cobaltstrike | f8fa98b4213364ac3cce2bdb936697d59bcfcae8c60d84286b317e355cf4471b

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4fe41d35119e9a5ff2c367eaf2e28ee7
SHA1

13a55883a332b9f5652cf8552d8a0f93271a0e2b
SHA256

f8fa98b4213364ac3cce2bdb936697d59bcfcae8c60d84286b317e355cf4471b
SHA512

2fb90c17169a3e00c8574478f155720376ad93e80809ebdbae14cb0d2b6fa5af86f5dafdb50c0b1a83d5ca7d2e67078288b965bb3f8745e2098303f487e5a29f
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lz:RWWBibf56utgpPFotBER/mQ32lUX

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000900000002343c-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-21.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-38.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-49.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023449-57.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-70.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-87.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-68.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-128.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-93.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/5084-85-0x00007FF6D9080000-0x00007FF6D93D1000-memory.dmp	xmrig
behavioral2/memory/4172-79-0x00007FF679830000-0x00007FF679B81000-memory.dmp	xmrig
behavioral2/memory/4028-33-0x00007FF745E10000-0x00007FF746161000-memory.dmp	xmrig
behavioral2/memory/3680-18-0x00007FF742B50000-0x00007FF742EA1000-memory.dmp	xmrig
behavioral2/memory/1860-89-0x00007FF7778C0000-0x00007FF777C11000-memory.dmp	xmrig
behavioral2/memory/2772-94-0x00007FF654980000-0x00007FF654CD1000-memory.dmp	xmrig
behavioral2/memory/640-106-0x00007FF6CF480000-0x00007FF6CF7D1000-memory.dmp	xmrig
behavioral2/memory/1304-117-0x00007FF6F1400000-0x00007FF6F1751000-memory.dmp	xmrig
behavioral2/memory/2268-134-0x00007FF61E870000-0x00007FF61EBC1000-memory.dmp	xmrig
behavioral2/memory/1784-133-0x00007FF7A8D10000-0x00007FF7A9061000-memory.dmp	xmrig
behavioral2/memory/924-131-0x00007FF64B400000-0x00007FF64B751000-memory.dmp	xmrig
behavioral2/memory/1184-126-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp	xmrig
behavioral2/memory/4000-125-0x00007FF679DF0000-0x00007FF67A141000-memory.dmp	xmrig
behavioral2/memory/3064-116-0x00007FF6F3B40000-0x00007FF6F3E91000-memory.dmp	xmrig
behavioral2/memory/264-140-0x00007FF602A70000-0x00007FF602DC1000-memory.dmp	xmrig
behavioral2/memory/4172-141-0x00007FF679830000-0x00007FF679B81000-memory.dmp	xmrig
behavioral2/memory/3012-156-0x00007FF78C6B0000-0x00007FF78CA01000-memory.dmp	xmrig
behavioral2/memory/4092-157-0x00007FF7978D0000-0x00007FF797C21000-memory.dmp	xmrig
behavioral2/memory/3652-158-0x00007FF70B250000-0x00007FF70B5A1000-memory.dmp	xmrig
behavioral2/memory/5052-160-0x00007FF750280000-0x00007FF7505D1000-memory.dmp	xmrig
behavioral2/memory/2132-159-0x00007FF63A360000-0x00007FF63A6B1000-memory.dmp	xmrig
behavioral2/memory/4120-168-0x00007FF6D5080000-0x00007FF6D53D1000-memory.dmp	xmrig
behavioral2/memory/1212-167-0x00007FF68C940000-0x00007FF68CC91000-memory.dmp	xmrig
behavioral2/memory/4172-169-0x00007FF679830000-0x00007FF679B81000-memory.dmp	xmrig
behavioral2/memory/5084-225-0x00007FF6D9080000-0x00007FF6D93D1000-memory.dmp	xmrig
behavioral2/memory/3680-227-0x00007FF742B50000-0x00007FF742EA1000-memory.dmp	xmrig
behavioral2/memory/1860-229-0x00007FF7778C0000-0x00007FF777C11000-memory.dmp	xmrig
behavioral2/memory/4028-231-0x00007FF745E10000-0x00007FF746161000-memory.dmp	xmrig
behavioral2/memory/2772-233-0x00007FF654980000-0x00007FF654CD1000-memory.dmp	xmrig
behavioral2/memory/3064-235-0x00007FF6F3B40000-0x00007FF6F3E91000-memory.dmp	xmrig
behavioral2/memory/640-241-0x00007FF6CF480000-0x00007FF6CF7D1000-memory.dmp	xmrig
behavioral2/memory/1304-243-0x00007FF6F1400000-0x00007FF6F1751000-memory.dmp	xmrig
behavioral2/memory/924-246-0x00007FF64B400000-0x00007FF64B751000-memory.dmp	xmrig
behavioral2/memory/1184-247-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp	xmrig
behavioral2/memory/4000-249-0x00007FF679DF0000-0x00007FF67A141000-memory.dmp	xmrig
behavioral2/memory/264-251-0x00007FF602A70000-0x00007FF602DC1000-memory.dmp	xmrig
behavioral2/memory/2268-253-0x00007FF61E870000-0x00007FF61EBC1000-memory.dmp	xmrig
behavioral2/memory/1784-255-0x00007FF7A8D10000-0x00007FF7A9061000-memory.dmp	xmrig
behavioral2/memory/3012-261-0x00007FF78C6B0000-0x00007FF78CA01000-memory.dmp	xmrig
behavioral2/memory/4092-263-0x00007FF7978D0000-0x00007FF797C21000-memory.dmp	xmrig
behavioral2/memory/3652-268-0x00007FF70B250000-0x00007FF70B5A1000-memory.dmp	xmrig
behavioral2/memory/5052-270-0x00007FF750280000-0x00007FF7505D1000-memory.dmp	xmrig
behavioral2/memory/1212-272-0x00007FF68C940000-0x00007FF68CC91000-memory.dmp	xmrig
behavioral2/memory/4120-274-0x00007FF6D5080000-0x00007FF6D53D1000-memory.dmp	xmrig
behavioral2/memory/2132-276-0x00007FF63A360000-0x00007FF63A6B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5084	rjIelLA.exe
3680	sUlfyrL.exe
1860	yXEpegu.exe
2772	JWirNOV.exe
4028	qnGoxrj.exe
3064	zubbzjX.exe
640	DpLdPnq.exe
4000	ZVFXxSb.exe
1304	UtehtoN.exe
924	OlbBZBz.exe
1184	wqpLLai.exe
1784	jLzErvk.exe
2268	CtDsvNd.exe
264	XysoNhn.exe
3012	JiVhbwf.exe
4092	EmYVVqx.exe
3652	gvFLgTf.exe
2132	gOkunDc.exe
5052	qWIWRUI.exe
4120	uZdHzmp.exe
1212	rhKHMrB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4172-0-0x00007FF679830000-0x00007FF679B81000-memory.dmp	upx
behavioral2/files/0x000900000002343c-5.dat	upx
behavioral2/memory/5084-8-0x00007FF6D9080000-0x00007FF6D93D1000-memory.dmp	upx
behavioral2/files/0x0007000000023455-10.dat	upx
behavioral2/files/0x0007000000023456-11.dat	upx
behavioral2/files/0x0007000000023457-21.dat	upx
behavioral2/files/0x000700000002345a-38.dat	upx
behavioral2/files/0x000700000002345b-49.dat	upx
behavioral2/files/0x000b000000023449-57.dat	upx
behavioral2/memory/1184-59-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp	upx
behavioral2/files/0x000700000002345e-70.dat	upx
behavioral2/memory/1784-75-0x00007FF7A8D10000-0x00007FF7A9061000-memory.dmp	upx
behavioral2/files/0x000700000002345f-83.dat	upx
behavioral2/files/0x0007000000023460-87.dat	upx
behavioral2/memory/264-86-0x00007FF602A70000-0x00007FF602DC1000-memory.dmp	upx
behavioral2/memory/5084-85-0x00007FF6D9080000-0x00007FF6D93D1000-memory.dmp	upx
behavioral2/memory/4172-79-0x00007FF679830000-0x00007FF679B81000-memory.dmp	upx
behavioral2/memory/2268-78-0x00007FF61E870000-0x00007FF61EBC1000-memory.dmp	upx
behavioral2/files/0x000700000002345d-68.dat	upx
behavioral2/memory/924-66-0x00007FF64B400000-0x00007FF64B751000-memory.dmp	upx
behavioral2/files/0x000700000002345c-63.dat	upx
behavioral2/memory/1304-58-0x00007FF6F1400000-0x00007FF6F1751000-memory.dmp	upx
behavioral2/memory/4000-53-0x00007FF679DF0000-0x00007FF67A141000-memory.dmp	upx
behavioral2/files/0x0007000000023459-43.dat	upx
behavioral2/memory/3064-42-0x00007FF6F3B40000-0x00007FF6F3E91000-memory.dmp	upx
behavioral2/memory/640-39-0x00007FF6CF480000-0x00007FF6CF7D1000-memory.dmp	upx
behavioral2/memory/4028-33-0x00007FF745E10000-0x00007FF746161000-memory.dmp	upx
behavioral2/memory/2772-31-0x00007FF654980000-0x00007FF654CD1000-memory.dmp	upx
behavioral2/files/0x0007000000023458-29.dat	upx
behavioral2/memory/1860-22-0x00007FF7778C0000-0x00007FF777C11000-memory.dmp	upx
behavioral2/memory/3680-18-0x00007FF742B50000-0x00007FF742EA1000-memory.dmp	upx
behavioral2/memory/1860-89-0x00007FF7778C0000-0x00007FF777C11000-memory.dmp	upx
behavioral2/memory/2772-94-0x00007FF654980000-0x00007FF654CD1000-memory.dmp	upx
behavioral2/files/0x0007000000023462-100.dat	upx
behavioral2/files/0x0007000000023463-108.dat	upx
behavioral2/memory/3652-107-0x00007FF70B250000-0x00007FF70B5A1000-memory.dmp	upx
behavioral2/memory/640-106-0x00007FF6CF480000-0x00007FF6CF7D1000-memory.dmp	upx
behavioral2/memory/4092-101-0x00007FF7978D0000-0x00007FF797C21000-memory.dmp	upx
behavioral2/memory/1304-117-0x00007FF6F1400000-0x00007FF6F1751000-memory.dmp	upx
behavioral2/memory/2132-118-0x00007FF63A360000-0x00007FF63A6B1000-memory.dmp	upx
behavioral2/files/0x0007000000023467-123.dat	upx
behavioral2/memory/1212-132-0x00007FF68C940000-0x00007FF68CC91000-memory.dmp	upx
behavioral2/files/0x0007000000023468-135.dat	upx
behavioral2/memory/2268-134-0x00007FF61E870000-0x00007FF61EBC1000-memory.dmp	upx
behavioral2/memory/1784-133-0x00007FF7A8D10000-0x00007FF7A9061000-memory.dmp	upx
behavioral2/memory/924-131-0x00007FF64B400000-0x00007FF64B751000-memory.dmp	upx
behavioral2/memory/4120-129-0x00007FF6D5080000-0x00007FF6D53D1000-memory.dmp	upx
behavioral2/files/0x0007000000023464-128.dat	upx
behavioral2/memory/1184-126-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp	upx
behavioral2/memory/4000-125-0x00007FF679DF0000-0x00007FF67A141000-memory.dmp	upx
behavioral2/memory/5052-119-0x00007FF750280000-0x00007FF7505D1000-memory.dmp	upx
behavioral2/files/0x0007000000023466-121.dat	upx
behavioral2/memory/3064-116-0x00007FF6F3B40000-0x00007FF6F3E91000-memory.dmp	upx
behavioral2/memory/3012-95-0x00007FF78C6B0000-0x00007FF78CA01000-memory.dmp	upx
behavioral2/files/0x0007000000023461-93.dat	upx
behavioral2/memory/264-140-0x00007FF602A70000-0x00007FF602DC1000-memory.dmp	upx
behavioral2/memory/4172-141-0x00007FF679830000-0x00007FF679B81000-memory.dmp	upx
behavioral2/memory/3012-156-0x00007FF78C6B0000-0x00007FF78CA01000-memory.dmp	upx
behavioral2/memory/4092-157-0x00007FF7978D0000-0x00007FF797C21000-memory.dmp	upx
behavioral2/memory/3652-158-0x00007FF70B250000-0x00007FF70B5A1000-memory.dmp	upx
behavioral2/memory/5052-160-0x00007FF750280000-0x00007FF7505D1000-memory.dmp	upx
behavioral2/memory/2132-159-0x00007FF63A360000-0x00007FF63A6B1000-memory.dmp	upx
behavioral2/memory/4120-168-0x00007FF6D5080000-0x00007FF6D53D1000-memory.dmp	upx
behavioral2/memory/1212-167-0x00007FF68C940000-0x00007FF68CC91000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rjIelLA.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yXEpegu.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qnGoxrj.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zubbzjX.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DpLdPnq.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OlbBZBz.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jLzErvk.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JiVhbwf.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JWirNOV.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wqpLLai.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gvFLgTf.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uZdHzmp.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZVFXxSb.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UtehtoN.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CtDsvNd.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gOkunDc.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sUlfyrL.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XysoNhn.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EmYVVqx.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qWIWRUI.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rhKHMrB.exe	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 5084	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4172 wrote to memory of 5084	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4172 wrote to memory of 3680	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4172 wrote to memory of 3680	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4172 wrote to memory of 1860	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4172 wrote to memory of 1860	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4172 wrote to memory of 2772	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4172 wrote to memory of 2772	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4172 wrote to memory of 4028	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4172 wrote to memory of 4028	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4172 wrote to memory of 3064	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4172 wrote to memory of 3064	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4172 wrote to memory of 640	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4172 wrote to memory of 640	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4172 wrote to memory of 4000	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4172 wrote to memory of 4000	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4172 wrote to memory of 1304	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4172 wrote to memory of 1304	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4172 wrote to memory of 924	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4172 wrote to memory of 924	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4172 wrote to memory of 1184	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4172 wrote to memory of 1184	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4172 wrote to memory of 1784	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4172 wrote to memory of 1784	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4172 wrote to memory of 2268	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4172 wrote to memory of 2268	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4172 wrote to memory of 264	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4172 wrote to memory of 264	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4172 wrote to memory of 3012	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4172 wrote to memory of 3012	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4172 wrote to memory of 4092	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4172 wrote to memory of 4092	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4172 wrote to memory of 3652	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4172 wrote to memory of 3652	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4172 wrote to memory of 2132	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4172 wrote to memory of 2132	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4172 wrote to memory of 5052	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4172 wrote to memory of 5052	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4172 wrote to memory of 4120	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4172 wrote to memory of 4120	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4172 wrote to memory of 1212	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4172 wrote to memory of 1212	4172	2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-17_4fe41d35119e9a5ff2c367eaf2e28ee7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\System\rjIelLA.exe
  C:\Windows\System\rjIelLA.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\sUlfyrL.exe
  C:\Windows\System\sUlfyrL.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\yXEpegu.exe
  C:\Windows\System\yXEpegu.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\JWirNOV.exe
  C:\Windows\System\JWirNOV.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\qnGoxrj.exe
  C:\Windows\System\qnGoxrj.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\zubbzjX.exe
  C:\Windows\System\zubbzjX.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\DpLdPnq.exe
  C:\Windows\System\DpLdPnq.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System\ZVFXxSb.exe
  C:\Windows\System\ZVFXxSb.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\UtehtoN.exe
  C:\Windows\System\UtehtoN.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\System\OlbBZBz.exe
  C:\Windows\System\OlbBZBz.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\wqpLLai.exe
  C:\Windows\System\wqpLLai.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\jLzErvk.exe
  C:\Windows\System\jLzErvk.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System\CtDsvNd.exe
  C:\Windows\System\CtDsvNd.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\XysoNhn.exe
  C:\Windows\System\XysoNhn.exe
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\System\JiVhbwf.exe
  C:\Windows\System\JiVhbwf.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\EmYVVqx.exe
  C:\Windows\System\EmYVVqx.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System\gvFLgTf.exe
  C:\Windows\System\gvFLgTf.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\gOkunDc.exe
  C:\Windows\System\gOkunDc.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\qWIWRUI.exe
  C:\Windows\System\qWIWRUI.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\uZdHzmp.exe
  C:\Windows\System\uZdHzmp.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System\rhKHMrB.exe
  C:\Windows\System\rhKHMrB.exe
  2⤵
  - Executes dropped EXE
  PID:1212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CtDsvNd.exe

Filesize
5.2MB

MD5
9f31e48919aee8336518048ed56ca80e

SHA1
cbdf5ed9d3a06f1c6c21e6a9534f90c45f8df3c0

SHA256
8e07b175b825c25e783cc57344f33eef6186ec8b3f10c7824b2a0e5f634cc08d

SHA512
d1a45188476ce086b86225a74f915232841c5474937559c1cfaa46e9b3780e0c9a6ed89893fcec06ee95029f9bf5d8a54b9f8882996671f8b855fc07eec20a40

Download Submit
C:\Windows\System\DpLdPnq.exe

Filesize
5.2MB

MD5
0ca2bbb1712daaf177c01a3c10909334

SHA1
cb7cf245d87c7e003e211be558af446dca928368

SHA256
5df767bd5c97880309ebb0898aaded1996228bb9f71546606c648fce3bada485

SHA512
72c02f6510709018093a9ef4d98510a0d5bc56ec9c9cc1b8e9a174e355008ad0d93802d8a367a579279711ad64c9678a1e8ee1cf70c92a468ab00cb4dc152d44

Download Submit
C:\Windows\System\EmYVVqx.exe

Filesize
5.2MB

MD5
2f8e97f3f668a6a5477be58cb95bb579

SHA1
38b7e94fb11b0e481bc8ed2e32029149387be184

SHA256
adabdc0c6c802cf5e4b3becad8146602074b4a4c8cc33a5d176649f0e00fab17

SHA512
9e6450a35397e68d5e614a8e1734a4cfe527d4399884ad8b452b21b4ead4b404aaa01a66803589d030a1c816211ecfe693fd132da9193324ee24be4759896378

Download Submit
C:\Windows\System\JWirNOV.exe

Filesize
5.2MB

MD5
da970df013ad221bbad3783950f5d62f

SHA1
87e1a5ba76ea3abda910f4e96268bced3a70746a

SHA256
01e37177536084b6572f9f64f7d0b8c636d4b5c08ebfbf21313e30822413c861

SHA512
3192481c4fd683bdd23a22e5d907d50bbf7a5565e33f96eedb10bb1c9f2dd94e0d7eda14bd4973986dd1ef01fa597d713d643b8006b647868bcf53fa20ea993f

Download Submit
C:\Windows\System\JiVhbwf.exe

Filesize
5.2MB

MD5
9efeb42b735ee0237a6ae28321f6fabb

SHA1
9943bb8b5a8c31225985a88ae51a89f96e02ac24

SHA256
182eb7ae446078d0deb8d8a244ce64376c30b9be90e9d05f3c84ab6984c69c99

SHA512
8a64c235f5dc6e3f323a1c8d2ba9ee5237ff99ed400e57c88ac8baff92eb46628ecfead1b0cf8a1f895960ce6475600e8dd1e689ea64b7234e163b1d876888f2

Download Submit
C:\Windows\System\OlbBZBz.exe

Filesize
5.2MB

MD5
b02c706a4a654db8ff3ce43474a06039

SHA1
9d77daf0c547bf8505152f6c2ca169f91e995af1

SHA256
684f00aa7196ee2651b93d8d50316d42f3a18f8b61b1848a45fd75235f08fbd0

SHA512
ba90da730cd2e4cc0d4512b23f1d98c1d672348c2c216b451936eea0b832deeeb75163236e0a5aac52218243af5a2b00ebee8dd7269c66e6907e88f2f6e88d7a

Download Submit
C:\Windows\System\UtehtoN.exe

Filesize
5.2MB

MD5
bfd9ee304379234c8047eed955c886af

SHA1
be84a62a49e0cb8df3da4c866957867db9c9b3a9

SHA256
36214640d42915f66046a1560b7b46af3ccda265783d75dcfeee8392fa5993ed

SHA512
43e7983614662e07c1d609d74b1fee51dddc81d4f3a79328d364180ab6dbe6921f783e8b19f817fd769945a697440df445e9412020a29f267c69da836f2384e4

Download Submit
C:\Windows\System\XysoNhn.exe

Filesize
5.2MB

MD5
2dbd1b5c3e498bf9e03ac99515ffb30c

SHA1
6d01bfb1eddee774589cbaf303a4790c4bd5c6b3

SHA256
661122e6a6bb06b8c86222e1b83c96c2d24bbd298b87a91935663a0957a25414

SHA512
480ac0346cffe4ca7503e88f26f12c21152e2b26ea894d759b5c9cde9ae42a0d6b8129314e6b9ce9150ff98805ed317e43d8caa7185a6d171db3166dbff6a79f

Download Submit
C:\Windows\System\ZVFXxSb.exe

Filesize
5.2MB

MD5
975ecc9a6f7748f52ee6cc32131b9205

SHA1
0012557b132dcf23c9ebbbfa03b8630eff65c32a

SHA256
2b3b3fa3d476d697e337e26d147675d9a885e5ec88afcabc4fce3ebbddf0b087

SHA512
dd8b43d99eae66a296446078cd4050736a3c529edec506e7f7f38b8539648dd2f315750cdae1d9e21688d2dc39a8a3a2c146c0b74e605c4e0eaab1fa472c486b

Download Submit
C:\Windows\System\gOkunDc.exe

Filesize
5.2MB

MD5
3c317b452fbb401be7aac6a1122d362c

SHA1
d4b8c64d8a24211f25e4fe69a2e752de49a37b7c

SHA256
0a125378cb7eb286bc9ac7a746f400364587b03a1622dec29ec71fa06b32b0ea

SHA512
77763fd6a4319617e67756c99cf45d82b3c7db934f6ff08c90c450cf2931ab4ce1c1d4c0781342cef13b7dbeaf348cc81516fa6ba08d1cf6953045a03409d547

Download Submit
C:\Windows\System\gvFLgTf.exe

Filesize
5.2MB

MD5
1c4a5bdd9bbafcd1dd3fd9e64a8fa6ab

SHA1
788be5cbe9563bdfe986c2203444cb86784bb203

SHA256
9d801db1e31675ba7dfbd2d59a6ed4daa7853433839bdb94a961c25212eb53d2

SHA512
b58f6233076e8cdeb67c1d73415c07563410b309c2f0d07031646fc095763fdd2b39a3f872faac429ad359f66e2e1e2957ca1a2beadccb2e3633d4d426d936be

Download Submit
C:\Windows\System\jLzErvk.exe

Filesize
5.2MB

MD5
a6d9f112af9b1809b404a7b552c8c1f6

SHA1
53b0d36254e563d7b1ab1e820c6d0581d55d1b42

SHA256
e9aea2a0fa7abc1e90e37d65fc8bbc6ad8682c4231d0e4c7cefb0ecd5deb1066

SHA512
166ca468f2f9f76750eeccd5210383176421a8e0e70833391177ad2218db13eabe8796ef9643cb8f8aa2db9eeedea1bf1ab6d24c1d69911f80e96ca4a8e3d78f

Download Submit
C:\Windows\System\qWIWRUI.exe

Filesize
5.2MB

MD5
6b915314f79270f716440e0bd21ba403

SHA1
96d1c4c0431cedace3df36045b290b287607be47

SHA256
44dc39e06ba347d2ab740eca8bb2992ce97b08418f9e54644c8d46e4a0490611

SHA512
2bb7fd8011e4458bca56265558d9bb7eb90a4a70447081a47730d4cf93dc629f4e071fb7e3a13955a03a9914b0725949970885b9fab5a291ac328478c2690a6e

Download Submit
C:\Windows\System\qnGoxrj.exe

Filesize
5.2MB

MD5
da2feaafaf4796e44ec395570a3d21b0

SHA1
ba7f2b986bf266b7b5e098293b2bdd86cecdb7d2

SHA256
d576d25e2db459299bc3003251c2246f577e58d2f1a886d72eb160e08a662145

SHA512
8cd3f2d35eeab7acbcb81da8c19600d470baa6ab44e59adfced4e232c5043c84d386de2a385c6d0dfc1ce4f7f79c3bf015ad6a0fc8884ef305ebee4710b7477f

Download Submit
C:\Windows\System\rhKHMrB.exe

Filesize
5.2MB

MD5
9e4a48c3e594cf557245b326d592c62c

SHA1
50bad71f8e0b30d45f3fac9f5281cce6c4653e34

SHA256
ca52830f659ce75bb706c306582480cf70328b76cc05df7a04cbd13929f1d688

SHA512
e15f876103b80d669a414f00e0814ba92ca3c505cc6e9b18e1dac858220a760374d54b9e90d347adfad2887323226df8caf248faf2a16a06bbef6dc12b40f3a7

Download Submit
C:\Windows\System\rjIelLA.exe

Filesize
5.2MB

MD5
808e275ab176132f661f2bcf56a7e1b6

SHA1
4b0cfa768ef0591a37afc8d6759a86e43eea9cee

SHA256
ad8da9cd3a344d27f43c01549e6b6494116c7813d0a7f232d30f0e7ea779f4bf

SHA512
68cff99e104b27047826612070be05dbbdeccefda13124991745466761d8d3fb8def6c01e33be74e518f5a7e72f229a36e8e4835da91f32c4e29aa5eeb2edbcc

Download Submit
C:\Windows\System\sUlfyrL.exe

Filesize
5.2MB

MD5
57116a7825568fd02efbf2ca045763dc

SHA1
2c173e37e23a2610ec8f1a1a641d6707138634ed

SHA256
cf1ac060a02310a6d2012009c8f27212f0d0f87d7ad72aeb80bf613073d235c8

SHA512
57fe27e31c9966c1e997cb63c097594084127dc499f44198ca473c977d781950c9cee1d00fedf9ebf8363be19abe6d7fd14508b4fcfd1a03cd56c36810508c4b

Download Submit
C:\Windows\System\uZdHzmp.exe

Filesize
5.2MB

MD5
ed3175a4072d6ffc0276b191d3550686

SHA1
b55d134e2adee9f9649a3416f2275506bdfcfb28

SHA256
5f5641f544f303507e2a40bad4944ae8b05c890901d5557edb4e39d87223cc28

SHA512
1743c493385a2623a386d89bcb02b540ad4d041732f4cf930303d46220c314501319bd58eb9619ed19a0496fb9c3e43ae377f0d449e296acf01c3904e5c390ad

Download Submit
C:\Windows\System\wqpLLai.exe

Filesize
5.2MB

MD5
b89f04207216c80831e290619b9e684e

SHA1
d44d6688b8e4840dbc845201e209593bfdd253c1

SHA256
8060d952a64458c19e25c4b8879d0fd9d0da70548b804e49fac3e5db84710482

SHA512
2171d990a782870749e3f6c8f2b52b8c45bc5c1acfc8002e424a27258b1ccc8574bee1c3fb170d20735fa799fd1cb61c6f572503a687eabc96983bb44877d1ab

Download Submit
C:\Windows\System\yXEpegu.exe

Filesize
5.2MB

MD5
1ee1b1d6886fa797abd34f101111141a

SHA1
26a683b3090ffcb0f26de1305404a72de17adc3c

SHA256
527f33c155ae0aae457cbb47c5442a8ec3da5b213a24124e7fa77c1412e7030c

SHA512
6d39bbe3eca58bd22db3b9770944e216a5a647cd42aa14cf04a117358827671abae339c9c83b066c36832c5a04b04cbcc51fe2e0e59d61ca8612d129849a613e

Download Submit
C:\Windows\System\zubbzjX.exe

Filesize
5.2MB

MD5
7fc5d9c6ed1cbd8b40fa6d3d66515869

SHA1
7d14b22567a89cfd7749a6c04f5ad16faa0b8822

SHA256
2af1d2ab8ae9f65e4f3d0fbcf492e06fd006ce245951dee2d43fa6383fe0af47

SHA512
d9e90c4c6a5268d21d44122e7e4e2f510f173880bffa94d3b41b0493d38414866df0ebadc96fc96804a9b8df3505a5cd7fb42f984485072bebd412dc8a99fcfa

Download Submit
memory/264-140-0x00007FF602A70000-0x00007FF602DC1000-memory.dmp

Filesize
3.3MB

Download
memory/264-86-0x00007FF602A70000-0x00007FF602DC1000-memory.dmp

Filesize
3.3MB

Download
memory/264-251-0x00007FF602A70000-0x00007FF602DC1000-memory.dmp

Filesize
3.3MB

Download
memory/640-106-0x00007FF6CF480000-0x00007FF6CF7D1000-memory.dmp

Filesize
3.3MB

Download
memory/640-241-0x00007FF6CF480000-0x00007FF6CF7D1000-memory.dmp

Filesize
3.3MB

Download
memory/640-39-0x00007FF6CF480000-0x00007FF6CF7D1000-memory.dmp

Filesize
3.3MB

Download
memory/924-66-0x00007FF64B400000-0x00007FF64B751000-memory.dmp

Filesize
3.3MB

Download
memory/924-131-0x00007FF64B400000-0x00007FF64B751000-memory.dmp

Filesize
3.3MB

Download
memory/924-246-0x00007FF64B400000-0x00007FF64B751000-memory.dmp

Filesize
3.3MB

Download
memory/1184-247-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp

Filesize
3.3MB

Download
memory/1184-59-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp

Filesize
3.3MB

Download
memory/1184-126-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp

Filesize
3.3MB

Download
memory/1212-272-0x00007FF68C940000-0x00007FF68CC91000-memory.dmp

Filesize
3.3MB

Download
memory/1212-132-0x00007FF68C940000-0x00007FF68CC91000-memory.dmp

Filesize
3.3MB

Download
memory/1212-167-0x00007FF68C940000-0x00007FF68CC91000-memory.dmp

Filesize
3.3MB

Download
memory/1304-243-0x00007FF6F1400000-0x00007FF6F1751000-memory.dmp

Filesize
3.3MB

Download
memory/1304-58-0x00007FF6F1400000-0x00007FF6F1751000-memory.dmp

Filesize
3.3MB

Download
memory/1304-117-0x00007FF6F1400000-0x00007FF6F1751000-memory.dmp

Filesize
3.3MB

Download
memory/1784-255-0x00007FF7A8D10000-0x00007FF7A9061000-memory.dmp

Filesize
3.3MB

Download
memory/1784-133-0x00007FF7A8D10000-0x00007FF7A9061000-memory.dmp

Filesize
3.3MB

Download
memory/1784-75-0x00007FF7A8D10000-0x00007FF7A9061000-memory.dmp

Filesize
3.3MB

Download
memory/1860-229-0x00007FF7778C0000-0x00007FF777C11000-memory.dmp

Filesize
3.3MB

Download
memory/1860-89-0x00007FF7778C0000-0x00007FF777C11000-memory.dmp

Filesize
3.3MB

Download
memory/1860-22-0x00007FF7778C0000-0x00007FF777C11000-memory.dmp

Filesize
3.3MB

Download
memory/2132-159-0x00007FF63A360000-0x00007FF63A6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-118-0x00007FF63A360000-0x00007FF63A6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-276-0x00007FF63A360000-0x00007FF63A6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2268-78-0x00007FF61E870000-0x00007FF61EBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2268-253-0x00007FF61E870000-0x00007FF61EBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2268-134-0x00007FF61E870000-0x00007FF61EBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-94-0x00007FF654980000-0x00007FF654CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-233-0x00007FF654980000-0x00007FF654CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-31-0x00007FF654980000-0x00007FF654CD1000-memory.dmp

Filesize
3.3MB

Download
memory/3012-95-0x00007FF78C6B0000-0x00007FF78CA01000-memory.dmp

Filesize
3.3MB

Download
memory/3012-261-0x00007FF78C6B0000-0x00007FF78CA01000-memory.dmp

Filesize
3.3MB

Download
memory/3012-156-0x00007FF78C6B0000-0x00007FF78CA01000-memory.dmp

Filesize
3.3MB

Download
memory/3064-116-0x00007FF6F3B40000-0x00007FF6F3E91000-memory.dmp

Filesize
3.3MB

Download
memory/3064-42-0x00007FF6F3B40000-0x00007FF6F3E91000-memory.dmp

Filesize
3.3MB

Download
memory/3064-235-0x00007FF6F3B40000-0x00007FF6F3E91000-memory.dmp

Filesize
3.3MB

Download
memory/3652-268-0x00007FF70B250000-0x00007FF70B5A1000-memory.dmp

Filesize
3.3MB

Download
memory/3652-107-0x00007FF70B250000-0x00007FF70B5A1000-memory.dmp

Filesize
3.3MB

Download
memory/3652-158-0x00007FF70B250000-0x00007FF70B5A1000-memory.dmp

Filesize
3.3MB

Download
memory/3680-227-0x00007FF742B50000-0x00007FF742EA1000-memory.dmp

Filesize
3.3MB

Download
memory/3680-18-0x00007FF742B50000-0x00007FF742EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4000-53-0x00007FF679DF0000-0x00007FF67A141000-memory.dmp

Filesize
3.3MB

Download
memory/4000-125-0x00007FF679DF0000-0x00007FF67A141000-memory.dmp

Filesize
3.3MB

Download
memory/4000-249-0x00007FF679DF0000-0x00007FF67A141000-memory.dmp

Filesize
3.3MB

Download
memory/4028-231-0x00007FF745E10000-0x00007FF746161000-memory.dmp

Filesize
3.3MB

Download
memory/4028-33-0x00007FF745E10000-0x00007FF746161000-memory.dmp

Filesize
3.3MB

Download
memory/4092-263-0x00007FF7978D0000-0x00007FF797C21000-memory.dmp

Filesize
3.3MB

Download
memory/4092-101-0x00007FF7978D0000-0x00007FF797C21000-memory.dmp

Filesize
3.3MB

Download
memory/4092-157-0x00007FF7978D0000-0x00007FF797C21000-memory.dmp

Filesize
3.3MB

Download
memory/4120-129-0x00007FF6D5080000-0x00007FF6D53D1000-memory.dmp

Filesize
3.3MB

Download
memory/4120-168-0x00007FF6D5080000-0x00007FF6D53D1000-memory.dmp

Filesize
3.3MB

Download
memory/4120-274-0x00007FF6D5080000-0x00007FF6D53D1000-memory.dmp

Filesize
3.3MB

Download
memory/4172-141-0x00007FF679830000-0x00007FF679B81000-memory.dmp

Filesize
3.3MB

Download
memory/4172-79-0x00007FF679830000-0x00007FF679B81000-memory.dmp

Filesize
3.3MB

Download
memory/4172-1-0x000001C93F9C0000-0x000001C93F9D0000-memory.dmp

Filesize
64KB

Download
memory/4172-0-0x00007FF679830000-0x00007FF679B81000-memory.dmp

Filesize
3.3MB

Download
memory/4172-169-0x00007FF679830000-0x00007FF679B81000-memory.dmp

Filesize
3.3MB

Download
memory/5052-119-0x00007FF750280000-0x00007FF7505D1000-memory.dmp

Filesize
3.3MB

Download
memory/5052-270-0x00007FF750280000-0x00007FF7505D1000-memory.dmp

Filesize
3.3MB

Download
memory/5052-160-0x00007FF750280000-0x00007FF7505D1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-8-0x00007FF6D9080000-0x00007FF6D93D1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-225-0x00007FF6D9080000-0x00007FF6D93D1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-85-0x00007FF6D9080000-0x00007FF6D93D1000-memory.dmp

Filesize
3.3MB

Download