cobaltstrike | b1fbc2fccd8930a6c69e1d5736c94acd05bde2d34325ea04e4df76ab2688ddce

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

467785aa9694cc1d76cc41d6235e336f
SHA1

14826bb8b5cd88b8cb0337e4a62d900dab8af709
SHA256

b1fbc2fccd8930a6c69e1d5736c94acd05bde2d34325ea04e4df76ab2688ddce
SHA512

206fd2d2e5215245a67f4f09aacca312ccedecfbbf391b090419f738c127366414b70b019a7294ded3bdaa91102bb1105de946002eaf0e646c726f0091627297
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lL:RWWBibd56utgpPFotBER/mQ32lUf

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b8a-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-32.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-46.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-74.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-90.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-105.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-117.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-115.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-100.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-88.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-66.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-49.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8b-36.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-28.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-19.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/116-73-0x00007FF658BA0000-0x00007FF658EF1000-memory.dmp	xmrig
behavioral2/memory/1396-119-0x00007FF6AE6B0000-0x00007FF6AEA01000-memory.dmp	xmrig
behavioral2/memory/2772-123-0x00007FF714250000-0x00007FF7145A1000-memory.dmp	xmrig
behavioral2/memory/2472-129-0x00007FF75B840000-0x00007FF75BB91000-memory.dmp	xmrig
behavioral2/memory/3832-133-0x00007FF677DC0000-0x00007FF678111000-memory.dmp	xmrig
behavioral2/memory/2508-137-0x00007FF74A170000-0x00007FF74A4C1000-memory.dmp	xmrig
behavioral2/memory/2052-139-0x00007FF6F2170000-0x00007FF6F24C1000-memory.dmp	xmrig
behavioral2/memory/3688-140-0x00007FF676F10000-0x00007FF677261000-memory.dmp	xmrig
behavioral2/memory/2544-141-0x00007FF630770000-0x00007FF630AC1000-memory.dmp	xmrig
behavioral2/memory/4944-138-0x00007FF60B320000-0x00007FF60B671000-memory.dmp	xmrig
behavioral2/memory/4608-136-0x00007FF7A9300000-0x00007FF7A9651000-memory.dmp	xmrig
behavioral2/memory/1704-135-0x00007FF7AA4A0000-0x00007FF7AA7F1000-memory.dmp	xmrig
behavioral2/memory/796-134-0x00007FF76C4B0000-0x00007FF76C801000-memory.dmp	xmrig
behavioral2/memory/4688-132-0x00007FF7AA920000-0x00007FF7AAC71000-memory.dmp	xmrig
behavioral2/memory/5000-128-0x00007FF7CF3F0000-0x00007FF7CF741000-memory.dmp	xmrig
behavioral2/memory/3064-131-0x00007FF61E570000-0x00007FF61E8C1000-memory.dmp	xmrig
behavioral2/memory/4012-127-0x00007FF736360000-0x00007FF7366B1000-memory.dmp	xmrig
behavioral2/memory/1784-125-0x00007FF7A2DF0000-0x00007FF7A3141000-memory.dmp	xmrig
behavioral2/memory/376-124-0x00007FF621C40000-0x00007FF621F91000-memory.dmp	xmrig
behavioral2/memory/3412-122-0x00007FF7A6F00000-0x00007FF7A7251000-memory.dmp	xmrig
behavioral2/memory/1396-120-0x00007FF6AE6B0000-0x00007FF6AEA01000-memory.dmp	xmrig
behavioral2/memory/1048-126-0x00007FF619470000-0x00007FF6197C1000-memory.dmp	xmrig
behavioral2/memory/4816-121-0x00007FF794C90000-0x00007FF794FE1000-memory.dmp	xmrig
behavioral2/memory/1396-142-0x00007FF6AE6B0000-0x00007FF6AEA01000-memory.dmp	xmrig
behavioral2/memory/4816-196-0x00007FF794C90000-0x00007FF794FE1000-memory.dmp	xmrig
behavioral2/memory/3412-198-0x00007FF7A6F00000-0x00007FF7A7251000-memory.dmp	xmrig
behavioral2/memory/2772-200-0x00007FF714250000-0x00007FF7145A1000-memory.dmp	xmrig
behavioral2/memory/1048-211-0x00007FF619470000-0x00007FF6197C1000-memory.dmp	xmrig
behavioral2/memory/1784-214-0x00007FF7A2DF0000-0x00007FF7A3141000-memory.dmp	xmrig
behavioral2/memory/376-212-0x00007FF621C40000-0x00007FF621F91000-memory.dmp	xmrig
behavioral2/memory/4012-219-0x00007FF736360000-0x00007FF7366B1000-memory.dmp	xmrig
behavioral2/memory/5000-220-0x00007FF7CF3F0000-0x00007FF7CF741000-memory.dmp	xmrig
behavioral2/memory/2472-217-0x00007FF75B840000-0x00007FF75BB91000-memory.dmp	xmrig
behavioral2/memory/116-236-0x00007FF658BA0000-0x00007FF658EF1000-memory.dmp	xmrig
behavioral2/memory/4688-234-0x00007FF7AA920000-0x00007FF7AAC71000-memory.dmp	xmrig
behavioral2/memory/3688-246-0x00007FF676F10000-0x00007FF677261000-memory.dmp	xmrig
behavioral2/memory/2544-248-0x00007FF630770000-0x00007FF630AC1000-memory.dmp	xmrig
behavioral2/memory/2052-244-0x00007FF6F2170000-0x00007FF6F24C1000-memory.dmp	xmrig
behavioral2/memory/3832-241-0x00007FF677DC0000-0x00007FF678111000-memory.dmp	xmrig
behavioral2/memory/2508-238-0x00007FF74A170000-0x00007FF74A4C1000-memory.dmp	xmrig
behavioral2/memory/796-240-0x00007FF76C4B0000-0x00007FF76C801000-memory.dmp	xmrig
behavioral2/memory/3064-227-0x00007FF61E570000-0x00007FF61E8C1000-memory.dmp	xmrig
behavioral2/memory/4608-231-0x00007FF7A9300000-0x00007FF7A9651000-memory.dmp	xmrig
behavioral2/memory/1704-230-0x00007FF7AA4A0000-0x00007FF7AA7F1000-memory.dmp	xmrig
behavioral2/memory/4944-249-0x00007FF60B320000-0x00007FF60B671000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4816	fwLXmoO.exe
3412	nmAHJpb.exe
2772	YheCRRB.exe
376	AifAwBy.exe
1048	FECQEpT.exe
1784	pUhdKwY.exe
4012	OirEJnJ.exe
5000	AYNLLpk.exe
2472	GmpypuC.exe
116	mjFAsWa.exe
3064	xnxVXnp.exe
4688	MdogozA.exe
3832	GrwsBFe.exe
796	rxanyeD.exe
1704	GfnhDti.exe
4608	ZywplPE.exe
2508	RPsqQNY.exe
4944	cvhXLwC.exe
2052	nYEDYec.exe
3688	uOggNEO.exe
2544	hYVyxbB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1396-0-0x00007FF6AE6B0000-0x00007FF6AEA01000-memory.dmp	upx
behavioral2/files/0x000b000000023b8a-5.dat	upx
behavioral2/memory/4816-7-0x00007FF794C90000-0x00007FF794FE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-11.dat	upx
behavioral2/memory/3412-16-0x00007FF7A6F00000-0x00007FF7A7251000-memory.dmp	upx
behavioral2/memory/2772-18-0x00007FF714250000-0x00007FF7145A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b91-32.dat	upx
behavioral2/memory/1784-39-0x00007FF7A2DF0000-0x00007FF7A3141000-memory.dmp	upx
behavioral2/files/0x000a000000023b94-46.dat	upx
behavioral2/files/0x000a000000023b96-61.dat	upx
behavioral2/files/0x000a000000023b97-70.dat	upx
behavioral2/files/0x000a000000023b98-74.dat	upx
behavioral2/memory/3832-82-0x00007FF677DC0000-0x00007FF678111000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-90.dat	upx
behavioral2/files/0x000a000000023b9e-105.dat	upx
behavioral2/files/0x000a000000023ba0-117.dat	upx
behavioral2/files/0x000a000000023b9f-115.dat	upx
behavioral2/files/0x000a000000023b9d-106.dat	upx
behavioral2/files/0x000a000000023b9c-100.dat	upx
behavioral2/files/0x000a000000023b9a-93.dat	upx
behavioral2/files/0x000a000000023b99-88.dat	upx
behavioral2/memory/116-73-0x00007FF658BA0000-0x00007FF658EF1000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-66.dat	upx
behavioral2/memory/3064-65-0x00007FF61E570000-0x00007FF61E8C1000-memory.dmp	upx
behavioral2/memory/2472-62-0x00007FF75B840000-0x00007FF75BB91000-memory.dmp	upx
behavioral2/memory/5000-57-0x00007FF7CF3F0000-0x00007FF7CF741000-memory.dmp	upx
behavioral2/memory/4012-48-0x00007FF736360000-0x00007FF7366B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b93-50.dat	upx
behavioral2/files/0x000a000000023b92-49.dat	upx
behavioral2/files/0x000b000000023b8b-36.dat	upx
behavioral2/memory/1048-33-0x00007FF619470000-0x00007FF6197C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-28.dat	upx
behavioral2/memory/376-27-0x00007FF621C40000-0x00007FF621F91000-memory.dmp	upx
behavioral2/files/0x000a000000023b8f-19.dat	upx
behavioral2/memory/1396-119-0x00007FF6AE6B0000-0x00007FF6AEA01000-memory.dmp	upx
behavioral2/memory/2772-123-0x00007FF714250000-0x00007FF7145A1000-memory.dmp	upx
behavioral2/memory/2472-129-0x00007FF75B840000-0x00007FF75BB91000-memory.dmp	upx
behavioral2/memory/3832-133-0x00007FF677DC0000-0x00007FF678111000-memory.dmp	upx
behavioral2/memory/2508-137-0x00007FF74A170000-0x00007FF74A4C1000-memory.dmp	upx
behavioral2/memory/2052-139-0x00007FF6F2170000-0x00007FF6F24C1000-memory.dmp	upx
behavioral2/memory/3688-140-0x00007FF676F10000-0x00007FF677261000-memory.dmp	upx
behavioral2/memory/2544-141-0x00007FF630770000-0x00007FF630AC1000-memory.dmp	upx
behavioral2/memory/4944-138-0x00007FF60B320000-0x00007FF60B671000-memory.dmp	upx
behavioral2/memory/4608-136-0x00007FF7A9300000-0x00007FF7A9651000-memory.dmp	upx
behavioral2/memory/1704-135-0x00007FF7AA4A0000-0x00007FF7AA7F1000-memory.dmp	upx
behavioral2/memory/796-134-0x00007FF76C4B0000-0x00007FF76C801000-memory.dmp	upx
behavioral2/memory/4688-132-0x00007FF7AA920000-0x00007FF7AAC71000-memory.dmp	upx
behavioral2/memory/5000-128-0x00007FF7CF3F0000-0x00007FF7CF741000-memory.dmp	upx
behavioral2/memory/3064-131-0x00007FF61E570000-0x00007FF61E8C1000-memory.dmp	upx
behavioral2/memory/4012-127-0x00007FF736360000-0x00007FF7366B1000-memory.dmp	upx
behavioral2/memory/1784-125-0x00007FF7A2DF0000-0x00007FF7A3141000-memory.dmp	upx
behavioral2/memory/376-124-0x00007FF621C40000-0x00007FF621F91000-memory.dmp	upx
behavioral2/memory/3412-122-0x00007FF7A6F00000-0x00007FF7A7251000-memory.dmp	upx
behavioral2/memory/1396-120-0x00007FF6AE6B0000-0x00007FF6AEA01000-memory.dmp	upx
behavioral2/memory/1048-126-0x00007FF619470000-0x00007FF6197C1000-memory.dmp	upx
behavioral2/memory/4816-121-0x00007FF794C90000-0x00007FF794FE1000-memory.dmp	upx
behavioral2/memory/1396-142-0x00007FF6AE6B0000-0x00007FF6AEA01000-memory.dmp	upx
behavioral2/memory/4816-196-0x00007FF794C90000-0x00007FF794FE1000-memory.dmp	upx
behavioral2/memory/3412-198-0x00007FF7A6F00000-0x00007FF7A7251000-memory.dmp	upx
behavioral2/memory/2772-200-0x00007FF714250000-0x00007FF7145A1000-memory.dmp	upx
behavioral2/memory/1048-211-0x00007FF619470000-0x00007FF6197C1000-memory.dmp	upx
behavioral2/memory/1784-214-0x00007FF7A2DF0000-0x00007FF7A3141000-memory.dmp	upx
behavioral2/memory/376-212-0x00007FF621C40000-0x00007FF621F91000-memory.dmp	upx
behavioral2/memory/4012-219-0x00007FF736360000-0x00007FF7366B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\nmAHJpb.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AifAwBy.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GmpypuC.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hYVyxbB.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZywplPE.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RPsqQNY.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cvhXLwC.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YheCRRB.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pUhdKwY.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FECQEpT.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OirEJnJ.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GfnhDti.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nYEDYec.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fwLXmoO.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mjFAsWa.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GrwsBFe.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uOggNEO.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AYNLLpk.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xnxVXnp.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MdogozA.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rxanyeD.exe	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 4816	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1396 wrote to memory of 4816	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1396 wrote to memory of 3412	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1396 wrote to memory of 3412	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1396 wrote to memory of 2772	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1396 wrote to memory of 2772	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1396 wrote to memory of 376	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1396 wrote to memory of 376	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1396 wrote to memory of 1784	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1396 wrote to memory of 1784	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1396 wrote to memory of 1048	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1396 wrote to memory of 1048	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1396 wrote to memory of 4012	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1396 wrote to memory of 4012	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1396 wrote to memory of 5000	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1396 wrote to memory of 5000	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1396 wrote to memory of 2472	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1396 wrote to memory of 2472	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1396 wrote to memory of 116	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1396 wrote to memory of 116	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1396 wrote to memory of 3064	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1396 wrote to memory of 3064	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1396 wrote to memory of 4688	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1396 wrote to memory of 4688	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1396 wrote to memory of 3832	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1396 wrote to memory of 3832	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1396 wrote to memory of 796	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1396 wrote to memory of 796	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1396 wrote to memory of 1704	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1396 wrote to memory of 1704	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1396 wrote to memory of 4608	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1396 wrote to memory of 4608	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1396 wrote to memory of 2508	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1396 wrote to memory of 2508	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1396 wrote to memory of 4944	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1396 wrote to memory of 4944	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1396 wrote to memory of 2052	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1396 wrote to memory of 2052	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1396 wrote to memory of 3688	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1396 wrote to memory of 3688	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1396 wrote to memory of 2544	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1396 wrote to memory of 2544	1396	2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_467785aa9694cc1d76cc41d6235e336f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\System\fwLXmoO.exe
  C:\Windows\System\fwLXmoO.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\nmAHJpb.exe
  C:\Windows\System\nmAHJpb.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\YheCRRB.exe
  C:\Windows\System\YheCRRB.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\AifAwBy.exe
  C:\Windows\System\AifAwBy.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System\pUhdKwY.exe
  C:\Windows\System\pUhdKwY.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System\FECQEpT.exe
  C:\Windows\System\FECQEpT.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System\OirEJnJ.exe
  C:\Windows\System\OirEJnJ.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\AYNLLpk.exe
  C:\Windows\System\AYNLLpk.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\GmpypuC.exe
  C:\Windows\System\GmpypuC.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\mjFAsWa.exe
  C:\Windows\System\mjFAsWa.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\xnxVXnp.exe
  C:\Windows\System\xnxVXnp.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\MdogozA.exe
  C:\Windows\System\MdogozA.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\GrwsBFe.exe
  C:\Windows\System\GrwsBFe.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\rxanyeD.exe
  C:\Windows\System\rxanyeD.exe
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\System\GfnhDti.exe
  C:\Windows\System\GfnhDti.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\ZywplPE.exe
  C:\Windows\System\ZywplPE.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\RPsqQNY.exe
  C:\Windows\System\RPsqQNY.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\cvhXLwC.exe
  C:\Windows\System\cvhXLwC.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\nYEDYec.exe
  C:\Windows\System\nYEDYec.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\uOggNEO.exe
  C:\Windows\System\uOggNEO.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\hYVyxbB.exe
  C:\Windows\System\hYVyxbB.exe
  2⤵
  - Executes dropped EXE
  PID:2544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AYNLLpk.exe

Filesize
5.2MB

MD5
f29f1e4770e39755f6774bd4783339d0

SHA1
32b4c02c458044e8554be47155972407373c0916

SHA256
0950fc96305f2c7c206ea031993f58a4c6cec1e9229e6171e5063d9ed101cbd6

SHA512
ded056190776760f0ac10739da3898f5a2da9ac1ef858bcf346061ebe7c9415b4068f848f949becd9b4a5038fbfacf8fec68ad4aa533cb7cd15e9b90bdbfbc33

Download Submit
C:\Windows\System\AifAwBy.exe

Filesize
5.2MB

MD5
a833405e910cc087cc38da1f30be8e74

SHA1
404c4bf19810a4ffaa8e47dd44334513230e1654

SHA256
34ec97072348810c344bc945fae50d5bb69b0b6b1e662b6017da9e0a4d4d42cc

SHA512
dfe5ff9604880f3836e2a65a34a5facec72c15a6f0aed2eee253ad3b77d2b4c0fa2250994d6c6115b800787edc1e779e757138e9a5c81bbc8d4bc3a2d8a34096

Download Submit
C:\Windows\System\FECQEpT.exe

Filesize
5.2MB

MD5
471d5daadca7976764c2e965100a8f82

SHA1
39ea281e7dbe58594c78d4459b012b4db9eaf3fe

SHA256
03bdfd1df7de0e67b08ca285054ee639d17bc10f9e7879410a60cc4b44ad9a2d

SHA512
ef98e408b0389fd301c5c41a9c0ebca01fc6b1dca053aab161084c89a3665da9367370afe05b70a8c29a2c0130241c4a0d6ded0712cbc5260b0781678454b2f4

Download Submit
C:\Windows\System\GfnhDti.exe

Filesize
5.2MB

MD5
f108f34450beacdb63439b62c01909c5

SHA1
b9222d6f04f0f949875da89d6fb5b003afafa992

SHA256
29c78904597ae67cc383cc4ffeaabe32faf65ebb68b3088ac44b1312de6c3aae

SHA512
486f5c14da0bf42495119842956f691a71d2d176d1c752049a364b76b0ab4985c15d2f6e18dc3463983d9b4c80adc6107bd1e11def2ab21ab05b2830872d9db4

Download Submit
C:\Windows\System\GmpypuC.exe

Filesize
5.2MB

MD5
0443c70e7d54c3a368982c3e61c5b5f2

SHA1
75fdbeea712290ff6ad0c1f35238b7acfc8ef634

SHA256
99fd266385db954ed17de2a45c76e25176e5870c00ce96910a67e53257903c2e

SHA512
1e345acdfab0b1a5498dc54753f44e18ddd02a4a9c532a77cfd0c4acc57586201c42fc80c3560743dda5c6b6fea4e05be6799442ba2c3d05b26823dd34503d7e

Download Submit
C:\Windows\System\GrwsBFe.exe

Filesize
5.2MB

MD5
56039d8991a4e6ce80b2ff98be5cd0c1

SHA1
d2d87b18af21d8748bd063c4fea0dcbd25ef6aee

SHA256
f7d0c0a632ff3bef34c41e00ce138562c92f70ec09670437a86390f4e072a23d

SHA512
615755c3096b305b4aae0bfc1bd3398d086f1ad533a9778fb63a9e3255359a366510be568cf21d97e835dcdee1f6292481059a0ea32dd792a4d2ee41ce043d94

Download Submit
C:\Windows\System\MdogozA.exe

Filesize
5.2MB

MD5
3d01cecd884cf906f9cc630cbdaae0b4

SHA1
dd3b0265851280658af196d5e63c1de444251be8

SHA256
ddfb938e33b9ea4725b8277a5a76106ab2e7876c6b4ef89320e47a4f10461793

SHA512
89b33e22f759ec3e63219baeba75b3b42c6f77e6d343050ec089b4cb5bc65248d7842f4ad9161b0c7043e6bbca438be4dd2054849ff6715d58e13be6fe3a7950

Download Submit
C:\Windows\System\OirEJnJ.exe

Filesize
5.2MB

MD5
98ba53c43e6455c2191ec9cdb2657bdc

SHA1
05a875455784bf24a4150c93b6c07110f33d60a4

SHA256
a881d98d2a755d9d425f959b191b2ab323bacd52d9ed0de8e7dd91e3a1b8f56f

SHA512
cfcc13c7be4d82e81725d22cedfcd9a9c72811354dbb00536c7cc7189c411bd4b54bc30c1d47680af3ae62900a0f0073bceed85aafaa99cb391ea5efeca3ddb8

Download Submit
C:\Windows\System\RPsqQNY.exe

Filesize
5.2MB

MD5
b240cc2a9ca593cd8ef0dc358cdcfe35

SHA1
4cf42c5cc55c14b7fa117ad47e872e2c74ee79c6

SHA256
c5fcc9fe9e7d09280af1e6cbc48b72222177a1f4ab01fdfea9816fce88f9ca08

SHA512
d62adb0b4562ea0ff7e06d2d98e5392dd395b310ce885057995c725122a2f33366c7f436c9ab4b96a30fd0a9596a2ec0cb5573da66f725040e076571b109377e

Download Submit
C:\Windows\System\YheCRRB.exe

Filesize
5.2MB

MD5
0709d8dbd1c111d4f09a81a2761fed28

SHA1
1ffa2586451e7863a0df0a79f9ff4c1cad22a746

SHA256
31dee36a69572811b9496daad4db415421a9125ffeac97988d0c3851f04cbb78

SHA512
3369e56496f8a27ceed9f8992238c40e351353445858fbf894064dc3ccf7ef764a45d6fc54eaa52adf8b12b516a1f4b453a9f4e1d65e8ba0a8d44d2064a1e517

Download Submit
C:\Windows\System\ZywplPE.exe

Filesize
5.2MB

MD5
82b77d7e5bf45e8c31bad6279aa95c5a

SHA1
b6e3d55afa3b7be81237f289be58ce0f44f20355

SHA256
7aad99a51bb67c7ce5bdf6d18dc6b861c73d315fd2968e9f7cf348dbae05eb1d

SHA512
2b196f865824c0a7b2526cbebd91a967b6b8dbe6c7427f8343f421520a39eda4c631e438d4db9b0af3a32c2624e73f4783cb0cfb87c733befde98dc729e2cb86

Download Submit
C:\Windows\System\cvhXLwC.exe

Filesize
5.2MB

MD5
bc4e5e54462c54b4d86ee246f5d4e472

SHA1
7e4b62d4a073f7a5ca1b5f90b21c784c6ec3b2e3

SHA256
899e78973cf47a5f1903c8a9d2d9665ed61f7ab04a769dad912470545b003c2b

SHA512
144dff1e0d27ec791cf600d4f526436bc432d3fd553ecd2186caf3715a6ba0fd72e0e01b8ef0192eae96fd0a842afd9cc910bc094540526667a955ecccbc677a

Download Submit
C:\Windows\System\fwLXmoO.exe

Filesize
5.2MB

MD5
f8c3a3996c83fc5d574ae1ae2cba2e51

SHA1
6f1ba8600bd93e554ef059c0483d6cd6ae39e031

SHA256
4b528d7d402f60e3c5cfa856fdaaddbf07c0599dbdbde9cc228112771ac11c94

SHA512
00701dfc5b3041fac0c4804a7c70d991db0de89a70ab2c85c5f3a7908fa91e5110115e81d387ba4962be948fdafc1f8da74244d5fc9231de9317c857bceb3876

Download Submit
C:\Windows\System\hYVyxbB.exe

Filesize
5.2MB

MD5
f3f055aa14b4aa77adf4a1652ce4c4dc

SHA1
3e1073cadde8ef4a34df2bc4c01db87f1703df08

SHA256
4673c8a378301ffdb9522574fd99ff56b4340fe36a3baf96c4422a0f1ee97207

SHA512
8ef47545e8f80c444153a111fef7ca7e92b19bcbfb518ea9cc0f1fe80318000a6df65f3d33e76462763ce30d554ef0a31623edfdb58a59db8b606c79286fa75d

Download Submit
C:\Windows\System\mjFAsWa.exe

Filesize
5.2MB

MD5
c661e086f223e695177893d005b260ec

SHA1
546b020c38cd8ee8de92be6b86b0393987e9bbdd

SHA256
bd7cd9e2af80b70481dce54355473bda4630c55c9f50e70bd024c8747011d7c8

SHA512
dda1d8b3535f06ded124ae642be26cff9c579e17d45e9018a0fea78b6e8a453300cb3be466fcce76ee87d913816d18f67ea5d733e3fde2676006a8ccd415511d

Download Submit
C:\Windows\System\nYEDYec.exe

Filesize
5.2MB

MD5
d42b808a3ddc211c506d0b19f878ea64

SHA1
42425b487fa976473c925402740a2526c6b2d691

SHA256
6631bec489606d7c7b55ae4c70e876949ba5762bf78ca3c9353703b65685de8f

SHA512
a6a0237da35d15b5394702e38de002381587dd67bcb615a353b2e505ab08c90ec90fc9ffd5f3b1563647ab4056e8787bc7dc2d5934cf49a4e23b75711091ffeb

Download Submit
C:\Windows\System\nmAHJpb.exe

Filesize
5.2MB

MD5
3f9dda67dc67ef616d09f863717b2a96

SHA1
6fcec365bb813966675271a880bad40939bed685

SHA256
7d9e132f36c2c03df4a35d9c90167095c5fce9e38972ae334c696992092d2872

SHA512
54d59a21b390f660c8f0e4bf419cc33344bc33f4085a65f358814b9fcb53b8d29447fb31256e7a98af7c1a958964189acd11d5184dafbe3364f586a93386b0d3

Download Submit
C:\Windows\System\pUhdKwY.exe

Filesize
5.2MB

MD5
4edef351ad4675aa48dc72912869e1dc

SHA1
b2062aaf3f015da42d752a34734554dfc113de89

SHA256
b06addeeb0b80e2f12a9490e8f97f91b265bb59f93e5bf1045949d08a27b2d1f

SHA512
596852aa5ab848f971fd80d33a16ae12250f9ff873086efd80fc49d9190ec1916c6cdcf7fb93ddb98a16bb85a216b61ef38e7733acd06286e91123ab850f9406

Download Submit
C:\Windows\System\rxanyeD.exe

Filesize
5.2MB

MD5
f7ddae1afa3a73d37f77d7a84c1556f1

SHA1
406d132249054511cdfc647d83f97b46f7fc53c8

SHA256
ed8b284628cc390648a9d87ed21b47e63c041cd4eab9ec1a4e46d7d0e15b21cc

SHA512
8dbf1adf49df2e3ec548391f69d512a344008de1b7163aa56a30585a0c268e9f92cc9871376ee7e6d2578895ff9b125bf60d344589857a72d7b2cfe86490eab1

Download Submit
C:\Windows\System\uOggNEO.exe

Filesize
5.2MB

MD5
10cbe6d75f154753b29cc069065fa730

SHA1
0cb73deba439a6310bde51be46ab41f1c93195e8

SHA256
b9847762c70b0df9897a6ba0d1b962da47d69db5acfe7a4122d467c84390869c

SHA512
df4e6eda97232bd1a5cfa1f37cfc93a5e4423049790879ca970ac048931977191453b05bf4a986c1e43e978b240828add18466029cd767f141ab16df29b54009

Download Submit
C:\Windows\System\xnxVXnp.exe

Filesize
5.2MB

MD5
6e558a7abc6fffc8618d6b1902838e8a

SHA1
5c5eeb127d7dc956ce4c5f093e64c0871f9881e3

SHA256
1943d5b4fa41736521f45a30138c1de862ed9920fb82b18735b35b527b6ffeb9

SHA512
aa598e273a0533a96fd3e19752eebddbae64313ed45f99c7f05790893306e7f7d7405e0d1bb2f0b27b22f6fe225c64e1515e694886a499073a370358732704e8

Download Submit
memory/116-73-0x00007FF658BA0000-0x00007FF658EF1000-memory.dmp

Filesize
3.3MB

Download
memory/116-236-0x00007FF658BA0000-0x00007FF658EF1000-memory.dmp

Filesize
3.3MB

Download
memory/376-212-0x00007FF621C40000-0x00007FF621F91000-memory.dmp

Filesize
3.3MB

Download
memory/376-27-0x00007FF621C40000-0x00007FF621F91000-memory.dmp

Filesize
3.3MB

Download
memory/376-124-0x00007FF621C40000-0x00007FF621F91000-memory.dmp

Filesize
3.3MB

Download
memory/796-240-0x00007FF76C4B0000-0x00007FF76C801000-memory.dmp

Filesize
3.3MB

Download
memory/796-134-0x00007FF76C4B0000-0x00007FF76C801000-memory.dmp

Filesize
3.3MB

Download
memory/1048-126-0x00007FF619470000-0x00007FF6197C1000-memory.dmp

Filesize
3.3MB

Download
memory/1048-33-0x00007FF619470000-0x00007FF6197C1000-memory.dmp

Filesize
3.3MB

Download
memory/1048-211-0x00007FF619470000-0x00007FF6197C1000-memory.dmp

Filesize
3.3MB

Download
memory/1396-120-0x00007FF6AE6B0000-0x00007FF6AEA01000-memory.dmp

Filesize
3.3MB

Download
memory/1396-142-0x00007FF6AE6B0000-0x00007FF6AEA01000-memory.dmp

Filesize
3.3MB

Download
memory/1396-1-0x000002008B580000-0x000002008B590000-memory.dmp

Filesize
64KB

Download
memory/1396-119-0x00007FF6AE6B0000-0x00007FF6AEA01000-memory.dmp

Filesize
3.3MB

Download
memory/1396-0-0x00007FF6AE6B0000-0x00007FF6AEA01000-memory.dmp

Filesize
3.3MB

Download
memory/1704-230-0x00007FF7AA4A0000-0x00007FF7AA7F1000-memory.dmp

Filesize
3.3MB

Download
memory/1704-135-0x00007FF7AA4A0000-0x00007FF7AA7F1000-memory.dmp

Filesize
3.3MB

Download
memory/1784-39-0x00007FF7A2DF0000-0x00007FF7A3141000-memory.dmp

Filesize
3.3MB

Download
memory/1784-214-0x00007FF7A2DF0000-0x00007FF7A3141000-memory.dmp

Filesize
3.3MB

Download
memory/1784-125-0x00007FF7A2DF0000-0x00007FF7A3141000-memory.dmp

Filesize
3.3MB

Download
memory/2052-139-0x00007FF6F2170000-0x00007FF6F24C1000-memory.dmp

Filesize
3.3MB

Download
memory/2052-244-0x00007FF6F2170000-0x00007FF6F24C1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-129-0x00007FF75B840000-0x00007FF75BB91000-memory.dmp

Filesize
3.3MB

Download
memory/2472-62-0x00007FF75B840000-0x00007FF75BB91000-memory.dmp

Filesize
3.3MB

Download
memory/2472-217-0x00007FF75B840000-0x00007FF75BB91000-memory.dmp

Filesize
3.3MB

Download
memory/2508-137-0x00007FF74A170000-0x00007FF74A4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2508-238-0x00007FF74A170000-0x00007FF74A4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-141-0x00007FF630770000-0x00007FF630AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-248-0x00007FF630770000-0x00007FF630AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-18-0x00007FF714250000-0x00007FF7145A1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-123-0x00007FF714250000-0x00007FF7145A1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-200-0x00007FF714250000-0x00007FF7145A1000-memory.dmp

Filesize
3.3MB

Download
memory/3064-227-0x00007FF61E570000-0x00007FF61E8C1000-memory.dmp

Filesize
3.3MB

Download
memory/3064-131-0x00007FF61E570000-0x00007FF61E8C1000-memory.dmp

Filesize
3.3MB

Download
memory/3064-65-0x00007FF61E570000-0x00007FF61E8C1000-memory.dmp

Filesize
3.3MB

Download
memory/3412-198-0x00007FF7A6F00000-0x00007FF7A7251000-memory.dmp

Filesize
3.3MB

Download
memory/3412-16-0x00007FF7A6F00000-0x00007FF7A7251000-memory.dmp

Filesize
3.3MB

Download
memory/3412-122-0x00007FF7A6F00000-0x00007FF7A7251000-memory.dmp

Filesize
3.3MB

Download
memory/3688-140-0x00007FF676F10000-0x00007FF677261000-memory.dmp

Filesize
3.3MB

Download
memory/3688-246-0x00007FF676F10000-0x00007FF677261000-memory.dmp

Filesize
3.3MB

Download
memory/3832-82-0x00007FF677DC0000-0x00007FF678111000-memory.dmp

Filesize
3.3MB

Download
memory/3832-133-0x00007FF677DC0000-0x00007FF678111000-memory.dmp

Filesize
3.3MB

Download
memory/3832-241-0x00007FF677DC0000-0x00007FF678111000-memory.dmp

Filesize
3.3MB

Download
memory/4012-219-0x00007FF736360000-0x00007FF7366B1000-memory.dmp

Filesize
3.3MB

Download
memory/4012-48-0x00007FF736360000-0x00007FF7366B1000-memory.dmp

Filesize
3.3MB

Download
memory/4012-127-0x00007FF736360000-0x00007FF7366B1000-memory.dmp

Filesize
3.3MB

Download
memory/4608-231-0x00007FF7A9300000-0x00007FF7A9651000-memory.dmp

Filesize
3.3MB

Download
memory/4608-136-0x00007FF7A9300000-0x00007FF7A9651000-memory.dmp

Filesize
3.3MB

Download
memory/4688-234-0x00007FF7AA920000-0x00007FF7AAC71000-memory.dmp

Filesize
3.3MB

Download
memory/4688-132-0x00007FF7AA920000-0x00007FF7AAC71000-memory.dmp

Filesize
3.3MB

Download
memory/4816-196-0x00007FF794C90000-0x00007FF794FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4816-121-0x00007FF794C90000-0x00007FF794FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4816-7-0x00007FF794C90000-0x00007FF794FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-138-0x00007FF60B320000-0x00007FF60B671000-memory.dmp

Filesize
3.3MB

Download
memory/4944-249-0x00007FF60B320000-0x00007FF60B671000-memory.dmp

Filesize
3.3MB

Download
memory/5000-57-0x00007FF7CF3F0000-0x00007FF7CF741000-memory.dmp

Filesize
3.3MB

Download
memory/5000-220-0x00007FF7CF3F0000-0x00007FF7CF741000-memory.dmp

Filesize
3.3MB

Download
memory/5000-128-0x00007FF7CF3F0000-0x00007FF7CF741000-memory.dmp

Filesize
3.3MB

Download