cobaltstrike | 39e0db56bf46a0bed1a9bd8b46380e381f3481abe6e4688ffd5867fc0787c93e

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4d12b892da437565632f3568d7ac510f
SHA1

a788b7866e73ed0def7776464facf0310be9523e
SHA256

39e0db56bf46a0bed1a9bd8b46380e381f3481abe6e4688ffd5867fc0787c93e
SHA512

4021afac51c7a0611f2a6230b625d993d745f9f8403e030991caf146bf3c575e9cbb0a6a4e6fff007e14baf1dce1f85f442ce33198a09c544e668da4aad5a48d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lh:RWWBibf56utgpPFotBER/mQ32lU9

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x0009000000023cc3-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc8-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc9-18.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cca-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccc-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccb-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cce-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccf-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccd-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd2-69.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023cc5-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd0-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd4-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd3-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd7-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd8-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cda-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdb-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd9-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd5-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd6-94.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3956-31-0x00007FF6074F0000-0x00007FF607841000-memory.dmp	xmrig
behavioral2/memory/4332-68-0x00007FF73F210000-0x00007FF73F561000-memory.dmp	xmrig
behavioral2/memory/5032-73-0x00007FF7F5AB0000-0x00007FF7F5E01000-memory.dmp	xmrig
behavioral2/memory/2352-80-0x00007FF761800000-0x00007FF761B51000-memory.dmp	xmrig
behavioral2/memory/3928-98-0x00007FF793FD0000-0x00007FF794321000-memory.dmp	xmrig
behavioral2/memory/4468-91-0x00007FF6641D0000-0x00007FF664521000-memory.dmp	xmrig
behavioral2/memory/3392-88-0x00007FF7D24B0000-0x00007FF7D2801000-memory.dmp	xmrig
behavioral2/memory/2156-127-0x00007FF67E280000-0x00007FF67E5D1000-memory.dmp	xmrig
behavioral2/memory/2880-129-0x00007FF6F78A0000-0x00007FF6F7BF1000-memory.dmp	xmrig
behavioral2/memory/4488-131-0x00007FF655BD0000-0x00007FF655F21000-memory.dmp	xmrig
behavioral2/memory/3128-133-0x00007FF7B3590000-0x00007FF7B38E1000-memory.dmp	xmrig
behavioral2/memory/3512-132-0x00007FF751E00000-0x00007FF752151000-memory.dmp	xmrig
behavioral2/memory/4176-130-0x00007FF681050000-0x00007FF6813A1000-memory.dmp	xmrig
behavioral2/memory/3760-128-0x00007FF742D10000-0x00007FF743061000-memory.dmp	xmrig
behavioral2/memory/3688-81-0x00007FF7B69D0000-0x00007FF7B6D21000-memory.dmp	xmrig
behavioral2/memory/860-141-0x00007FF6B4DB0000-0x00007FF6B5101000-memory.dmp	xmrig
behavioral2/memory/4232-143-0x00007FF6AC5F0000-0x00007FF6AC941000-memory.dmp	xmrig
behavioral2/memory/1476-144-0x00007FF61F2C0000-0x00007FF61F611000-memory.dmp	xmrig
behavioral2/memory/4332-134-0x00007FF73F210000-0x00007FF73F561000-memory.dmp	xmrig
behavioral2/memory/3600-151-0x00007FF6C0010000-0x00007FF6C0361000-memory.dmp	xmrig
behavioral2/memory/3556-148-0x00007FF7EDF10000-0x00007FF7EE261000-memory.dmp	xmrig
behavioral2/memory/4948-146-0x00007FF69E3D0000-0x00007FF69E721000-memory.dmp	xmrig
behavioral2/memory/4408-145-0x00007FF7688B0000-0x00007FF768C01000-memory.dmp	xmrig
behavioral2/memory/4332-157-0x00007FF73F210000-0x00007FF73F561000-memory.dmp	xmrig
behavioral2/memory/5032-212-0x00007FF7F5AB0000-0x00007FF7F5E01000-memory.dmp	xmrig
behavioral2/memory/2352-214-0x00007FF761800000-0x00007FF761B51000-memory.dmp	xmrig
behavioral2/memory/3956-216-0x00007FF6074F0000-0x00007FF607841000-memory.dmp	xmrig
behavioral2/memory/3392-218-0x00007FF7D24B0000-0x00007FF7D2801000-memory.dmp	xmrig
behavioral2/memory/3512-222-0x00007FF751E00000-0x00007FF752151000-memory.dmp	xmrig
behavioral2/memory/3928-221-0x00007FF793FD0000-0x00007FF794321000-memory.dmp	xmrig
behavioral2/memory/1476-226-0x00007FF61F2C0000-0x00007FF61F611000-memory.dmp	xmrig
behavioral2/memory/860-225-0x00007FF6B4DB0000-0x00007FF6B5101000-memory.dmp	xmrig
behavioral2/memory/4232-228-0x00007FF6AC5F0000-0x00007FF6AC941000-memory.dmp	xmrig
behavioral2/memory/4408-235-0x00007FF7688B0000-0x00007FF768C01000-memory.dmp	xmrig
behavioral2/memory/3688-237-0x00007FF7B69D0000-0x00007FF7B6D21000-memory.dmp	xmrig
behavioral2/memory/4948-239-0x00007FF69E3D0000-0x00007FF69E721000-memory.dmp	xmrig
behavioral2/memory/4468-248-0x00007FF6641D0000-0x00007FF664521000-memory.dmp	xmrig
behavioral2/memory/3556-250-0x00007FF7EDF10000-0x00007FF7EE261000-memory.dmp	xmrig
behavioral2/memory/3600-252-0x00007FF6C0010000-0x00007FF6C0361000-memory.dmp	xmrig
behavioral2/memory/3128-254-0x00007FF7B3590000-0x00007FF7B38E1000-memory.dmp	xmrig
behavioral2/memory/2156-256-0x00007FF67E280000-0x00007FF67E5D1000-memory.dmp	xmrig
behavioral2/memory/3760-261-0x00007FF742D10000-0x00007FF743061000-memory.dmp	xmrig
behavioral2/memory/4176-264-0x00007FF681050000-0x00007FF6813A1000-memory.dmp	xmrig
behavioral2/memory/4488-263-0x00007FF655BD0000-0x00007FF655F21000-memory.dmp	xmrig
behavioral2/memory/2880-259-0x00007FF6F78A0000-0x00007FF6F7BF1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

zwdkfQH.exeMgmQOsS.exeoxyLqxr.exeucxzTdH.exekgWpxFt.exeMuVOTQa.exeEypGOOi.exeSzgQslt.exeqHfQCMA.exePCQSXjg.exeWVQltgk.exeevxbUFE.exepwbluxk.exeHjDIqmC.exeLqqGaNT.exefMGocAL.exeMrFnxqe.exeXySYBuS.exeRknCBiz.exeBKMGeFx.exeurgbOSd.exe

pid	Process
5032	zwdkfQH.exe
2352	MgmQOsS.exe
3392	oxyLqxr.exe
3956	ucxzTdH.exe
3928	kgWpxFt.exe
3512	MuVOTQa.exe
860	EypGOOi.exe
1476	SzgQslt.exe
4232	qHfQCMA.exe
4408	PCQSXjg.exe
4948	WVQltgk.exe
3688	evxbUFE.exe
3556	pwbluxk.exe
4468	HjDIqmC.exe
3600	LqqGaNT.exe
3128	fMGocAL.exe
2156	MrFnxqe.exe
3760	XySYBuS.exe
2880	RknCBiz.exe
4176	BKMGeFx.exe
4488	urgbOSd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4332-0-0x00007FF73F210000-0x00007FF73F561000-memory.dmp	upx
behavioral2/files/0x0009000000023cc3-4.dat	upx
behavioral2/memory/5032-8-0x00007FF7F5AB0000-0x00007FF7F5E01000-memory.dmp	upx
behavioral2/files/0x0007000000023cc8-11.dat	upx
behavioral2/files/0x0007000000023cc9-18.dat	upx
behavioral2/memory/2352-19-0x00007FF761800000-0x00007FF761B51000-memory.dmp	upx
behavioral2/files/0x0007000000023cca-26.dat	upx
behavioral2/files/0x0007000000023ccc-32.dat	upx
behavioral2/files/0x0007000000023ccb-33.dat	upx
behavioral2/files/0x0007000000023cce-43.dat	upx
behavioral2/memory/860-49-0x00007FF6B4DB0000-0x00007FF6B5101000-memory.dmp	upx
behavioral2/memory/4232-51-0x00007FF6AC5F0000-0x00007FF6AC941000-memory.dmp	upx
behavioral2/files/0x0007000000023ccf-54.dat	upx
behavioral2/files/0x0007000000023ccd-46.dat	upx
behavioral2/memory/1476-45-0x00007FF61F2C0000-0x00007FF61F611000-memory.dmp	upx
behavioral2/memory/3512-44-0x00007FF751E00000-0x00007FF752151000-memory.dmp	upx
behavioral2/memory/3928-37-0x00007FF793FD0000-0x00007FF794321000-memory.dmp	upx
behavioral2/memory/3956-31-0x00007FF6074F0000-0x00007FF607841000-memory.dmp	upx
behavioral2/memory/3392-25-0x00007FF7D24B0000-0x00007FF7D2801000-memory.dmp	upx
behavioral2/files/0x0007000000023cd2-69.dat	upx
behavioral2/memory/4332-68-0x00007FF73F210000-0x00007FF73F561000-memory.dmp	upx
behavioral2/files/0x0009000000023cc5-70.dat	upx
behavioral2/memory/4408-64-0x00007FF7688B0000-0x00007FF768C01000-memory.dmp	upx
behavioral2/files/0x0007000000023cd0-60.dat	upx
behavioral2/memory/5032-73-0x00007FF7F5AB0000-0x00007FF7F5E01000-memory.dmp	upx
behavioral2/memory/2352-80-0x00007FF761800000-0x00007FF761B51000-memory.dmp	upx
behavioral2/files/0x0007000000023cd4-82.dat	upx
behavioral2/files/0x0007000000023cd3-87.dat	upx
behavioral2/files/0x0007000000023cd7-99.dat	upx
behavioral2/files/0x0007000000023cd8-103.dat	upx
behavioral2/files/0x0007000000023cda-109.dat	upx
behavioral2/files/0x0007000000023cdb-111.dat	upx
behavioral2/files/0x0007000000023cd9-106.dat	upx
behavioral2/files/0x0007000000023cd5-102.dat	upx
behavioral2/memory/3928-98-0x00007FF793FD0000-0x00007FF794321000-memory.dmp	upx
behavioral2/files/0x0007000000023cd6-94.dat	upx
behavioral2/memory/4468-91-0x00007FF6641D0000-0x00007FF664521000-memory.dmp	upx
behavioral2/memory/3392-88-0x00007FF7D24B0000-0x00007FF7D2801000-memory.dmp	upx
behavioral2/memory/2156-127-0x00007FF67E280000-0x00007FF67E5D1000-memory.dmp	upx
behavioral2/memory/2880-129-0x00007FF6F78A0000-0x00007FF6F7BF1000-memory.dmp	upx
behavioral2/memory/4488-131-0x00007FF655BD0000-0x00007FF655F21000-memory.dmp	upx
behavioral2/memory/3128-133-0x00007FF7B3590000-0x00007FF7B38E1000-memory.dmp	upx
behavioral2/memory/3512-132-0x00007FF751E00000-0x00007FF752151000-memory.dmp	upx
behavioral2/memory/4176-130-0x00007FF681050000-0x00007FF6813A1000-memory.dmp	upx
behavioral2/memory/3760-128-0x00007FF742D10000-0x00007FF743061000-memory.dmp	upx
behavioral2/memory/3600-126-0x00007FF6C0010000-0x00007FF6C0361000-memory.dmp	upx
behavioral2/memory/3556-86-0x00007FF7EDF10000-0x00007FF7EE261000-memory.dmp	upx
behavioral2/memory/3688-81-0x00007FF7B69D0000-0x00007FF7B6D21000-memory.dmp	upx
behavioral2/memory/4948-79-0x00007FF69E3D0000-0x00007FF69E721000-memory.dmp	upx
behavioral2/memory/860-141-0x00007FF6B4DB0000-0x00007FF6B5101000-memory.dmp	upx
behavioral2/memory/4232-143-0x00007FF6AC5F0000-0x00007FF6AC941000-memory.dmp	upx
behavioral2/memory/1476-144-0x00007FF61F2C0000-0x00007FF61F611000-memory.dmp	upx
behavioral2/memory/4332-134-0x00007FF73F210000-0x00007FF73F561000-memory.dmp	upx
behavioral2/memory/3600-151-0x00007FF6C0010000-0x00007FF6C0361000-memory.dmp	upx
behavioral2/memory/3556-148-0x00007FF7EDF10000-0x00007FF7EE261000-memory.dmp	upx
behavioral2/memory/4948-146-0x00007FF69E3D0000-0x00007FF69E721000-memory.dmp	upx
behavioral2/memory/4408-145-0x00007FF7688B0000-0x00007FF768C01000-memory.dmp	upx
behavioral2/memory/4332-157-0x00007FF73F210000-0x00007FF73F561000-memory.dmp	upx
behavioral2/memory/5032-212-0x00007FF7F5AB0000-0x00007FF7F5E01000-memory.dmp	upx
behavioral2/memory/2352-214-0x00007FF761800000-0x00007FF761B51000-memory.dmp	upx
behavioral2/memory/3956-216-0x00007FF6074F0000-0x00007FF607841000-memory.dmp	upx
behavioral2/memory/3392-218-0x00007FF7D24B0000-0x00007FF7D2801000-memory.dmp	upx
behavioral2/memory/3512-222-0x00007FF751E00000-0x00007FF752151000-memory.dmp	upx
behavioral2/memory/3928-221-0x00007FF793FD0000-0x00007FF794321000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\WVQltgk.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fMGocAL.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BKMGeFx.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oxyLqxr.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MuVOTQa.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SzgQslt.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PCQSXjg.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HjDIqmC.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LqqGaNT.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zwdkfQH.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EypGOOi.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qHfQCMA.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pwbluxk.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RknCBiz.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\urgbOSd.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ucxzTdH.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kgWpxFt.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MrFnxqe.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XySYBuS.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MgmQOsS.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\evxbUFE.exe	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 4332 wrote to memory of 5032	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4332 wrote to memory of 5032	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4332 wrote to memory of 2352	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4332 wrote to memory of 2352	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4332 wrote to memory of 3392	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4332 wrote to memory of 3392	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4332 wrote to memory of 3956	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4332 wrote to memory of 3956	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4332 wrote to memory of 3928	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4332 wrote to memory of 3928	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4332 wrote to memory of 3512	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4332 wrote to memory of 3512	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4332 wrote to memory of 860	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4332 wrote to memory of 860	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4332 wrote to memory of 1476	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4332 wrote to memory of 1476	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4332 wrote to memory of 4232	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4332 wrote to memory of 4232	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4332 wrote to memory of 4408	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4332 wrote to memory of 4408	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4332 wrote to memory of 4948	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4332 wrote to memory of 4948	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4332 wrote to memory of 3688	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4332 wrote to memory of 3688	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4332 wrote to memory of 3556	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4332 wrote to memory of 3556	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4332 wrote to memory of 4468	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4332 wrote to memory of 4468	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4332 wrote to memory of 2156	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4332 wrote to memory of 2156	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4332 wrote to memory of 3600	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4332 wrote to memory of 3600	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4332 wrote to memory of 3128	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4332 wrote to memory of 3128	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4332 wrote to memory of 3760	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4332 wrote to memory of 3760	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4332 wrote to memory of 2880	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4332 wrote to memory of 2880	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4332 wrote to memory of 4176	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4332 wrote to memory of 4176	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4332 wrote to memory of 4488	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4332 wrote to memory of 4488	4332	2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-25_4d12b892da437565632f3568d7ac510f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\System\zwdkfQH.exe
  C:\Windows\System\zwdkfQH.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\MgmQOsS.exe
  C:\Windows\System\MgmQOsS.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\oxyLqxr.exe
  C:\Windows\System\oxyLqxr.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System\ucxzTdH.exe
  C:\Windows\System\ucxzTdH.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\kgWpxFt.exe
  C:\Windows\System\kgWpxFt.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\MuVOTQa.exe
  C:\Windows\System\MuVOTQa.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\EypGOOi.exe
  C:\Windows\System\EypGOOi.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\SzgQslt.exe
  C:\Windows\System\SzgQslt.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\qHfQCMA.exe
  C:\Windows\System\qHfQCMA.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System\PCQSXjg.exe
  C:\Windows\System\PCQSXjg.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\WVQltgk.exe
  C:\Windows\System\WVQltgk.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\evxbUFE.exe
  C:\Windows\System\evxbUFE.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\pwbluxk.exe
  C:\Windows\System\pwbluxk.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System\HjDIqmC.exe
  C:\Windows\System\HjDIqmC.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\MrFnxqe.exe
  C:\Windows\System\MrFnxqe.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\LqqGaNT.exe
  C:\Windows\System\LqqGaNT.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System\fMGocAL.exe
  C:\Windows\System\fMGocAL.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\XySYBuS.exe
  C:\Windows\System\XySYBuS.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System\RknCBiz.exe
  C:\Windows\System\RknCBiz.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\BKMGeFx.exe
  C:\Windows\System\BKMGeFx.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\urgbOSd.exe
  C:\Windows\System\urgbOSd.exe
  2⤵
  - Executes dropped EXE
  PID:4488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BKMGeFx.exe

Filesize
5.2MB

MD5
f0c0e67d03a8c03c7cfc55fa1b2cfb1c

SHA1
8b4b37bc17b7869200ecdf7759bb9e42bb7d1e32

SHA256
97f1d3d234af4086febaac90c7c5d2e58d4b770d73666fea77457d295fac1bcf

SHA512
ee53d8627eb1fbb2c383de404045fe4b8d118b9c97f59ead2277a0b2a3749a67dc4219f70de17c2a0abee8bab755eb50e9675abd60342029a0d1e00193d06c69

Download Submit
C:\Windows\System\EypGOOi.exe

Filesize
5.2MB

MD5
cf15bc5d74e8c4b5290a91b3adb7ecda

SHA1
6a1d7fc6a70a718058e56317c2577407b76d7666

SHA256
912a321ed769de7fcf027985f8286c2b914ba2b62e6cfa5931d99e6f7218277f

SHA512
b8d3f92c99abc84d9d76040f1f3dafdc793ae17f71acbdedba7ebd76c38dfc30af5122f94aeca4e01b10f8ed65b551df870cbeb84fe500bbba6615c99fb5c065

Download Submit
C:\Windows\System\HjDIqmC.exe

Filesize
5.2MB

MD5
fe12fb9325950e9d177c55a2050146c0

SHA1
6e5d95d210bbb77e1364c3e486473a4fdd12eb27

SHA256
3e227d11933247f6e6da7cf26e5d25929285cfaa0aa4696bac1935da6ae681e3

SHA512
6bbe675fb47d2d3323dcaae3e3415855c07aaaffd433425e27a3840ad4084701db1af89f8e56b41d2678feeea055b7e666ff127076793fb5e12b742de79624b5

Download Submit
C:\Windows\System\LqqGaNT.exe

Filesize
5.2MB

MD5
3fb448ce70a71b8cdfeeaee121affd48

SHA1
e1e83f3d5cb8ae06187aac5b2d54d9e2d444a8f8

SHA256
e42cc142419d498a066d9b6e82dcb0b932263c642f0b079575f72d0efb23a66e

SHA512
52b2e8e3154f44574ae6c277f58f6c4193d577c4d142e6be9e7629f8a542cd471501eb4f73895536c240ef2d198749689a9c359285e7d5a33fb2cf3ccc61c1a5

Download Submit
C:\Windows\System\MgmQOsS.exe

Filesize
5.2MB

MD5
ad7c95daaf1da4bb3fe3237cb2edbc27

SHA1
014af3191363e630eef985931e9c9b2618dddb97

SHA256
76206d4668e1cb633a89fa5904a1af01cf7330024467a6e24181edfc93f41ea6

SHA512
f1226286411724da5bc96126277e2aaac63bb620fc354a3b51b77852fbbd3d87818b1a6677e17556d8697e79dc5e81676d468e3197175928eb3054c15ca76ee0

Download Submit
C:\Windows\System\MrFnxqe.exe

Filesize
5.2MB

MD5
54608e11997e9a4123dc8d4440c24c7c

SHA1
199e88b0f16af6d79897ee7054b9f9e7068e202f

SHA256
fc98b5f6e71f6a4df16368c8c092ebf1d2e2f8cb6f74f9bafd1356cc3ad23ded

SHA512
9171c67ab862ff901316720b017c920fb8a121301d811e4291db8b23cfaec6ebaf68f20e58bf78bf35ab61678228163328a2034344d9c4c8790047ed78e01e8b

Download Submit
C:\Windows\System\MuVOTQa.exe

Filesize
5.2MB

MD5
b43bb0f38d4bcac2aa68140d50c5feba

SHA1
9fe191c11035a5a7991c43d58522b6df358d26f6

SHA256
9aeb5fd65d4e1f4e1dc2e8eda2f659bb9286bce3efdb20d2f6c7068310cb210f

SHA512
831b1f11db71d8d87a11b1c027cd111258ab8fb97cfced3bb7b68c067ddc4c9b524184988fa06af22f30ce24cbdfb0540279fd3a903b82d9705cebbc831234be

Download Submit
C:\Windows\System\PCQSXjg.exe

Filesize
5.2MB

MD5
98b06a9d9a7c574966bd15450e23e06b

SHA1
7a9a9cb89f2584b3d5b0f38ed0246ffdf9e393ea

SHA256
2a087230aad0e0bd8fdbba00b7f14e8a9f1d22f6e2ad1661a88c7046ddb7baef

SHA512
1811adc60e00ec200006947ead908e1b393e46b742eefcfd204a7d145926645c1dbd9784932ea73cb7c91c44bdc2bf9c5dca8380de24491316d5a24a1c3490a0

Download Submit
C:\Windows\System\RknCBiz.exe

Filesize
5.2MB

MD5
32380a66249a8227d1f359aff0c23b3e

SHA1
3b8bb89d4a979464a56fd1f911f5ad7e3eec0035

SHA256
7405223c08fe7341f6cb8576bd260f031b2689d0a48eea0a54ba70095c99d15d

SHA512
6a186643d6e0d28ef1bb3783fe70377d5a7c190a334268eb3105e6e2af1905ea39d1e4a35045f2211807db9948ad24df66eef0509b452b30b40fd5bbfe62099c

Download Submit
C:\Windows\System\SzgQslt.exe

Filesize
5.2MB

MD5
395f12aa9ce819d6cdaa3cfa091fe0a3

SHA1
43eac30f5ae47230492803636185bd497c806082

SHA256
5dc8ba23c423c384b6244477e0109c0b117d358b9cab85b94c1a1e618748a50f

SHA512
4be093d82b41e346d3875569b5dc10188f8dfd6fa0b85accde90bfdc8fdd7812730201171ba34ee0e5c88e3f7c92ff7ed6c10d3206e5f4a95a12bea5eaa2997b

Download Submit
C:\Windows\System\WVQltgk.exe

Filesize
5.2MB

MD5
c8867484a86c216f7f03a273fa9f8d6b

SHA1
9e1c86347f46f06b9cc5bc3756dcf7c497406b11

SHA256
013eaf55cc18ecfc3785f93bebee5c408001b0b48f93b167cb4549ec5fbbd184

SHA512
8a7933ac065b99aead4cb6f348ada8a5916cb1e567cc75415b4f757cdd1ba28698a9b1bcee0b4d61626e0a365f28a85870ff47984479d5e18be77b187a130c5e

Download Submit
C:\Windows\System\XySYBuS.exe

Filesize
5.2MB

MD5
dea39f0de13a38df28bcb71f321fadaa

SHA1
9d4d16d0c240a9f9987f0863b35e019235473865

SHA256
1973c1efc9592d2973648b5e9573dcb40ac7736be604daf1f5863a6652ae42ce

SHA512
e8e4002c2451a0ec94464f07cc10dd59d34480a16c677331f8f5c498041078ad45507e3720b5c01ac88b69c897f895015428da146697fb35ae1cb7cfa087949b

Download Submit
C:\Windows\System\evxbUFE.exe

Filesize
5.2MB

MD5
feabe4a3d849e4a8d6989c35a831660c

SHA1
7469e7f2908280363b33452aa614bc28e75156e1

SHA256
607394304384807f85c23e06f30e8dba7e5d092619fa980ffcc90c4069d109b0

SHA512
3574c0f1aaab22cce433e5e2c1d94b0f67e2cb91f562d24bbf4ede1fad33c8d77759bbe4db87d7f9ea061dc7f5b5a49ab6618409b755adde5e4ce1ba828847a8

Download Submit
C:\Windows\System\fMGocAL.exe

Filesize
5.2MB

MD5
291256c498a522463489bb0a877f0c38

SHA1
f16ea509bfa4cdf9c18332c450cab0540bda91ff

SHA256
f9a938735107b833a65925f4ae59d260db5e65ec7d0dd0131177d593b5750b71

SHA512
a282c8e48b9056af3521480f100034d5ac2750185cbf676a62b2f7e4e5a5670b8d1e90c7ad7d07061348098d1396b433ddf39fcc15e00544370dbdfc470b033c

Download Submit
C:\Windows\System\kgWpxFt.exe

Filesize
5.2MB

MD5
23b10bd499a1919ee6b8cae4b63dbbda

SHA1
1d4ea0b3e3bbb1553bf069fb5c9fd3df41f18199

SHA256
e9599a02fffde9f3a761f6e48eeaa6c72bd655b394ee092cbf5c9b8af6e83511

SHA512
350bbffe28971fe31edfa25839abc7be3b5415185bb9fc4a24e178471db326256d28599ced3372c788d2c366184e0b6dcb0e9d59fca4317f6859e0e1b612a9be

Download Submit
C:\Windows\System\oxyLqxr.exe

Filesize
5.2MB

MD5
4668b88143274fa12240f1335f479ce0

SHA1
ec6f9a2e8a49358f406a4b30ce139864d7cb3fb0

SHA256
85a1268db0bc86304be0707b15f0f4def82aa675296ba32008b34571bf9e570e

SHA512
1b5e172a2c660d7883bffeb0ee56930ee17623e883d636edac7e991109284acd02dfdc03b60c732f153a4f9b6fc194f4bc71c71a719a6dd5926fc5020c39e368

Download Submit
C:\Windows\System\pwbluxk.exe

Filesize
5.2MB

MD5
f95e9d7a0b5a50e2207359e0aac53a01

SHA1
1625f13c712620777646bf681b640e86d461f066

SHA256
336ba2c191867e7c377f9efcfaa5a6fba77e1f2629449ec8b6e2abe8aae10d58

SHA512
b520102a9fbce6dbca620817fc95e806130b6a87ddaaf03a0ac941414cf5e67984fedcc8d1b39e347f7ba274400928987726fbd064850e48fd6509ca3efb964f

Download Submit
C:\Windows\System\qHfQCMA.exe

Filesize
5.2MB

MD5
2df886cf8df0dd7b5d71b642e838e242

SHA1
08bb3c49f5a00d7d018f4f2458171c5db305576a

SHA256
6d750d62c0afea77b60b5586a374ba77467abeec554b8cf78e00b4df6dab08bc

SHA512
c8e1ab11a574f31c670b499368f077fff60239a9324d88b16f1ede34de6f3a93e3b8f0e93bab7f111a426a7c57356998b527cdb3861696308077fb0ebed17bf0

Download Submit
C:\Windows\System\ucxzTdH.exe

Filesize
5.2MB

MD5
f38f7cdae425617cc669504724ef6b33

SHA1
3fa80d011f46abc0483c7bfbbf2e4b717ca1dcdd

SHA256
f0a2c89773a5637061bd8469d69ad2ac823542398c6091aeebf540981805b5f0

SHA512
86aa847577f39c8b88f8ec34dc9ec6b37913e3d88d50fd7b8a6d14d3321b1363285c418ff75869025e4893fd46a5d018eb986eea9297f5a582946bdd7aec1f10

Download Submit
C:\Windows\System\urgbOSd.exe

Filesize
5.2MB

MD5
a71e48d116710a818bd01e3b770b2b45

SHA1
ae62d2f00f09cfc484400c6cbe11dd1e7c8e401d

SHA256
7f7967bb146cf8fa895ed2f215eb9ddda71828265a30acde82a3bf5f128341dd

SHA512
599c24c87c147eb2fa50b29d586a9d78e3be493f644862b633b012e0f85729e46e5f91d5c271c2cfb81644946e564488298f14062919dd911557adaf272a015c

Download Submit
C:\Windows\System\zwdkfQH.exe

Filesize
5.2MB

MD5
1132be250bce3a6c9178b82e7c5c3e23

SHA1
e8cc4a9fde4e54d3dc6359d8f92cf8f872a6789a

SHA256
95bc3990d0b3e04d5488f4cff6ffddf5d148218c85d5b2c6a437b6c244bada46

SHA512
6d578dee9ce48b4ca36b90242da2d3c5eef716315e3a745c5e03a6d5d33f84356e44bfd8ec076fbbafb7296fdd506ed4aa18526272a103da88a0b7c886e078a0

Download Submit
memory/860-225-0x00007FF6B4DB0000-0x00007FF6B5101000-memory.dmp

Filesize
3.3MB

Download
memory/860-141-0x00007FF6B4DB0000-0x00007FF6B5101000-memory.dmp

Filesize
3.3MB

Download
memory/860-49-0x00007FF6B4DB0000-0x00007FF6B5101000-memory.dmp

Filesize
3.3MB

Download
memory/1476-144-0x00007FF61F2C0000-0x00007FF61F611000-memory.dmp

Filesize
3.3MB

Download
memory/1476-45-0x00007FF61F2C0000-0x00007FF61F611000-memory.dmp

Filesize
3.3MB

Download
memory/1476-226-0x00007FF61F2C0000-0x00007FF61F611000-memory.dmp

Filesize
3.3MB

Download
memory/2156-127-0x00007FF67E280000-0x00007FF67E5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-256-0x00007FF67E280000-0x00007FF67E5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2352-80-0x00007FF761800000-0x00007FF761B51000-memory.dmp

Filesize
3.3MB

Download
memory/2352-19-0x00007FF761800000-0x00007FF761B51000-memory.dmp

Filesize
3.3MB

Download
memory/2352-214-0x00007FF761800000-0x00007FF761B51000-memory.dmp

Filesize
3.3MB

Download
memory/2880-129-0x00007FF6F78A0000-0x00007FF6F7BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2880-259-0x00007FF6F78A0000-0x00007FF6F7BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3128-133-0x00007FF7B3590000-0x00007FF7B38E1000-memory.dmp

Filesize
3.3MB

Download
memory/3128-254-0x00007FF7B3590000-0x00007FF7B38E1000-memory.dmp

Filesize
3.3MB

Download
memory/3392-25-0x00007FF7D24B0000-0x00007FF7D2801000-memory.dmp

Filesize
3.3MB

Download
memory/3392-88-0x00007FF7D24B0000-0x00007FF7D2801000-memory.dmp

Filesize
3.3MB

Download
memory/3392-218-0x00007FF7D24B0000-0x00007FF7D2801000-memory.dmp

Filesize
3.3MB

Download
memory/3512-222-0x00007FF751E00000-0x00007FF752151000-memory.dmp

Filesize
3.3MB

Download
memory/3512-44-0x00007FF751E00000-0x00007FF752151000-memory.dmp

Filesize
3.3MB

Download
memory/3512-132-0x00007FF751E00000-0x00007FF752151000-memory.dmp

Filesize
3.3MB

Download
memory/3556-86-0x00007FF7EDF10000-0x00007FF7EE261000-memory.dmp

Filesize
3.3MB

Download
memory/3556-148-0x00007FF7EDF10000-0x00007FF7EE261000-memory.dmp

Filesize
3.3MB

Download
memory/3556-250-0x00007FF7EDF10000-0x00007FF7EE261000-memory.dmp

Filesize
3.3MB

Download
memory/3600-252-0x00007FF6C0010000-0x00007FF6C0361000-memory.dmp

Filesize
3.3MB

Download
memory/3600-126-0x00007FF6C0010000-0x00007FF6C0361000-memory.dmp

Filesize
3.3MB

Download
memory/3600-151-0x00007FF6C0010000-0x00007FF6C0361000-memory.dmp

Filesize
3.3MB

Download
memory/3688-81-0x00007FF7B69D0000-0x00007FF7B6D21000-memory.dmp

Filesize
3.3MB

Download
memory/3688-237-0x00007FF7B69D0000-0x00007FF7B6D21000-memory.dmp

Filesize
3.3MB

Download
memory/3760-128-0x00007FF742D10000-0x00007FF743061000-memory.dmp

Filesize
3.3MB

Download
memory/3760-261-0x00007FF742D10000-0x00007FF743061000-memory.dmp

Filesize
3.3MB

Download
memory/3928-37-0x00007FF793FD0000-0x00007FF794321000-memory.dmp

Filesize
3.3MB

Download
memory/3928-221-0x00007FF793FD0000-0x00007FF794321000-memory.dmp

Filesize
3.3MB

Download
memory/3928-98-0x00007FF793FD0000-0x00007FF794321000-memory.dmp

Filesize
3.3MB

Download
memory/3956-31-0x00007FF6074F0000-0x00007FF607841000-memory.dmp

Filesize
3.3MB

Download
memory/3956-216-0x00007FF6074F0000-0x00007FF607841000-memory.dmp

Filesize
3.3MB

Download
memory/4176-130-0x00007FF681050000-0x00007FF6813A1000-memory.dmp

Filesize
3.3MB

Download
memory/4176-264-0x00007FF681050000-0x00007FF6813A1000-memory.dmp

Filesize
3.3MB

Download
memory/4232-228-0x00007FF6AC5F0000-0x00007FF6AC941000-memory.dmp

Filesize
3.3MB

Download
memory/4232-51-0x00007FF6AC5F0000-0x00007FF6AC941000-memory.dmp

Filesize
3.3MB

Download
memory/4232-143-0x00007FF6AC5F0000-0x00007FF6AC941000-memory.dmp

Filesize
3.3MB

Download
memory/4332-1-0x0000027611E20000-0x0000027611E30000-memory.dmp

Filesize
64KB

Download
memory/4332-134-0x00007FF73F210000-0x00007FF73F561000-memory.dmp

Filesize
3.3MB

Download
memory/4332-0-0x00007FF73F210000-0x00007FF73F561000-memory.dmp

Filesize
3.3MB

Download
memory/4332-157-0x00007FF73F210000-0x00007FF73F561000-memory.dmp

Filesize
3.3MB

Download
memory/4332-68-0x00007FF73F210000-0x00007FF73F561000-memory.dmp

Filesize
3.3MB

Download
memory/4408-145-0x00007FF7688B0000-0x00007FF768C01000-memory.dmp

Filesize
3.3MB

Download
memory/4408-235-0x00007FF7688B0000-0x00007FF768C01000-memory.dmp

Filesize
3.3MB

Download
memory/4408-64-0x00007FF7688B0000-0x00007FF768C01000-memory.dmp

Filesize
3.3MB

Download
memory/4468-91-0x00007FF6641D0000-0x00007FF664521000-memory.dmp

Filesize
3.3MB

Download
memory/4468-248-0x00007FF6641D0000-0x00007FF664521000-memory.dmp

Filesize
3.3MB

Download
memory/4488-263-0x00007FF655BD0000-0x00007FF655F21000-memory.dmp

Filesize
3.3MB

Download
memory/4488-131-0x00007FF655BD0000-0x00007FF655F21000-memory.dmp

Filesize
3.3MB

Download
memory/4948-239-0x00007FF69E3D0000-0x00007FF69E721000-memory.dmp

Filesize
3.3MB

Download
memory/4948-79-0x00007FF69E3D0000-0x00007FF69E721000-memory.dmp

Filesize
3.3MB

Download
memory/4948-146-0x00007FF69E3D0000-0x00007FF69E721000-memory.dmp

Filesize
3.3MB

Download
memory/5032-8-0x00007FF7F5AB0000-0x00007FF7F5E01000-memory.dmp

Filesize
3.3MB

Download
memory/5032-73-0x00007FF7F5AB0000-0x00007FF7F5E01000-memory.dmp

Filesize
3.3MB

Download
memory/5032-212-0x00007FF7F5AB0000-0x00007FF7F5E01000-memory.dmp

Filesize
3.3MB

Download