cobaltstrike | 2b211c1a61c5eaebddfde3cd16537ff85876c8ea517b00d07c96ef6648286a26

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

82fa350c690590840584042057e81c1d
SHA1

9cfb41bebed8af62d09763a09f0c94beb793e1f9
SHA256

2b211c1a61c5eaebddfde3cd16537ff85876c8ea517b00d07c96ef6648286a26
SHA512

158a55f4e063b98febf3c25d5d018a2d61c3e34eb25fb533d11a6171a7a12267704be41b14e585690d914a08500d6b5172ea33b9c78ef9ed4f745359e39be5d2
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l7:RWWBibd56utgpPFotBER/mQ32lU3

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023bb1-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-76.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c8f-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-137.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/1632-86-0x00007FF6A9BB0000-0x00007FF6A9F01000-memory.dmp	xmrig
behavioral2/memory/3356-81-0x00007FF7354D0000-0x00007FF735821000-memory.dmp	xmrig
behavioral2/memory/4940-73-0x00007FF6890A0000-0x00007FF6893F1000-memory.dmp	xmrig
behavioral2/memory/3480-67-0x00007FF64CDA0000-0x00007FF64D0F1000-memory.dmp	xmrig
behavioral2/memory/4980-60-0x00007FF7F2A40000-0x00007FF7F2D91000-memory.dmp	xmrig
behavioral2/memory/1416-92-0x00007FF6908C0000-0x00007FF690C11000-memory.dmp	xmrig
behavioral2/memory/2052-96-0x00007FF624100000-0x00007FF624451000-memory.dmp	xmrig
behavioral2/memory/1936-99-0x00007FF75C480000-0x00007FF75C7D1000-memory.dmp	xmrig
behavioral2/memory/4352-104-0x00007FF6D55D0000-0x00007FF6D5921000-memory.dmp	xmrig
behavioral2/memory/4228-98-0x00007FF6CEC40000-0x00007FF6CEF91000-memory.dmp	xmrig
behavioral2/memory/3684-118-0x00007FF64F650000-0x00007FF64F9A1000-memory.dmp	xmrig
behavioral2/memory/3076-131-0x00007FF67E5E0000-0x00007FF67E931000-memory.dmp	xmrig
behavioral2/memory/1976-128-0x00007FF665170000-0x00007FF6654C1000-memory.dmp	xmrig
behavioral2/memory/3664-125-0x00007FF613C00000-0x00007FF613F51000-memory.dmp	xmrig
behavioral2/memory/2392-138-0x00007FF7273F0000-0x00007FF727741000-memory.dmp	xmrig
behavioral2/memory/4756-140-0x00007FF763C90000-0x00007FF763FE1000-memory.dmp	xmrig
behavioral2/memory/4732-141-0x00007FF6DC720000-0x00007FF6DCA71000-memory.dmp	xmrig
behavioral2/memory/400-142-0x00007FF656610000-0x00007FF656961000-memory.dmp	xmrig
behavioral2/memory/4980-143-0x00007FF7F2A40000-0x00007FF7F2D91000-memory.dmp	xmrig
behavioral2/memory/1936-152-0x00007FF75C480000-0x00007FF75C7D1000-memory.dmp	xmrig
behavioral2/memory/60-159-0x00007FF67D480000-0x00007FF67D7D1000-memory.dmp	xmrig
behavioral2/memory/1580-160-0x00007FF610140000-0x00007FF610491000-memory.dmp	xmrig
behavioral2/memory/3988-161-0x00007FF6C0730000-0x00007FF6C0A81000-memory.dmp	xmrig
behavioral2/memory/1808-167-0x00007FF673290000-0x00007FF6735E1000-memory.dmp	xmrig
behavioral2/memory/4756-170-0x00007FF763C90000-0x00007FF763FE1000-memory.dmp	xmrig
behavioral2/memory/4980-171-0x00007FF7F2A40000-0x00007FF7F2D91000-memory.dmp	xmrig
behavioral2/memory/3480-228-0x00007FF64CDA0000-0x00007FF64D0F1000-memory.dmp	xmrig
behavioral2/memory/4940-230-0x00007FF6890A0000-0x00007FF6893F1000-memory.dmp	xmrig
behavioral2/memory/3356-232-0x00007FF7354D0000-0x00007FF735821000-memory.dmp	xmrig
behavioral2/memory/1632-234-0x00007FF6A9BB0000-0x00007FF6A9F01000-memory.dmp	xmrig
behavioral2/memory/1416-236-0x00007FF6908C0000-0x00007FF690C11000-memory.dmp	xmrig
behavioral2/memory/2052-238-0x00007FF624100000-0x00007FF624451000-memory.dmp	xmrig
behavioral2/memory/4352-242-0x00007FF6D55D0000-0x00007FF6D5921000-memory.dmp	xmrig
behavioral2/memory/4228-241-0x00007FF6CEC40000-0x00007FF6CEF91000-memory.dmp	xmrig
behavioral2/memory/3664-247-0x00007FF613C00000-0x00007FF613F51000-memory.dmp	xmrig
behavioral2/memory/3684-249-0x00007FF64F650000-0x00007FF64F9A1000-memory.dmp	xmrig
behavioral2/memory/2392-253-0x00007FF7273F0000-0x00007FF727741000-memory.dmp	xmrig
behavioral2/memory/3076-252-0x00007FF67E5E0000-0x00007FF67E931000-memory.dmp	xmrig
behavioral2/memory/400-255-0x00007FF656610000-0x00007FF656961000-memory.dmp	xmrig
behavioral2/memory/4732-257-0x00007FF6DC720000-0x00007FF6DCA71000-memory.dmp	xmrig
behavioral2/memory/1936-262-0x00007FF75C480000-0x00007FF75C7D1000-memory.dmp	xmrig
behavioral2/memory/60-264-0x00007FF67D480000-0x00007FF67D7D1000-memory.dmp	xmrig
behavioral2/memory/1580-270-0x00007FF610140000-0x00007FF610491000-memory.dmp	xmrig
behavioral2/memory/3988-272-0x00007FF6C0730000-0x00007FF6C0A81000-memory.dmp	xmrig
behavioral2/memory/1976-274-0x00007FF665170000-0x00007FF6654C1000-memory.dmp	xmrig
behavioral2/memory/1808-276-0x00007FF673290000-0x00007FF6735E1000-memory.dmp	xmrig
behavioral2/memory/4756-278-0x00007FF763C90000-0x00007FF763FE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3480	GFSDeOl.exe
4940	ZbhgAri.exe
3356	BPGPsAx.exe
1632	Xrunsfl.exe
1416	AVWRSXT.exe
2052	lKRYfJR.exe
4228	loGpChf.exe
4352	HpYwonZ.exe
3684	YpjHAYn.exe
3664	QzlVEUS.exe
3076	YSsinBz.exe
2392	zLZlAZk.exe
4732	UgTcHKu.exe
400	ruVLvra.exe
1936	OtMzBPp.exe
60	HdLwBWy.exe
1580	tzijZBB.exe
3988	KPZiQhO.exe
1976	bItORSL.exe
1808	Qgstcsr.exe
4756	BLhZUDN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4980-0-0x00007FF7F2A40000-0x00007FF7F2D91000-memory.dmp	upx
behavioral2/files/0x000b000000023bb1-4.dat	upx
behavioral2/memory/3480-8-0x00007FF64CDA0000-0x00007FF64D0F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c92-11.dat	upx
behavioral2/files/0x0007000000023c93-10.dat	upx
behavioral2/memory/4940-14-0x00007FF6890A0000-0x00007FF6893F1000-memory.dmp	upx
behavioral2/memory/3356-18-0x00007FF7354D0000-0x00007FF735821000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-22.dat	upx
behavioral2/files/0x0007000000023c95-28.dat	upx
behavioral2/files/0x0007000000023c96-35.dat	upx
behavioral2/memory/1416-32-0x00007FF6908C0000-0x00007FF690C11000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-44.dat	upx
behavioral2/files/0x0007000000023c97-40.dat	upx
behavioral2/memory/4352-51-0x00007FF6D55D0000-0x00007FF6D5921000-memory.dmp	upx
behavioral2/memory/4228-45-0x00007FF6CEC40000-0x00007FF6CEF91000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-59.dat	upx
behavioral2/memory/3664-61-0x00007FF613C00000-0x00007FF613F51000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-66.dat	upx
behavioral2/memory/3076-68-0x00007FF67E5E0000-0x00007FF67E931000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-76.dat	upx
behavioral2/files/0x0008000000023c8f-80.dat	upx
behavioral2/files/0x0007000000023c9e-88.dat	upx
behavioral2/memory/400-87-0x00007FF656610000-0x00007FF656961000-memory.dmp	upx
behavioral2/memory/1632-86-0x00007FF6A9BB0000-0x00007FF6A9F01000-memory.dmp	upx
behavioral2/memory/4732-82-0x00007FF6DC720000-0x00007FF6DCA71000-memory.dmp	upx
behavioral2/memory/3356-81-0x00007FF7354D0000-0x00007FF735821000-memory.dmp	upx
behavioral2/memory/2392-75-0x00007FF7273F0000-0x00007FF727741000-memory.dmp	upx
behavioral2/memory/4940-73-0x00007FF6890A0000-0x00007FF6893F1000-memory.dmp	upx
behavioral2/memory/3480-67-0x00007FF64CDA0000-0x00007FF64D0F1000-memory.dmp	upx
behavioral2/memory/4980-60-0x00007FF7F2A40000-0x00007FF7F2D91000-memory.dmp	upx
behavioral2/memory/3684-55-0x00007FF64F650000-0x00007FF64F9A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-54.dat	upx
behavioral2/memory/2052-36-0x00007FF624100000-0x00007FF624451000-memory.dmp	upx
behavioral2/memory/1632-24-0x00007FF6A9BB0000-0x00007FF6A9F01000-memory.dmp	upx
behavioral2/memory/1416-92-0x00007FF6908C0000-0x00007FF690C11000-memory.dmp	upx
behavioral2/memory/2052-96-0x00007FF624100000-0x00007FF624451000-memory.dmp	upx
behavioral2/memory/1936-99-0x00007FF75C480000-0x00007FF75C7D1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-103.dat	upx
behavioral2/memory/60-105-0x00007FF67D480000-0x00007FF67D7D1000-memory.dmp	upx
behavioral2/memory/4352-104-0x00007FF6D55D0000-0x00007FF6D5921000-memory.dmp	upx
behavioral2/memory/4228-98-0x00007FF6CEC40000-0x00007FF6CEF91000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-95.dat	upx
behavioral2/files/0x0007000000023ca2-115.dat	upx
behavioral2/memory/1580-113-0x00007FF610140000-0x00007FF610491000-memory.dmp	upx
behavioral2/memory/3684-118-0x00007FF64F650000-0x00007FF64F9A1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-133.dat	upx
behavioral2/memory/1808-132-0x00007FF673290000-0x00007FF6735E1000-memory.dmp	upx
behavioral2/memory/3076-131-0x00007FF67E5E0000-0x00007FF67E931000-memory.dmp	upx
behavioral2/memory/1976-128-0x00007FF665170000-0x00007FF6654C1000-memory.dmp	upx
behavioral2/memory/3664-125-0x00007FF613C00000-0x00007FF613F51000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-124.dat	upx
behavioral2/memory/3988-119-0x00007FF6C0730000-0x00007FF6C0A81000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-111.dat	upx
behavioral2/memory/2392-138-0x00007FF7273F0000-0x00007FF727741000-memory.dmp	upx
behavioral2/memory/4756-140-0x00007FF763C90000-0x00007FF763FE1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-137.dat	upx
behavioral2/memory/4732-141-0x00007FF6DC720000-0x00007FF6DCA71000-memory.dmp	upx
behavioral2/memory/400-142-0x00007FF656610000-0x00007FF656961000-memory.dmp	upx
behavioral2/memory/4980-143-0x00007FF7F2A40000-0x00007FF7F2D91000-memory.dmp	upx
behavioral2/memory/1936-152-0x00007FF75C480000-0x00007FF75C7D1000-memory.dmp	upx
behavioral2/memory/60-159-0x00007FF67D480000-0x00007FF67D7D1000-memory.dmp	upx
behavioral2/memory/1580-160-0x00007FF610140000-0x00007FF610491000-memory.dmp	upx
behavioral2/memory/3988-161-0x00007FF6C0730000-0x00007FF6C0A81000-memory.dmp	upx
behavioral2/memory/1808-167-0x00007FF673290000-0x00007FF6735E1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\tzijZBB.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GFSDeOl.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YpjHAYn.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QzlVEUS.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YSsinBz.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ruVLvra.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HdLwBWy.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KPZiQhO.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bItORSL.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BLhZUDN.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Xrunsfl.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AVWRSXT.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lKRYfJR.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\loGpChf.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zLZlAZk.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Qgstcsr.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZbhgAri.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BPGPsAx.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HpYwonZ.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UgTcHKu.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OtMzBPp.exe	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 3480	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4980 wrote to memory of 3480	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4980 wrote to memory of 4940	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4980 wrote to memory of 4940	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4980 wrote to memory of 3356	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4980 wrote to memory of 3356	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4980 wrote to memory of 1632	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4980 wrote to memory of 1632	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4980 wrote to memory of 1416	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4980 wrote to memory of 1416	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4980 wrote to memory of 2052	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4980 wrote to memory of 2052	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4980 wrote to memory of 4228	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4980 wrote to memory of 4228	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4980 wrote to memory of 4352	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4980 wrote to memory of 4352	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4980 wrote to memory of 3684	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4980 wrote to memory of 3684	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4980 wrote to memory of 3664	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4980 wrote to memory of 3664	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4980 wrote to memory of 3076	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4980 wrote to memory of 3076	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4980 wrote to memory of 2392	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4980 wrote to memory of 2392	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4980 wrote to memory of 4732	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4980 wrote to memory of 4732	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4980 wrote to memory of 400	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4980 wrote to memory of 400	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4980 wrote to memory of 1936	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4980 wrote to memory of 1936	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4980 wrote to memory of 60	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4980 wrote to memory of 60	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4980 wrote to memory of 1580	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4980 wrote to memory of 1580	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4980 wrote to memory of 3988	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4980 wrote to memory of 3988	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4980 wrote to memory of 1976	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4980 wrote to memory of 1976	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4980 wrote to memory of 1808	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4980 wrote to memory of 1808	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4980 wrote to memory of 4756	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4980 wrote to memory of 4756	4980	2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\System\GFSDeOl.exe
  C:\Windows\System\GFSDeOl.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System\ZbhgAri.exe
  C:\Windows\System\ZbhgAri.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\BPGPsAx.exe
  C:\Windows\System\BPGPsAx.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\Xrunsfl.exe
  C:\Windows\System\Xrunsfl.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\AVWRSXT.exe
  C:\Windows\System\AVWRSXT.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System\lKRYfJR.exe
  C:\Windows\System\lKRYfJR.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\loGpChf.exe
  C:\Windows\System\loGpChf.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System\HpYwonZ.exe
  C:\Windows\System\HpYwonZ.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\YpjHAYn.exe
  C:\Windows\System\YpjHAYn.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\QzlVEUS.exe
  C:\Windows\System\QzlVEUS.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\YSsinBz.exe
  C:\Windows\System\YSsinBz.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System\zLZlAZk.exe
  C:\Windows\System\zLZlAZk.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\UgTcHKu.exe
  C:\Windows\System\UgTcHKu.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\ruVLvra.exe
  C:\Windows\System\ruVLvra.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\OtMzBPp.exe
  C:\Windows\System\OtMzBPp.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\HdLwBWy.exe
  C:\Windows\System\HdLwBWy.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\tzijZBB.exe
  C:\Windows\System\tzijZBB.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\KPZiQhO.exe
  C:\Windows\System\KPZiQhO.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\bItORSL.exe
  C:\Windows\System\bItORSL.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\Qgstcsr.exe
  C:\Windows\System\Qgstcsr.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System\BLhZUDN.exe
  C:\Windows\System\BLhZUDN.exe
  2⤵
  - Executes dropped EXE
  PID:4756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AVWRSXT.exe

Filesize
5.2MB

MD5
550feb173eb29d2fec67818be2fdc096

SHA1
5ade17224a541cba92139d8766723101ec21e31c

SHA256
e315092373d5fed63712b2262442fab051f12a046cf3aeb2fbf5ee5b011999c4

SHA512
a3008a0f31a467b4cc7796217707abb8b3ba8b6e814ed3af90280bfdf85e63ad6af3367fc52fe05cbba7a1edc27c3e2fedabaa16f862b956028a0e730bf039d5

Download Submit
C:\Windows\System\BLhZUDN.exe

Filesize
5.2MB

MD5
8bbc568e27cbc0dc202f80f7232e1966

SHA1
81e19ae723b35ab96da4bb977d691184beb23997

SHA256
a16fe5983016da984c4856547da7420350a63b6d4ceb2e72dc704ec03dccbbed

SHA512
5fd4dca2fdd572f177a5372a34f5f4e99323d6aa278d7bf1e348a42e3d25f64151e3f2d9afb98172ef5a30bd8759e7ad93b18bf14e8b211125c4789d4a495f28

Download Submit
C:\Windows\System\BPGPsAx.exe

Filesize
5.2MB

MD5
376976d692a1dad7d1f736a7812470a4

SHA1
a9179cb1c045ad433325300d0bc17c7ff9242572

SHA256
e8d74526997778c2fe41739dd66196e4af838fd2261d171a5b841108c7ed2f91

SHA512
8d0910115684ad69bce6ff64278edf41f4e0f0f74f6ed228283e428d7426c7e83d2c0c1c32672906c961c10ceddf3ff32436410947fa973635f96a09a9467cb0

Download Submit
C:\Windows\System\GFSDeOl.exe

Filesize
5.2MB

MD5
653043197738af6fdb5fb86821db1227

SHA1
815ad86282e7641d5a5cd278a15705907eda60b0

SHA256
a15dbae8bf6d7084089e79ca374223684788e1a02e8d97aecc97e7e0726e7d6a

SHA512
977e2ad79e82debca4203f8a5dffc2f7c260b06a38631f734e9be44926692009d3c335beb690a3f8c40193d88f4314175abee2d5b0db7407581505c8f6d0f856

Download Submit
C:\Windows\System\HdLwBWy.exe

Filesize
5.2MB

MD5
100b68aa4600e89021f4be252b8eaf21

SHA1
39e0fb454894f916e40af00d3bf062461316beb1

SHA256
2e9971e07bde125df35e108a9cf54c9987ed431b45c1285dd646c5242a32dc42

SHA512
c0686e900852c47f1604d98fd8031b9d719431187d5b8a02a6c52663864e12833d61185bebc25e97e68d36f801ba73be057e907d87a288edc62589d6195b6e26

Download Submit
C:\Windows\System\HpYwonZ.exe

Filesize
5.2MB

MD5
19e2e226d11e656d3db7e037135a63ef

SHA1
d0b06c9e87692a394448d9c887a2ccf67c9651e1

SHA256
e06238f2ec7a4b836213c8644b7ba55ffb0229acf4955533a09df7497f4b41f5

SHA512
4a939bdf73a49cba796b4d7b6d57da993bf710cddf68e8c4fad3f780623699f9a37c834cea525ab489d1f851ff685c542acc5ce3627eea882bdc344c44cd1b22

Download Submit
C:\Windows\System\KPZiQhO.exe

Filesize
5.2MB

MD5
42a36179bab9b13a4e9f9d360a0e6712

SHA1
afff1c0cf85b743aecdd03861db5dd456799f561

SHA256
49163953a7cff2a22596e459ae95c3848e4656a3a83c61ebd96946c7a8e7fb19

SHA512
7e21b6ad9adcd57566560e21b9ab3bfb20689a82f306e5b7b70a0b52cee59932c235389a5ead77fdb948432a6fa6d1a162f3dde1671d5109709824632a066f6e

Download Submit
C:\Windows\System\OtMzBPp.exe

Filesize
5.2MB

MD5
191bc15e14824fcef0127a36783a7f5f

SHA1
c05da69a94e2b1eb31577ac79d31f63e2bf20cfc

SHA256
9b52a2fd6e0a69df063bce5dae4624cce5ce657f91b1d53e4a1ed4de1b1ece76

SHA512
38fb6eec98f6369a16ded51b00abf8aa003186cf79d02aa41f7d35449e9b6c9cd40b46101f1be8720b27629f2235c4ea9f1308b29178a727c679b063afe4861a

Download Submit
C:\Windows\System\Qgstcsr.exe

Filesize
5.2MB

MD5
bb7ae10c9a56b02a2d876a86d32d1d71

SHA1
6ef1dd96477f4a84e875acdb2323ea972f9453f1

SHA256
f7449965551ce992727a7c569672ee79789c4199b6c186c112918dd8a7c32273

SHA512
a28465f760f55f95a3a01f3c178b12d029b285961d5e9c66f7e027bb62be6f89469ae10aca04eaabcd66d278a74047e00e9a3554aab8cfc53faad92b7533c3b9

Download Submit
C:\Windows\System\QzlVEUS.exe

Filesize
5.2MB

MD5
cbf0e85ca94281d4e9b8ef8e24cb720f

SHA1
efe20ee1a6ec19f5400874fd75709b018dc71f15

SHA256
97468742b4ee3707b4352f9792d6fd6e2af68e60df29e0b6b619b5673f6ff1ea

SHA512
97791fb59b432f657f4a1a2af161e1a1f0933d5b8002301ef1b13a252c8c0275ee9dfc446628e9759708c99818783b9e23f792ad79295ba69eb513bd806ec45a

Download Submit
C:\Windows\System\UgTcHKu.exe

Filesize
5.2MB

MD5
f3e1988c92d1dd95499929a784b205d0

SHA1
e7635c2d2ec5129bb6e30f4eda1e8391f3813dea

SHA256
ce6c0de4cc51857cb7b3e6fdc71a612ba625660b87de22582915d5f77d1b7eb8

SHA512
cabad770faf0d64e0bc0e1d18cc50dbbb133dba8b80fdf5450c260ca7472d07890bedeeeee6eb2f7adddc5ece29dbbf0a3f0e4cf89254d872ff89d61ebfbb4eb

Download Submit
C:\Windows\System\Xrunsfl.exe

Filesize
5.2MB

MD5
023401e0643ec3463981cf3c3981911e

SHA1
480104250029f8d4d1632e9c262107ef66cdea63

SHA256
56cf7e4565547341c10a3a14ebc1ba9b1a0cb3f8cf9d023edfcb58768ff88133

SHA512
cd97f993c3538aa6839a3a895ed2d51be1d4acd6253ea1524613a539a3fa854828a856d52b5453462dbf1c41e107af221fc38561c811ae04c3cee92b42fd4207

Download Submit
C:\Windows\System\YSsinBz.exe

Filesize
5.2MB

MD5
57faf31ec9b243a0e8e771d5117edf9c

SHA1
78d069c30e57f8850f1e083e8609eb839453e76a

SHA256
aec81374ffcea3e1ca1e123b751d32153a2c1c9d92c8fe8049344cea8214119d

SHA512
2b0e6335281eabc7f7bed427bc2e91f174851552243260439c39552267d67f86aa9532564e79e5ab94a8ec338b890c974df10ee7e9dbc8f0faeed147fdf51a92

Download Submit
C:\Windows\System\YpjHAYn.exe

Filesize
5.2MB

MD5
79b416f3f548937811072cb14b120c29

SHA1
c6ef1d34b45e9015291ee755328a68d5a6919681

SHA256
0c9e2299714c0b90daeee117e24793c3bd304712b1f3f020bfce8393e9e5e709

SHA512
55b05ebacc2a7d4687f498c7257931a5ebc4b9e44f91ec0885ae066de0627cc2e21d1c3e38d1e7990028df187ee3a4201ba7a9434d493c7f2fc435f5d913a4d3

Download Submit
C:\Windows\System\ZbhgAri.exe

Filesize
5.2MB

MD5
5d170579e126dacad7e014d3341e5e9b

SHA1
be63c97a4851e70dded6df2d201efe9d441b8d4e

SHA256
65657c30a8b6fb113585488ea24f734dd11550d03457bc4ea186dc3e58e9f403

SHA512
611040c818e93283b86f9e70690bcbae58d61239a6cd01fd2e213d33deb791f6e3aaf11fa45faea55470529e8aa52f73111bfaa23c3da0487de7ff75d075b8cc

Download Submit
C:\Windows\System\bItORSL.exe

Filesize
5.2MB

MD5
05688d01b7723419d859ecd657387b5f

SHA1
0aef4ba8d10356d091597c96ad8de0ce7beda10c

SHA256
4875d626851127ebc8d9a910f0bc4a12b6f221a72c9ddb771b217e994d0e28bc

SHA512
9b98fca0484e370ce4b76f097b6096de77bae198fe0bd719c4a84c1bcd6af2379e717c09fd0ef468522cbe1724b5e95889579048cfa0e01f27983e384cc456a5

Download Submit
C:\Windows\System\lKRYfJR.exe

Filesize
5.2MB

MD5
c6672d13d8aeb35d8e155dbac971d2df

SHA1
369e5d375a6f93997981ea871698a2730b8aa259

SHA256
270002256d7e6163427565492eb76738652448fdbfa03bb402e0f5e66e3b7cb4

SHA512
e85951216b10fed6db98b293df2132921730a4d232880a88f1d5e9f4ff19763697b332c77a359e13ca88efe675efadf4181c910b23c10fbc720568913532288b

Download Submit
C:\Windows\System\loGpChf.exe

Filesize
5.2MB

MD5
5d98221825e30da37abfd34ec1cd0f84

SHA1
fa07b5ebad80300468ce6dafd3d2f9b6cc85f0c7

SHA256
f5aa8148bde5ffc39bd67c3826f9fb1ff496800280ba2d00e42cdcaf7f925558

SHA512
3069cdeac65493ed5f9ce51ab8fe77d4776df340b997c44baef5a678eb0716a4060b89c2fb903676375eb6deb6ae3fc4ab2c764828e5537bab7de4237bece7e2

Download Submit
C:\Windows\System\ruVLvra.exe

Filesize
5.2MB

MD5
10fde0e956eff1db1e3b72e53915f706

SHA1
ac93d024d247e76a11fbda3afe59e6fb31a6e2ca

SHA256
3fdfd083f5e11d97205cc7fa167d2a7f4259be5d0502fb0075bcde2b0e7ffde3

SHA512
4bb1d57a8a0cde2de91d649521828e98ba317a7da425c31655768e64e7fb3b23f6b6a6cb739cba9bc95a7da6bc7e1f70f15d4db37bcc69f8a7f38a1c6f6a38b5

Download Submit
C:\Windows\System\tzijZBB.exe

Filesize
5.2MB

MD5
53107c8f264dd3cf703e0080c98388ba

SHA1
6b38ee51c6c92b65f35ee275597d76b4b4c8eeb4

SHA256
5607265075dae5b49d495cf798bdaa6b0d17b7f1ecaad4fc92495372633655df

SHA512
e65252a8ff061b1a2cd475f2ed0e19fdcf358a8cb14dd698427b9c9bc4fa08587ee232bdf84adf058a2f40d9f1bc508af48b1d7df3d06dbbc7c3f3273ae759cd

Download Submit
C:\Windows\System\zLZlAZk.exe

Filesize
5.2MB

MD5
2864a2e41df9a81a72b6056f37e3e9d3

SHA1
bf91425fc7d6dd72710ad7c353f72dc5a65b1ded

SHA256
8450114c01c613226e68a7e4bc1fcaf07bea31f78886bcb6e13d3a0520cddcea

SHA512
2b148f0434330518b7d2894d2148d650bab26848e4c2e18df4be5b81e3924e616288ec053a7fb2b1ffbfee545cebf295e4301b3ae579046e4129cf2404f16f7c

Download Submit
memory/60-159-0x00007FF67D480000-0x00007FF67D7D1000-memory.dmp

Filesize
3.3MB

Download
memory/60-105-0x00007FF67D480000-0x00007FF67D7D1000-memory.dmp

Filesize
3.3MB

Download
memory/60-264-0x00007FF67D480000-0x00007FF67D7D1000-memory.dmp

Filesize
3.3MB

Download
memory/400-142-0x00007FF656610000-0x00007FF656961000-memory.dmp

Filesize
3.3MB

Download
memory/400-87-0x00007FF656610000-0x00007FF656961000-memory.dmp

Filesize
3.3MB

Download
memory/400-255-0x00007FF656610000-0x00007FF656961000-memory.dmp

Filesize
3.3MB

Download
memory/1416-32-0x00007FF6908C0000-0x00007FF690C11000-memory.dmp

Filesize
3.3MB

Download
memory/1416-236-0x00007FF6908C0000-0x00007FF690C11000-memory.dmp

Filesize
3.3MB

Download
memory/1416-92-0x00007FF6908C0000-0x00007FF690C11000-memory.dmp

Filesize
3.3MB

Download
memory/1580-113-0x00007FF610140000-0x00007FF610491000-memory.dmp

Filesize
3.3MB

Download
memory/1580-270-0x00007FF610140000-0x00007FF610491000-memory.dmp

Filesize
3.3MB

Download
memory/1580-160-0x00007FF610140000-0x00007FF610491000-memory.dmp

Filesize
3.3MB

Download
memory/1632-86-0x00007FF6A9BB0000-0x00007FF6A9F01000-memory.dmp

Filesize
3.3MB

Download
memory/1632-24-0x00007FF6A9BB0000-0x00007FF6A9F01000-memory.dmp

Filesize
3.3MB

Download
memory/1632-234-0x00007FF6A9BB0000-0x00007FF6A9F01000-memory.dmp

Filesize
3.3MB

Download
memory/1808-167-0x00007FF673290000-0x00007FF6735E1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-132-0x00007FF673290000-0x00007FF6735E1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-276-0x00007FF673290000-0x00007FF6735E1000-memory.dmp

Filesize
3.3MB

Download
memory/1936-152-0x00007FF75C480000-0x00007FF75C7D1000-memory.dmp

Filesize
3.3MB

Download
memory/1936-262-0x00007FF75C480000-0x00007FF75C7D1000-memory.dmp

Filesize
3.3MB

Download
memory/1936-99-0x00007FF75C480000-0x00007FF75C7D1000-memory.dmp

Filesize
3.3MB

Download
memory/1976-274-0x00007FF665170000-0x00007FF6654C1000-memory.dmp

Filesize
3.3MB

Download
memory/1976-128-0x00007FF665170000-0x00007FF6654C1000-memory.dmp

Filesize
3.3MB

Download
memory/2052-238-0x00007FF624100000-0x00007FF624451000-memory.dmp

Filesize
3.3MB

Download
memory/2052-96-0x00007FF624100000-0x00007FF624451000-memory.dmp

Filesize
3.3MB

Download
memory/2052-36-0x00007FF624100000-0x00007FF624451000-memory.dmp

Filesize
3.3MB

Download
memory/2392-253-0x00007FF7273F0000-0x00007FF727741000-memory.dmp

Filesize
3.3MB

Download
memory/2392-138-0x00007FF7273F0000-0x00007FF727741000-memory.dmp

Filesize
3.3MB

Download
memory/2392-75-0x00007FF7273F0000-0x00007FF727741000-memory.dmp

Filesize
3.3MB

Download
memory/3076-131-0x00007FF67E5E0000-0x00007FF67E931000-memory.dmp

Filesize
3.3MB

Download
memory/3076-68-0x00007FF67E5E0000-0x00007FF67E931000-memory.dmp

Filesize
3.3MB

Download
memory/3076-252-0x00007FF67E5E0000-0x00007FF67E931000-memory.dmp

Filesize
3.3MB

Download
memory/3356-81-0x00007FF7354D0000-0x00007FF735821000-memory.dmp

Filesize
3.3MB

Download
memory/3356-18-0x00007FF7354D0000-0x00007FF735821000-memory.dmp

Filesize
3.3MB

Download
memory/3356-232-0x00007FF7354D0000-0x00007FF735821000-memory.dmp

Filesize
3.3MB

Download
memory/3480-228-0x00007FF64CDA0000-0x00007FF64D0F1000-memory.dmp

Filesize
3.3MB

Download
memory/3480-67-0x00007FF64CDA0000-0x00007FF64D0F1000-memory.dmp

Filesize
3.3MB

Download
memory/3480-8-0x00007FF64CDA0000-0x00007FF64D0F1000-memory.dmp

Filesize
3.3MB

Download
memory/3664-247-0x00007FF613C00000-0x00007FF613F51000-memory.dmp

Filesize
3.3MB

Download
memory/3664-61-0x00007FF613C00000-0x00007FF613F51000-memory.dmp

Filesize
3.3MB

Download
memory/3664-125-0x00007FF613C00000-0x00007FF613F51000-memory.dmp

Filesize
3.3MB

Download
memory/3684-55-0x00007FF64F650000-0x00007FF64F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/3684-249-0x00007FF64F650000-0x00007FF64F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/3684-118-0x00007FF64F650000-0x00007FF64F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/3988-161-0x00007FF6C0730000-0x00007FF6C0A81000-memory.dmp

Filesize
3.3MB

Download
memory/3988-119-0x00007FF6C0730000-0x00007FF6C0A81000-memory.dmp

Filesize
3.3MB

Download
memory/3988-272-0x00007FF6C0730000-0x00007FF6C0A81000-memory.dmp

Filesize
3.3MB

Download
memory/4228-241-0x00007FF6CEC40000-0x00007FF6CEF91000-memory.dmp

Filesize
3.3MB

Download
memory/4228-45-0x00007FF6CEC40000-0x00007FF6CEF91000-memory.dmp

Filesize
3.3MB

Download
memory/4228-98-0x00007FF6CEC40000-0x00007FF6CEF91000-memory.dmp

Filesize
3.3MB

Download
memory/4352-242-0x00007FF6D55D0000-0x00007FF6D5921000-memory.dmp

Filesize
3.3MB

Download
memory/4352-51-0x00007FF6D55D0000-0x00007FF6D5921000-memory.dmp

Filesize
3.3MB

Download
memory/4352-104-0x00007FF6D55D0000-0x00007FF6D5921000-memory.dmp

Filesize
3.3MB

Download
memory/4732-141-0x00007FF6DC720000-0x00007FF6DCA71000-memory.dmp

Filesize
3.3MB

Download
memory/4732-257-0x00007FF6DC720000-0x00007FF6DCA71000-memory.dmp

Filesize
3.3MB

Download
memory/4732-82-0x00007FF6DC720000-0x00007FF6DCA71000-memory.dmp

Filesize
3.3MB

Download
memory/4756-140-0x00007FF763C90000-0x00007FF763FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-170-0x00007FF763C90000-0x00007FF763FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-278-0x00007FF763C90000-0x00007FF763FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-14-0x00007FF6890A0000-0x00007FF6893F1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-230-0x00007FF6890A0000-0x00007FF6893F1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-73-0x00007FF6890A0000-0x00007FF6893F1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-143-0x00007FF7F2A40000-0x00007FF7F2D91000-memory.dmp

Filesize
3.3MB

Download
memory/4980-0-0x00007FF7F2A40000-0x00007FF7F2D91000-memory.dmp

Filesize
3.3MB

Download
memory/4980-1-0x00000224C7DC0000-0x00000224C7DD0000-memory.dmp

Filesize
64KB

Download
memory/4980-171-0x00007FF7F2A40000-0x00007FF7F2D91000-memory.dmp

Filesize
3.3MB

Download
memory/4980-60-0x00007FF7F2A40000-0x00007FF7F2D91000-memory.dmp

Filesize
3.3MB

Download