cobaltstrike | aa5646b61dfd06af4d64b1c0c18233eb660290b512dd6fbc2135b9989164ba12

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

34ba92dfd1bf7cc56bec10176786d921
SHA1

bef6c6ea6885761cb61a74e8bc3dd1af60d70d0e
SHA256

aa5646b61dfd06af4d64b1c0c18233eb660290b512dd6fbc2135b9989164ba12
SHA512

d250c48be33eb4320aea5b66eb0fd49bb5bcb7ad8e8643c3e3eae4b5c1f862edccf7821c7c98e437b97b07b0f25a35e73d22a9483c5f3be9085f22043fbf3dc8
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lD:RWWBib+56utgpPFotBER/mQ32lUn

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023ccc-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd0-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd1-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd3-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd5-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd8-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd9-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cda-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdb-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdd-90.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ccd-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce1-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce2-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce0-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdf-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cde-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdc-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd7-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd6-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd4-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd2-25.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/1764-68-0x00007FF66FD50000-0x00007FF6700A1000-memory.dmp	xmrig
behavioral2/memory/5116-125-0x00007FF7A9860000-0x00007FF7A9BB1000-memory.dmp	xmrig
behavioral2/memory/4956-127-0x00007FF69ED50000-0x00007FF69F0A1000-memory.dmp	xmrig
behavioral2/memory/624-126-0x00007FF7FE4B0000-0x00007FF7FE801000-memory.dmp	xmrig
behavioral2/memory/2240-114-0x00007FF696120000-0x00007FF696471000-memory.dmp	xmrig
behavioral2/memory/4012-113-0x00007FF6255E0000-0x00007FF625931000-memory.dmp	xmrig
behavioral2/memory/1064-111-0x00007FF736840000-0x00007FF736B91000-memory.dmp	xmrig
behavioral2/memory/2584-104-0x00007FF769500000-0x00007FF769851000-memory.dmp	xmrig
behavioral2/memory/3004-83-0x00007FF767650000-0x00007FF7679A1000-memory.dmp	xmrig
behavioral2/memory/4996-73-0x00007FF7EA0C0000-0x00007FF7EA411000-memory.dmp	xmrig
behavioral2/memory/4740-72-0x00007FF775ED0000-0x00007FF776221000-memory.dmp	xmrig
behavioral2/memory/4116-17-0x00007FF70F210000-0x00007FF70F561000-memory.dmp	xmrig
behavioral2/memory/4184-128-0x00007FF7E7100000-0x00007FF7E7451000-memory.dmp	xmrig
behavioral2/memory/4656-129-0x00007FF6AD770000-0x00007FF6ADAC1000-memory.dmp	xmrig
behavioral2/memory/1660-137-0x00007FF66D980000-0x00007FF66DCD1000-memory.dmp	xmrig
behavioral2/memory/3816-135-0x00007FF7C5220000-0x00007FF7C5571000-memory.dmp	xmrig
behavioral2/memory/2840-133-0x00007FF7168C0000-0x00007FF716C11000-memory.dmp	xmrig
behavioral2/memory/2928-132-0x00007FF600A30000-0x00007FF600D81000-memory.dmp	xmrig
behavioral2/memory/4936-131-0x00007FF7EBBC0000-0x00007FF7EBF11000-memory.dmp	xmrig
behavioral2/memory/4668-148-0x00007FF61C120000-0x00007FF61C471000-memory.dmp	xmrig
behavioral2/memory/3148-146-0x00007FF74C570000-0x00007FF74C8C1000-memory.dmp	xmrig
behavioral2/memory/3444-140-0x00007FF69ABC0000-0x00007FF69AF11000-memory.dmp	xmrig
behavioral2/memory/4184-150-0x00007FF7E7100000-0x00007FF7E7451000-memory.dmp	xmrig
behavioral2/memory/4656-201-0x00007FF6AD770000-0x00007FF6ADAC1000-memory.dmp	xmrig
behavioral2/memory/4116-203-0x00007FF70F210000-0x00007FF70F561000-memory.dmp	xmrig
behavioral2/memory/4936-218-0x00007FF7EBBC0000-0x00007FF7EBF11000-memory.dmp	xmrig
behavioral2/memory/2928-220-0x00007FF600A30000-0x00007FF600D81000-memory.dmp	xmrig
behavioral2/memory/2840-223-0x00007FF7168C0000-0x00007FF716C11000-memory.dmp	xmrig
behavioral2/memory/3816-224-0x00007FF7C5220000-0x00007FF7C5571000-memory.dmp	xmrig
behavioral2/memory/4996-227-0x00007FF7EA0C0000-0x00007FF7EA411000-memory.dmp	xmrig
behavioral2/memory/1764-230-0x00007FF66FD50000-0x00007FF6700A1000-memory.dmp	xmrig
behavioral2/memory/4740-229-0x00007FF775ED0000-0x00007FF776221000-memory.dmp	xmrig
behavioral2/memory/1660-232-0x00007FF66D980000-0x00007FF66DCD1000-memory.dmp	xmrig
behavioral2/memory/4012-239-0x00007FF6255E0000-0x00007FF625931000-memory.dmp	xmrig
behavioral2/memory/2584-241-0x00007FF769500000-0x00007FF769851000-memory.dmp	xmrig
behavioral2/memory/1064-249-0x00007FF736840000-0x00007FF736B91000-memory.dmp	xmrig
behavioral2/memory/2240-247-0x00007FF696120000-0x00007FF696471000-memory.dmp	xmrig
behavioral2/memory/3444-243-0x00007FF69ABC0000-0x00007FF69AF11000-memory.dmp	xmrig
behavioral2/memory/3004-245-0x00007FF767650000-0x00007FF7679A1000-memory.dmp	xmrig
behavioral2/memory/5116-237-0x00007FF7A9860000-0x00007FF7A9BB1000-memory.dmp	xmrig
behavioral2/memory/4956-257-0x00007FF69ED50000-0x00007FF69F0A1000-memory.dmp	xmrig
behavioral2/memory/3148-256-0x00007FF74C570000-0x00007FF74C8C1000-memory.dmp	xmrig
behavioral2/memory/624-253-0x00007FF7FE4B0000-0x00007FF7FE801000-memory.dmp	xmrig
behavioral2/memory/4668-252-0x00007FF61C120000-0x00007FF61C471000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4656	hrOiEuy.exe
4116	ZCkiVgk.exe
4936	IvrolzF.exe
2928	auARZYm.exe
2840	CKWIXmc.exe
1764	fWgDopn.exe
3816	aogGnmP.exe
4740	jiFMVEn.exe
1660	emgZbik.exe
4996	GgthvCW.exe
3004	pbJTFLJ.exe
3444	sBeRVEX.exe
2584	Nxwdqyd.exe
5116	erRfHSi.exe
1064	kRApTup.exe
4012	lscVrnf.exe
2240	NIiGQzV.exe
3148	GeKkEew.exe
624	PHrRBOo.exe
4668	ARTcqqi.exe
4956	cdWkJHJ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4184-0-0x00007FF7E7100000-0x00007FF7E7451000-memory.dmp	upx
behavioral2/memory/4656-7-0x00007FF6AD770000-0x00007FF6ADAC1000-memory.dmp	upx
behavioral2/files/0x0008000000023ccc-6.dat	upx
behavioral2/files/0x0007000000023cd0-10.dat	upx
behavioral2/files/0x0007000000023cd1-12.dat	upx
behavioral2/files/0x0007000000023cd3-35.dat	upx
behavioral2/files/0x0007000000023cd5-40.dat	upx
behavioral2/files/0x0007000000023cd8-56.dat	upx
behavioral2/files/0x0007000000023cd9-59.dat	upx
behavioral2/memory/1764-68-0x00007FF66FD50000-0x00007FF6700A1000-memory.dmp	upx
behavioral2/files/0x0007000000023cda-74.dat	upx
behavioral2/files/0x0007000000023cdb-77.dat	upx
behavioral2/files/0x0007000000023cdd-90.dat	upx
behavioral2/files/0x0008000000023ccd-99.dat	upx
behavioral2/files/0x0007000000023ce1-109.dat	upx
behavioral2/files/0x0007000000023ce2-117.dat	upx
behavioral2/memory/5116-125-0x00007FF7A9860000-0x00007FF7A9BB1000-memory.dmp	upx
behavioral2/memory/4956-127-0x00007FF69ED50000-0x00007FF69F0A1000-memory.dmp	upx
behavioral2/memory/624-126-0x00007FF7FE4B0000-0x00007FF7FE801000-memory.dmp	upx
behavioral2/files/0x0007000000023ce0-121.dat	upx
behavioral2/memory/4668-120-0x00007FF61C120000-0x00007FF61C471000-memory.dmp	upx
behavioral2/memory/3148-119-0x00007FF74C570000-0x00007FF74C8C1000-memory.dmp	upx
behavioral2/files/0x0007000000023cdf-115.dat	upx
behavioral2/memory/2240-114-0x00007FF696120000-0x00007FF696471000-memory.dmp	upx
behavioral2/memory/4012-113-0x00007FF6255E0000-0x00007FF625931000-memory.dmp	upx
behavioral2/memory/1064-111-0x00007FF736840000-0x00007FF736B91000-memory.dmp	upx
behavioral2/files/0x0007000000023cde-107.dat	upx
behavioral2/memory/2584-104-0x00007FF769500000-0x00007FF769851000-memory.dmp	upx
behavioral2/files/0x0007000000023cdc-101.dat	upx
behavioral2/memory/3004-83-0x00007FF767650000-0x00007FF7679A1000-memory.dmp	upx
behavioral2/memory/3444-76-0x00007FF69ABC0000-0x00007FF69AF11000-memory.dmp	upx
behavioral2/memory/4996-73-0x00007FF7EA0C0000-0x00007FF7EA411000-memory.dmp	upx
behavioral2/memory/4740-72-0x00007FF775ED0000-0x00007FF776221000-memory.dmp	upx
behavioral2/files/0x0007000000023cd7-63.dat	upx
behavioral2/memory/1660-57-0x00007FF66D980000-0x00007FF66DCD1000-memory.dmp	upx
behavioral2/files/0x0007000000023cd6-52.dat	upx
behavioral2/memory/3816-49-0x00007FF7C5220000-0x00007FF7C5571000-memory.dmp	upx
behavioral2/files/0x0007000000023cd4-50.dat	upx
behavioral2/memory/2840-34-0x00007FF7168C0000-0x00007FF716C11000-memory.dmp	upx
behavioral2/memory/2928-27-0x00007FF600A30000-0x00007FF600D81000-memory.dmp	upx
behavioral2/files/0x0007000000023cd2-25.dat	upx
behavioral2/memory/4936-23-0x00007FF7EBBC0000-0x00007FF7EBF11000-memory.dmp	upx
behavioral2/memory/4116-17-0x00007FF70F210000-0x00007FF70F561000-memory.dmp	upx
behavioral2/memory/4184-128-0x00007FF7E7100000-0x00007FF7E7451000-memory.dmp	upx
behavioral2/memory/4656-129-0x00007FF6AD770000-0x00007FF6ADAC1000-memory.dmp	upx
behavioral2/memory/1660-137-0x00007FF66D980000-0x00007FF66DCD1000-memory.dmp	upx
behavioral2/memory/3816-135-0x00007FF7C5220000-0x00007FF7C5571000-memory.dmp	upx
behavioral2/memory/2840-133-0x00007FF7168C0000-0x00007FF716C11000-memory.dmp	upx
behavioral2/memory/2928-132-0x00007FF600A30000-0x00007FF600D81000-memory.dmp	upx
behavioral2/memory/4936-131-0x00007FF7EBBC0000-0x00007FF7EBF11000-memory.dmp	upx
behavioral2/memory/4668-148-0x00007FF61C120000-0x00007FF61C471000-memory.dmp	upx
behavioral2/memory/3148-146-0x00007FF74C570000-0x00007FF74C8C1000-memory.dmp	upx
behavioral2/memory/3444-140-0x00007FF69ABC0000-0x00007FF69AF11000-memory.dmp	upx
behavioral2/memory/4184-150-0x00007FF7E7100000-0x00007FF7E7451000-memory.dmp	upx
behavioral2/memory/4656-201-0x00007FF6AD770000-0x00007FF6ADAC1000-memory.dmp	upx
behavioral2/memory/4116-203-0x00007FF70F210000-0x00007FF70F561000-memory.dmp	upx
behavioral2/memory/4936-218-0x00007FF7EBBC0000-0x00007FF7EBF11000-memory.dmp	upx
behavioral2/memory/2928-220-0x00007FF600A30000-0x00007FF600D81000-memory.dmp	upx
behavioral2/memory/2840-223-0x00007FF7168C0000-0x00007FF716C11000-memory.dmp	upx
behavioral2/memory/3816-224-0x00007FF7C5220000-0x00007FF7C5571000-memory.dmp	upx
behavioral2/memory/4996-227-0x00007FF7EA0C0000-0x00007FF7EA411000-memory.dmp	upx
behavioral2/memory/1764-230-0x00007FF66FD50000-0x00007FF6700A1000-memory.dmp	upx
behavioral2/memory/4740-229-0x00007FF775ED0000-0x00007FF776221000-memory.dmp	upx
behavioral2/memory/1660-232-0x00007FF66D980000-0x00007FF66DCD1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\aogGnmP.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jiFMVEn.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\emgZbik.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GgthvCW.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cdWkJHJ.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IvrolzF.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pbJTFLJ.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Nxwdqyd.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lscVrnf.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GeKkEew.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\auARZYm.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fWgDopn.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sBeRVEX.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\erRfHSi.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kRApTup.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NIiGQzV.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PHrRBOo.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hrOiEuy.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZCkiVgk.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CKWIXmc.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ARTcqqi.exe	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 4656	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4184 wrote to memory of 4656	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4184 wrote to memory of 4116	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4184 wrote to memory of 4116	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4184 wrote to memory of 4936	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4184 wrote to memory of 4936	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4184 wrote to memory of 2928	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4184 wrote to memory of 2928	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4184 wrote to memory of 2840	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4184 wrote to memory of 2840	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4184 wrote to memory of 1764	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4184 wrote to memory of 1764	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4184 wrote to memory of 3816	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4184 wrote to memory of 3816	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4184 wrote to memory of 4740	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4184 wrote to memory of 4740	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4184 wrote to memory of 1660	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4184 wrote to memory of 1660	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4184 wrote to memory of 4996	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4184 wrote to memory of 4996	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4184 wrote to memory of 3004	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4184 wrote to memory of 3004	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4184 wrote to memory of 3444	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4184 wrote to memory of 3444	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4184 wrote to memory of 2584	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4184 wrote to memory of 2584	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4184 wrote to memory of 5116	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4184 wrote to memory of 5116	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4184 wrote to memory of 1064	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4184 wrote to memory of 1064	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4184 wrote to memory of 4012	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4184 wrote to memory of 4012	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4184 wrote to memory of 2240	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4184 wrote to memory of 2240	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4184 wrote to memory of 3148	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4184 wrote to memory of 3148	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4184 wrote to memory of 624	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4184 wrote to memory of 624	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4184 wrote to memory of 4668	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4184 wrote to memory of 4668	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4184 wrote to memory of 4956	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4184 wrote to memory of 4956	4184	2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-08_34ba92dfd1bf7cc56bec10176786d921_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\System\hrOiEuy.exe
  C:\Windows\System\hrOiEuy.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\ZCkiVgk.exe
  C:\Windows\System\ZCkiVgk.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System\IvrolzF.exe
  C:\Windows\System\IvrolzF.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\auARZYm.exe
  C:\Windows\System\auARZYm.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\CKWIXmc.exe
  C:\Windows\System\CKWIXmc.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\fWgDopn.exe
  C:\Windows\System\fWgDopn.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System\aogGnmP.exe
  C:\Windows\System\aogGnmP.exe
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\System\jiFMVEn.exe
  C:\Windows\System\jiFMVEn.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\emgZbik.exe
  C:\Windows\System\emgZbik.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\GgthvCW.exe
  C:\Windows\System\GgthvCW.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\pbJTFLJ.exe
  C:\Windows\System\pbJTFLJ.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\sBeRVEX.exe
  C:\Windows\System\sBeRVEX.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System\Nxwdqyd.exe
  C:\Windows\System\Nxwdqyd.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\erRfHSi.exe
  C:\Windows\System\erRfHSi.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\kRApTup.exe
  C:\Windows\System\kRApTup.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System\lscVrnf.exe
  C:\Windows\System\lscVrnf.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\NIiGQzV.exe
  C:\Windows\System\NIiGQzV.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\GeKkEew.exe
  C:\Windows\System\GeKkEew.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System\PHrRBOo.exe
  C:\Windows\System\PHrRBOo.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\ARTcqqi.exe
  C:\Windows\System\ARTcqqi.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System\cdWkJHJ.exe
  C:\Windows\System\cdWkJHJ.exe
  2⤵
  - Executes dropped EXE
  PID:4956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ARTcqqi.exe

Filesize
5.2MB

MD5
d3af108a8828b095fb43c2eb8ba0ed5d

SHA1
7b5f7e2ff51fd3cf62d6de8433a8929f174acaab

SHA256
12469442e3ad83ba1bb175e6c63e0fa3711db044dc39a5511d83f6e2116faf18

SHA512
bfab723c9a39c3bcf2a0029f45bf92ef2ad82530f2da128b115a477d9772bd252f44fcbee069a2ae1c9036bb90fc20afa8c34bae22c6dc409f4c185c12b20189

Download Submit
C:\Windows\System\CKWIXmc.exe

Filesize
5.2MB

MD5
2c108f0c14f7671de3d486ea9b76cae1

SHA1
3878c97517a664408665c087f2121d6b973a1ced

SHA256
eb60edf2fe95d6a2e5f316941334078ac8d504a9cefa99f4bfc4fb41d80a89c8

SHA512
a1ccabbd730e8659e936f4da9d129d25436c49b6586109fb23b7d1d97784a25d78851312aade551096f8361bfe8bddb044e1c4d2f84babde652f753080def2e6

Download Submit
C:\Windows\System\GeKkEew.exe

Filesize
5.2MB

MD5
623929e7801d48b65693c74481891e4f

SHA1
de5337c303e472b89ef547fd53864f07759ff6cf

SHA256
faa0dc682de71f82ae080a4883516f007405dd7e7c3fac795d95adc9f06d490c

SHA512
1fb2bce4e6bdbb5f340bb9529e5dff9a7a7d2484d954831b9bddeb29767136ecc963f4157130baee0d60cee3ed6f12cbd3a9de9a89d8423c9b457fe197ccdded

Download Submit
C:\Windows\System\GgthvCW.exe

Filesize
5.2MB

MD5
5db7b5076a5e5e01cf1a757178c9d119

SHA1
49c1028f5263492d5d31ba45b14a1ae811617dc1

SHA256
fde7f48bc120909882054785cabf2908f45f4fcea5cb8006355d333d7be75048

SHA512
e7e259d12304927a94af9372d1ac602ec850d0893afed70352b288161c67ee517908c817345c38522c0e2bc620aff0ad78d5b1080f681c86f1a230a809b93d18

Download Submit
C:\Windows\System\IvrolzF.exe

Filesize
5.2MB

MD5
d6889020a034d70e2c50dd3f8c79aedf

SHA1
18d2bdcc6a79a98702a9937005db575a929f9506

SHA256
0522697688afe7b5f7a0fb991557a8b8b7e7630c57f119dd736c5b818bd24898

SHA512
e37adb3d329d40bc162bf7d4cc1b1f84ce7af9e5f02acff0038757f7117249fafe990b3ed2005cb6157036e2dc24cf127d9654b65388a884d2e10ed08edad0d4

Download Submit
C:\Windows\System\NIiGQzV.exe

Filesize
5.2MB

MD5
21da56eaa77b806eea1c8d2995beac70

SHA1
d2d055a8a19257f6a2e0b895585bf911671126fd

SHA256
4a51c29897a2fb5d84b2a7d25a5b12a4af42d4fde85fe46df617cc69bffd55c0

SHA512
0f4f8a45e2ace738991535ee1e252de7abbe5bf6ae0bb9870520e2f759db6f66d9777ac22786c16edfcf805b8a96f9b480b24258e5111171becece779c9dfad2

Download Submit
C:\Windows\System\Nxwdqyd.exe

Filesize
5.2MB

MD5
e0e403754a780bb306eae706b7a47b01

SHA1
b4d1ddfaf9bb33289329e7c355774b0cfc594a34

SHA256
2bcf27792935f437d687eae9512502caf73e346c4ab08cc1ebe9d27ec254e282

SHA512
e0390b1402f6d279304bfa05cccb58bb1048fce3c01b51b06f013eca93e4556c0b6f981745bc2362cfe03ce6bacd050ccc1d8e24745401d24c1a20eb42b47c09

Download Submit
C:\Windows\System\PHrRBOo.exe

Filesize
5.2MB

MD5
74d613ccc5de950dcc7b9dd7b82ae361

SHA1
20aed23c1dd19f7487e0e82f71fe45a3077cc080

SHA256
b745f222f518085a15eae6d77c61cce52dadbda5cb108b182285134f188e268a

SHA512
31f33b61f8fe87b539a5fc11202212d66ec86d895cc4731d7b02fe57bacfd60401ab5268d60451bdd38e6af9b267a9c7c48e55345ce4cc1453ded8ce080ceabb

Download Submit
C:\Windows\System\ZCkiVgk.exe

Filesize
5.2MB

MD5
eedb5d1ef08a944b2621f60afb73a797

SHA1
1fdc70d728a071552262289639d99a3b7fa2bd35

SHA256
f2232166482562c851c68907f4b34f7e2c8ca307873ad759b55d8df4be8204ce

SHA512
ca0fbd7d4ba931971ee4c7811bb02878aa8d2638d5b7d91a66148ccd5be8bbe88be8a892b4ee7c10d453ae3e50943424429cf7cb469aad1478b7f9a4d3d6d038

Download Submit
C:\Windows\System\aogGnmP.exe

Filesize
5.2MB

MD5
7761b0cbee3dc7adde5d8d9606ebe24d

SHA1
3c679b0d9527b2de5b2020d99833d5ce39ff8c02

SHA256
c0ba972bfc3d940c1f65a5b7745688a900306f33d406367f3f658f59448c92d2

SHA512
8121cf46813f862263804645114e5e4bebafc8d790db01750298477524f55e9031e6404e76303e72562a9560ad1212f0d7eb0422fb9e2c4f349ee42fe1af21e3

Download Submit
C:\Windows\System\auARZYm.exe

Filesize
5.2MB

MD5
25c82391d7502014641a962f73159d41

SHA1
8d3c6f5f53e115f3faa622c1397390d92efe6e63

SHA256
78e21743469071bc78494e575f988ec2db59b4c04877e1314bb0414081f09c0f

SHA512
cbffe842bf5348e26a2856a4f59d828776152b67563888f74e38041e94a4a3d927791eb84061ecc0b44649fd7616c01be5ef035123aaee6ddfaff27f7c2530b9

Download Submit
C:\Windows\System\cdWkJHJ.exe

Filesize
5.2MB

MD5
1de028b1fee0126abfb50ea62b62d303

SHA1
d7e1663d7238e1e16ec7bfb6ca9f0185141d438e

SHA256
cf61ba92c9417d3160a9cc108dc2d507a94ced8368b3383f9d5160d93fb444fa

SHA512
97890bb534e4bcae63eb784c5cf88555a3a2c7502261e48f0b51e0ac148dfc7b7cbce7f36c9f22c3ae0046861bfc7373236fecf3359b77a49a0cd567f335d1c2

Download Submit
C:\Windows\System\emgZbik.exe

Filesize
5.2MB

MD5
368fa1f6074d6c790562c57f002fff5d

SHA1
633c5d6d86c892fe5f4ea39bd40ad68269979a05

SHA256
ce38dec681ec220702b6e35e96e4f38d00fa5d2733a58d6591c2ec5eaf3d4530

SHA512
ad13ec840476e1592196c96e0bc999c215349946749817c44c16bc32f018575e067b15b948bc72b0bc306d0f7872b02ebf0f3fd6dc176debbc7be6f53148f54c

Download Submit
C:\Windows\System\erRfHSi.exe

Filesize
5.2MB

MD5
dedb8e69e9364bd2dfc6d225cc485ba8

SHA1
a479b54c4467a8900c206ddcaa77940175b8186b

SHA256
75e56b870673d321a2c6d9d5179bdecc2da63f258bda745025700deea5385a78

SHA512
34210a4ad25047b18c7dfc5b66a920a835fc3c18dff2853b7e50392ef765ed8373d007477d097bf172f3c32370ba93d7f18d0b80d0cf957703ae42fc1be522f7

Download Submit
C:\Windows\System\fWgDopn.exe

Filesize
5.2MB

MD5
8229c23130dce718156fd273e66f2329

SHA1
ad0b23aafa51c00d9b72266177cbfaaee931427f

SHA256
09ab1205c40a4cc8aefc19db8ba8875bd3942f977d04e72f5c08361edea10a47

SHA512
23cc18b59cc4cda6594f864828dc62aca507ea065de7874b9584b193ff6abb1bfbc8fad397541afa33560024de5596432498385a980d978197f66f353ed4d23d

Download Submit
C:\Windows\System\hrOiEuy.exe

Filesize
5.2MB

MD5
c567aa9b8df1940256e6ec4263449257

SHA1
93f46c07884196da24b9af3691d9a491dc05feb3

SHA256
d05bcd4d28b63f531f375d568328434a4b2856c01d6ba297f71d53c6e331c975

SHA512
bcc3cd5a10601ef774b374dc923656cfb5111044a1c271c14349952145c5f6590edf9213a8cf9dafe7ca6b556a94ddc5cd61284b04d3e2e4f8c8e73a076bebd6

Download Submit
C:\Windows\System\jiFMVEn.exe

Filesize
5.2MB

MD5
b7f3492536268a5a22b7b46798f0a328

SHA1
b2cdba5bd232b976ae516fb6791736bc063a0c55

SHA256
f7835addf7a21e2afe5739389425e6687725350221713e222d62e34ad71100fa

SHA512
3c7d8698b68c719c1e861320a0d92c69cbd498eb9f7c550dd8f5e708f78ea728700ac6a29e2fc3d4c95613d9f77217b440de760562cc07b59f49b592fac0dbde

Download Submit
C:\Windows\System\kRApTup.exe

Filesize
5.2MB

MD5
f0eea69a77b5d95cd0e16c8e819cf11c

SHA1
6b71acb005d9974e26ea782107a6988d2b8b84e8

SHA256
b13fdb96b82b42710b1b4bf9e9e48433439a0ad7c312a6b59a17dbbe24cf2c11

SHA512
cf1733006a6ace0a7600aaec624be24bc72b7861e3e9ddfa0772e2c0b7f70d3c5f915cb162e672de8a32a6783bf579f2092ebd78800deef4e80dbbc2b6e38b24

Download Submit
C:\Windows\System\lscVrnf.exe

Filesize
5.2MB

MD5
7bc55a675a34651a9723518f7da93b7e

SHA1
f0b44fdea3d92cc26a065d1d5967381a682c517f

SHA256
3077547f6ef655d88e1bf909bd06d8e03c4811a9dcd532d602a635ddc574865d

SHA512
693a839f84db47c0d80fa5ac45be039757c0dd0559710cc234951cde5f69cb120379774457e547bb072a6605175ca22e94241e2b2b013f723edbe12ee5a219b4

Download Submit
C:\Windows\System\pbJTFLJ.exe

Filesize
5.2MB

MD5
f506a96a2b9626b0ca05cbbfd37fbe3b

SHA1
a6ad32487a01c7f876aa982045a2ecf0c530fa93

SHA256
8dba267e086ccd173cce971486b13927569ff6e1656f99c178c617385b982da3

SHA512
5ff7e75ea3bb344535ef04544de6350f473d23957c6f217c57d9347f2c47d51917e3668f97f63d778be330c01be44354e8e4eec6681197f0e30265c9a5a67a13

Download Submit
C:\Windows\System\sBeRVEX.exe

Filesize
5.2MB

MD5
51070e937ddd060b810e234fb452989f

SHA1
ba62895444551139ee5d9dd15f91e40fbdacb14e

SHA256
4e4b13dc9c538c3c2b7a88a8d325bee5f6be1d40317186187a7d90192bf7ea23

SHA512
76988beb98c0ea9f41368688eb47b09cebbbd13bf6fc15e444cb6a7f3c5666b5b88984e14ee6936c1027bcfa02c437d73d7b91002e1954531c6eddb73526da61

Download Submit
memory/624-126-0x00007FF7FE4B0000-0x00007FF7FE801000-memory.dmp

Filesize
3.3MB

Download
memory/624-253-0x00007FF7FE4B0000-0x00007FF7FE801000-memory.dmp

Filesize
3.3MB

Download
memory/1064-249-0x00007FF736840000-0x00007FF736B91000-memory.dmp

Filesize
3.3MB

Download
memory/1064-111-0x00007FF736840000-0x00007FF736B91000-memory.dmp

Filesize
3.3MB

Download
memory/1660-232-0x00007FF66D980000-0x00007FF66DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-57-0x00007FF66D980000-0x00007FF66DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-137-0x00007FF66D980000-0x00007FF66DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/1764-230-0x00007FF66FD50000-0x00007FF6700A1000-memory.dmp

Filesize
3.3MB

Download
memory/1764-68-0x00007FF66FD50000-0x00007FF6700A1000-memory.dmp

Filesize
3.3MB

Download
memory/2240-247-0x00007FF696120000-0x00007FF696471000-memory.dmp

Filesize
3.3MB

Download
memory/2240-114-0x00007FF696120000-0x00007FF696471000-memory.dmp

Filesize
3.3MB

Download
memory/2584-104-0x00007FF769500000-0x00007FF769851000-memory.dmp

Filesize
3.3MB

Download
memory/2584-241-0x00007FF769500000-0x00007FF769851000-memory.dmp

Filesize
3.3MB

Download
memory/2840-34-0x00007FF7168C0000-0x00007FF716C11000-memory.dmp

Filesize
3.3MB

Download
memory/2840-223-0x00007FF7168C0000-0x00007FF716C11000-memory.dmp

Filesize
3.3MB

Download
memory/2840-133-0x00007FF7168C0000-0x00007FF716C11000-memory.dmp

Filesize
3.3MB

Download
memory/2928-220-0x00007FF600A30000-0x00007FF600D81000-memory.dmp

Filesize
3.3MB

Download
memory/2928-27-0x00007FF600A30000-0x00007FF600D81000-memory.dmp

Filesize
3.3MB

Download
memory/2928-132-0x00007FF600A30000-0x00007FF600D81000-memory.dmp

Filesize
3.3MB

Download
memory/3004-245-0x00007FF767650000-0x00007FF7679A1000-memory.dmp

Filesize
3.3MB

Download
memory/3004-83-0x00007FF767650000-0x00007FF7679A1000-memory.dmp

Filesize
3.3MB

Download
memory/3148-119-0x00007FF74C570000-0x00007FF74C8C1000-memory.dmp

Filesize
3.3MB

Download
memory/3148-146-0x00007FF74C570000-0x00007FF74C8C1000-memory.dmp

Filesize
3.3MB

Download
memory/3148-256-0x00007FF74C570000-0x00007FF74C8C1000-memory.dmp

Filesize
3.3MB

Download
memory/3444-140-0x00007FF69ABC0000-0x00007FF69AF11000-memory.dmp

Filesize
3.3MB

Download
memory/3444-76-0x00007FF69ABC0000-0x00007FF69AF11000-memory.dmp

Filesize
3.3MB

Download
memory/3444-243-0x00007FF69ABC0000-0x00007FF69AF11000-memory.dmp

Filesize
3.3MB

Download
memory/3816-135-0x00007FF7C5220000-0x00007FF7C5571000-memory.dmp

Filesize
3.3MB

Download
memory/3816-224-0x00007FF7C5220000-0x00007FF7C5571000-memory.dmp

Filesize
3.3MB

Download
memory/3816-49-0x00007FF7C5220000-0x00007FF7C5571000-memory.dmp

Filesize
3.3MB

Download
memory/4012-113-0x00007FF6255E0000-0x00007FF625931000-memory.dmp

Filesize
3.3MB

Download
memory/4012-239-0x00007FF6255E0000-0x00007FF625931000-memory.dmp

Filesize
3.3MB

Download
memory/4116-17-0x00007FF70F210000-0x00007FF70F561000-memory.dmp

Filesize
3.3MB

Download
memory/4116-203-0x00007FF70F210000-0x00007FF70F561000-memory.dmp

Filesize
3.3MB

Download
memory/4184-150-0x00007FF7E7100000-0x00007FF7E7451000-memory.dmp

Filesize
3.3MB

Download
memory/4184-0-0x00007FF7E7100000-0x00007FF7E7451000-memory.dmp

Filesize
3.3MB

Download
memory/4184-128-0x00007FF7E7100000-0x00007FF7E7451000-memory.dmp

Filesize
3.3MB

Download
memory/4184-1-0x0000029C8C420000-0x0000029C8C430000-memory.dmp

Filesize
64KB

Download
memory/4656-129-0x00007FF6AD770000-0x00007FF6ADAC1000-memory.dmp

Filesize
3.3MB

Download
memory/4656-201-0x00007FF6AD770000-0x00007FF6ADAC1000-memory.dmp

Filesize
3.3MB

Download
memory/4656-7-0x00007FF6AD770000-0x00007FF6ADAC1000-memory.dmp

Filesize
3.3MB

Download
memory/4668-120-0x00007FF61C120000-0x00007FF61C471000-memory.dmp

Filesize
3.3MB

Download
memory/4668-148-0x00007FF61C120000-0x00007FF61C471000-memory.dmp

Filesize
3.3MB

Download
memory/4668-252-0x00007FF61C120000-0x00007FF61C471000-memory.dmp

Filesize
3.3MB

Download
memory/4740-72-0x00007FF775ED0000-0x00007FF776221000-memory.dmp

Filesize
3.3MB

Download
memory/4740-229-0x00007FF775ED0000-0x00007FF776221000-memory.dmp

Filesize
3.3MB

Download
memory/4936-218-0x00007FF7EBBC0000-0x00007FF7EBF11000-memory.dmp

Filesize
3.3MB

Download
memory/4936-23-0x00007FF7EBBC0000-0x00007FF7EBF11000-memory.dmp

Filesize
3.3MB

Download
memory/4936-131-0x00007FF7EBBC0000-0x00007FF7EBF11000-memory.dmp

Filesize
3.3MB

Download
memory/4956-127-0x00007FF69ED50000-0x00007FF69F0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-257-0x00007FF69ED50000-0x00007FF69F0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-227-0x00007FF7EA0C0000-0x00007FF7EA411000-memory.dmp

Filesize
3.3MB

Download
memory/4996-73-0x00007FF7EA0C0000-0x00007FF7EA411000-memory.dmp

Filesize
3.3MB

Download
memory/5116-237-0x00007FF7A9860000-0x00007FF7A9BB1000-memory.dmp

Filesize
3.3MB

Download
memory/5116-125-0x00007FF7A9860000-0x00007FF7A9BB1000-memory.dmp

Filesize
3.3MB

Download