cobaltstrike | c75f244fc806c5b64083ce10e1f33e9f1e54435f9548677b9b07ade9bb8c5c21

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

db15583d1d14a37c4b3adb1413673bdd
SHA1

f5104a8ac7c60d4f718cb554dc3f5a64b82fcc8e
SHA256

c75f244fc806c5b64083ce10e1f33e9f1e54435f9548677b9b07ade9bb8c5c21
SHA512

b99a32d3e929cc8a19e882632080bd16687b167b3adab031e4afacdfb4476fe846601e93c9bb2eb510d8a2f34da32208c21d458c5455819fa87d85b2594e963d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lw:RWWBibf56utgpPFotBER/mQ32lUE

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234af-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b4-9.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b3-18.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b5-21.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b7-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b8-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b9-43.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bc-63.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-68.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234be-84.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c1-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c3-108.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c4-118.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c5-123.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-121.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c0-111.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bf-89.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234b0-78.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ba-62.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bb-53.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b6-28.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1660-76-0x00007FF7BCE70000-0x00007FF7BD1C1000-memory.dmp	xmrig
behavioral2/memory/4436-122-0x00007FF6E54B0000-0x00007FF6E5801000-memory.dmp	xmrig
behavioral2/memory/1668-91-0x00007FF7DFCA0000-0x00007FF7DFFF1000-memory.dmp	xmrig
behavioral2/memory/2124-88-0x00007FF77D980000-0x00007FF77DCD1000-memory.dmp	xmrig
behavioral2/memory/3136-87-0x00007FF6E4F80000-0x00007FF6E52D1000-memory.dmp	xmrig
behavioral2/memory/2256-82-0x00007FF757A80000-0x00007FF757DD1000-memory.dmp	xmrig
behavioral2/memory/3200-81-0x00007FF6575C0000-0x00007FF657911000-memory.dmp	xmrig
behavioral2/memory/2664-61-0x00007FF6C4430000-0x00007FF6C4781000-memory.dmp	xmrig
behavioral2/memory/780-58-0x00007FF749D20000-0x00007FF74A071000-memory.dmp	xmrig
behavioral2/memory/3344-54-0x00007FF7A30D0000-0x00007FF7A3421000-memory.dmp	xmrig
behavioral2/memory/5108-33-0x00007FF6EF850000-0x00007FF6EFBA1000-memory.dmp	xmrig
behavioral2/memory/1960-129-0x00007FF7CFB60000-0x00007FF7CFEB1000-memory.dmp	xmrig
behavioral2/memory/3916-130-0x00007FF654840000-0x00007FF654B91000-memory.dmp	xmrig
behavioral2/memory/4168-136-0x00007FF6BB470000-0x00007FF6BB7C1000-memory.dmp	xmrig
behavioral2/memory/3884-132-0x00007FF6DFDA0000-0x00007FF6E00F1000-memory.dmp	xmrig
behavioral2/memory/2700-128-0x00007FF7AA8F0000-0x00007FF7AAC41000-memory.dmp	xmrig
behavioral2/memory/1348-146-0x00007FF725ED0000-0x00007FF726221000-memory.dmp	xmrig
behavioral2/memory/4044-141-0x00007FF7EB890000-0x00007FF7EBBE1000-memory.dmp	xmrig
behavioral2/memory/1816-147-0x00007FF69D480000-0x00007FF69D7D1000-memory.dmp	xmrig
behavioral2/memory/1096-149-0x00007FF75A020000-0x00007FF75A371000-memory.dmp	xmrig
behavioral2/memory/3972-145-0x00007FF7EF860000-0x00007FF7EFBB1000-memory.dmp	xmrig
behavioral2/memory/3696-144-0x00007FF6F6720000-0x00007FF6F6A71000-memory.dmp	xmrig
behavioral2/memory/2700-150-0x00007FF7AA8F0000-0x00007FF7AAC41000-memory.dmp	xmrig
behavioral2/memory/2700-151-0x00007FF7AA8F0000-0x00007FF7AAC41000-memory.dmp	xmrig
behavioral2/memory/1960-202-0x00007FF7CFB60000-0x00007FF7CFEB1000-memory.dmp	xmrig
behavioral2/memory/5108-212-0x00007FF6EF850000-0x00007FF6EFBA1000-memory.dmp	xmrig
behavioral2/memory/3916-216-0x00007FF654840000-0x00007FF654B91000-memory.dmp	xmrig
behavioral2/memory/2664-218-0x00007FF6C4430000-0x00007FF6C4781000-memory.dmp	xmrig
behavioral2/memory/3884-220-0x00007FF6DFDA0000-0x00007FF6E00F1000-memory.dmp	xmrig
behavioral2/memory/3344-222-0x00007FF7A30D0000-0x00007FF7A3421000-memory.dmp	xmrig
behavioral2/memory/1660-224-0x00007FF7BCE70000-0x00007FF7BD1C1000-memory.dmp	xmrig
behavioral2/memory/780-226-0x00007FF749D20000-0x00007FF74A071000-memory.dmp	xmrig
behavioral2/memory/4168-228-0x00007FF6BB470000-0x00007FF6BB7C1000-memory.dmp	xmrig
behavioral2/memory/2256-230-0x00007FF757A80000-0x00007FF757DD1000-memory.dmp	xmrig
behavioral2/memory/3200-232-0x00007FF6575C0000-0x00007FF657911000-memory.dmp	xmrig
behavioral2/memory/2124-234-0x00007FF77D980000-0x00007FF77DCD1000-memory.dmp	xmrig
behavioral2/memory/3136-242-0x00007FF6E4F80000-0x00007FF6E52D1000-memory.dmp	xmrig
behavioral2/memory/1668-244-0x00007FF7DFCA0000-0x00007FF7DFFF1000-memory.dmp	xmrig
behavioral2/memory/4044-246-0x00007FF7EB890000-0x00007FF7EBBE1000-memory.dmp	xmrig
behavioral2/memory/3696-248-0x00007FF6F6720000-0x00007FF6F6A71000-memory.dmp	xmrig
behavioral2/memory/3972-250-0x00007FF7EF860000-0x00007FF7EFBB1000-memory.dmp	xmrig
behavioral2/memory/1816-252-0x00007FF69D480000-0x00007FF69D7D1000-memory.dmp	xmrig
behavioral2/memory/4436-254-0x00007FF6E54B0000-0x00007FF6E5801000-memory.dmp	xmrig
behavioral2/memory/1096-256-0x00007FF75A020000-0x00007FF75A371000-memory.dmp	xmrig
behavioral2/memory/1348-258-0x00007FF725ED0000-0x00007FF726221000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1960	FbfcMSQ.exe
3916	Qtsxrfa.exe
5108	ASUcmsk.exe
3884	MzAjkno.exe
2664	ngYcArP.exe
3344	gpopuKd.exe
1660	RXoJlVJ.exe
4168	wplgnPf.exe
3200	oSZdVaU.exe
780	hjGWbTd.exe
2256	mrypAMq.exe
2124	isSfnSl.exe
4044	fuEpXCP.exe
3136	xpktoXp.exe
1668	YVutqkm.exe
3696	malardo.exe
3972	TJuWMnj.exe
1348	OqtZCtd.exe
1816	ZmFAZoh.exe
4436	tHmALvH.exe
1096	NXMdHqU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2700-0-0x00007FF7AA8F0000-0x00007FF7AAC41000-memory.dmp	upx
behavioral2/files/0x00080000000234af-5.dat	upx
behavioral2/files/0x00070000000234b4-9.dat	upx
behavioral2/files/0x00070000000234b3-18.dat	upx
behavioral2/files/0x00070000000234b5-21.dat	upx
behavioral2/files/0x00070000000234b7-30.dat	upx
behavioral2/files/0x00070000000234b8-35.dat	upx
behavioral2/files/0x00070000000234b9-43.dat	upx
behavioral2/files/0x00070000000234bc-63.dat	upx
behavioral2/files/0x00070000000234bd-68.dat	upx
behavioral2/memory/1660-76-0x00007FF7BCE70000-0x00007FF7BD1C1000-memory.dmp	upx
behavioral2/files/0x00070000000234be-84.dat	upx
behavioral2/files/0x00070000000234c1-97.dat	upx
behavioral2/files/0x00070000000234c3-108.dat	upx
behavioral2/files/0x00070000000234c4-118.dat	upx
behavioral2/memory/1096-125-0x00007FF75A020000-0x00007FF75A371000-memory.dmp	upx
behavioral2/memory/1348-124-0x00007FF725ED0000-0x00007FF726221000-memory.dmp	upx
behavioral2/files/0x00070000000234c5-123.dat	upx
behavioral2/memory/4436-122-0x00007FF6E54B0000-0x00007FF6E5801000-memory.dmp	upx
behavioral2/files/0x00070000000234c2-121.dat	upx
behavioral2/memory/1816-120-0x00007FF69D480000-0x00007FF69D7D1000-memory.dmp	upx
behavioral2/files/0x00070000000234c0-111.dat	upx
behavioral2/memory/3972-110-0x00007FF7EF860000-0x00007FF7EFBB1000-memory.dmp	upx
behavioral2/memory/3696-105-0x00007FF6F6720000-0x00007FF6F6A71000-memory.dmp	upx
behavioral2/memory/1668-91-0x00007FF7DFCA0000-0x00007FF7DFFF1000-memory.dmp	upx
behavioral2/files/0x00070000000234bf-89.dat	upx
behavioral2/memory/2124-88-0x00007FF77D980000-0x00007FF77DCD1000-memory.dmp	upx
behavioral2/memory/3136-87-0x00007FF6E4F80000-0x00007FF6E52D1000-memory.dmp	upx
behavioral2/memory/4044-86-0x00007FF7EB890000-0x00007FF7EBBE1000-memory.dmp	upx
behavioral2/memory/2256-82-0x00007FF757A80000-0x00007FF757DD1000-memory.dmp	upx
behavioral2/memory/3200-81-0x00007FF6575C0000-0x00007FF657911000-memory.dmp	upx
behavioral2/files/0x00080000000234b0-78.dat	upx
behavioral2/files/0x00070000000234ba-62.dat	upx
behavioral2/memory/2664-61-0x00007FF6C4430000-0x00007FF6C4781000-memory.dmp	upx
behavioral2/memory/780-58-0x00007FF749D20000-0x00007FF74A071000-memory.dmp	upx
behavioral2/memory/4168-57-0x00007FF6BB470000-0x00007FF6BB7C1000-memory.dmp	upx
behavioral2/memory/3344-54-0x00007FF7A30D0000-0x00007FF7A3421000-memory.dmp	upx
behavioral2/files/0x00070000000234bb-53.dat	upx
behavioral2/memory/3884-44-0x00007FF6DFDA0000-0x00007FF6E00F1000-memory.dmp	upx
behavioral2/memory/5108-33-0x00007FF6EF850000-0x00007FF6EFBA1000-memory.dmp	upx
behavioral2/files/0x00070000000234b6-28.dat	upx
behavioral2/memory/3916-23-0x00007FF654840000-0x00007FF654B91000-memory.dmp	upx
behavioral2/memory/1960-8-0x00007FF7CFB60000-0x00007FF7CFEB1000-memory.dmp	upx
behavioral2/memory/1960-129-0x00007FF7CFB60000-0x00007FF7CFEB1000-memory.dmp	upx
behavioral2/memory/3916-130-0x00007FF654840000-0x00007FF654B91000-memory.dmp	upx
behavioral2/memory/4168-136-0x00007FF6BB470000-0x00007FF6BB7C1000-memory.dmp	upx
behavioral2/memory/3884-132-0x00007FF6DFDA0000-0x00007FF6E00F1000-memory.dmp	upx
behavioral2/memory/2700-128-0x00007FF7AA8F0000-0x00007FF7AAC41000-memory.dmp	upx
behavioral2/memory/1348-146-0x00007FF725ED0000-0x00007FF726221000-memory.dmp	upx
behavioral2/memory/4044-141-0x00007FF7EB890000-0x00007FF7EBBE1000-memory.dmp	upx
behavioral2/memory/1816-147-0x00007FF69D480000-0x00007FF69D7D1000-memory.dmp	upx
behavioral2/memory/1096-149-0x00007FF75A020000-0x00007FF75A371000-memory.dmp	upx
behavioral2/memory/3972-145-0x00007FF7EF860000-0x00007FF7EFBB1000-memory.dmp	upx
behavioral2/memory/3696-144-0x00007FF6F6720000-0x00007FF6F6A71000-memory.dmp	upx
behavioral2/memory/2700-150-0x00007FF7AA8F0000-0x00007FF7AAC41000-memory.dmp	upx
behavioral2/memory/2700-151-0x00007FF7AA8F0000-0x00007FF7AAC41000-memory.dmp	upx
behavioral2/memory/1960-202-0x00007FF7CFB60000-0x00007FF7CFEB1000-memory.dmp	upx
behavioral2/memory/5108-212-0x00007FF6EF850000-0x00007FF6EFBA1000-memory.dmp	upx
behavioral2/memory/3916-216-0x00007FF654840000-0x00007FF654B91000-memory.dmp	upx
behavioral2/memory/2664-218-0x00007FF6C4430000-0x00007FF6C4781000-memory.dmp	upx
behavioral2/memory/3884-220-0x00007FF6DFDA0000-0x00007FF6E00F1000-memory.dmp	upx
behavioral2/memory/3344-222-0x00007FF7A30D0000-0x00007FF7A3421000-memory.dmp	upx
behavioral2/memory/1660-224-0x00007FF7BCE70000-0x00007FF7BD1C1000-memory.dmp	upx
behavioral2/memory/780-226-0x00007FF749D20000-0x00007FF74A071000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ASUcmsk.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZmFAZoh.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tHmALvH.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\malardo.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OqtZCtd.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Qtsxrfa.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ngYcArP.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oSZdVaU.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hjGWbTd.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\isSfnSl.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YVutqkm.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NXMdHqU.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FbfcMSQ.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gpopuKd.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fuEpXCP.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xpktoXp.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TJuWMnj.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MzAjkno.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RXoJlVJ.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wplgnPf.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mrypAMq.exe	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1960	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2700 wrote to memory of 1960	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2700 wrote to memory of 3916	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2700 wrote to memory of 3916	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2700 wrote to memory of 5108	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2700 wrote to memory of 5108	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2700 wrote to memory of 3884	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2700 wrote to memory of 3884	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2700 wrote to memory of 2664	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2700 wrote to memory of 2664	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2700 wrote to memory of 3344	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2700 wrote to memory of 3344	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2700 wrote to memory of 1660	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2700 wrote to memory of 1660	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2700 wrote to memory of 4168	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2700 wrote to memory of 4168	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2700 wrote to memory of 3200	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2700 wrote to memory of 3200	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2700 wrote to memory of 780	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2700 wrote to memory of 780	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2700 wrote to memory of 2256	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2700 wrote to memory of 2256	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2700 wrote to memory of 2124	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2700 wrote to memory of 2124	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2700 wrote to memory of 4044	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2700 wrote to memory of 4044	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2700 wrote to memory of 3136	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2700 wrote to memory of 3136	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2700 wrote to memory of 1668	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2700 wrote to memory of 1668	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2700 wrote to memory of 3696	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2700 wrote to memory of 3696	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2700 wrote to memory of 3972	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2700 wrote to memory of 3972	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2700 wrote to memory of 1348	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2700 wrote to memory of 1348	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2700 wrote to memory of 1816	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2700 wrote to memory of 1816	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2700 wrote to memory of 4436	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2700 wrote to memory of 4436	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2700 wrote to memory of 1096	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2700 wrote to memory of 1096	2700	2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_db15583d1d14a37c4b3adb1413673bdd_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\System\FbfcMSQ.exe
  C:\Windows\System\FbfcMSQ.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\Qtsxrfa.exe
  C:\Windows\System\Qtsxrfa.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System\ASUcmsk.exe
  C:\Windows\System\ASUcmsk.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\MzAjkno.exe
  C:\Windows\System\MzAjkno.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System\ngYcArP.exe
  C:\Windows\System\ngYcArP.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\gpopuKd.exe
  C:\Windows\System\gpopuKd.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System\RXoJlVJ.exe
  C:\Windows\System\RXoJlVJ.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\wplgnPf.exe
  C:\Windows\System\wplgnPf.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\oSZdVaU.exe
  C:\Windows\System\oSZdVaU.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System\hjGWbTd.exe
  C:\Windows\System\hjGWbTd.exe
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\System\mrypAMq.exe
  C:\Windows\System\mrypAMq.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\isSfnSl.exe
  C:\Windows\System\isSfnSl.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System\fuEpXCP.exe
  C:\Windows\System\fuEpXCP.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System\xpktoXp.exe
  C:\Windows\System\xpktoXp.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\YVutqkm.exe
  C:\Windows\System\YVutqkm.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\malardo.exe
  C:\Windows\System\malardo.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\TJuWMnj.exe
  C:\Windows\System\TJuWMnj.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\OqtZCtd.exe
  C:\Windows\System\OqtZCtd.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System\ZmFAZoh.exe
  C:\Windows\System\ZmFAZoh.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\tHmALvH.exe
  C:\Windows\System\tHmALvH.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System\NXMdHqU.exe
  C:\Windows\System\NXMdHqU.exe
  2⤵
  - Executes dropped EXE
  PID:1096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ASUcmsk.exe

Filesize
5.2MB

MD5
74ec86854dbbb3c54acb4cbc5d2f8061

SHA1
54f4201502bc5da144e3d5eb77ca263d4da205b7

SHA256
64a435c5ca33f68253290824f4dfc4f69068c0b048a075febbf3163cb19faf55

SHA512
aa5e7889aa86e4fb017619329ab73357a0475d37361e1848782c49eb8329d8306a65498ca72f6d1f5e213c24f0acb563c3e7da8315a30167f4c11c8895c5b703

Download Submit
C:\Windows\System\FbfcMSQ.exe

Filesize
5.2MB

MD5
bdf23f5fa1b7da8cfac04d3183026eb0

SHA1
6e47eb9c4ea64bbc2234f2003800f163e6af950c

SHA256
1ab628ef73ed9449960610ce83341dacf46208389ed59562a4cb3e4e43b2beff

SHA512
9426cae55c827983d73a9ee162e864922915a5c28f7eda5191a3ae55820843a283d826deaa486c37fa06766561121eb71142f8168b9d3452553b1e8be10d7594

Download Submit
C:\Windows\System\MzAjkno.exe

Filesize
5.2MB

MD5
237ab097dab32fe0c6f87af28d04809f

SHA1
b20fc4a337c70fa88e2ce04a8434f70543f2525c

SHA256
e877027ce61d7563022098015d6ec4877e7bef61ec3da57626a7f0516943ae5d

SHA512
d6488b18eaf7be750c94eda8fe9b9f46b57283fe066ccb7366d8b2640d56acb7d8bd94136497c4050f49757dd32242b993d94828ee2471bc634aa13cd17e37af

Download Submit
C:\Windows\System\NXMdHqU.exe

Filesize
5.2MB

MD5
a0262029ddc2a6e951082b3744ab8d56

SHA1
7556496c2185afc21ccc73336b5222e117fa0bd6

SHA256
b14804e7d7e5093858c517deba987533705a55ee68b8e63957fc0a1a36a1094d

SHA512
80d06c94c33019f35d5b9c15b2ebac93d8dc994840ccb6bfb02755e254a8805bc358c33bd0f3aad4bdbeab66568f2ae842f56f6434f081422fbf972a8ed3df6d

Download Submit
C:\Windows\System\OqtZCtd.exe

Filesize
5.2MB

MD5
f5118d58c5db2df346cb600ae4ca2c51

SHA1
751fd5aebd468e4407ae02dde9236067b50ca665

SHA256
eb7a24fc0f9aaee95f0791179e508d4e2a575a3092ce9b63e7228b1f007b3061

SHA512
9858c37ce3dec29fe0e41a2ecb6a82f5782bcd7f23383804b6f39b4b506c39a73a78a4c4485200e43d1331a5170bad4e3487857648e20a39589090fb467413d6

Download Submit
C:\Windows\System\Qtsxrfa.exe

Filesize
5.2MB

MD5
9219e088c0e430fd46fd79aa834ccbb0

SHA1
273f11fe7d4edadc929c0f4a6e16423e0bc0dd41

SHA256
0b7664033fc19228cd45c28e6a8b43aa4f174e3ee79c0f65a0c9209ddc3a5268

SHA512
6aabaed92d4ee8e3b217354d5b4f365090a0ad3ee279a8e852c40e9d6055649acc7b28f4a421093c9f41d06555f0428061fc6aa187a1865b124ee0347950026a

Download Submit
C:\Windows\System\RXoJlVJ.exe

Filesize
5.2MB

MD5
48e13f282bd100a1120603c9175057ee

SHA1
958dd1b3924ba25533f56938faa4df2297ed3159

SHA256
cc50106c86f71ed88c084c92d8bc109f6167458919e665b342599a66067e2ec2

SHA512
9d3321c2ed304a306d300d9507def7fa5e75d690d2047e34a07db67d12f6865c265235dbd0f3ee01b854a6172c2ec4a4b4b9ac38858cf7192394486eea9b6aa3

Download Submit
C:\Windows\System\TJuWMnj.exe

Filesize
5.2MB

MD5
bc611608352cdc1f7ac7ddffc71aa69c

SHA1
c5617c96027254e3f17648cce704dc7be88255d5

SHA256
6105ab2fe0ced6d6ce3643a8e9db026609bb947d6533ced9240a25453fe08274

SHA512
607e3aff69aadc46ceca51d311d571506ecbd81a9563ecbc20938098df97767e7c1b5dcafe6bb779b228658469b5cfb94ff97786ae7aa8373b2377e8deb6bbfd

Download Submit
C:\Windows\System\YVutqkm.exe

Filesize
5.2MB

MD5
7896fb166608bdcede4e6f8837022455

SHA1
b6f8275aa86b4c5a60dbdb3b0ced812c9ae897bb

SHA256
f58cefd93bf68d96b84c55c95e7ee9277a5dcc59a26cf5d9fb361ce5b3e96fd9

SHA512
77b87acbc2668a7d7dfdb4ee0d651fa70307e4c37ef241305dbe503c8f81de00b12ddd2b91076871107d6303046b398981730f9ff73c33a9d324dd21ef7f5a5e

Download Submit
C:\Windows\System\ZmFAZoh.exe

Filesize
5.2MB

MD5
d318230d428a69b33d7bc46c74911fff

SHA1
4f6cb5a188527c22fda66dd6c248d64ffc2521c5

SHA256
37b51eedfb827495988d99d63d091a23e39c507fe8d5c9b69ad97983d9dd1c37

SHA512
a762d4f4bc9ce93fd01089cede5bc206dd4275b9aaa7565abb947bdcbe70f797e42d9ad49472b93da0a3c6883b08caddf040dc8827933bef5702cf8b1fd3fe17

Download Submit
C:\Windows\System\fuEpXCP.exe

Filesize
5.2MB

MD5
6f035d58eaeb50131d0ac38051a07979

SHA1
b4f1d8055141a243af1a6ef2826b532e750ca139

SHA256
9df9a896d70d13e63130f02084a8a547d67bcd8ee15a694cfd737ec9a1a5ae95

SHA512
a87f321ad1d171dc0233808bd950bba66e1d14335425037daf62db566b6cf0df63bae19da40d43b4ffc70175720834e830be5dc69891a4ab369f1a8063b9b714

Download Submit
C:\Windows\System\gpopuKd.exe

Filesize
5.2MB

MD5
a4120fde3ccba8f3e39cfc608e57d4ba

SHA1
8eb7a2eaea76d506babe87a19730839d794db754

SHA256
f4ac113d8170039d23dc977a6c7228661f90592dd24dfb3e323ad1374085d1f1

SHA512
1be6166e8f4a0039b0f05ddfd9544db262a4be23021da02ec2d1b0539620cf7931d0393569301caacc057d7a428bdd37b4949be8f91d0683e12041aad3f812ab

Download Submit
C:\Windows\System\hjGWbTd.exe

Filesize
5.2MB

MD5
1b21a102721d5ea3b8740633bb528986

SHA1
8c3ef9e1d29f388b15e313a89d197a889e466f50

SHA256
cc53047f6ad61ffaa7fc40e75aa0893370e0e7e412a05535d22fd4ace43f0b43

SHA512
e16c3d5484297796d7e2e0b477bc31c2e357e6456d68955831a8dee522f8eec4e751eed08a440ccba8cda474e57c9e5a389466ac1865a7ea2e6ec73cd0055f89

Download Submit
C:\Windows\System\isSfnSl.exe

Filesize
5.2MB

MD5
16f967be68fe34379e3c73b6f122810d

SHA1
4581054f2599162fef958548eb317bb037d65cb9

SHA256
5a94b8f1b281f8a16fde62001af32763b2bbde2d3e7023b35ead69ba3c686a29

SHA512
7e29a9457ead3335f9e74134f12ef7f249653c2c6f1602e0e552fd2339ee7f12d5807c9016c9edf6968bea6f77412a9b740228e75dd1e16ba2d977729ee544ca

Download Submit
C:\Windows\System\malardo.exe

Filesize
5.2MB

MD5
bb698f8ab9f7db0827dfb5a78ae2d9e2

SHA1
6213ff191c1a111a79881e865772bf7592b11b94

SHA256
c9f11e917d65dd19c232d2561dfd9099f95a6636c5564e05a4e7157d30839de1

SHA512
dad4c0aae32b4f965baaa5fe9c7c62486b0714e7c9076bc7c807c935ca6121cc4199610bd94bba68e106bbc24972de78f6255aa64d8592fd8f40dbd63ac22d02

Download Submit
C:\Windows\System\mrypAMq.exe

Filesize
5.2MB

MD5
6f908eec827fc1c89fca4b3a139f5800

SHA1
546806fa8d36f5630a01846e5b65125cc8a7c208

SHA256
49cff7f8d13f04c5a43d09f2820216f354eab366000a5315d02ffe176424abd6

SHA512
d8df9edf9d9d8606b55acb6e9fe3603b516114eb286953e0546fcd964e65bc7aa054a2b74a1f89644e3bc73147ae2a23db69d88475f54768170f03727e6272b4

Download Submit
C:\Windows\System\ngYcArP.exe

Filesize
5.2MB

MD5
6e3c296ecc2628c104de2c42992e68d4

SHA1
6bb67c95ae930f2199efc6fa37c47d10ab872d3d

SHA256
a3dc86882036b84a8e4da4943eb5b9ff10052872441b7feb85bccb97969e8594

SHA512
a177a990876ab73c0c1e6dd538535ba2d45be45f49d04ad2c87ae909e12a7a46010874a6b3cf512f73ea4d4cdaa8860bb2bbaca281feb6dad37ef4b32e560d32

Download Submit
C:\Windows\System\oSZdVaU.exe

Filesize
5.2MB

MD5
1ad8403929657b96ade5f4e058b82a78

SHA1
c333e32a6a45c23508c34a4370e484a04836dd7d

SHA256
b7115c44a4333058ec35660ae28f74f653c8d02e4c86830bded745a86e2a30a5

SHA512
f8098b430a5ecdf796a4fdaba333b59f6017c0519eb5b3eeed2000a81251800dd00d223d16b1585900d1108a7bad81e523ef58152999bd9a7655bed481e3c344

Download Submit
C:\Windows\System\tHmALvH.exe

Filesize
5.2MB

MD5
12a5b83e3e835e5401f6b946911daabf

SHA1
51d82e110a99dda07b3ff0beed5d8aef2f1f076b

SHA256
01313bcfb867816eeff1e43dd7f291fe90b71a7f138eac87aa6ed4b15b1b43e5

SHA512
24d3cead2f23335364ff56b4520283ae3289a285c3435b9e0ec1cc7d1893e1334cbf5f3b9c09af07d04a9b6c50cc267b6ba3a423e2f9d48f5a68d1a6197bbefb

Download Submit
C:\Windows\System\wplgnPf.exe

Filesize
5.2MB

MD5
f73cc479eaed2c989889fdb233d1c655

SHA1
6af6a837d32c68e2fb9500e630d6f81c9e5400e2

SHA256
2907653c4502b98c2b8a903bca5a0d6b8df32a704823041f21f4092bb57fc335

SHA512
20aaeb8970d7638c9db63778d14b5cfb12ec6d9a90e7f527e26e6888ad4839347298e96e165891eb8f45f798a69002d66b2099139cc6807a1ba87df5e08937ac

Download Submit
C:\Windows\System\xpktoXp.exe

Filesize
5.2MB

MD5
8c801897bf6742971576a730e46771a0

SHA1
ff20d7938491cac3fd7382686741c765bc13a7df

SHA256
cbb92dd50d5a0dcd0e8028de87443151ce2f2eb6897240e374e54672a369130b

SHA512
424e25dfb6501644b651287c9549c2e893af06c350cd7db7360535bcf578e68e9e01bbfc999c60f94bdb60150d6f01921a4a54c0f73e36ce4b665c66720be06e

Download Submit
memory/780-58-0x00007FF749D20000-0x00007FF74A071000-memory.dmp

Filesize
3.3MB

Download
memory/780-226-0x00007FF749D20000-0x00007FF74A071000-memory.dmp

Filesize
3.3MB

Download
memory/1096-256-0x00007FF75A020000-0x00007FF75A371000-memory.dmp

Filesize
3.3MB

Download
memory/1096-125-0x00007FF75A020000-0x00007FF75A371000-memory.dmp

Filesize
3.3MB

Download
memory/1096-149-0x00007FF75A020000-0x00007FF75A371000-memory.dmp

Filesize
3.3MB

Download
memory/1348-124-0x00007FF725ED0000-0x00007FF726221000-memory.dmp

Filesize
3.3MB

Download
memory/1348-258-0x00007FF725ED0000-0x00007FF726221000-memory.dmp

Filesize
3.3MB

Download
memory/1348-146-0x00007FF725ED0000-0x00007FF726221000-memory.dmp

Filesize
3.3MB

Download
memory/1660-224-0x00007FF7BCE70000-0x00007FF7BD1C1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-76-0x00007FF7BCE70000-0x00007FF7BD1C1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-244-0x00007FF7DFCA0000-0x00007FF7DFFF1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-91-0x00007FF7DFCA0000-0x00007FF7DFFF1000-memory.dmp

Filesize
3.3MB

Download
memory/1816-120-0x00007FF69D480000-0x00007FF69D7D1000-memory.dmp

Filesize
3.3MB

Download
memory/1816-252-0x00007FF69D480000-0x00007FF69D7D1000-memory.dmp

Filesize
3.3MB

Download
memory/1816-147-0x00007FF69D480000-0x00007FF69D7D1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-202-0x00007FF7CFB60000-0x00007FF7CFEB1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-8-0x00007FF7CFB60000-0x00007FF7CFEB1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-129-0x00007FF7CFB60000-0x00007FF7CFEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2124-234-0x00007FF77D980000-0x00007FF77DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2124-88-0x00007FF77D980000-0x00007FF77DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2256-230-0x00007FF757A80000-0x00007FF757DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2256-82-0x00007FF757A80000-0x00007FF757DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-61-0x00007FF6C4430000-0x00007FF6C4781000-memory.dmp

Filesize
3.3MB

Download
memory/2664-218-0x00007FF6C4430000-0x00007FF6C4781000-memory.dmp

Filesize
3.3MB

Download
memory/2700-151-0x00007FF7AA8F0000-0x00007FF7AAC41000-memory.dmp

Filesize
3.3MB

Download
memory/2700-0-0x00007FF7AA8F0000-0x00007FF7AAC41000-memory.dmp

Filesize
3.3MB

Download
memory/2700-1-0x0000028CA25C0000-0x0000028CA25D0000-memory.dmp

Filesize
64KB

Download
memory/2700-128-0x00007FF7AA8F0000-0x00007FF7AAC41000-memory.dmp

Filesize
3.3MB

Download
memory/2700-150-0x00007FF7AA8F0000-0x00007FF7AAC41000-memory.dmp

Filesize
3.3MB

Download
memory/3136-242-0x00007FF6E4F80000-0x00007FF6E52D1000-memory.dmp

Filesize
3.3MB

Download
memory/3136-87-0x00007FF6E4F80000-0x00007FF6E52D1000-memory.dmp

Filesize
3.3MB

Download
memory/3200-232-0x00007FF6575C0000-0x00007FF657911000-memory.dmp

Filesize
3.3MB

Download
memory/3200-81-0x00007FF6575C0000-0x00007FF657911000-memory.dmp

Filesize
3.3MB

Download
memory/3344-222-0x00007FF7A30D0000-0x00007FF7A3421000-memory.dmp

Filesize
3.3MB

Download
memory/3344-54-0x00007FF7A30D0000-0x00007FF7A3421000-memory.dmp

Filesize
3.3MB

Download
memory/3696-144-0x00007FF6F6720000-0x00007FF6F6A71000-memory.dmp

Filesize
3.3MB

Download
memory/3696-248-0x00007FF6F6720000-0x00007FF6F6A71000-memory.dmp

Filesize
3.3MB

Download
memory/3696-105-0x00007FF6F6720000-0x00007FF6F6A71000-memory.dmp

Filesize
3.3MB

Download
memory/3884-44-0x00007FF6DFDA0000-0x00007FF6E00F1000-memory.dmp

Filesize
3.3MB

Download
memory/3884-132-0x00007FF6DFDA0000-0x00007FF6E00F1000-memory.dmp

Filesize
3.3MB

Download
memory/3884-220-0x00007FF6DFDA0000-0x00007FF6E00F1000-memory.dmp

Filesize
3.3MB

Download
memory/3916-23-0x00007FF654840000-0x00007FF654B91000-memory.dmp

Filesize
3.3MB

Download
memory/3916-216-0x00007FF654840000-0x00007FF654B91000-memory.dmp

Filesize
3.3MB

Download
memory/3916-130-0x00007FF654840000-0x00007FF654B91000-memory.dmp

Filesize
3.3MB

Download
memory/3972-250-0x00007FF7EF860000-0x00007FF7EFBB1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-110-0x00007FF7EF860000-0x00007FF7EFBB1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-145-0x00007FF7EF860000-0x00007FF7EFBB1000-memory.dmp

Filesize
3.3MB

Download
memory/4044-141-0x00007FF7EB890000-0x00007FF7EBBE1000-memory.dmp

Filesize
3.3MB

Download
memory/4044-246-0x00007FF7EB890000-0x00007FF7EBBE1000-memory.dmp

Filesize
3.3MB

Download
memory/4044-86-0x00007FF7EB890000-0x00007FF7EBBE1000-memory.dmp

Filesize
3.3MB

Download
memory/4168-136-0x00007FF6BB470000-0x00007FF6BB7C1000-memory.dmp

Filesize
3.3MB

Download
memory/4168-57-0x00007FF6BB470000-0x00007FF6BB7C1000-memory.dmp

Filesize
3.3MB

Download
memory/4168-228-0x00007FF6BB470000-0x00007FF6BB7C1000-memory.dmp

Filesize
3.3MB

Download
memory/4436-254-0x00007FF6E54B0000-0x00007FF6E5801000-memory.dmp

Filesize
3.3MB

Download
memory/4436-122-0x00007FF6E54B0000-0x00007FF6E5801000-memory.dmp

Filesize
3.3MB

Download
memory/5108-33-0x00007FF6EF850000-0x00007FF6EFBA1000-memory.dmp

Filesize
3.3MB

Download
memory/5108-212-0x00007FF6EF850000-0x00007FF6EFBA1000-memory.dmp

Filesize
3.3MB

Download