cobaltstrike | 254931a7682f94bdac410a0a51d1ef8a8f146ad3cf785dd56a3bc4d8320d7a38

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0f110d92bcb58f576437998a564180ea
SHA1

0fb8f292393b8ef2558d200a7e0972a56fec34bc
SHA256

254931a7682f94bdac410a0a51d1ef8a8f146ad3cf785dd56a3bc4d8320d7a38
SHA512

a60cdbc0fc7923d68c653ec6c29860bd8bf7f135ce1329e88c6f4e97ebe788dafae066d4573d9253fa72bd7d68e5a34d52b1daf5cc90398aad35d1e38616b1e5
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l7:RWWBibf56utgpPFotBER/mQ32lUP

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a0000000233e2-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023449-33.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344a-41.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344b-45.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344c-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023448-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-22.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023442-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023450-67.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344d-71.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023443-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023451-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023452-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023453-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023454-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-137.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/428-17-0x00007FF7CF200000-0x00007FF7CF551000-memory.dmp	xmrig
behavioral2/memory/872-43-0x00007FF672370000-0x00007FF6726C1000-memory.dmp	xmrig
behavioral2/memory/3908-49-0x00007FF6277A0000-0x00007FF627AF1000-memory.dmp	xmrig
behavioral2/memory/2324-63-0x00007FF6BDED0000-0x00007FF6BE221000-memory.dmp	xmrig
behavioral2/memory/4112-60-0x00007FF7C32F0000-0x00007FF7C3641000-memory.dmp	xmrig
behavioral2/memory/5056-81-0x00007FF7506D0000-0x00007FF750A21000-memory.dmp	xmrig
behavioral2/memory/4904-90-0x00007FF65F200000-0x00007FF65F551000-memory.dmp	xmrig
behavioral2/memory/1216-119-0x00007FF6D71C0000-0x00007FF6D7511000-memory.dmp	xmrig
behavioral2/memory/1844-115-0x00007FF7579C0000-0x00007FF757D11000-memory.dmp	xmrig
behavioral2/memory/2912-102-0x00007FF688000000-0x00007FF688351000-memory.dmp	xmrig
behavioral2/memory/116-95-0x00007FF63C320000-0x00007FF63C671000-memory.dmp	xmrig
behavioral2/memory/2020-80-0x00007FF6133D0000-0x00007FF613721000-memory.dmp	xmrig
behavioral2/memory/4520-134-0x00007FF7167B0000-0x00007FF716B01000-memory.dmp	xmrig
behavioral2/memory/4328-130-0x00007FF640510000-0x00007FF640861000-memory.dmp	xmrig
behavioral2/memory/828-129-0x00007FF78EB80000-0x00007FF78EED1000-memory.dmp	xmrig
behavioral2/memory/2948-139-0x00007FF62FF20000-0x00007FF630271000-memory.dmp	xmrig
behavioral2/memory/4112-140-0x00007FF7C32F0000-0x00007FF7C3641000-memory.dmp	xmrig
behavioral2/memory/2168-150-0x00007FF7F0E40000-0x00007FF7F1191000-memory.dmp	xmrig
behavioral2/memory/1672-151-0x00007FF6220E0000-0x00007FF622431000-memory.dmp	xmrig
behavioral2/memory/5020-156-0x00007FF721CF0000-0x00007FF722041000-memory.dmp	xmrig
behavioral2/memory/1380-157-0x00007FF6B02B0000-0x00007FF6B0601000-memory.dmp	xmrig
behavioral2/memory/3992-164-0x00007FF6C0BE0000-0x00007FF6C0F31000-memory.dmp	xmrig
behavioral2/memory/3412-167-0x00007FF7FF680000-0x00007FF7FF9D1000-memory.dmp	xmrig
behavioral2/memory/4112-168-0x00007FF7C32F0000-0x00007FF7C3641000-memory.dmp	xmrig
behavioral2/memory/2324-218-0x00007FF6BDED0000-0x00007FF6BE221000-memory.dmp	xmrig
behavioral2/memory/428-219-0x00007FF7CF200000-0x00007FF7CF551000-memory.dmp	xmrig
behavioral2/memory/5056-228-0x00007FF7506D0000-0x00007FF750A21000-memory.dmp	xmrig
behavioral2/memory/2020-229-0x00007FF6133D0000-0x00007FF613721000-memory.dmp	xmrig
behavioral2/memory/872-231-0x00007FF672370000-0x00007FF6726C1000-memory.dmp	xmrig
behavioral2/memory/4904-233-0x00007FF65F200000-0x00007FF65F551000-memory.dmp	xmrig
behavioral2/memory/3908-235-0x00007FF6277A0000-0x00007FF627AF1000-memory.dmp	xmrig
behavioral2/memory/1844-237-0x00007FF7579C0000-0x00007FF757D11000-memory.dmp	xmrig
behavioral2/memory/2912-239-0x00007FF688000000-0x00007FF688351000-memory.dmp	xmrig
behavioral2/memory/828-245-0x00007FF78EB80000-0x00007FF78EED1000-memory.dmp	xmrig
behavioral2/memory/4328-249-0x00007FF640510000-0x00007FF640861000-memory.dmp	xmrig
behavioral2/memory/1216-248-0x00007FF6D71C0000-0x00007FF6D7511000-memory.dmp	xmrig
behavioral2/memory/116-255-0x00007FF63C320000-0x00007FF63C671000-memory.dmp	xmrig
behavioral2/memory/4520-259-0x00007FF7167B0000-0x00007FF716B01000-memory.dmp	xmrig
behavioral2/memory/2948-261-0x00007FF62FF20000-0x00007FF630271000-memory.dmp	xmrig
behavioral2/memory/1672-263-0x00007FF6220E0000-0x00007FF622431000-memory.dmp	xmrig
behavioral2/memory/2168-265-0x00007FF7F0E40000-0x00007FF7F1191000-memory.dmp	xmrig
behavioral2/memory/5020-269-0x00007FF721CF0000-0x00007FF722041000-memory.dmp	xmrig
behavioral2/memory/1380-268-0x00007FF6B02B0000-0x00007FF6B0601000-memory.dmp	xmrig
behavioral2/memory/3992-274-0x00007FF6C0BE0000-0x00007FF6C0F31000-memory.dmp	xmrig
behavioral2/memory/3412-275-0x00007FF7FF680000-0x00007FF7FF9D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2324	khHZUEi.exe
428	FYvKaMC.exe
2020	tRctMWr.exe
5056	ICwAmtt.exe
4904	Gyundla.exe
872	eexxIUY.exe
3908	kVRuPYp.exe
2912	IkgKBub.exe
1844	yfBPUDp.exe
1216	TxdgMWr.exe
828	NNUYVJl.exe
4328	LbWzthN.exe
4520	KWuaLcD.exe
116	FkXzZtd.exe
2948	zQGGaSM.exe
2168	DcjCBQF.exe
1672	GdbYCxT.exe
5020	TzceHvn.exe
1380	wtEEZJA.exe
3992	GOdNCGI.exe
3412	mdpQKWd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4112-0-0x00007FF7C32F0000-0x00007FF7C3641000-memory.dmp	upx
behavioral2/files/0x000a0000000233e2-4.dat	upx
behavioral2/memory/2324-13-0x00007FF6BDED0000-0x00007FF6BE221000-memory.dmp	upx
behavioral2/memory/428-17-0x00007FF7CF200000-0x00007FF7CF551000-memory.dmp	upx
behavioral2/files/0x0007000000023447-25.dat	upx
behavioral2/memory/5056-29-0x00007FF7506D0000-0x00007FF750A21000-memory.dmp	upx
behavioral2/files/0x0007000000023449-33.dat	upx
behavioral2/files/0x000700000002344a-41.dat	upx
behavioral2/files/0x000700000002344b-45.dat	upx
behavioral2/memory/872-43-0x00007FF672370000-0x00007FF6726C1000-memory.dmp	upx
behavioral2/memory/2912-47-0x00007FF688000000-0x00007FF688351000-memory.dmp	upx
behavioral2/files/0x000700000002344c-52.dat	upx
behavioral2/memory/1844-55-0x00007FF7579C0000-0x00007FF757D11000-memory.dmp	upx
behavioral2/memory/3908-49-0x00007FF6277A0000-0x00007FF627AF1000-memory.dmp	upx
behavioral2/memory/4904-34-0x00007FF65F200000-0x00007FF65F551000-memory.dmp	upx
behavioral2/files/0x0007000000023448-31.dat	upx
behavioral2/files/0x0007000000023446-22.dat	upx
behavioral2/memory/2020-20-0x00007FF6133D0000-0x00007FF613721000-memory.dmp	upx
behavioral2/files/0x0008000000023442-10.dat	upx
behavioral2/files/0x0007000000023450-67.dat	upx
behavioral2/files/0x000700000002344d-71.dat	upx
behavioral2/memory/4328-73-0x00007FF640510000-0x00007FF640861000-memory.dmp	upx
behavioral2/files/0x0008000000023443-70.dat	upx
behavioral2/memory/828-69-0x00007FF78EB80000-0x00007FF78EED1000-memory.dmp	upx
behavioral2/memory/1216-68-0x00007FF6D71C0000-0x00007FF6D7511000-memory.dmp	upx
behavioral2/memory/2324-63-0x00007FF6BDED0000-0x00007FF6BE221000-memory.dmp	upx
behavioral2/memory/4112-60-0x00007FF7C32F0000-0x00007FF7C3641000-memory.dmp	upx
behavioral2/files/0x0007000000023451-79.dat	upx
behavioral2/memory/5056-81-0x00007FF7506D0000-0x00007FF750A21000-memory.dmp	upx
behavioral2/files/0x0007000000023452-85.dat	upx
behavioral2/memory/4904-90-0x00007FF65F200000-0x00007FF65F551000-memory.dmp	upx
behavioral2/files/0x0007000000023455-101.dat	upx
behavioral2/files/0x0007000000023453-100.dat	upx
behavioral2/files/0x0007000000023454-106.dat	upx
behavioral2/memory/1672-108-0x00007FF6220E0000-0x00007FF622431000-memory.dmp	upx
behavioral2/files/0x0007000000023457-118.dat	upx
behavioral2/files/0x0007000000023456-121.dat	upx
behavioral2/memory/1380-120-0x00007FF6B02B0000-0x00007FF6B0601000-memory.dmp	upx
behavioral2/memory/1216-119-0x00007FF6D71C0000-0x00007FF6D7511000-memory.dmp	upx
behavioral2/memory/5020-117-0x00007FF721CF0000-0x00007FF722041000-memory.dmp	upx
behavioral2/memory/1844-115-0x00007FF7579C0000-0x00007FF757D11000-memory.dmp	upx
behavioral2/memory/2168-103-0x00007FF7F0E40000-0x00007FF7F1191000-memory.dmp	upx
behavioral2/memory/2912-102-0x00007FF688000000-0x00007FF688351000-memory.dmp	upx
behavioral2/memory/2948-99-0x00007FF62FF20000-0x00007FF630271000-memory.dmp	upx
behavioral2/memory/116-95-0x00007FF63C320000-0x00007FF63C671000-memory.dmp	upx
behavioral2/memory/4520-89-0x00007FF7167B0000-0x00007FF716B01000-memory.dmp	upx
behavioral2/memory/2020-80-0x00007FF6133D0000-0x00007FF613721000-memory.dmp	upx
behavioral2/files/0x0007000000023458-127.dat	upx
behavioral2/memory/4520-134-0x00007FF7167B0000-0x00007FF716B01000-memory.dmp	upx
behavioral2/memory/4328-130-0x00007FF640510000-0x00007FF640861000-memory.dmp	upx
behavioral2/files/0x0007000000023459-137.dat	upx
behavioral2/memory/3412-135-0x00007FF7FF680000-0x00007FF7FF9D1000-memory.dmp	upx
behavioral2/memory/3992-132-0x00007FF6C0BE0000-0x00007FF6C0F31000-memory.dmp	upx
behavioral2/memory/828-129-0x00007FF78EB80000-0x00007FF78EED1000-memory.dmp	upx
behavioral2/memory/2948-139-0x00007FF62FF20000-0x00007FF630271000-memory.dmp	upx
behavioral2/memory/4112-140-0x00007FF7C32F0000-0x00007FF7C3641000-memory.dmp	upx
behavioral2/memory/2168-150-0x00007FF7F0E40000-0x00007FF7F1191000-memory.dmp	upx
behavioral2/memory/1672-151-0x00007FF6220E0000-0x00007FF622431000-memory.dmp	upx
behavioral2/memory/5020-156-0x00007FF721CF0000-0x00007FF722041000-memory.dmp	upx
behavioral2/memory/1380-157-0x00007FF6B02B0000-0x00007FF6B0601000-memory.dmp	upx
behavioral2/memory/3992-164-0x00007FF6C0BE0000-0x00007FF6C0F31000-memory.dmp	upx
behavioral2/memory/3412-167-0x00007FF7FF680000-0x00007FF7FF9D1000-memory.dmp	upx
behavioral2/memory/4112-168-0x00007FF7C32F0000-0x00007FF7C3641000-memory.dmp	upx
behavioral2/memory/2324-218-0x00007FF6BDED0000-0x00007FF6BE221000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\Gyundla.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kVRuPYp.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DcjCBQF.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GdbYCxT.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GOdNCGI.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FYvKaMC.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NNUYVJl.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zQGGaSM.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mdpQKWd.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\khHZUEi.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ICwAmtt.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eexxIUY.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FkXzZtd.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TzceHvn.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tRctMWr.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IkgKBub.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yfBPUDp.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TxdgMWr.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LbWzthN.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KWuaLcD.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wtEEZJA.exe	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 2324	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4112 wrote to memory of 2324	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4112 wrote to memory of 428	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4112 wrote to memory of 428	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4112 wrote to memory of 2020	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4112 wrote to memory of 2020	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4112 wrote to memory of 5056	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4112 wrote to memory of 5056	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4112 wrote to memory of 4904	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4112 wrote to memory of 4904	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4112 wrote to memory of 872	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4112 wrote to memory of 872	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4112 wrote to memory of 3908	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4112 wrote to memory of 3908	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4112 wrote to memory of 2912	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4112 wrote to memory of 2912	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4112 wrote to memory of 1844	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4112 wrote to memory of 1844	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4112 wrote to memory of 1216	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4112 wrote to memory of 1216	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4112 wrote to memory of 828	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4112 wrote to memory of 828	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4112 wrote to memory of 4328	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4112 wrote to memory of 4328	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4112 wrote to memory of 4520	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4112 wrote to memory of 4520	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4112 wrote to memory of 116	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4112 wrote to memory of 116	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4112 wrote to memory of 2168	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4112 wrote to memory of 2168	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4112 wrote to memory of 2948	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4112 wrote to memory of 2948	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4112 wrote to memory of 1672	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4112 wrote to memory of 1672	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4112 wrote to memory of 5020	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4112 wrote to memory of 5020	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4112 wrote to memory of 1380	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4112 wrote to memory of 1380	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4112 wrote to memory of 3992	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4112 wrote to memory of 3992	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4112 wrote to memory of 3412	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4112 wrote to memory of 3412	4112	2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-17_0f110d92bcb58f576437998a564180ea_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\System\khHZUEi.exe
  C:\Windows\System\khHZUEi.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\FYvKaMC.exe
  C:\Windows\System\FYvKaMC.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System\tRctMWr.exe
  C:\Windows\System\tRctMWr.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\ICwAmtt.exe
  C:\Windows\System\ICwAmtt.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\Gyundla.exe
  C:\Windows\System\Gyundla.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\eexxIUY.exe
  C:\Windows\System\eexxIUY.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\kVRuPYp.exe
  C:\Windows\System\kVRuPYp.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System\IkgKBub.exe
  C:\Windows\System\IkgKBub.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\yfBPUDp.exe
  C:\Windows\System\yfBPUDp.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\TxdgMWr.exe
  C:\Windows\System\TxdgMWr.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\NNUYVJl.exe
  C:\Windows\System\NNUYVJl.exe
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\System\LbWzthN.exe
  C:\Windows\System\LbWzthN.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System\KWuaLcD.exe
  C:\Windows\System\KWuaLcD.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\FkXzZtd.exe
  C:\Windows\System\FkXzZtd.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\DcjCBQF.exe
  C:\Windows\System\DcjCBQF.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\zQGGaSM.exe
  C:\Windows\System\zQGGaSM.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\GdbYCxT.exe
  C:\Windows\System\GdbYCxT.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\TzceHvn.exe
  C:\Windows\System\TzceHvn.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\wtEEZJA.exe
  C:\Windows\System\wtEEZJA.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\GOdNCGI.exe
  C:\Windows\System\GOdNCGI.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\mdpQKWd.exe
  C:\Windows\System\mdpQKWd.exe
  2⤵
  - Executes dropped EXE
  PID:3412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DcjCBQF.exe

Filesize
5.2MB

MD5
5218c9f90361f92762cff242d1fa663e

SHA1
a0f4480c6a362bd416259d74b42a47b2f34ee199

SHA256
ee7ca0b0097c18cba05a5a5ed2677ceb32c5f81bacc66a3bc3c948453a627786

SHA512
34b4f39baef06f8c3e88f0e6037de53d5a93770708e020ac2ed43ef6af0e62562477b237c175b14cf8e5dd696f11986c33dfd86bd3e19b4482d5455d1e69ccf0

Download Submit
C:\Windows\System\FYvKaMC.exe

Filesize
5.2MB

MD5
a838f838f255b662e1bef8bdccaa8deb

SHA1
12ca72eadb5121e6506e08318c025bb2a297ed29

SHA256
dd6998d5b493853f3353bff9bcdd8eeee4686ec474f1e796f1b5c83e1a63ceca

SHA512
b85e3806fb967745ddb1af8caf17611f4910249653169755baee4b416ff011859675ec78e78ed46591035ce66b01b530de4ccf467170c8e108f23b7c1a71c1c5

Download Submit
C:\Windows\System\FkXzZtd.exe

Filesize
5.2MB

MD5
2e9a08fb81cd390e296d714494fde46d

SHA1
d21e407a59ea2ae86feb603e8ae1af19ebec81e0

SHA256
ec40527e93084f182a08732f52b94ca372aa1a9910002bbdaa45cc91811ccc36

SHA512
43e88bae9c4f1384040c3d6cdb5700710ba79048232452e1a5af9e51269eeca31ddba98d631f8048e3f43f19116984e908f0fdc3c99a5dcb57913b26fc820600

Download Submit
C:\Windows\System\GOdNCGI.exe

Filesize
5.2MB

MD5
c669829451508da3119e5629d07d12e8

SHA1
1c64ada67b2a9302f973262b36506d2a5a7d8cc8

SHA256
9a0fc2d3876941e533a2f5743956bc27b3a526070f9b2d0ab85d81077cf9fb79

SHA512
d8f858d26eaf5be603e9397b26357424a149c1f89df61e6529f7c064e1a66c1bef52bbc6811fd08f20a4ad376f2b4856b82209a2e9f80465e9282c3b49f213f2

Download Submit
C:\Windows\System\GdbYCxT.exe

Filesize
5.2MB

MD5
c410ab30486c59b276679952a6c6d8d9

SHA1
1697541fd7491ad174574fba1e0d60801f8de926

SHA256
3c8d9b2cfce131ad6385625787d56054d04a7924ede7cd15d868d437d055b72a

SHA512
cdcf8da8c98aec794ca28f706ec88b420f5a2d5ce7613eb9f77e96c07dddf30c20f5c2a63badbf94b1af2643a55ab6bc1897780f0c6a15b2a644205766729e17

Download Submit
C:\Windows\System\Gyundla.exe

Filesize
5.2MB

MD5
3e1e09893751226f7d66606fec418953

SHA1
e23e34d628b8fe64eeb17db48f022ae8393d0011

SHA256
87db709160b2b02b26adb981f0e9dcbbc65da3084e664c6fc95b071f37a43316

SHA512
2f1995c64ac31f1cc752216df0d9b43948bbaee8bbe1942cfb93f0f54fede1018945bb91dbafb36b65b8b726f65435f48cd7380253ad5ae8adad63afd39f6a52

Download Submit
C:\Windows\System\ICwAmtt.exe

Filesize
5.2MB

MD5
61949d63070ceb4902358cc49c51805a

SHA1
09a7b7581f50cb805a9fc1e420162c98573eeba1

SHA256
7086a4897e004afc71d47e77d4737b9a97a57c9b7d0c70e45729e59f0d3c60ee

SHA512
f760bf71fd05daaa4373b073b6210601b7cbfff9df6a3c32374be2c60f2e62ec40a9ce7d9c3193538f2aac3edcbf32c54cc6337b258d9ea0bf79c11640777843

Download Submit
C:\Windows\System\IkgKBub.exe

Filesize
5.2MB

MD5
108afb5e087c9f081c4434144b50782f

SHA1
6e511d1dbb4336838bb1f908a596dcd35e7b8f36

SHA256
8cf41d3ff846a409e2d6c0398ae02bc1a3c8763f4488b4479767363bc9eb7b32

SHA512
31f2131201bd2bdf0f6c55e1e85c2d2823c377899748adc80738fea5f1dedc0ac7f0f0c122e7ea5646f9d72d7b337a123be08f49fb548598f5346e3796899776

Download Submit
C:\Windows\System\KWuaLcD.exe

Filesize
5.2MB

MD5
8572fffa2d37964b2608a9e04f015e44

SHA1
4865541b873e1a36626dfc7da086234a2e7dd454

SHA256
277698680cfef64b55a80bc6148a99b15f429c71edec2350aecc2699c37caeeb

SHA512
1d95fcb9d7db8f8edec3cbbab0bffc3ddbce4ec2afef149f3241d4ed642e4e7952f082f41e5fba9625129b3e2d6da324d084c87988fb42aa1ddd5ecbe43ab989

Download Submit
C:\Windows\System\LbWzthN.exe

Filesize
5.2MB

MD5
e80c0184434b783ccdca9039e9e09582

SHA1
b1cd61cc8daa65462f5dfc592b143d9d8bb55d32

SHA256
96f1cba2d85cf581b9b4ed74836e0fe43049851feed2d663fbe4a74f68d2a1b6

SHA512
3f513d0fb290cba5a520409914067281ad74182fc5b05b7488409e50b4911a05fe48764a02c9c41513813db4767a95563ed72510a9a1c7d8c504a5c47d867852

Download Submit
C:\Windows\System\NNUYVJl.exe

Filesize
5.2MB

MD5
028ae1e6372958a3fe626e174abd4f45

SHA1
b1e28645d5da076098c16e57008a030fc28e7198

SHA256
1806d505ab9d1309953dee140c632af5a40bf9d6b854e820a15b69fc49bbe58d

SHA512
f64a33fe76753206e1a094c8ea489672c4b48d752b85272af381e94dea53aa6c9cc726bd6cd06fa571040509f64609093a333090a77b9b47033030b119db794a

Download Submit
C:\Windows\System\TxdgMWr.exe

Filesize
5.2MB

MD5
2991be95cf944c8b7b3957eec1585351

SHA1
cd5e30c3a7b43b67980520d835cfe0de00bbf230

SHA256
df0fda65d85be4f44bb88773730fa9da23b99667447b8cf630d17d97949d7c69

SHA512
560d335af4a5ffcda108f163a8ae280b146214535e88deb53423a1451dfb385a2bd1d9df8d8c2629fc2fdb29cfa23583c82e1c2ced393d90111b2c68fa42715e

Download Submit
C:\Windows\System\TzceHvn.exe

Filesize
5.2MB

MD5
464f11c3b128867646115a9457818826

SHA1
26c143bce71fa77b7e375b603a75d031058feaf7

SHA256
91a04caf2f8b3cebc5a3e7c782562d9b41dcf723151cc702d6c6b07d35d5b98f

SHA512
616f849914a115583d79dd8852d4aa801d0bd67480b2e3a895f070ca51101f83d28f58e45ca8656c1e9fb3fbf5147c9c08ff8926d52c731588f3a9c6a522a54b

Download Submit
C:\Windows\System\eexxIUY.exe

Filesize
5.2MB

MD5
16780f47c5724da9507d2c70be24c740

SHA1
b770925c83a60d7e3cf3bd8378715b57ccb5f072

SHA256
035d8098eb9043f6d4a4fa82aa60065355ea5ead6a0604f7f4f4d26440e2fb13

SHA512
1020fee3a60ec23bfe8659fea290747f2d9430fbb65dded8db7cecb41aed4a31a12a7bb46d444047ad3b4e7d481702df0aeff85c540f5494d538226bccbc3a82

Download Submit
C:\Windows\System\kVRuPYp.exe

Filesize
5.2MB

MD5
83714a70203f53dd4d279b5784f6542d

SHA1
d61fa0278c6dd47684628c71bbec7e97df2d9b52

SHA256
e3a0bced13ab2461953440fc2c2548e59398751eabf8dbf97e006f23aed8b258

SHA512
96a48825d8c69fbe118e67280e7e33914f0730babec6cb56865ac3f07ab827fb1efdd2c1b52caf12ca246c3c9eebd7be8aa89c3f2cb6331a14588e21d5256fce

Download Submit
C:\Windows\System\khHZUEi.exe

Filesize
5.2MB

MD5
433cdc150ecf3d7efa73213bb5d0d447

SHA1
f34d120f68ab00f7c157f2373eb073d6d76a053f

SHA256
39767cbd2774638e0fc8ae40a66dfb59e831bf3f8ad83168c1dc5f7f95acfbf5

SHA512
520f27098b3528ef8d77dc25f7799e2a0b60846530daab67ba4a327cdc7641da691d166713622d19abf22003fc9a99606c32de8adbe53bcad6ad0ab284700c26

Download Submit
C:\Windows\System\mdpQKWd.exe

Filesize
5.2MB

MD5
079339d9cd887e230998454f0227d1aa

SHA1
1d3b57cf59b809f446a7f1a5be90b06b115e804a

SHA256
89e58a72c15b5ee55bfce8994d57ce58055c1ef3fcc73e6567645e7547d90585

SHA512
80584b79a0ab1fdf3f078f97a1410a0d59a6641bf252491c06c044ca22aee1e9db53b61cb7bed7bd61bd8e2b31b34f136a33495b53ab992c76213e346e4e807e

Download Submit
C:\Windows\System\tRctMWr.exe

Filesize
5.2MB

MD5
4220f46bd4dce7557a67818799e0ac57

SHA1
ff292b6e59dc2103379c510772a4ef5e0876d732

SHA256
23a2b6e0a80d8fb83ceb8bd7a261bd73fd16aa1effb281fe9be52ddbeee9ab09

SHA512
dd886024631751db7afcd486381da2c98a08ca56c1676dc03db1cff913fe7a3e0d68729ba9d9f4cc9d552ab7146fdad98a8f8b5752151faa6dfa728a1acb5ff0

Download Submit
C:\Windows\System\wtEEZJA.exe

Filesize
5.2MB

MD5
43acdb6159fb26106f9eddd7f8f006d1

SHA1
4bffa82f5d8dc5e695a69bcdec7c8f1804f7c1c0

SHA256
e36c681c0102b342af951e116fd0105bc7481053e0029db49a6a786798ddac42

SHA512
7a9ff6295bce441fa57947a896c100bf640bdb9c6f5eee9a233a0b2c7c71f0cd92038777acded44543951d4ff508150b8470c06ef68286a5cae7f6217b825629

Download Submit
C:\Windows\System\yfBPUDp.exe

Filesize
5.2MB

MD5
4b4528652546781ea6481970ce6c455f

SHA1
0124a71fa94d60ac04145d9ad5eca2a3db05a535

SHA256
a2c58c51fed8b9774ed6398bb0ede7c677787b70de3147c6c7934390affc1872

SHA512
af4bd812353e617154789aed02a724fb849449d1771eb1e524721d69326829ea153f74c3c97e9e7a98f9cc7e5e9007925dcd0db541a470fdf564ec29a6207589

Download Submit
C:\Windows\System\zQGGaSM.exe

Filesize
5.2MB

MD5
680a04b461d0c81b70d503ef00c910b3

SHA1
754aa07609cf2cf594cc1745a91eea22728e2a2d

SHA256
9a3f746958223673e78037d9aa377b909c199d4b2f5ecc9cd5e420df17e0a482

SHA512
adb70f0c03d2119402aacfd4b211ed7b16d4790799b8110b60a6a05082a0dfa94607227a1cca470b5e58ce652faf8436c8c3944ff6ee2c91320d37e30e99a892

Download Submit
memory/116-255-0x00007FF63C320000-0x00007FF63C671000-memory.dmp

Filesize
3.3MB

Download
memory/116-95-0x00007FF63C320000-0x00007FF63C671000-memory.dmp

Filesize
3.3MB

Download
memory/428-17-0x00007FF7CF200000-0x00007FF7CF551000-memory.dmp

Filesize
3.3MB

Download
memory/428-219-0x00007FF7CF200000-0x00007FF7CF551000-memory.dmp

Filesize
3.3MB

Download
memory/828-129-0x00007FF78EB80000-0x00007FF78EED1000-memory.dmp

Filesize
3.3MB

Download
memory/828-245-0x00007FF78EB80000-0x00007FF78EED1000-memory.dmp

Filesize
3.3MB

Download
memory/828-69-0x00007FF78EB80000-0x00007FF78EED1000-memory.dmp

Filesize
3.3MB

Download
memory/872-231-0x00007FF672370000-0x00007FF6726C1000-memory.dmp

Filesize
3.3MB

Download
memory/872-43-0x00007FF672370000-0x00007FF6726C1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-119-0x00007FF6D71C0000-0x00007FF6D7511000-memory.dmp

Filesize
3.3MB

Download
memory/1216-68-0x00007FF6D71C0000-0x00007FF6D7511000-memory.dmp

Filesize
3.3MB

Download
memory/1216-248-0x00007FF6D71C0000-0x00007FF6D7511000-memory.dmp

Filesize
3.3MB

Download
memory/1380-268-0x00007FF6B02B0000-0x00007FF6B0601000-memory.dmp

Filesize
3.3MB

Download
memory/1380-157-0x00007FF6B02B0000-0x00007FF6B0601000-memory.dmp

Filesize
3.3MB

Download
memory/1380-120-0x00007FF6B02B0000-0x00007FF6B0601000-memory.dmp

Filesize
3.3MB

Download
memory/1672-151-0x00007FF6220E0000-0x00007FF622431000-memory.dmp

Filesize
3.3MB

Download
memory/1672-263-0x00007FF6220E0000-0x00007FF622431000-memory.dmp

Filesize
3.3MB

Download
memory/1672-108-0x00007FF6220E0000-0x00007FF622431000-memory.dmp

Filesize
3.3MB

Download
memory/1844-115-0x00007FF7579C0000-0x00007FF757D11000-memory.dmp

Filesize
3.3MB

Download
memory/1844-55-0x00007FF7579C0000-0x00007FF757D11000-memory.dmp

Filesize
3.3MB

Download
memory/1844-237-0x00007FF7579C0000-0x00007FF757D11000-memory.dmp

Filesize
3.3MB

Download
memory/2020-20-0x00007FF6133D0000-0x00007FF613721000-memory.dmp

Filesize
3.3MB

Download
memory/2020-229-0x00007FF6133D0000-0x00007FF613721000-memory.dmp

Filesize
3.3MB

Download
memory/2020-80-0x00007FF6133D0000-0x00007FF613721000-memory.dmp

Filesize
3.3MB

Download
memory/2168-103-0x00007FF7F0E40000-0x00007FF7F1191000-memory.dmp

Filesize
3.3MB

Download
memory/2168-150-0x00007FF7F0E40000-0x00007FF7F1191000-memory.dmp

Filesize
3.3MB

Download
memory/2168-265-0x00007FF7F0E40000-0x00007FF7F1191000-memory.dmp

Filesize
3.3MB

Download
memory/2324-13-0x00007FF6BDED0000-0x00007FF6BE221000-memory.dmp

Filesize
3.3MB

Download
memory/2324-63-0x00007FF6BDED0000-0x00007FF6BE221000-memory.dmp

Filesize
3.3MB

Download
memory/2324-218-0x00007FF6BDED0000-0x00007FF6BE221000-memory.dmp

Filesize
3.3MB

Download
memory/2912-102-0x00007FF688000000-0x00007FF688351000-memory.dmp

Filesize
3.3MB

Download
memory/2912-47-0x00007FF688000000-0x00007FF688351000-memory.dmp

Filesize
3.3MB

Download
memory/2912-239-0x00007FF688000000-0x00007FF688351000-memory.dmp

Filesize
3.3MB

Download
memory/2948-139-0x00007FF62FF20000-0x00007FF630271000-memory.dmp

Filesize
3.3MB

Download
memory/2948-99-0x00007FF62FF20000-0x00007FF630271000-memory.dmp

Filesize
3.3MB

Download
memory/2948-261-0x00007FF62FF20000-0x00007FF630271000-memory.dmp

Filesize
3.3MB

Download
memory/3412-275-0x00007FF7FF680000-0x00007FF7FF9D1000-memory.dmp

Filesize
3.3MB

Download
memory/3412-135-0x00007FF7FF680000-0x00007FF7FF9D1000-memory.dmp

Filesize
3.3MB

Download
memory/3412-167-0x00007FF7FF680000-0x00007FF7FF9D1000-memory.dmp

Filesize
3.3MB

Download
memory/3908-235-0x00007FF6277A0000-0x00007FF627AF1000-memory.dmp

Filesize
3.3MB

Download
memory/3908-49-0x00007FF6277A0000-0x00007FF627AF1000-memory.dmp

Filesize
3.3MB

Download
memory/3992-274-0x00007FF6C0BE0000-0x00007FF6C0F31000-memory.dmp

Filesize
3.3MB

Download
memory/3992-132-0x00007FF6C0BE0000-0x00007FF6C0F31000-memory.dmp

Filesize
3.3MB

Download
memory/3992-164-0x00007FF6C0BE0000-0x00007FF6C0F31000-memory.dmp

Filesize
3.3MB

Download
memory/4112-1-0x0000017E89850000-0x0000017E89860000-memory.dmp

Filesize
64KB

Download
memory/4112-60-0x00007FF7C32F0000-0x00007FF7C3641000-memory.dmp

Filesize
3.3MB

Download
memory/4112-168-0x00007FF7C32F0000-0x00007FF7C3641000-memory.dmp

Filesize
3.3MB

Download
memory/4112-140-0x00007FF7C32F0000-0x00007FF7C3641000-memory.dmp

Filesize
3.3MB

Download
memory/4112-0-0x00007FF7C32F0000-0x00007FF7C3641000-memory.dmp

Filesize
3.3MB

Download
memory/4328-73-0x00007FF640510000-0x00007FF640861000-memory.dmp

Filesize
3.3MB

Download
memory/4328-130-0x00007FF640510000-0x00007FF640861000-memory.dmp

Filesize
3.3MB

Download
memory/4328-249-0x00007FF640510000-0x00007FF640861000-memory.dmp

Filesize
3.3MB

Download
memory/4520-134-0x00007FF7167B0000-0x00007FF716B01000-memory.dmp

Filesize
3.3MB

Download
memory/4520-259-0x00007FF7167B0000-0x00007FF716B01000-memory.dmp

Filesize
3.3MB

Download
memory/4520-89-0x00007FF7167B0000-0x00007FF716B01000-memory.dmp

Filesize
3.3MB

Download
memory/4904-233-0x00007FF65F200000-0x00007FF65F551000-memory.dmp

Filesize
3.3MB

Download
memory/4904-34-0x00007FF65F200000-0x00007FF65F551000-memory.dmp

Filesize
3.3MB

Download
memory/4904-90-0x00007FF65F200000-0x00007FF65F551000-memory.dmp

Filesize
3.3MB

Download
memory/5020-269-0x00007FF721CF0000-0x00007FF722041000-memory.dmp

Filesize
3.3MB

Download
memory/5020-156-0x00007FF721CF0000-0x00007FF722041000-memory.dmp

Filesize
3.3MB

Download
memory/5020-117-0x00007FF721CF0000-0x00007FF722041000-memory.dmp

Filesize
3.3MB

Download
memory/5056-29-0x00007FF7506D0000-0x00007FF750A21000-memory.dmp

Filesize
3.3MB

Download
memory/5056-228-0x00007FF7506D0000-0x00007FF750A21000-memory.dmp

Filesize
3.3MB

Download
memory/5056-81-0x00007FF7506D0000-0x00007FF750A21000-memory.dmp

Filesize
3.3MB

Download