cobaltstrike | 65ace0cf8021d667fb9a5c17d61c220ae4d1d2d340c725d29668adcad432959a

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2ba4231eed5377cd8e45a86fa7636aee
SHA1

489281ba612c709d404900d043fec4eef2541065
SHA256

65ace0cf8021d667fb9a5c17d61c220ae4d1d2d340c725d29668adcad432959a
SHA512

8ae0db5492c00445cf00ec8d47e7763f12a07c0958a152515a986f0c26bbe55abbf332e766603bf1d47541e35c87a1a9ae82db552f79980f7546519bed26783b
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lJ:RWWBibd56utgpPFotBER/mQ32lUV

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023cc1-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-16.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-23.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cbf-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc8-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cca-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc9-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccf-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd5-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cce-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd0-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd1-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccd-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd4-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd3-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccc-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd2-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccb-92.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4956-54-0x00007FF654D60000-0x00007FF6550B1000-memory.dmp	xmrig
behavioral2/memory/2888-61-0x00007FF798270000-0x00007FF7985C1000-memory.dmp	xmrig
behavioral2/memory/4592-84-0x00007FF7D47E0000-0x00007FF7D4B31000-memory.dmp	xmrig
behavioral2/memory/4956-118-0x00007FF654D60000-0x00007FF6550B1000-memory.dmp	xmrig
behavioral2/memory/5108-126-0x00007FF6930E0000-0x00007FF693431000-memory.dmp	xmrig
behavioral2/memory/4400-130-0x00007FF657000000-0x00007FF657351000-memory.dmp	xmrig
behavioral2/memory/4108-132-0x00007FF6D1290000-0x00007FF6D15E1000-memory.dmp	xmrig
behavioral2/memory/2388-131-0x00007FF613950000-0x00007FF613CA1000-memory.dmp	xmrig
behavioral2/memory/4912-128-0x00007FF78C280000-0x00007FF78C5D1000-memory.dmp	xmrig
behavioral2/memory/4064-127-0x00007FF736AB0000-0x00007FF736E01000-memory.dmp	xmrig
behavioral2/memory/3164-125-0x00007FF749900000-0x00007FF749C51000-memory.dmp	xmrig
behavioral2/memory/4548-124-0x00007FF6E3920000-0x00007FF6E3C71000-memory.dmp	xmrig
behavioral2/memory/4672-105-0x00007FF732D10000-0x00007FF733061000-memory.dmp	xmrig
behavioral2/memory/2268-100-0x00007FF671FE0000-0x00007FF672331000-memory.dmp	xmrig
behavioral2/memory/4276-140-0x00007FF729E90000-0x00007FF72A1E1000-memory.dmp	xmrig
behavioral2/memory/4228-142-0x00007FF70A780000-0x00007FF70AAD1000-memory.dmp	xmrig
behavioral2/memory/372-145-0x00007FF679B40000-0x00007FF679E91000-memory.dmp	xmrig
behavioral2/memory/4012-144-0x00007FF66BC70000-0x00007FF66BFC1000-memory.dmp	xmrig
behavioral2/memory/4956-154-0x00007FF654D60000-0x00007FF6550B1000-memory.dmp	xmrig
behavioral2/memory/3140-141-0x00007FF7E9130000-0x00007FF7E9481000-memory.dmp	xmrig
behavioral2/memory/1664-139-0x00007FF7AA2D0000-0x00007FF7AA621000-memory.dmp	xmrig
behavioral2/memory/1844-138-0x00007FF747D80000-0x00007FF7480D1000-memory.dmp	xmrig
behavioral2/memory/2132-137-0x00007FF79C590000-0x00007FF79C8E1000-memory.dmp	xmrig
behavioral2/memory/212-136-0x00007FF7175E0000-0x00007FF717931000-memory.dmp	xmrig
behavioral2/memory/2888-204-0x00007FF798270000-0x00007FF7985C1000-memory.dmp	xmrig
behavioral2/memory/4592-207-0x00007FF7D47E0000-0x00007FF7D4B31000-memory.dmp	xmrig
behavioral2/memory/2268-208-0x00007FF671FE0000-0x00007FF672331000-memory.dmp	xmrig
behavioral2/memory/212-216-0x00007FF7175E0000-0x00007FF717931000-memory.dmp	xmrig
behavioral2/memory/2132-218-0x00007FF79C590000-0x00007FF79C8E1000-memory.dmp	xmrig
behavioral2/memory/1664-220-0x00007FF7AA2D0000-0x00007FF7AA621000-memory.dmp	xmrig
behavioral2/memory/1844-222-0x00007FF747D80000-0x00007FF7480D1000-memory.dmp	xmrig
behavioral2/memory/3140-237-0x00007FF7E9130000-0x00007FF7E9481000-memory.dmp	xmrig
behavioral2/memory/4276-235-0x00007FF729E90000-0x00007FF72A1E1000-memory.dmp	xmrig
behavioral2/memory/4672-240-0x00007FF732D10000-0x00007FF733061000-memory.dmp	xmrig
behavioral2/memory/4228-242-0x00007FF70A780000-0x00007FF70AAD1000-memory.dmp	xmrig
behavioral2/memory/4548-246-0x00007FF6E3920000-0x00007FF6E3C71000-memory.dmp	xmrig
behavioral2/memory/4012-245-0x00007FF66BC70000-0x00007FF66BFC1000-memory.dmp	xmrig
behavioral2/memory/3164-248-0x00007FF749900000-0x00007FF749C51000-memory.dmp	xmrig
behavioral2/memory/4064-250-0x00007FF736AB0000-0x00007FF736E01000-memory.dmp	xmrig
behavioral2/memory/2388-252-0x00007FF613950000-0x00007FF613CA1000-memory.dmp	xmrig
behavioral2/memory/372-260-0x00007FF679B40000-0x00007FF679E91000-memory.dmp	xmrig
behavioral2/memory/4108-262-0x00007FF6D1290000-0x00007FF6D15E1000-memory.dmp	xmrig
behavioral2/memory/4400-257-0x00007FF657000000-0x00007FF657351000-memory.dmp	xmrig
behavioral2/memory/4912-255-0x00007FF78C280000-0x00007FF78C5D1000-memory.dmp	xmrig
behavioral2/memory/5108-259-0x00007FF6930E0000-0x00007FF693431000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2888	jGMGCzm.exe
4592	ECyRTGN.exe
2268	WXgXpAk.exe
212	wUxawVA.exe
2132	WMXlgVv.exe
1844	uDFoDAS.exe
1664	eNNAMOW.exe
4276	GLISbBn.exe
3140	FYzvqEr.exe
4228	ccrHmbt.exe
4672	nLwghVa.exe
4012	xZyWYZI.exe
372	GSPQuYC.exe
4548	nknaXRI.exe
3164	SVnCixz.exe
5108	CuMOJkf.exe
4064	edbPDCQ.exe
4912	jmAdbsr.exe
4400	sNtbNnb.exe
2388	HlJvpUp.exe
4108	cpjsIMh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4956-0-0x00007FF654D60000-0x00007FF6550B1000-memory.dmp	upx
behavioral2/files/0x0008000000023cc1-5.dat	upx
behavioral2/memory/2888-7-0x00007FF798270000-0x00007FF7985C1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc2-11.dat	upx
behavioral2/files/0x0007000000023cc3-16.dat	upx
behavioral2/memory/2268-17-0x00007FF671FE0000-0x00007FF672331000-memory.dmp	upx
behavioral2/memory/4592-12-0x00007FF7D47E0000-0x00007FF7D4B31000-memory.dmp	upx
behavioral2/files/0x0007000000023cc4-23.dat	upx
behavioral2/memory/212-25-0x00007FF7175E0000-0x00007FF717931000-memory.dmp	upx
behavioral2/files/0x0008000000023cbf-33.dat	upx
behavioral2/files/0x0007000000023cc6-32.dat	upx
behavioral2/memory/2132-34-0x00007FF79C590000-0x00007FF79C8E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc7-38.dat	upx
behavioral2/memory/1844-36-0x00007FF747D80000-0x00007FF7480D1000-memory.dmp	upx
behavioral2/memory/1664-40-0x00007FF7AA2D0000-0x00007FF7AA621000-memory.dmp	upx
behavioral2/memory/4276-48-0x00007FF729E90000-0x00007FF72A1E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc8-49.dat	upx
behavioral2/memory/4956-54-0x00007FF654D60000-0x00007FF6550B1000-memory.dmp	upx
behavioral2/files/0x0007000000023cca-60.dat	upx
behavioral2/memory/4228-62-0x00007FF70A780000-0x00007FF70AAD1000-memory.dmp	upx
behavioral2/memory/2888-61-0x00007FF798270000-0x00007FF7985C1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc9-58.dat	upx
behavioral2/memory/3140-57-0x00007FF7E9130000-0x00007FF7E9481000-memory.dmp	upx
behavioral2/memory/4592-84-0x00007FF7D47E0000-0x00007FF7D4B31000-memory.dmp	upx
behavioral2/files/0x0007000000023ccf-90.dat	upx
behavioral2/files/0x0007000000023cd5-97.dat	upx
behavioral2/files/0x0007000000023cce-101.dat	upx
behavioral2/memory/4956-118-0x00007FF654D60000-0x00007FF6550B1000-memory.dmp	upx
behavioral2/memory/372-123-0x00007FF679B40000-0x00007FF679E91000-memory.dmp	upx
behavioral2/memory/5108-126-0x00007FF6930E0000-0x00007FF693431000-memory.dmp	upx
behavioral2/memory/4400-130-0x00007FF657000000-0x00007FF657351000-memory.dmp	upx
behavioral2/memory/4108-132-0x00007FF6D1290000-0x00007FF6D15E1000-memory.dmp	upx
behavioral2/memory/2388-131-0x00007FF613950000-0x00007FF613CA1000-memory.dmp	upx
behavioral2/memory/4912-128-0x00007FF78C280000-0x00007FF78C5D1000-memory.dmp	upx
behavioral2/memory/4064-127-0x00007FF736AB0000-0x00007FF736E01000-memory.dmp	upx
behavioral2/memory/3164-125-0x00007FF749900000-0x00007FF749C51000-memory.dmp	upx
behavioral2/memory/4548-124-0x00007FF6E3920000-0x00007FF6E3C71000-memory.dmp	upx
behavioral2/memory/4012-117-0x00007FF66BC70000-0x00007FF66BFC1000-memory.dmp	upx
behavioral2/files/0x0007000000023cd0-113.dat	upx
behavioral2/files/0x0007000000023cd1-112.dat	upx
behavioral2/files/0x0007000000023ccd-108.dat	upx
behavioral2/memory/4672-105-0x00007FF732D10000-0x00007FF733061000-memory.dmp	upx
behavioral2/files/0x0007000000023cd4-104.dat	upx
behavioral2/files/0x0007000000023cd3-103.dat	upx
behavioral2/files/0x0007000000023ccc-107.dat	upx
behavioral2/files/0x0007000000023cd2-106.dat	upx
behavioral2/memory/2268-100-0x00007FF671FE0000-0x00007FF672331000-memory.dmp	upx
behavioral2/files/0x0007000000023ccb-92.dat	upx
behavioral2/memory/4276-140-0x00007FF729E90000-0x00007FF72A1E1000-memory.dmp	upx
behavioral2/memory/4228-142-0x00007FF70A780000-0x00007FF70AAD1000-memory.dmp	upx
behavioral2/memory/372-145-0x00007FF679B40000-0x00007FF679E91000-memory.dmp	upx
behavioral2/memory/4012-144-0x00007FF66BC70000-0x00007FF66BFC1000-memory.dmp	upx
behavioral2/memory/4956-154-0x00007FF654D60000-0x00007FF6550B1000-memory.dmp	upx
behavioral2/memory/3140-141-0x00007FF7E9130000-0x00007FF7E9481000-memory.dmp	upx
behavioral2/memory/1664-139-0x00007FF7AA2D0000-0x00007FF7AA621000-memory.dmp	upx
behavioral2/memory/1844-138-0x00007FF747D80000-0x00007FF7480D1000-memory.dmp	upx
behavioral2/memory/2132-137-0x00007FF79C590000-0x00007FF79C8E1000-memory.dmp	upx
behavioral2/memory/212-136-0x00007FF7175E0000-0x00007FF717931000-memory.dmp	upx
behavioral2/memory/2888-204-0x00007FF798270000-0x00007FF7985C1000-memory.dmp	upx
behavioral2/memory/4592-207-0x00007FF7D47E0000-0x00007FF7D4B31000-memory.dmp	upx
behavioral2/memory/2268-208-0x00007FF671FE0000-0x00007FF672331000-memory.dmp	upx
behavioral2/memory/212-216-0x00007FF7175E0000-0x00007FF717931000-memory.dmp	upx
behavioral2/memory/2132-218-0x00007FF79C590000-0x00007FF79C8E1000-memory.dmp	upx
behavioral2/memory/1664-220-0x00007FF7AA2D0000-0x00007FF7AA621000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\jmAdbsr.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nknaXRI.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CuMOJkf.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GLISbBn.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xZyWYZI.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GSPQuYC.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HlJvpUp.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cpjsIMh.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WXgXpAk.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wUxawVA.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eNNAMOW.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FYzvqEr.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nLwghVa.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jGMGCzm.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WMXlgVv.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ccrHmbt.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SVnCixz.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\edbPDCQ.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sNtbNnb.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ECyRTGN.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uDFoDAS.exe	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2888	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4956 wrote to memory of 2888	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4956 wrote to memory of 4592	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4956 wrote to memory of 4592	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4956 wrote to memory of 2268	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4956 wrote to memory of 2268	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4956 wrote to memory of 212	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4956 wrote to memory of 212	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4956 wrote to memory of 2132	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4956 wrote to memory of 2132	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4956 wrote to memory of 1844	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4956 wrote to memory of 1844	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4956 wrote to memory of 1664	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4956 wrote to memory of 1664	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4956 wrote to memory of 4276	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4956 wrote to memory of 4276	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4956 wrote to memory of 3140	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4956 wrote to memory of 3140	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4956 wrote to memory of 4228	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4956 wrote to memory of 4228	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4956 wrote to memory of 4672	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4956 wrote to memory of 4672	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4956 wrote to memory of 4012	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4956 wrote to memory of 4012	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4956 wrote to memory of 372	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4956 wrote to memory of 372	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4956 wrote to memory of 4548	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4956 wrote to memory of 4548	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4956 wrote to memory of 3164	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4956 wrote to memory of 3164	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4956 wrote to memory of 5108	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4956 wrote to memory of 5108	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4956 wrote to memory of 4064	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4956 wrote to memory of 4064	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4956 wrote to memory of 4912	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4956 wrote to memory of 4912	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4956 wrote to memory of 4400	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4956 wrote to memory of 4400	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4956 wrote to memory of 2388	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4956 wrote to memory of 2388	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4956 wrote to memory of 4108	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4956 wrote to memory of 4108	4956	2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-28_2ba4231eed5377cd8e45a86fa7636aee_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\System\jGMGCzm.exe
  C:\Windows\System\jGMGCzm.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\ECyRTGN.exe
  C:\Windows\System\ECyRTGN.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\WXgXpAk.exe
  C:\Windows\System\WXgXpAk.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\wUxawVA.exe
  C:\Windows\System\wUxawVA.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\WMXlgVv.exe
  C:\Windows\System\WMXlgVv.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\uDFoDAS.exe
  C:\Windows\System\uDFoDAS.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\eNNAMOW.exe
  C:\Windows\System\eNNAMOW.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\GLISbBn.exe
  C:\Windows\System\GLISbBn.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\FYzvqEr.exe
  C:\Windows\System\FYzvqEr.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System\ccrHmbt.exe
  C:\Windows\System\ccrHmbt.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System\nLwghVa.exe
  C:\Windows\System\nLwghVa.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\xZyWYZI.exe
  C:\Windows\System\xZyWYZI.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\GSPQuYC.exe
  C:\Windows\System\GSPQuYC.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System\nknaXRI.exe
  C:\Windows\System\nknaXRI.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System\SVnCixz.exe
  C:\Windows\System\SVnCixz.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\CuMOJkf.exe
  C:\Windows\System\CuMOJkf.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\edbPDCQ.exe
  C:\Windows\System\edbPDCQ.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\jmAdbsr.exe
  C:\Windows\System\jmAdbsr.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\sNtbNnb.exe
  C:\Windows\System\sNtbNnb.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\HlJvpUp.exe
  C:\Windows\System\HlJvpUp.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\cpjsIMh.exe
  C:\Windows\System\cpjsIMh.exe
  2⤵
  - Executes dropped EXE
  PID:4108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CuMOJkf.exe

Filesize
5.2MB

MD5
9e55dba0f0c0323769c8fe20e90dbf25

SHA1
2bef189266d5132325ce7c65c84cf144c734ebf9

SHA256
91abde6a2b5ed0ec99efacb762bf183a80de1edf7556606b54af0320f24782b5

SHA512
4dc1408091f6cfc06c58bb54863cfff6dcd158b6173cfaae3063e436e04ef9f0a672e8ffed56e3975ce482a7a8981002325c93f4ebe2e0fbae41a2817417a267

Download Submit
C:\Windows\System\ECyRTGN.exe

Filesize
5.2MB

MD5
307c6f77d3910713b8b21d540cad17d7

SHA1
d3c807b67abe2a69d1042f3d82edb41fb917c790

SHA256
b77a28e04a2c48b76e2cec1b12accc4f12cc45c2c5d1556ed10e9d7d5c30077b

SHA512
3083eeaee5fe35fdab94d2d800c90dfcb1850dcd470f06aa5ef514f6a5545f0e0469de36771d73ac79144a0b7628b6f400152ec4e84a74ce946624d8773ec038

Download Submit
C:\Windows\System\FYzvqEr.exe

Filesize
5.2MB

MD5
aee2d8d10fc6c5007b3b2f5214af3e9c

SHA1
632f1a9a3f7c13f514810930e1b332fa656108ef

SHA256
703921dd0507829215a72a584f1aeb0bc94587fdac7975c12357ea9245c9eb1e

SHA512
415dc1de08fd42700cd4bb02e82872fc57fe4ddd63132df3ca18222a1f1f222d00814fd1d1dcf2436bc4da593c283c7af5542ea4ab6fb73dc06a33ad25836d01

Download Submit
C:\Windows\System\GLISbBn.exe

Filesize
5.2MB

MD5
015cf7d7a6a3a01cec274f839ab247dd

SHA1
7f423599bfe23f9d48fd20423a8c7b7187573c7b

SHA256
041600c2e68b4599da8f8dbd5b22aa92fefa28d938d2810d525a5708c8296885

SHA512
f284943576fe91f56be5dc97e109b6e05b52ae677945c9ce4f3405459a54540ef1749ee65905a4f281cb9ab36d6a8ed5a01ddd3f240ac08d89e0119744f9086e

Download Submit
C:\Windows\System\GSPQuYC.exe

Filesize
5.2MB

MD5
989b161cf8943a0cdcac509480d265fe

SHA1
24fbe887f17ec102ecd8657e1ac5c78725f31890

SHA256
e72af758d7723050e419649881ecc909873148c9d46ddcdd6c6317a08d9d597c

SHA512
e9cf750df559259548096cc9fcc526fd668426444b75d58ab0658988aee588d71b568b8d2015b29f984d504c60f845a62c65e5c625e456fde4e600816b84fdc4

Download Submit
C:\Windows\System\HlJvpUp.exe

Filesize
5.2MB

MD5
8c6b5fbc6bb7dfce52b4259dc146e72c

SHA1
2e720078bf4ab52012a5259a422e47b3506e6726

SHA256
c2addf6c5b057b53cd05bab06ba27fa724b03bb37987f6c6b6e70284afb07f78

SHA512
5c16e06003eeb934b4faf1077a4adbc0401eb291c4d6a56d9c713069118eb96b409d75fc5aee0073c73be092719854d425b39861e7d7d4648fd4b5dcc88fd7ee

Download Submit
C:\Windows\System\SVnCixz.exe

Filesize
5.2MB

MD5
015a5faeaa96eeb1119a57b544b9ff1d

SHA1
f41e363cccb6aba22274137caeb3837a482a42de

SHA256
2618cb8c9a9678cd9a402da3d6f89f37526599648f6c91e719e949a22b9f8b9b

SHA512
cb13ee65972fad90000b6747932449f9f67c61c1b4c729f061757dbaf04ed127f31c246e885998f4bfc3a8f240f8ac0474bdc2d90552b88cfad9e9082f2c4bf3

Download Submit
C:\Windows\System\WMXlgVv.exe

Filesize
5.2MB

MD5
32096db81f8b6b79f1f9efcd958c8163

SHA1
a1e0ba1288ba35e1c824e7c867c97c13eaf59226

SHA256
8b2421fc4d557bfca9cb6ae70d789dc78bbdcffadebd415312c5725a19628f04

SHA512
a1fb1049ac55e1fa2b0ccd01d4d736242a5d70eee00aa1cef1d7a248310dea7dd16707a03e64b9cfbdb17f53393137d3df5ec0650a3828627c354101ce128cb7

Download Submit
C:\Windows\System\WXgXpAk.exe

Filesize
5.2MB

MD5
f5f433a805605b8d92090fdb1296d552

SHA1
f3a955e3d22a7d09ecf49205194d52c4486cb4ae

SHA256
5d77fb6de3de3c1a90e3979fcd36f5673ad30cc151e689dace47478dfeab7a6a

SHA512
b221b6adfefcbcd85bae7f0012be26849c8354957627a8b748fc55e1fff22bf11b60fd7ca7120f84acdc70cc7336d334cffd2f6ffc3441a3890062b26a52ec3d

Download Submit
C:\Windows\System\ccrHmbt.exe

Filesize
5.2MB

MD5
8d5c9ab4c2e8625a6d87aa3bb21d1b60

SHA1
94aa195e8249c703407ae20846909bf5ec003ecd

SHA256
c05ee5303edf11508bf7f0f3e092c9b01c392040e948d444ae4f53b1fec569cc

SHA512
b78ca7f32e5f54e5c775b04bdfe67cab939789c6b4e632d0d5aac772f178ad911c3e03a0a724fda773c2bfc2a8ac59f085e4cb488328da3eabee1fd1005d593f

Download Submit
C:\Windows\System\cpjsIMh.exe

Filesize
5.2MB

MD5
50b87448e46fca1a270a75058a075c9e

SHA1
dbbc5f89a0d42923e1e4ac9431760a95a9b3ad85

SHA256
697fd2f848d3e67b83b0132d5da41b0ca2efefe0d4b6ac2b3f3ca0f7b78e9a10

SHA512
615b2fb455d6fc26991a20264315659e1e8a85ca628e98083ef2b3d93f49d9eff0fd93992c99794a29674502da6d21bd70aa7b78a952a8e20b663e712cb51c2a

Download Submit
C:\Windows\System\eNNAMOW.exe

Filesize
5.2MB

MD5
ca89eb4f39b893a4deaf6a4915d74fbb

SHA1
60a0e5edc52f05bb03a764dd64e346314a387507

SHA256
e91f711058ed4ce654a21dcadf6d62b31476c48e2a942517d3b3b1703a0d5ba6

SHA512
bc2827f499d9ca6823a92bc290efea743aaf476227dc07058a27de24021a231dbda7abc20dbe9cd6d4965a9f9cc0bb2411eefac0f3fde7fd7f677a722fd14d12

Download Submit
C:\Windows\System\edbPDCQ.exe

Filesize
5.2MB

MD5
63fe3f886e7de420a439fc1e28fa0318

SHA1
2b190364db7a6072d07f4ad88e0786c301f7f6c5

SHA256
8a230c8f26d3a09ed000dfbd6da91c6315fb436ec30597da5d49fbf33dcc4a9d

SHA512
37f72f00adbfb2bb1355de7c8e1eb3a770d892babdd3fafbe82147fcce06c93c4d8569de0bdeeec4e8fb987960ab8463ecbaa73b998929fb4b998605fbc3c6c8

Download Submit
C:\Windows\System\jGMGCzm.exe

Filesize
5.2MB

MD5
ddf5b24fc0f561b0d775673a2ad53079

SHA1
fda9ddc92eae70b55649bebf5d059d66bd5a63c2

SHA256
58fefbc5d3d244252fcfd9c1d5f9be9f38b8a39a37cdc962b29a00a3188871ac

SHA512
300247793fb7fb796a89f2c6480e67ba64c41bf329597cf7656b65a0d4746bdbe159e72d5f2ba267b9227532332174a330f02977315f49358e809526b5055c06

Download Submit
C:\Windows\System\jmAdbsr.exe

Filesize
5.2MB

MD5
f8ee0832268ff267a69b4a6ec8362a79

SHA1
3cfde28543e2786ea52a3cb71c248a9e3956854b

SHA256
551a13391336712df88043985884fd70e5de4fce7eb88ffca33d3044e17fa915

SHA512
bda170a198b2c429e5501e8b549902f5163149c73f391b5f040c6136dbf273e75957e49dbabb2177e701e61f9d4469932dcdfa262d036e9a6d5fb488b8705b99

Download Submit
C:\Windows\System\nLwghVa.exe

Filesize
5.2MB

MD5
472d791b664aec8e3d2a3b18f0136fa8

SHA1
a9d619ea916a9c7d2ef44d978ddaee5fd1097461

SHA256
b6ebc7758865148c0b06a49c8092525e4d5aca2b7a46e5c6c4aa329f83449eb8

SHA512
9383b7aea142b7723e798062ff0f7494f544865f9bec76b1239c606086483a6ca745f8c12c9ebaf262efc9bd2213a3d86e0a40de57f3bbba394a71b46ffbad66

Download Submit
C:\Windows\System\nknaXRI.exe

Filesize
5.2MB

MD5
6e38b6caff3c1024ea15f7835c1b5b9f

SHA1
6432c39f873b3f0fddefc9338367a434e1ca6b2a

SHA256
23dad737b7b566a6cda31b0d61787ed8b7eb18fa0ff6954cb6ac7612b2d31581

SHA512
88f21d8fbc88773dcf4fa25bd83af8d48c578937ede0ce5267d1e771bd49bc7c8f4c8c28304759dc311699581b41934d5127ec3401ac009590b8edec8139ef31

Download Submit
C:\Windows\System\sNtbNnb.exe

Filesize
5.2MB

MD5
b835a3fd0fc76e3801bff4651569114b

SHA1
dfb86212a6c1ba74793b70cd3de402f320823d37

SHA256
2309f2ec74aa0013a881c8274f06e6cee4003a20052941f5285351c442fc4f27

SHA512
a384d01363fbf633151c27c1459d969928fd53bda305ed22adc2d7f656a701d2feb3ec2e0cdd4e820539064792ba4f53e9ff732beb5fb0bce12e6c0f674afde4

Download Submit
C:\Windows\System\uDFoDAS.exe

Filesize
5.2MB

MD5
a1cf61285bebbb7a93939e2849bff44a

SHA1
39b9f9557d6e17c1e44b3375d2a53e6aabafc7ef

SHA256
1c0992ce60030fe475f28cd47cb4fe39d5c0d7a4db49d87f40a8aaa759d6ceb9

SHA512
c285ae22e30a9ec2c1079cfdcd1e000fbc5bbffc0787044a0f274ccf10eec099b0fcfc7e4b0acd3642151041ebcb6a3f4f354b9bb6a11f738f2fd43580abffcc

Download Submit
C:\Windows\System\wUxawVA.exe

Filesize
5.2MB

MD5
d5613c678b843545510066eb793f0b37

SHA1
a72b46abf4578f6f6b85e7aeeba2004e35d10373

SHA256
3f52c311c43f417d3f1d3b11f3711c1a708cbfccfb9d54f237b3653f272ab6f1

SHA512
558ce6a1cd5bb6b2f5c089ec5952bb0e5d9103f1e296dda2099b5f99b9d8c4fbaa998503f437716656de5f1a9ea73f114416cc19ff1cb3ecfe29f62a6734013b

Download Submit
C:\Windows\System\xZyWYZI.exe

Filesize
5.2MB

MD5
1921d792f019e6eb3a6f12a918197a4e

SHA1
a5867026e2c9cb039e2c21791e0d7654a20d0a10

SHA256
55d176a6c969be4fe1eb7583ab19fac2143bafebd14740e4069fa3d64fc8fc79

SHA512
188d939c134f64b9db29f4ce596e3eaaffa07a96961ad45c09ab05da078468e2dc9979cc916ea04f494f87ff6e61a8b10b7378ef65b665e2117b2ec9b28836d7

Download Submit
memory/212-216-0x00007FF7175E0000-0x00007FF717931000-memory.dmp

Filesize
3.3MB

Download
memory/212-136-0x00007FF7175E0000-0x00007FF717931000-memory.dmp

Filesize
3.3MB

Download
memory/212-25-0x00007FF7175E0000-0x00007FF717931000-memory.dmp

Filesize
3.3MB

Download
memory/372-123-0x00007FF679B40000-0x00007FF679E91000-memory.dmp

Filesize
3.3MB

Download
memory/372-260-0x00007FF679B40000-0x00007FF679E91000-memory.dmp

Filesize
3.3MB

Download
memory/372-145-0x00007FF679B40000-0x00007FF679E91000-memory.dmp

Filesize
3.3MB

Download
memory/1664-139-0x00007FF7AA2D0000-0x00007FF7AA621000-memory.dmp

Filesize
3.3MB

Download
memory/1664-220-0x00007FF7AA2D0000-0x00007FF7AA621000-memory.dmp

Filesize
3.3MB

Download
memory/1664-40-0x00007FF7AA2D0000-0x00007FF7AA621000-memory.dmp

Filesize
3.3MB

Download
memory/1844-222-0x00007FF747D80000-0x00007FF7480D1000-memory.dmp

Filesize
3.3MB

Download
memory/1844-36-0x00007FF747D80000-0x00007FF7480D1000-memory.dmp

Filesize
3.3MB

Download
memory/1844-138-0x00007FF747D80000-0x00007FF7480D1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-34-0x00007FF79C590000-0x00007FF79C8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-218-0x00007FF79C590000-0x00007FF79C8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-137-0x00007FF79C590000-0x00007FF79C8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2268-208-0x00007FF671FE0000-0x00007FF672331000-memory.dmp

Filesize
3.3MB

Download
memory/2268-100-0x00007FF671FE0000-0x00007FF672331000-memory.dmp

Filesize
3.3MB

Download
memory/2268-17-0x00007FF671FE0000-0x00007FF672331000-memory.dmp

Filesize
3.3MB

Download
memory/2388-131-0x00007FF613950000-0x00007FF613CA1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-252-0x00007FF613950000-0x00007FF613CA1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-61-0x00007FF798270000-0x00007FF7985C1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-204-0x00007FF798270000-0x00007FF7985C1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-7-0x00007FF798270000-0x00007FF7985C1000-memory.dmp

Filesize
3.3MB

Download
memory/3140-237-0x00007FF7E9130000-0x00007FF7E9481000-memory.dmp

Filesize
3.3MB

Download
memory/3140-57-0x00007FF7E9130000-0x00007FF7E9481000-memory.dmp

Filesize
3.3MB

Download
memory/3140-141-0x00007FF7E9130000-0x00007FF7E9481000-memory.dmp

Filesize
3.3MB

Download
memory/3164-248-0x00007FF749900000-0x00007FF749C51000-memory.dmp

Filesize
3.3MB

Download
memory/3164-125-0x00007FF749900000-0x00007FF749C51000-memory.dmp

Filesize
3.3MB

Download
memory/4012-144-0x00007FF66BC70000-0x00007FF66BFC1000-memory.dmp

Filesize
3.3MB

Download
memory/4012-245-0x00007FF66BC70000-0x00007FF66BFC1000-memory.dmp

Filesize
3.3MB

Download
memory/4012-117-0x00007FF66BC70000-0x00007FF66BFC1000-memory.dmp

Filesize
3.3MB

Download
memory/4064-250-0x00007FF736AB0000-0x00007FF736E01000-memory.dmp

Filesize
3.3MB

Download
memory/4064-127-0x00007FF736AB0000-0x00007FF736E01000-memory.dmp

Filesize
3.3MB

Download
memory/4108-132-0x00007FF6D1290000-0x00007FF6D15E1000-memory.dmp

Filesize
3.3MB

Download
memory/4108-262-0x00007FF6D1290000-0x00007FF6D15E1000-memory.dmp

Filesize
3.3MB

Download
memory/4228-142-0x00007FF70A780000-0x00007FF70AAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4228-62-0x00007FF70A780000-0x00007FF70AAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4228-242-0x00007FF70A780000-0x00007FF70AAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4276-140-0x00007FF729E90000-0x00007FF72A1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4276-235-0x00007FF729E90000-0x00007FF72A1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4276-48-0x00007FF729E90000-0x00007FF72A1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4400-130-0x00007FF657000000-0x00007FF657351000-memory.dmp

Filesize
3.3MB

Download
memory/4400-257-0x00007FF657000000-0x00007FF657351000-memory.dmp

Filesize
3.3MB

Download
memory/4548-246-0x00007FF6E3920000-0x00007FF6E3C71000-memory.dmp

Filesize
3.3MB

Download
memory/4548-124-0x00007FF6E3920000-0x00007FF6E3C71000-memory.dmp

Filesize
3.3MB

Download
memory/4592-12-0x00007FF7D47E0000-0x00007FF7D4B31000-memory.dmp

Filesize
3.3MB

Download
memory/4592-207-0x00007FF7D47E0000-0x00007FF7D4B31000-memory.dmp

Filesize
3.3MB

Download
memory/4592-84-0x00007FF7D47E0000-0x00007FF7D4B31000-memory.dmp

Filesize
3.3MB

Download
memory/4672-105-0x00007FF732D10000-0x00007FF733061000-memory.dmp

Filesize
3.3MB

Download
memory/4672-240-0x00007FF732D10000-0x00007FF733061000-memory.dmp

Filesize
3.3MB

Download
memory/4912-255-0x00007FF78C280000-0x00007FF78C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4912-128-0x00007FF78C280000-0x00007FF78C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-1-0x0000024DBB770000-0x0000024DBB780000-memory.dmp

Filesize
64KB

Download
memory/4956-154-0x00007FF654D60000-0x00007FF6550B1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-54-0x00007FF654D60000-0x00007FF6550B1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-118-0x00007FF654D60000-0x00007FF6550B1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-0-0x00007FF654D60000-0x00007FF6550B1000-memory.dmp

Filesize
3.3MB

Download
memory/5108-126-0x00007FF6930E0000-0x00007FF693431000-memory.dmp

Filesize
3.3MB

Download
memory/5108-259-0x00007FF6930E0000-0x00007FF693431000-memory.dmp

Filesize
3.3MB

Download