cobaltstrike | 91259be9c86bf8034a3febb5e887dbc77344de37539e9175b028e4899ad4df9f

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

8994ae92d415ab0ac2334077a90f1e44
SHA1

eb39920e631d8e6031ca320de8a9a42870700bad
SHA256

91259be9c86bf8034a3febb5e887dbc77344de37539e9175b028e4899ad4df9f
SHA512

2777fb63f8249a845392631b3ad50595b7a331d14a2db6f9de046256aec94b312511695efd36ee237cf53dcf36ea1e59cf33082cb25f7aff9da60264e6742c68
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lQ:RWWBibf56utgpPFotBER/mQ32lU0

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023c6c-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c79-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7a-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7c-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7d-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7f-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7e-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7b-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-59.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023c71-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c81-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c82-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c86-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-130.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-146.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-139.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3448-57-0x00007FF6BD300000-0x00007FF6BD651000-memory.dmp	xmrig
behavioral2/memory/3644-68-0x00007FF76B8E0000-0x00007FF76BC31000-memory.dmp	xmrig
behavioral2/memory/2892-61-0x00007FF7CB660000-0x00007FF7CB9B1000-memory.dmp	xmrig
behavioral2/memory/232-77-0x00007FF6B1670000-0x00007FF6B19C1000-memory.dmp	xmrig
behavioral2/memory/5076-85-0x00007FF7E8F70000-0x00007FF7E92C1000-memory.dmp	xmrig
behavioral2/memory/4808-91-0x00007FF711490000-0x00007FF7117E1000-memory.dmp	xmrig
behavioral2/memory/2660-99-0x00007FF688C90000-0x00007FF688FE1000-memory.dmp	xmrig
behavioral2/memory/4136-105-0x00007FF770200000-0x00007FF770551000-memory.dmp	xmrig
behavioral2/memory/1372-104-0x00007FF783CC0000-0x00007FF784011000-memory.dmp	xmrig
behavioral2/memory/2544-101-0x00007FF71F010000-0x00007FF71F361000-memory.dmp	xmrig
behavioral2/memory/2468-81-0x00007FF7FC120000-0x00007FF7FC471000-memory.dmp	xmrig
behavioral2/memory/4888-79-0x00007FF71D400000-0x00007FF71D751000-memory.dmp	xmrig
behavioral2/memory/4288-119-0x00007FF713A40000-0x00007FF713D91000-memory.dmp	xmrig
behavioral2/memory/4044-129-0x00007FF76B390000-0x00007FF76B6E1000-memory.dmp	xmrig
behavioral2/memory/2404-144-0x00007FF6DA7B0000-0x00007FF6DAB01000-memory.dmp	xmrig
behavioral2/memory/3232-145-0x00007FF6062B0000-0x00007FF606601000-memory.dmp	xmrig
behavioral2/memory/2408-143-0x00007FF70BC10000-0x00007FF70BF61000-memory.dmp	xmrig
behavioral2/memory/2240-141-0x00007FF778550000-0x00007FF7788A1000-memory.dmp	xmrig
behavioral2/memory/2432-150-0x00007FF604F10000-0x00007FF605261000-memory.dmp	xmrig
behavioral2/memory/3664-151-0x00007FF76D200000-0x00007FF76D551000-memory.dmp	xmrig
behavioral2/memory/1980-157-0x00007FF7CEB60000-0x00007FF7CEEB1000-memory.dmp	xmrig
behavioral2/memory/3448-160-0x00007FF6BD300000-0x00007FF6BD651000-memory.dmp	xmrig
behavioral2/memory/2668-174-0x00007FF7ABFB0000-0x00007FF7AC301000-memory.dmp	xmrig
behavioral2/memory/3448-182-0x00007FF6BD300000-0x00007FF6BD651000-memory.dmp	xmrig
behavioral2/memory/2892-209-0x00007FF7CB660000-0x00007FF7CB9B1000-memory.dmp	xmrig
behavioral2/memory/3644-218-0x00007FF76B8E0000-0x00007FF76BC31000-memory.dmp	xmrig
behavioral2/memory/232-220-0x00007FF6B1670000-0x00007FF6B19C1000-memory.dmp	xmrig
behavioral2/memory/2468-224-0x00007FF7FC120000-0x00007FF7FC471000-memory.dmp	xmrig
behavioral2/memory/5076-223-0x00007FF7E8F70000-0x00007FF7E92C1000-memory.dmp	xmrig
behavioral2/memory/4808-227-0x00007FF711490000-0x00007FF7117E1000-memory.dmp	xmrig
behavioral2/memory/2660-228-0x00007FF688C90000-0x00007FF688FE1000-memory.dmp	xmrig
behavioral2/memory/4136-230-0x00007FF770200000-0x00007FF770551000-memory.dmp	xmrig
behavioral2/memory/1372-232-0x00007FF783CC0000-0x00007FF784011000-memory.dmp	xmrig
behavioral2/memory/4288-240-0x00007FF713A40000-0x00007FF713D91000-memory.dmp	xmrig
behavioral2/memory/2404-242-0x00007FF6DA7B0000-0x00007FF6DAB01000-memory.dmp	xmrig
behavioral2/memory/4888-249-0x00007FF71D400000-0x00007FF71D751000-memory.dmp	xmrig
behavioral2/memory/2432-251-0x00007FF604F10000-0x00007FF605261000-memory.dmp	xmrig
behavioral2/memory/3664-253-0x00007FF76D200000-0x00007FF76D551000-memory.dmp	xmrig
behavioral2/memory/2544-255-0x00007FF71F010000-0x00007FF71F361000-memory.dmp	xmrig
behavioral2/memory/1980-257-0x00007FF7CEB60000-0x00007FF7CEEB1000-memory.dmp	xmrig
behavioral2/memory/4044-264-0x00007FF76B390000-0x00007FF76B6E1000-memory.dmp	xmrig
behavioral2/memory/2240-266-0x00007FF778550000-0x00007FF7788A1000-memory.dmp	xmrig
behavioral2/memory/3232-269-0x00007FF6062B0000-0x00007FF606601000-memory.dmp	xmrig
behavioral2/memory/2408-270-0x00007FF70BC10000-0x00007FF70BF61000-memory.dmp	xmrig
behavioral2/memory/2668-272-0x00007FF7ABFB0000-0x00007FF7AC301000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2892	CgNIIin.exe
3644	mkZpDOm.exe
232	gRXeAcb.exe
2468	JcWAiRW.exe
5076	qIGLzhv.exe
4808	cTLWjpY.exe
2660	gqTPNHp.exe
1372	KlQxVAj.exe
4136	dNtkdBr.exe
4288	HcLyrje.exe
2404	lCsLFPi.exe
4888	YgZmUKS.exe
2432	yLGKoqI.exe
3664	FWkiTIf.exe
2544	RmFKQBD.exe
1980	TGRwiRd.exe
4044	VWAKKui.exe
2240	SfVfqRf.exe
2408	RxFNZCg.exe
3232	BmiXJLI.exe
2668	uCnIsxP.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3448-0-0x00007FF6BD300000-0x00007FF6BD651000-memory.dmp	upx
behavioral2/files/0x0009000000023c6c-5.dat	upx
behavioral2/memory/2892-6-0x00007FF7CB660000-0x00007FF7CB9B1000-memory.dmp	upx
behavioral2/files/0x0007000000023c78-11.dat	upx
behavioral2/files/0x0007000000023c79-10.dat	upx
behavioral2/memory/3644-13-0x00007FF76B8E0000-0x00007FF76BC31000-memory.dmp	upx
behavioral2/files/0x0007000000023c7a-22.dat	upx
behavioral2/files/0x0007000000023c7c-35.dat	upx
behavioral2/files/0x0007000000023c7d-48.dat	upx
behavioral2/memory/1372-51-0x00007FF783CC0000-0x00007FF784011000-memory.dmp	upx
behavioral2/files/0x0007000000023c7f-55.dat	upx
behavioral2/files/0x0007000000023c7e-53.dat	upx
behavioral2/memory/4136-52-0x00007FF770200000-0x00007FF770551000-memory.dmp	upx
behavioral2/memory/2660-44-0x00007FF688C90000-0x00007FF688FE1000-memory.dmp	upx
behavioral2/memory/4808-36-0x00007FF711490000-0x00007FF7117E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c7b-31.dat	upx
behavioral2/memory/5076-29-0x00007FF7E8F70000-0x00007FF7E92C1000-memory.dmp	upx
behavioral2/memory/2468-24-0x00007FF7FC120000-0x00007FF7FC471000-memory.dmp	upx
behavioral2/memory/232-18-0x00007FF6B1670000-0x00007FF6B19C1000-memory.dmp	upx
behavioral2/memory/3448-57-0x00007FF6BD300000-0x00007FF6BD651000-memory.dmp	upx
behavioral2/files/0x0007000000023c80-59.dat	upx
behavioral2/memory/4288-62-0x00007FF713A40000-0x00007FF713D91000-memory.dmp	upx
behavioral2/files/0x000a000000023c71-70.dat	upx
behavioral2/memory/2404-69-0x00007FF6DA7B0000-0x00007FF6DAB01000-memory.dmp	upx
behavioral2/memory/3644-68-0x00007FF76B8E0000-0x00007FF76BC31000-memory.dmp	upx
behavioral2/memory/2892-61-0x00007FF7CB660000-0x00007FF7CB9B1000-memory.dmp	upx
behavioral2/files/0x0007000000023c81-75.dat	upx
behavioral2/memory/232-77-0x00007FF6B1670000-0x00007FF6B19C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c83-84.dat	upx
behavioral2/memory/5076-85-0x00007FF7E8F70000-0x00007FF7E92C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c82-88.dat	upx
behavioral2/memory/4808-91-0x00007FF711490000-0x00007FF7117E1000-memory.dmp	upx
behavioral2/memory/3664-90-0x00007FF76D200000-0x00007FF76D551000-memory.dmp	upx
behavioral2/memory/2432-87-0x00007FF604F10000-0x00007FF605261000-memory.dmp	upx
behavioral2/memory/2660-99-0x00007FF688C90000-0x00007FF688FE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c86-103.dat	upx
behavioral2/memory/1980-106-0x00007FF7CEB60000-0x00007FF7CEEB1000-memory.dmp	upx
behavioral2/memory/4136-105-0x00007FF770200000-0x00007FF770551000-memory.dmp	upx
behavioral2/memory/1372-104-0x00007FF783CC0000-0x00007FF784011000-memory.dmp	upx
behavioral2/memory/2544-101-0x00007FF71F010000-0x00007FF71F361000-memory.dmp	upx
behavioral2/files/0x0007000000023c84-97.dat	upx
behavioral2/memory/2468-81-0x00007FF7FC120000-0x00007FF7FC471000-memory.dmp	upx
behavioral2/memory/4888-79-0x00007FF71D400000-0x00007FF71D751000-memory.dmp	upx
behavioral2/memory/4288-119-0x00007FF713A40000-0x00007FF713D91000-memory.dmp	upx
behavioral2/files/0x0007000000023c88-131.dat	upx
behavioral2/files/0x0007000000023c89-130.dat	upx
behavioral2/memory/4044-129-0x00007FF76B390000-0x00007FF76B6E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c87-124.dat	upx
behavioral2/memory/2404-144-0x00007FF6DA7B0000-0x00007FF6DAB01000-memory.dmp	upx
behavioral2/memory/3232-145-0x00007FF6062B0000-0x00007FF606601000-memory.dmp	upx
behavioral2/files/0x0007000000023c8b-146.dat	upx
behavioral2/memory/2668-147-0x00007FF7ABFB0000-0x00007FF7AC301000-memory.dmp	upx
behavioral2/memory/2408-143-0x00007FF70BC10000-0x00007FF70BF61000-memory.dmp	upx
behavioral2/memory/2240-141-0x00007FF778550000-0x00007FF7788A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8a-139.dat	upx
behavioral2/memory/2432-150-0x00007FF604F10000-0x00007FF605261000-memory.dmp	upx
behavioral2/memory/3664-151-0x00007FF76D200000-0x00007FF76D551000-memory.dmp	upx
behavioral2/memory/1980-157-0x00007FF7CEB60000-0x00007FF7CEEB1000-memory.dmp	upx
behavioral2/memory/3448-160-0x00007FF6BD300000-0x00007FF6BD651000-memory.dmp	upx
behavioral2/memory/2668-174-0x00007FF7ABFB0000-0x00007FF7AC301000-memory.dmp	upx
behavioral2/memory/3448-182-0x00007FF6BD300000-0x00007FF6BD651000-memory.dmp	upx
behavioral2/memory/2892-209-0x00007FF7CB660000-0x00007FF7CB9B1000-memory.dmp	upx
behavioral2/memory/3644-218-0x00007FF76B8E0000-0x00007FF76BC31000-memory.dmp	upx
behavioral2/memory/232-220-0x00007FF6B1670000-0x00007FF6B19C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\TGRwiRd.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BmiXJLI.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HcLyrje.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FWkiTIf.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cTLWjpY.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dNtkdBr.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RxFNZCg.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mkZpDOm.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qIGLzhv.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yLGKoqI.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KlQxVAj.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YgZmUKS.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JcWAiRW.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gqTPNHp.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lCsLFPi.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RmFKQBD.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VWAKKui.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SfVfqRf.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CgNIIin.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gRXeAcb.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uCnIsxP.exe	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 2892	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3448 wrote to memory of 2892	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3448 wrote to memory of 3644	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3448 wrote to memory of 3644	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3448 wrote to memory of 232	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3448 wrote to memory of 232	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3448 wrote to memory of 2468	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3448 wrote to memory of 2468	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3448 wrote to memory of 5076	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3448 wrote to memory of 5076	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3448 wrote to memory of 4808	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3448 wrote to memory of 4808	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3448 wrote to memory of 2660	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3448 wrote to memory of 2660	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3448 wrote to memory of 1372	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3448 wrote to memory of 1372	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3448 wrote to memory of 4136	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3448 wrote to memory of 4136	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3448 wrote to memory of 4288	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3448 wrote to memory of 4288	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3448 wrote to memory of 2404	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3448 wrote to memory of 2404	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3448 wrote to memory of 4888	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3448 wrote to memory of 4888	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3448 wrote to memory of 2432	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3448 wrote to memory of 2432	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3448 wrote to memory of 3664	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3448 wrote to memory of 3664	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3448 wrote to memory of 2544	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3448 wrote to memory of 2544	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3448 wrote to memory of 1980	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3448 wrote to memory of 1980	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3448 wrote to memory of 4044	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3448 wrote to memory of 4044	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3448 wrote to memory of 2408	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3448 wrote to memory of 2408	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3448 wrote to memory of 2240	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3448 wrote to memory of 2240	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3448 wrote to memory of 3232	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3448 wrote to memory of 3232	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3448 wrote to memory of 2668	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3448 wrote to memory of 2668	3448	2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_8994ae92d415ab0ac2334077a90f1e44_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\System\CgNIIin.exe
  C:\Windows\System\CgNIIin.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\mkZpDOm.exe
  C:\Windows\System\mkZpDOm.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\gRXeAcb.exe
  C:\Windows\System\gRXeAcb.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\JcWAiRW.exe
  C:\Windows\System\JcWAiRW.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\qIGLzhv.exe
  C:\Windows\System\qIGLzhv.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\cTLWjpY.exe
  C:\Windows\System\cTLWjpY.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\gqTPNHp.exe
  C:\Windows\System\gqTPNHp.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\KlQxVAj.exe
  C:\Windows\System\KlQxVAj.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System\dNtkdBr.exe
  C:\Windows\System\dNtkdBr.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System\HcLyrje.exe
  C:\Windows\System\HcLyrje.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System\lCsLFPi.exe
  C:\Windows\System\lCsLFPi.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\YgZmUKS.exe
  C:\Windows\System\YgZmUKS.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\yLGKoqI.exe
  C:\Windows\System\yLGKoqI.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\FWkiTIf.exe
  C:\Windows\System\FWkiTIf.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\RmFKQBD.exe
  C:\Windows\System\RmFKQBD.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\TGRwiRd.exe
  C:\Windows\System\TGRwiRd.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\VWAKKui.exe
  C:\Windows\System\VWAKKui.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System\RxFNZCg.exe
  C:\Windows\System\RxFNZCg.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\SfVfqRf.exe
  C:\Windows\System\SfVfqRf.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\BmiXJLI.exe
  C:\Windows\System\BmiXJLI.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\uCnIsxP.exe
  C:\Windows\System\uCnIsxP.exe
  2⤵
  - Executes dropped EXE
  PID:2668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BmiXJLI.exe

Filesize
5.2MB

MD5
74720b42523804f6d9060fc41b3a2f3c

SHA1
2f4058d04682af5ddf240653e1443012a85b464d

SHA256
b67e0bc117cbf56b3daa2d03d0d067b66479fd87f11276838389e8a3881fa608

SHA512
498c7c076991d510047c3a0e20aced544a27aebfa1ecfa40bbd525e41361a4a86aa29aee44c1d492598fe0ada8ed40117f4605236b482d163897462c115ebefc

Download Submit
C:\Windows\System\CgNIIin.exe

Filesize
5.2MB

MD5
bb73594f38c7d464519172ca26b8379a

SHA1
7f4225c9f77d4391bc323d4c35f8c4b110807c0c

SHA256
5bf016fcb28f38aee1d1840b6e1ca3c7c3fa79d8319bf749987d1e0db3f41d6c

SHA512
982a8eea4abe4ef8f93c1248262773fa8ab094d7d6e52bbf86a73afecb2f2bd4902149033df73bfc570dd0cd4ac9056222b76cf729ae2f5a953a336670d00fa0

Download Submit
C:\Windows\System\FWkiTIf.exe

Filesize
5.2MB

MD5
df349729aa0b0f90a919555dc5f3975f

SHA1
b9eb233a2fa7f94c4b0c4cd8eb179e7a7486a181

SHA256
e7d3f2e9113c6a012cf854f35e65e3bce155f55488d51a3079523869d5d90486

SHA512
89fb79c154857d908599fd54527429f83c86b7a5dc66bc566d067da15a3cae30fc15e316b6bca5b254d8986357f9d26db0ef09d66bc4bdfe888d1b8f1c3410e3

Download Submit
C:\Windows\System\HcLyrje.exe

Filesize
5.2MB

MD5
95867c35106b8962d01be7cb6efb8f26

SHA1
7a2e0319a742e7bd4936097896c246e9f9577189

SHA256
3c1ef67d09e7f5af88491851b502b9b60c7db7cd69a145da72596579cd15fbb8

SHA512
1be6ee60a841c1a260253e17781dabdbd05aa747ad601b698c793e311253c553b70164dc279ee29f7e51d9b4336e5997ef425350b07ba798fa6b57b5ade04910

Download Submit
C:\Windows\System\JcWAiRW.exe

Filesize
5.2MB

MD5
8f04c42f8ffdef03ccbc841f3b001ed2

SHA1
c24b36db88bd5c3629178fc5124031369e551431

SHA256
ab8a3b6c951524e4479c8025c61fd997dc17efc083d9b0efb4f3da299d09235a

SHA512
1bf625e50d40f061405bf4ca21c231a2791577e4db9cc080e82988f430075e87c67ba58caa1b77e92d76d61ebe5cc439694848a4ebc616c1bd5d3d2b7408b1cd

Download Submit
C:\Windows\System\KlQxVAj.exe

Filesize
5.2MB

MD5
06e8d7a18f86e3a568a17ffb9a5d9026

SHA1
dd148f922d544f25c62e3b765a73650126b788c5

SHA256
243f772f59e2fad0ba694fd14f383ca80c1b614fea49d80eb236828358a949b8

SHA512
beaa9db2b6f9f5e54a0c8150f8a7d1fdb999106c3158c904912c8de81e0817737b9ff595adc7e4fea7079f8acec3dcddf1c8cc1c8f0b99d385a54d2e276884b8

Download Submit
C:\Windows\System\RmFKQBD.exe

Filesize
5.2MB

MD5
8a662e32d375fe7a389aeba2cef0750a

SHA1
1b1f5c5abfc0c812c5346caf7dfbee935fdb4fe8

SHA256
980fea3425649f5c88d6c2305ea282b2734d3a2defa98084231bcf0db7b88d7d

SHA512
ddea974b30dc7f6dad92ac1c756eeef9070da7ff6dc22b5e52c1085354f4ac5c402c67a08eeac807a187f60824f71c6423d87e66029aa07ea49ef35887805a84

Download Submit
C:\Windows\System\RxFNZCg.exe

Filesize
5.2MB

MD5
f0e83fa37450909472e6a77472030efe

SHA1
370106ce37ba8c36642b877bacf92f7258ec0e81

SHA256
39eb0ebb472e666ad438a8e8ac9ec003acd7c54a03cc279ad536862e2fd67f65

SHA512
d0a79b5f883835b68e9ccc66fd7666534b952b4aaa096a2d8f95f8e14f0a79ead238386b5b0495a2015abbdb5e1a16d49e6cbcb06a82ac9bdd7a89fc770fd220

Download Submit
C:\Windows\System\SfVfqRf.exe

Filesize
5.2MB

MD5
4c491dd3fa0dded1b039420c2fe7120b

SHA1
dd33a84e4ecc27f258ec3fc560226227fed1543d

SHA256
3f2c596ef70f768c5e259d5d8af9ebc6324b88e0b5b7c2d8d31869215355f746

SHA512
0db70f01e37ef36cf677b86315d1af71eb26b9a65cceb098b59e06cab2412d298a9e8d7617735e8c5c789149e19e00f9ecd472eff065b51c81dcc66697bd4ad4

Download Submit
C:\Windows\System\TGRwiRd.exe

Filesize
5.2MB

MD5
0b63ccc690e9c0be9b13bb303dca3145

SHA1
f79832e2aa4652855456b598cd89b8bc8c3d02f1

SHA256
270a86196109ab58ff40ab3f069fc7fd3232837c3258c2acaddbc3c8b689cbaa

SHA512
fbb7ebc27fc6c871ae0bd0d087ec395b05264cd1a06efd7fe4d2e0bde644d8e52764b575375fcf6b43640eec5a39ae8d7afcbd08abb3f6d05d74b244f2206967

Download Submit
C:\Windows\System\VWAKKui.exe

Filesize
5.2MB

MD5
6c5ff5429dc2c2195c8cc57ae66ba004

SHA1
bdb183dfb4c7f9db7f75afa9763ee963c708a5af

SHA256
94e7a2af21512a2d464ed60ea57c0c98f2e8d9dfe70b12c9c48c4167c3ee6f2e

SHA512
26be061910a1d2fa3f298628292675ec8f7e0cab8a204b5f20ccce1bfdd1e7d08eb4eaf06fd968c1b2214865b82a04cae603edb330745e7f2870dc201eac4fba

Download Submit
C:\Windows\System\YgZmUKS.exe

Filesize
5.2MB

MD5
36bc2cfe22c54f04193ad1dfa140926f

SHA1
0129bd408d539e6ea832175a7d223fdb87f814ed

SHA256
3b18635a0cc748fd894ec972faded24a5cfd5db968802da36b263d04d1970328

SHA512
3be2302ee4392d34527d1f6ff0602ff3e2c45babb66ec311ca96bd48518bbf755020da9a28d08db66a5e90770e3e55b53766fb79f39af258f37fd748f8f65973

Download Submit
C:\Windows\System\cTLWjpY.exe

Filesize
5.2MB

MD5
1da26dc3d0992c9be90ec813be535e2a

SHA1
fa00217b94f667c88a37d2a10d06718982e2f12a

SHA256
371923822451aeeb83fa2dba204259509c76176a85d90c09368607f6527e622c

SHA512
d239378a78e35a83a77adddb1d5769287484788dd4a72c89dde65d8b6ac4499f39fad8749904686412b9ae7a4d9ce9f5ef9c9a85cd676d9ff644b9df07fa099d

Download Submit
C:\Windows\System\dNtkdBr.exe

Filesize
5.2MB

MD5
3c78efef580d3933cfeee3a43fbb64f0

SHA1
00d9354ea555c83138de8a8c9e6e5e37949addc3

SHA256
3a8aebd6ce775acc62accc25552c37def2d6b44034af57441e6b184b9a02c25a

SHA512
b52d30392803d0cc282d1d327116f53a4ddef011f77ea2e2c8784928062791a349b10c94ab9f539aa25603f7f0e7e10c50bc16ea9cbf2184476c94a2828ca997

Download Submit
C:\Windows\System\gRXeAcb.exe

Filesize
5.2MB

MD5
17983b628cb41cc2e0d5da3c66aab777

SHA1
0ea70490b23a50d1ac627f26e80e37c6bffe4043

SHA256
78dbd60bf3a00596e837fec079b87e763c18ed31f9aa8626c5797ee5aaca12a2

SHA512
00a45baf25fe0fdc9be87e3e667ce340ab69d0701fa60f87b771fc8e3c3eb7f15c1343cfbd0a4d027f4663885f14244bb5e285350c0da424463f87f6fbb2b9e9

Download Submit
C:\Windows\System\gqTPNHp.exe

Filesize
5.2MB

MD5
b1f92214a0ee2c7975c68b50988cc8cd

SHA1
715c8ec23c686e165eea2cb1faef37c1f50b02c2

SHA256
2eda7f828f4f9b558e32d706660796c7c342fae583824fa68051a931ba19616f

SHA512
02cf1fee19c25cdad314c6e428f889d9fde15457e9d5a2d6743a1883fbbbf70f9bcbd5305ff3dc4d5f7406de2905860be1a671158de69fc1fd81320b2a558c19

Download Submit
C:\Windows\System\lCsLFPi.exe

Filesize
5.2MB

MD5
dd1aa833f33e8e6472dac7f79263f0a3

SHA1
71378767bb8d8d403886dd090cafb5956226d363

SHA256
0ef0a974e148f3dadcb53631349b11bfbbda4b9396fea2ef0519ac362ab24a13

SHA512
57fa6b3568a29087b0564afb51381b8b82d6f4b1bdca0965cc64c84896f86b83932dce9ae7cf6596271051cbe9d3e7a1d1d592f56927cfa4267be60e6086e766

Download Submit
C:\Windows\System\mkZpDOm.exe

Filesize
5.2MB

MD5
956bddc5143082074e6d584baa5aa0bb

SHA1
beb6994340a4d4c9b48572bd453ae7dc07ebea04

SHA256
376eb9fafc640e7ce73ca1c6d94b4aaa9a6168c2c07f030741acb82f9036783f

SHA512
b6f91116dcd82dce6976fa9cfa1922ca3937f2c07f040626f54a5f197583a0542f0063002d22c7256aa352a79f5230213517cb6ff686b6402c0f4eda5296525b

Download Submit
C:\Windows\System\qIGLzhv.exe

Filesize
5.2MB

MD5
92c326b3d50afa9f3bdc47fcb6668652

SHA1
710e39364d79c8d62d180b6d50a792e4dbdcba18

SHA256
13c731030c538fe42963ec88f9d1e6b7d4755bf46ce7f7f4392ea661fe95f23b

SHA512
03213218b500a334b21a464950ab2a0a85ace40e0da2a625028817718af254c9f66d9ebf2e8a5e99e32c094745700d17b281213505c3833ad492ef26c61db349

Download Submit
C:\Windows\System\uCnIsxP.exe

Filesize
5.2MB

MD5
bb96c9ea6e8d82b343a8f207aa27f267

SHA1
8ee0296f06378b46439c42439de2ee5eefbe37d9

SHA256
2eaf3589d4e14a23de83fee6bb3f8ea210278be96f3dc3e451ab6e5326dcff51

SHA512
138db08537fca51db129aa9450d3f27a1a4316ec9e4631939006aa3fc9a4506ea2946a5c7d2d7818d744ad9afe6fe7a2f793b4c56e3be6f63aa68e1b30a7a36a

Download Submit
C:\Windows\System\yLGKoqI.exe

Filesize
5.2MB

MD5
7a71ecaa552c7267c776b825e53b9903

SHA1
38350fdbf5507ce7d601d11f4c715007b3a84450

SHA256
406dcdaedea0074f2e3c975546ba0f9c4b20b3c3ed62153dedc284a174f339a0

SHA512
a02bf8f24b279389e7563c7410c2d19c8c40c8355317973659d974228b3f52df31078d1dc7399d81e41dd255871b40cfe4ed8b655e8488c368846a53d61b29b7

Download Submit
memory/232-18-0x00007FF6B1670000-0x00007FF6B19C1000-memory.dmp

Filesize
3.3MB

Download
memory/232-77-0x00007FF6B1670000-0x00007FF6B19C1000-memory.dmp

Filesize
3.3MB

Download
memory/232-220-0x00007FF6B1670000-0x00007FF6B19C1000-memory.dmp

Filesize
3.3MB

Download
memory/1372-104-0x00007FF783CC0000-0x00007FF784011000-memory.dmp

Filesize
3.3MB

Download
memory/1372-51-0x00007FF783CC0000-0x00007FF784011000-memory.dmp

Filesize
3.3MB

Download
memory/1372-232-0x00007FF783CC0000-0x00007FF784011000-memory.dmp

Filesize
3.3MB

Download
memory/1980-157-0x00007FF7CEB60000-0x00007FF7CEEB1000-memory.dmp

Filesize
3.3MB

Download
memory/1980-106-0x00007FF7CEB60000-0x00007FF7CEEB1000-memory.dmp

Filesize
3.3MB

Download
memory/1980-257-0x00007FF7CEB60000-0x00007FF7CEEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2240-266-0x00007FF778550000-0x00007FF7788A1000-memory.dmp

Filesize
3.3MB

Download
memory/2240-141-0x00007FF778550000-0x00007FF7788A1000-memory.dmp

Filesize
3.3MB

Download
memory/2404-242-0x00007FF6DA7B0000-0x00007FF6DAB01000-memory.dmp

Filesize
3.3MB

Download
memory/2404-144-0x00007FF6DA7B0000-0x00007FF6DAB01000-memory.dmp

Filesize
3.3MB

Download
memory/2404-69-0x00007FF6DA7B0000-0x00007FF6DAB01000-memory.dmp

Filesize
3.3MB

Download
memory/2408-143-0x00007FF70BC10000-0x00007FF70BF61000-memory.dmp

Filesize
3.3MB

Download
memory/2408-270-0x00007FF70BC10000-0x00007FF70BF61000-memory.dmp

Filesize
3.3MB

Download
memory/2432-87-0x00007FF604F10000-0x00007FF605261000-memory.dmp

Filesize
3.3MB

Download
memory/2432-251-0x00007FF604F10000-0x00007FF605261000-memory.dmp

Filesize
3.3MB

Download
memory/2432-150-0x00007FF604F10000-0x00007FF605261000-memory.dmp

Filesize
3.3MB

Download
memory/2468-81-0x00007FF7FC120000-0x00007FF7FC471000-memory.dmp

Filesize
3.3MB

Download
memory/2468-24-0x00007FF7FC120000-0x00007FF7FC471000-memory.dmp

Filesize
3.3MB

Download
memory/2468-224-0x00007FF7FC120000-0x00007FF7FC471000-memory.dmp

Filesize
3.3MB

Download
memory/2544-255-0x00007FF71F010000-0x00007FF71F361000-memory.dmp

Filesize
3.3MB

Download
memory/2544-101-0x00007FF71F010000-0x00007FF71F361000-memory.dmp

Filesize
3.3MB

Download
memory/2660-228-0x00007FF688C90000-0x00007FF688FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-44-0x00007FF688C90000-0x00007FF688FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-99-0x00007FF688C90000-0x00007FF688FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2668-174-0x00007FF7ABFB0000-0x00007FF7AC301000-memory.dmp

Filesize
3.3MB

Download
memory/2668-272-0x00007FF7ABFB0000-0x00007FF7AC301000-memory.dmp

Filesize
3.3MB

Download
memory/2668-147-0x00007FF7ABFB0000-0x00007FF7AC301000-memory.dmp

Filesize
3.3MB

Download
memory/2892-209-0x00007FF7CB660000-0x00007FF7CB9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-61-0x00007FF7CB660000-0x00007FF7CB9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-6-0x00007FF7CB660000-0x00007FF7CB9B1000-memory.dmp

Filesize
3.3MB

Download
memory/3232-145-0x00007FF6062B0000-0x00007FF606601000-memory.dmp

Filesize
3.3MB

Download
memory/3232-269-0x00007FF6062B0000-0x00007FF606601000-memory.dmp

Filesize
3.3MB

Download
memory/3448-0-0x00007FF6BD300000-0x00007FF6BD651000-memory.dmp

Filesize
3.3MB

Download
memory/3448-1-0x000001A185810000-0x000001A185820000-memory.dmp

Filesize
64KB

Download
memory/3448-160-0x00007FF6BD300000-0x00007FF6BD651000-memory.dmp

Filesize
3.3MB

Download
memory/3448-57-0x00007FF6BD300000-0x00007FF6BD651000-memory.dmp

Filesize
3.3MB

Download
memory/3448-182-0x00007FF6BD300000-0x00007FF6BD651000-memory.dmp

Filesize
3.3MB

Download
memory/3644-13-0x00007FF76B8E0000-0x00007FF76BC31000-memory.dmp

Filesize
3.3MB

Download
memory/3644-68-0x00007FF76B8E0000-0x00007FF76BC31000-memory.dmp

Filesize
3.3MB

Download
memory/3644-218-0x00007FF76B8E0000-0x00007FF76BC31000-memory.dmp

Filesize
3.3MB

Download
memory/3664-253-0x00007FF76D200000-0x00007FF76D551000-memory.dmp

Filesize
3.3MB

Download
memory/3664-151-0x00007FF76D200000-0x00007FF76D551000-memory.dmp

Filesize
3.3MB

Download
memory/3664-90-0x00007FF76D200000-0x00007FF76D551000-memory.dmp

Filesize
3.3MB

Download
memory/4044-129-0x00007FF76B390000-0x00007FF76B6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4044-264-0x00007FF76B390000-0x00007FF76B6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4136-230-0x00007FF770200000-0x00007FF770551000-memory.dmp

Filesize
3.3MB

Download
memory/4136-52-0x00007FF770200000-0x00007FF770551000-memory.dmp

Filesize
3.3MB

Download
memory/4136-105-0x00007FF770200000-0x00007FF770551000-memory.dmp

Filesize
3.3MB

Download
memory/4288-240-0x00007FF713A40000-0x00007FF713D91000-memory.dmp

Filesize
3.3MB

Download
memory/4288-119-0x00007FF713A40000-0x00007FF713D91000-memory.dmp

Filesize
3.3MB

Download
memory/4288-62-0x00007FF713A40000-0x00007FF713D91000-memory.dmp

Filesize
3.3MB

Download
memory/4808-227-0x00007FF711490000-0x00007FF7117E1000-memory.dmp

Filesize
3.3MB

Download
memory/4808-36-0x00007FF711490000-0x00007FF7117E1000-memory.dmp

Filesize
3.3MB

Download
memory/4808-91-0x00007FF711490000-0x00007FF7117E1000-memory.dmp

Filesize
3.3MB

Download
memory/4888-249-0x00007FF71D400000-0x00007FF71D751000-memory.dmp

Filesize
3.3MB

Download
memory/4888-79-0x00007FF71D400000-0x00007FF71D751000-memory.dmp

Filesize
3.3MB

Download
memory/5076-85-0x00007FF7E8F70000-0x00007FF7E92C1000-memory.dmp

Filesize
3.3MB

Download
memory/5076-223-0x00007FF7E8F70000-0x00007FF7E92C1000-memory.dmp

Filesize
3.3MB

Download
memory/5076-29-0x00007FF7E8F70000-0x00007FF7E92C1000-memory.dmp

Filesize
3.3MB

Download