cobaltstrike | 19209576ba88a47dab03667291e7de50a9b9b498b45979685731b198f1e8b9ff

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

be2c85d6efdfc4353a65b89ce48854f9
SHA1

97817c3cea696eceee04c58ac1be83f2e4827369
SHA256

19209576ba88a47dab03667291e7de50a9b9b498b45979685731b198f1e8b9ff
SHA512

39966ad0abae066586163b8982b4606341a86896ea7230e279e444a63de6bd2c5bfa1b2ac1a3ee8473af58924aaf08cc6fa49b5f956532b3b7ceadff41d75e19
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lf:RWWBibf56utgpPFotBER/mQ32lUD

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b76-7.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-15.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-16.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b77-22.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-29.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-37.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-55.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-64.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-77.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-100.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-116.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-120.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-125.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-111.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-92.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1440-73-0x00007FF75CA90000-0x00007FF75CDE1000-memory.dmp	xmrig
behavioral2/memory/4728-75-0x00007FF63BDF0000-0x00007FF63C141000-memory.dmp	xmrig
behavioral2/memory/4616-68-0x00007FF728CF0000-0x00007FF729041000-memory.dmp	xmrig
behavioral2/memory/3544-67-0x00007FF7781D0000-0x00007FF778521000-memory.dmp	xmrig
behavioral2/memory/1720-62-0x00007FF690B80000-0x00007FF690ED1000-memory.dmp	xmrig
behavioral2/memory/1568-51-0x00007FF662150000-0x00007FF6624A1000-memory.dmp	xmrig
behavioral2/memory/2676-87-0x00007FF743040000-0x00007FF743391000-memory.dmp	xmrig
behavioral2/memory/1332-82-0x00007FF76B890000-0x00007FF76BBE1000-memory.dmp	xmrig
behavioral2/memory/1568-128-0x00007FF662150000-0x00007FF6624A1000-memory.dmp	xmrig
behavioral2/memory/1664-127-0x00007FF7E0540000-0x00007FF7E0891000-memory.dmp	xmrig
behavioral2/memory/4628-129-0x00007FF68FCE0000-0x00007FF690031000-memory.dmp	xmrig
behavioral2/memory/2368-131-0x00007FF7B4150000-0x00007FF7B44A1000-memory.dmp	xmrig
behavioral2/memory/840-134-0x00007FF7E7120000-0x00007FF7E7471000-memory.dmp	xmrig
behavioral2/memory/2816-133-0x00007FF7BF6A0000-0x00007FF7BF9F1000-memory.dmp	xmrig
behavioral2/memory/4840-132-0x00007FF74CC50000-0x00007FF74CFA1000-memory.dmp	xmrig
behavioral2/memory/2940-130-0x00007FF7B9780000-0x00007FF7B9AD1000-memory.dmp	xmrig
behavioral2/memory/3416-139-0x00007FF791E20000-0x00007FF792171000-memory.dmp	xmrig
behavioral2/memory/3884-144-0x00007FF618560000-0x00007FF6188B1000-memory.dmp	xmrig
behavioral2/memory/2428-143-0x00007FF7E3360000-0x00007FF7E36B1000-memory.dmp	xmrig
behavioral2/memory/3240-149-0x00007FF79E0F0000-0x00007FF79E441000-memory.dmp	xmrig
behavioral2/memory/4640-148-0x00007FF747720000-0x00007FF747A71000-memory.dmp	xmrig
behavioral2/memory/3780-150-0x00007FF6222F0000-0x00007FF622641000-memory.dmp	xmrig
behavioral2/memory/3080-151-0x00007FF7599E0000-0x00007FF759D31000-memory.dmp	xmrig
behavioral2/memory/1568-159-0x00007FF662150000-0x00007FF6624A1000-memory.dmp	xmrig
behavioral2/memory/3544-207-0x00007FF7781D0000-0x00007FF778521000-memory.dmp	xmrig
behavioral2/memory/1440-211-0x00007FF75CA90000-0x00007FF75CDE1000-memory.dmp	xmrig
behavioral2/memory/4728-213-0x00007FF63BDF0000-0x00007FF63C141000-memory.dmp	xmrig
behavioral2/memory/1332-218-0x00007FF76B890000-0x00007FF76BBE1000-memory.dmp	xmrig
behavioral2/memory/2676-220-0x00007FF743040000-0x00007FF743391000-memory.dmp	xmrig
behavioral2/memory/1664-222-0x00007FF7E0540000-0x00007FF7E0891000-memory.dmp	xmrig
behavioral2/memory/2428-230-0x00007FF7E3360000-0x00007FF7E36B1000-memory.dmp	xmrig
behavioral2/memory/3884-232-0x00007FF618560000-0x00007FF6188B1000-memory.dmp	xmrig
behavioral2/memory/1720-234-0x00007FF690B80000-0x00007FF690ED1000-memory.dmp	xmrig
behavioral2/memory/4616-236-0x00007FF728CF0000-0x00007FF729041000-memory.dmp	xmrig
behavioral2/memory/4640-238-0x00007FF747720000-0x00007FF747A71000-memory.dmp	xmrig
behavioral2/memory/3240-240-0x00007FF79E0F0000-0x00007FF79E441000-memory.dmp	xmrig
behavioral2/memory/3780-246-0x00007FF6222F0000-0x00007FF622641000-memory.dmp	xmrig
behavioral2/memory/3080-248-0x00007FF7599E0000-0x00007FF759D31000-memory.dmp	xmrig
behavioral2/memory/4628-256-0x00007FF68FCE0000-0x00007FF690031000-memory.dmp	xmrig
behavioral2/memory/3416-255-0x00007FF791E20000-0x00007FF792171000-memory.dmp	xmrig
behavioral2/memory/2940-258-0x00007FF7B9780000-0x00007FF7B9AD1000-memory.dmp	xmrig
behavioral2/memory/2368-260-0x00007FF7B4150000-0x00007FF7B44A1000-memory.dmp	xmrig
behavioral2/memory/4840-262-0x00007FF74CC50000-0x00007FF74CFA1000-memory.dmp	xmrig
behavioral2/memory/2816-264-0x00007FF7BF6A0000-0x00007FF7BF9F1000-memory.dmp	xmrig
behavioral2/memory/840-266-0x00007FF7E7120000-0x00007FF7E7471000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3544	YCDTXsp.exe
1440	rfEUicg.exe
4728	sSxGjrL.exe
1332	UGrYSyD.exe
2676	HmJIbjF.exe
1664	iNJJoUu.exe
2428	GILVYxX.exe
3884	hZrqfOw.exe
1720	kACelfN.exe
4616	hkSeDSY.exe
4640	ZmtDbUC.exe
3240	slrYlSl.exe
3780	xfDwOWU.exe
3080	IiSgjDv.exe
4628	fjFkpnf.exe
3416	KewzPcm.exe
2940	mBleemC.exe
2368	hpuCdqA.exe
4840	IPmdCBC.exe
2816	iHBrdml.exe
840	knpFrDA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1568-0-0x00007FF662150000-0x00007FF6624A1000-memory.dmp	upx
behavioral2/memory/3544-6-0x00007FF7781D0000-0x00007FF778521000-memory.dmp	upx
behavioral2/files/0x000c000000023b76-7.dat	upx
behavioral2/files/0x000a000000023b7b-15.dat	upx
behavioral2/files/0x000a000000023b7a-16.dat	upx
behavioral2/memory/4728-18-0x00007FF63BDF0000-0x00007FF63C141000-memory.dmp	upx
behavioral2/memory/1440-14-0x00007FF75CA90000-0x00007FF75CDE1000-memory.dmp	upx
behavioral2/files/0x000b000000023b77-22.dat	upx
behavioral2/memory/1332-24-0x00007FF76B890000-0x00007FF76BBE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-29.dat	upx
behavioral2/memory/2676-30-0x00007FF743040000-0x00007FF743391000-memory.dmp	upx
behavioral2/memory/1664-36-0x00007FF7E0540000-0x00007FF7E0891000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-37.dat	upx
behavioral2/files/0x000a000000023b7f-41.dat	upx
behavioral2/memory/2428-42-0x00007FF7E3360000-0x00007FF7E36B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-50.dat	upx
behavioral2/files/0x000a000000023b81-55.dat	upx
behavioral2/memory/3884-60-0x00007FF618560000-0x00007FF6188B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-64.dat	upx
behavioral2/files/0x000a000000023b83-70.dat	upx
behavioral2/memory/1440-73-0x00007FF75CA90000-0x00007FF75CDE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-77.dat	upx
behavioral2/memory/4728-75-0x00007FF63BDF0000-0x00007FF63C141000-memory.dmp	upx
behavioral2/memory/3240-74-0x00007FF79E0F0000-0x00007FF79E441000-memory.dmp	upx
behavioral2/memory/4640-71-0x00007FF747720000-0x00007FF747A71000-memory.dmp	upx
behavioral2/memory/4616-68-0x00007FF728CF0000-0x00007FF729041000-memory.dmp	upx
behavioral2/memory/3544-67-0x00007FF7781D0000-0x00007FF778521000-memory.dmp	upx
behavioral2/memory/1720-62-0x00007FF690B80000-0x00007FF690ED1000-memory.dmp	upx
behavioral2/memory/1568-51-0x00007FF662150000-0x00007FF6624A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-81.dat	upx
behavioral2/memory/3780-83-0x00007FF6222F0000-0x00007FF622641000-memory.dmp	upx
behavioral2/memory/2676-87-0x00007FF743040000-0x00007FF743391000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-95.dat	upx
behavioral2/files/0x000a000000023b88-100.dat	upx
behavioral2/files/0x000a000000023b8b-116.dat	upx
behavioral2/files/0x000a000000023b8c-120.dat	upx
behavioral2/files/0x000a000000023b8d-125.dat	upx
behavioral2/files/0x000a000000023b8a-111.dat	upx
behavioral2/files/0x000a000000023b89-106.dat	upx
behavioral2/files/0x000a000000023b86-92.dat	upx
behavioral2/memory/3080-90-0x00007FF7599E0000-0x00007FF759D31000-memory.dmp	upx
behavioral2/memory/1332-82-0x00007FF76B890000-0x00007FF76BBE1000-memory.dmp	upx
behavioral2/memory/1568-128-0x00007FF662150000-0x00007FF6624A1000-memory.dmp	upx
behavioral2/memory/1664-127-0x00007FF7E0540000-0x00007FF7E0891000-memory.dmp	upx
behavioral2/memory/4628-129-0x00007FF68FCE0000-0x00007FF690031000-memory.dmp	upx
behavioral2/memory/2368-131-0x00007FF7B4150000-0x00007FF7B44A1000-memory.dmp	upx
behavioral2/memory/840-134-0x00007FF7E7120000-0x00007FF7E7471000-memory.dmp	upx
behavioral2/memory/2816-133-0x00007FF7BF6A0000-0x00007FF7BF9F1000-memory.dmp	upx
behavioral2/memory/4840-132-0x00007FF74CC50000-0x00007FF74CFA1000-memory.dmp	upx
behavioral2/memory/2940-130-0x00007FF7B9780000-0x00007FF7B9AD1000-memory.dmp	upx
behavioral2/memory/3416-139-0x00007FF791E20000-0x00007FF792171000-memory.dmp	upx
behavioral2/memory/3884-144-0x00007FF618560000-0x00007FF6188B1000-memory.dmp	upx
behavioral2/memory/2428-143-0x00007FF7E3360000-0x00007FF7E36B1000-memory.dmp	upx
behavioral2/memory/3240-149-0x00007FF79E0F0000-0x00007FF79E441000-memory.dmp	upx
behavioral2/memory/4640-148-0x00007FF747720000-0x00007FF747A71000-memory.dmp	upx
behavioral2/memory/3780-150-0x00007FF6222F0000-0x00007FF622641000-memory.dmp	upx
behavioral2/memory/3080-151-0x00007FF7599E0000-0x00007FF759D31000-memory.dmp	upx
behavioral2/memory/1568-159-0x00007FF662150000-0x00007FF6624A1000-memory.dmp	upx
behavioral2/memory/3544-207-0x00007FF7781D0000-0x00007FF778521000-memory.dmp	upx
behavioral2/memory/1440-211-0x00007FF75CA90000-0x00007FF75CDE1000-memory.dmp	upx
behavioral2/memory/4728-213-0x00007FF63BDF0000-0x00007FF63C141000-memory.dmp	upx
behavioral2/memory/1332-218-0x00007FF76B890000-0x00007FF76BBE1000-memory.dmp	upx
behavioral2/memory/2676-220-0x00007FF743040000-0x00007FF743391000-memory.dmp	upx
behavioral2/memory/1664-222-0x00007FF7E0540000-0x00007FF7E0891000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\xfDwOWU.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iHBrdml.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\knpFrDA.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rfEUicg.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UGrYSyD.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iNJJoUu.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hpuCdqA.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YCDTXsp.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sSxGjrL.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IiSgjDv.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fjFkpnf.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KewzPcm.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IPmdCBC.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kACelfN.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hkSeDSY.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZmtDbUC.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\slrYlSl.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mBleemC.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HmJIbjF.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GILVYxX.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hZrqfOw.exe	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 3544	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1568 wrote to memory of 3544	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1568 wrote to memory of 1440	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1568 wrote to memory of 1440	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1568 wrote to memory of 4728	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1568 wrote to memory of 4728	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1568 wrote to memory of 1332	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1568 wrote to memory of 1332	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1568 wrote to memory of 2676	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1568 wrote to memory of 2676	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1568 wrote to memory of 1664	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1568 wrote to memory of 1664	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1568 wrote to memory of 2428	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1568 wrote to memory of 2428	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1568 wrote to memory of 1720	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1568 wrote to memory of 1720	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1568 wrote to memory of 3884	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1568 wrote to memory of 3884	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1568 wrote to memory of 4616	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1568 wrote to memory of 4616	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1568 wrote to memory of 4640	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1568 wrote to memory of 4640	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1568 wrote to memory of 3240	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1568 wrote to memory of 3240	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1568 wrote to memory of 3780	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1568 wrote to memory of 3780	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1568 wrote to memory of 3080	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1568 wrote to memory of 3080	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1568 wrote to memory of 4628	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1568 wrote to memory of 4628	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1568 wrote to memory of 3416	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1568 wrote to memory of 3416	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1568 wrote to memory of 2940	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1568 wrote to memory of 2940	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1568 wrote to memory of 2368	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1568 wrote to memory of 2368	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1568 wrote to memory of 4840	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1568 wrote to memory of 4840	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1568 wrote to memory of 2816	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1568 wrote to memory of 2816	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1568 wrote to memory of 840	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1568 wrote to memory of 840	1568	2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-31_be2c85d6efdfc4353a65b89ce48854f9_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\System\YCDTXsp.exe
  C:\Windows\System\YCDTXsp.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System\rfEUicg.exe
  C:\Windows\System\rfEUicg.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\sSxGjrL.exe
  C:\Windows\System\sSxGjrL.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\UGrYSyD.exe
  C:\Windows\System\UGrYSyD.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System\HmJIbjF.exe
  C:\Windows\System\HmJIbjF.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\iNJJoUu.exe
  C:\Windows\System\iNJJoUu.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\GILVYxX.exe
  C:\Windows\System\GILVYxX.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\kACelfN.exe
  C:\Windows\System\kACelfN.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\hZrqfOw.exe
  C:\Windows\System\hZrqfOw.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System\hkSeDSY.exe
  C:\Windows\System\hkSeDSY.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\ZmtDbUC.exe
  C:\Windows\System\ZmtDbUC.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\slrYlSl.exe
  C:\Windows\System\slrYlSl.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\xfDwOWU.exe
  C:\Windows\System\xfDwOWU.exe
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\System\IiSgjDv.exe
  C:\Windows\System\IiSgjDv.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System\fjFkpnf.exe
  C:\Windows\System\fjFkpnf.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\KewzPcm.exe
  C:\Windows\System\KewzPcm.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System\mBleemC.exe
  C:\Windows\System\mBleemC.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\hpuCdqA.exe
  C:\Windows\System\hpuCdqA.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\IPmdCBC.exe
  C:\Windows\System\IPmdCBC.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\iHBrdml.exe
  C:\Windows\System\iHBrdml.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\knpFrDA.exe
  C:\Windows\System\knpFrDA.exe
  2⤵
  - Executes dropped EXE
  PID:840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\GILVYxX.exe

Filesize
5.2MB

MD5
08d1aeb7f0cdd16e76e945a8056cf371

SHA1
ad38d8fd4c6b808437e904e7105bd8e2cf1bf635

SHA256
607ad182ca4275436f96b8fa6fad6eba6201c509d6dd22cfb64b626b1745ac6f

SHA512
d4432af7e34b1077c690134c80dbf3b3bdff968d2932a501f9889caa144ae57257467a70c626cb95f116325ad009e336e2a78af64b6f7e52bd11acfaf0526aab

Download Submit
C:\Windows\System\HmJIbjF.exe

Filesize
5.2MB

MD5
e7e9c26335bcedfbc91412c3a9dc29b0

SHA1
b36567ae9f8e20f0a418569b252592a4880a0ba5

SHA256
0e5b5247d62bcbcdba67448067745a609030aa84ce859ae0b7f08945f7397ad0

SHA512
88259a5d80db84ad2fe198d5f594509e4e860824cdba92684977e448e1ba4ef9673df0d8c0436e81f42e93c80217ca4943fdbba4fc832ea4f2697f3dd15e316c

Download Submit
C:\Windows\System\IPmdCBC.exe

Filesize
5.2MB

MD5
4c0b61a3fd9560d4976acd8091a307f9

SHA1
b6d73462ff2c0224ff3f3812017b38333d6e43d1

SHA256
c21b862ab4e1e2dd4f50f26eb7b538f41eb49d952a0c7ffdd2d0f035ab175af9

SHA512
4896a8ec8b003ea0653b896a0063a6776b1977b158283adac2793c7dea60a58b0c2fb82aebdbaa14b568c4848ab16d73d1d849983b04f4a8a1446bfb66561484

Download Submit
C:\Windows\System\IiSgjDv.exe

Filesize
5.2MB

MD5
d1db36ab46ead634ff34439e9d9af5d6

SHA1
676ed16436fcf14dd7d7db1f2ca1cdad1a21f9af

SHA256
7600e4f0cd73f3de37b228c716ae5ada7df24079298411868935b663bc6dfaf9

SHA512
77f4453514038b5e8a3cf5243e8989b7a20c1816c69473dce39d9bd693c302e35b9b0499dbeba5531203c6dd6fdfa0d77f5ecded8259404a7025735fc1867e4f

Download Submit
C:\Windows\System\KewzPcm.exe

Filesize
5.2MB

MD5
d460a3d9f372564baf97625d217e8843

SHA1
0434f7e5f0122fe6d007fbca2514b4c42497a05f

SHA256
a6b56f9db582c83a26b94c873db45448e575de5bee661d47ae73b0bd02a49854

SHA512
7b40a5f234724fe4840e6ae4a4d3eb6a4b98bfce3bb0a526ba3537ae4d4a0c30a5f8111e775148f8f95522256b33efb769427b3e62b087cdbcbbb60970b21dbe

Download Submit
C:\Windows\System\UGrYSyD.exe

Filesize
5.2MB

MD5
32e9254284539b47dc43f08755fed4d7

SHA1
533b7586909c1cf06be661a97d36725b64001e18

SHA256
b7595574bcfac2b2f2322fc57a5b8616025d5f6ef114d28a7096935a5fe18f02

SHA512
22f27e5a521215b96a91e5329dced2df6fa684db803ad2cdd1460bbc2fd185725ae4dd37e08e4e1325cbf8d3ee7611e62001ea4534017595401cab50123a538e

Download Submit
C:\Windows\System\YCDTXsp.exe

Filesize
5.2MB

MD5
5c813f6ce3e49701e815150ef35ffb4e

SHA1
554a990c249dfbf4fb3a9caa82d349fdaf2d2684

SHA256
258812c8c81bdc7d9c3a87ddfadd735a6654fc621f1d91a744bb91e298827a2e

SHA512
5d75e32caa48b092ded5e7c2d02feb4dc3fff5d0931f343a74982092389dfd2b49f7929d45d2e55a4968dd33b6d7615487b56c6201bf3e8f99b2c2bda7a15df2

Download Submit
C:\Windows\System\ZmtDbUC.exe

Filesize
5.2MB

MD5
7986e842048a629cde13c5ede2e13642

SHA1
d1bad3e46eea5d01384ee9ff09b1aad432a9cc62

SHA256
80694c014131acca2dc8cdd6523b0902312445cda22ca4113e0b6509d74bc041

SHA512
8a1d7abf832bced1d3b734fa1cd0c6e8970976bd585e17d72e44662a8fa26b8740c3be7f96d41a4006c3e44ace23779b488b3fc730b67b104ce793e42b7f389a

Download Submit
C:\Windows\System\fjFkpnf.exe

Filesize
5.2MB

MD5
70571e7f15e877a4c33b61e45428be2c

SHA1
b6190c953bb5ef881818840f804cdc7daa7ceac2

SHA256
58ae841e51ac41f18a0457b05ff88fc549465f0e62e4cc2cb62cef0d20876a2b

SHA512
0d44402959c9ea6d5472898d4c4f599c21a9e983abb631f549c112b116bf969eb5ba8c2036878fa7dc4dca52787b104b553fb2185997952bb8b39e5369743268

Download Submit
C:\Windows\System\hZrqfOw.exe

Filesize
5.2MB

MD5
67955b3c674b5661317eb2dd300f5ed4

SHA1
5f7ef27e7c8250072e4c85c4950457be18b1af44

SHA256
343834b26bb02af183b50a2f1633d735fa69a64d36e43536bb40e51b94431c8a

SHA512
09955c004b5d7c88af76711686d5540676424935a80c004a8011fdb416277cb1abc51c6e1ba702080683409901ca2fc9720ad32c6b381771916cb8a9aed00499

Download Submit
C:\Windows\System\hkSeDSY.exe

Filesize
5.2MB

MD5
3550a34e0f6da51960ca09393cf592cd

SHA1
bb063012b22c00416a11beede1d389630f6a4d54

SHA256
7e7a1c7880f6a90d3143506b2ccdc5f848f1809f61b7a672c0d6d7adc28a031b

SHA512
739badcfc0b5e318f572c2d841e58ab779d2dad36d69d6f7a8e2ac46d62642958935acb148b433d3199758ab6e95d9bf002832848091d740f84de7294c6d860a

Download Submit
C:\Windows\System\hpuCdqA.exe

Filesize
5.2MB

MD5
f53a02123b38d9cbd04edcec08c47b25

SHA1
97168967d285201747b048f21c4959899b28e045

SHA256
7c5a20154ffa31bcd8a6ef47a4e7e97b27338f65f229e87f07debac05be00111

SHA512
f4ee9f25130bc56b3021e8f80269ea394dd9261f427290ebe91dca0d819c733e9f8047ade879738a603c0f58531289ccad53927266187febbb216deefc3a0175

Download Submit
C:\Windows\System\iHBrdml.exe

Filesize
5.2MB

MD5
869611a285b2c1e5adade5b16657193d

SHA1
6e0bbcf9e171a05019dd0f31c30934a112933acb

SHA256
92a9b1367f57a3462a448b42831d5b9bd1ca842130f68655b45b3a93cd8f524a

SHA512
8a4e4ca6763861bb0989817b450d857b411f81659c3c92d9c8a074ed945dfa3a483bf1ab87d0ed00bf58c5d02c1bf3c2b4995f85ff81332a36acab5149989b5a

Download Submit
C:\Windows\System\iNJJoUu.exe

Filesize
5.2MB

MD5
2f94945bf94b9b561a9ed87d24d17e01

SHA1
85a083c82cd3712ad6afd0bb90ee6aaff7b989af

SHA256
15e3f558f315fe234f0e2d2cb60edbb51534d2f95b624c816dd7909cd2735e36

SHA512
33c9516a973d01e37cc6bb04066959e080a6d31fa85b56050443eb9a8d914bb902062d2f6a92892861f8cba5e19cee339d98917c4724a391ce9f2286564f1786

Download Submit
C:\Windows\System\kACelfN.exe

Filesize
5.2MB

MD5
ee8d5aed29544e88abbfacdd4a25ce16

SHA1
629b740f3aeb29635a29511eef28fa1019fa643d

SHA256
05a405f4a9cf46eea48012f2ae98c4d93bb36297c99a4eff82501038a90ccbfe

SHA512
49acd54fb48635268a5175613a7d8b3721ae1f0da57edeafef7f754f4abfd0bfba439bdc3c5ae7cb68672ea3172e27888c059c2c96305754ebb562b3ffeabe10

Download Submit
C:\Windows\System\knpFrDA.exe

Filesize
5.2MB

MD5
fb81b2c27e9e6fec545e8fc7a0e8e4ff

SHA1
ff08b4dd2f3bcf0c57baea37d9664d7367202361

SHA256
6f14d9905e39df2370dd04bdf5eb95290d584f34fe2f07ee81eda0e1bb6f63ee

SHA512
a2b661d269dfa614c92c84e82b25595ec2487345900958e4f265381e09ab2b5ae5b168ac67a4ec325c623e773b410c833d295fdab48250d2c4d9cffd3f7f8d2d

Download Submit
C:\Windows\System\mBleemC.exe

Filesize
5.2MB

MD5
00828d5e2645fc21a0f1ed1d90bbb5cd

SHA1
f4397c19424031c5b5c5a80c1d5e534c4101b547

SHA256
21c52735fd53dc0a9a860a31ed56a9e5878808034094f056edd3d3f6e2d7ca9a

SHA512
6658c445ef115278a2a827964e852c98ee4f6d36374eb46f3c7c00ef6f43e5a91435aacdf85abf511d506e2c9231ee228aa113eb4b0b68928c331959a9602022

Download Submit
C:\Windows\System\rfEUicg.exe

Filesize
5.2MB

MD5
5e2f73abee2d4d806f641becd616b74c

SHA1
c04e99ce4b293ee59b80b2dc9c4d20169a91d1f6

SHA256
eefcc34e052dc22e7757dc803996089fe47962b26c3ebb92e58e2fe9ff019e99

SHA512
8835e68e31c3f7485df7e1750040b1fe241a67c5c951c701c2bfe32e28d9cd27b8c146e2c39be30bead4fd1edbde0fca241fe7ed397f71eff2448f5dd5c3d114

Download Submit
C:\Windows\System\sSxGjrL.exe

Filesize
5.2MB

MD5
b4aed22ad2b8b5e7db4a1ceed1dd9353

SHA1
22fa8564537f2ba3317cf01d96f334358d090cfd

SHA256
bab7ae65d06bf7cc9f107173aaea24b5ee7abfa298090df21dd2b711b9c27a8a

SHA512
e1c6cdeaefdbd74718cc76df17760be1de625537b62636b2a28dd75ec1c2d50503233e6e680fac3d63da6e9b31d91cb2a000fed47f7261c49784e82e54e5e17f

Download Submit
C:\Windows\System\slrYlSl.exe

Filesize
5.2MB

MD5
bbb469939bc223dc3a2cb2cbe2333f15

SHA1
6e2ff58b3ef810c49f5024b58082d86f2ad24c02

SHA256
956735db8916aa2f124ef992b53490f18a565cc5d06a96d8f9cb505132802da3

SHA512
1f38651013d0c5f27ef1c24d73d9f3c391cb2f96f5d10bb0b34536c001bb13ff7b86d523843fa4e1e0975906fb846da3bcca3cc5c455a6f1dbe6319d6911bc2d

Download Submit
C:\Windows\System\xfDwOWU.exe

Filesize
5.2MB

MD5
6e8ac4f26a6889e23cbc0066b394ca76

SHA1
1c9b9dee802602ae5c89c861d474a915fe9e928d

SHA256
f28c610d3510db66fd5e97aad0832075bb3b3fc3388c01ff61a0d3e4e191befa

SHA512
baf2a4490aaa62253ed68911d8e4b90153a5e4b91d06501f801d773dcae6675b479742f8158baea8080fb19f5d3eb1232853ec1533b2682ba02bd0fc9e4b7d39

Download Submit
memory/840-266-0x00007FF7E7120000-0x00007FF7E7471000-memory.dmp

Filesize
3.3MB

Download
memory/840-134-0x00007FF7E7120000-0x00007FF7E7471000-memory.dmp

Filesize
3.3MB

Download
memory/1332-218-0x00007FF76B890000-0x00007FF76BBE1000-memory.dmp

Filesize
3.3MB

Download
memory/1332-24-0x00007FF76B890000-0x00007FF76BBE1000-memory.dmp

Filesize
3.3MB

Download
memory/1332-82-0x00007FF76B890000-0x00007FF76BBE1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-211-0x00007FF75CA90000-0x00007FF75CDE1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-73-0x00007FF75CA90000-0x00007FF75CDE1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-14-0x00007FF75CA90000-0x00007FF75CDE1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-1-0x000001C2741E0000-0x000001C2741F0000-memory.dmp

Filesize
64KB

Download
memory/1568-51-0x00007FF662150000-0x00007FF6624A1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-159-0x00007FF662150000-0x00007FF6624A1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-0-0x00007FF662150000-0x00007FF6624A1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-128-0x00007FF662150000-0x00007FF6624A1000-memory.dmp

Filesize
3.3MB

Download
memory/1664-222-0x00007FF7E0540000-0x00007FF7E0891000-memory.dmp

Filesize
3.3MB

Download
memory/1664-127-0x00007FF7E0540000-0x00007FF7E0891000-memory.dmp

Filesize
3.3MB

Download
memory/1664-36-0x00007FF7E0540000-0x00007FF7E0891000-memory.dmp

Filesize
3.3MB

Download
memory/1720-234-0x00007FF690B80000-0x00007FF690ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1720-62-0x00007FF690B80000-0x00007FF690ED1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-131-0x00007FF7B4150000-0x00007FF7B44A1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-260-0x00007FF7B4150000-0x00007FF7B44A1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-143-0x00007FF7E3360000-0x00007FF7E36B1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-42-0x00007FF7E3360000-0x00007FF7E36B1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-230-0x00007FF7E3360000-0x00007FF7E36B1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-87-0x00007FF743040000-0x00007FF743391000-memory.dmp

Filesize
3.3MB

Download
memory/2676-220-0x00007FF743040000-0x00007FF743391000-memory.dmp

Filesize
3.3MB

Download
memory/2676-30-0x00007FF743040000-0x00007FF743391000-memory.dmp

Filesize
3.3MB

Download
memory/2816-133-0x00007FF7BF6A0000-0x00007FF7BF9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-264-0x00007FF7BF6A0000-0x00007FF7BF9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-130-0x00007FF7B9780000-0x00007FF7B9AD1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-258-0x00007FF7B9780000-0x00007FF7B9AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3080-90-0x00007FF7599E0000-0x00007FF759D31000-memory.dmp

Filesize
3.3MB

Download
memory/3080-151-0x00007FF7599E0000-0x00007FF759D31000-memory.dmp

Filesize
3.3MB

Download
memory/3080-248-0x00007FF7599E0000-0x00007FF759D31000-memory.dmp

Filesize
3.3MB

Download
memory/3240-149-0x00007FF79E0F0000-0x00007FF79E441000-memory.dmp

Filesize
3.3MB

Download
memory/3240-74-0x00007FF79E0F0000-0x00007FF79E441000-memory.dmp

Filesize
3.3MB

Download
memory/3240-240-0x00007FF79E0F0000-0x00007FF79E441000-memory.dmp

Filesize
3.3MB

Download
memory/3416-139-0x00007FF791E20000-0x00007FF792171000-memory.dmp

Filesize
3.3MB

Download
memory/3416-255-0x00007FF791E20000-0x00007FF792171000-memory.dmp

Filesize
3.3MB

Download
memory/3544-67-0x00007FF7781D0000-0x00007FF778521000-memory.dmp

Filesize
3.3MB

Download
memory/3544-207-0x00007FF7781D0000-0x00007FF778521000-memory.dmp

Filesize
3.3MB

Download
memory/3544-6-0x00007FF7781D0000-0x00007FF778521000-memory.dmp

Filesize
3.3MB

Download
memory/3780-83-0x00007FF6222F0000-0x00007FF622641000-memory.dmp

Filesize
3.3MB

Download
memory/3780-150-0x00007FF6222F0000-0x00007FF622641000-memory.dmp

Filesize
3.3MB

Download
memory/3780-246-0x00007FF6222F0000-0x00007FF622641000-memory.dmp

Filesize
3.3MB

Download
memory/3884-144-0x00007FF618560000-0x00007FF6188B1000-memory.dmp

Filesize
3.3MB

Download
memory/3884-232-0x00007FF618560000-0x00007FF6188B1000-memory.dmp

Filesize
3.3MB

Download
memory/3884-60-0x00007FF618560000-0x00007FF6188B1000-memory.dmp

Filesize
3.3MB

Download
memory/4616-236-0x00007FF728CF0000-0x00007FF729041000-memory.dmp

Filesize
3.3MB

Download
memory/4616-68-0x00007FF728CF0000-0x00007FF729041000-memory.dmp

Filesize
3.3MB

Download
memory/4628-129-0x00007FF68FCE0000-0x00007FF690031000-memory.dmp

Filesize
3.3MB

Download
memory/4628-256-0x00007FF68FCE0000-0x00007FF690031000-memory.dmp

Filesize
3.3MB

Download
memory/4640-71-0x00007FF747720000-0x00007FF747A71000-memory.dmp

Filesize
3.3MB

Download
memory/4640-238-0x00007FF747720000-0x00007FF747A71000-memory.dmp

Filesize
3.3MB

Download
memory/4640-148-0x00007FF747720000-0x00007FF747A71000-memory.dmp

Filesize
3.3MB

Download
memory/4728-18-0x00007FF63BDF0000-0x00007FF63C141000-memory.dmp

Filesize
3.3MB

Download
memory/4728-75-0x00007FF63BDF0000-0x00007FF63C141000-memory.dmp

Filesize
3.3MB

Download
memory/4728-213-0x00007FF63BDF0000-0x00007FF63C141000-memory.dmp

Filesize
3.3MB

Download
memory/4840-262-0x00007FF74CC50000-0x00007FF74CFA1000-memory.dmp

Filesize
3.3MB

Download
memory/4840-132-0x00007FF74CC50000-0x00007FF74CFA1000-memory.dmp

Filesize
3.3MB

Download