cobaltstrike | 7dfdfc9d3334e3a08b01f24053fb6b5efd0ebfd6439b74b38f02b034ee269cb1

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

87d04c486746cfc7a4ef461da0f2afff
SHA1

28e541c2bb0f29f0e7db9446792c094e14488711
SHA256

7dfdfc9d3334e3a08b01f24053fb6b5efd0ebfd6439b74b38f02b034ee269cb1
SHA512

fd4134219b65f125bc7144b802f79408cbef611170d4cf15fb6e8b560badfcc0111ef3752497978fe103aa31713f39a4363f6c26608845a5673043041ccd8cdd
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lk:RWWBibf56utgpPFotBER/mQ32lUw

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023b72-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-22.dat	cobalt_reflective_dll
behavioral2/files/0x0032000000023b78-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-40.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-65.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-67.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-73.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-56.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-38.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-91.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-112.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-130.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-133.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-111.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-107.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-147.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4836-42-0x00007FF7C8DD0000-0x00007FF7C9121000-memory.dmp	xmrig
behavioral2/memory/4248-46-0x00007FF663420000-0x00007FF663771000-memory.dmp	xmrig
behavioral2/memory/2220-80-0x00007FF6B02D0000-0x00007FF6B0621000-memory.dmp	xmrig
behavioral2/memory/8-79-0x00007FF64DF80000-0x00007FF64E2D1000-memory.dmp	xmrig
behavioral2/memory/2296-76-0x00007FF6D5500000-0x00007FF6D5851000-memory.dmp	xmrig
behavioral2/memory/4608-71-0x00007FF730790000-0x00007FF730AE1000-memory.dmp	xmrig
behavioral2/memory/3952-62-0x00007FF790520000-0x00007FF790871000-memory.dmp	xmrig
behavioral2/memory/4216-89-0x00007FF693240000-0x00007FF693591000-memory.dmp	xmrig
behavioral2/memory/2200-97-0x00007FF64B3E0000-0x00007FF64B731000-memory.dmp	xmrig
behavioral2/memory/4248-96-0x00007FF663420000-0x00007FF663771000-memory.dmp	xmrig
behavioral2/memory/1220-99-0x00007FF6696B0000-0x00007FF669A01000-memory.dmp	xmrig
behavioral2/memory/1780-109-0x00007FF7959D0000-0x00007FF795D21000-memory.dmp	xmrig
behavioral2/memory/1244-125-0x00007FF7BC1A0000-0x00007FF7BC4F1000-memory.dmp	xmrig
behavioral2/memory/1908-138-0x00007FF770D90000-0x00007FF7710E1000-memory.dmp	xmrig
behavioral2/memory/1600-139-0x00007FF694020000-0x00007FF694371000-memory.dmp	xmrig
behavioral2/memory/4996-135-0x00007FF7D75D0000-0x00007FF7D7921000-memory.dmp	xmrig
behavioral2/memory/2380-132-0x00007FF73C360000-0x00007FF73C6B1000-memory.dmp	xmrig
behavioral2/memory/1060-122-0x00007FF74EDD0000-0x00007FF74F121000-memory.dmp	xmrig
behavioral2/memory/1480-101-0x00007FF795CA0000-0x00007FF795FF1000-memory.dmp	xmrig
behavioral2/memory/2252-90-0x00007FF7D3360000-0x00007FF7D36B1000-memory.dmp	xmrig
behavioral2/memory/4260-94-0x00007FF7DA060000-0x00007FF7DA3B1000-memory.dmp	xmrig
behavioral2/memory/4676-151-0x00007FF66E150000-0x00007FF66E4A1000-memory.dmp	xmrig
behavioral2/memory/1216-159-0x00007FF738F60000-0x00007FF7392B1000-memory.dmp	xmrig
behavioral2/memory/3952-167-0x00007FF790520000-0x00007FF790871000-memory.dmp	xmrig
behavioral2/memory/2296-199-0x00007FF6D5500000-0x00007FF6D5851000-memory.dmp	xmrig
behavioral2/memory/8-201-0x00007FF64DF80000-0x00007FF64E2D1000-memory.dmp	xmrig
behavioral2/memory/4216-204-0x00007FF693240000-0x00007FF693591000-memory.dmp	xmrig
behavioral2/memory/2252-205-0x00007FF7D3360000-0x00007FF7D36B1000-memory.dmp	xmrig
behavioral2/memory/4836-210-0x00007FF7C8DD0000-0x00007FF7C9121000-memory.dmp	xmrig
behavioral2/memory/4260-208-0x00007FF7DA060000-0x00007FF7DA3B1000-memory.dmp	xmrig
behavioral2/memory/4248-216-0x00007FF663420000-0x00007FF663771000-memory.dmp	xmrig
behavioral2/memory/1220-218-0x00007FF6696B0000-0x00007FF669A01000-memory.dmp	xmrig
behavioral2/memory/4608-227-0x00007FF730790000-0x00007FF730AE1000-memory.dmp	xmrig
behavioral2/memory/2200-229-0x00007FF64B3E0000-0x00007FF64B731000-memory.dmp	xmrig
behavioral2/memory/2220-233-0x00007FF6B02D0000-0x00007FF6B0621000-memory.dmp	xmrig
behavioral2/memory/1480-232-0x00007FF795CA0000-0x00007FF795FF1000-memory.dmp	xmrig
behavioral2/memory/1780-235-0x00007FF7959D0000-0x00007FF795D21000-memory.dmp	xmrig
behavioral2/memory/2380-248-0x00007FF73C360000-0x00007FF73C6B1000-memory.dmp	xmrig
behavioral2/memory/1060-249-0x00007FF74EDD0000-0x00007FF74F121000-memory.dmp	xmrig
behavioral2/memory/1244-251-0x00007FF7BC1A0000-0x00007FF7BC4F1000-memory.dmp	xmrig
behavioral2/memory/4996-254-0x00007FF7D75D0000-0x00007FF7D7921000-memory.dmp	xmrig
behavioral2/memory/1216-255-0x00007FF738F60000-0x00007FF7392B1000-memory.dmp	xmrig
behavioral2/memory/1600-259-0x00007FF694020000-0x00007FF694371000-memory.dmp	xmrig
behavioral2/memory/1908-258-0x00007FF770D90000-0x00007FF7710E1000-memory.dmp	xmrig
behavioral2/memory/4676-262-0x00007FF66E150000-0x00007FF66E4A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2296	kqyoEno.exe
8	gowpJCZ.exe
4216	oTCfnie.exe
2252	bxBRiBp.exe
4260	ZWuEuES.exe
4836	AoxvNvG.exe
4248	BXVOvDU.exe
2200	bsdkPfg.exe
1220	TZtMemk.exe
4608	VvGargl.exe
1480	KHgTOzU.exe
2220	DrSUHyx.exe
1780	FsRcBYN.exe
1216	JaKbdKE.exe
1060	utKUVoW.exe
1244	feNlHmR.exe
2380	GnGaiDl.exe
4996	MAdGAfU.exe
1908	aQXJaqt.exe
1600	dULlXDR.exe
4676	JYJbckn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3952-0-0x00007FF790520000-0x00007FF790871000-memory.dmp	upx
behavioral2/files/0x000d000000023b72-5.dat	upx
behavioral2/memory/2296-6-0x00007FF6D5500000-0x00007FF6D5851000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-10.dat	upx
behavioral2/files/0x000a000000023b7c-11.dat	upx
behavioral2/memory/8-15-0x00007FF64DF80000-0x00007FF64E2D1000-memory.dmp	upx
behavioral2/memory/4216-17-0x00007FF693240000-0x00007FF693591000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-22.dat	upx
behavioral2/memory/2252-27-0x00007FF7D3360000-0x00007FF7D36B1000-memory.dmp	upx
behavioral2/files/0x0032000000023b78-33.dat	upx
behavioral2/files/0x000a000000023b7f-40.dat	upx
behavioral2/memory/4836-42-0x00007FF7C8DD0000-0x00007FF7C9121000-memory.dmp	upx
behavioral2/memory/4248-46-0x00007FF663420000-0x00007FF663771000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-50.dat	upx
behavioral2/memory/1220-55-0x00007FF6696B0000-0x00007FF669A01000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-65.dat	upx
behavioral2/files/0x000a000000023b84-67.dat	upx
behavioral2/files/0x000a000000023b85-73.dat	upx
behavioral2/memory/1480-75-0x00007FF795CA0000-0x00007FF795FF1000-memory.dmp	upx
behavioral2/memory/1780-81-0x00007FF7959D0000-0x00007FF795D21000-memory.dmp	upx
behavioral2/memory/2220-80-0x00007FF6B02D0000-0x00007FF6B0621000-memory.dmp	upx
behavioral2/memory/8-79-0x00007FF64DF80000-0x00007FF64E2D1000-memory.dmp	upx
behavioral2/memory/2296-76-0x00007FF6D5500000-0x00007FF6D5851000-memory.dmp	upx
behavioral2/memory/4608-71-0x00007FF730790000-0x00007FF730AE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-70.dat	upx
behavioral2/memory/3952-62-0x00007FF790520000-0x00007FF790871000-memory.dmp	upx
behavioral2/files/0x000a000000023b81-56.dat	upx
behavioral2/memory/2200-49-0x00007FF64B3E0000-0x00007FF64B731000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-38.dat	upx
behavioral2/memory/4260-37-0x00007FF7DA060000-0x00007FF7DA3B1000-memory.dmp	upx
behavioral2/memory/4216-89-0x00007FF693240000-0x00007FF693591000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-91.dat	upx
behavioral2/memory/2200-97-0x00007FF64B3E0000-0x00007FF64B731000-memory.dmp	upx
behavioral2/memory/4248-96-0x00007FF663420000-0x00007FF663771000-memory.dmp	upx
behavioral2/memory/1220-99-0x00007FF6696B0000-0x00007FF669A01000-memory.dmp	upx
behavioral2/memory/1780-109-0x00007FF7959D0000-0x00007FF795D21000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-112.dat	upx
behavioral2/files/0x000a000000023b8a-119.dat	upx
behavioral2/memory/1244-125-0x00007FF7BC1A0000-0x00007FF7BC4F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8c-130.dat	upx
behavioral2/memory/1908-138-0x00007FF770D90000-0x00007FF7710E1000-memory.dmp	upx
behavioral2/memory/1600-139-0x00007FF694020000-0x00007FF694371000-memory.dmp	upx
behavioral2/memory/4996-135-0x00007FF7D75D0000-0x00007FF7D7921000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-133.dat	upx
behavioral2/memory/2380-132-0x00007FF73C360000-0x00007FF73C6B1000-memory.dmp	upx
behavioral2/memory/1060-122-0x00007FF74EDD0000-0x00007FF74F121000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-111.dat	upx
behavioral2/memory/1216-118-0x00007FF738F60000-0x00007FF7392B1000-memory.dmp	upx
behavioral2/memory/1480-101-0x00007FF795CA0000-0x00007FF795FF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-107.dat	upx
behavioral2/memory/2252-90-0x00007FF7D3360000-0x00007FF7D36B1000-memory.dmp	upx
behavioral2/memory/4260-94-0x00007FF7DA060000-0x00007FF7DA3B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-147.dat	upx
behavioral2/memory/4676-151-0x00007FF66E150000-0x00007FF66E4A1000-memory.dmp	upx
behavioral2/memory/1216-159-0x00007FF738F60000-0x00007FF7392B1000-memory.dmp	upx
behavioral2/memory/3952-167-0x00007FF790520000-0x00007FF790871000-memory.dmp	upx
behavioral2/memory/2296-199-0x00007FF6D5500000-0x00007FF6D5851000-memory.dmp	upx
behavioral2/memory/8-201-0x00007FF64DF80000-0x00007FF64E2D1000-memory.dmp	upx
behavioral2/memory/4216-204-0x00007FF693240000-0x00007FF693591000-memory.dmp	upx
behavioral2/memory/2252-205-0x00007FF7D3360000-0x00007FF7D36B1000-memory.dmp	upx
behavioral2/memory/4836-210-0x00007FF7C8DD0000-0x00007FF7C9121000-memory.dmp	upx
behavioral2/memory/4260-208-0x00007FF7DA060000-0x00007FF7DA3B1000-memory.dmp	upx
behavioral2/memory/4248-216-0x00007FF663420000-0x00007FF663771000-memory.dmp	upx
behavioral2/memory/1220-218-0x00007FF6696B0000-0x00007FF669A01000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\TZtMemk.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KHgTOzU.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BXVOvDU.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bsdkPfg.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VvGargl.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JaKbdKE.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\feNlHmR.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GnGaiDl.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aQXJaqt.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gowpJCZ.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bxBRiBp.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\utKUVoW.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MAdGAfU.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JYJbckn.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZWuEuES.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AoxvNvG.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DrSUHyx.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FsRcBYN.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dULlXDR.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kqyoEno.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oTCfnie.exe	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 2296	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3952 wrote to memory of 2296	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3952 wrote to memory of 8	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3952 wrote to memory of 8	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3952 wrote to memory of 4216	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3952 wrote to memory of 4216	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3952 wrote to memory of 2252	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3952 wrote to memory of 2252	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3952 wrote to memory of 4260	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3952 wrote to memory of 4260	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3952 wrote to memory of 4836	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3952 wrote to memory of 4836	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3952 wrote to memory of 4248	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3952 wrote to memory of 4248	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3952 wrote to memory of 2200	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3952 wrote to memory of 2200	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3952 wrote to memory of 1220	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3952 wrote to memory of 1220	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3952 wrote to memory of 4608	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3952 wrote to memory of 4608	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3952 wrote to memory of 1480	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3952 wrote to memory of 1480	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3952 wrote to memory of 2220	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3952 wrote to memory of 2220	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3952 wrote to memory of 1780	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3952 wrote to memory of 1780	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3952 wrote to memory of 1216	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3952 wrote to memory of 1216	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3952 wrote to memory of 1060	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3952 wrote to memory of 1060	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3952 wrote to memory of 1244	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3952 wrote to memory of 1244	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3952 wrote to memory of 2380	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3952 wrote to memory of 2380	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3952 wrote to memory of 4996	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3952 wrote to memory of 4996	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3952 wrote to memory of 1908	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3952 wrote to memory of 1908	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3952 wrote to memory of 1600	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3952 wrote to memory of 1600	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3952 wrote to memory of 4676	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3952 wrote to memory of 4676	3952	2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-17_87d04c486746cfc7a4ef461da0f2afff_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\System\kqyoEno.exe
  C:\Windows\System\kqyoEno.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\gowpJCZ.exe
  C:\Windows\System\gowpJCZ.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\oTCfnie.exe
  C:\Windows\System\oTCfnie.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\bxBRiBp.exe
  C:\Windows\System\bxBRiBp.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\ZWuEuES.exe
  C:\Windows\System\ZWuEuES.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System\AoxvNvG.exe
  C:\Windows\System\AoxvNvG.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\BXVOvDU.exe
  C:\Windows\System\BXVOvDU.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\bsdkPfg.exe
  C:\Windows\System\bsdkPfg.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\TZtMemk.exe
  C:\Windows\System\TZtMemk.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\VvGargl.exe
  C:\Windows\System\VvGargl.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\KHgTOzU.exe
  C:\Windows\System\KHgTOzU.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\DrSUHyx.exe
  C:\Windows\System\DrSUHyx.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System\FsRcBYN.exe
  C:\Windows\System\FsRcBYN.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\JaKbdKE.exe
  C:\Windows\System\JaKbdKE.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\utKUVoW.exe
  C:\Windows\System\utKUVoW.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\feNlHmR.exe
  C:\Windows\System\feNlHmR.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System\GnGaiDl.exe
  C:\Windows\System\GnGaiDl.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\MAdGAfU.exe
  C:\Windows\System\MAdGAfU.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\aQXJaqt.exe
  C:\Windows\System\aQXJaqt.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\dULlXDR.exe
  C:\Windows\System\dULlXDR.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\JYJbckn.exe
  C:\Windows\System\JYJbckn.exe
  2⤵
  - Executes dropped EXE
  PID:4676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AoxvNvG.exe

Filesize
5.2MB

MD5
b00387e21335715b93e390860766c8af

SHA1
ec09706eeb2f75edc053f424b16f17c661b1cff3

SHA256
11a16cff03ffa12c954ae496f14989f8bdde92731d4b5ccf428bf3351ff16d06

SHA512
23134d8d793833555c4447e8b4625fbcce6f0d4a1b1e6ba81ff9975fe78e70c6c9ca4ab701b0ae92fc02b287802bcc6147abee5205cc9a9f909150f27580d79b

Download Submit
C:\Windows\System\BXVOvDU.exe

Filesize
5.2MB

MD5
ec31751902572a2be7d5a7a8077f8e75

SHA1
c326953c894453a32e361f0cfbb3531d36e752be

SHA256
9d5241ec917788f5a719ec94fa1cc7358c3a3553cd4ca6fd9c8ab66d78ef79c1

SHA512
175ba3d51e4588754f6debf9d5a7369246763ed518935965a007d473adcd429bdc2d5c89dbb550949a346179e7b2268e586c426c3a4a7dbbf0491dbf78543f49

Download Submit
C:\Windows\System\DrSUHyx.exe

Filesize
5.2MB

MD5
b1bcbdd67b666b596abfa49611127b06

SHA1
fd624fce3f01e059e20c9af97e109e668931884e

SHA256
227499ae98bc748c358a30e5ac2913cd3504a2669eb55ed15acd227fdfdf72d7

SHA512
528bbbb9e502b67548001c9f5217b394cfeb19412d611d77297c5ae703ed474df0fce5798c10af66244516a52d382ec3f013fe0f341ec4bca8b5839b7fc6f08a

Download Submit
C:\Windows\System\FsRcBYN.exe

Filesize
5.2MB

MD5
5271a789bc18ca736f32c3383a4863ad

SHA1
d719e4673a5191d81c416e9c281fc860330a37e7

SHA256
5c26fcc4367663b7d49ad50caa1a210087bc986c0d563b717b89eadfc4b6e08d

SHA512
47cda781b270dc79aa664a2ba73ee380ab22e41d9bdc316fda3653d37d06cd1a163993c454b81508f27c7e0baab890519236e3e7dfad2d83f1a94b6972f1bc17

Download Submit
C:\Windows\System\GnGaiDl.exe

Filesize
5.2MB

MD5
375e1a205f26921ab4402980f838934d

SHA1
e2cd5a87c158cc7d893c8987da65ca1c95759583

SHA256
c05e7e6f101efe7289575ff6f5ec644ae7c345083128fe3e17ae491a82dbed5c

SHA512
278134eb03d8fe3b9f0df44d95d0e4cfdec7645420c7a688a59ff61b0d47c195b1b9456d82513bd466926899d0702723464b904619ae1d0db82286f6f1b5237e

Download Submit
C:\Windows\System\JYJbckn.exe

Filesize
5.2MB

MD5
ef6f73f73d28153a9e1dd103c80a95e9

SHA1
5f885b9d5e08dfd0ad8ee293ca37b292b80161ad

SHA256
706423601fcf2ee791880ccd0ec1f2ac2e3d6f08c3ef2f64d8f9de74be40b67c

SHA512
ddf98ad17bdf148f06a6184e93034bf9a8b86f3b5bc00295e7bd4b3f676209a3158bab6f17017bf7ab94a025fb204444a04e033af9a020d7744ae0d25ef5b0bf

Download Submit
C:\Windows\System\JaKbdKE.exe

Filesize
5.2MB

MD5
c2583549d968ed64f2dc1529298f1b45

SHA1
00ebfdfeaf822bb910d0df90bc0128778e30bd98

SHA256
e1297660256bc9d19090dc48f4726b51093490e807d3b29599879018fcfeb7b2

SHA512
d501a645abf9b338845e332a49efbf8a447490469a18a985e9998c938ad88a2b7b0f5667cd2628bff5bdb5090abfaecfeb3803c9e98837d96a16c62d3b62c408

Download Submit
C:\Windows\System\KHgTOzU.exe

Filesize
5.2MB

MD5
aabf0aeacc13265580b2c33d4753358a

SHA1
48c124cdb9ed679830a1383b643547d3c79fe3aa

SHA256
aae8f4d52800726681e5b5550197f0209ea6932b3c4cf9c4364d0e1419e40afd

SHA512
aea9dcd1dbd553a78c0b1e5195648b9a241133c160b3efdbc3a5b05ea534daff6b84c92ca78192503f9b1827d7a8d0fb1fdd94187005900a357d096bf1271850

Download Submit
C:\Windows\System\MAdGAfU.exe

Filesize
5.2MB

MD5
1ee05bbab140c6372d476f880a896fd1

SHA1
3dff4182e3a403ceca035c8b2e9d60819ddd51eb

SHA256
e9d9ac127c4400a4214044790bd5ee87cffcf7878be000b2115e24801a63f47c

SHA512
644d6de5fcc4e9564ce207fa117cd65e32aace58c877af65eb01e431b7d7f34ef94735fe6ef2760f69535219c4ca135f363f2a64c2646b28765a466049719285

Download Submit
C:\Windows\System\TZtMemk.exe

Filesize
5.2MB

MD5
6ba6c8540d5fd85133fd0da66f6f381b

SHA1
e4fe48d99617b97fe2771e4d7dc91987b1b9a70f

SHA256
7c73ec7453330e1b678d489f11a599ee1f71e8e8b477f7c04588a7eb2a47fa80

SHA512
2babcd13bb49474e085b3359fdda2bd03e70bb986a6a37a095a413ef0d8e209372b6becad39ed7cc7b2386088a6486052e9a498172cb14418c7684985396b2ca

Download Submit
C:\Windows\System\VvGargl.exe

Filesize
5.2MB

MD5
1242db319ba54a20f33e8471214fd279

SHA1
6a13ba0ba7210fb2b01fb0876ed7cbbf24a0965e

SHA256
dbb263c6f9fa78e9b272d9eb5f4dbff989d60f27d2808b384b5a2e3b04883cda

SHA512
fff6573c26e56fc18cd25d6b4d9e345e7248ef25bbaaac045af5623e2bd0995b988b314b71a58e06ba243ad61316bbd54adb43e66de728311c487e68e7736f3d

Download Submit
C:\Windows\System\ZWuEuES.exe

Filesize
5.2MB

MD5
6f1d35c55b20ef556dbe9623e3d2bb3d

SHA1
4465aae6780d072e3b08ded9e4b977d7f3b62aaf

SHA256
3267adc29980cc329aa7237684dbc09321094420119b11912b6f40d372c24d30

SHA512
4503e3e9226a9f02fb740b84fc37d334585f460f7118af802971bd446bb5a22c0adfc5330bc7b4ca8a19390e9f67108c41b26d916df6cc8f4b4b6efa0e07af78

Download Submit
C:\Windows\System\aQXJaqt.exe

Filesize
5.2MB

MD5
a66437bb5098cbd0dd53fd522126a3ad

SHA1
960ee09aae4dc0ef75e8871c1d984f7710d38fea

SHA256
71a20070b1259391bb70d84a212cf1ccaca1a2a755b1c1cce503c0ff0c0e3bb5

SHA512
b034b9e67ff8bac046b9f3670198dbc9621d2cd31a3784d23f0b8be8824b277780dec5140aa7d59c496a9735916e08b353d7f331d97fe05a71c6042fc83b8069

Download Submit
C:\Windows\System\bsdkPfg.exe

Filesize
5.2MB

MD5
78c1680587866bc5bd26f2e5b6619cf1

SHA1
e90cfa0b426ef69522670db67351f4d097cf3316

SHA256
8560bd80cd364c812235c5366a3b31a816b2fa124782dfa72ae1d870a921ac77

SHA512
19f574cc0bb2847686472f025d6fcc67afc4574fb63d6b7d8b65c0e94646c45a50ad02435dda28bc4e99877f1528802b3dc13763dd5a413134ad02d243498c63

Download Submit
C:\Windows\System\bxBRiBp.exe

Filesize
5.2MB

MD5
009850a415e553a7c42d70f4cff98f65

SHA1
d28ed0f0f1fcf1a74d86eac623b2738dda5d5683

SHA256
d4360650ac4a73261635d321291c83e46e7713c89fa3396e58b28bb9d904049d

SHA512
56bae8fb1c6427e16d06232009af3e4b3342e070d365833fd288f125af53c0e446195ea19d54291e15f2e829a2912ab7c097efe2c38f963186b15ebaf9d75be2

Download Submit
C:\Windows\System\dULlXDR.exe

Filesize
5.2MB

MD5
9b625633b5c9fa56431f417fc433cf21

SHA1
61174d1c5f95270779b5e0260435ec3c875e7a80

SHA256
2882d2e03000c147d145b8e1182b5548b7b7d99c0472e1ba31bb5d31ebfb8eec

SHA512
cf3247462a1a7bc44427d73e8e43dfdfd2a596ac202bca4f187dea1bad67b03e25fb3cba3f2f9d82b77eff8ae6434324d6865b5f3d37b273a68b30856e0d65d3

Download Submit
C:\Windows\System\feNlHmR.exe

Filesize
5.2MB

MD5
7a3e6dc9d666479c4bf29033a3dd3623

SHA1
674ec7127ddb67a33e9bf0fb16446bf297ee3d72

SHA256
1f92d5d53a607bf6a0a550fe06fa6bf76d31306448baae102dbe6e92900a7e7e

SHA512
ae20b077cd5fe26b812da205675502fa3ac83d69633366e39a649bfe14d9584413c04136b883802bd6a45d9c985ec377ccd7cb4af770b1526902233b4974b6a0

Download Submit
C:\Windows\System\gowpJCZ.exe

Filesize
5.2MB

MD5
7202ecbb46afbe3deb862f95e9057c41

SHA1
075434283d55f8d0e5c14fdc5c8834df6a6e28d1

SHA256
3e352644065540b791a5f123c12ae067b51dc1a4d7bc25ea70b3b8d38196a699

SHA512
2ad2c51a7d933d774f86e4f99948e5bc30667260cb036655a671a9ffd4fe6d6388f00a153e8b783ed4a4628f7aea596207f364db5ca1d3aaf8650f8c451add1f

Download Submit
C:\Windows\System\kqyoEno.exe

Filesize
5.2MB

MD5
2b9ad41f6c9f471a1ea483cd14f8903a

SHA1
98f379899b1cd8ea7bf15fa8cdbea4e4370e766c

SHA256
c27306a6ccc99c42d10615aa85f1025cffd08f1a0ae3de7fdfb813f65ecc9b62

SHA512
da817388933353d9420c3f5e94cb704b896334da50e7de1faa410f214b56b569ce825fef3c2b751e8c5021fd2eb11ee507c6799635e2d5addbe6c91025c3d3c0

Download Submit
C:\Windows\System\oTCfnie.exe

Filesize
5.2MB

MD5
ac063165460a1a8857091f4b32cc6f1e

SHA1
dc8bdb0518ff99fb4dd6f6241f3dbc32c5ef75fd

SHA256
aa7875f3345689f18ea86be522287a67c088431f5c6495d7dd760b90e3632076

SHA512
723a223070f8c6c3819444932ca14f6f46153c2dc5a009fd18634e9097cd98fc74688806c0a106af31b31880ec046a5034d895a1dcafa92dedae5ab85dd99634

Download Submit
C:\Windows\System\utKUVoW.exe

Filesize
5.2MB

MD5
d479073d314b24d9a1cd7f459369b1f7

SHA1
3de6077a7441ceea76d0ae77b78049ed591ed987

SHA256
f9704895c5cd4047ba27b4dfa923ff65a67b391dd10b33957da5eb291cce0a24

SHA512
56a72497807d0f635ae55a2ee6c36d5ac7b896be8bea05e279179b0e881fa80bef48a97989b10d6885d3b171bc4b643a24bae805fef0600593d84186a186968e

Download Submit
memory/8-201-0x00007FF64DF80000-0x00007FF64E2D1000-memory.dmp

Filesize
3.3MB

Download
memory/8-79-0x00007FF64DF80000-0x00007FF64E2D1000-memory.dmp

Filesize
3.3MB

Download
memory/8-15-0x00007FF64DF80000-0x00007FF64E2D1000-memory.dmp

Filesize
3.3MB

Download
memory/1060-122-0x00007FF74EDD0000-0x00007FF74F121000-memory.dmp

Filesize
3.3MB

Download
memory/1060-249-0x00007FF74EDD0000-0x00007FF74F121000-memory.dmp

Filesize
3.3MB

Download
memory/1216-255-0x00007FF738F60000-0x00007FF7392B1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-118-0x00007FF738F60000-0x00007FF7392B1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-159-0x00007FF738F60000-0x00007FF7392B1000-memory.dmp

Filesize
3.3MB

Download
memory/1220-99-0x00007FF6696B0000-0x00007FF669A01000-memory.dmp

Filesize
3.3MB

Download
memory/1220-218-0x00007FF6696B0000-0x00007FF669A01000-memory.dmp

Filesize
3.3MB

Download
memory/1220-55-0x00007FF6696B0000-0x00007FF669A01000-memory.dmp

Filesize
3.3MB

Download
memory/1244-125-0x00007FF7BC1A0000-0x00007FF7BC4F1000-memory.dmp

Filesize
3.3MB

Download
memory/1244-251-0x00007FF7BC1A0000-0x00007FF7BC4F1000-memory.dmp

Filesize
3.3MB

Download
memory/1480-75-0x00007FF795CA0000-0x00007FF795FF1000-memory.dmp

Filesize
3.3MB

Download
memory/1480-101-0x00007FF795CA0000-0x00007FF795FF1000-memory.dmp

Filesize
3.3MB

Download
memory/1480-232-0x00007FF795CA0000-0x00007FF795FF1000-memory.dmp

Filesize
3.3MB

Download
memory/1600-139-0x00007FF694020000-0x00007FF694371000-memory.dmp

Filesize
3.3MB

Download
memory/1600-259-0x00007FF694020000-0x00007FF694371000-memory.dmp

Filesize
3.3MB

Download
memory/1780-109-0x00007FF7959D0000-0x00007FF795D21000-memory.dmp

Filesize
3.3MB

Download
memory/1780-235-0x00007FF7959D0000-0x00007FF795D21000-memory.dmp

Filesize
3.3MB

Download
memory/1780-81-0x00007FF7959D0000-0x00007FF795D21000-memory.dmp

Filesize
3.3MB

Download
memory/1908-258-0x00007FF770D90000-0x00007FF7710E1000-memory.dmp

Filesize
3.3MB

Download
memory/1908-138-0x00007FF770D90000-0x00007FF7710E1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-229-0x00007FF64B3E0000-0x00007FF64B731000-memory.dmp

Filesize
3.3MB

Download
memory/2200-97-0x00007FF64B3E0000-0x00007FF64B731000-memory.dmp

Filesize
3.3MB

Download
memory/2200-49-0x00007FF64B3E0000-0x00007FF64B731000-memory.dmp

Filesize
3.3MB

Download
memory/2220-233-0x00007FF6B02D0000-0x00007FF6B0621000-memory.dmp

Filesize
3.3MB

Download
memory/2220-80-0x00007FF6B02D0000-0x00007FF6B0621000-memory.dmp

Filesize
3.3MB

Download
memory/2252-90-0x00007FF7D3360000-0x00007FF7D36B1000-memory.dmp

Filesize
3.3MB

Download
memory/2252-27-0x00007FF7D3360000-0x00007FF7D36B1000-memory.dmp

Filesize
3.3MB

Download
memory/2252-205-0x00007FF7D3360000-0x00007FF7D36B1000-memory.dmp

Filesize
3.3MB

Download
memory/2296-199-0x00007FF6D5500000-0x00007FF6D5851000-memory.dmp

Filesize
3.3MB

Download
memory/2296-76-0x00007FF6D5500000-0x00007FF6D5851000-memory.dmp

Filesize
3.3MB

Download
memory/2296-6-0x00007FF6D5500000-0x00007FF6D5851000-memory.dmp

Filesize
3.3MB

Download
memory/2380-132-0x00007FF73C360000-0x00007FF73C6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2380-248-0x00007FF73C360000-0x00007FF73C6B1000-memory.dmp

Filesize
3.3MB

Download
memory/3952-62-0x00007FF790520000-0x00007FF790871000-memory.dmp

Filesize
3.3MB

Download
memory/3952-167-0x00007FF790520000-0x00007FF790871000-memory.dmp

Filesize
3.3MB

Download
memory/3952-0-0x00007FF790520000-0x00007FF790871000-memory.dmp

Filesize
3.3MB

Download
memory/3952-1-0x0000018A59C90000-0x0000018A59CA0000-memory.dmp

Filesize
64KB

Download
memory/4216-204-0x00007FF693240000-0x00007FF693591000-memory.dmp

Filesize
3.3MB

Download
memory/4216-17-0x00007FF693240000-0x00007FF693591000-memory.dmp

Filesize
3.3MB

Download
memory/4216-89-0x00007FF693240000-0x00007FF693591000-memory.dmp

Filesize
3.3MB

Download
memory/4248-46-0x00007FF663420000-0x00007FF663771000-memory.dmp

Filesize
3.3MB

Download
memory/4248-216-0x00007FF663420000-0x00007FF663771000-memory.dmp

Filesize
3.3MB

Download
memory/4248-96-0x00007FF663420000-0x00007FF663771000-memory.dmp

Filesize
3.3MB

Download
memory/4260-94-0x00007FF7DA060000-0x00007FF7DA3B1000-memory.dmp

Filesize
3.3MB

Download
memory/4260-208-0x00007FF7DA060000-0x00007FF7DA3B1000-memory.dmp

Filesize
3.3MB

Download
memory/4260-37-0x00007FF7DA060000-0x00007FF7DA3B1000-memory.dmp

Filesize
3.3MB

Download
memory/4608-71-0x00007FF730790000-0x00007FF730AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4608-227-0x00007FF730790000-0x00007FF730AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4676-151-0x00007FF66E150000-0x00007FF66E4A1000-memory.dmp

Filesize
3.3MB

Download
memory/4676-262-0x00007FF66E150000-0x00007FF66E4A1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-42-0x00007FF7C8DD0000-0x00007FF7C9121000-memory.dmp

Filesize
3.3MB

Download
memory/4836-210-0x00007FF7C8DD0000-0x00007FF7C9121000-memory.dmp

Filesize
3.3MB

Download
memory/4996-254-0x00007FF7D75D0000-0x00007FF7D7921000-memory.dmp

Filesize
3.3MB

Download
memory/4996-135-0x00007FF7D75D0000-0x00007FF7D7921000-memory.dmp

Filesize
3.3MB

Download