cobaltstrike | 27e182bfd39c61229723e5222c18e6f697bb41be63ad915549a832bef00fc180

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2024, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

830a33b2d3108e090389d6adb75ca03c
SHA1

8542d38cad37dd82318ef31ce8cd66c27b818d7a
SHA256

27e182bfd39c61229723e5222c18e6f697bb41be63ad915549a832bef00fc180
SHA512

578d86b3bb6bf3aa0f45a478c05c88a9cac2ed19bb4fbc9578438447d330ada51c22a1e3959122aa5e542fef4ff658cda2ac69ed3813950a3dfcee289aa0f9b8
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lw:RWWBibf56utgpPFotBER/mQ32lU8

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023b72-6.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-19.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-36.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-34.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-25.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-71.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-90.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-112.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-123.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-117.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-111.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-102.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-88.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-82.dat	cobalt_reflective_dll
behavioral2/files/0x0032000000023b78-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-78.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-54.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4972-7-0x00007FF703EE0000-0x00007FF704231000-memory.dmp	xmrig
behavioral2/memory/4476-126-0x00007FF7D9ED0000-0x00007FF7DA221000-memory.dmp	xmrig
behavioral2/memory/4780-125-0x00007FF7F19B0000-0x00007FF7F1D01000-memory.dmp	xmrig
behavioral2/memory/464-120-0x00007FF67E420000-0x00007FF67E771000-memory.dmp	xmrig
behavioral2/memory/4528-116-0x00007FF792FB0000-0x00007FF793301000-memory.dmp	xmrig
behavioral2/memory/4052-115-0x00007FF602600000-0x00007FF602951000-memory.dmp	xmrig
behavioral2/memory/2344-108-0x00007FF7C3E20000-0x00007FF7C4171000-memory.dmp	xmrig
behavioral2/memory/3768-50-0x00007FF665070000-0x00007FF6653C1000-memory.dmp	xmrig
behavioral2/memory/4836-46-0x00007FF6214E0000-0x00007FF621831000-memory.dmp	xmrig
behavioral2/memory/3788-137-0x00007FF6FBA60000-0x00007FF6FBDB1000-memory.dmp	xmrig
behavioral2/memory/1216-143-0x00007FF60CF00000-0x00007FF60D251000-memory.dmp	xmrig
behavioral2/memory/3544-150-0x00007FF663F20000-0x00007FF664271000-memory.dmp	xmrig
behavioral2/memory/1432-147-0x00007FF619DD0000-0x00007FF61A121000-memory.dmp	xmrig
behavioral2/memory/1436-145-0x00007FF7CAE80000-0x00007FF7CB1D1000-memory.dmp	xmrig
behavioral2/memory/4528-146-0x00007FF792FB0000-0x00007FF793301000-memory.dmp	xmrig
behavioral2/memory/4376-141-0x00007FF66F100000-0x00007FF66F451000-memory.dmp	xmrig
behavioral2/memory/4860-140-0x00007FF60FC80000-0x00007FF60FFD1000-memory.dmp	xmrig
behavioral2/memory/3772-139-0x00007FF73BB50000-0x00007FF73BEA1000-memory.dmp	xmrig
behavioral2/memory/3256-138-0x00007FF7A3520000-0x00007FF7A3871000-memory.dmp	xmrig
behavioral2/memory/4584-136-0x00007FF7E6600000-0x00007FF7E6951000-memory.dmp	xmrig
behavioral2/memory/944-133-0x00007FF68E580000-0x00007FF68E8D1000-memory.dmp	xmrig
behavioral2/memory/3512-132-0x00007FF721AC0000-0x00007FF721E11000-memory.dmp	xmrig
behavioral2/memory/464-129-0x00007FF67E420000-0x00007FF67E771000-memory.dmp	xmrig
behavioral2/memory/2356-131-0x00007FF679EF0000-0x00007FF67A241000-memory.dmp	xmrig
behavioral2/memory/4972-130-0x00007FF703EE0000-0x00007FF704231000-memory.dmp	xmrig
behavioral2/memory/4972-208-0x00007FF703EE0000-0x00007FF704231000-memory.dmp	xmrig
behavioral2/memory/2356-210-0x00007FF679EF0000-0x00007FF67A241000-memory.dmp	xmrig
behavioral2/memory/3512-214-0x00007FF721AC0000-0x00007FF721E11000-memory.dmp	xmrig
behavioral2/memory/944-213-0x00007FF68E580000-0x00007FF68E8D1000-memory.dmp	xmrig
behavioral2/memory/4836-218-0x00007FF6214E0000-0x00007FF621831000-memory.dmp	xmrig
behavioral2/memory/3768-217-0x00007FF665070000-0x00007FF6653C1000-memory.dmp	xmrig
behavioral2/memory/4584-220-0x00007FF7E6600000-0x00007FF7E6951000-memory.dmp	xmrig
behavioral2/memory/3256-232-0x00007FF7A3520000-0x00007FF7A3871000-memory.dmp	xmrig
behavioral2/memory/4860-235-0x00007FF60FC80000-0x00007FF60FFD1000-memory.dmp	xmrig
behavioral2/memory/3788-236-0x00007FF6FBA60000-0x00007FF6FBDB1000-memory.dmp	xmrig
behavioral2/memory/4052-238-0x00007FF602600000-0x00007FF602951000-memory.dmp	xmrig
behavioral2/memory/2344-251-0x00007FF7C3E20000-0x00007FF7C4171000-memory.dmp	xmrig
behavioral2/memory/4476-252-0x00007FF7D9ED0000-0x00007FF7DA221000-memory.dmp	xmrig
behavioral2/memory/3544-254-0x00007FF663F20000-0x00007FF664271000-memory.dmp	xmrig
behavioral2/memory/3772-247-0x00007FF73BB50000-0x00007FF73BEA1000-memory.dmp	xmrig
behavioral2/memory/4376-245-0x00007FF66F100000-0x00007FF66F451000-memory.dmp	xmrig
behavioral2/memory/1436-242-0x00007FF7CAE80000-0x00007FF7CB1D1000-memory.dmp	xmrig
behavioral2/memory/1216-249-0x00007FF60CF00000-0x00007FF60D251000-memory.dmp	xmrig
behavioral2/memory/4780-241-0x00007FF7F19B0000-0x00007FF7F1D01000-memory.dmp	xmrig
behavioral2/memory/1432-256-0x00007FF619DD0000-0x00007FF61A121000-memory.dmp	xmrig
behavioral2/memory/4528-260-0x00007FF792FB0000-0x00007FF793301000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4972	TpMXIyQ.exe
2356	jKzFDOu.exe
3512	SsoltXo.exe
944	kElpbvd.exe
3768	QGkBUDX.exe
4584	dEwATyT.exe
4836	pSoGZWL.exe
3788	MVoyXsE.exe
3256	fOmwaGF.exe
3772	boghjaU.exe
4860	lGzLYGd.exe
4376	rlwzSDO.exe
2344	dOoRRAq.exe
1216	wxcwirq.exe
4052	WRUqMiT.exe
1436	FFfHiGG.exe
4528	OcRTODg.exe
1432	QjUwibh.exe
4780	cLxRufi.exe
4476	BTdJgSr.exe
3544	fJOcIDm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/464-0-0x00007FF67E420000-0x00007FF67E771000-memory.dmp	upx
behavioral2/files/0x000d000000023b72-6.dat	upx
behavioral2/files/0x000a000000023b7d-19.dat	upx
behavioral2/memory/3512-23-0x00007FF721AC0000-0x00007FF721E11000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-33.dat	upx
behavioral2/files/0x000a000000023b7f-36.dat	upx
behavioral2/files/0x000a000000023b80-34.dat	upx
behavioral2/memory/944-31-0x00007FF68E580000-0x00007FF68E8D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-25.dat	upx
behavioral2/memory/2356-15-0x00007FF679EF0000-0x00007FF67A241000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-12.dat	upx
behavioral2/memory/4972-7-0x00007FF703EE0000-0x00007FF704231000-memory.dmp	upx
behavioral2/memory/4584-43-0x00007FF7E6600000-0x00007FF7E6951000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-70.dat	upx
behavioral2/files/0x000a000000023b86-71.dat	upx
behavioral2/files/0x000a000000023b89-90.dat	upx
behavioral2/files/0x000a000000023b8c-112.dat	upx
behavioral2/files/0x000a000000023b8d-123.dat	upx
behavioral2/memory/4476-126-0x00007FF7D9ED0000-0x00007FF7DA221000-memory.dmp	upx
behavioral2/memory/4780-125-0x00007FF7F19B0000-0x00007FF7F1D01000-memory.dmp	upx
behavioral2/memory/464-120-0x00007FF67E420000-0x00007FF67E771000-memory.dmp	upx
behavioral2/memory/3544-119-0x00007FF663F20000-0x00007FF664271000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-117.dat	upx
behavioral2/memory/4528-116-0x00007FF792FB0000-0x00007FF793301000-memory.dmp	upx
behavioral2/memory/4052-115-0x00007FF602600000-0x00007FF602951000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-111.dat	upx
behavioral2/memory/2344-108-0x00007FF7C3E20000-0x00007FF7C4171000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-102.dat	upx
behavioral2/memory/1432-96-0x00007FF619DD0000-0x00007FF61A121000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-88.dat	upx
behavioral2/memory/1436-87-0x00007FF7CAE80000-0x00007FF7CB1D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-83.dat	upx
behavioral2/files/0x000a000000023b84-82.dat	upx
behavioral2/files/0x0032000000023b78-81.dat	upx
behavioral2/memory/1216-76-0x00007FF60CF00000-0x00007FF60D251000-memory.dmp	upx
behavioral2/memory/4376-72-0x00007FF66F100000-0x00007FF66F451000-memory.dmp	upx
behavioral2/files/0x000a000000023b81-78.dat	upx
behavioral2/memory/4860-63-0x00007FF60FC80000-0x00007FF60FFD1000-memory.dmp	upx
behavioral2/memory/3772-59-0x00007FF73BB50000-0x00007FF73BEA1000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-54.dat	upx
behavioral2/memory/3256-53-0x00007FF7A3520000-0x00007FF7A3871000-memory.dmp	upx
behavioral2/memory/3788-51-0x00007FF6FBA60000-0x00007FF6FBDB1000-memory.dmp	upx
behavioral2/memory/3768-50-0x00007FF665070000-0x00007FF6653C1000-memory.dmp	upx
behavioral2/memory/4836-46-0x00007FF6214E0000-0x00007FF621831000-memory.dmp	upx
behavioral2/memory/3788-137-0x00007FF6FBA60000-0x00007FF6FBDB1000-memory.dmp	upx
behavioral2/memory/1216-143-0x00007FF60CF00000-0x00007FF60D251000-memory.dmp	upx
behavioral2/memory/3544-150-0x00007FF663F20000-0x00007FF664271000-memory.dmp	upx
behavioral2/memory/1432-147-0x00007FF619DD0000-0x00007FF61A121000-memory.dmp	upx
behavioral2/memory/1436-145-0x00007FF7CAE80000-0x00007FF7CB1D1000-memory.dmp	upx
behavioral2/memory/4528-146-0x00007FF792FB0000-0x00007FF793301000-memory.dmp	upx
behavioral2/memory/4376-141-0x00007FF66F100000-0x00007FF66F451000-memory.dmp	upx
behavioral2/memory/4860-140-0x00007FF60FC80000-0x00007FF60FFD1000-memory.dmp	upx
behavioral2/memory/3772-139-0x00007FF73BB50000-0x00007FF73BEA1000-memory.dmp	upx
behavioral2/memory/3256-138-0x00007FF7A3520000-0x00007FF7A3871000-memory.dmp	upx
behavioral2/memory/4584-136-0x00007FF7E6600000-0x00007FF7E6951000-memory.dmp	upx
behavioral2/memory/944-133-0x00007FF68E580000-0x00007FF68E8D1000-memory.dmp	upx
behavioral2/memory/3512-132-0x00007FF721AC0000-0x00007FF721E11000-memory.dmp	upx
behavioral2/memory/464-129-0x00007FF67E420000-0x00007FF67E771000-memory.dmp	upx
behavioral2/memory/2356-131-0x00007FF679EF0000-0x00007FF67A241000-memory.dmp	upx
behavioral2/memory/4972-130-0x00007FF703EE0000-0x00007FF704231000-memory.dmp	upx
behavioral2/memory/4972-208-0x00007FF703EE0000-0x00007FF704231000-memory.dmp	upx
behavioral2/memory/2356-210-0x00007FF679EF0000-0x00007FF67A241000-memory.dmp	upx
behavioral2/memory/3512-214-0x00007FF721AC0000-0x00007FF721E11000-memory.dmp	upx
behavioral2/memory/944-213-0x00007FF68E580000-0x00007FF68E8D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\QGkBUDX.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\boghjaU.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dOoRRAq.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QjUwibh.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jKzFDOu.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SsoltXo.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kElpbvd.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WRUqMiT.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cLxRufi.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rlwzSDO.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wxcwirq.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fJOcIDm.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pSoGZWL.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dEwATyT.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lGzLYGd.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FFfHiGG.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OcRTODg.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BTdJgSr.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TpMXIyQ.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MVoyXsE.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fOmwaGF.exe	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 4972	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 464 wrote to memory of 4972	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 464 wrote to memory of 2356	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 464 wrote to memory of 2356	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 464 wrote to memory of 3512	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 464 wrote to memory of 3512	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 464 wrote to memory of 944	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 464 wrote to memory of 944	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 464 wrote to memory of 3768	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 464 wrote to memory of 3768	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 464 wrote to memory of 4836	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 464 wrote to memory of 4836	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 464 wrote to memory of 4584	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 464 wrote to memory of 4584	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 464 wrote to memory of 3788	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 464 wrote to memory of 3788	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 464 wrote to memory of 3256	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 464 wrote to memory of 3256	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 464 wrote to memory of 3772	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 464 wrote to memory of 3772	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 464 wrote to memory of 4860	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 464 wrote to memory of 4860	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 464 wrote to memory of 4376	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 464 wrote to memory of 4376	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 464 wrote to memory of 2344	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 464 wrote to memory of 2344	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 464 wrote to memory of 1216	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 464 wrote to memory of 1216	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 464 wrote to memory of 4052	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 464 wrote to memory of 4052	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 464 wrote to memory of 1436	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 464 wrote to memory of 1436	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 464 wrote to memory of 4528	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 464 wrote to memory of 4528	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 464 wrote to memory of 1432	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 464 wrote to memory of 1432	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 464 wrote to memory of 4780	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 464 wrote to memory of 4780	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 464 wrote to memory of 4476	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 464 wrote to memory of 4476	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 464 wrote to memory of 3544	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 464 wrote to memory of 3544	464	2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-15_830a33b2d3108e090389d6adb75ca03c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\System\TpMXIyQ.exe
  C:\Windows\System\TpMXIyQ.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\jKzFDOu.exe
  C:\Windows\System\jKzFDOu.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\SsoltXo.exe
  C:\Windows\System\SsoltXo.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\kElpbvd.exe
  C:\Windows\System\kElpbvd.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System\QGkBUDX.exe
  C:\Windows\System\QGkBUDX.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System\pSoGZWL.exe
  C:\Windows\System\pSoGZWL.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\dEwATyT.exe
  C:\Windows\System\dEwATyT.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\MVoyXsE.exe
  C:\Windows\System\MVoyXsE.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System\fOmwaGF.exe
  C:\Windows\System\fOmwaGF.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System\boghjaU.exe
  C:\Windows\System\boghjaU.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System\lGzLYGd.exe
  C:\Windows\System\lGzLYGd.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\rlwzSDO.exe
  C:\Windows\System\rlwzSDO.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\dOoRRAq.exe
  C:\Windows\System\dOoRRAq.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\wxcwirq.exe
  C:\Windows\System\wxcwirq.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\WRUqMiT.exe
  C:\Windows\System\WRUqMiT.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System\FFfHiGG.exe
  C:\Windows\System\FFfHiGG.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\OcRTODg.exe
  C:\Windows\System\OcRTODg.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System\QjUwibh.exe
  C:\Windows\System\QjUwibh.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\cLxRufi.exe
  C:\Windows\System\cLxRufi.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\BTdJgSr.exe
  C:\Windows\System\BTdJgSr.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\fJOcIDm.exe
  C:\Windows\System\fJOcIDm.exe
  2⤵
  - Executes dropped EXE
  PID:3544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BTdJgSr.exe

Filesize
5.2MB

MD5
0e53eb8bbfb736412704ec76f149e578

SHA1
30865ef73e36121a1197cc4da1060afa5b0066f0

SHA256
c8da32d2073bcb1d4068e15fcd5597b336310aa720f569eeedca21b1a4b1ad14

SHA512
89a0f577c18f50767adfb5d15bf43e0af6ce172a64159359542f3f3e624f4ba52db25e27e8d0eb176c621d5a24499272878de39dc5a7f227653d4887a75edfca

Download Submit
C:\Windows\System\FFfHiGG.exe

Filesize
5.2MB

MD5
be69a9e62cf73ce0ee22655e795df99e

SHA1
beb9279031c6a4975ea4e4619fe9cffccb114bdc

SHA256
8726ea2193e5049b00cf7bb690dd2813717b8705b9aaa1828da3db2291cf01f4

SHA512
e23ed5798c5e04c4d2e5f0feac59c962590156cb147289fa9ea51123b5e14f592f861736eb2e3d2fd1d6b08328099674f7c4563ddf1c3a50dc43f8e45afc0d76

Download Submit
C:\Windows\System\MVoyXsE.exe

Filesize
5.2MB

MD5
0bc779eb03b5604e6b56f84e2a0b4510

SHA1
fcf62788c5a39050c0e2ddc97ae7ff0ad2bd60f4

SHA256
90e43b0325d95c4c96fe185ffd1c41240c120ea16b345cde084199bde8788cc9

SHA512
ac8c9a5a7ab233ec0138cb3c07a913ec4cab352b878375e08216a585cc0ebced47e61b700daada771132ad96dfd5baaa5c21fd2f0ead24b68ddc6abeea4824a8

Download Submit
C:\Windows\System\OcRTODg.exe

Filesize
5.2MB

MD5
4aab6cdc4abf1d90e790e5bee06d1c67

SHA1
a8c8ad0beaa1fe6cb9945f2c13715b9728302727

SHA256
029723b35d7328fb54bd3ff2cedb4473731a561f1312985f89bfe391c99f15c0

SHA512
b1fbbf0c1c37857794e89a8d3acaf6062f1c1d4557be7eac4c8d0b6f40ffbb7047aabef82001ab7d582275f6ced053ef9e2b44331ceff33e85846169eaca4688

Download Submit
C:\Windows\System\QGkBUDX.exe

Filesize
5.2MB

MD5
7d8a14bd8eafb8cd9d45b3f9e2bb9dd3

SHA1
00f99261eb08dc6744c013d6b6673964cd8c63be

SHA256
7bf1d83ac39739ea4154c85e33bea6cd1a288f0ab6f3d927dd82e0dc95cfaa43

SHA512
b7b2eb828d69c903e616189be433a74549801645d60b8e85bcb5059e64a31e95a5984ed8bd2ce4a2f9df7beac327df4b0bce54d069ca99ea83e95aa30b5e5cf1

Download Submit
C:\Windows\System\QjUwibh.exe

Filesize
5.2MB

MD5
8e49af8d8508d4bf84df2a6e39b6d7da

SHA1
024978b2af2aef80a0fa39ade58082746f337b52

SHA256
04b8c47732632b1ccf5da933badbdc34565b5ac8f9ac40065eac3fb6a6adcdf7

SHA512
025b1313f661ecebb8f8498bf022338bed60f8066d8bf39f327bfc8570cb98e60147e66e11e67b2a85bf64179d14b5b35a4e017d7d95bb921d1ad691cc02f79b

Download Submit
C:\Windows\System\SsoltXo.exe

Filesize
5.2MB

MD5
816eae9c2efa8a451729db87578a8b0d

SHA1
68b93707fdcee24beb91637c50c0f3511b84028b

SHA256
b74a22568f1d409ea93a7b5c5ecb2afa1ea35d89c1ce5d77d9d8ba1f6d5f0389

SHA512
5b13cf6e36b1c2f177b520fc70d8a3b86951913c38da89180ce5d1f6783fb13659635b0b8ef224b575fdb660d03ec5941e4e9b39d98468e194c676ed5587aad2

Download Submit
C:\Windows\System\TpMXIyQ.exe

Filesize
5.2MB

MD5
2bc45525794df915ef0ef8584ca0e604

SHA1
c0f1c917d0c012a1943fbe8e767e86bbe3697c01

SHA256
bc164b454499c95f0264056f56e22869a9c31c66402f16422cb011ec6deb3fae

SHA512
5f2293087ca2bcd05f1463890d240a5e4627ab5e1397d2569c683b9bf229da40973db20627905ef671af450d74e21e081b03ccb58dfa937afb6c568155de8a6f

Download Submit
C:\Windows\System\WRUqMiT.exe

Filesize
5.2MB

MD5
cb000cd1d71a6dd42564c9826ba5c88c

SHA1
551d449ec7b0008632c0e10b8d39a04d2b6a6dc8

SHA256
5a8845b118f82e6507d6525f3072c503664e48be78f93defc5380a1122bc2a15

SHA512
d155393e6f68d8e55334530b3cb6f3e1261988a0a77e4c0c49484b2f41c89077e35a5e1816e5dee3c057a2675d372cc019df632fc3440d00b89ea3900b1d38e3

Download Submit
C:\Windows\System\boghjaU.exe

Filesize
5.2MB

MD5
6902f87baad7673ad6c7c1ec1d08b25e

SHA1
1155676d9a541116cbb987c3e67c39531778ebf1

SHA256
c5b4dc0daee0a2f8f1ecc79d4c7e92c676a74fe3887a90dd2c2fdf086fd8fd7d

SHA512
c5d2ffc5de9f809aa10256f24ecfab753f387523c22b653f611fc2660050bbe7b2a267155984d4c141057a6188501c03ad885fd9cde916575abe895dd7473fed

Download Submit
C:\Windows\System\cLxRufi.exe

Filesize
5.2MB

MD5
97bf13796799fc7fcb6c553cdaf9e68a

SHA1
373abbfb1b5e67480d4570984b720cdde5e2aa3c

SHA256
7420a50c8cd21ed566e6b753866d02080cbd326d252755d74b9aa2172873b891

SHA512
2acd8330ec70e82c011d469eda3d9c783f276e45102b4e7026887403f751b3cb995469029e652424acf17a0d8a566881e30dc7da18532b8b241a026c9615d9db

Download Submit
C:\Windows\System\dEwATyT.exe

Filesize
5.2MB

MD5
bade0ecf11214225024fdb5594d45735

SHA1
7c859c67181d8898ae594a767e23b2b487d67a81

SHA256
1ac47dd5f22b77bf4f0df5dda1c281684fa426c333957ba7d38d552533fed095

SHA512
b3401d8b80fcafbbac5231c08365a60d21bf02cc8a95dbba2eeaa697492fb5c5692bfb393fbbbc8b72d296e9c51d7b1f24285a93a7a66596a4f7e85271f5e946

Download Submit
C:\Windows\System\dOoRRAq.exe

Filesize
5.2MB

MD5
281388e95f4817eea9e6967dc073dd2d

SHA1
dbe00b0a9b6b3482e2469a613926dd98c84fac4d

SHA256
d6423cb59af2f17bf8105eae5498364b776dfa2411a1454a50ab6469ecf6ca6d

SHA512
ca7d90cdaaab0697abfa5f4b25f12453adc94a5ebe1ecbe4c689313ba54c341e539e5be335bc3f4ede674efa854c898756c5c695f9edb8195cb9b44e8fc6a35c

Download Submit
C:\Windows\System\fJOcIDm.exe

Filesize
5.2MB

MD5
82d8ba5da741dcd51c2ea7454f5aa04f

SHA1
31d34330b0de4f211250ecc7fe6ee8f0340afbb1

SHA256
e89cf1abcb3af7b22b1dca613c71ff3886057555d446c8b206a79e4c338721cc

SHA512
65bd919652df17c22d04d8ef174d659393264538d2013364912f3997e8838fbcd2e613b471f8f82546af1399c12d51712a2b4ac7d8addbb0221a2c981cab2079

Download Submit
C:\Windows\System\fOmwaGF.exe

Filesize
5.2MB

MD5
c41a03601a1d533a01ecc4d9b044aa7e

SHA1
4f48cfd9b8aed797ce41e8a81ae8d678f747d913

SHA256
622fe3aeb49a8b1a1516510b56f4ab438ee222c73550fdbc7ace34ca5549d775

SHA512
2b5cb232af8b9d674b07fb72f8c48b17b437ff873e5e8d2185d964433a11b58e4e97d3f56d1b9adc59e8250f360a84dd879693a2dca0bd65a49794a68d79b8a1

Download Submit
C:\Windows\System\jKzFDOu.exe

Filesize
5.2MB

MD5
0c0b44a8d46b5073a744d1ca2f7942d6

SHA1
ed7e11fff9b152e56d1a3bc58d5d50c61da261c3

SHA256
48c08047efeee55612215afb20ddd9eb2193bb6bc33cba1f0dec5eca9a62c134

SHA512
0cb54c856dafc4c83764d8ed728c1b2b97ea0996ac7492c663a99aba6bb4d839f1bc90bc2e230cbf477d20034864edada909d885dc379ab723e8129ba69faadb

Download Submit
C:\Windows\System\kElpbvd.exe

Filesize
5.2MB

MD5
19aa35ed715a7010cc413d671c356e2e

SHA1
0785bce565d5071a018cd1648c379408775b2c84

SHA256
579e7b5d8e7f67f9e2ab781d40cde301ec770f53fe38cdf248aa39cea02bf6f9

SHA512
b467d9e8e07f430d5fc583ded0da5ab7416e4b9db8c9943241ba4381eedd7e2e350b2a743ff9c52e2e60b87308c43a2fd523f160d846f6a6452501ec3c628b52

Download Submit
C:\Windows\System\lGzLYGd.exe

Filesize
5.2MB

MD5
aee58a28de119512c870002f2ca7064a

SHA1
1ed07bc063deffe0c3232ee30c4f2b4bf49dddab

SHA256
83e666d82308728c2074b890a4b838625457ff420dc7cea473aabc95ab65d78d

SHA512
32deb275204f8056d426a0f3ab727d5383f7c472ec9aec430a4c2184a2c0beaae9231ca21d24cfc8c033753923bf7f5913856d642e6451b2e01afb1a3e61085a

Download Submit
C:\Windows\System\pSoGZWL.exe

Filesize
5.2MB

MD5
fa41b8296ecff81327d867efa69d8b3b

SHA1
9ed8b6e6b76ca844a7ada21cca2554d0fc4d142e

SHA256
cb03519159d677a2ab011dcbfe32afb58cfee115758f618eff73e777ddc4a26e

SHA512
c662f6df1ce65d3f1a5c5334498682c1f620b17a23f58322fade1afe65449873be501930029436acf08406ab19e537401c7fd7cc7378671905df7e087452a59d

Download Submit
C:\Windows\System\rlwzSDO.exe

Filesize
5.2MB

MD5
5d785993e81ced17195f1c2071d46620

SHA1
9e2139cc7f7cfcf56ab64ffc16b5279cbf5ebd7e

SHA256
2ea5c60d34c64f7ddf791d5896134901273348b81251da6812b19717a5a4ebf5

SHA512
37ccc53f6309e8c3711a7a910a0843076286ccd8501ca67a0169e32e5ba5c1f220bdb5b85ebe95bf38287de539ef5680a91d5fd4184f8e4bd6d28a8995a598ef

Download Submit
C:\Windows\System\wxcwirq.exe

Filesize
5.2MB

MD5
45aaac5cda3a0aba3f1d6e38457db4e2

SHA1
efb5dba624e5d733985c3d4b95a46e66e5a015aa

SHA256
7a92315b2cabe979c72844720c75b098f5fa74a7c43263a32511f28a95e0c1b2

SHA512
64828b207bc44ebc7ebd3223d94c58a1f3c28e92240faa7b31249152cf87b0fc5b1a542a8e1d6fce6be6c7317d9715886de862e34885f8b0fec7cdb27c50a272

Download Submit
memory/464-129-0x00007FF67E420000-0x00007FF67E771000-memory.dmp

Filesize
3.3MB

Download
memory/464-120-0x00007FF67E420000-0x00007FF67E771000-memory.dmp

Filesize
3.3MB

Download
memory/464-0-0x00007FF67E420000-0x00007FF67E771000-memory.dmp

Filesize
3.3MB

Download
memory/464-1-0x0000025C99C00000-0x0000025C99C10000-memory.dmp

Filesize
64KB

Download
memory/944-133-0x00007FF68E580000-0x00007FF68E8D1000-memory.dmp

Filesize
3.3MB

Download
memory/944-31-0x00007FF68E580000-0x00007FF68E8D1000-memory.dmp

Filesize
3.3MB

Download
memory/944-213-0x00007FF68E580000-0x00007FF68E8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-143-0x00007FF60CF00000-0x00007FF60D251000-memory.dmp

Filesize
3.3MB

Download
memory/1216-249-0x00007FF60CF00000-0x00007FF60D251000-memory.dmp

Filesize
3.3MB

Download
memory/1216-76-0x00007FF60CF00000-0x00007FF60D251000-memory.dmp

Filesize
3.3MB

Download
memory/1432-96-0x00007FF619DD0000-0x00007FF61A121000-memory.dmp

Filesize
3.3MB

Download
memory/1432-256-0x00007FF619DD0000-0x00007FF61A121000-memory.dmp

Filesize
3.3MB

Download
memory/1432-147-0x00007FF619DD0000-0x00007FF61A121000-memory.dmp

Filesize
3.3MB

Download
memory/1436-87-0x00007FF7CAE80000-0x00007FF7CB1D1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-242-0x00007FF7CAE80000-0x00007FF7CB1D1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-145-0x00007FF7CAE80000-0x00007FF7CB1D1000-memory.dmp

Filesize
3.3MB

Download
memory/2344-108-0x00007FF7C3E20000-0x00007FF7C4171000-memory.dmp

Filesize
3.3MB

Download
memory/2344-251-0x00007FF7C3E20000-0x00007FF7C4171000-memory.dmp

Filesize
3.3MB

Download
memory/2356-131-0x00007FF679EF0000-0x00007FF67A241000-memory.dmp

Filesize
3.3MB

Download
memory/2356-15-0x00007FF679EF0000-0x00007FF67A241000-memory.dmp

Filesize
3.3MB

Download
memory/2356-210-0x00007FF679EF0000-0x00007FF67A241000-memory.dmp

Filesize
3.3MB

Download
memory/3256-232-0x00007FF7A3520000-0x00007FF7A3871000-memory.dmp

Filesize
3.3MB

Download
memory/3256-53-0x00007FF7A3520000-0x00007FF7A3871000-memory.dmp

Filesize
3.3MB

Download
memory/3256-138-0x00007FF7A3520000-0x00007FF7A3871000-memory.dmp

Filesize
3.3MB

Download
memory/3512-23-0x00007FF721AC0000-0x00007FF721E11000-memory.dmp

Filesize
3.3MB

Download
memory/3512-132-0x00007FF721AC0000-0x00007FF721E11000-memory.dmp

Filesize
3.3MB

Download
memory/3512-214-0x00007FF721AC0000-0x00007FF721E11000-memory.dmp

Filesize
3.3MB

Download
memory/3544-254-0x00007FF663F20000-0x00007FF664271000-memory.dmp

Filesize
3.3MB

Download
memory/3544-150-0x00007FF663F20000-0x00007FF664271000-memory.dmp

Filesize
3.3MB

Download
memory/3544-119-0x00007FF663F20000-0x00007FF664271000-memory.dmp

Filesize
3.3MB

Download
memory/3768-50-0x00007FF665070000-0x00007FF6653C1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-217-0x00007FF665070000-0x00007FF6653C1000-memory.dmp

Filesize
3.3MB

Download
memory/3772-139-0x00007FF73BB50000-0x00007FF73BEA1000-memory.dmp

Filesize
3.3MB

Download
memory/3772-59-0x00007FF73BB50000-0x00007FF73BEA1000-memory.dmp

Filesize
3.3MB

Download
memory/3772-247-0x00007FF73BB50000-0x00007FF73BEA1000-memory.dmp

Filesize
3.3MB

Download
memory/3788-236-0x00007FF6FBA60000-0x00007FF6FBDB1000-memory.dmp

Filesize
3.3MB

Download
memory/3788-137-0x00007FF6FBA60000-0x00007FF6FBDB1000-memory.dmp

Filesize
3.3MB

Download
memory/3788-51-0x00007FF6FBA60000-0x00007FF6FBDB1000-memory.dmp

Filesize
3.3MB

Download
memory/4052-238-0x00007FF602600000-0x00007FF602951000-memory.dmp

Filesize
3.3MB

Download
memory/4052-115-0x00007FF602600000-0x00007FF602951000-memory.dmp

Filesize
3.3MB

Download
memory/4376-141-0x00007FF66F100000-0x00007FF66F451000-memory.dmp

Filesize
3.3MB

Download
memory/4376-72-0x00007FF66F100000-0x00007FF66F451000-memory.dmp

Filesize
3.3MB

Download
memory/4376-245-0x00007FF66F100000-0x00007FF66F451000-memory.dmp

Filesize
3.3MB

Download
memory/4476-126-0x00007FF7D9ED0000-0x00007FF7DA221000-memory.dmp

Filesize
3.3MB

Download
memory/4476-252-0x00007FF7D9ED0000-0x00007FF7DA221000-memory.dmp

Filesize
3.3MB

Download
memory/4528-146-0x00007FF792FB0000-0x00007FF793301000-memory.dmp

Filesize
3.3MB

Download
memory/4528-260-0x00007FF792FB0000-0x00007FF793301000-memory.dmp

Filesize
3.3MB

Download
memory/4528-116-0x00007FF792FB0000-0x00007FF793301000-memory.dmp

Filesize
3.3MB

Download
memory/4584-220-0x00007FF7E6600000-0x00007FF7E6951000-memory.dmp

Filesize
3.3MB

Download
memory/4584-43-0x00007FF7E6600000-0x00007FF7E6951000-memory.dmp

Filesize
3.3MB

Download
memory/4584-136-0x00007FF7E6600000-0x00007FF7E6951000-memory.dmp

Filesize
3.3MB

Download
memory/4780-125-0x00007FF7F19B0000-0x00007FF7F1D01000-memory.dmp

Filesize
3.3MB

Download
memory/4780-241-0x00007FF7F19B0000-0x00007FF7F1D01000-memory.dmp

Filesize
3.3MB

Download
memory/4836-46-0x00007FF6214E0000-0x00007FF621831000-memory.dmp

Filesize
3.3MB

Download
memory/4836-218-0x00007FF6214E0000-0x00007FF621831000-memory.dmp

Filesize
3.3MB

Download
memory/4860-140-0x00007FF60FC80000-0x00007FF60FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-63-0x00007FF60FC80000-0x00007FF60FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-235-0x00007FF60FC80000-0x00007FF60FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4972-130-0x00007FF703EE0000-0x00007FF704231000-memory.dmp

Filesize
3.3MB

Download
memory/4972-7-0x00007FF703EE0000-0x00007FF704231000-memory.dmp

Filesize
3.3MB

Download
memory/4972-208-0x00007FF703EE0000-0x00007FF704231000-memory.dmp

Filesize
3.3MB

Download