cobaltstrike | 90aad10e5a2e0120be310078121a8d49a4b0a3b277b3291561cacb634f24c3c6

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

4e8f1b851141b339a884be815859d92d
SHA1

c29b805b13ae6a14d265d7d5aca32e69fe74d472
SHA256

90aad10e5a2e0120be310078121a8d49a4b0a3b277b3291561cacb634f24c3c6
SHA512

b6ad78bb41831e600f733d4286bd655cdbc18f6e7440280843c0b1b4c504d792e53776c6733f2ca342d42557c945f88e20d5d46a96ecc56b2c942e0078b2268e
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUU:Q+u56utgpPF8u/7U

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023477-4.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347c-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347b-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347e-27.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347f-35.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347d-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023480-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023481-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023482-53.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023478-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023488-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023489-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023486-97.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348a-106.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348e-126.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348d-121.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348c-116.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348b-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023485-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023484-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023483-70.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2928-0-0x00007FF7F7B30000-0x00007FF7F7E84000-memory.dmp	xmrig
behavioral2/files/0x0008000000023477-4.dat	xmrig
behavioral2/memory/1940-7-0x00007FF7ECEA0000-0x00007FF7ED1F4000-memory.dmp	xmrig
behavioral2/files/0x000700000002347c-10.dat	xmrig
behavioral2/files/0x000700000002347b-11.dat	xmrig
behavioral2/memory/3436-13-0x00007FF6B9DD0000-0x00007FF6BA124000-memory.dmp	xmrig
behavioral2/files/0x000700000002347e-27.dat	xmrig
behavioral2/memory/3132-26-0x00007FF771820000-0x00007FF771B74000-memory.dmp	xmrig
behavioral2/files/0x000700000002347f-35.dat	xmrig
behavioral2/files/0x000700000002347d-28.dat	xmrig
behavioral2/files/0x0007000000023480-39.dat	xmrig
behavioral2/memory/1932-43-0x00007FF7882B0000-0x00007FF788604000-memory.dmp	xmrig
behavioral2/files/0x0007000000023481-49.dat	xmrig
behavioral2/memory/5072-48-0x00007FF68D9C0000-0x00007FF68DD14000-memory.dmp	xmrig
behavioral2/memory/4452-46-0x00007FF735940000-0x00007FF735C94000-memory.dmp	xmrig
behavioral2/memory/4020-38-0x00007FF70FA50000-0x00007FF70FDA4000-memory.dmp	xmrig
behavioral2/memory/3200-18-0x00007FF6DA420000-0x00007FF6DA774000-memory.dmp	xmrig
behavioral2/files/0x0007000000023482-53.dat	xmrig
behavioral2/memory/2928-54-0x00007FF7F7B30000-0x00007FF7F7E84000-memory.dmp	xmrig
behavioral2/memory/2376-57-0x00007FF767830000-0x00007FF767B84000-memory.dmp	xmrig
behavioral2/files/0x0008000000023478-64.dat	xmrig
behavioral2/memory/5084-72-0x00007FF782A70000-0x00007FF782DC4000-memory.dmp	xmrig
behavioral2/memory/3732-85-0x00007FF631BF0000-0x00007FF631F44000-memory.dmp	xmrig
behavioral2/files/0x0007000000023488-89.dat	xmrig
behavioral2/files/0x0007000000023489-92.dat	xmrig
behavioral2/files/0x0007000000023486-97.dat	xmrig
behavioral2/files/0x000700000002348a-106.dat	xmrig
behavioral2/memory/4036-119-0x00007FF730790000-0x00007FF730AE4000-memory.dmp	xmrig
behavioral2/memory/4116-125-0x00007FF730340000-0x00007FF730694000-memory.dmp	xmrig
behavioral2/memory/1500-129-0x00007FF744740000-0x00007FF744A94000-memory.dmp	xmrig
behavioral2/memory/4780-131-0x00007FF7006D0000-0x00007FF700A24000-memory.dmp	xmrig
behavioral2/memory/764-130-0x00007FF6E4F40000-0x00007FF6E5294000-memory.dmp	xmrig
behavioral2/memory/4816-128-0x00007FF65CC30000-0x00007FF65CF84000-memory.dmp	xmrig
behavioral2/files/0x000700000002348e-126.dat	xmrig
behavioral2/memory/4936-124-0x00007FF790810000-0x00007FF790B64000-memory.dmp	xmrig
behavioral2/memory/4044-123-0x00007FF682030000-0x00007FF682384000-memory.dmp	xmrig
behavioral2/files/0x000700000002348d-121.dat	xmrig
behavioral2/files/0x000700000002348c-116.dat	xmrig
behavioral2/memory/3132-114-0x00007FF771820000-0x00007FF771B74000-memory.dmp	xmrig
behavioral2/files/0x000700000002348b-113.dat	xmrig
behavioral2/memory/776-91-0x00007FF7C4400000-0x00007FF7C4754000-memory.dmp	xmrig
behavioral2/files/0x0007000000023485-81.dat	xmrig
behavioral2/files/0x0007000000023484-76.dat	xmrig
behavioral2/memory/3200-74-0x00007FF6DA420000-0x00007FF6DA774000-memory.dmp	xmrig
behavioral2/memory/2196-68-0x00007FF6C2450000-0x00007FF6C27A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023483-70.dat	xmrig
behavioral2/memory/3436-61-0x00007FF6B9DD0000-0x00007FF6BA124000-memory.dmp	xmrig
behavioral2/memory/1940-60-0x00007FF7ECEA0000-0x00007FF7ED1F4000-memory.dmp	xmrig
behavioral2/memory/5072-133-0x00007FF68D9C0000-0x00007FF68DD14000-memory.dmp	xmrig
behavioral2/memory/2376-134-0x00007FF767830000-0x00007FF767B84000-memory.dmp	xmrig
behavioral2/memory/5084-135-0x00007FF782A70000-0x00007FF782DC4000-memory.dmp	xmrig
behavioral2/memory/3732-136-0x00007FF631BF0000-0x00007FF631F44000-memory.dmp	xmrig
behavioral2/memory/2196-137-0x00007FF6C2450000-0x00007FF6C27A4000-memory.dmp	xmrig
behavioral2/memory/776-138-0x00007FF7C4400000-0x00007FF7C4754000-memory.dmp	xmrig
behavioral2/memory/4816-139-0x00007FF65CC30000-0x00007FF65CF84000-memory.dmp	xmrig
behavioral2/memory/1940-140-0x00007FF7ECEA0000-0x00007FF7ED1F4000-memory.dmp	xmrig
behavioral2/memory/3436-141-0x00007FF6B9DD0000-0x00007FF6BA124000-memory.dmp	xmrig
behavioral2/memory/3200-142-0x00007FF6DA420000-0x00007FF6DA774000-memory.dmp	xmrig
behavioral2/memory/4020-144-0x00007FF70FA50000-0x00007FF70FDA4000-memory.dmp	xmrig
behavioral2/memory/3132-143-0x00007FF771820000-0x00007FF771B74000-memory.dmp	xmrig
behavioral2/memory/4452-146-0x00007FF735940000-0x00007FF735C94000-memory.dmp	xmrig
behavioral2/memory/5072-145-0x00007FF68D9C0000-0x00007FF68DD14000-memory.dmp	xmrig
behavioral2/memory/1932-147-0x00007FF7882B0000-0x00007FF788604000-memory.dmp	xmrig
behavioral2/memory/2376-148-0x00007FF767830000-0x00007FF767B84000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1940	SBWMszA.exe
3436	iZpBFUd.exe
3200	beqewuR.exe
3132	rcVXDll.exe
4020	ocSCGGC.exe
1932	QyNyOJM.exe
4452	IRFvvUK.exe
5072	vXrxVcr.exe
2376	UtUNVji.exe
2196	fFjPHJR.exe
5084	BZBgViz.exe
3732	FpqxeEZ.exe
4036	RGRufIX.exe
776	suglmaK.exe
4044	zBphxAJ.exe
4936	caMBkvI.exe
1500	eStymDQ.exe
4116	WcCDbAy.exe
4816	PSRkNQc.exe
764	VMnjVAw.exe
4780	bVINmmp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2928-0-0x00007FF7F7B30000-0x00007FF7F7E84000-memory.dmp	upx
behavioral2/files/0x0008000000023477-4.dat	upx
behavioral2/memory/1940-7-0x00007FF7ECEA0000-0x00007FF7ED1F4000-memory.dmp	upx
behavioral2/files/0x000700000002347c-10.dat	upx
behavioral2/files/0x000700000002347b-11.dat	upx
behavioral2/memory/3436-13-0x00007FF6B9DD0000-0x00007FF6BA124000-memory.dmp	upx
behavioral2/files/0x000700000002347e-27.dat	upx
behavioral2/memory/3132-26-0x00007FF771820000-0x00007FF771B74000-memory.dmp	upx
behavioral2/files/0x000700000002347f-35.dat	upx
behavioral2/files/0x000700000002347d-28.dat	upx
behavioral2/files/0x0007000000023480-39.dat	upx
behavioral2/memory/1932-43-0x00007FF7882B0000-0x00007FF788604000-memory.dmp	upx
behavioral2/files/0x0007000000023481-49.dat	upx
behavioral2/memory/5072-48-0x00007FF68D9C0000-0x00007FF68DD14000-memory.dmp	upx
behavioral2/memory/4452-46-0x00007FF735940000-0x00007FF735C94000-memory.dmp	upx
behavioral2/memory/4020-38-0x00007FF70FA50000-0x00007FF70FDA4000-memory.dmp	upx
behavioral2/memory/3200-18-0x00007FF6DA420000-0x00007FF6DA774000-memory.dmp	upx
behavioral2/files/0x0007000000023482-53.dat	upx
behavioral2/memory/2928-54-0x00007FF7F7B30000-0x00007FF7F7E84000-memory.dmp	upx
behavioral2/memory/2376-57-0x00007FF767830000-0x00007FF767B84000-memory.dmp	upx
behavioral2/files/0x0008000000023478-64.dat	upx
behavioral2/memory/5084-72-0x00007FF782A70000-0x00007FF782DC4000-memory.dmp	upx
behavioral2/memory/3732-85-0x00007FF631BF0000-0x00007FF631F44000-memory.dmp	upx
behavioral2/files/0x0007000000023488-89.dat	upx
behavioral2/files/0x0007000000023489-92.dat	upx
behavioral2/files/0x0007000000023486-97.dat	upx
behavioral2/files/0x000700000002348a-106.dat	upx
behavioral2/memory/4036-119-0x00007FF730790000-0x00007FF730AE4000-memory.dmp	upx
behavioral2/memory/4116-125-0x00007FF730340000-0x00007FF730694000-memory.dmp	upx
behavioral2/memory/1500-129-0x00007FF744740000-0x00007FF744A94000-memory.dmp	upx
behavioral2/memory/4780-131-0x00007FF7006D0000-0x00007FF700A24000-memory.dmp	upx
behavioral2/memory/764-130-0x00007FF6E4F40000-0x00007FF6E5294000-memory.dmp	upx
behavioral2/memory/4816-128-0x00007FF65CC30000-0x00007FF65CF84000-memory.dmp	upx
behavioral2/files/0x000700000002348e-126.dat	upx
behavioral2/memory/4936-124-0x00007FF790810000-0x00007FF790B64000-memory.dmp	upx
behavioral2/memory/4044-123-0x00007FF682030000-0x00007FF682384000-memory.dmp	upx
behavioral2/files/0x000700000002348d-121.dat	upx
behavioral2/files/0x000700000002348c-116.dat	upx
behavioral2/memory/3132-114-0x00007FF771820000-0x00007FF771B74000-memory.dmp	upx
behavioral2/files/0x000700000002348b-113.dat	upx
behavioral2/memory/776-91-0x00007FF7C4400000-0x00007FF7C4754000-memory.dmp	upx
behavioral2/files/0x0007000000023485-81.dat	upx
behavioral2/files/0x0007000000023484-76.dat	upx
behavioral2/memory/3200-74-0x00007FF6DA420000-0x00007FF6DA774000-memory.dmp	upx
behavioral2/memory/2196-68-0x00007FF6C2450000-0x00007FF6C27A4000-memory.dmp	upx
behavioral2/files/0x0007000000023483-70.dat	upx
behavioral2/memory/3436-61-0x00007FF6B9DD0000-0x00007FF6BA124000-memory.dmp	upx
behavioral2/memory/1940-60-0x00007FF7ECEA0000-0x00007FF7ED1F4000-memory.dmp	upx
behavioral2/memory/5072-133-0x00007FF68D9C0000-0x00007FF68DD14000-memory.dmp	upx
behavioral2/memory/2376-134-0x00007FF767830000-0x00007FF767B84000-memory.dmp	upx
behavioral2/memory/5084-135-0x00007FF782A70000-0x00007FF782DC4000-memory.dmp	upx
behavioral2/memory/3732-136-0x00007FF631BF0000-0x00007FF631F44000-memory.dmp	upx
behavioral2/memory/2196-137-0x00007FF6C2450000-0x00007FF6C27A4000-memory.dmp	upx
behavioral2/memory/776-138-0x00007FF7C4400000-0x00007FF7C4754000-memory.dmp	upx
behavioral2/memory/4816-139-0x00007FF65CC30000-0x00007FF65CF84000-memory.dmp	upx
behavioral2/memory/1940-140-0x00007FF7ECEA0000-0x00007FF7ED1F4000-memory.dmp	upx
behavioral2/memory/3436-141-0x00007FF6B9DD0000-0x00007FF6BA124000-memory.dmp	upx
behavioral2/memory/3200-142-0x00007FF6DA420000-0x00007FF6DA774000-memory.dmp	upx
behavioral2/memory/4020-144-0x00007FF70FA50000-0x00007FF70FDA4000-memory.dmp	upx
behavioral2/memory/3132-143-0x00007FF771820000-0x00007FF771B74000-memory.dmp	upx
behavioral2/memory/4452-146-0x00007FF735940000-0x00007FF735C94000-memory.dmp	upx
behavioral2/memory/5072-145-0x00007FF68D9C0000-0x00007FF68DD14000-memory.dmp	upx
behavioral2/memory/1932-147-0x00007FF7882B0000-0x00007FF788604000-memory.dmp	upx
behavioral2/memory/2376-148-0x00007FF767830000-0x00007FF767B84000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\VMnjVAw.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rcVXDll.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UtUNVji.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fFjPHJR.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zBphxAJ.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\caMBkvI.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eStymDQ.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PSRkNQc.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iZpBFUd.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IRFvvUK.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FpqxeEZ.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vXrxVcr.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WcCDbAy.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bVINmmp.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SBWMszA.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\beqewuR.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QyNyOJM.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\suglmaK.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ocSCGGC.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BZBgViz.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RGRufIX.exe	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1940	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2928 wrote to memory of 1940	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2928 wrote to memory of 3436	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2928 wrote to memory of 3436	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2928 wrote to memory of 3200	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2928 wrote to memory of 3200	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2928 wrote to memory of 3132	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2928 wrote to memory of 3132	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2928 wrote to memory of 4020	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2928 wrote to memory of 4020	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2928 wrote to memory of 1932	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2928 wrote to memory of 1932	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2928 wrote to memory of 4452	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2928 wrote to memory of 4452	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2928 wrote to memory of 5072	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2928 wrote to memory of 5072	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2928 wrote to memory of 2376	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2928 wrote to memory of 2376	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2928 wrote to memory of 2196	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2928 wrote to memory of 2196	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2928 wrote to memory of 5084	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2928 wrote to memory of 5084	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2928 wrote to memory of 3732	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2928 wrote to memory of 3732	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2928 wrote to memory of 4036	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2928 wrote to memory of 4036	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2928 wrote to memory of 776	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2928 wrote to memory of 776	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2928 wrote to memory of 4044	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2928 wrote to memory of 4044	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2928 wrote to memory of 4936	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2928 wrote to memory of 4936	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2928 wrote to memory of 1500	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2928 wrote to memory of 1500	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2928 wrote to memory of 4116	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2928 wrote to memory of 4116	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2928 wrote to memory of 4816	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2928 wrote to memory of 4816	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2928 wrote to memory of 764	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2928 wrote to memory of 764	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2928 wrote to memory of 4780	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2928 wrote to memory of 4780	2928	2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_4e8f1b851141b339a884be815859d92d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\System\SBWMszA.exe
  C:\Windows\System\SBWMszA.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\iZpBFUd.exe
  C:\Windows\System\iZpBFUd.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System\beqewuR.exe
  C:\Windows\System\beqewuR.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System\rcVXDll.exe
  C:\Windows\System\rcVXDll.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\ocSCGGC.exe
  C:\Windows\System\ocSCGGC.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\QyNyOJM.exe
  C:\Windows\System\QyNyOJM.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\IRFvvUK.exe
  C:\Windows\System\IRFvvUK.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\vXrxVcr.exe
  C:\Windows\System\vXrxVcr.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\UtUNVji.exe
  C:\Windows\System\UtUNVji.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\fFjPHJR.exe
  C:\Windows\System\fFjPHJR.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\BZBgViz.exe
  C:\Windows\System\BZBgViz.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\FpqxeEZ.exe
  C:\Windows\System\FpqxeEZ.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System\RGRufIX.exe
  C:\Windows\System\RGRufIX.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\suglmaK.exe
  C:\Windows\System\suglmaK.exe
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\System\zBphxAJ.exe
  C:\Windows\System\zBphxAJ.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System\caMBkvI.exe
  C:\Windows\System\caMBkvI.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\eStymDQ.exe
  C:\Windows\System\eStymDQ.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System\WcCDbAy.exe
  C:\Windows\System\WcCDbAy.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System\PSRkNQc.exe
  C:\Windows\System\PSRkNQc.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\VMnjVAw.exe
  C:\Windows\System\VMnjVAw.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\bVINmmp.exe
  C:\Windows\System\bVINmmp.exe
  2⤵
  - Executes dropped EXE
  PID:4780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BZBgViz.exe

Filesize
5.9MB

MD5
69088d6836af1476793273f65745cb36

SHA1
e2241b81ed7fd90ffed0837834a6f747dc047f9e

SHA256
7c290594e686eb87a66914d5b5e9595ae0adf74ce80fce4b7ef222d0da26fd43

SHA512
0c5f495abce314790018b16dd1f195ce5a07602f7d7a06c3bfc36bfb135bf285a1dd5375077e705336a36061de5203e5dcc8794e485a0b7d66dcb5776860a52a

Download Submit
C:\Windows\System\FpqxeEZ.exe

Filesize
5.9MB

MD5
927f2c864149acaba57abc268ff2a445

SHA1
36c2793d54a6c7af22d971c82a7e2dc3a66d4ae7

SHA256
ce7f4aa4c18ee7f56cacf3838d6603220b297bf176dce52eaca2e45b6f662579

SHA512
a2660e4237d113159f501efe02e05cda36b7dab32dca679f8ca4778e2882077ca55b5c2655adf980d8bc745c276fd8b25929a85b14a4d27bd7a6c407634fa221

Download Submit
C:\Windows\System\IRFvvUK.exe

Filesize
5.9MB

MD5
dd064c360cf79887effdd9c41cdc1d9a

SHA1
20ed839530697b749dda655cda113c22659a1d69

SHA256
67f726abbfc776d2e70ae04515c990bfc29012b8c149e7f157fbc1a86b7b1523

SHA512
320f651832b518927aa04fa70d247936f744a7eec95b595b06ae76d911ba4caad10bde2cf6304b52a7b16c5837fc4ab05b54453a75d3fcd3a20f4b5fd63216eb

Download Submit
C:\Windows\System\PSRkNQc.exe

Filesize
5.9MB

MD5
a4ef9b4f8aba6dffeab487b44a5df18b

SHA1
b28809cab55973011b0285121e3e136d58548380

SHA256
2eb8ece46c56b2966d1f5c76a76d586096428ecebe2a3c6776713274f42f9617

SHA512
a1903fa086cc0132119f437179a7af3cc3ccd25183abdb7e09083386f19e9126be705c1e334bca6cf181d74a2fe59753c225d11cdb2f0ccd9b96d3335e743585

Download Submit
C:\Windows\System\QyNyOJM.exe

Filesize
5.9MB

MD5
4a6e73ed2d8096d8ff0f0f9043ada867

SHA1
a6f93804596a0b7373e4e53813fa719ba0ddc93e

SHA256
9107fcac426e8074200ec5b553d3a4fcef21349104feca7df59ec5d4a286a783

SHA512
534697ad4ce29092656d09b52b986eb7a04955212bd2d456db0226887d77aa18dcad01cf1a0a736f548b1c53a2a212a873e4ac4558607cf3578fdef5063d75f5

Download Submit
C:\Windows\System\RGRufIX.exe

Filesize
5.9MB

MD5
adf8497a8d7f9b03bba297c0050a1701

SHA1
56969d7f7360a768285a2e8f4e0e27fb190cb0f1

SHA256
716d2e2ffc8962a2f3c28ba92ec39c0d3e1f95aca5065975115f0309de7258bc

SHA512
4e76a673077cd62e51db04070e0addd0933d94d9902a29f89c6d3d7913998f520a5bbe87708548139a61712e7c1afd2fccf223afe2be11c73b6c69c75e8bcc03

Download Submit
C:\Windows\System\SBWMszA.exe

Filesize
5.9MB

MD5
cc6853a27bba756c06514a88d8fced2d

SHA1
538d1e0d81ca9378007bfd4ea6575aa2bf75b372

SHA256
9f15fbac4c47e5f509976573ecab95ca18073a4f2905af33e09fbf0194f8fbe6

SHA512
ebb53683990bb138a12b349aede7931b6cc834badebaa848357f1d7ff2cec27c1be62e28f246b8a3875c554ba13b55bd1cefd6eab4b3a717c5d3aa46238bf0e6

Download Submit
C:\Windows\System\UtUNVji.exe

Filesize
5.9MB

MD5
0834b9880ce8ad015a2672a65135fef9

SHA1
1519ff36b7d2e38397882cc486b14ca1d91351f1

SHA256
ab0bf7b45b5657143bd74462da46fe1da157137859a0e00708ab03d755a47e5b

SHA512
a648903036b71e130a403e766af84798ccd9a101c409e6b29797ef6cc1f56a4b46c895a171e5f7a3bbcacedd225d88cd9872ffdad30a0a5971cf1d49b0d0b6c6

Download Submit
C:\Windows\System\VMnjVAw.exe

Filesize
5.9MB

MD5
60ae74f726011ddbda14fe3bdda22cc1

SHA1
7202f0852d26774391e6057c440c2f38a9fcd9e2

SHA256
921fcb5c91ce0555b7f6facdc79259a8d3689eeeca39756bfdf0edf4814ad478

SHA512
2c755bdaa3aad08dfc9ae0a86ab93cab90bc9ff0a358461cf9e3915058306cf062e6335af4db5a7f96a982848470c54f1b755bf4e8e1d2ec3f679fadad4b3949

Download Submit
C:\Windows\System\WcCDbAy.exe

Filesize
5.9MB

MD5
eb899c146ba4c2fe481d142380baf2b2

SHA1
472b947ab6ceb1218f873b7082fc8b933eee577c

SHA256
10e5a27e675cdbba71294ab4f9ce647ffb8ea5b82167cfe237b80139907ae9c1

SHA512
935d8e162b2b3ba51cb9e1c3bb1c41ad8fa928cad9159f370bcd1b2bd63ab415295c37e6c7a9583dde6167c696b648232db3bc8a65f115cfa13af26f127aca1d

Download Submit
C:\Windows\System\bVINmmp.exe

Filesize
5.9MB

MD5
e7ce44be967364fa4e68c9e6d9cdc284

SHA1
14e7ae3e2ba0efd45a98be0ab318db3bc780897f

SHA256
10d4507f93e08919a3063e322fdd7843a572ca6fe817023c1409c0d21fb2d481

SHA512
8596d6a631f9dfe56a9252ba9ca3565d74415eb6c071cb051b2ebd741e0442d24a8fc254a1ee46e0f249363cda6c204354a2567039648c8b6ff707a20d3bfd56

Download Submit
C:\Windows\System\beqewuR.exe

Filesize
5.9MB

MD5
1e3ee3776f151f76c358959e88ab0336

SHA1
c24610b8cfab6c7ccec116528524f30c82c0d257

SHA256
d6e23ecb61b41613555aa9ddbd79df8d72f2eae9a2555194fc0c603e34ec069b

SHA512
f0830aabc656c40525605474a7bff69c16b63f8dcdc0ab14dbd4a1d588c9a622bdce3001617a66774b836850ec7deeae0047ba4926039976e507277057dfc657

Download Submit
C:\Windows\System\caMBkvI.exe

Filesize
5.9MB

MD5
1294710b3ca3525606a63793a407333d

SHA1
0f6b89865c59a6afae0ab6113493bfa0f96a3910

SHA256
9c9d9b8cb19778c5a50cf05f393a02216095de222ce6102e14e17c9c555242dc

SHA512
dc9d13d54106d333c7d9a23bd54dd6767e041fac43ad84460a2bef382a7213c410b81f22868bc7841dc0ca6b6cf4f387bda661addadfcaa0e49ae1274d942bfa

Download Submit
C:\Windows\System\eStymDQ.exe

Filesize
5.9MB

MD5
589df9bdb5b95afbe58159e7e27f41a2

SHA1
99d09a924fcfe8746e48bb948de77c0588ff181a

SHA256
f1083f8e88daf583416e6f30a0778433ffcb562b97b7e360532a76cee32c88ac

SHA512
32eef95686efb2af97db8b6ccd5d211e13e87cf87078c2155744a07cae000bd5dea6309af15f269a3777a648f2fcd1a1e59a8ea9d45ed9a4b08004134933ea4d

Download Submit
C:\Windows\System\fFjPHJR.exe

Filesize
5.9MB

MD5
dcc85bfd2e7690fd8712294911b1a5b9

SHA1
9f2fd463e5a8b5a8098ffb0f1a1058ecf0f417d4

SHA256
6c9d6de7d19ffe3fcfeaf7e6715829ff7f382dc9fa2aec465a360172592388b2

SHA512
26a457f2eedadfff6b6ee10843792d4eb48a783baf92921963f88de6fe6a0e3fb2f8a55633f2efbdcd8e2c9023392f1045b7a70d6c7dad7defd5c9ec310a03e6

Download Submit
C:\Windows\System\iZpBFUd.exe

Filesize
5.9MB

MD5
3fb8936c8839a7c0bf31a985ecbbf619

SHA1
0e69b0aae83bdd69036e9f12454b45a5e63e0a87

SHA256
3a7afc34be696da5ea7e93313bb937870a5c421ca4d40972876b789e712a3c09

SHA512
3fe6ac5371aa262c818580f57cabde440630d1b291f835262fb235f4c845a753bd37690ed111abd8d689973bd60c30fb6dfdea39c774353bf77636917edbc635

Download Submit
C:\Windows\System\ocSCGGC.exe

Filesize
5.9MB

MD5
2a71a19cf971a0419a5dba53fa3f1506

SHA1
86133015566eca227bbec69e136b5c3c38a9570f

SHA256
3fb5353e95dab8308f05f66f4f5f1282d0714353904dfd0dfa2361ec4a27833d

SHA512
b8a485650d95ae91a54e7711789282280375e388dfdc9c539b4bd249fd7a7529152dbba2f5238a9d673bd29d4f16998ad745ab97374b217097fd0c43110c456f

Download Submit
C:\Windows\System\rcVXDll.exe

Filesize
5.9MB

MD5
ce42d6cb342fc0751b1842e1a7192af5

SHA1
c646234e15ec7336b656da2efbe3c3943f3f61d5

SHA256
842a104e7d6da5a934f05ef2fc3b1031983760cb6a01ea4a44e34370eaf6a229

SHA512
2a8214ec88801e2a991f3c193094497c7c3989d61d529a2d9524c11c571eee2b8f747d1ea116938b9d37e8f4a2e5715db0150b88adb33eaf6c1e463649511f0f

Download Submit
C:\Windows\System\suglmaK.exe

Filesize
5.9MB

MD5
4fb74c61705b280c4c746119410a0dc0

SHA1
39b04f11b2470234fdc0531a80b53fef1e950105

SHA256
7febcafe637eca6f8e39f4f92a4f8371ab7e3a0bb66282fc6964e0966fbd2a2b

SHA512
13e43431644699baa1d53441d21b9454f8f7f6a6864e5e625b9df6db410d6e2f2ba1bb08413fb98ac97885a600251514e1df40c66f24f21dec19045d70189eae

Download Submit
C:\Windows\System\vXrxVcr.exe

Filesize
5.9MB

MD5
eea4b5660b41502095ae25d7cc192949

SHA1
3b3013bfe1dbf1104ca2d7fac8cb32b17b64d0ef

SHA256
85211dd608a4ddae2b5a1922f581d8dd04f3deb1d608b9490d82659aec18eefc

SHA512
d2e4d4e1e72ac6c3619efcd30f9697eab8038f4924a91c84802b278e45542e0aa35635ee2a42c529e07eeb22386cc0fabf911c4b7cdebdcea2811f81f1e48f61

Download Submit
C:\Windows\System\zBphxAJ.exe

Filesize
5.9MB

MD5
8d52be220a874d72d59bfc6518d20ce7

SHA1
7a0a8e95f44dd480a23673d1ccb8dcf2d2672f54

SHA256
03617a4c722be6538a2f33a0cfb0f52e1442249c6cef8361469af6993f2df2c1

SHA512
a0bb68aae27dd1c3bc95e757f873bda93fcf075da94a3f76a5cd5baee9800687bf33b9b30864938abf8c622c0940d662e01bdcd0d08899e480b1fc6b9ee60529

Download Submit
memory/764-130-0x00007FF6E4F40000-0x00007FF6E5294000-memory.dmp

Filesize
3.3MB

Download
memory/764-157-0x00007FF6E4F40000-0x00007FF6E5294000-memory.dmp

Filesize
3.3MB

Download
memory/776-91-0x00007FF7C4400000-0x00007FF7C4754000-memory.dmp

Filesize
3.3MB

Download
memory/776-138-0x00007FF7C4400000-0x00007FF7C4754000-memory.dmp

Filesize
3.3MB

Download
memory/776-153-0x00007FF7C4400000-0x00007FF7C4754000-memory.dmp

Filesize
3.3MB

Download
memory/1500-129-0x00007FF744740000-0x00007FF744A94000-memory.dmp

Filesize
3.3MB

Download
memory/1500-156-0x00007FF744740000-0x00007FF744A94000-memory.dmp

Filesize
3.3MB

Download
memory/1932-147-0x00007FF7882B0000-0x00007FF788604000-memory.dmp

Filesize
3.3MB

Download
memory/1932-43-0x00007FF7882B0000-0x00007FF788604000-memory.dmp

Filesize
3.3MB

Download
memory/1940-7-0x00007FF7ECEA0000-0x00007FF7ED1F4000-memory.dmp

Filesize
3.3MB

Download
memory/1940-60-0x00007FF7ECEA0000-0x00007FF7ED1F4000-memory.dmp

Filesize
3.3MB

Download
memory/1940-140-0x00007FF7ECEA0000-0x00007FF7ED1F4000-memory.dmp

Filesize
3.3MB

Download
memory/2196-68-0x00007FF6C2450000-0x00007FF6C27A4000-memory.dmp

Filesize
3.3MB

Download
memory/2196-137-0x00007FF6C2450000-0x00007FF6C27A4000-memory.dmp

Filesize
3.3MB

Download
memory/2196-150-0x00007FF6C2450000-0x00007FF6C27A4000-memory.dmp

Filesize
3.3MB

Download
memory/2376-57-0x00007FF767830000-0x00007FF767B84000-memory.dmp

Filesize
3.3MB

Download
memory/2376-148-0x00007FF767830000-0x00007FF767B84000-memory.dmp

Filesize
3.3MB

Download
memory/2376-134-0x00007FF767830000-0x00007FF767B84000-memory.dmp

Filesize
3.3MB

Download
memory/2928-0-0x00007FF7F7B30000-0x00007FF7F7E84000-memory.dmp

Filesize
3.3MB

Download
memory/2928-1-0x0000029CDE710000-0x0000029CDE720000-memory.dmp

Filesize
64KB

Download
memory/2928-54-0x00007FF7F7B30000-0x00007FF7F7E84000-memory.dmp

Filesize
3.3MB

Download
memory/3132-114-0x00007FF771820000-0x00007FF771B74000-memory.dmp

Filesize
3.3MB

Download
memory/3132-26-0x00007FF771820000-0x00007FF771B74000-memory.dmp

Filesize
3.3MB

Download
memory/3132-143-0x00007FF771820000-0x00007FF771B74000-memory.dmp

Filesize
3.3MB

Download
memory/3200-142-0x00007FF6DA420000-0x00007FF6DA774000-memory.dmp

Filesize
3.3MB

Download
memory/3200-74-0x00007FF6DA420000-0x00007FF6DA774000-memory.dmp

Filesize
3.3MB

Download
memory/3200-18-0x00007FF6DA420000-0x00007FF6DA774000-memory.dmp

Filesize
3.3MB

Download
memory/3436-141-0x00007FF6B9DD0000-0x00007FF6BA124000-memory.dmp

Filesize
3.3MB

Download
memory/3436-61-0x00007FF6B9DD0000-0x00007FF6BA124000-memory.dmp

Filesize
3.3MB

Download
memory/3436-13-0x00007FF6B9DD0000-0x00007FF6BA124000-memory.dmp

Filesize
3.3MB

Download
memory/3732-136-0x00007FF631BF0000-0x00007FF631F44000-memory.dmp

Filesize
3.3MB

Download
memory/3732-85-0x00007FF631BF0000-0x00007FF631F44000-memory.dmp

Filesize
3.3MB

Download
memory/3732-151-0x00007FF631BF0000-0x00007FF631F44000-memory.dmp

Filesize
3.3MB

Download
memory/4020-38-0x00007FF70FA50000-0x00007FF70FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/4020-144-0x00007FF70FA50000-0x00007FF70FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/4036-119-0x00007FF730790000-0x00007FF730AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4036-152-0x00007FF730790000-0x00007FF730AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4044-123-0x00007FF682030000-0x00007FF682384000-memory.dmp

Filesize
3.3MB

Download
memory/4044-154-0x00007FF682030000-0x00007FF682384000-memory.dmp

Filesize
3.3MB

Download
memory/4116-158-0x00007FF730340000-0x00007FF730694000-memory.dmp

Filesize
3.3MB

Download
memory/4116-125-0x00007FF730340000-0x00007FF730694000-memory.dmp

Filesize
3.3MB

Download
memory/4452-46-0x00007FF735940000-0x00007FF735C94000-memory.dmp

Filesize
3.3MB

Download
memory/4452-146-0x00007FF735940000-0x00007FF735C94000-memory.dmp

Filesize
3.3MB

Download
memory/4780-131-0x00007FF7006D0000-0x00007FF700A24000-memory.dmp

Filesize
3.3MB

Download
memory/4780-159-0x00007FF7006D0000-0x00007FF700A24000-memory.dmp

Filesize
3.3MB

Download
memory/4816-139-0x00007FF65CC30000-0x00007FF65CF84000-memory.dmp

Filesize
3.3MB

Download
memory/4816-160-0x00007FF65CC30000-0x00007FF65CF84000-memory.dmp

Filesize
3.3MB

Download
memory/4816-128-0x00007FF65CC30000-0x00007FF65CF84000-memory.dmp

Filesize
3.3MB

Download
memory/4936-124-0x00007FF790810000-0x00007FF790B64000-memory.dmp

Filesize
3.3MB

Download
memory/4936-155-0x00007FF790810000-0x00007FF790B64000-memory.dmp

Filesize
3.3MB

Download
memory/5072-48-0x00007FF68D9C0000-0x00007FF68DD14000-memory.dmp

Filesize
3.3MB

Download
memory/5072-145-0x00007FF68D9C0000-0x00007FF68DD14000-memory.dmp

Filesize
3.3MB

Download
memory/5072-133-0x00007FF68D9C0000-0x00007FF68DD14000-memory.dmp

Filesize
3.3MB

Download
memory/5084-72-0x00007FF782A70000-0x00007FF782DC4000-memory.dmp

Filesize
3.3MB

Download
memory/5084-135-0x00007FF782A70000-0x00007FF782DC4000-memory.dmp

Filesize
3.3MB

Download
memory/5084-149-0x00007FF782A70000-0x00007FF782DC4000-memory.dmp

Filesize
3.3MB

Download