\System\jVXmKri.exe

Filesize
5.2MB

MD5
2487b7a90b3a724bbfbbd4c74c5d6682

SHA1
04b97d1894b5e6c79e723b61ad001d351c30ebec

SHA256
0784e77386ab8d2f5706af75876b1314650a91d1adf22ad4c7c319daa5193ab4

SHA512
2cd8a84c0cccc27935d6e3ccdffe183d87a5220a842aabb6b54ae988f85da2b49e9dec45960ec8629d4ed0284a7621f50872a26c6cf01081e307c2d8e02680c0

Download Submit
C:\Windows\System\kNcAvrN.exe

Filesize
5.2MB

MD5
7adab372b3c65c94f1427309b5e39cba

SHA1
5e56a91ff7bc01e17f7437daebd64c8b3ab60917

SHA256
3191d54b368eab03af746fe186d4c785009c57868d8f82d4738b45d02ba10237

SHA512
574d8b70431221b76836487cf56cf531b3f53af2eb411dee386da0dd80a365e7bc6371ae9bcf7cf1050ae8ececfbed902f020b3a821827c17a72c81af441729a

Download Submit
C:\Windows\System\nWvDaaS.exe

Filesize
5.2MB

MD5
ece375eec3a3b3b297434a524b76c899

SHA1
e8d399a64d4f500477a8ca810e8e1cbbed91b0b5

SHA256
8f73f36873f82284c06869babf1caeab35ed55abd9d41f3e749d12aad196852f

SHA512
c9dcf69f35617728a5998e797b948f02e27853129cb2652461dfd27d703a79812e8a00b776e2eb416fa3f9940997da7b190eeeb4f67964d8433ed4c09cbc4628

Download Submit
C:\Windows\System\nmIhkOf.exe

Filesize
5.2MB

MD5
28b25fd04a31488293c0619f98b96a83

SHA1
bdd142cceba7bc673a65699b304b9af81e48f089

SHA256
3b19c6b62c0a3123204b12b9ec0b26f56f6b4a81fe8cfd6a644498b2976deb3c

SHA512
0e55c9e6da596a6d3ec8d697b994c8fb13f72510a51be9f5f21d096e281f7383c61c8356638ae842073fd7a910223a8ef6ecaa653f66830473ede8ed8d267a88

Download Submit
C:\Windows\System\rXwUXep.exe

Filesize
5.2MB

MD5
54b49dcffa62290ca433a71dbb605b6f

SHA1
2173021867dba8b03b1e330e2cfe6ed611761904

SHA256
6845b087adf91e8d0f34af6c3baf14031fa0f5f94f063ad59df56fd340111bf6

SHA512
061e564426c95f6f0b0af9a46c802c7f93cc5e982e2687eb7a409eb382bb2d8f6eb1e55bc923dce0af9504a8fb42d0928e067ac6c57ef82f9694ec49515f089a

Download Submit
C:\Windows\System\tAGiGbh.exe

Filesize
5.2MB

MD5
cce260711eee06a6ebc427c932a7a257

SHA1
72518233df12c0f6790e7b98dd8a65bb9df03603

SHA256
aa4bc051f2fc6ae3732233b22bd102ed6fe16cce0505d2804b80169d04f064c6

SHA512
a55100d3fc318843579cc68b196a48086a65e1ed3d8ad49f5aca157d87433862afea9c4424fd77a60a2ff3f757899ba1c0b719852d646d390c2234ab8c2ab8c5

Download Submit
C:\Windows\System\tQxImmG.exe

Filesize
5.2MB

MD5
b9ccf7c15ffe6f6534dda5a0971ba4cb

SHA1
72b06514a38e66b80c10bdcf955715e5fcdb5c60

SHA256
aef0ba0d14a95cb1cd12dd5d68051565dc5b1d10e4fde5046d5371b1ecd650d9

SHA512
8e63e707d907e6e45fe58dee2426039a2327c764b493ac4d161ba134b71b12612feb2f57a709bc3e72fc663a3c82d3710351c97a08aaab227b98e06df69602aa

Download Submit
C:\Windows\System\yIbhmNo.exe

Filesize
5.2MB

MD5
9453eba07217376b987e9797412568c7

SHA1
3ba5188dc8da05a2be8c47cc79f3300da40c311a

SHA256
5b9932b7705cfa0b04dbe40bddc342f25aada16636b9694a6b6cd48b0bc74153

SHA512
18421fde88f5dcc3fe02dd20029551ccfb2e47048ad2a9ef92f0dadb942d08b6ecc300e76f452d19a92bdd4d187ad2415861bab74a49c1c38a077d6071b3b0c6

Download Submit
C:\Windows\System\zGZTBOF.exe

Filesize
5.2MB

MD5
3eb575ddbe12ec67d7a2951824a44ee3

SHA1
3828e7b7432a1c99d462be97c7efe8adb9cae0d2

SHA256
cc1ae0fe5af0d5ca455662ad78cd0b1153f82d0573e197ab6b3afcbb31348adc

SHA512
aea655b27c954cfbb0cddf6024e6157ee182eea557e0bdfc2a2b9663e7c57cf0695a28e8e1e7b64d885ee640e4be83140e4f4ee5358826a80bc128d401ca108f

Download Submit
memory/460-251-0x00007FF7D7A80000-0x00007FF7D7DD1000-memory.dmp

Filesize
3.3MB

Download
memory/460-72-0x00007FF7D7A80000-0x00007FF7D7DD1000-memory.dmp

Filesize
3.3MB

Download
memory/460-146-0x00007FF7D7A80000-0x00007FF7D7DD1000-memory.dmp

Filesize
3.3MB

Download
memory/536-65-0x00007FF691E40000-0x00007FF692191000-memory.dmp

Filesize
3.3MB

Download
memory/536-245-0x00007FF691E40000-0x00007FF692191000-memory.dmp

Filesize
3.3MB

Download
memory/536-129-0x00007FF691E40000-0x00007FF692191000-memory.dmp

Filesize
3.3MB

Download
memory/1120-160-0x00007FF714D60000-0x00007FF7150B1000-memory.dmp

Filesize
3.3MB

Download
memory/1120-112-0x00007FF714D60000-0x00007FF7150B1000-memory.dmp

Filesize
3.3MB

Download
memory/1120-268-0x00007FF714D60000-0x00007FF7150B1000-memory.dmp

Filesize
3.3MB

Download
memory/1132-82-0x00007FF6BD780000-0x00007FF6BDAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1132-250-0x00007FF6BD780000-0x00007FF6BDAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1132-152-0x00007FF6BD780000-0x00007FF6BDAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1336-247-0x00007FF662AD0000-0x00007FF662E21000-memory.dmp

Filesize
3.3MB

Download
memory/1336-68-0x00007FF662AD0000-0x00007FF662E21000-memory.dmp

Filesize
3.3MB

Download
memory/1336-143-0x00007FF662AD0000-0x00007FF662E21000-memory.dmp

Filesize
3.3MB

Download
memory/1480-159-0x00007FF68FCC0000-0x00007FF690011000-memory.dmp

Filesize
3.3MB

Download
memory/1480-103-0x00007FF68FCC0000-0x00007FF690011000-memory.dmp

Filesize
3.3MB

Download
memory/1480-271-0x00007FF68FCC0000-0x00007FF690011000-memory.dmp

Filesize
3.3MB

Download
memory/1676-111-0x00007FF643710000-0x00007FF643A61000-memory.dmp

Filesize
3.3MB

Download
memory/1676-41-0x00007FF643710000-0x00007FF643A61000-memory.dmp

Filesize
3.3MB

Download
memory/1676-232-0x00007FF643710000-0x00007FF643A61000-memory.dmp

Filesize
3.3MB

Download
memory/1960-71-0x00007FF701670000-0x00007FF7019C1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-13-0x00007FF701670000-0x00007FF7019C1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-219-0x00007FF701670000-0x00007FF7019C1000-memory.dmp

Filesize
3.3MB

Download
memory/2000-91-0x00007FF780A30000-0x00007FF780D81000-memory.dmp

Filesize
3.3MB

Download
memory/2000-261-0x00007FF780A30000-0x00007FF780D81000-memory.dmp

Filesize
3.3MB

Download
memory/2000-155-0x00007FF780A30000-0x00007FF780D81000-memory.dmp

Filesize
3.3MB

Download
memory/2248-265-0x00007FF758B70000-0x00007FF758EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2248-127-0x00007FF758B70000-0x00007FF758EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2248-162-0x00007FF758B70000-0x00007FF758EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-273-0x00007FF628C80000-0x00007FF628FD1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-164-0x00007FF628C80000-0x00007FF628FD1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-134-0x00007FF628C80000-0x00007FF628FD1000-memory.dmp

Filesize
3.3MB

Download
memory/2720-165-0x00007FF6C70F0000-0x00007FF6C7441000-memory.dmp

Filesize
3.3MB

Download
memory/2720-96-0x00007FF6C70F0000-0x00007FF6C7441000-memory.dmp

Filesize
3.3MB

Download
memory/2720-253-0x00007FF6C70F0000-0x00007FF6C7441000-memory.dmp

Filesize
3.3MB

Download
memory/2904-102-0x00007FF630670000-0x00007FF6309C1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-38-0x00007FF630670000-0x00007FF6309C1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-230-0x00007FF630670000-0x00007FF6309C1000-memory.dmp

Filesize
3.3MB

Download
memory/2976-139-0x00007FF688D20000-0x00007FF689071000-memory.dmp

Filesize
3.3MB

Download
memory/2976-61-0x00007FF688D20000-0x00007FF689071000-memory.dmp

Filesize
3.3MB

Download
memory/2976-1-0x00000204C0630000-0x00000204C0640000-memory.dmp

Filesize
64KB

Download
memory/2976-0-0x00007FF688D20000-0x00007FF689071000-memory.dmp

Filesize
3.3MB

Download
memory/2976-166-0x00007FF688D20000-0x00007FF689071000-memory.dmp

Filesize
3.3MB

Download
memory/3124-270-0x00007FF66F370000-0x00007FF66F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-161-0x00007FF66F370000-0x00007FF66F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-122-0x00007FF66F370000-0x00007FF66F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/3204-88-0x00007FF66F930000-0x00007FF66FC81000-memory.dmp

Filesize
3.3MB

Download
memory/3204-226-0x00007FF66F930000-0x00007FF66FC81000-memory.dmp

Filesize
3.3MB

Download
memory/3204-25-0x00007FF66F930000-0x00007FF66FC81000-memory.dmp

Filesize
3.3MB

Download
memory/3516-221-0x00007FF777FE0000-0x00007FF778331000-memory.dmp

Filesize
3.3MB

Download
memory/3516-81-0x00007FF777FE0000-0x00007FF778331000-memory.dmp

Filesize
3.3MB

Download
memory/3516-18-0x00007FF777FE0000-0x00007FF778331000-memory.dmp

Filesize
3.3MB

Download
memory/3672-27-0x00007FF646570000-0x00007FF6468C1000-memory.dmp

Filesize
3.3MB

Download
memory/3672-228-0x00007FF646570000-0x00007FF6468C1000-memory.dmp

Filesize
3.3MB

Download
memory/3672-95-0x00007FF646570000-0x00007FF6468C1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-128-0x00007FF6CB6E0000-0x00007FF6CBA31000-memory.dmp

Filesize
3.3MB

Download
memory/4004-238-0x00007FF6CB6E0000-0x00007FF6CBA31000-memory.dmp

Filesize
3.3MB

Download
memory/4004-56-0x00007FF6CB6E0000-0x00007FF6CBA31000-memory.dmp

Filesize
3.3MB

Download
memory/4356-49-0x00007FF64C110000-0x00007FF64C461000-memory.dmp

Filesize
3.3MB

Download
memory/4356-236-0x00007FF64C110000-0x00007FF64C461000-memory.dmp

Filesize
3.3MB

Download
memory/4356-121-0x00007FF64C110000-0x00007FF64C461000-memory.dmp

Filesize
3.3MB

Download
memory/4824-163-0x00007FF742BF0000-0x00007FF742F41000-memory.dmp

Filesize
3.3MB

Download
memory/4824-133-0x00007FF742BF0000-0x00007FF742F41000-memory.dmp

Filesize
3.3MB

Download
memory/4824-264-0x00007FF742BF0000-0x00007FF742F41000-memory.dmp

Filesize
3.3MB

Download
memory/4852-8-0x00007FF6283F0000-0x00007FF628741000-memory.dmp

Filesize
3.3MB

Download
memory/4852-66-0x00007FF6283F0000-0x00007FF628741000-memory.dmp

Filesize
3.3MB

Download
memory/4852-217-0x00007FF6283F0000-0x00007FF628741000-memory.dmp

Filesize
3.3MB

Download