cobaltstrike | 29bb664e6edb753aefbbd9a14d767774368c8be506de4808b684b85c197c2ce0

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

78f7d3019001c5f51b25c2d5fbc7ff29
SHA1

9fb84506c8d72bd520be2e62fa5505e517c9b7df
SHA256

29bb664e6edb753aefbbd9a14d767774368c8be506de4808b684b85c197c2ce0
SHA512

86dcd240cdc813bfec2fccaac9fdeba14f5c7bbe22d769befd7e53e01f1f8c2b7ec9f1fac441ec8d14f6dba1e346842a515405462e4eabcddd28adb860677f53
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lF:RWWBibf56utgpPFotBER/mQ32lUR

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023ae7-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b4e-10.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b4a-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b4f-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b50-28.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b51-34.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b52-41.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b4b-48.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b54-54.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b55-58.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b56-63.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b57-77.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b58-89.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b5a-97.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b59-91.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b5b-103.dat	cobalt_reflective_dll
behavioral2/files/0x004a0000000234ab-109.dat	cobalt_reflective_dll
behavioral2/files/0x001a00000002397e-115.dat	cobalt_reflective_dll
behavioral2/files/0x0018000000023985-121.dat	cobalt_reflective_dll
behavioral2/files/0x0016000000023989-127.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b5d-136.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4536-14-0x00007FF7059B0000-0x00007FF705D01000-memory.dmp	xmrig
behavioral2/memory/3100-69-0x00007FF6D17C0000-0x00007FF6D1B11000-memory.dmp	xmrig
behavioral2/memory/1000-70-0x00007FF637820000-0x00007FF637B71000-memory.dmp	xmrig
behavioral2/memory/4316-96-0x00007FF6660A0000-0x00007FF6663F1000-memory.dmp	xmrig
behavioral2/memory/2132-93-0x00007FF7A5980000-0x00007FF7A5CD1000-memory.dmp	xmrig
behavioral2/memory/920-85-0x00007FF7E08F0000-0x00007FF7E0C41000-memory.dmp	xmrig
behavioral2/memory/4536-79-0x00007FF7059B0000-0x00007FF705D01000-memory.dmp	xmrig
behavioral2/memory/1304-65-0x00007FF74F110000-0x00007FF74F461000-memory.dmp	xmrig
behavioral2/memory/1428-59-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp	xmrig
behavioral2/memory/1052-52-0x00007FF6099D0000-0x00007FF609D21000-memory.dmp	xmrig
behavioral2/memory/4824-99-0x00007FF77B4E0000-0x00007FF77B831000-memory.dmp	xmrig
behavioral2/memory/1444-105-0x00007FF7992C0000-0x00007FF799611000-memory.dmp	xmrig
behavioral2/memory/3372-106-0x00007FF752050000-0x00007FF7523A1000-memory.dmp	xmrig
behavioral2/memory/4784-128-0x00007FF7201B0000-0x00007FF720501000-memory.dmp	xmrig
behavioral2/memory/1368-134-0x00007FF7731D0000-0x00007FF773521000-memory.dmp	xmrig
behavioral2/memory/5116-146-0x00007FF656C30000-0x00007FF656F81000-memory.dmp	xmrig
behavioral2/memory/1428-138-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp	xmrig
behavioral2/memory/2228-147-0x00007FF6D7550000-0x00007FF6D78A1000-memory.dmp	xmrig
behavioral2/memory/5072-148-0x00007FF6B78F0000-0x00007FF6B7C41000-memory.dmp	xmrig
behavioral2/memory/3336-158-0x00007FF771520000-0x00007FF771871000-memory.dmp	xmrig
behavioral2/memory/4812-159-0x00007FF72CCA0000-0x00007FF72CFF1000-memory.dmp	xmrig
behavioral2/memory/2040-164-0x00007FF7A05C0000-0x00007FF7A0911000-memory.dmp	xmrig
behavioral2/memory/4724-163-0x00007FF6B4670000-0x00007FF6B49C1000-memory.dmp	xmrig
behavioral2/memory/5080-165-0x00007FF6A68F0000-0x00007FF6A6C41000-memory.dmp	xmrig
behavioral2/memory/1428-166-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp	xmrig
behavioral2/memory/1000-219-0x00007FF637820000-0x00007FF637B71000-memory.dmp	xmrig
behavioral2/memory/4536-221-0x00007FF7059B0000-0x00007FF705D01000-memory.dmp	xmrig
behavioral2/memory/920-223-0x00007FF7E08F0000-0x00007FF7E0C41000-memory.dmp	xmrig
behavioral2/memory/2132-225-0x00007FF7A5980000-0x00007FF7A5CD1000-memory.dmp	xmrig
behavioral2/memory/4316-227-0x00007FF6660A0000-0x00007FF6663F1000-memory.dmp	xmrig
behavioral2/memory/4824-229-0x00007FF77B4E0000-0x00007FF77B831000-memory.dmp	xmrig
behavioral2/memory/1444-232-0x00007FF7992C0000-0x00007FF799611000-memory.dmp	xmrig
behavioral2/memory/1052-242-0x00007FF6099D0000-0x00007FF609D21000-memory.dmp	xmrig
behavioral2/memory/1304-244-0x00007FF74F110000-0x00007FF74F461000-memory.dmp	xmrig
behavioral2/memory/3100-246-0x00007FF6D17C0000-0x00007FF6D1B11000-memory.dmp	xmrig
behavioral2/memory/4784-248-0x00007FF7201B0000-0x00007FF720501000-memory.dmp	xmrig
behavioral2/memory/1368-250-0x00007FF7731D0000-0x00007FF773521000-memory.dmp	xmrig
behavioral2/memory/5116-252-0x00007FF656C30000-0x00007FF656F81000-memory.dmp	xmrig
behavioral2/memory/2228-254-0x00007FF6D7550000-0x00007FF6D78A1000-memory.dmp	xmrig
behavioral2/memory/5072-256-0x00007FF6B78F0000-0x00007FF6B7C41000-memory.dmp	xmrig
behavioral2/memory/3372-263-0x00007FF752050000-0x00007FF7523A1000-memory.dmp	xmrig
behavioral2/memory/3336-265-0x00007FF771520000-0x00007FF771871000-memory.dmp	xmrig
behavioral2/memory/4812-267-0x00007FF72CCA0000-0x00007FF72CFF1000-memory.dmp	xmrig
behavioral2/memory/2040-269-0x00007FF7A05C0000-0x00007FF7A0911000-memory.dmp	xmrig
behavioral2/memory/4724-271-0x00007FF6B4670000-0x00007FF6B49C1000-memory.dmp	xmrig
behavioral2/memory/5080-273-0x00007FF6A68F0000-0x00007FF6A6C41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1000	sRBkGUl.exe
4536	GnBuIcw.exe
920	jFrQizY.exe
2132	DvMukiH.exe
4316	ubeBoIl.exe
4824	piSspAd.exe
1444	NZtLUvG.exe
1052	gPRxsmb.exe
1304	mvTIYfA.exe
3100	gVaHORc.exe
4784	FMGeolR.exe
1368	xKkYfkO.exe
5116	BqSbLyv.exe
2228	QrhOdHT.exe
5072	WnvkBhD.exe
3372	wCyVBsH.exe
3336	vNxdxEz.exe
4812	OdRPplh.exe
2040	dhnWKvX.exe
4724	wJmMiQR.exe
5080	HxHpINJ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1428-0-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp	upx
behavioral2/files/0x000d000000023ae7-5.dat	upx
behavioral2/memory/1000-7-0x00007FF637820000-0x00007FF637B71000-memory.dmp	upx
behavioral2/files/0x000a000000023b4e-10.dat	upx
behavioral2/files/0x000b000000023b4a-12.dat	upx
behavioral2/memory/4536-14-0x00007FF7059B0000-0x00007FF705D01000-memory.dmp	upx
behavioral2/memory/2132-24-0x00007FF7A5980000-0x00007FF7A5CD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b4f-23.dat	upx
behavioral2/memory/920-18-0x00007FF7E08F0000-0x00007FF7E0C41000-memory.dmp	upx
behavioral2/files/0x000a000000023b50-28.dat	upx
behavioral2/memory/4316-30-0x00007FF6660A0000-0x00007FF6663F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b51-34.dat	upx
behavioral2/memory/4824-35-0x00007FF77B4E0000-0x00007FF77B831000-memory.dmp	upx
behavioral2/files/0x000a000000023b52-41.dat	upx
behavioral2/memory/1444-43-0x00007FF7992C0000-0x00007FF799611000-memory.dmp	upx
behavioral2/files/0x000b000000023b4b-48.dat	upx
behavioral2/files/0x000a000000023b54-54.dat	upx
behavioral2/files/0x000a000000023b55-58.dat	upx
behavioral2/files/0x000a000000023b56-63.dat	upx
behavioral2/memory/3100-69-0x00007FF6D17C0000-0x00007FF6D1B11000-memory.dmp	upx
behavioral2/memory/1000-70-0x00007FF637820000-0x00007FF637B71000-memory.dmp	upx
behavioral2/files/0x000a000000023b57-77.dat	upx
behavioral2/memory/5116-80-0x00007FF656C30000-0x00007FF656F81000-memory.dmp	upx
behavioral2/files/0x000a000000023b58-89.dat	upx
behavioral2/memory/5072-94-0x00007FF6B78F0000-0x00007FF6B7C41000-memory.dmp	upx
behavioral2/files/0x000a000000023b5a-97.dat	upx
behavioral2/memory/4316-96-0x00007FF6660A0000-0x00007FF6663F1000-memory.dmp	upx
behavioral2/memory/2132-93-0x00007FF7A5980000-0x00007FF7A5CD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b59-91.dat	upx
behavioral2/memory/2228-88-0x00007FF6D7550000-0x00007FF6D78A1000-memory.dmp	upx
behavioral2/memory/920-85-0x00007FF7E08F0000-0x00007FF7E0C41000-memory.dmp	upx
behavioral2/memory/4536-79-0x00007FF7059B0000-0x00007FF705D01000-memory.dmp	upx
behavioral2/memory/1368-76-0x00007FF7731D0000-0x00007FF773521000-memory.dmp	upx
behavioral2/memory/4784-75-0x00007FF7201B0000-0x00007FF720501000-memory.dmp	upx
behavioral2/memory/1304-65-0x00007FF74F110000-0x00007FF74F461000-memory.dmp	upx
behavioral2/memory/1428-59-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp	upx
behavioral2/memory/1052-52-0x00007FF6099D0000-0x00007FF609D21000-memory.dmp	upx
behavioral2/memory/4824-99-0x00007FF77B4E0000-0x00007FF77B831000-memory.dmp	upx
behavioral2/files/0x000a000000023b5b-103.dat	upx
behavioral2/memory/1444-105-0x00007FF7992C0000-0x00007FF799611000-memory.dmp	upx
behavioral2/files/0x004a0000000234ab-109.dat	upx
behavioral2/memory/3372-106-0x00007FF752050000-0x00007FF7523A1000-memory.dmp	upx
behavioral2/memory/3336-110-0x00007FF771520000-0x00007FF771871000-memory.dmp	upx
behavioral2/files/0x001a00000002397e-115.dat	upx
behavioral2/files/0x0018000000023985-121.dat	upx
behavioral2/memory/2040-122-0x00007FF7A05C0000-0x00007FF7A0911000-memory.dmp	upx
behavioral2/files/0x0016000000023989-127.dat	upx
behavioral2/memory/4784-128-0x00007FF7201B0000-0x00007FF720501000-memory.dmp	upx
behavioral2/memory/4724-131-0x00007FF6B4670000-0x00007FF6B49C1000-memory.dmp	upx
behavioral2/memory/1368-134-0x00007FF7731D0000-0x00007FF773521000-memory.dmp	upx
behavioral2/files/0x000a000000023b5d-136.dat	upx
behavioral2/memory/5080-135-0x00007FF6A68F0000-0x00007FF6A6C41000-memory.dmp	upx
behavioral2/memory/4812-116-0x00007FF72CCA0000-0x00007FF72CFF1000-memory.dmp	upx
behavioral2/memory/5116-146-0x00007FF656C30000-0x00007FF656F81000-memory.dmp	upx
behavioral2/memory/1428-138-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp	upx
behavioral2/memory/2228-147-0x00007FF6D7550000-0x00007FF6D78A1000-memory.dmp	upx
behavioral2/memory/5072-148-0x00007FF6B78F0000-0x00007FF6B7C41000-memory.dmp	upx
behavioral2/memory/3336-158-0x00007FF771520000-0x00007FF771871000-memory.dmp	upx
behavioral2/memory/4812-159-0x00007FF72CCA0000-0x00007FF72CFF1000-memory.dmp	upx
behavioral2/memory/2040-164-0x00007FF7A05C0000-0x00007FF7A0911000-memory.dmp	upx
behavioral2/memory/4724-163-0x00007FF6B4670000-0x00007FF6B49C1000-memory.dmp	upx
behavioral2/memory/5080-165-0x00007FF6A68F0000-0x00007FF6A6C41000-memory.dmp	upx
behavioral2/memory/1428-166-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp	upx
behavioral2/memory/1000-219-0x00007FF637820000-0x00007FF637B71000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\NZtLUvG.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BqSbLyv.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OdRPplh.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dhnWKvX.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wJmMiQR.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GnBuIcw.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\piSspAd.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FMGeolR.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mvTIYfA.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xKkYfkO.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WnvkBhD.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vNxdxEz.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sRBkGUl.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DvMukiH.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gPRxsmb.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gVaHORc.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QrhOdHT.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wCyVBsH.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HxHpINJ.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jFrQizY.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ubeBoIl.exe	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1000	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1428 wrote to memory of 1000	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1428 wrote to memory of 4536	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1428 wrote to memory of 4536	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1428 wrote to memory of 920	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1428 wrote to memory of 920	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1428 wrote to memory of 2132	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1428 wrote to memory of 2132	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1428 wrote to memory of 4316	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1428 wrote to memory of 4316	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1428 wrote to memory of 4824	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1428 wrote to memory of 4824	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1428 wrote to memory of 1444	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1428 wrote to memory of 1444	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1428 wrote to memory of 1052	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1428 wrote to memory of 1052	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1428 wrote to memory of 1304	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1428 wrote to memory of 1304	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1428 wrote to memory of 3100	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1428 wrote to memory of 3100	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1428 wrote to memory of 4784	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1428 wrote to memory of 4784	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1428 wrote to memory of 1368	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1428 wrote to memory of 1368	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1428 wrote to memory of 5116	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1428 wrote to memory of 5116	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1428 wrote to memory of 2228	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1428 wrote to memory of 2228	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1428 wrote to memory of 5072	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1428 wrote to memory of 5072	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1428 wrote to memory of 3372	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1428 wrote to memory of 3372	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1428 wrote to memory of 3336	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1428 wrote to memory of 3336	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1428 wrote to memory of 4812	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1428 wrote to memory of 4812	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1428 wrote to memory of 2040	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1428 wrote to memory of 2040	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1428 wrote to memory of 4724	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1428 wrote to memory of 4724	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1428 wrote to memory of 5080	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1428 wrote to memory of 5080	1428	2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_78f7d3019001c5f51b25c2d5fbc7ff29_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\System\sRBkGUl.exe
  C:\Windows\System\sRBkGUl.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System\GnBuIcw.exe
  C:\Windows\System\GnBuIcw.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\jFrQizY.exe
  C:\Windows\System\jFrQizY.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System\DvMukiH.exe
  C:\Windows\System\DvMukiH.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\ubeBoIl.exe
  C:\Windows\System\ubeBoIl.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System\piSspAd.exe
  C:\Windows\System\piSspAd.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System\NZtLUvG.exe
  C:\Windows\System\NZtLUvG.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\gPRxsmb.exe
  C:\Windows\System\gPRxsmb.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\mvTIYfA.exe
  C:\Windows\System\mvTIYfA.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\System\gVaHORc.exe
  C:\Windows\System\gVaHORc.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System\FMGeolR.exe
  C:\Windows\System\FMGeolR.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\xKkYfkO.exe
  C:\Windows\System\xKkYfkO.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\BqSbLyv.exe
  C:\Windows\System\BqSbLyv.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\QrhOdHT.exe
  C:\Windows\System\QrhOdHT.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\WnvkBhD.exe
  C:\Windows\System\WnvkBhD.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\wCyVBsH.exe
  C:\Windows\System\wCyVBsH.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System\vNxdxEz.exe
  C:\Windows\System\vNxdxEz.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System\OdRPplh.exe
  C:\Windows\System\OdRPplh.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\dhnWKvX.exe
  C:\Windows\System\dhnWKvX.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System\wJmMiQR.exe
  C:\Windows\System\wJmMiQR.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\HxHpINJ.exe
  C:\Windows\System\HxHpINJ.exe
  2⤵
  - Executes dropped EXE
  PID:5080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BqSbLyv.exe

Filesize
5.2MB

MD5
f66488a896dd405b508a9aafc8066b6e

SHA1
156489a50010a85c44098e2c6571f6c7df902f64

SHA256
7ee56d450a54c191fba1fcc6bd68668e128da27ca0ad04947d6686fde5addb00

SHA512
96a47fedfab8a964bdc9bfeea99d6a58023dbc02291a8597513abd6a6a2416a5c7b023bd6cfa1be7405ca62cc84232d7604823fa36c50a22d2cd9367ad980030

Download Submit
C:\Windows\System\DvMukiH.exe

Filesize
5.2MB

MD5
2e1580dd00a2f2404611b55b72365461

SHA1
7511c3f57895416b0674655ab1a4a3eb7a6cb985

SHA256
4686427640edcf82a6a0c1f761650e74b425bbeee9af39e88fef605bc659d7ae

SHA512
22cd6aa137c7489fa76587aba963c00bd47d905eac55a24f698d4b43ddea33d94c996dbcc1251fe3c539ffa732f9acc51d66bac9b71112b3c4f10512d983587b

Download Submit
C:\Windows\System\FMGeolR.exe

Filesize
5.2MB

MD5
4db61156898b38aa2d8e3b5900ae91f4

SHA1
0cdae3c08494ddd383a80fa533f76761889e64e5

SHA256
042c3f9b0417f8c12d933c30e138152b8a3534e366f9e624b05f0a9e7561197b

SHA512
a48c3d9e2aa4fa4cbfd412a01bc2cb07488bfc27d3816fa07a4322eb2412bf1e2048ce3fdc7c9eacb24470aca9bf82e32b89a08e10fe68be6f7d52b34fbdd9d1

Download Submit
C:\Windows\System\GnBuIcw.exe

Filesize
5.2MB

MD5
b5c32b9592874b7212bef1540dbca923

SHA1
60b1a79cc749fc6a4a22989fbc915683192fe750

SHA256
5b5bc46be9cd6c6f9a7602820f2d3587311b8ba31604c6f617ee57309c3f5f09

SHA512
74ffa4ab2a804d9e0c92628e82442ea2d8b422daf7bb79b658f7b3c8e769000988af45eb0ff722bc763f73a74002f93efa86c75abe69109f18c145f2c831e871

Download Submit
C:\Windows\System\HxHpINJ.exe

Filesize
5.2MB

MD5
545d69f30ab3db14823be38b7c6826c8

SHA1
882d383bac78172f7a59ac7c72164690da8f20d9

SHA256
f56f3ef0d95c91fbf1b0831bc93e414a52588dd0de5362a83396ad97ebe4a6ac

SHA512
04fce2e81a917f4e72a16570f20926f78b4100ad32feb9c3152302e366dc3ecc8c42e61d1ee43e3eb048f9e44626e4db813eba403b3ac6e91da0c6957dc8ae93

Download Submit
C:\Windows\System\NZtLUvG.exe

Filesize
5.2MB

MD5
3c018796cb1a379a27f2af6edb0bbabc

SHA1
1d287106677dcef793a768e193b51766b9232b54

SHA256
3a50344a11ad189b16bc4d40cba55acac0e8846d23579133ce9dce6eccb1d733

SHA512
97baab3e43fd0afdf7c52626399e4d4c99aed4b1d831e58c70a18ad38781b3e380873ef3e935459fb6dff4ada156d76c284badf53ae25f506010ae60b7a16deb

Download Submit
C:\Windows\System\OdRPplh.exe

Filesize
5.2MB

MD5
c5f00a56c8ff50da1266cab268da62df

SHA1
81a5912f437a728c33eea23ba4f1718fbfbf3baa

SHA256
e6f08fafce07c65af6c21598e7c4c4f0d219a23d698a54bf6753eb291760490f

SHA512
9a1b1004477e37395111032de672c5c2bfb79c01894f0f6458614289638c97aef518bcb4b4cf611fa80908c82a6d00cdbac941e1a3a1b6072f596768a89626fb

Download Submit
C:\Windows\System\QrhOdHT.exe

Filesize
5.2MB

MD5
94bf9dad5a2cc597c86844ae80d77d1e

SHA1
513e8921f57451f96c4ef2879a061894f3956d2d

SHA256
e8ed069cec7aaf44a90d57789c10970d5d31a7677dc2520558eb034c76c807f8

SHA512
58780e1c651180adc638e0b237af5be3f18ff37e9522bad7e397f5f58d878a6386073cbbb390b91ba523e73be6d05b954fdd20082f3f57ff91cdf13554dd8c8b

Download Submit
C:\Windows\System\WnvkBhD.exe

Filesize
5.2MB

MD5
1c6446bab30631cdba41acbc71431769

SHA1
613faae991f3e608866e4ca3acd824c96e8603a0

SHA256
b999b27420b68624085387ece8a315859ce8651376217025b89c9cde0cbc2b3f

SHA512
65ff6240feffa3d5c01aa3dccf9c49ff405961c322350db210f1fd7138d9492d03f5fed7a9cea941e28226ca33dd9dadcdd9766506eb7d13a5051a70b3f11b0a

Download Submit
C:\Windows\System\dhnWKvX.exe

Filesize
5.2MB

MD5
4d6d9620618f1f3a16b0fdaaa3413040

SHA1
9473ed2de8995bc26289e41dd8e5358cec6897c9

SHA256
fc8240846614b5b8996c7fd8f4ecf73c32c2ca5b0a20f30ac245edc560b0e519

SHA512
cf043087b032274bc5d4881e8fdcf487519dbb4513c8203d26b9f57478ca591063ff189c39cdb06d0144a265fab2bf153b926e9230ecf758d7eb5450a4bdb415

Download Submit
C:\Windows\System\gPRxsmb.exe

Filesize
5.2MB

MD5
5fc482545b97d912e77278fc05ae8e04

SHA1
095a0a30c81285d01596e225639835e57e638265

SHA256
9c635751a5e93b233e7b93f32e9f4cecc5221b7ba57032de750f16e685e63ac7

SHA512
96b2c855aee55c7b063ba0c53227f13b45735dadfb617b5fe847fcc4300f44e0c0300df630661a340251031e1749232c0eb6d9874b86617e84ec7811ff9a4d57

Download Submit
C:\Windows\System\gVaHORc.exe

Filesize
5.2MB

MD5
f4ee5378ce734a199dbbd85885a17581

SHA1
cf5ba0ef06896ca0f2dea62a3ac00e322eac5575

SHA256
cce25895bf4b6d1e776c525c3477bb66a2f7428121bd8162f2e96928cefa248c

SHA512
caa1483cfe85768b60433854138c6067c7a81d29b62ef9075e6ad468348d8a1ef95a89415c2f9c9364ebcad90de3d390723163bdaf33a16f2805ba961d4664c9

Download Submit
C:\Windows\System\jFrQizY.exe

Filesize
5.2MB

MD5
34e54745f4b850ce0d1a7b638c50aec6

SHA1
555a6dd301dfd8ce8e2260aa5b9edae29cafb5bb

SHA256
853a51bedb8fc3373da4c2ef554249f8c1f193115e99d0925dba9e564cd5520f

SHA512
ec8bcdd13ceb7b3fe8d74176d765f43229d269372e1bff8d19a3785baf15bbbc4bc565365376bfc1ae85e8f391c724b81b87205285790a853ff9146f8f7a3895

Download Submit
C:\Windows\System\mvTIYfA.exe

Filesize
5.2MB

MD5
a377b0a502275ae42a66ffd1babfa964

SHA1
63fe7fca0ff837c9a770fc4721294429e46a4948

SHA256
9f518d60019222e2caa867c3966483ca1a23bf03b175fac4206d4ac1826fc239

SHA512
ba0ab433a7932903baeb577255deb64e128c0351665dab1b8e311004205be23b7c8ea8e3020fde86b81d14b706084f7f2b808992e25337780f2c4822a43f6031

Download Submit
C:\Windows\System\piSspAd.exe

Filesize
5.2MB

MD5
62293bb3c5f3c2d9aeeb77e3f6bf6816

SHA1
eef97987cc655aac9256ed6fff92baf482b4dd78

SHA256
5219e923ce8cb325bc19ed0e382ae7f22a0d789091b0d63100fd3e077739a6c4

SHA512
5ff379925392eec9017a5620a6ddff2bc0348d07bfaf4f7660bcf63ac6922b9514567d90f0b7f4a4dc00adce7cdd8573f0bd580bccd893199b7cc8848a3d6fa7

Download Submit
C:\Windows\System\sRBkGUl.exe

Filesize
5.2MB

MD5
c1c03ff74bb0e06be12166b012296b41

SHA1
8a4eb2a327a5c43310aa2d90912334231e38e447

SHA256
7de67e7efb03c92c07400f8ff9cfddce713a7cf3dd43d44e7f9363afb7f9bf73

SHA512
0cd6bdc0866b0289da30877efb0b88a321bd535b48905e4193af7f2d2048e99c07f5bf957986976dec42dd31d19799ca5574a2b2ef202c69dd98000c127932c5

Download Submit
C:\Windows\System\ubeBoIl.exe

Filesize
5.2MB

MD5
23f6976ec07dd90dea46d8c3072f484d

SHA1
d1899bb136c7e8cd8d6f6f3a67f7969a8a7443cc

SHA256
128765936bb0185a86bb63673f1e148c33f49f8aaae79cdd6ff31b0c1ff41232

SHA512
d1514fa871f7cac2b8bf1466320aeca3b5810229d34c8025d6e6827dca80048ea219b79e4868a04c082a432857de259f967989ca3f26833f33141dc68ca5d4b3

Download Submit
C:\Windows\System\vNxdxEz.exe

Filesize
5.2MB

MD5
4cbe0417f6e3d05fd19b1e8d161ac028

SHA1
0e41a6807dab305bbe6632ac8a8af10c3885079d

SHA256
21bbecd9f7e232c5ad4de6dfc6e6432c1e9f5a2e4f5e628029dfcc5b2ef4af07

SHA512
64ce48c4b3fa09ef16a9d947c040a82381589ad8e18efd7553d6f1806f7d14f622dab65d34f5b193e5b4a673f75bc09195056b6919affb3e36487b307764d909

Download Submit
C:\Windows\System\wCyVBsH.exe

Filesize
5.2MB

MD5
7eca72991b2d01bf384a7a6dedbbe6e3

SHA1
e2c6d681028eaa526a668973dc294c669341d532

SHA256
8791afca9a8f2849b796fc0a6dfa7760b6a27922415ec267a37960812a0a8c1f

SHA512
b691b251576b8cc0bd5fcca0fa4dbd5acce0b66fd514ea0fd2c27906dcf67e59f542e8477ce5b2ad461107655dfae721e33a58bec8391a44795b273248c46933

Download Submit
C:\Windows\System\wJmMiQR.exe

Filesize
5.2MB

MD5
1784467e05ad7bd2ab5631f70d96d6d6

SHA1
1e68266e53d89a307bfe000f27c76e00c096b842

SHA256
1efb8288f59000008aa8fffd4cfd729a765f251def374f6e6a199bac889bf190

SHA512
19236632973475c1c1af44c9da7380922ea600f16a3f9b778b315ac61872f9010e53a4ebff757513b30422c825456497a6f66f864455f60a194b0679d47003e1

Download Submit
C:\Windows\System\xKkYfkO.exe

Filesize
5.2MB

MD5
b16c5ee96e0000e48d22f4201d02bbba

SHA1
33c3375ae9382fb4603c8cc9f17052b272405773

SHA256
95f07e1f03af2228f0559424c180b63987b7aee7bde26534e0445c0798a414a2

SHA512
925204caae5e906bdb88cf428c4d959000221388f1a07de039ed8679ea1600f866db74f3b12268d8cc271e5c353d045fd14427656c41748354ab7f046cd68413

Download Submit
memory/920-18-0x00007FF7E08F0000-0x00007FF7E0C41000-memory.dmp

Filesize
3.3MB

Download
memory/920-85-0x00007FF7E08F0000-0x00007FF7E0C41000-memory.dmp

Filesize
3.3MB

Download
memory/920-223-0x00007FF7E08F0000-0x00007FF7E0C41000-memory.dmp

Filesize
3.3MB

Download
memory/1000-70-0x00007FF637820000-0x00007FF637B71000-memory.dmp

Filesize
3.3MB

Download
memory/1000-219-0x00007FF637820000-0x00007FF637B71000-memory.dmp

Filesize
3.3MB

Download
memory/1000-7-0x00007FF637820000-0x00007FF637B71000-memory.dmp

Filesize
3.3MB

Download
memory/1052-242-0x00007FF6099D0000-0x00007FF609D21000-memory.dmp

Filesize
3.3MB

Download
memory/1052-52-0x00007FF6099D0000-0x00007FF609D21000-memory.dmp

Filesize
3.3MB

Download
memory/1304-244-0x00007FF74F110000-0x00007FF74F461000-memory.dmp

Filesize
3.3MB

Download
memory/1304-65-0x00007FF74F110000-0x00007FF74F461000-memory.dmp

Filesize
3.3MB

Download
memory/1368-250-0x00007FF7731D0000-0x00007FF773521000-memory.dmp

Filesize
3.3MB

Download
memory/1368-134-0x00007FF7731D0000-0x00007FF773521000-memory.dmp

Filesize
3.3MB

Download
memory/1368-76-0x00007FF7731D0000-0x00007FF773521000-memory.dmp

Filesize
3.3MB

Download
memory/1428-166-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-59-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-138-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-0-0x00007FF664E50000-0x00007FF6651A1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-1-0x000002C659740000-0x000002C659750000-memory.dmp

Filesize
64KB

Download
memory/1444-232-0x00007FF7992C0000-0x00007FF799611000-memory.dmp

Filesize
3.3MB

Download
memory/1444-43-0x00007FF7992C0000-0x00007FF799611000-memory.dmp

Filesize
3.3MB

Download
memory/1444-105-0x00007FF7992C0000-0x00007FF799611000-memory.dmp

Filesize
3.3MB

Download
memory/2040-269-0x00007FF7A05C0000-0x00007FF7A0911000-memory.dmp

Filesize
3.3MB

Download
memory/2040-164-0x00007FF7A05C0000-0x00007FF7A0911000-memory.dmp

Filesize
3.3MB

Download
memory/2040-122-0x00007FF7A05C0000-0x00007FF7A0911000-memory.dmp

Filesize
3.3MB

Download
memory/2132-93-0x00007FF7A5980000-0x00007FF7A5CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-24-0x00007FF7A5980000-0x00007FF7A5CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-225-0x00007FF7A5980000-0x00007FF7A5CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-88-0x00007FF6D7550000-0x00007FF6D78A1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-254-0x00007FF6D7550000-0x00007FF6D78A1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-147-0x00007FF6D7550000-0x00007FF6D78A1000-memory.dmp

Filesize
3.3MB

Download
memory/3100-246-0x00007FF6D17C0000-0x00007FF6D1B11000-memory.dmp

Filesize
3.3MB

Download
memory/3100-69-0x00007FF6D17C0000-0x00007FF6D1B11000-memory.dmp

Filesize
3.3MB

Download
memory/3336-158-0x00007FF771520000-0x00007FF771871000-memory.dmp

Filesize
3.3MB

Download
memory/3336-110-0x00007FF771520000-0x00007FF771871000-memory.dmp

Filesize
3.3MB

Download
memory/3336-265-0x00007FF771520000-0x00007FF771871000-memory.dmp

Filesize
3.3MB

Download
memory/3372-263-0x00007FF752050000-0x00007FF7523A1000-memory.dmp

Filesize
3.3MB

Download
memory/3372-106-0x00007FF752050000-0x00007FF7523A1000-memory.dmp

Filesize
3.3MB

Download
memory/4316-227-0x00007FF6660A0000-0x00007FF6663F1000-memory.dmp

Filesize
3.3MB

Download
memory/4316-30-0x00007FF6660A0000-0x00007FF6663F1000-memory.dmp

Filesize
3.3MB

Download
memory/4316-96-0x00007FF6660A0000-0x00007FF6663F1000-memory.dmp

Filesize
3.3MB

Download
memory/4536-221-0x00007FF7059B0000-0x00007FF705D01000-memory.dmp

Filesize
3.3MB

Download
memory/4536-14-0x00007FF7059B0000-0x00007FF705D01000-memory.dmp

Filesize
3.3MB

Download
memory/4536-79-0x00007FF7059B0000-0x00007FF705D01000-memory.dmp

Filesize
3.3MB

Download
memory/4724-131-0x00007FF6B4670000-0x00007FF6B49C1000-memory.dmp

Filesize
3.3MB

Download
memory/4724-163-0x00007FF6B4670000-0x00007FF6B49C1000-memory.dmp

Filesize
3.3MB

Download
memory/4724-271-0x00007FF6B4670000-0x00007FF6B49C1000-memory.dmp

Filesize
3.3MB

Download
memory/4784-248-0x00007FF7201B0000-0x00007FF720501000-memory.dmp

Filesize
3.3MB

Download
memory/4784-128-0x00007FF7201B0000-0x00007FF720501000-memory.dmp

Filesize
3.3MB

Download
memory/4784-75-0x00007FF7201B0000-0x00007FF720501000-memory.dmp

Filesize
3.3MB

Download
memory/4812-159-0x00007FF72CCA0000-0x00007FF72CFF1000-memory.dmp

Filesize
3.3MB

Download
memory/4812-267-0x00007FF72CCA0000-0x00007FF72CFF1000-memory.dmp

Filesize
3.3MB

Download
memory/4812-116-0x00007FF72CCA0000-0x00007FF72CFF1000-memory.dmp

Filesize
3.3MB

Download
memory/4824-99-0x00007FF77B4E0000-0x00007FF77B831000-memory.dmp

Filesize
3.3MB

Download
memory/4824-229-0x00007FF77B4E0000-0x00007FF77B831000-memory.dmp

Filesize
3.3MB

Download
memory/4824-35-0x00007FF77B4E0000-0x00007FF77B831000-memory.dmp

Filesize
3.3MB

Download
memory/5072-148-0x00007FF6B78F0000-0x00007FF6B7C41000-memory.dmp

Filesize
3.3MB

Download
memory/5072-256-0x00007FF6B78F0000-0x00007FF6B7C41000-memory.dmp

Filesize
3.3MB

Download
memory/5072-94-0x00007FF6B78F0000-0x00007FF6B7C41000-memory.dmp

Filesize
3.3MB

Download
memory/5080-273-0x00007FF6A68F0000-0x00007FF6A6C41000-memory.dmp

Filesize
3.3MB

Download
memory/5080-165-0x00007FF6A68F0000-0x00007FF6A6C41000-memory.dmp

Filesize
3.3MB

Download
memory/5080-135-0x00007FF6A68F0000-0x00007FF6A6C41000-memory.dmp

Filesize
3.3MB

Download
memory/5116-252-0x00007FF656C30000-0x00007FF656F81000-memory.dmp

Filesize
3.3MB

Download
memory/5116-146-0x00007FF656C30000-0x00007FF656F81000-memory.dmp

Filesize
3.3MB

Download
memory/5116-80-0x00007FF656C30000-0x00007FF656F81000-memory.dmp

Filesize
3.3MB

Download