cobaltstrike | db852c3810344cb85fa10dfc0893c1d1a2da3f762b6612cdc6beee5e7654e5c3

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2024, 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

08d9ea0c2409963573658a369799df6b
SHA1

5511a4782f983cef8d8df0cfb36974ba22d6a30d
SHA256

db852c3810344cb85fa10dfc0893c1d1a2da3f762b6612cdc6beee5e7654e5c3
SHA512

c1947f87aefed864acb81bcecf64bc6d4e5bc3b7c12b9c4326cfb83162f5ceba1ce074e9283ac18af2dbedc1ca66e481b9f97845275324dbc9c6ad7de1d82c1d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ld:RWWBibf56utgpPFotBER/mQ32lU5

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c84-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8e-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-52.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c85-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-39.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4088-122-0x00007FF68D8E0000-0x00007FF68DC31000-memory.dmp	xmrig
behavioral2/memory/1092-126-0x00007FF7B2BA0000-0x00007FF7B2EF1000-memory.dmp	xmrig
behavioral2/memory/4496-125-0x00007FF7CAB50000-0x00007FF7CAEA1000-memory.dmp	xmrig
behavioral2/memory/3656-124-0x00007FF7E30A0000-0x00007FF7E33F1000-memory.dmp	xmrig
behavioral2/memory/4176-123-0x00007FF724610000-0x00007FF724961000-memory.dmp	xmrig
behavioral2/memory/3256-116-0x00007FF631460000-0x00007FF6317B1000-memory.dmp	xmrig
behavioral2/memory/3068-133-0x00007FF784B60000-0x00007FF784EB1000-memory.dmp	xmrig
behavioral2/memory/4888-131-0x00007FF746AF0000-0x00007FF746E41000-memory.dmp	xmrig
behavioral2/memory/2788-130-0x00007FF789E40000-0x00007FF78A191000-memory.dmp	xmrig
behavioral2/memory/4556-128-0x00007FF7DFDB0000-0x00007FF7E0101000-memory.dmp	xmrig
behavioral2/memory/3276-141-0x00007FF7DE760000-0x00007FF7DEAB1000-memory.dmp	xmrig
behavioral2/memory/4112-138-0x00007FF65E510000-0x00007FF65E861000-memory.dmp	xmrig
behavioral2/memory/1840-135-0x00007FF6E53B0000-0x00007FF6E5701000-memory.dmp	xmrig
behavioral2/memory/4776-134-0x00007FF708820000-0x00007FF708B71000-memory.dmp	xmrig
behavioral2/memory/4148-132-0x00007FF7AD1A0000-0x00007FF7AD4F1000-memory.dmp	xmrig
behavioral2/memory/3708-129-0x00007FF73D360000-0x00007FF73D6B1000-memory.dmp	xmrig
behavioral2/memory/2340-127-0x00007FF7A3FA0000-0x00007FF7A42F1000-memory.dmp	xmrig
behavioral2/memory/912-143-0x00007FF798DF0000-0x00007FF799141000-memory.dmp	xmrig
behavioral2/memory/1232-149-0x00007FF681370000-0x00007FF6816C1000-memory.dmp	xmrig
behavioral2/memory/2340-150-0x00007FF7A3FA0000-0x00007FF7A42F1000-memory.dmp	xmrig
behavioral2/memory/4512-144-0x00007FF716300000-0x00007FF716651000-memory.dmp	xmrig
behavioral2/memory/1728-140-0x00007FF667120000-0x00007FF667471000-memory.dmp	xmrig
behavioral2/memory/3256-147-0x00007FF631460000-0x00007FF6317B1000-memory.dmp	xmrig
behavioral2/memory/4572-145-0x00007FF6230B0000-0x00007FF623401000-memory.dmp	xmrig
behavioral2/memory/2340-172-0x00007FF7A3FA0000-0x00007FF7A42F1000-memory.dmp	xmrig
behavioral2/memory/4556-200-0x00007FF7DFDB0000-0x00007FF7E0101000-memory.dmp	xmrig
behavioral2/memory/3708-214-0x00007FF73D360000-0x00007FF73D6B1000-memory.dmp	xmrig
behavioral2/memory/2788-216-0x00007FF789E40000-0x00007FF78A191000-memory.dmp	xmrig
behavioral2/memory/4888-218-0x00007FF746AF0000-0x00007FF746E41000-memory.dmp	xmrig
behavioral2/memory/4148-220-0x00007FF7AD1A0000-0x00007FF7AD4F1000-memory.dmp	xmrig
behavioral2/memory/1840-226-0x00007FF6E53B0000-0x00007FF6E5701000-memory.dmp	xmrig
behavioral2/memory/4112-228-0x00007FF65E510000-0x00007FF65E861000-memory.dmp	xmrig
behavioral2/memory/3068-224-0x00007FF784B60000-0x00007FF784EB1000-memory.dmp	xmrig
behavioral2/memory/4088-223-0x00007FF68D8E0000-0x00007FF68DC31000-memory.dmp	xmrig
behavioral2/memory/1728-236-0x00007FF667120000-0x00007FF667471000-memory.dmp	xmrig
behavioral2/memory/4776-238-0x00007FF708820000-0x00007FF708B71000-memory.dmp	xmrig
behavioral2/memory/3656-242-0x00007FF7E30A0000-0x00007FF7E33F1000-memory.dmp	xmrig
behavioral2/memory/3256-252-0x00007FF631460000-0x00007FF6317B1000-memory.dmp	xmrig
behavioral2/memory/1232-256-0x00007FF681370000-0x00007FF6816C1000-memory.dmp	xmrig
behavioral2/memory/1092-254-0x00007FF7B2BA0000-0x00007FF7B2EF1000-memory.dmp	xmrig
behavioral2/memory/4496-250-0x00007FF7CAB50000-0x00007FF7CAEA1000-memory.dmp	xmrig
behavioral2/memory/3276-248-0x00007FF7DE760000-0x00007FF7DEAB1000-memory.dmp	xmrig
behavioral2/memory/912-247-0x00007FF798DF0000-0x00007FF799141000-memory.dmp	xmrig
behavioral2/memory/4572-245-0x00007FF6230B0000-0x00007FF623401000-memory.dmp	xmrig
behavioral2/memory/4176-240-0x00007FF724610000-0x00007FF724961000-memory.dmp	xmrig
behavioral2/memory/4512-262-0x00007FF716300000-0x00007FF716651000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4556	eqrxQAE.exe
3708	JPtPzOS.exe
2788	rEFQXmV.exe
4888	uLpInTw.exe
4148	SbsBTFW.exe
3068	tRKnZIk.exe
1840	RXTJWLn.exe
4088	GmJGLYY.exe
4776	ikDMcWk.exe
4112	DbgMSfX.exe
4176	MHJyyIK.exe
1728	CMcmgHv.exe
3656	znRQxiQ.exe
3276	YWrKDFQ.exe
912	EKvLllp.exe
4512	exvBAoa.exe
4572	UVaHHyb.exe
4496	DSuMOHl.exe
3256	ZQIEbaT.exe
1092	OOPEUVh.exe
1232	nzggEtz.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2340-0-0x00007FF7A3FA0000-0x00007FF7A42F1000-memory.dmp	upx
behavioral2/files/0x0008000000023c84-4.dat	upx
behavioral2/files/0x0007000000023c89-10.dat	upx
behavioral2/files/0x0007000000023c88-11.dat	upx
behavioral2/files/0x0007000000023c8a-29.dat	upx
behavioral2/files/0x0007000000023c8c-31.dat	upx
behavioral2/files/0x0007000000023c8e-37.dat	upx
behavioral2/files/0x0007000000023c90-52.dat	upx
behavioral2/files/0x0008000000023c85-60.dat	upx
behavioral2/files/0x0007000000023c92-80.dat	upx
behavioral2/memory/1728-91-0x00007FF667120000-0x00007FF667471000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-104.dat	upx
behavioral2/memory/4572-110-0x00007FF6230B0000-0x00007FF623401000-memory.dmp	upx
behavioral2/memory/4088-122-0x00007FF68D8E0000-0x00007FF68DC31000-memory.dmp	upx
behavioral2/memory/1092-126-0x00007FF7B2BA0000-0x00007FF7B2EF1000-memory.dmp	upx
behavioral2/memory/4496-125-0x00007FF7CAB50000-0x00007FF7CAEA1000-memory.dmp	upx
behavioral2/memory/3656-124-0x00007FF7E30A0000-0x00007FF7E33F1000-memory.dmp	upx
behavioral2/memory/4176-123-0x00007FF724610000-0x00007FF724961000-memory.dmp	upx
behavioral2/memory/1232-121-0x00007FF681370000-0x00007FF6816C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-117.dat	upx
behavioral2/memory/3256-116-0x00007FF631460000-0x00007FF6317B1000-memory.dmp	upx
behavioral2/memory/4512-109-0x00007FF716300000-0x00007FF716651000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-108.dat	upx
behavioral2/files/0x0007000000023c97-107.dat	upx
behavioral2/files/0x0007000000023c96-106.dat	upx
behavioral2/memory/912-105-0x00007FF798DF0000-0x00007FF799141000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-102.dat	upx
behavioral2/memory/3276-100-0x00007FF7DE760000-0x00007FF7DEAB1000-memory.dmp	upx
behavioral2/files/0x0007000000023c95-94.dat	upx
behavioral2/files/0x0007000000023c93-92.dat	upx
behavioral2/files/0x0007000000023c91-73.dat	upx
behavioral2/memory/4112-71-0x00007FF65E510000-0x00007FF65E861000-memory.dmp	upx
behavioral2/memory/4776-63-0x00007FF708820000-0x00007FF708B71000-memory.dmp	upx
behavioral2/files/0x0007000000023c8d-59.dat	upx
behavioral2/memory/1840-49-0x00007FF6E53B0000-0x00007FF6E5701000-memory.dmp	upx
behavioral2/files/0x0007000000023c8f-51.dat	upx
behavioral2/memory/3068-41-0x00007FF784B60000-0x00007FF784EB1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8b-39.dat	upx
behavioral2/memory/4148-36-0x00007FF7AD1A0000-0x00007FF7AD4F1000-memory.dmp	upx
behavioral2/memory/4888-26-0x00007FF746AF0000-0x00007FF746E41000-memory.dmp	upx
behavioral2/memory/2788-23-0x00007FF789E40000-0x00007FF78A191000-memory.dmp	upx
behavioral2/memory/3708-15-0x00007FF73D360000-0x00007FF73D6B1000-memory.dmp	upx
behavioral2/memory/4556-7-0x00007FF7DFDB0000-0x00007FF7E0101000-memory.dmp	upx
behavioral2/memory/3068-133-0x00007FF784B60000-0x00007FF784EB1000-memory.dmp	upx
behavioral2/memory/4888-131-0x00007FF746AF0000-0x00007FF746E41000-memory.dmp	upx
behavioral2/memory/2788-130-0x00007FF789E40000-0x00007FF78A191000-memory.dmp	upx
behavioral2/memory/4556-128-0x00007FF7DFDB0000-0x00007FF7E0101000-memory.dmp	upx
behavioral2/memory/3276-141-0x00007FF7DE760000-0x00007FF7DEAB1000-memory.dmp	upx
behavioral2/memory/4112-138-0x00007FF65E510000-0x00007FF65E861000-memory.dmp	upx
behavioral2/memory/1840-135-0x00007FF6E53B0000-0x00007FF6E5701000-memory.dmp	upx
behavioral2/memory/4776-134-0x00007FF708820000-0x00007FF708B71000-memory.dmp	upx
behavioral2/memory/4148-132-0x00007FF7AD1A0000-0x00007FF7AD4F1000-memory.dmp	upx
behavioral2/memory/3708-129-0x00007FF73D360000-0x00007FF73D6B1000-memory.dmp	upx
behavioral2/memory/2340-127-0x00007FF7A3FA0000-0x00007FF7A42F1000-memory.dmp	upx
behavioral2/memory/912-143-0x00007FF798DF0000-0x00007FF799141000-memory.dmp	upx
behavioral2/memory/1232-149-0x00007FF681370000-0x00007FF6816C1000-memory.dmp	upx
behavioral2/memory/2340-150-0x00007FF7A3FA0000-0x00007FF7A42F1000-memory.dmp	upx
behavioral2/memory/4512-144-0x00007FF716300000-0x00007FF716651000-memory.dmp	upx
behavioral2/memory/1728-140-0x00007FF667120000-0x00007FF667471000-memory.dmp	upx
behavioral2/memory/3256-147-0x00007FF631460000-0x00007FF6317B1000-memory.dmp	upx
behavioral2/memory/4572-145-0x00007FF6230B0000-0x00007FF623401000-memory.dmp	upx
behavioral2/memory/2340-172-0x00007FF7A3FA0000-0x00007FF7A42F1000-memory.dmp	upx
behavioral2/memory/4556-200-0x00007FF7DFDB0000-0x00007FF7E0101000-memory.dmp	upx
behavioral2/memory/3708-214-0x00007FF73D360000-0x00007FF73D6B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\JPtPzOS.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uLpInTw.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\exvBAoa.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZQIEbaT.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RXTJWLn.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YWrKDFQ.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\znRQxiQ.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nzggEtz.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EKvLllp.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eqrxQAE.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rEFQXmV.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tRKnZIk.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ikDMcWk.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GmJGLYY.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DbgMSfX.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MHJyyIK.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OOPEUVh.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SbsBTFW.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CMcmgHv.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UVaHHyb.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DSuMOHl.exe	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 4556	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2340 wrote to memory of 4556	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2340 wrote to memory of 3708	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2340 wrote to memory of 3708	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2340 wrote to memory of 2788	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2340 wrote to memory of 2788	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2340 wrote to memory of 4888	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2340 wrote to memory of 4888	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2340 wrote to memory of 4148	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2340 wrote to memory of 4148	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2340 wrote to memory of 3068	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2340 wrote to memory of 3068	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2340 wrote to memory of 4776	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2340 wrote to memory of 4776	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2340 wrote to memory of 1840	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2340 wrote to memory of 1840	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2340 wrote to memory of 4088	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2340 wrote to memory of 4088	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2340 wrote to memory of 4112	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2340 wrote to memory of 4112	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2340 wrote to memory of 4176	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2340 wrote to memory of 4176	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2340 wrote to memory of 1728	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2340 wrote to memory of 1728	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2340 wrote to memory of 3276	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2340 wrote to memory of 3276	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2340 wrote to memory of 3656	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2340 wrote to memory of 3656	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2340 wrote to memory of 912	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2340 wrote to memory of 912	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2340 wrote to memory of 4512	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2340 wrote to memory of 4512	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2340 wrote to memory of 4572	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2340 wrote to memory of 4572	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2340 wrote to memory of 4496	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2340 wrote to memory of 4496	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2340 wrote to memory of 3256	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2340 wrote to memory of 3256	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2340 wrote to memory of 1092	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2340 wrote to memory of 1092	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2340 wrote to memory of 1232	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2340 wrote to memory of 1232	2340	2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-17_08d9ea0c2409963573658a369799df6b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\System\eqrxQAE.exe
  C:\Windows\System\eqrxQAE.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\JPtPzOS.exe
  C:\Windows\System\JPtPzOS.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\rEFQXmV.exe
  C:\Windows\System\rEFQXmV.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\uLpInTw.exe
  C:\Windows\System\uLpInTw.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\SbsBTFW.exe
  C:\Windows\System\SbsBTFW.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\tRKnZIk.exe
  C:\Windows\System\tRKnZIk.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\ikDMcWk.exe
  C:\Windows\System\ikDMcWk.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\RXTJWLn.exe
  C:\Windows\System\RXTJWLn.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System\GmJGLYY.exe
  C:\Windows\System\GmJGLYY.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System\DbgMSfX.exe
  C:\Windows\System\DbgMSfX.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System\MHJyyIK.exe
  C:\Windows\System\MHJyyIK.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\CMcmgHv.exe
  C:\Windows\System\CMcmgHv.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\YWrKDFQ.exe
  C:\Windows\System\YWrKDFQ.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System\znRQxiQ.exe
  C:\Windows\System\znRQxiQ.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\EKvLllp.exe
  C:\Windows\System\EKvLllp.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\System\exvBAoa.exe
  C:\Windows\System\exvBAoa.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\UVaHHyb.exe
  C:\Windows\System\UVaHHyb.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\DSuMOHl.exe
  C:\Windows\System\DSuMOHl.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\ZQIEbaT.exe
  C:\Windows\System\ZQIEbaT.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System\OOPEUVh.exe
  C:\Windows\System\OOPEUVh.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System\nzggEtz.exe
  C:\Windows\System\nzggEtz.exe
  2⤵
  - Executes dropped EXE
  PID:1232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CMcmgHv.exe

Filesize
5.2MB

MD5
a7f0398c55db66d22c22cd3c1192f452

SHA1
33d33de95a77c687bc95418ae35eaa379b8eb444

SHA256
760c5f44f5e93ca065987b3110a8c96e55a358372038f0f3bba89055931ec20f

SHA512
e7cc3f7443d21dbbbeb7c192eaad32d234056f95d17c7af93c23f9e44d6e363bec2ab6f51ef007425c5559f2993c8d622eb617ce5f64b7bc881d7fa4e39ced52

Download Submit
C:\Windows\System\DSuMOHl.exe

Filesize
5.2MB

MD5
beacb407f889285a0a98eff506b6f4e9

SHA1
538dd08ccf556ee1a1df25ebe4d7977c1d4554e4

SHA256
3ea389670e4c6cac88aef69361c1a1c6128ba31e1b1605ad722590d467f9f301

SHA512
1a7be4484cc01e152adb4fd47d0c8c14ed11618f606a15da079c7a50e9ce0fccd9d58f3586aa4b8c8e9ed6b11a6a56fc6527507e3f782662b3d6ba4fecb3fb7a

Download Submit
C:\Windows\System\DbgMSfX.exe

Filesize
5.2MB

MD5
bb8fb16e855c3d7cdd9e32f0c0c1f68e

SHA1
7cee4e89f31f8b95c96020ffb8c70aeabfd277be

SHA256
f4b38a9a8184f8b2fb482032ca867f931647f9398d7855cafcea57957cb25fc5

SHA512
c2a467d04cd158ac4e802eff62c88f3c97a2ef2a05f65ee0fee6bb05b1f76071e5935343b030b2a21007129e3ae50358d4b6523d9198cbdefd9cf044f89212df

Download Submit
C:\Windows\System\EKvLllp.exe

Filesize
5.2MB

MD5
46c762cb4112845bec2130fb95a3e9c3

SHA1
934d74d96f057136a8a3f1442ac3410fc7ea2c37

SHA256
b4e5d6c7f2d0cfc2bcf9b4d75b52ec756cc0b2909f7bbc44e1d26b26f4972614

SHA512
65e90bab342bc8abc468f0714db8a0b0674d35463cdec7c47b2c2be4a638d7a42d16cfcaaf4154b3c52fc3b26615bda4435643735816e9fac3b9d579fc03998b

Download Submit
C:\Windows\System\GmJGLYY.exe

Filesize
5.2MB

MD5
bfd7aed1b8e47739ade96cfa6f99a507

SHA1
fb4cb4cdfc24bcb24d4eb36651a01cdd2717ef62

SHA256
5404a48f8b5b3f7b90923859583bd3a3559a27cb350e232df56600c4641ae00b

SHA512
a6d54fc87ca5dca0a8ce647151464bb9d6d5c125dbcad54eb4ac58d2eb6f6e2fb8372676ac8810f0e9c57a5572742300382dbbee88db90701a13836b7b372d1a

Download Submit
C:\Windows\System\JPtPzOS.exe

Filesize
5.2MB

MD5
3b0f6667ab08d4780734514fd3d94787

SHA1
14ef918b98e8a057749de55b1f9e6e7888855687

SHA256
3c41d6dd3fbb1b9308cd6a24fb0e90315c50d503f43c8fb51db6b6550a26babd

SHA512
9d07438358d6513f9cc8c24ca18a08ad8d74460475ea5ac3c29122a93006961e59172f7fc4f0a8df962d41657318c2dbe5e78326f74fdbaf72763e79eadfa069

Download Submit
C:\Windows\System\MHJyyIK.exe

Filesize
5.2MB

MD5
20468b41b1b1891cc23c3d0b376146dc

SHA1
70d28d3d3c2a3b7083aedecb0d3d08fc687af7b4

SHA256
81ac133f4be800e1c359e356c188976cf03dd85911defa2030283396d5f0b1ca

SHA512
c21d58fd4efd6f4b793900c1e7b449e0a3152c55501eb9b608737fcae4d660c230736fef17a90a430bc60594625f10cc77f559ab0d6f0c253dccb480ea371401

Download Submit
C:\Windows\System\OOPEUVh.exe

Filesize
5.2MB

MD5
7432f5927a166e230d15cc26374bab7a

SHA1
d1e872599b7b5580e021c1d2642bc35e5eed06c7

SHA256
4099e5ae7c1d60dad498cdfbcdb7cb56b32cc70bdd437c897c0def13fbf8dfef

SHA512
b7a466a8def0c494718663d45f1c08aede686dfd48d71a1277ba3ae512b55c6c80a48b1095fde67acc8085068a31909e526de2f75c0c1c39160880fea8560ff8

Download Submit
C:\Windows\System\RXTJWLn.exe

Filesize
5.2MB

MD5
9156175eec06b5672e08eeb947904043

SHA1
434b5230571ab172395bf4b8fe27364cef52a51c

SHA256
5587a6f2c5e8ec4d4065af5c5a47e210955c7f816efe18e21b90e25b53a49cf8

SHA512
e92e1d90cd25b01aebcc3739f73c24629c54f9d5446c791b319b705f684ce96948bbe5016310de1cbd84904d748fb76ad87d00327b39eff5ceaba2ee7b62a932

Download Submit
C:\Windows\System\SbsBTFW.exe

Filesize
5.2MB

MD5
d18c779ba1f3e9951ad751f60c475a8d

SHA1
314c184f70bb9c54d3923b9fdfdc5c863af2c09a

SHA256
ada8ca02f8acd915e1c316be818d450513f4d866ca9b1b3d3399e6bba3c71291

SHA512
0a9fab4584067a215abeebf23832ed2ad6477d2cb98b3099caa922fc22f2e1382dd12beae3dd1cb9c52e4096c66055ec3a549e07d393e8a997de43b5cfdde92b

Download Submit
C:\Windows\System\UVaHHyb.exe

Filesize
5.2MB

MD5
ebdb4a7cb1c34152ce52912d3e99ec17

SHA1
2e3ae7e2d63148300e3a283daf2337c8ee0c1916

SHA256
57761fb08ff05c530a9fa4650e34f476a3d7cd14450e5f350cc582b218471f59

SHA512
36646d41f82965f2ac14173b0d636437606bc21f9e00a8c4ad19fc984894a47e45899b3c217303cca5c5673e7135ea109b34dcc0098286d0a693f62671e21813

Download Submit
C:\Windows\System\YWrKDFQ.exe

Filesize
5.2MB

MD5
b52f29b272f68fe00ba0adc63ec14ef3

SHA1
32e1116851578655b818054fb225e6796ea3fe37

SHA256
096907d74398b3d78e030e5acc47d48a9c0a5c49f3d59562a3b6432657c0a017

SHA512
224f5fa0c018c0e0b18577fb39efd9ecb0569cb277736d0ef8a9852453752d35531d2140ca746850bb4e7c0052883ba59e035df563c47c13b11b6af1093ade1f

Download Submit
C:\Windows\System\ZQIEbaT.exe

Filesize
5.2MB

MD5
b594861a27c3ab19c76fa691efc6e5ff

SHA1
430ae526e141465e7545f4236c598d57b9a3d2d5

SHA256
3a89706c2d16f758058d899e2b6fd4bafeba29c63b24baed5aedab611e368436

SHA512
0d724ad572b3631675a9b07b74f422565b994198f8fd2c85a63b55e3793e610f79ed8ede24a2df4361609d8d1e409f1e9e94efe2f43924f79ab9bd42ae51e9c9

Download Submit
C:\Windows\System\eqrxQAE.exe

Filesize
5.2MB

MD5
861ba55833cfef5cfb875259b3639635

SHA1
e5c7b66a3f3ae1064b5b2801b27bd968a3810d1f

SHA256
59c127a1fb496a746fb63e25968e88f657263d6e18a3d88a56784898ffafdca6

SHA512
e48b5ac3e6d7f3e07d5b859a1de97db56bece921e8cef57623f54565643cf8cd61726d553f836e4c6d76a3cc35989af33095c81b72ca55725c36cf0193806e9b

Download Submit
C:\Windows\System\exvBAoa.exe

Filesize
5.2MB

MD5
7798555a31fd14d97e23f89b344b3f77

SHA1
f1f0c9c05f923b96e45eff5eb0f2df6338e1491f

SHA256
ee0ff9e3a43c1271fbc25dcbb6cede2262d952c7988e7fad9bd4eee6490dd6cf

SHA512
6d3ba812c23647a9469c1879c0b0464ce74855a64f7c5ecb03c5901b78f7cf0c9d116a05900cc7ce4a518efa1dbb323f4a32200e0ab74af651c7d3cfe7413774

Download Submit
C:\Windows\System\ikDMcWk.exe

Filesize
5.2MB

MD5
b8297000e3e3a9c516a38bf52367378d

SHA1
e847597591339ba194d2f7070e37f0af721ec25e

SHA256
97eb9ae23ee267e278a65d857eb31092c6ae67b7b1dae3ad493bb07c8610fb24

SHA512
b9f08bfac41db2753618af7e3ceba9f9b50dc9a342aac6f0799cfe9cd02a7c5563968fb56c496457ae983fe3917ea1c4914d1a457c778e45c4d912391ae82d1e

Download Submit
C:\Windows\System\nzggEtz.exe

Filesize
5.2MB

MD5
f5a86969a47e1d8b698d5415938e5fdb

SHA1
3258bb92c43081b7fd112e3362751c81983c61d0

SHA256
5ae1d3b5ffc02ad8472f5c1cf01b12d84751c38a8d857ee05cddfbf18a12a1ca

SHA512
d43951c7a8db176c4ec39133105887a782c226e175a13704ea58693589a26dd5c82679968566e91e6c086e049601ea5c3c9decbac707073bd040ce2b10eed1b5

Download Submit
C:\Windows\System\rEFQXmV.exe

Filesize
5.2MB

MD5
45df7472612b11e211a4f712eeb4c210

SHA1
3cfe55426d61c26ae5c634dd550d1c274e701b08

SHA256
af96b52a9675f1e4fd7728e908cdbfac588637c738094e06e848154ec58e6fa6

SHA512
9fe98db84efe83cda215b7a505e0d2417cac5e2cc5594b4ca4acdb6914c57e07a40edd62f0978b701fb1186d45e75c198f95b2372e1c73cc33ec339d02cb551c

Download Submit
C:\Windows\System\tRKnZIk.exe

Filesize
5.2MB

MD5
c24df2c06553fd7afe027f8eef6c4a5c

SHA1
4d1e8384f21deaf13e5da1142ad0b06db6a34ee6

SHA256
27f684340204e04c2616eeac1a08a8fffd45872bd573e2c6c9b0a7edfd258293

SHA512
c6bb06c9584142fbefea1929a1793c3b5389bf3e2a072b5590d0aea601b944af78c2da58c8bf0956da62702af322efb5ee9a9af061e8069c639bba7a0b4a7448

Download Submit
C:\Windows\System\uLpInTw.exe

Filesize
5.2MB

MD5
08cd63f5b406fd73a5e8b3bcab845d63

SHA1
b15b9833c7ba7a291ea7bdbd0964084b56bfb53f

SHA256
9aad04391e37cce82cc9812215c133f693e32af0dc3a1b73dfbec14005cc782d

SHA512
e020a15e379b26d258ba5b2019800580e032e3d0d5f9bfc7695ceddc80eb19604c4d568412e23d8d48e81b59ca184a99f55c5738631a7a9f72302b480919ff36

Download Submit
C:\Windows\System\znRQxiQ.exe

Filesize
5.2MB

MD5
2357c2722e62e6adc142666348fa083d

SHA1
d62ae711368712ddf747c2008c52f431be8c15ca

SHA256
df4b99c9b062fe5d81ed3773074d91d7a4331fab9ae7d3fd149fcbf162414c0d

SHA512
e125c8f35beb1275234e77bd5009c28bddb1eda71dc8aea542b4b56389e492156477f0ee6aa206e7628457eacd744140ad25a3a4fc1f89b773bf23f350f2bca1

Download Submit
memory/912-247-0x00007FF798DF0000-0x00007FF799141000-memory.dmp

Filesize
3.3MB

Download
memory/912-143-0x00007FF798DF0000-0x00007FF799141000-memory.dmp

Filesize
3.3MB

Download
memory/912-105-0x00007FF798DF0000-0x00007FF799141000-memory.dmp

Filesize
3.3MB

Download
memory/1092-254-0x00007FF7B2BA0000-0x00007FF7B2EF1000-memory.dmp

Filesize
3.3MB

Download
memory/1092-126-0x00007FF7B2BA0000-0x00007FF7B2EF1000-memory.dmp

Filesize
3.3MB

Download
memory/1232-121-0x00007FF681370000-0x00007FF6816C1000-memory.dmp

Filesize
3.3MB

Download
memory/1232-256-0x00007FF681370000-0x00007FF6816C1000-memory.dmp

Filesize
3.3MB

Download
memory/1232-149-0x00007FF681370000-0x00007FF6816C1000-memory.dmp

Filesize
3.3MB

Download
memory/1728-140-0x00007FF667120000-0x00007FF667471000-memory.dmp

Filesize
3.3MB

Download
memory/1728-236-0x00007FF667120000-0x00007FF667471000-memory.dmp

Filesize
3.3MB

Download
memory/1728-91-0x00007FF667120000-0x00007FF667471000-memory.dmp

Filesize
3.3MB

Download
memory/1840-135-0x00007FF6E53B0000-0x00007FF6E5701000-memory.dmp

Filesize
3.3MB

Download
memory/1840-49-0x00007FF6E53B0000-0x00007FF6E5701000-memory.dmp

Filesize
3.3MB

Download
memory/1840-226-0x00007FF6E53B0000-0x00007FF6E5701000-memory.dmp

Filesize
3.3MB

Download
memory/2340-1-0x00000187D09D0000-0x00000187D09E0000-memory.dmp

Filesize
64KB

Download
memory/2340-172-0x00007FF7A3FA0000-0x00007FF7A42F1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-127-0x00007FF7A3FA0000-0x00007FF7A42F1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-150-0x00007FF7A3FA0000-0x00007FF7A42F1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-0-0x00007FF7A3FA0000-0x00007FF7A42F1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-23-0x00007FF789E40000-0x00007FF78A191000-memory.dmp

Filesize
3.3MB

Download
memory/2788-216-0x00007FF789E40000-0x00007FF78A191000-memory.dmp

Filesize
3.3MB

Download
memory/2788-130-0x00007FF789E40000-0x00007FF78A191000-memory.dmp

Filesize
3.3MB

Download
memory/3068-224-0x00007FF784B60000-0x00007FF784EB1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-133-0x00007FF784B60000-0x00007FF784EB1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-41-0x00007FF784B60000-0x00007FF784EB1000-memory.dmp

Filesize
3.3MB

Download
memory/3256-116-0x00007FF631460000-0x00007FF6317B1000-memory.dmp

Filesize
3.3MB

Download
memory/3256-252-0x00007FF631460000-0x00007FF6317B1000-memory.dmp

Filesize
3.3MB

Download
memory/3256-147-0x00007FF631460000-0x00007FF6317B1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-141-0x00007FF7DE760000-0x00007FF7DEAB1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-100-0x00007FF7DE760000-0x00007FF7DEAB1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-248-0x00007FF7DE760000-0x00007FF7DEAB1000-memory.dmp

Filesize
3.3MB

Download
memory/3656-124-0x00007FF7E30A0000-0x00007FF7E33F1000-memory.dmp

Filesize
3.3MB

Download
memory/3656-242-0x00007FF7E30A0000-0x00007FF7E33F1000-memory.dmp

Filesize
3.3MB

Download
memory/3708-15-0x00007FF73D360000-0x00007FF73D6B1000-memory.dmp

Filesize
3.3MB

Download
memory/3708-129-0x00007FF73D360000-0x00007FF73D6B1000-memory.dmp

Filesize
3.3MB

Download
memory/3708-214-0x00007FF73D360000-0x00007FF73D6B1000-memory.dmp

Filesize
3.3MB

Download
memory/4088-122-0x00007FF68D8E0000-0x00007FF68DC31000-memory.dmp

Filesize
3.3MB

Download
memory/4088-223-0x00007FF68D8E0000-0x00007FF68DC31000-memory.dmp

Filesize
3.3MB

Download
memory/4112-138-0x00007FF65E510000-0x00007FF65E861000-memory.dmp

Filesize
3.3MB

Download
memory/4112-71-0x00007FF65E510000-0x00007FF65E861000-memory.dmp

Filesize
3.3MB

Download
memory/4112-228-0x00007FF65E510000-0x00007FF65E861000-memory.dmp

Filesize
3.3MB

Download
memory/4148-220-0x00007FF7AD1A0000-0x00007FF7AD4F1000-memory.dmp

Filesize
3.3MB

Download
memory/4148-132-0x00007FF7AD1A0000-0x00007FF7AD4F1000-memory.dmp

Filesize
3.3MB

Download
memory/4148-36-0x00007FF7AD1A0000-0x00007FF7AD4F1000-memory.dmp

Filesize
3.3MB

Download
memory/4176-123-0x00007FF724610000-0x00007FF724961000-memory.dmp

Filesize
3.3MB

Download
memory/4176-240-0x00007FF724610000-0x00007FF724961000-memory.dmp

Filesize
3.3MB

Download
memory/4496-250-0x00007FF7CAB50000-0x00007FF7CAEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4496-125-0x00007FF7CAB50000-0x00007FF7CAEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4512-109-0x00007FF716300000-0x00007FF716651000-memory.dmp

Filesize
3.3MB

Download
memory/4512-262-0x00007FF716300000-0x00007FF716651000-memory.dmp

Filesize
3.3MB

Download
memory/4512-144-0x00007FF716300000-0x00007FF716651000-memory.dmp

Filesize
3.3MB

Download
memory/4556-128-0x00007FF7DFDB0000-0x00007FF7E0101000-memory.dmp

Filesize
3.3MB

Download
memory/4556-200-0x00007FF7DFDB0000-0x00007FF7E0101000-memory.dmp

Filesize
3.3MB

Download
memory/4556-7-0x00007FF7DFDB0000-0x00007FF7E0101000-memory.dmp

Filesize
3.3MB

Download
memory/4572-145-0x00007FF6230B0000-0x00007FF623401000-memory.dmp

Filesize
3.3MB

Download
memory/4572-110-0x00007FF6230B0000-0x00007FF623401000-memory.dmp

Filesize
3.3MB

Download
memory/4572-245-0x00007FF6230B0000-0x00007FF623401000-memory.dmp

Filesize
3.3MB

Download
memory/4776-238-0x00007FF708820000-0x00007FF708B71000-memory.dmp

Filesize
3.3MB

Download
memory/4776-63-0x00007FF708820000-0x00007FF708B71000-memory.dmp

Filesize
3.3MB

Download
memory/4776-134-0x00007FF708820000-0x00007FF708B71000-memory.dmp

Filesize
3.3MB

Download
memory/4888-218-0x00007FF746AF0000-0x00007FF746E41000-memory.dmp

Filesize
3.3MB

Download
memory/4888-131-0x00007FF746AF0000-0x00007FF746E41000-memory.dmp

Filesize
3.3MB

Download
memory/4888-26-0x00007FF746AF0000-0x00007FF746E41000-memory.dmp

Filesize
3.3MB

Download