cobaltstrike | e0c08c4879f75f8d7611ce88ce9b3f61e1011923f57bff3212d14045fbf18cff

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d89c1c6f00b4834b8906e4253268e8c9
SHA1

adf792c02e2eadec61d31ac67c5c521acf4b8416
SHA256

e0c08c4879f75f8d7611ce88ce9b3f61e1011923f57bff3212d14045fbf18cff
SHA512

610873d8a22df01bde8a54cd0b4818bd8b905540fa0ab0284f53f223312222520e02560e1df8ae8f0c7aefe9238fb48088304f6856422bef7c0cccb577c043a4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6le:RWWBibf56utgpPFotBER/mQ32lU6

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0031000000023b76-7.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b71-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b75-12.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b78-26.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b77-28.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-34.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b72-40.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-48.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-53.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-55.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-78.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-82.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-89.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-96.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-116.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-132.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-121.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-137.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-143.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2916-45-0x00007FF66C0B0000-0x00007FF66C401000-memory.dmp	xmrig
behavioral2/memory/2024-56-0x00007FF682380000-0x00007FF6826D1000-memory.dmp	xmrig
behavioral2/memory/4460-59-0x00007FF7583C0000-0x00007FF758711000-memory.dmp	xmrig
behavioral2/memory/3860-68-0x00007FF7E5C30000-0x00007FF7E5F81000-memory.dmp	xmrig
behavioral2/memory/2800-75-0x00007FF6AC040000-0x00007FF6AC391000-memory.dmp	xmrig
behavioral2/memory/4532-76-0x00007FF684E50000-0x00007FF6851A1000-memory.dmp	xmrig
behavioral2/memory/2384-83-0x00007FF638450000-0x00007FF6387A1000-memory.dmp	xmrig
behavioral2/memory/2428-103-0x00007FF7452C0000-0x00007FF745611000-memory.dmp	xmrig
behavioral2/memory/4364-126-0x00007FF797A30000-0x00007FF797D81000-memory.dmp	xmrig
behavioral2/memory/952-130-0x00007FF6CBB10000-0x00007FF6CBE61000-memory.dmp	xmrig
behavioral2/memory/4440-117-0x00007FF7A0D60000-0x00007FF7A10B1000-memory.dmp	xmrig
behavioral2/memory/1184-134-0x00007FF77F410000-0x00007FF77F761000-memory.dmp	xmrig
behavioral2/memory/380-138-0x00007FF762C60000-0x00007FF762FB1000-memory.dmp	xmrig
behavioral2/memory/2900-154-0x00007FF7CAB10000-0x00007FF7CAE61000-memory.dmp	xmrig
behavioral2/memory/2104-155-0x00007FF6EB9E0000-0x00007FF6EBD31000-memory.dmp	xmrig
behavioral2/memory/3508-156-0x00007FF71DA40000-0x00007FF71DD91000-memory.dmp	xmrig
behavioral2/memory/3172-157-0x00007FF7FF440000-0x00007FF7FF791000-memory.dmp	xmrig
behavioral2/memory/4452-158-0x00007FF649560000-0x00007FF6498B1000-memory.dmp	xmrig
behavioral2/memory/3292-159-0x00007FF64CAE0000-0x00007FF64CE31000-memory.dmp	xmrig
behavioral2/memory/2024-160-0x00007FF682380000-0x00007FF6826D1000-memory.dmp	xmrig
behavioral2/memory/4716-173-0x00007FF6AE600000-0x00007FF6AE951000-memory.dmp	xmrig
behavioral2/memory/4800-174-0x00007FF601130000-0x00007FF601481000-memory.dmp	xmrig
behavioral2/memory/1632-175-0x00007FF708060000-0x00007FF7083B1000-memory.dmp	xmrig
behavioral2/memory/2024-183-0x00007FF682380000-0x00007FF6826D1000-memory.dmp	xmrig
behavioral2/memory/4460-213-0x00007FF7583C0000-0x00007FF758711000-memory.dmp	xmrig
behavioral2/memory/3860-215-0x00007FF7E5C30000-0x00007FF7E5F81000-memory.dmp	xmrig
behavioral2/memory/2800-223-0x00007FF6AC040000-0x00007FF6AC391000-memory.dmp	xmrig
behavioral2/memory/4532-225-0x00007FF684E50000-0x00007FF6851A1000-memory.dmp	xmrig
behavioral2/memory/2384-227-0x00007FF638450000-0x00007FF6387A1000-memory.dmp	xmrig
behavioral2/memory/2428-235-0x00007FF7452C0000-0x00007FF745611000-memory.dmp	xmrig
behavioral2/memory/2916-237-0x00007FF66C0B0000-0x00007FF66C401000-memory.dmp	xmrig
behavioral2/memory/4440-239-0x00007FF7A0D60000-0x00007FF7A10B1000-memory.dmp	xmrig
behavioral2/memory/4364-244-0x00007FF797A30000-0x00007FF797D81000-memory.dmp	xmrig
behavioral2/memory/952-246-0x00007FF6CBB10000-0x00007FF6CBE61000-memory.dmp	xmrig
behavioral2/memory/1184-248-0x00007FF77F410000-0x00007FF77F761000-memory.dmp	xmrig
behavioral2/memory/380-250-0x00007FF762C60000-0x00007FF762FB1000-memory.dmp	xmrig
behavioral2/memory/2900-255-0x00007FF7CAB10000-0x00007FF7CAE61000-memory.dmp	xmrig
behavioral2/memory/2104-257-0x00007FF6EB9E0000-0x00007FF6EBD31000-memory.dmp	xmrig
behavioral2/memory/3508-263-0x00007FF71DA40000-0x00007FF71DD91000-memory.dmp	xmrig
behavioral2/memory/3172-265-0x00007FF7FF440000-0x00007FF7FF791000-memory.dmp	xmrig
behavioral2/memory/4716-270-0x00007FF6AE600000-0x00007FF6AE951000-memory.dmp	xmrig
behavioral2/memory/3292-268-0x00007FF64CAE0000-0x00007FF64CE31000-memory.dmp	xmrig
behavioral2/memory/4452-271-0x00007FF649560000-0x00007FF6498B1000-memory.dmp	xmrig
behavioral2/memory/4800-275-0x00007FF601130000-0x00007FF601481000-memory.dmp	xmrig
behavioral2/memory/1632-277-0x00007FF708060000-0x00007FF7083B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4460	yxHSdTx.exe
3860	ARTeFJT.exe
2800	eMRqfXi.exe
4532	UfNKYHP.exe
2384	hJDmInW.exe
2428	MoTEoHy.exe
2916	pIWOsQt.exe
4440	OXLqdxN.exe
4364	DrTCWTi.exe
952	HnzdsKZ.exe
1184	Gjhbrgc.exe
380	aOAFNtI.exe
2900	oAkNkqt.exe
2104	whaBSQs.exe
3508	hUzRhyQ.exe
3172	bEujMnE.exe
4452	BQbcaWr.exe
3292	xOWCkqP.exe
4716	vtKhWwh.exe
4800	CznvVSM.exe
1632	sSzmjEV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2024-0-0x00007FF682380000-0x00007FF6826D1000-memory.dmp	upx
behavioral2/files/0x0031000000023b76-7.dat	upx
behavioral2/files/0x000b000000023b71-9.dat	upx
behavioral2/files/0x000a000000023b75-12.dat	upx
behavioral2/files/0x0031000000023b78-26.dat	upx
behavioral2/memory/2384-29-0x00007FF638450000-0x00007FF6387A1000-memory.dmp	upx
behavioral2/files/0x0031000000023b77-28.dat	upx
behavioral2/memory/4532-27-0x00007FF684E50000-0x00007FF6851A1000-memory.dmp	upx
behavioral2/memory/2800-22-0x00007FF6AC040000-0x00007FF6AC391000-memory.dmp	upx
behavioral2/memory/3860-16-0x00007FF7E5C30000-0x00007FF7E5F81000-memory.dmp	upx
behavioral2/memory/4460-8-0x00007FF7583C0000-0x00007FF758711000-memory.dmp	upx
behavioral2/files/0x000a000000023b79-34.dat	upx
behavioral2/memory/2428-38-0x00007FF7452C0000-0x00007FF745611000-memory.dmp	upx
behavioral2/files/0x000b000000023b72-40.dat	upx
behavioral2/memory/2916-45-0x00007FF66C0B0000-0x00007FF66C401000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-48.dat	upx
behavioral2/files/0x000a000000023b7c-53.dat	upx
behavioral2/memory/4440-50-0x00007FF7A0D60000-0x00007FF7A10B1000-memory.dmp	upx
behavioral2/memory/2024-56-0x00007FF682380000-0x00007FF6826D1000-memory.dmp	upx
behavioral2/memory/952-58-0x00007FF6CBB10000-0x00007FF6CBE61000-memory.dmp	upx
behavioral2/memory/4460-59-0x00007FF7583C0000-0x00007FF758711000-memory.dmp	upx
behavioral2/memory/4364-57-0x00007FF797A30000-0x00007FF797D81000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-55.dat	upx
behavioral2/memory/3860-68-0x00007FF7E5C30000-0x00007FF7E5F81000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-70.dat	upx
behavioral2/memory/2800-75-0x00007FF6AC040000-0x00007FF6AC391000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-78.dat	upx
behavioral2/memory/380-77-0x00007FF762C60000-0x00007FF762FB1000-memory.dmp	upx
behavioral2/memory/4532-76-0x00007FF684E50000-0x00007FF6851A1000-memory.dmp	upx
behavioral2/memory/1184-69-0x00007FF77F410000-0x00007FF77F761000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-82.dat	upx
behavioral2/memory/2900-84-0x00007FF7CAB10000-0x00007FF7CAE61000-memory.dmp	upx
behavioral2/memory/2384-83-0x00007FF638450000-0x00007FF6387A1000-memory.dmp	upx
behavioral2/memory/2104-91-0x00007FF6EB9E0000-0x00007FF6EBD31000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-89.dat	upx
behavioral2/files/0x000a000000023b83-96.dat	upx
behavioral2/memory/2428-103-0x00007FF7452C0000-0x00007FF745611000-memory.dmp	upx
behavioral2/memory/3508-110-0x00007FF71DA40000-0x00007FF71DD91000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-116.dat	upx
behavioral2/memory/3292-122-0x00007FF64CAE0000-0x00007FF64CE31000-memory.dmp	upx
behavioral2/memory/4364-126-0x00007FF797A30000-0x00007FF797D81000-memory.dmp	upx
behavioral2/memory/952-130-0x00007FF6CBB10000-0x00007FF6CBE61000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-132.dat	upx
behavioral2/memory/4716-131-0x00007FF6AE600000-0x00007FF6AE951000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-121.dat	upx
behavioral2/files/0x000a000000023b84-119.dat	upx
behavioral2/memory/4452-118-0x00007FF649560000-0x00007FF6498B1000-memory.dmp	upx
behavioral2/memory/4440-117-0x00007FF7A0D60000-0x00007FF7A10B1000-memory.dmp	upx
behavioral2/memory/3172-113-0x00007FF7FF440000-0x00007FF7FF791000-memory.dmp	upx
behavioral2/memory/1184-134-0x00007FF77F410000-0x00007FF77F761000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-137.dat	upx
behavioral2/memory/380-138-0x00007FF762C60000-0x00007FF762FB1000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-143.dat	upx
behavioral2/memory/4800-142-0x00007FF601130000-0x00007FF601481000-memory.dmp	upx
behavioral2/memory/1632-146-0x00007FF708060000-0x00007FF7083B1000-memory.dmp	upx
behavioral2/memory/2900-154-0x00007FF7CAB10000-0x00007FF7CAE61000-memory.dmp	upx
behavioral2/memory/2104-155-0x00007FF6EB9E0000-0x00007FF6EBD31000-memory.dmp	upx
behavioral2/memory/3508-156-0x00007FF71DA40000-0x00007FF71DD91000-memory.dmp	upx
behavioral2/memory/3172-157-0x00007FF7FF440000-0x00007FF7FF791000-memory.dmp	upx
behavioral2/memory/4452-158-0x00007FF649560000-0x00007FF6498B1000-memory.dmp	upx
behavioral2/memory/3292-159-0x00007FF64CAE0000-0x00007FF64CE31000-memory.dmp	upx
behavioral2/memory/2024-160-0x00007FF682380000-0x00007FF6826D1000-memory.dmp	upx
behavioral2/memory/4716-173-0x00007FF6AE600000-0x00007FF6AE951000-memory.dmp	upx
behavioral2/memory/4800-174-0x00007FF601130000-0x00007FF601481000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\hUzRhyQ.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CznvVSM.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Gjhbrgc.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oAkNkqt.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\whaBSQs.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bEujMnE.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sSzmjEV.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eMRqfXi.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UfNKYHP.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pIWOsQt.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vtKhWwh.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hJDmInW.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OXLqdxN.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BQbcaWr.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DrTCWTi.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HnzdsKZ.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aOAFNtI.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xOWCkqP.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yxHSdTx.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ARTeFJT.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MoTEoHy.exe	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 4460	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2024 wrote to memory of 4460	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2024 wrote to memory of 3860	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2024 wrote to memory of 3860	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2024 wrote to memory of 2800	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2024 wrote to memory of 2800	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2024 wrote to memory of 4532	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2024 wrote to memory of 4532	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2024 wrote to memory of 2384	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2024 wrote to memory of 2384	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2024 wrote to memory of 2428	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2024 wrote to memory of 2428	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2024 wrote to memory of 2916	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2024 wrote to memory of 2916	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2024 wrote to memory of 4440	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2024 wrote to memory of 4440	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2024 wrote to memory of 4364	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2024 wrote to memory of 4364	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2024 wrote to memory of 952	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2024 wrote to memory of 952	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2024 wrote to memory of 1184	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2024 wrote to memory of 1184	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2024 wrote to memory of 380	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2024 wrote to memory of 380	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2024 wrote to memory of 2900	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2024 wrote to memory of 2900	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2024 wrote to memory of 2104	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2024 wrote to memory of 2104	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2024 wrote to memory of 3508	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2024 wrote to memory of 3508	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2024 wrote to memory of 3172	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2024 wrote to memory of 3172	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2024 wrote to memory of 4452	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2024 wrote to memory of 4452	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2024 wrote to memory of 3292	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2024 wrote to memory of 3292	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2024 wrote to memory of 4716	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2024 wrote to memory of 4716	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2024 wrote to memory of 4800	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2024 wrote to memory of 4800	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2024 wrote to memory of 1632	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2024 wrote to memory of 1632	2024	2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_d89c1c6f00b4834b8906e4253268e8c9_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\System\yxHSdTx.exe
  C:\Windows\System\yxHSdTx.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\ARTeFJT.exe
  C:\Windows\System\ARTeFJT.exe
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System\eMRqfXi.exe
  C:\Windows\System\eMRqfXi.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\UfNKYHP.exe
  C:\Windows\System\UfNKYHP.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\hJDmInW.exe
  C:\Windows\System\hJDmInW.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\MoTEoHy.exe
  C:\Windows\System\MoTEoHy.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\pIWOsQt.exe
  C:\Windows\System\pIWOsQt.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\OXLqdxN.exe
  C:\Windows\System\OXLqdxN.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\DrTCWTi.exe
  C:\Windows\System\DrTCWTi.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\HnzdsKZ.exe
  C:\Windows\System\HnzdsKZ.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\System\Gjhbrgc.exe
  C:\Windows\System\Gjhbrgc.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\aOAFNtI.exe
  C:\Windows\System\aOAFNtI.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\oAkNkqt.exe
  C:\Windows\System\oAkNkqt.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\whaBSQs.exe
  C:\Windows\System\whaBSQs.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\hUzRhyQ.exe
  C:\Windows\System\hUzRhyQ.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\bEujMnE.exe
  C:\Windows\System\bEujMnE.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System\BQbcaWr.exe
  C:\Windows\System\BQbcaWr.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\xOWCkqP.exe
  C:\Windows\System\xOWCkqP.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System\vtKhWwh.exe
  C:\Windows\System\vtKhWwh.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\CznvVSM.exe
  C:\Windows\System\CznvVSM.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System\sSzmjEV.exe
  C:\Windows\System\sSzmjEV.exe
  2⤵
  - Executes dropped EXE
  PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ARTeFJT.exe

Filesize
5.2MB

MD5
90a3751a3c72072349f404cf3910d1c0

SHA1
7354413317e45bed8e822a1cb73e5ca21eea5588

SHA256
f65173e5b32f158a7b8ba72744a64e8fedc6ed4f89ab7888fe5a9ae527f3897d

SHA512
bd20d19ce24069f4556604b04b1d04fc241a262541ae6f6d91aefc7005bd72e10841e34234de242d1abd2b173390ed637fd9e8af7d629343ecb0f250262a1ee9

Download Submit
C:\Windows\System\BQbcaWr.exe

Filesize
5.2MB

MD5
c77c14064a46ddc9fe487f5da88a7b93

SHA1
0ab93b9c6757f31b3f342d64d774fb7b43387acd

SHA256
858c95f1f6bd896efd937d5430a314419db38cb6c91353686e04b3baecc07f6b

SHA512
ffe13f264be7d981608df6f93fd99dc8ffe5409fd603d83f60d98996eb8978f9ab6e99230c84a86c6560ce6f9720fe4995e921642958e3553762df954641d604

Download Submit
C:\Windows\System\CznvVSM.exe

Filesize
5.2MB

MD5
619c3038a670ecab9a66ab4eb0e2ac0e

SHA1
91040e437cf5b4bb588f4ec030f9f8ccd640d7d3

SHA256
556f61e8a732fb2341c099c0ff310b44f054e1880425e264426e20c8dfe21d3a

SHA512
3af26b48dc8b428ce8ad8ee201496552666949762975729a86e77997c882534860dd4c4d41ebf4f8c7f0e902f5a92ec06b58335d8406fd1dbe9547e793090a52

Download Submit
C:\Windows\System\DrTCWTi.exe

Filesize
5.2MB

MD5
540b7fd5ac3851f5ed56e3c864d4bb37

SHA1
c0e4d0b05781b8414d8fc0964c63550422cead43

SHA256
31e54205b64108ee190534bc7f6e07ddcd63e544c2f51ce951d4b8101dc07ac8

SHA512
4bdb8abfc5c5857f02fce652fde7ca0d5d27f698b8cb2c8dcc829082a2bb599dc9a983a31502e7c2f3dc347fecc56ef559ba2f7fb2d1308b83ed685f8cbe48c3

Download Submit
C:\Windows\System\Gjhbrgc.exe

Filesize
5.2MB

MD5
7aee2776b4657bccf049f65759698d7e

SHA1
291afda2152542cb7eac2533fed75db2f342a165

SHA256
3b5a5eafb873fe9eb0cdd6c69cd6ed2617ba1dda6e299eac39f3ee7e276dfe3d

SHA512
27cedf9175c91821419f4c38342576c95fc6c5809a7f3ebd8a909d5b66e2a876c6e95d914aab16cedf291afb8ba719567b3bdef9cd183993338ba5ea8a472dc5

Download Submit
C:\Windows\System\HnzdsKZ.exe

Filesize
5.2MB

MD5
00799741cf758a21ea3c92daa40892c2

SHA1
78f1f39fb17345c90a6a161ecdc7b9deefe470fb

SHA256
c30332ce92023cc5bc0abe0e53371bf944d503eea4db4f3e1f0ba599ce3a8f0c

SHA512
3573da49cf5cb6c1745de5a420da2ddd09626a86aa4809350ab8a0b855187fe0f93135609cb63e75160672be0c29fffffb38e9c873e6000d59e884a832bd50e3

Download Submit
C:\Windows\System\MoTEoHy.exe

Filesize
5.2MB

MD5
fee871d7ba6fa2ceb1ecb900a0fbcaa5

SHA1
0d4116e25c8c289623ea67388a1779cedce6bf46

SHA256
6d2dc9cd253e57aedd9922d2315b0376d3d880f00247d52fb001c6db19333884

SHA512
20ea95b455247ae1e84068bf997f9299ccd90df3562a71cd2371c88413ce75b6a02b8a5966a1d561c479a85dd2e6e7e62cbdf738962ab16b4895861393194ba6

Download Submit
C:\Windows\System\OXLqdxN.exe

Filesize
5.2MB

MD5
f66e5f756667e0aa07b51a2486461208

SHA1
aa121b7c1c5433c34004acdb8908410d4d4d6df2

SHA256
fe379eb5c1b465e23e6edc2d3ba6c3487bd43ff5649562747bcbff5dafa5bad3

SHA512
a6ec09c416123f7cb8cec07759faea4d0995cd35bee84db1d78aa5b9d773bb5569b5b99c7f998792089687cb1b7362d48c28a8ae7cf765a682ca264bf01a4c50

Download Submit
C:\Windows\System\UfNKYHP.exe

Filesize
5.2MB

MD5
a0bb8f06be1a6950ddbb84060e737bc1

SHA1
e81fe435c10b987b67b750d24088fa9690f86517

SHA256
bc6a0d31ff43fd027f675321c0c3bdecbcee0a34e4718e81ddabea7981b3cafa

SHA512
73fa4c0e03f34fe5b0c6025b6c6e4a88c0dd061a8932c63ec75ff80d08cd8f5c4a55320ee247a9eae7e4bd0a733b6501f78d5614cc69d44891b4e5e2e7cd68e5

Download Submit
C:\Windows\System\aOAFNtI.exe

Filesize
5.2MB

MD5
c300e4da54601ceeaef296901a385ecb

SHA1
4d46efd40329333781d2d797431799a76dffa066

SHA256
adf45ce3331843499dc054cac86d52f210b5f4a291eaab6976e30036bc212562

SHA512
4ce124b5d2a3ed222e74d1481586c01cf4250696d0c33398e6cb5aadebde5bad09ac8161861642d74e01979dd1a9933b75eb31521054bf790b37c9ea7644b237

Download Submit
C:\Windows\System\bEujMnE.exe

Filesize
5.2MB

MD5
79d84d82cc7351b1f6c631b3e9f87510

SHA1
167b93226e283c999b6b22ab733616cef0e1b217

SHA256
2d1f7178440d003142651f2965b6b8b5c89d57bcd953dd4526483014a7703d56

SHA512
93718bfe35fa0277dc5f2f37d4de993e6965eb1aafc0724b86387bc2749e874ec159d28bb0fcb9fdae965f50922f87425b07c3cdc0dd8e332d9bfd45b998829d

Download Submit
C:\Windows\System\eMRqfXi.exe

Filesize
5.2MB

MD5
f790502cf9b7d8aedabcb2d4a93550cc

SHA1
da2dcb61ab7b12829d33f0692503667611883137

SHA256
8a71fc9dd13313663274ab85a4eba5b36674a3bfdfae48cde2bdab4af1fbfcef

SHA512
75c2802452d6f8faefe59184809f639a06c7efb1245c69e6f365eeed73a7efc2ae80f566445258b5c8c8c15ca7ed32f12311deba12677d2185073b18678d8dc8

Download Submit
C:\Windows\System\hJDmInW.exe

Filesize
5.2MB

MD5
7ad32b12518cfdbccca35da8b6cbf718

SHA1
9c07de5f67eb05cf24fd14f49a8d4f31fa850be8

SHA256
591c7af70a84fb9ce97db1afc870b5f3c61e16882d093a254fdc27814b6e250d

SHA512
59a97b296eaee8c4d58583d2036fefe87c9ba09a64bb0eb719653bb14d06a52dc8296c2921164d0577c5061b618ac8ea43eb257d50ef606f8969a854c1241e2c

Download Submit
C:\Windows\System\hUzRhyQ.exe

Filesize
5.2MB

MD5
5762aaa226eb61df924f6b511d52089a

SHA1
6db30a9f96366655406ec33010217fb4d1f29afa

SHA256
452c9045c76c436cd8736ecd4bc6110de25ef12756b2c9fb8ccdc10590d19be8

SHA512
acae9601462a73a78fef0bff591dd7298649e83146b66ba7fc85df2390678b2dc92beb9554b658d68b1764d5603d5195f9c7bbcc6cbab8f3fefb8d77af67093f

Download Submit
C:\Windows\System\oAkNkqt.exe

Filesize
5.2MB

MD5
b19aac4ff366f684fa04ce7bd523e503

SHA1
44fc14c3e2439d0ca9975bafb131a1b10378db13

SHA256
e42dc3a234dc01e9165b9a8b6cc39c4e7014cd0687438a767b205fe263a4c148

SHA512
eb41c4451bc4f952c8bbb3f9366a7993f81b5d3474d9f7e0dec06dbd04aa4da23f64d115a8de02cd18112fbf633cc1bd323a179962ace4f71df6effed9bba3a6

Download Submit
C:\Windows\System\pIWOsQt.exe

Filesize
5.2MB

MD5
c8d21bd62c5c1381c206dddadf872550

SHA1
0861e441f2209b45da112e4e65b75f6061d94f84

SHA256
7be400df576b1955bdb7c56338685759f14cad038bb5d65cd0dd16c11eef6b34

SHA512
ffb293e64da5a91712a87ef4736a7c61bc824df5609566df11ce0e2f7213404014196ad73abb43f8f0b75bcb1612dc813336f3d8b58fba21202b594ca2eb4aea

Download Submit
C:\Windows\System\sSzmjEV.exe

Filesize
5.2MB

MD5
ce467108d47266bee213b06cd1722a17

SHA1
9fe9119b184ae516753fe199e48cecd3e086707b

SHA256
208fa18d80722f6eec2759316f3e91d909d0ee2ac7684e17bddc2d6937903e49

SHA512
51b8bf9ce0ffac5fb6fef96d9200584b2ebbee6d33beee10f5ce6df8a5b54744a376838499288bfaa1f06c4c444c6da1f77deb29056af54353a4401cfdc43d3c

Download Submit
C:\Windows\System\vtKhWwh.exe

Filesize
5.2MB

MD5
b795fc350566495430e603425151e0bb

SHA1
cbe6a27d1ab68230ec8b9c2fdf719badb86418e1

SHA256
d0c5a620808c58db5ccd7788e8961b2d7c2f56ed5d1c4f848c9a688658952ae5

SHA512
ffb1672be1ec988ca8a5cb24b2b805c43e12b3e525e453fbba0ffcacd59277f30970b55764a6e434caba23e9ecff960c58d9bbd40f69c75832da66162b6ce46b

Download Submit
C:\Windows\System\whaBSQs.exe

Filesize
5.2MB

MD5
eb0671488e3acdf780eb2206f3ad3070

SHA1
ca368ebc4a35856d283f4453a5fb697617239c1a

SHA256
29b00ca706b6887f2cc1175de9cb95151164e39b1066469869f44c17e3e5c5e6

SHA512
1cfe8983c93e2754cbf4e9dad401aa282f574f49e50df9783596008e87bfe4e2c570c7293695a00efb1b7dd8464d36373e7b7d9832b6d96388c85db23389a7c5

Download Submit
C:\Windows\System\xOWCkqP.exe

Filesize
5.2MB

MD5
800cc62ebb03721df9efc951cf94e6cc

SHA1
74d0ecb5a176c2f5d9b2d3043185a5f91c4d6def

SHA256
5b7640ade73ece011b610cb762363514db889536e02fcfed9e3c0b3f39ed75ce

SHA512
955a504f9b7977be0506fc938c0c7d7a809c0f2c6649e1826463c2caa924744f10d9eb1f73a0ada3001920a9ac557fe631fcd591fafe6612945e1551fa9a9dc3

Download Submit
C:\Windows\System\yxHSdTx.exe

Filesize
5.2MB

MD5
c2aedd1b1845f529c2d4f55d1d3e1926

SHA1
6edf21f000ba72c1d450ca4c92b20231010065ee

SHA256
bbce916c982aa5662e862fd016f80a294280b4591e3a46817e941a537228be66

SHA512
00de895cdcdac487807e398fa1d00e43fa80186e346769b0a65acaa4c520dc3c85f7d64498fade2d4c91897aa050634bda6a5588033e6af376c83f8bb03492c4

Download Submit
memory/380-250-0x00007FF762C60000-0x00007FF762FB1000-memory.dmp

Filesize
3.3MB

Download
memory/380-138-0x00007FF762C60000-0x00007FF762FB1000-memory.dmp

Filesize
3.3MB

Download
memory/380-77-0x00007FF762C60000-0x00007FF762FB1000-memory.dmp

Filesize
3.3MB

Download
memory/952-246-0x00007FF6CBB10000-0x00007FF6CBE61000-memory.dmp

Filesize
3.3MB

Download
memory/952-130-0x00007FF6CBB10000-0x00007FF6CBE61000-memory.dmp

Filesize
3.3MB

Download
memory/952-58-0x00007FF6CBB10000-0x00007FF6CBE61000-memory.dmp

Filesize
3.3MB

Download
memory/1184-248-0x00007FF77F410000-0x00007FF77F761000-memory.dmp

Filesize
3.3MB

Download
memory/1184-69-0x00007FF77F410000-0x00007FF77F761000-memory.dmp

Filesize
3.3MB

Download
memory/1184-134-0x00007FF77F410000-0x00007FF77F761000-memory.dmp

Filesize
3.3MB

Download
memory/1632-175-0x00007FF708060000-0x00007FF7083B1000-memory.dmp

Filesize
3.3MB

Download
memory/1632-146-0x00007FF708060000-0x00007FF7083B1000-memory.dmp

Filesize
3.3MB

Download
memory/1632-277-0x00007FF708060000-0x00007FF7083B1000-memory.dmp

Filesize
3.3MB

Download
memory/2024-183-0x00007FF682380000-0x00007FF6826D1000-memory.dmp

Filesize
3.3MB

Download
memory/2024-1-0x000002A3686E0000-0x000002A3686F0000-memory.dmp

Filesize
64KB

Download
memory/2024-160-0x00007FF682380000-0x00007FF6826D1000-memory.dmp

Filesize
3.3MB

Download
memory/2024-0-0x00007FF682380000-0x00007FF6826D1000-memory.dmp

Filesize
3.3MB

Download
memory/2024-56-0x00007FF682380000-0x00007FF6826D1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-155-0x00007FF6EB9E0000-0x00007FF6EBD31000-memory.dmp

Filesize
3.3MB

Download
memory/2104-91-0x00007FF6EB9E0000-0x00007FF6EBD31000-memory.dmp

Filesize
3.3MB

Download
memory/2104-257-0x00007FF6EB9E0000-0x00007FF6EBD31000-memory.dmp

Filesize
3.3MB

Download
memory/2384-227-0x00007FF638450000-0x00007FF6387A1000-memory.dmp

Filesize
3.3MB

Download
memory/2384-83-0x00007FF638450000-0x00007FF6387A1000-memory.dmp

Filesize
3.3MB

Download
memory/2384-29-0x00007FF638450000-0x00007FF6387A1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-235-0x00007FF7452C0000-0x00007FF745611000-memory.dmp

Filesize
3.3MB

Download
memory/2428-103-0x00007FF7452C0000-0x00007FF745611000-memory.dmp

Filesize
3.3MB

Download
memory/2428-38-0x00007FF7452C0000-0x00007FF745611000-memory.dmp

Filesize
3.3MB

Download
memory/2800-75-0x00007FF6AC040000-0x00007FF6AC391000-memory.dmp

Filesize
3.3MB

Download
memory/2800-22-0x00007FF6AC040000-0x00007FF6AC391000-memory.dmp

Filesize
3.3MB

Download
memory/2800-223-0x00007FF6AC040000-0x00007FF6AC391000-memory.dmp

Filesize
3.3MB

Download
memory/2900-255-0x00007FF7CAB10000-0x00007FF7CAE61000-memory.dmp

Filesize
3.3MB

Download
memory/2900-154-0x00007FF7CAB10000-0x00007FF7CAE61000-memory.dmp

Filesize
3.3MB

Download
memory/2900-84-0x00007FF7CAB10000-0x00007FF7CAE61000-memory.dmp

Filesize
3.3MB

Download
memory/2916-237-0x00007FF66C0B0000-0x00007FF66C401000-memory.dmp

Filesize
3.3MB

Download
memory/2916-45-0x00007FF66C0B0000-0x00007FF66C401000-memory.dmp

Filesize
3.3MB

Download
memory/3172-113-0x00007FF7FF440000-0x00007FF7FF791000-memory.dmp

Filesize
3.3MB

Download
memory/3172-265-0x00007FF7FF440000-0x00007FF7FF791000-memory.dmp

Filesize
3.3MB

Download
memory/3172-157-0x00007FF7FF440000-0x00007FF7FF791000-memory.dmp

Filesize
3.3MB

Download
memory/3292-159-0x00007FF64CAE0000-0x00007FF64CE31000-memory.dmp

Filesize
3.3MB

Download
memory/3292-268-0x00007FF64CAE0000-0x00007FF64CE31000-memory.dmp

Filesize
3.3MB

Download
memory/3292-122-0x00007FF64CAE0000-0x00007FF64CE31000-memory.dmp

Filesize
3.3MB

Download
memory/3508-110-0x00007FF71DA40000-0x00007FF71DD91000-memory.dmp

Filesize
3.3MB

Download
memory/3508-263-0x00007FF71DA40000-0x00007FF71DD91000-memory.dmp

Filesize
3.3MB

Download
memory/3508-156-0x00007FF71DA40000-0x00007FF71DD91000-memory.dmp

Filesize
3.3MB

Download
memory/3860-215-0x00007FF7E5C30000-0x00007FF7E5F81000-memory.dmp

Filesize
3.3MB

Download
memory/3860-68-0x00007FF7E5C30000-0x00007FF7E5F81000-memory.dmp

Filesize
3.3MB

Download
memory/3860-16-0x00007FF7E5C30000-0x00007FF7E5F81000-memory.dmp

Filesize
3.3MB

Download
memory/4364-57-0x00007FF797A30000-0x00007FF797D81000-memory.dmp

Filesize
3.3MB

Download
memory/4364-126-0x00007FF797A30000-0x00007FF797D81000-memory.dmp

Filesize
3.3MB

Download
memory/4364-244-0x00007FF797A30000-0x00007FF797D81000-memory.dmp

Filesize
3.3MB

Download
memory/4440-50-0x00007FF7A0D60000-0x00007FF7A10B1000-memory.dmp

Filesize
3.3MB

Download
memory/4440-117-0x00007FF7A0D60000-0x00007FF7A10B1000-memory.dmp

Filesize
3.3MB

Download
memory/4440-239-0x00007FF7A0D60000-0x00007FF7A10B1000-memory.dmp

Filesize
3.3MB

Download
memory/4452-118-0x00007FF649560000-0x00007FF6498B1000-memory.dmp

Filesize
3.3MB

Download
memory/4452-158-0x00007FF649560000-0x00007FF6498B1000-memory.dmp

Filesize
3.3MB

Download
memory/4452-271-0x00007FF649560000-0x00007FF6498B1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-59-0x00007FF7583C0000-0x00007FF758711000-memory.dmp

Filesize
3.3MB

Download
memory/4460-8-0x00007FF7583C0000-0x00007FF758711000-memory.dmp

Filesize
3.3MB

Download
memory/4460-213-0x00007FF7583C0000-0x00007FF758711000-memory.dmp

Filesize
3.3MB

Download
memory/4532-76-0x00007FF684E50000-0x00007FF6851A1000-memory.dmp

Filesize
3.3MB

Download
memory/4532-27-0x00007FF684E50000-0x00007FF6851A1000-memory.dmp

Filesize
3.3MB

Download
memory/4532-225-0x00007FF684E50000-0x00007FF6851A1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-270-0x00007FF6AE600000-0x00007FF6AE951000-memory.dmp

Filesize
3.3MB

Download
memory/4716-173-0x00007FF6AE600000-0x00007FF6AE951000-memory.dmp

Filesize
3.3MB

Download
memory/4716-131-0x00007FF6AE600000-0x00007FF6AE951000-memory.dmp

Filesize
3.3MB

Download
memory/4800-142-0x00007FF601130000-0x00007FF601481000-memory.dmp

Filesize
3.3MB

Download
memory/4800-174-0x00007FF601130000-0x00007FF601481000-memory.dmp

Filesize
3.3MB

Download
memory/4800-275-0x00007FF601130000-0x00007FF601481000-memory.dmp

Filesize
3.3MB

Download