cobaltstrike | 1dafcc91527945aa63cd052121647c72d4df58b385b3f1c3c61e3371b14ee056

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3bd4e4db4b3098ac84cf26be2b08f364
SHA1

39516342e782ccdc1801f808ad67c16d1bd25f5a
SHA256

1dafcc91527945aa63cd052121647c72d4df58b385b3f1c3c61e3371b14ee056
SHA512

cd7461010533bbde30ab5d182a492dcde8dce3d907ff33c8205f5f8afbf75ae65ce2b6dcfe654931b9a0eb1646f5044fb812d8e5b1adbb717f2412a1db7e009b
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lY:RWWBibf56utgpPFotBER/mQ32lUE

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0007000000023431-7.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022998-5.dat	cobalt_reflective_dll
behavioral2/files/0x00090000000233ea-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023438-71.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-78.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-84.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-89.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-122.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-120.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002342b-96.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-127.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2912-118-0x00007FF7BA350000-0x00007FF7BA6A1000-memory.dmp	xmrig
behavioral2/memory/2456-117-0x00007FF6E94E0000-0x00007FF6E9831000-memory.dmp	xmrig
behavioral2/memory/3280-116-0x00007FF7D58F0000-0x00007FF7D5C41000-memory.dmp	xmrig
behavioral2/memory/2396-107-0x00007FF7FCDA0000-0x00007FF7FD0F1000-memory.dmp	xmrig
behavioral2/memory/2748-92-0x00007FF784A80000-0x00007FF784DD1000-memory.dmp	xmrig
behavioral2/memory/2832-81-0x00007FF657E80000-0x00007FF6581D1000-memory.dmp	xmrig
behavioral2/memory/1196-80-0x00007FF629130000-0x00007FF629481000-memory.dmp	xmrig
behavioral2/memory/3840-36-0x00007FF633C90000-0x00007FF633FE1000-memory.dmp	xmrig
behavioral2/memory/1196-128-0x00007FF629130000-0x00007FF629481000-memory.dmp	xmrig
behavioral2/memory/5080-129-0x00007FF7C9C00000-0x00007FF7C9F51000-memory.dmp	xmrig
behavioral2/memory/3736-137-0x00007FF6A2D80000-0x00007FF6A30D1000-memory.dmp	xmrig
behavioral2/memory/3232-140-0x00007FF76EED0000-0x00007FF76F221000-memory.dmp	xmrig
behavioral2/memory/1756-146-0x00007FF613A80000-0x00007FF613DD1000-memory.dmp	xmrig
behavioral2/memory/4948-144-0x00007FF7DABC0000-0x00007FF7DAF11000-memory.dmp	xmrig
behavioral2/memory/4936-141-0x00007FF609030000-0x00007FF609381000-memory.dmp	xmrig
behavioral2/memory/4900-139-0x00007FF642A00000-0x00007FF642D51000-memory.dmp	xmrig
behavioral2/memory/2940-147-0x00007FF79DA30000-0x00007FF79DD81000-memory.dmp	xmrig
behavioral2/memory/2340-145-0x00007FF65FBB0000-0x00007FF65FF01000-memory.dmp	xmrig
behavioral2/memory/5056-152-0x00007FF66E5C0000-0x00007FF66E911000-memory.dmp	xmrig
behavioral2/memory/2732-153-0x00007FF64BA30000-0x00007FF64BD81000-memory.dmp	xmrig
behavioral2/memory/3784-151-0x00007FF67E720000-0x00007FF67EA71000-memory.dmp	xmrig
behavioral2/memory/1672-150-0x00007FF6A5B10000-0x00007FF6A5E61000-memory.dmp	xmrig
behavioral2/memory/1196-154-0x00007FF629130000-0x00007FF629481000-memory.dmp	xmrig
behavioral2/memory/2336-159-0x00007FF727680000-0x00007FF7279D1000-memory.dmp	xmrig
behavioral2/memory/3280-208-0x00007FF7D58F0000-0x00007FF7D5C41000-memory.dmp	xmrig
behavioral2/memory/2832-210-0x00007FF657E80000-0x00007FF6581D1000-memory.dmp	xmrig
behavioral2/memory/5080-226-0x00007FF7C9C00000-0x00007FF7C9F51000-memory.dmp	xmrig
behavioral2/memory/2940-229-0x00007FF79DA30000-0x00007FF79DD81000-memory.dmp	xmrig
behavioral2/memory/3840-230-0x00007FF633C90000-0x00007FF633FE1000-memory.dmp	xmrig
behavioral2/memory/4900-232-0x00007FF642A00000-0x00007FF642D51000-memory.dmp	xmrig
behavioral2/memory/3736-234-0x00007FF6A2D80000-0x00007FF6A30D1000-memory.dmp	xmrig
behavioral2/memory/3232-236-0x00007FF76EED0000-0x00007FF76F221000-memory.dmp	xmrig
behavioral2/memory/2748-243-0x00007FF784A80000-0x00007FF784DD1000-memory.dmp	xmrig
behavioral2/memory/4936-248-0x00007FF609030000-0x00007FF609381000-memory.dmp	xmrig
behavioral2/memory/2396-246-0x00007FF7FCDA0000-0x00007FF7FD0F1000-memory.dmp	xmrig
behavioral2/memory/2340-241-0x00007FF65FBB0000-0x00007FF65FF01000-memory.dmp	xmrig
behavioral2/memory/1756-245-0x00007FF613A80000-0x00007FF613DD1000-memory.dmp	xmrig
behavioral2/memory/4948-239-0x00007FF7DABC0000-0x00007FF7DAF11000-memory.dmp	xmrig
behavioral2/memory/5056-257-0x00007FF66E5C0000-0x00007FF66E911000-memory.dmp	xmrig
behavioral2/memory/1672-260-0x00007FF6A5B10000-0x00007FF6A5E61000-memory.dmp	xmrig
behavioral2/memory/3784-259-0x00007FF67E720000-0x00007FF67EA71000-memory.dmp	xmrig
behavioral2/memory/2732-255-0x00007FF64BA30000-0x00007FF64BD81000-memory.dmp	xmrig
behavioral2/memory/2456-253-0x00007FF6E94E0000-0x00007FF6E9831000-memory.dmp	xmrig
behavioral2/memory/2912-251-0x00007FF7BA350000-0x00007FF7BA6A1000-memory.dmp	xmrig
behavioral2/memory/2336-264-0x00007FF727680000-0x00007FF7279D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2832	BlQIkSf.exe
3280	fQfpzrP.exe
5080	IoLDaIS.exe
2940	sHOcAsQ.exe
3736	umixTme.exe
3840	dZqKqAq.exe
4900	HJFjygu.exe
3232	SPEPZxZ.exe
4936	oWHSUKU.exe
2748	uFUILTA.exe
4948	lrqyksM.exe
2396	cYjijQv.exe
2340	ylAORIU.exe
1756	ryiHCOh.exe
2456	njrFQyG.exe
2912	BRDOEMX.exe
1672	aJGblhm.exe
3784	ubGNdyb.exe
5056	fuvPiAN.exe
2732	nzNHeyk.exe
2336	EfjqMgh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1196-0-0x00007FF629130000-0x00007FF629481000-memory.dmp	upx
behavioral2/files/0x0007000000023431-7.dat	upx
behavioral2/files/0x0006000000022998-5.dat	upx
behavioral2/files/0x00090000000233ea-9.dat	upx
behavioral2/memory/2832-10-0x00007FF657E80000-0x00007FF6581D1000-memory.dmp	upx
behavioral2/memory/3280-18-0x00007FF7D58F0000-0x00007FF7D5C41000-memory.dmp	upx
behavioral2/memory/2940-26-0x00007FF79DA30000-0x00007FF79DD81000-memory.dmp	upx
behavioral2/files/0x0007000000023434-32.dat	upx
behavioral2/memory/3736-33-0x00007FF6A2D80000-0x00007FF6A30D1000-memory.dmp	upx
behavioral2/files/0x0007000000023435-42.dat	upx
behavioral2/files/0x0007000000023436-56.dat	upx
behavioral2/files/0x0007000000023438-71.dat	upx
behavioral2/files/0x000700000002343a-78.dat	upx
behavioral2/files/0x000700000002343c-84.dat	upx
behavioral2/files/0x000700000002343d-89.dat	upx
behavioral2/files/0x000700000002343e-98.dat	upx
behavioral2/memory/1672-112-0x00007FF6A5B10000-0x00007FF6A5E61000-memory.dmp	upx
behavioral2/memory/2732-115-0x00007FF64BA30000-0x00007FF64BD81000-memory.dmp	upx
behavioral2/memory/2912-118-0x00007FF7BA350000-0x00007FF7BA6A1000-memory.dmp	upx
behavioral2/memory/2456-117-0x00007FF6E94E0000-0x00007FF6E9831000-memory.dmp	upx
behavioral2/files/0x0007000000023441-124.dat	upx
behavioral2/files/0x0007000000023440-122.dat	upx
behavioral2/files/0x000700000002343f-120.dat	upx
behavioral2/memory/3280-116-0x00007FF7D58F0000-0x00007FF7D5C41000-memory.dmp	upx
behavioral2/memory/5056-114-0x00007FF66E5C0000-0x00007FF66E911000-memory.dmp	upx
behavioral2/memory/3784-113-0x00007FF67E720000-0x00007FF67EA71000-memory.dmp	upx
behavioral2/memory/2396-107-0x00007FF7FCDA0000-0x00007FF7FD0F1000-memory.dmp	upx
behavioral2/files/0x000900000002342b-96.dat	upx
behavioral2/memory/2748-92-0x00007FF784A80000-0x00007FF784DD1000-memory.dmp	upx
behavioral2/files/0x000700000002343b-83.dat	upx
behavioral2/memory/2832-81-0x00007FF657E80000-0x00007FF6581D1000-memory.dmp	upx
behavioral2/memory/1196-80-0x00007FF629130000-0x00007FF629481000-memory.dmp	upx
behavioral2/files/0x0007000000023439-76.dat	upx
behavioral2/memory/1756-75-0x00007FF613A80000-0x00007FF613DD1000-memory.dmp	upx
behavioral2/memory/2340-74-0x00007FF65FBB0000-0x00007FF65FF01000-memory.dmp	upx
behavioral2/memory/4948-68-0x00007FF7DABC0000-0x00007FF7DAF11000-memory.dmp	upx
behavioral2/memory/4936-66-0x00007FF609030000-0x00007FF609381000-memory.dmp	upx
behavioral2/files/0x0007000000023437-64.dat	upx
behavioral2/memory/3232-50-0x00007FF76EED0000-0x00007FF76F221000-memory.dmp	upx
behavioral2/files/0x0007000000023433-41.dat	upx
behavioral2/memory/4900-40-0x00007FF642A00000-0x00007FF642D51000-memory.dmp	upx
behavioral2/memory/3840-36-0x00007FF633C90000-0x00007FF633FE1000-memory.dmp	upx
behavioral2/files/0x0007000000023432-27.dat	upx
behavioral2/memory/5080-19-0x00007FF7C9C00000-0x00007FF7C9F51000-memory.dmp	upx
behavioral2/files/0x0007000000023442-127.dat	upx
behavioral2/memory/1196-128-0x00007FF629130000-0x00007FF629481000-memory.dmp	upx
behavioral2/memory/2336-130-0x00007FF727680000-0x00007FF7279D1000-memory.dmp	upx
behavioral2/memory/5080-129-0x00007FF7C9C00000-0x00007FF7C9F51000-memory.dmp	upx
behavioral2/memory/3736-137-0x00007FF6A2D80000-0x00007FF6A30D1000-memory.dmp	upx
behavioral2/memory/3232-140-0x00007FF76EED0000-0x00007FF76F221000-memory.dmp	upx
behavioral2/memory/1756-146-0x00007FF613A80000-0x00007FF613DD1000-memory.dmp	upx
behavioral2/memory/4948-144-0x00007FF7DABC0000-0x00007FF7DAF11000-memory.dmp	upx
behavioral2/memory/4936-141-0x00007FF609030000-0x00007FF609381000-memory.dmp	upx
behavioral2/memory/4900-139-0x00007FF642A00000-0x00007FF642D51000-memory.dmp	upx
behavioral2/memory/2940-147-0x00007FF79DA30000-0x00007FF79DD81000-memory.dmp	upx
behavioral2/memory/2340-145-0x00007FF65FBB0000-0x00007FF65FF01000-memory.dmp	upx
behavioral2/memory/5056-152-0x00007FF66E5C0000-0x00007FF66E911000-memory.dmp	upx
behavioral2/memory/2732-153-0x00007FF64BA30000-0x00007FF64BD81000-memory.dmp	upx
behavioral2/memory/3784-151-0x00007FF67E720000-0x00007FF67EA71000-memory.dmp	upx
behavioral2/memory/1672-150-0x00007FF6A5B10000-0x00007FF6A5E61000-memory.dmp	upx
behavioral2/memory/1196-154-0x00007FF629130000-0x00007FF629481000-memory.dmp	upx
behavioral2/memory/2336-159-0x00007FF727680000-0x00007FF7279D1000-memory.dmp	upx
behavioral2/memory/3280-208-0x00007FF7D58F0000-0x00007FF7D5C41000-memory.dmp	upx
behavioral2/memory/2832-210-0x00007FF657E80000-0x00007FF6581D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\SPEPZxZ.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BlQIkSf.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sHOcAsQ.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dZqKqAq.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oWHSUKU.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ylAORIU.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ryiHCOh.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\umixTme.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lrqyksM.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\njrFQyG.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BRDOEMX.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aJGblhm.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fuvPiAN.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nzNHeyk.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fQfpzrP.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IoLDaIS.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HJFjygu.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uFUILTA.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cYjijQv.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ubGNdyb.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EfjqMgh.exe	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2832	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1196 wrote to memory of 2832	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1196 wrote to memory of 3280	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1196 wrote to memory of 3280	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1196 wrote to memory of 5080	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1196 wrote to memory of 5080	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1196 wrote to memory of 2940	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1196 wrote to memory of 2940	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1196 wrote to memory of 3736	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1196 wrote to memory of 3736	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1196 wrote to memory of 3840	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1196 wrote to memory of 3840	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1196 wrote to memory of 4900	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1196 wrote to memory of 4900	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1196 wrote to memory of 3232	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1196 wrote to memory of 3232	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1196 wrote to memory of 4936	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1196 wrote to memory of 4936	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1196 wrote to memory of 2748	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1196 wrote to memory of 2748	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1196 wrote to memory of 2396	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1196 wrote to memory of 2396	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1196 wrote to memory of 4948	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1196 wrote to memory of 4948	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1196 wrote to memory of 2340	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1196 wrote to memory of 2340	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1196 wrote to memory of 1756	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1196 wrote to memory of 1756	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1196 wrote to memory of 2456	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1196 wrote to memory of 2456	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1196 wrote to memory of 2912	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1196 wrote to memory of 2912	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1196 wrote to memory of 1672	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1196 wrote to memory of 1672	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1196 wrote to memory of 3784	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1196 wrote to memory of 3784	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1196 wrote to memory of 5056	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1196 wrote to memory of 5056	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1196 wrote to memory of 2732	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1196 wrote to memory of 2732	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1196 wrote to memory of 2336	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1196 wrote to memory of 2336	1196	2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_3bd4e4db4b3098ac84cf26be2b08f364_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\System\BlQIkSf.exe
  C:\Windows\System\BlQIkSf.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\fQfpzrP.exe
  C:\Windows\System\fQfpzrP.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System\IoLDaIS.exe
  C:\Windows\System\IoLDaIS.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\sHOcAsQ.exe
  C:\Windows\System\sHOcAsQ.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\umixTme.exe
  C:\Windows\System\umixTme.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System\dZqKqAq.exe
  C:\Windows\System\dZqKqAq.exe
  2⤵
  - Executes dropped EXE
  PID:3840
- C:\Windows\System\HJFjygu.exe
  C:\Windows\System\HJFjygu.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\SPEPZxZ.exe
  C:\Windows\System\SPEPZxZ.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\oWHSUKU.exe
  C:\Windows\System\oWHSUKU.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\uFUILTA.exe
  C:\Windows\System\uFUILTA.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\cYjijQv.exe
  C:\Windows\System\cYjijQv.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\lrqyksM.exe
  C:\Windows\System\lrqyksM.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\ylAORIU.exe
  C:\Windows\System\ylAORIU.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\ryiHCOh.exe
  C:\Windows\System\ryiHCOh.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System\njrFQyG.exe
  C:\Windows\System\njrFQyG.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\BRDOEMX.exe
  C:\Windows\System\BRDOEMX.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\aJGblhm.exe
  C:\Windows\System\aJGblhm.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\ubGNdyb.exe
  C:\Windows\System\ubGNdyb.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\fuvPiAN.exe
  C:\Windows\System\fuvPiAN.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\nzNHeyk.exe
  C:\Windows\System\nzNHeyk.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\EfjqMgh.exe
  C:\Windows\System\EfjqMgh.exe
  2⤵
  - Executes dropped EXE
  PID:2336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BRDOEMX.exe

Filesize
5.2MB

MD5
d777199b039f5d8311e5756b5d2587a4

SHA1
45822b3cc79a124b55116a3086a383199f218a86

SHA256
9f77ace59c99bf9187ca6cee7692e0728dc140a4b7b618d23c353582b76853ca

SHA512
e333442adfbe5fa941cc1ae03d2c8d645688542f83d685a7ff631901c7f0802714e8632c10ce4a550ae86a99b9a5b6340d3f63f27f16e3c5a92a1d0b803205ff

Download Submit
C:\Windows\System\BlQIkSf.exe

Filesize
5.2MB

MD5
ef8037b7881a3b528a83749be42b2b2e

SHA1
83d57b4f202f6d5efeb586fc014b27fe8b237e95

SHA256
8840b0f6e5cabb0fff1e64b977992229f75faac0a28b35725d16c42b5a34358f

SHA512
96085708a6d9e0239b191cdef8a25e21a3e345384366054ea489d4d6a33db29ad96161ee5de8325bf18217428fb3864a0082385a275d4d60e15cdf8dd00e5ee7

Download Submit
C:\Windows\System\EfjqMgh.exe

Filesize
5.2MB

MD5
545210aa8a5b8c15702036727cf24382

SHA1
c06163a9ed43f6034492ba287afb2ad2f61c893d

SHA256
08c254e2d88818d4cc258ba100de4b91f6e9a45c0251f1255f0da62db8fce559

SHA512
4fa81c7066bdbb0822e813313a175559cc4b2850f3cb06b80e388fe988c69cf09751995aa0e0e1894906ab79a459ddf34deaf68e9ab46944771047522f7f8017

Download Submit
C:\Windows\System\HJFjygu.exe

Filesize
5.2MB

MD5
57cbb9ce424d07c961ded477f77ffddf

SHA1
8cefe739285afe70069a7ae89038ee6074fd039d

SHA256
a22a6ba17fafda57d3a22a88e7ce025125524338925d95628667f6195278bd9a

SHA512
80527d9fc63a327e451d781c7c63a76aaf8b61fd11b597cdadd89992653de2f59b282061f0df0d9f8b03ac0f30e49e1bd63ce887ed3010e74dd35ad2a2d400da

Download Submit
C:\Windows\System\IoLDaIS.exe

Filesize
5.2MB

MD5
6fffa6912670b7df187c9a3466938323

SHA1
b461106849f45992508bc1f0b460f2ffd6db3a27

SHA256
2df11cffca502896b0f80e28a4a3d36397504c3d9942b1d3cc4e18dce16d58b6

SHA512
15de19ed9c6f106031ea11e2dfe4d31aac53760f88292015021727b63a686d593f2b7407be7bead974d0dc38804a7622ce2c60575c968ef7f20c36c5cf1f932a

Download Submit
C:\Windows\System\SPEPZxZ.exe

Filesize
5.2MB

MD5
d3dd31cbe56c3589e7894a9c44343370

SHA1
48687394d22b25cb5ecedb784e7899e6e2a02377

SHA256
e29bf97fc86aefa5b32c7aa9920ae0dfd2fbd44422f1cb5c9a6deaf4a2a7d679

SHA512
5d91489a62ab9705af712a01684be08da1673cc88f2ae8362e70334d48e799614dbcbb40548cf08888f62a6df5d35eac1670af12bd31913baaaacb03b9014536

Download Submit
C:\Windows\System\aJGblhm.exe

Filesize
5.2MB

MD5
1b9f412fdbed4e1652aa2a56d62b9d6f

SHA1
4c7ca3bf7e62ea6efb691f266a7a9982c9b43bc5

SHA256
ddb37cc06ed66910e6626d565968a4b8030835bf36f9988fff7a4c211ba3e005

SHA512
eb1464a260e3faa0b1af2d355871728b40c1e7982378a9ba65f3a7a2a5027f4a78557d3073542bccfd40fd53a084297356b6c7d785da470dff2f31072d858980

Download Submit
C:\Windows\System\cYjijQv.exe

Filesize
5.2MB

MD5
8302459e62a01cb50cd49594b3491fc3

SHA1
f0e929c508fcb439b30ab4a904457ee38fdcb6ad

SHA256
44b5a0b64cb16f68ee79661f96ec9967e1b0c3354e2fdf31a85087c0a83e79b2

SHA512
412cd24a851a16bcb2113fd08fcbe774f8f3eaaa70391e795d219ee067beb0b5c57dd07375a50f7472ee6bf535c9cb9193e53373c072295915d05b9c2f1707cc

Download Submit
C:\Windows\System\dZqKqAq.exe

Filesize
5.2MB

MD5
289f20f46bb7b4638a55c62861d5cac9

SHA1
492c4422cfc13591470f28c2af4c0b6be6583efa

SHA256
b6cd119f667fd7873855ba68a57d8199377910aa0a899f2e3bfc7c87926bce49

SHA512
a05721f1d9e41817e2ff14f0ece2e92846a7717ed621219400aa15fc2e9ae797b3aaac179f6a68398f43b22b76adcdbfc21697b47e87083088c162e68d648673

Download Submit
C:\Windows\System\fQfpzrP.exe

Filesize
5.2MB

MD5
ecc20b2c5d6412ef590f4bfda15e76c9

SHA1
73028e6db68b23379ce7355c0047d05526639a00

SHA256
5d8f96c389f06f0c8738c13cc9ff8ed7f1b75d0d1698e5dab084a7e6bb75ff7f

SHA512
5a24e94fc96a3287cf7a2f1a358112de31974d8e33d380e58d3385c3a8fac3b57e730046ed9e483165dd7b9f2ae245f761693925a9b69905ae193f1d9470b061

Download Submit
C:\Windows\System\fuvPiAN.exe

Filesize
5.2MB

MD5
e4d1db58e1e037bbff8f2b8d559cbea7

SHA1
9ad2747d531c1a45232948b35886395e2808cad0

SHA256
9bd75bbc3361446616a89a8d5c1da02f8ef0334473d2cad418de73b5c8437a53

SHA512
f21b63127de425c3932ef9ce38725f443d34f83970abcd4e7f5b5782088f7cdb12647d26a6b968eb576d8783e2d25a45ac7058af665dc1b7581e10b70944ae2d

Download Submit
C:\Windows\System\lrqyksM.exe

Filesize
5.2MB

MD5
e198a0f63dc31a70dd2a5082ea2b89d9

SHA1
0b7cb2e77c29acc0a0abbc11cbdb9968f20ca6db

SHA256
467d66e5e860fef7526597a316219e5572416fdc6a7c2438f60c1f503ffbf517

SHA512
ca8c3eaca5c4d99c175650ca325bf2d56bb5fa9ae2990bf741a33f87e5e6980eb9856757cea1e339c2ec0c03ae46b019f780c14e98b90e7f08fe5393c3c07fa2

Download Submit
C:\Windows\System\njrFQyG.exe

Filesize
5.2MB

MD5
3c589f5a19be780ae71b61bbb5bec900

SHA1
14b5d88e6b49941b90ec5ce7a8ea9a95537a1e22

SHA256
c076b0d72653e0cc0241ec603f2b403e2198a81e46e197ae89efbb44c07c625d

SHA512
832e9fc88996a3e6472ec2fd4806d108fa435f2ecd146fd10950e2e39a0ef68165b654b988aa724bf53b9575e88b277c68e6addea82a52d70beb995db11bb0ca

Download Submit
C:\Windows\System\nzNHeyk.exe

Filesize
5.2MB

MD5
db288d79eee573bc1fee81226f214f95

SHA1
a86e4f1a96c671e200b4b97a7f5da318a925bcb8

SHA256
049fea68ea14fb7c3d4f8f8b3a9cacbde81b9a42c4308783a124edf43dce041d

SHA512
0a690ca188b62e1369a64ef4d81ea3c4ebe42fdbc76b872ca0fccb19a3a1a81b1ec307d963034f7e3383e223ad85188be0a35fd42bd76de531ad1fc90d4c22fa

Download Submit
C:\Windows\System\oWHSUKU.exe

Filesize
5.2MB

MD5
bfb565016fb6498227a2ec2ece6a3ee2

SHA1
e08474735f211c128924e661d41958fb1b1e4dea

SHA256
32dc17d887956a409f0f665509b3ad8802ad1f6111d3766f22c22d920fdf5973

SHA512
86f3440f49a7e1b1e3e4d375020f35891693d8b5066e777358f850a5d85dcc5dbafc22269535821a2b21aaf95200b132ab60806a41730a932b5e79a79b720158

Download Submit
C:\Windows\System\ryiHCOh.exe

Filesize
5.2MB

MD5
69997bfbdb90c256a841be96692cb9ca

SHA1
9cbffeee0d6279724869f014195e6c20b9e4bdb4

SHA256
c0c5a5528bf229a47c912820b377506990dc50cac5309e9d87d0b44a017d2158

SHA512
254c214c6674ee6013afa59bae3e83b5b5e2da04122c1578128881aecb73badc7824bdeaa8bb18a6cc9b5446c393b00c0e3bb2235858ee10542bb70822f1fc99

Download Submit
C:\Windows\System\sHOcAsQ.exe

Filesize
5.2MB

MD5
037f9a6cf6e55193318738fd9b2f8201

SHA1
5e07d6609a75cc04e5267ba028a82ea6657dfc25

SHA256
051581f72efc9fd26f381924a3cd654b4ff720c61048488a1f7cfef647da7d25

SHA512
8f5d7fc13bdb0f3ac3f54aae9a30afe90cbf931bedfba355a568b2b3e86c39970b666aabacc74c215df24bddaafc4160a7c964febe77ee9f4071b81bff51f509

Download Submit
C:\Windows\System\uFUILTA.exe

Filesize
5.2MB

MD5
07f650ddf26cb687c0d3c53426dfc18a

SHA1
4c0c6801d114a7042188a378cc16d81cc742df62

SHA256
f30ab6351c3371b739df967b1fd22dcf728576eb34ce19eecc686ce685c33b54

SHA512
943c973600bb8cb27c3da4a801be9bc79a538c731e1690629b2acf816cf29ee87f34a71c92c56e85bc366a2be8913d50e5723c27cbd99b4e3be2317a8fdc6ad6

Download Submit
C:\Windows\System\ubGNdyb.exe

Filesize
5.2MB

MD5
cedc1d2d021132057d44cebc7bf28327

SHA1
1613c1ac2d9c9951812ab52092e1a7a85ba44fdf

SHA256
cbad6b61db4fb5e1c31b42d8a19172034b2ddea0255ff7b435bbd95929a0fb1d

SHA512
dcb9974c2e59b41180e879bc2a3cae97dca3c238ee8523ed0644083e4c82a9294861713713898c57b358c26258ab35552ea341559fe837786bbaa154863bd17c

Download Submit
C:\Windows\System\umixTme.exe

Filesize
5.2MB

MD5
199112fe63e8825456480f393097fe3b

SHA1
07efd865b0ff268aa308164b6dc5e3bd476e7299

SHA256
43f6122814bb65609c4e77eca4722292339f70b6f611492d8200a3481609490e

SHA512
a53b2b4f3176e81127a0a043c27126f2e4c4c1e0477cc4590cb339c9e8031366e8f29951b42d8ac12d468bb801544cf54e0b9aadf829ed56ced0fad10f147fc0

Download Submit
C:\Windows\System\ylAORIU.exe

Filesize
5.2MB

MD5
89a8428383b707e2a9671e4384afbb0b

SHA1
ddf1582b2a4ddf9b1e20cf5cfcaebcb9b8b9f1b9

SHA256
34fc63ce8ba08ee1b040fa0ca6ef0f29d9dd1c2e8d127e571948d6e17563250c

SHA512
0fd9195ae5ea643bfef47b6f4cfbb9ab81738c413d0a5ff89b6b38d57587eb28bf10ba7304e10e04a77a03f0ac34f02272456c4043f1cd4ded5e3d66cbab4754

Download Submit
memory/1196-128-0x00007FF629130000-0x00007FF629481000-memory.dmp

Filesize
3.3MB

Download
memory/1196-80-0x00007FF629130000-0x00007FF629481000-memory.dmp

Filesize
3.3MB

Download
memory/1196-1-0x0000023A6AE50000-0x0000023A6AE60000-memory.dmp

Filesize
64KB

Download
memory/1196-0-0x00007FF629130000-0x00007FF629481000-memory.dmp

Filesize
3.3MB

Download
memory/1196-154-0x00007FF629130000-0x00007FF629481000-memory.dmp

Filesize
3.3MB

Download
memory/1672-112-0x00007FF6A5B10000-0x00007FF6A5E61000-memory.dmp

Filesize
3.3MB

Download
memory/1672-150-0x00007FF6A5B10000-0x00007FF6A5E61000-memory.dmp

Filesize
3.3MB

Download
memory/1672-260-0x00007FF6A5B10000-0x00007FF6A5E61000-memory.dmp

Filesize
3.3MB

Download
memory/1756-245-0x00007FF613A80000-0x00007FF613DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1756-146-0x00007FF613A80000-0x00007FF613DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1756-75-0x00007FF613A80000-0x00007FF613DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-159-0x00007FF727680000-0x00007FF7279D1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-264-0x00007FF727680000-0x00007FF7279D1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-130-0x00007FF727680000-0x00007FF7279D1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-74-0x00007FF65FBB0000-0x00007FF65FF01000-memory.dmp

Filesize
3.3MB

Download
memory/2340-241-0x00007FF65FBB0000-0x00007FF65FF01000-memory.dmp

Filesize
3.3MB

Download
memory/2340-145-0x00007FF65FBB0000-0x00007FF65FF01000-memory.dmp

Filesize
3.3MB

Download
memory/2396-107-0x00007FF7FCDA0000-0x00007FF7FD0F1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-246-0x00007FF7FCDA0000-0x00007FF7FD0F1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-117-0x00007FF6E94E0000-0x00007FF6E9831000-memory.dmp

Filesize
3.3MB

Download
memory/2456-253-0x00007FF6E94E0000-0x00007FF6E9831000-memory.dmp

Filesize
3.3MB

Download
memory/2732-153-0x00007FF64BA30000-0x00007FF64BD81000-memory.dmp

Filesize
3.3MB

Download
memory/2732-115-0x00007FF64BA30000-0x00007FF64BD81000-memory.dmp

Filesize
3.3MB

Download
memory/2732-255-0x00007FF64BA30000-0x00007FF64BD81000-memory.dmp

Filesize
3.3MB

Download
memory/2748-92-0x00007FF784A80000-0x00007FF784DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-243-0x00007FF784A80000-0x00007FF784DD1000-memory.dmp

Filesize
3.3MB

Download
memory/2832-210-0x00007FF657E80000-0x00007FF6581D1000-memory.dmp

Filesize
3.3MB

Download
memory/2832-81-0x00007FF657E80000-0x00007FF6581D1000-memory.dmp

Filesize
3.3MB

Download
memory/2832-10-0x00007FF657E80000-0x00007FF6581D1000-memory.dmp

Filesize
3.3MB

Download
memory/2912-251-0x00007FF7BA350000-0x00007FF7BA6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2912-118-0x00007FF7BA350000-0x00007FF7BA6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-229-0x00007FF79DA30000-0x00007FF79DD81000-memory.dmp

Filesize
3.3MB

Download
memory/2940-147-0x00007FF79DA30000-0x00007FF79DD81000-memory.dmp

Filesize
3.3MB

Download
memory/2940-26-0x00007FF79DA30000-0x00007FF79DD81000-memory.dmp

Filesize
3.3MB

Download
memory/3232-50-0x00007FF76EED0000-0x00007FF76F221000-memory.dmp

Filesize
3.3MB

Download
memory/3232-140-0x00007FF76EED0000-0x00007FF76F221000-memory.dmp

Filesize
3.3MB

Download
memory/3232-236-0x00007FF76EED0000-0x00007FF76F221000-memory.dmp

Filesize
3.3MB

Download
memory/3280-116-0x00007FF7D58F0000-0x00007FF7D5C41000-memory.dmp

Filesize
3.3MB

Download
memory/3280-18-0x00007FF7D58F0000-0x00007FF7D5C41000-memory.dmp

Filesize
3.3MB

Download
memory/3280-208-0x00007FF7D58F0000-0x00007FF7D5C41000-memory.dmp

Filesize
3.3MB

Download
memory/3736-137-0x00007FF6A2D80000-0x00007FF6A30D1000-memory.dmp

Filesize
3.3MB

Download
memory/3736-33-0x00007FF6A2D80000-0x00007FF6A30D1000-memory.dmp

Filesize
3.3MB

Download
memory/3736-234-0x00007FF6A2D80000-0x00007FF6A30D1000-memory.dmp

Filesize
3.3MB

Download
memory/3784-113-0x00007FF67E720000-0x00007FF67EA71000-memory.dmp

Filesize
3.3MB

Download
memory/3784-151-0x00007FF67E720000-0x00007FF67EA71000-memory.dmp

Filesize
3.3MB

Download
memory/3784-259-0x00007FF67E720000-0x00007FF67EA71000-memory.dmp

Filesize
3.3MB

Download
memory/3840-36-0x00007FF633C90000-0x00007FF633FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3840-230-0x00007FF633C90000-0x00007FF633FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4900-40-0x00007FF642A00000-0x00007FF642D51000-memory.dmp

Filesize
3.3MB

Download
memory/4900-232-0x00007FF642A00000-0x00007FF642D51000-memory.dmp

Filesize
3.3MB

Download
memory/4900-139-0x00007FF642A00000-0x00007FF642D51000-memory.dmp

Filesize
3.3MB

Download
memory/4936-66-0x00007FF609030000-0x00007FF609381000-memory.dmp

Filesize
3.3MB

Download
memory/4936-248-0x00007FF609030000-0x00007FF609381000-memory.dmp

Filesize
3.3MB

Download
memory/4936-141-0x00007FF609030000-0x00007FF609381000-memory.dmp

Filesize
3.3MB

Download
memory/4948-144-0x00007FF7DABC0000-0x00007FF7DAF11000-memory.dmp

Filesize
3.3MB

Download
memory/4948-68-0x00007FF7DABC0000-0x00007FF7DAF11000-memory.dmp

Filesize
3.3MB

Download
memory/4948-239-0x00007FF7DABC0000-0x00007FF7DAF11000-memory.dmp

Filesize
3.3MB

Download
memory/5056-257-0x00007FF66E5C0000-0x00007FF66E911000-memory.dmp

Filesize
3.3MB

Download
memory/5056-114-0x00007FF66E5C0000-0x00007FF66E911000-memory.dmp

Filesize
3.3MB

Download
memory/5056-152-0x00007FF66E5C0000-0x00007FF66E911000-memory.dmp

Filesize
3.3MB

Download
memory/5080-19-0x00007FF7C9C00000-0x00007FF7C9F51000-memory.dmp

Filesize
3.3MB

Download
memory/5080-129-0x00007FF7C9C00000-0x00007FF7C9F51000-memory.dmp

Filesize
3.3MB

Download
memory/5080-226-0x00007FF7C9C00000-0x00007FF7C9F51000-memory.dmp

Filesize
3.3MB

Download