cobaltstrike | 31513725d2fcf3e7cd771bd4231c5acf26853afe5ce692b6bfb228b05368dd8f

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

65aa2fc2828856ec41aaad8375ae46aa
SHA1

cc07ab21f31d6470088818934513763e11405763
SHA256

31513725d2fcf3e7cd771bd4231c5acf26853afe5ce692b6bfb228b05368dd8f
SHA512

37bb6b4bb4da7c622ca9df20e661925d9a046625614e204be206977ec16e29a192511833f3c47036a4dd5d382a8861c3190c393635d14059c881e7a62379ec9e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lp:RWWBibf56utgpPFotBER/mQ32lUF

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023bba-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-125.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023ca5-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-92.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/3596-46-0x00007FF62B520000-0x00007FF62B871000-memory.dmp	xmrig
behavioral2/memory/952-114-0x00007FF772060000-0x00007FF7723B1000-memory.dmp	xmrig
behavioral2/memory/4580-118-0x00007FF631450000-0x00007FF6317A1000-memory.dmp	xmrig
behavioral2/memory/3732-117-0x00007FF7CF0B0000-0x00007FF7CF401000-memory.dmp	xmrig
behavioral2/memory/4756-115-0x00007FF702590000-0x00007FF7028E1000-memory.dmp	xmrig
behavioral2/memory/8-113-0x00007FF638840000-0x00007FF638B91000-memory.dmp	xmrig
behavioral2/memory/3460-112-0x00007FF605AF0000-0x00007FF605E41000-memory.dmp	xmrig
behavioral2/memory/3852-110-0x00007FF694680000-0x00007FF6949D1000-memory.dmp	xmrig
behavioral2/memory/3936-109-0x00007FF75C820000-0x00007FF75CB71000-memory.dmp	xmrig
behavioral2/memory/5000-99-0x00007FF7EBBA0000-0x00007FF7EBEF1000-memory.dmp	xmrig
behavioral2/memory/1908-79-0x00007FF7E7810000-0x00007FF7E7B61000-memory.dmp	xmrig
behavioral2/memory/5036-128-0x00007FF6A0330000-0x00007FF6A0681000-memory.dmp	xmrig
behavioral2/memory/2456-132-0x00007FF6D9190000-0x00007FF6D94E1000-memory.dmp	xmrig
behavioral2/memory/3188-147-0x00007FF766820000-0x00007FF766B71000-memory.dmp	xmrig
behavioral2/memory/2712-149-0x00007FF629FC0000-0x00007FF62A311000-memory.dmp	xmrig
behavioral2/memory/3124-148-0x00007FF780770000-0x00007FF780AC1000-memory.dmp	xmrig
behavioral2/memory/4756-146-0x00007FF702590000-0x00007FF7028E1000-memory.dmp	xmrig
behavioral2/memory/5032-137-0x00007FF7CF230000-0x00007FF7CF581000-memory.dmp	xmrig
behavioral2/memory/3168-140-0x00007FF752B30000-0x00007FF752E81000-memory.dmp	xmrig
behavioral2/memory/2648-136-0x00007FF6E03F0000-0x00007FF6E0741000-memory.dmp	xmrig
behavioral2/memory/4624-131-0x00007FF759A30000-0x00007FF759D81000-memory.dmp	xmrig
behavioral2/memory/1056-130-0x00007FF679200000-0x00007FF679551000-memory.dmp	xmrig
behavioral2/memory/3192-129-0x00007FF6C04B0000-0x00007FF6C0801000-memory.dmp	xmrig
behavioral2/memory/3596-133-0x00007FF62B520000-0x00007FF62B871000-memory.dmp	xmrig
behavioral2/memory/5036-150-0x00007FF6A0330000-0x00007FF6A0681000-memory.dmp	xmrig
behavioral2/memory/5036-151-0x00007FF6A0330000-0x00007FF6A0681000-memory.dmp	xmrig
behavioral2/memory/3192-203-0x00007FF6C04B0000-0x00007FF6C0801000-memory.dmp	xmrig
behavioral2/memory/1056-205-0x00007FF679200000-0x00007FF679551000-memory.dmp	xmrig
behavioral2/memory/4624-222-0x00007FF759A30000-0x00007FF759D81000-memory.dmp	xmrig
behavioral2/memory/2456-224-0x00007FF6D9190000-0x00007FF6D94E1000-memory.dmp	xmrig
behavioral2/memory/3596-226-0x00007FF62B520000-0x00007FF62B871000-memory.dmp	xmrig
behavioral2/memory/1908-228-0x00007FF7E7810000-0x00007FF7E7B61000-memory.dmp	xmrig
behavioral2/memory/3936-230-0x00007FF75C820000-0x00007FF75CB71000-memory.dmp	xmrig
behavioral2/memory/3732-239-0x00007FF7CF0B0000-0x00007FF7CF401000-memory.dmp	xmrig
behavioral2/memory/2648-241-0x00007FF6E03F0000-0x00007FF6E0741000-memory.dmp	xmrig
behavioral2/memory/8-246-0x00007FF638840000-0x00007FF638B91000-memory.dmp	xmrig
behavioral2/memory/952-248-0x00007FF772060000-0x00007FF7723B1000-memory.dmp	xmrig
behavioral2/memory/4580-250-0x00007FF631450000-0x00007FF6317A1000-memory.dmp	xmrig
behavioral2/memory/5032-244-0x00007FF7CF230000-0x00007FF7CF581000-memory.dmp	xmrig
behavioral2/memory/5000-243-0x00007FF7EBBA0000-0x00007FF7EBEF1000-memory.dmp	xmrig
behavioral2/memory/3852-237-0x00007FF694680000-0x00007FF6949D1000-memory.dmp	xmrig
behavioral2/memory/3460-235-0x00007FF605AF0000-0x00007FF605E41000-memory.dmp	xmrig
behavioral2/memory/3168-233-0x00007FF752B30000-0x00007FF752E81000-memory.dmp	xmrig
behavioral2/memory/2712-254-0x00007FF629FC0000-0x00007FF62A311000-memory.dmp	xmrig
behavioral2/memory/3124-253-0x00007FF780770000-0x00007FF780AC1000-memory.dmp	xmrig
behavioral2/memory/3188-256-0x00007FF766820000-0x00007FF766B71000-memory.dmp	xmrig
behavioral2/memory/4756-260-0x00007FF702590000-0x00007FF7028E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3192	DQayDsH.exe
1056	YhJLpwx.exe
4624	ztQCrko.exe
2456	qjyVkdY.exe
3596	dzWNkBC.exe
1908	jVDDUTW.exe
5000	TZnBrtS.exe
2648	nAZhPDQ.exe
5032	VIDXrLj.exe
3936	PIFXLNI.exe
3852	EEiQLal.exe
3168	qYLAAYB.exe
3460	EUzLUiW.exe
3732	TfDDIxK.exe
4580	PFgKJhu.exe
8	brEVRMg.exe
952	pvDHGyn.exe
4756	pSYDvVz.exe
3188	pIcuhqx.exe
3124	ZGeAIgj.exe
2712	OZnGIYN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5036-0-0x00007FF6A0330000-0x00007FF6A0681000-memory.dmp	upx
behavioral2/files/0x000c000000023bba-5.dat	upx
behavioral2/memory/4624-20-0x00007FF759A30000-0x00007FF759D81000-memory.dmp	upx
behavioral2/files/0x0007000000023cb5-58.dat	upx
behavioral2/files/0x0007000000023cb2-66.dat	upx
behavioral2/memory/5032-59-0x00007FF7CF230000-0x00007FF7CF581000-memory.dmp	upx
behavioral2/files/0x0007000000023cb4-57.dat	upx
behavioral2/files/0x0007000000023cb1-62.dat	upx
behavioral2/files/0x0007000000023caf-54.dat	upx
behavioral2/memory/2648-51-0x00007FF6E03F0000-0x00007FF6E0741000-memory.dmp	upx
behavioral2/files/0x0007000000023cb3-50.dat	upx
behavioral2/memory/3596-46-0x00007FF62B520000-0x00007FF62B871000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-39.dat	upx
behavioral2/files/0x0007000000023cb0-38.dat	upx
behavioral2/memory/2456-35-0x00007FF6D9190000-0x00007FF6D94E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-32.dat	upx
behavioral2/files/0x0007000000023cac-26.dat	upx
behavioral2/files/0x0007000000023cab-15.dat	upx
behavioral2/memory/1056-19-0x00007FF679200000-0x00007FF679551000-memory.dmp	upx
behavioral2/memory/3192-7-0x00007FF6C04B0000-0x00007FF6C0801000-memory.dmp	upx
behavioral2/files/0x0007000000023cb6-71.dat	upx
behavioral2/files/0x0007000000023cba-94.dat	upx
behavioral2/files/0x0007000000023cbc-107.dat	upx
behavioral2/memory/952-114-0x00007FF772060000-0x00007FF7723B1000-memory.dmp	upx
behavioral2/memory/4580-118-0x00007FF631450000-0x00007FF6317A1000-memory.dmp	upx
behavioral2/files/0x0007000000023cbd-125.dat	upx
behavioral2/files/0x0009000000023ca5-121.dat	upx
behavioral2/memory/2712-120-0x00007FF629FC0000-0x00007FF62A311000-memory.dmp	upx
behavioral2/memory/3188-119-0x00007FF766820000-0x00007FF766B71000-memory.dmp	upx
behavioral2/memory/3732-117-0x00007FF7CF0B0000-0x00007FF7CF401000-memory.dmp	upx
behavioral2/memory/3124-116-0x00007FF780770000-0x00007FF780AC1000-memory.dmp	upx
behavioral2/memory/4756-115-0x00007FF702590000-0x00007FF7028E1000-memory.dmp	upx
behavioral2/memory/8-113-0x00007FF638840000-0x00007FF638B91000-memory.dmp	upx
behavioral2/memory/3460-112-0x00007FF605AF0000-0x00007FF605E41000-memory.dmp	upx
behavioral2/memory/3852-110-0x00007FF694680000-0x00007FF6949D1000-memory.dmp	upx
behavioral2/memory/3936-109-0x00007FF75C820000-0x00007FF75CB71000-memory.dmp	upx
behavioral2/files/0x0007000000023cbb-105.dat	upx
behavioral2/files/0x0007000000023cb9-103.dat	upx
behavioral2/files/0x0007000000023cb8-100.dat	upx
behavioral2/memory/5000-99-0x00007FF7EBBA0000-0x00007FF7EBEF1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb7-92.dat	upx
behavioral2/memory/1908-79-0x00007FF7E7810000-0x00007FF7E7B61000-memory.dmp	upx
behavioral2/memory/3168-70-0x00007FF752B30000-0x00007FF752E81000-memory.dmp	upx
behavioral2/memory/5036-128-0x00007FF6A0330000-0x00007FF6A0681000-memory.dmp	upx
behavioral2/memory/2456-132-0x00007FF6D9190000-0x00007FF6D94E1000-memory.dmp	upx
behavioral2/memory/3188-147-0x00007FF766820000-0x00007FF766B71000-memory.dmp	upx
behavioral2/memory/2712-149-0x00007FF629FC0000-0x00007FF62A311000-memory.dmp	upx
behavioral2/memory/3124-148-0x00007FF780770000-0x00007FF780AC1000-memory.dmp	upx
behavioral2/memory/4756-146-0x00007FF702590000-0x00007FF7028E1000-memory.dmp	upx
behavioral2/memory/5032-137-0x00007FF7CF230000-0x00007FF7CF581000-memory.dmp	upx
behavioral2/memory/3168-140-0x00007FF752B30000-0x00007FF752E81000-memory.dmp	upx
behavioral2/memory/2648-136-0x00007FF6E03F0000-0x00007FF6E0741000-memory.dmp	upx
behavioral2/memory/4624-131-0x00007FF759A30000-0x00007FF759D81000-memory.dmp	upx
behavioral2/memory/1056-130-0x00007FF679200000-0x00007FF679551000-memory.dmp	upx
behavioral2/memory/3192-129-0x00007FF6C04B0000-0x00007FF6C0801000-memory.dmp	upx
behavioral2/memory/3596-133-0x00007FF62B520000-0x00007FF62B871000-memory.dmp	upx
behavioral2/memory/5036-150-0x00007FF6A0330000-0x00007FF6A0681000-memory.dmp	upx
behavioral2/memory/5036-151-0x00007FF6A0330000-0x00007FF6A0681000-memory.dmp	upx
behavioral2/memory/3192-203-0x00007FF6C04B0000-0x00007FF6C0801000-memory.dmp	upx
behavioral2/memory/1056-205-0x00007FF679200000-0x00007FF679551000-memory.dmp	upx
behavioral2/memory/4624-222-0x00007FF759A30000-0x00007FF759D81000-memory.dmp	upx
behavioral2/memory/2456-224-0x00007FF6D9190000-0x00007FF6D94E1000-memory.dmp	upx
behavioral2/memory/3596-226-0x00007FF62B520000-0x00007FF62B871000-memory.dmp	upx
behavioral2/memory/1908-228-0x00007FF7E7810000-0x00007FF7E7B61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\qjyVkdY.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nAZhPDQ.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pvDHGyn.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OZnGIYN.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YhJLpwx.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ztQCrko.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TZnBrtS.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qYLAAYB.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TfDDIxK.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DQayDsH.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dzWNkBC.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VIDXrLj.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EEiQLal.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZGeAIgj.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pSYDvVz.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pIcuhqx.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jVDDUTW.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PIFXLNI.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EUzLUiW.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\brEVRMg.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PFgKJhu.exe	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 3192	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5036 wrote to memory of 3192	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5036 wrote to memory of 1056	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5036 wrote to memory of 1056	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5036 wrote to memory of 4624	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5036 wrote to memory of 4624	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5036 wrote to memory of 2456	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5036 wrote to memory of 2456	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5036 wrote to memory of 3596	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5036 wrote to memory of 3596	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5036 wrote to memory of 1908	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5036 wrote to memory of 1908	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5036 wrote to memory of 5000	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5036 wrote to memory of 5000	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5036 wrote to memory of 2648	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5036 wrote to memory of 2648	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5036 wrote to memory of 5032	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5036 wrote to memory of 5032	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5036 wrote to memory of 3936	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5036 wrote to memory of 3936	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5036 wrote to memory of 3852	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5036 wrote to memory of 3852	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5036 wrote to memory of 3168	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5036 wrote to memory of 3168	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5036 wrote to memory of 3460	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5036 wrote to memory of 3460	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5036 wrote to memory of 3732	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5036 wrote to memory of 3732	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5036 wrote to memory of 8	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5036 wrote to memory of 8	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5036 wrote to memory of 952	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5036 wrote to memory of 952	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5036 wrote to memory of 4580	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5036 wrote to memory of 4580	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5036 wrote to memory of 4756	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5036 wrote to memory of 4756	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5036 wrote to memory of 3188	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5036 wrote to memory of 3188	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5036 wrote to memory of 3124	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5036 wrote to memory of 3124	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5036 wrote to memory of 2712	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5036 wrote to memory of 2712	5036	2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_65aa2fc2828856ec41aaad8375ae46aa_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\System\DQayDsH.exe
  C:\Windows\System\DQayDsH.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\YhJLpwx.exe
  C:\Windows\System\YhJLpwx.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\ztQCrko.exe
  C:\Windows\System\ztQCrko.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\qjyVkdY.exe
  C:\Windows\System\qjyVkdY.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\dzWNkBC.exe
  C:\Windows\System\dzWNkBC.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\jVDDUTW.exe
  C:\Windows\System\jVDDUTW.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\TZnBrtS.exe
  C:\Windows\System\TZnBrtS.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\nAZhPDQ.exe
  C:\Windows\System\nAZhPDQ.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\VIDXrLj.exe
  C:\Windows\System\VIDXrLj.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\PIFXLNI.exe
  C:\Windows\System\PIFXLNI.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System\EEiQLal.exe
  C:\Windows\System\EEiQLal.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\qYLAAYB.exe
  C:\Windows\System\qYLAAYB.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\EUzLUiW.exe
  C:\Windows\System\EUzLUiW.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\TfDDIxK.exe
  C:\Windows\System\TfDDIxK.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System\brEVRMg.exe
  C:\Windows\System\brEVRMg.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\pvDHGyn.exe
  C:\Windows\System\pvDHGyn.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\System\PFgKJhu.exe
  C:\Windows\System\PFgKJhu.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\pSYDvVz.exe
  C:\Windows\System\pSYDvVz.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\pIcuhqx.exe
  C:\Windows\System\pIcuhqx.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\ZGeAIgj.exe
  C:\Windows\System\ZGeAIgj.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\OZnGIYN.exe
  C:\Windows\System\OZnGIYN.exe
  2⤵
  - Executes dropped EXE
  PID:2712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DQayDsH.exe

Filesize
5.2MB

MD5
726a83d7fd64e82e3f15091291c3336a

SHA1
915672d9f267e7ab6e7d51d8abe24b89bd7cdcf6

SHA256
bb14791e2f16a6147f6d8e6d778d1aea910846a094f2505efdc7c011f2906920

SHA512
3e9300ca617fd090bc3810df6085ad056a638ebf9377d69ef634410722f9d16faa9892598d95a0fec5356a10a6248eb139460103333104547e0e6cccbafe09fa

Download Submit
C:\Windows\System\EEiQLal.exe

Filesize
5.2MB

MD5
a44a4b342b681084fd26c00ba2680f91

SHA1
821b32412b89e5626b43b6214a42e663f6eb4b0a

SHA256
5c99eca449c16cfa466c75fac1e01ddace32340a7f89f00265a8db6650933cf8

SHA512
f982c7cc8f52827ef364a1c2780e2c7d08b16010a57eb832cc013c1d49caabf7139ea608bcb69d8f7799ea4fccaf4bcfc4f9386de52c494edd89a79c7b23afc8

Download Submit
C:\Windows\System\EUzLUiW.exe

Filesize
5.2MB

MD5
13b4f17ddd962f6a504cad59af7d2093

SHA1
7cd70bd1382c722fcbf4492a477d6412d66a1e37

SHA256
f2db78e098cb3937709589bc6fe2b51501c54f02a956f8e218b1d4ae741a97ce

SHA512
a2dc66b9a7162e5e1e9b2918eeb9aa0b42bd9272dc7621fd14d7892a7296758e30a7fe26d6236ceeab895ad6b868c7440ffbffdd17d7fe04364be3334a0447bb

Download Submit
C:\Windows\System\OZnGIYN.exe

Filesize
5.2MB

MD5
f59782f5318caf42333691391dcc9404

SHA1
93f225a86bac03e583efa3041c0de4922ae97f1f

SHA256
d4d9b1461ef51128b29c61d0d1cedff7a9c5d8a34ee22ef8191bf6dbba7b7a4b

SHA512
35ff7b1513b5efee79959c74ef29d6ed00309f3a23fb52edfdaa4c4286458c2fe434f9066611d17f7b2920e4074f37fd09dd2ed4c71f0426cde17099d36307de

Download Submit
C:\Windows\System\PFgKJhu.exe

Filesize
5.2MB

MD5
683932e6fc838dfff9101a791ee52038

SHA1
f6ef1a8ecbf8e789b26234890421eee1491e6096

SHA256
7eda1d6dbeb7842b1b71253db5a58ca208a120f48286db5d5e012cfdd97ea47b

SHA512
cdb32873debfc37af046fcab15ec79ec426caf9e00f773bf209455ca0e72b15b197cc145cb8f82a6e385913aee87f9a8de47ad8d7733bab7ac233c323260b4e7

Download Submit
C:\Windows\System\PIFXLNI.exe

Filesize
5.2MB

MD5
ff3ebbd616bbb03f4b125d8c02a82f5c

SHA1
0e743352ed668f32376eb5a7eba5b43ba6412720

SHA256
806793335464edb402c98f4cd4892cfd13c77e31d3caa6ff9072924c48061b3a

SHA512
227ba4f6f3c8f592fbab24b46b4ff9563e7a2843ded1e4a6298d247d92d17e16b88a5fcc651848c6da42dd12821955fa2ec960d65570518643431e82244c9942

Download Submit
C:\Windows\System\TZnBrtS.exe

Filesize
5.2MB

MD5
0adff2e40b9047956792ea16a5988fa9

SHA1
3d3581a88041c9266eba16ad043abba3c18f767f

SHA256
e857d19db3c0cdf67ce17ea80be2b2c50e2d8c3074c1e26d2f9380962f99d1d0

SHA512
5daf0d7d2c4cba69e1bc06815173e30782f95d045522295f13a301ebfa3a0429d6bb152d8da415d83638ed61257fbc85ccef8c3fdbb0daaf07d560a57b1d2066

Download Submit
C:\Windows\System\TfDDIxK.exe

Filesize
5.2MB

MD5
cc201c9df04dfeaa3377bef9a2b2b9f3

SHA1
ea74f39c68faadc13ab9bee41a0f5e223b433034

SHA256
033a2e173efea53b7d52cd5cedaee319abe28c0a07209a6038b8c0ba90eb08b1

SHA512
e982e992a1ac487c1756f0c75a0910dc628269add4bced34f79d19bad69d67e385d331576c30b6bf210a8cbdea5574c923ce317e93e2bf21824481494563296f

Download Submit
C:\Windows\System\VIDXrLj.exe

Filesize
5.2MB

MD5
3e6bb8cd1bb76ea0682623c9ea24a9f6

SHA1
da96f2bf3dda8e8330c70662c2eb86fa5c149e04

SHA256
2f4f964dba60747626c7bb96db23480f384cd3e1f003fc6ac0a23fa40c4beef7

SHA512
460abe15b0a3a8504942650e531b5364db98d6d173c018230a64e3408a6959938df4adb3abfe31dbc2fb28ea35175f7699e379545f2187be59141b93de2edddb

Download Submit
C:\Windows\System\YhJLpwx.exe

Filesize
5.2MB

MD5
ef9cb688382ee11961a2de5f29ec0eda

SHA1
c3287871117a1f14cb27711836e1547adb1ecd61

SHA256
ad594f4c8797d1c97de429440d7f71d7c7d2f20f2386cea964c0f52f966fa2aa

SHA512
8256091c980a3d6b6f3627028f38aebe9eb67207d600369c967631149abcad6efae9ea795f3b35e1b6ec0e017233d4d14a5f20ae84cd507e2026c980d15b3fba

Download Submit
C:\Windows\System\ZGeAIgj.exe

Filesize
5.2MB

MD5
c522b11fafa9a0384552ad6c09e963ae

SHA1
041a2f1782708bca8864088c34bd122b0795dd14

SHA256
ea1dbf415738f89dd340119e66ed45625f0b694932ff77abaadd0c99d21046cb

SHA512
b16701a7f58666a5f044536874b4c6ac8af7f65a86d6c2b9ef3095b2a9bdfec14cbef86881788e9f35a2354a3eae3d5fbc1c8c40d61e844f6b9ec6c06d38c3be

Download Submit
C:\Windows\System\brEVRMg.exe

Filesize
5.2MB

MD5
393c5b41643125c3054fc8a299c018d5

SHA1
0c6c431d14c43ffb12fb17e849e00ef672ecb81b

SHA256
e9019af93062c1ce7ab11b2e6365a601546a045315645ae0b4e4343efb7729ae

SHA512
d08fbe67261c4c8c2e3a06dfdf204440624a63fe28951849648b2f260e5c1bfffeaad23133439d08529040a40818d6d81ebe422f84a6d119bda08d6a35cf5383

Download Submit
C:\Windows\System\dzWNkBC.exe

Filesize
5.2MB

MD5
2e05e05fd5f9ca6f6f4cec918f54fd23

SHA1
3af32d214733b75a5b5222d3351117acd40c9276

SHA256
17b4aa2c2c9a487cdaaa9e4ceccef0c1b35fb895b75ea2d5f22e31b237fe1caa

SHA512
11a6c88903e4fb41f8168084da82be7a2cf361715365606955f5626fb116fe0dc70558775e36811f5905ba85a14300e7a894c4d4445c2999e65a9879dc2945b0

Download Submit
C:\Windows\System\jVDDUTW.exe

Filesize
5.2MB

MD5
a4491e22c93b05857e1259bd89ebc454

SHA1
a510757d8c6a92102ddeb3e79b1fdebe580223f3

SHA256
9fc9f4b7c1257fe7eabb5c1b1a5895ae8f261b54b602fcebd82a3a9b746bfe37

SHA512
b291f34b1805c8680f5a10e51161d50240d40c62f670755b150bb9e4292729575b5b50b81513bc288653dca9d279830d2024de084f9aaf08bc5c2c0a2d6e7323

Download Submit
C:\Windows\System\nAZhPDQ.exe

Filesize
5.2MB

MD5
a1107daa19bc73d4c1b5fd441597c1c8

SHA1
c96a94693a5a8b9e239c2b2f1dfe91937c6eed71

SHA256
351e394640ba68a2fcb107b3004f938d80a957d09384fc6100b4e378d6c99bd2

SHA512
040a799e9a9a2b4813f016e146a616a14a728bbed4d48ed533d1201663d5914b4071ca36b79d9d5f42e54a8f4c17512e4268f9d21e947acb53d72331adfe16be

Download Submit
C:\Windows\System\pIcuhqx.exe

Filesize
5.2MB

MD5
07a6df913b914155a63e995254279ae0

SHA1
3c31ff869b0a2c164ddedfa5b53bcaa7c3aac179

SHA256
cac510523dce217ee6d9904bbf6d5168eaf2261cf01b72aef16d29e441e0284d

SHA512
79b78e62321fa96e24a9dd730bb2b95839d4478502a16e8f266dfa3958a5d2b05c93de8e0ac81ed8db57b705b55f3e4fbb33f2bfdb566086baa3410ddd0bfe56

Download Submit
C:\Windows\System\pSYDvVz.exe

Filesize
5.2MB

MD5
2f2a7fe5b5f3c9e8d4bec61d38283cfd

SHA1
d72327fed8f516625a54a7f3b962af3f4c642eeb

SHA256
3fc883cf4d250e8740bfe4075084cd00918c28c9b7e45aec1543e3a9e4d079ee

SHA512
fd9ad6260cfafc89d600793f42e49a808546dfc97ec95efa9e50ab3f6acf9c012ac675a88dacc241685f12eec2c95b73643e9c02f0b63c40cb4d26253ca6685c

Download Submit
C:\Windows\System\pvDHGyn.exe

Filesize
5.2MB

MD5
ea2696131f19d60063011c99920291cb

SHA1
3ff61c32c96b4ecc1a5a95f13f66847d15990b3b

SHA256
e90c267573a192ac9faffd1d77f382890eb7ea93c7281ebe7cb7271e3f2f4e3d

SHA512
28e905e3c5f005a1e2d8f90e61186ba5ef20df81e724607a3850ac4dca854a7af3ad00109a4f3bb9244b2608d20c726f5936f93bed4b8e9c6bc98e7acdbfb7b6

Download Submit
C:\Windows\System\qYLAAYB.exe

Filesize
5.2MB

MD5
774c64a8f0325954ceab94a60d3275ea

SHA1
73ef8ed96530387956faf883d39b446d201c60a9

SHA256
549d04304fb7a821f1569ed0185b88ae703dad7d3c832a11499b9f7ee46f5d3a

SHA512
d03a26eced60f189d360e5efaaac3dd58ad8d3f52ef7277ee35658e528efa930bdcc6eea97713c9a9b018eeea0208eb417c9004d458bf2ae3dc7b78c6fd01667

Download Submit
C:\Windows\System\qjyVkdY.exe

Filesize
5.2MB

MD5
3135ddeeec07148197c27bb599ac3d4a

SHA1
1b663272996ef78d276d8a5263fa68ed10af82e1

SHA256
b77b40ac7cc08f88a00eccd6bbcf2b6390a428b08605d122d82ca38f19989e5f

SHA512
2c7bb960156c28b4aa041094c764ab994f700ce8ebf3f35add97f163a196d57e9dcaff38adcf39c3223d01a92954b9a566b4eddb9673277e814f868903c95588

Download Submit
C:\Windows\System\ztQCrko.exe

Filesize
5.2MB

MD5
0b07cfed573ef17ffb2e9013a061c6ea

SHA1
48ea133f8c1563248dd9529d275acfd643ec8d57

SHA256
57c6862499c82b7edc8730e80374672597e994525a66341e330bdab8b9574245

SHA512
1df80c25baaf802c7d1d0083668f6de3d56d2e7dd59cf5bbc9bdf038fbca396f38510cb04422b5acbc58e68e665195507cf8fd1a09e176893364a0b26683aea0

Download Submit
memory/8-113-0x00007FF638840000-0x00007FF638B91000-memory.dmp

Filesize
3.3MB

Download
memory/8-246-0x00007FF638840000-0x00007FF638B91000-memory.dmp

Filesize
3.3MB

Download
memory/952-248-0x00007FF772060000-0x00007FF7723B1000-memory.dmp

Filesize
3.3MB

Download
memory/952-114-0x00007FF772060000-0x00007FF7723B1000-memory.dmp

Filesize
3.3MB

Download
memory/1056-19-0x00007FF679200000-0x00007FF679551000-memory.dmp

Filesize
3.3MB

Download
memory/1056-205-0x00007FF679200000-0x00007FF679551000-memory.dmp

Filesize
3.3MB

Download
memory/1056-130-0x00007FF679200000-0x00007FF679551000-memory.dmp

Filesize
3.3MB

Download
memory/1908-79-0x00007FF7E7810000-0x00007FF7E7B61000-memory.dmp

Filesize
3.3MB

Download
memory/1908-228-0x00007FF7E7810000-0x00007FF7E7B61000-memory.dmp

Filesize
3.3MB

Download
memory/2456-35-0x00007FF6D9190000-0x00007FF6D94E1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-132-0x00007FF6D9190000-0x00007FF6D94E1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-224-0x00007FF6D9190000-0x00007FF6D94E1000-memory.dmp

Filesize
3.3MB

Download
memory/2648-241-0x00007FF6E03F0000-0x00007FF6E0741000-memory.dmp

Filesize
3.3MB

Download
memory/2648-136-0x00007FF6E03F0000-0x00007FF6E0741000-memory.dmp

Filesize
3.3MB

Download
memory/2648-51-0x00007FF6E03F0000-0x00007FF6E0741000-memory.dmp

Filesize
3.3MB

Download
memory/2712-149-0x00007FF629FC0000-0x00007FF62A311000-memory.dmp

Filesize
3.3MB

Download
memory/2712-254-0x00007FF629FC0000-0x00007FF62A311000-memory.dmp

Filesize
3.3MB

Download
memory/2712-120-0x00007FF629FC0000-0x00007FF62A311000-memory.dmp

Filesize
3.3MB

Download
memory/3124-253-0x00007FF780770000-0x00007FF780AC1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-116-0x00007FF780770000-0x00007FF780AC1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-148-0x00007FF780770000-0x00007FF780AC1000-memory.dmp

Filesize
3.3MB

Download
memory/3168-233-0x00007FF752B30000-0x00007FF752E81000-memory.dmp

Filesize
3.3MB

Download
memory/3168-140-0x00007FF752B30000-0x00007FF752E81000-memory.dmp

Filesize
3.3MB

Download
memory/3168-70-0x00007FF752B30000-0x00007FF752E81000-memory.dmp

Filesize
3.3MB

Download
memory/3188-119-0x00007FF766820000-0x00007FF766B71000-memory.dmp

Filesize
3.3MB

Download
memory/3188-147-0x00007FF766820000-0x00007FF766B71000-memory.dmp

Filesize
3.3MB

Download
memory/3188-256-0x00007FF766820000-0x00007FF766B71000-memory.dmp

Filesize
3.3MB

Download
memory/3192-7-0x00007FF6C04B0000-0x00007FF6C0801000-memory.dmp

Filesize
3.3MB

Download
memory/3192-203-0x00007FF6C04B0000-0x00007FF6C0801000-memory.dmp

Filesize
3.3MB

Download
memory/3192-129-0x00007FF6C04B0000-0x00007FF6C0801000-memory.dmp

Filesize
3.3MB

Download
memory/3460-112-0x00007FF605AF0000-0x00007FF605E41000-memory.dmp

Filesize
3.3MB

Download
memory/3460-235-0x00007FF605AF0000-0x00007FF605E41000-memory.dmp

Filesize
3.3MB

Download
memory/3596-46-0x00007FF62B520000-0x00007FF62B871000-memory.dmp

Filesize
3.3MB

Download
memory/3596-133-0x00007FF62B520000-0x00007FF62B871000-memory.dmp

Filesize
3.3MB

Download
memory/3596-226-0x00007FF62B520000-0x00007FF62B871000-memory.dmp

Filesize
3.3MB

Download
memory/3732-239-0x00007FF7CF0B0000-0x00007FF7CF401000-memory.dmp

Filesize
3.3MB

Download
memory/3732-117-0x00007FF7CF0B0000-0x00007FF7CF401000-memory.dmp

Filesize
3.3MB

Download
memory/3852-110-0x00007FF694680000-0x00007FF6949D1000-memory.dmp

Filesize
3.3MB

Download
memory/3852-237-0x00007FF694680000-0x00007FF6949D1000-memory.dmp

Filesize
3.3MB

Download
memory/3936-109-0x00007FF75C820000-0x00007FF75CB71000-memory.dmp

Filesize
3.3MB

Download
memory/3936-230-0x00007FF75C820000-0x00007FF75CB71000-memory.dmp

Filesize
3.3MB

Download
memory/4580-250-0x00007FF631450000-0x00007FF6317A1000-memory.dmp

Filesize
3.3MB

Download
memory/4580-118-0x00007FF631450000-0x00007FF6317A1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-222-0x00007FF759A30000-0x00007FF759D81000-memory.dmp

Filesize
3.3MB

Download
memory/4624-20-0x00007FF759A30000-0x00007FF759D81000-memory.dmp

Filesize
3.3MB

Download
memory/4624-131-0x00007FF759A30000-0x00007FF759D81000-memory.dmp

Filesize
3.3MB

Download
memory/4756-146-0x00007FF702590000-0x00007FF7028E1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-115-0x00007FF702590000-0x00007FF7028E1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-260-0x00007FF702590000-0x00007FF7028E1000-memory.dmp

Filesize
3.3MB

Download
memory/5000-243-0x00007FF7EBBA0000-0x00007FF7EBEF1000-memory.dmp

Filesize
3.3MB

Download
memory/5000-99-0x00007FF7EBBA0000-0x00007FF7EBEF1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-244-0x00007FF7CF230000-0x00007FF7CF581000-memory.dmp

Filesize
3.3MB

Download
memory/5032-59-0x00007FF7CF230000-0x00007FF7CF581000-memory.dmp

Filesize
3.3MB

Download
memory/5032-137-0x00007FF7CF230000-0x00007FF7CF581000-memory.dmp

Filesize
3.3MB

Download
memory/5036-1-0x00000173E0F40000-0x00000173E0F50000-memory.dmp

Filesize
64KB

Download
memory/5036-128-0x00007FF6A0330000-0x00007FF6A0681000-memory.dmp

Filesize
3.3MB

Download
memory/5036-0-0x00007FF6A0330000-0x00007FF6A0681000-memory.dmp

Filesize
3.3MB

Download
memory/5036-151-0x00007FF6A0330000-0x00007FF6A0681000-memory.dmp

Filesize
3.3MB

Download
memory/5036-150-0x00007FF6A0330000-0x00007FF6A0681000-memory.dmp

Filesize
3.3MB

Download