cobaltstrike | d016e032afc66276f15e2d69e45e3fc8c16e166e971a59d5c57d90cf6aa6c3f4

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

48504766432811d5b6067c2ba7a4f8cf
SHA1

756a6e1d0cf8080295b5ca1b5eac27de469b1646
SHA256

d016e032afc66276f15e2d69e45e3fc8c16e166e971a59d5c57d90cf6aa6c3f4
SHA512

06f36c874a2f1ba4c768353529a7535e13730836d0acc4a2d47e9639f31013c5f4069b97396a7f7571c6891222995eb4c23c79f3d96ee3b41e9d08c76cbb3b29
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lv:RWWBibf56utgpPFotBER/mQ32lUL

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023b0a-6.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b93-11.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b92-12.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b94-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-30.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bac-41.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023ba3-37.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bb1-53.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb9-69.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8f-71.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbc-79.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbe-97.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbf-103.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbd-87.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bb7-64.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bee-108.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bef-114.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf0-125.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf2-135.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bf1-131.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bb3-54.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/5064-32-0x00007FF608A40000-0x00007FF608D91000-memory.dmp	xmrig
behavioral2/memory/4804-93-0x00007FF659230000-0x00007FF659581000-memory.dmp	xmrig
behavioral2/memory/5064-101-0x00007FF608A40000-0x00007FF608D91000-memory.dmp	xmrig
behavioral2/memory/4560-94-0x00007FF627420000-0x00007FF627771000-memory.dmp	xmrig
behavioral2/memory/3472-89-0x00007FF778690000-0x00007FF7789E1000-memory.dmp	xmrig
behavioral2/memory/5076-80-0x00007FF76A090000-0x00007FF76A3E1000-memory.dmp	xmrig
behavioral2/memory/2132-73-0x00007FF66E470000-0x00007FF66E7C1000-memory.dmp	xmrig
behavioral2/memory/2184-67-0x00007FF7D49A0000-0x00007FF7D4CF1000-memory.dmp	xmrig
behavioral2/memory/4628-123-0x00007FF7CCC00000-0x00007FF7CCF51000-memory.dmp	xmrig
behavioral2/memory/2892-119-0x00007FF73BC30000-0x00007FF73BF81000-memory.dmp	xmrig
behavioral2/memory/2760-117-0x00007FF6C8AE0000-0x00007FF6C8E31000-memory.dmp	xmrig
behavioral2/memory/868-113-0x00007FF6516F0000-0x00007FF651A41000-memory.dmp	xmrig
behavioral2/memory/2824-111-0x00007FF6D0700000-0x00007FF6D0A51000-memory.dmp	xmrig
behavioral2/memory/2260-130-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp	xmrig
behavioral2/memory/700-137-0x00007FF6A9B00000-0x00007FF6A9E51000-memory.dmp	xmrig
behavioral2/memory/3080-139-0x00007FF794E10000-0x00007FF795161000-memory.dmp	xmrig
behavioral2/memory/3740-107-0x00007FF719960000-0x00007FF719CB1000-memory.dmp	xmrig
behavioral2/memory/4488-59-0x00007FF6E97E0000-0x00007FF6E9B31000-memory.dmp	xmrig
behavioral2/memory/3088-140-0x00007FF736030000-0x00007FF736381000-memory.dmp	xmrig
behavioral2/memory/4756-141-0x00007FF73DA90000-0x00007FF73DDE1000-memory.dmp	xmrig
behavioral2/memory/2452-142-0x00007FF7B72F0000-0x00007FF7B7641000-memory.dmp	xmrig
behavioral2/memory/2184-143-0x00007FF7D49A0000-0x00007FF7D4CF1000-memory.dmp	xmrig
behavioral2/memory/4732-161-0x00007FF6EBC00000-0x00007FF6EBF51000-memory.dmp	xmrig
behavioral2/memory/4980-165-0x00007FF6FC9C0000-0x00007FF6FCD11000-memory.dmp	xmrig
behavioral2/memory/2184-167-0x00007FF7D49A0000-0x00007FF7D4CF1000-memory.dmp	xmrig
behavioral2/memory/2132-218-0x00007FF66E470000-0x00007FF66E7C1000-memory.dmp	xmrig
behavioral2/memory/5076-220-0x00007FF76A090000-0x00007FF76A3E1000-memory.dmp	xmrig
behavioral2/memory/3472-222-0x00007FF778690000-0x00007FF7789E1000-memory.dmp	xmrig
behavioral2/memory/4560-224-0x00007FF627420000-0x00007FF627771000-memory.dmp	xmrig
behavioral2/memory/5064-236-0x00007FF608A40000-0x00007FF608D91000-memory.dmp	xmrig
behavioral2/memory/3740-237-0x00007FF719960000-0x00007FF719CB1000-memory.dmp	xmrig
behavioral2/memory/2824-239-0x00007FF6D0700000-0x00007FF6D0A51000-memory.dmp	xmrig
behavioral2/memory/4488-243-0x00007FF6E97E0000-0x00007FF6E9B31000-memory.dmp	xmrig
behavioral2/memory/2760-242-0x00007FF6C8AE0000-0x00007FF6C8E31000-memory.dmp	xmrig
behavioral2/memory/2892-245-0x00007FF73BC30000-0x00007FF73BF81000-memory.dmp	xmrig
behavioral2/memory/2260-247-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp	xmrig
behavioral2/memory/700-249-0x00007FF6A9B00000-0x00007FF6A9E51000-memory.dmp	xmrig
behavioral2/memory/3088-255-0x00007FF736030000-0x00007FF736381000-memory.dmp	xmrig
behavioral2/memory/4804-256-0x00007FF659230000-0x00007FF659581000-memory.dmp	xmrig
behavioral2/memory/4756-258-0x00007FF73DA90000-0x00007FF73DDE1000-memory.dmp	xmrig
behavioral2/memory/2452-260-0x00007FF7B72F0000-0x00007FF7B7641000-memory.dmp	xmrig
behavioral2/memory/868-265-0x00007FF6516F0000-0x00007FF651A41000-memory.dmp	xmrig
behavioral2/memory/4628-267-0x00007FF7CCC00000-0x00007FF7CCF51000-memory.dmp	xmrig
behavioral2/memory/4732-269-0x00007FF6EBC00000-0x00007FF6EBF51000-memory.dmp	xmrig
behavioral2/memory/4980-272-0x00007FF6FC9C0000-0x00007FF6FCD11000-memory.dmp	xmrig
behavioral2/memory/3080-274-0x00007FF794E10000-0x00007FF795161000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2132	mDlfsyz.exe
5076	zMrPIFp.exe
3472	HknKYfS.exe
4560	XyJHfzM.exe
5064	MboznPS.exe
3740	sxGwCKV.exe
2824	nwsphET.exe
2760	RszifBC.exe
4488	pieYJQS.exe
2892	tkTSKgK.exe
2260	OkltJou.exe
700	dOtNwjB.exe
3088	gPKdYdB.exe
4804	zSIIeak.exe
4756	ytjoEYK.exe
2452	bLoGhsJ.exe
868	IGrHVtJ.exe
4628	iDINEsJ.exe
4732	HCOBMHh.exe
4980	RnkGaQr.exe
3080	mjojNMn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2184-0-0x00007FF7D49A0000-0x00007FF7D4CF1000-memory.dmp	upx
behavioral2/memory/2132-7-0x00007FF66E470000-0x00007FF66E7C1000-memory.dmp	upx
behavioral2/files/0x000d000000023b0a-6.dat	upx
behavioral2/files/0x000b000000023b93-11.dat	upx
behavioral2/files/0x000b000000023b92-12.dat	upx
behavioral2/memory/3472-18-0x00007FF778690000-0x00007FF7789E1000-memory.dmp	upx
behavioral2/files/0x000b000000023b94-23.dat	upx
behavioral2/memory/4560-25-0x00007FF627420000-0x00007FF627771000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-30.dat	upx
behavioral2/memory/3740-35-0x00007FF719960000-0x00007FF719CB1000-memory.dmp	upx
behavioral2/files/0x0008000000023bac-41.dat	upx
behavioral2/memory/2824-42-0x00007FF6D0700000-0x00007FF6D0A51000-memory.dmp	upx
behavioral2/files/0x000e000000023ba3-37.dat	upx
behavioral2/memory/5064-32-0x00007FF608A40000-0x00007FF608D91000-memory.dmp	upx
behavioral2/memory/5076-16-0x00007FF76A090000-0x00007FF76A3E1000-memory.dmp	upx
behavioral2/memory/2760-48-0x00007FF6C8AE0000-0x00007FF6C8E31000-memory.dmp	upx
behavioral2/files/0x0009000000023bb1-53.dat	upx
behavioral2/files/0x0008000000023bb9-69.dat	upx
behavioral2/files/0x000b000000023b8f-71.dat	upx
behavioral2/files/0x0008000000023bbc-79.dat	upx
behavioral2/memory/3088-81-0x00007FF736030000-0x00007FF736381000-memory.dmp	upx
behavioral2/memory/4804-93-0x00007FF659230000-0x00007FF659581000-memory.dmp	upx
behavioral2/files/0x0008000000023bbe-97.dat	upx
behavioral2/files/0x0008000000023bbf-103.dat	upx
behavioral2/memory/2452-102-0x00007FF7B72F0000-0x00007FF7B7641000-memory.dmp	upx
behavioral2/memory/5064-101-0x00007FF608A40000-0x00007FF608D91000-memory.dmp	upx
behavioral2/memory/4756-95-0x00007FF73DA90000-0x00007FF73DDE1000-memory.dmp	upx
behavioral2/memory/4560-94-0x00007FF627420000-0x00007FF627771000-memory.dmp	upx
behavioral2/memory/3472-89-0x00007FF778690000-0x00007FF7789E1000-memory.dmp	upx
behavioral2/files/0x0008000000023bbd-87.dat	upx
behavioral2/memory/5076-80-0x00007FF76A090000-0x00007FF76A3E1000-memory.dmp	upx
behavioral2/memory/700-78-0x00007FF6A9B00000-0x00007FF6A9E51000-memory.dmp	upx
behavioral2/memory/2260-70-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp	upx
behavioral2/memory/2132-73-0x00007FF66E470000-0x00007FF66E7C1000-memory.dmp	upx
behavioral2/memory/2184-67-0x00007FF7D49A0000-0x00007FF7D4CF1000-memory.dmp	upx
behavioral2/files/0x000e000000023bb7-64.dat	upx
behavioral2/files/0x0008000000023bee-108.dat	upx
behavioral2/files/0x0008000000023bef-114.dat	upx
behavioral2/memory/4628-123-0x00007FF7CCC00000-0x00007FF7CCF51000-memory.dmp	upx
behavioral2/files/0x0008000000023bf0-125.dat	upx
behavioral2/memory/4732-124-0x00007FF6EBC00000-0x00007FF6EBF51000-memory.dmp	upx
behavioral2/memory/2892-119-0x00007FF73BC30000-0x00007FF73BF81000-memory.dmp	upx
behavioral2/memory/2760-117-0x00007FF6C8AE0000-0x00007FF6C8E31000-memory.dmp	upx
behavioral2/memory/868-113-0x00007FF6516F0000-0x00007FF651A41000-memory.dmp	upx
behavioral2/memory/2824-111-0x00007FF6D0700000-0x00007FF6D0A51000-memory.dmp	upx
behavioral2/memory/2260-130-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp	upx
behavioral2/files/0x0008000000023bf2-135.dat	upx
behavioral2/memory/700-137-0x00007FF6A9B00000-0x00007FF6A9E51000-memory.dmp	upx
behavioral2/memory/4980-134-0x00007FF6FC9C0000-0x00007FF6FCD11000-memory.dmp	upx
behavioral2/files/0x0008000000023bf1-131.dat	upx
behavioral2/memory/3080-139-0x00007FF794E10000-0x00007FF795161000-memory.dmp	upx
behavioral2/memory/3740-107-0x00007FF719960000-0x00007FF719CB1000-memory.dmp	upx
behavioral2/memory/2892-62-0x00007FF73BC30000-0x00007FF73BF81000-memory.dmp	upx
behavioral2/memory/4488-59-0x00007FF6E97E0000-0x00007FF6E9B31000-memory.dmp	upx
behavioral2/files/0x0009000000023bb3-54.dat	upx
behavioral2/memory/3088-140-0x00007FF736030000-0x00007FF736381000-memory.dmp	upx
behavioral2/memory/4756-141-0x00007FF73DA90000-0x00007FF73DDE1000-memory.dmp	upx
behavioral2/memory/2452-142-0x00007FF7B72F0000-0x00007FF7B7641000-memory.dmp	upx
behavioral2/memory/2184-143-0x00007FF7D49A0000-0x00007FF7D4CF1000-memory.dmp	upx
behavioral2/memory/4732-161-0x00007FF6EBC00000-0x00007FF6EBF51000-memory.dmp	upx
behavioral2/memory/4980-165-0x00007FF6FC9C0000-0x00007FF6FCD11000-memory.dmp	upx
behavioral2/memory/2184-167-0x00007FF7D49A0000-0x00007FF7D4CF1000-memory.dmp	upx
behavioral2/memory/2132-218-0x00007FF66E470000-0x00007FF66E7C1000-memory.dmp	upx
behavioral2/memory/5076-220-0x00007FF76A090000-0x00007FF76A3E1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\mDlfsyz.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zMrPIFp.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dOtNwjB.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MboznPS.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nwsphET.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pieYJQS.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zSIIeak.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bLoGhsJ.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iDINEsJ.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HCOBMHh.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mjojNMn.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sxGwCKV.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RszifBC.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tkTSKgK.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OkltJou.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gPKdYdB.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RnkGaQr.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HknKYfS.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XyJHfzM.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ytjoEYK.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IGrHVtJ.exe	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2132	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2184 wrote to memory of 2132	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2184 wrote to memory of 5076	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2184 wrote to memory of 5076	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2184 wrote to memory of 3472	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2184 wrote to memory of 3472	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2184 wrote to memory of 4560	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2184 wrote to memory of 4560	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2184 wrote to memory of 5064	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2184 wrote to memory of 5064	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2184 wrote to memory of 3740	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2184 wrote to memory of 3740	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2184 wrote to memory of 2824	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2184 wrote to memory of 2824	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2184 wrote to memory of 2760	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2184 wrote to memory of 2760	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2184 wrote to memory of 4488	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2184 wrote to memory of 4488	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2184 wrote to memory of 2892	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2184 wrote to memory of 2892	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2184 wrote to memory of 2260	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2184 wrote to memory of 2260	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2184 wrote to memory of 700	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2184 wrote to memory of 700	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2184 wrote to memory of 3088	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2184 wrote to memory of 3088	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2184 wrote to memory of 4804	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2184 wrote to memory of 4804	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2184 wrote to memory of 4756	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2184 wrote to memory of 4756	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2184 wrote to memory of 2452	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2184 wrote to memory of 2452	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2184 wrote to memory of 868	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2184 wrote to memory of 868	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2184 wrote to memory of 4628	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2184 wrote to memory of 4628	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2184 wrote to memory of 4732	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2184 wrote to memory of 4732	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2184 wrote to memory of 4980	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2184 wrote to memory of 4980	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2184 wrote to memory of 3080	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2184 wrote to memory of 3080	2184	2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-03_48504766432811d5b6067c2ba7a4f8cf_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\System\mDlfsyz.exe
  C:\Windows\System\mDlfsyz.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\zMrPIFp.exe
  C:\Windows\System\zMrPIFp.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\HknKYfS.exe
  C:\Windows\System\HknKYfS.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\XyJHfzM.exe
  C:\Windows\System\XyJHfzM.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System\MboznPS.exe
  C:\Windows\System\MboznPS.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\sxGwCKV.exe
  C:\Windows\System\sxGwCKV.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System\nwsphET.exe
  C:\Windows\System\nwsphET.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\RszifBC.exe
  C:\Windows\System\RszifBC.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\pieYJQS.exe
  C:\Windows\System\pieYJQS.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\tkTSKgK.exe
  C:\Windows\System\tkTSKgK.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\OkltJou.exe
  C:\Windows\System\OkltJou.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\dOtNwjB.exe
  C:\Windows\System\dOtNwjB.exe
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\System\gPKdYdB.exe
  C:\Windows\System\gPKdYdB.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System\zSIIeak.exe
  C:\Windows\System\zSIIeak.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\ytjoEYK.exe
  C:\Windows\System\ytjoEYK.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\bLoGhsJ.exe
  C:\Windows\System\bLoGhsJ.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\IGrHVtJ.exe
  C:\Windows\System\IGrHVtJ.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System\iDINEsJ.exe
  C:\Windows\System\iDINEsJ.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\HCOBMHh.exe
  C:\Windows\System\HCOBMHh.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\RnkGaQr.exe
  C:\Windows\System\RnkGaQr.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\mjojNMn.exe
  C:\Windows\System\mjojNMn.exe
  2⤵
  - Executes dropped EXE
  PID:3080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\HCOBMHh.exe

Filesize
5.2MB

MD5
34be732ba685ea18b4d8b894b01502ff

SHA1
fd33a2b68732fb676164b62693cf1bab5d2a3a16

SHA256
349ad2b6f0029241a0f88423dd2eccd3916d84919b6ae00ff158dcba90c4a87a

SHA512
2a409ed3a4ae256e8bca5cc496748189c38298346a4c346aada2510dd95b78f30bd336cf6c96f2cba4b952f1d10d3b8bc9de3cb43ee664e364d991ee1bd5f052

Download Submit
C:\Windows\System\HknKYfS.exe

Filesize
5.2MB

MD5
9cc137ab4c231d12431a50e0686159c6

SHA1
b018abdb4640ad7c165bcb5cd40733505f378eb1

SHA256
00bf19cbd6c84aa9ecfd466f65b4a014f52211c9225b41a9179c8247cf224615

SHA512
206a95ae7ac204dc16fe6e6d6c38568b01662b1a250cbb2b4dabebe66f6add16d802f8e22758612ffcd0bceea3e9240923ba0a13ef0fcfb57c98cf3ac7f805c8

Download Submit
C:\Windows\System\IGrHVtJ.exe

Filesize
5.2MB

MD5
1294ddd7c90993dce4b85f18f7b38306

SHA1
fee4af304edf9d3fee314cab920623234242dd36

SHA256
9a312a10ed8a80e6bb400a7dae7ce57fb7ee419a101627ca66bc6b0b7b835e9d

SHA512
374cb6b9700d19737223d54a20f081907aca2b22a88579c38f8ad7025f58763c6a55a096df12c75d71f33ee4f6c55e80832221895ad4f1b25bfd3fd16b0439d8

Download Submit
C:\Windows\System\MboznPS.exe

Filesize
5.2MB

MD5
169677d2d0cbdcf0746a8b0bf1b3e555

SHA1
f2639b21faaca799323b321b949726d1be78c39a

SHA256
6cd6511ae351d1847718474995e5a49d97e26afd5ec2baa1d733cdf191a4374c

SHA512
a39af0219a8b17e17099012e3d14071a2aa8b3099056aa7136e5304cf76a6c20f5d7c7149804f579e200f81ee52a964c682c0022f0eaebb74f57ef5b0c8a0d39

Download Submit
C:\Windows\System\OkltJou.exe

Filesize
5.2MB

MD5
c1555103b9079ccb3b522c8124b8146a

SHA1
53789f041e7eaf6406186f36509aeb30db6e3b6a

SHA256
174bdda34c149c41f377a05d12917ec5412f5d8d4c9ed8e50f926bc039b240c2

SHA512
39bf8b8797eb88a10eae48ad2bd6e1cecc1002035cbdc05e6bafe85acb168e963ce38bb1e9114f6d2ad9a99c77f739e4d9e01cffc19d64e214ea39751fb7ffeb

Download Submit
C:\Windows\System\RnkGaQr.exe

Filesize
5.2MB

MD5
4ce0940e08658a5b4fdbf03c20ab3b2f

SHA1
1e7b466fcb83172c51a4769f6d87a47d5b579cfa

SHA256
ccf441f2a43ffbe593d923712f7b400d36fb59b61955af48a99ea2943146b2db

SHA512
e465b89c6fb0af7bad0bd36dbeb2f57bf8c260b37fca3623f0b20bf9f695075d89565db932dabdc6981e00e2a098efa3855238c13a7c236576cd0cc6a0a07509

Download Submit
C:\Windows\System\RszifBC.exe

Filesize
5.2MB

MD5
470843c6b9ebbc495dca992e9029e725

SHA1
fe5cb7b4ac507080d37e9103e45681fd92052aaa

SHA256
2f1f1dc80b06e57134ec9dfa81b9a658b3ae84c398418e055ca4554e44f205fa

SHA512
c846f39c21e852c09737085418294e91e007e5da849449613d6b676d41b36267106d44833611319aafeda65723e5d5fd3fd36a5f11f08d1d2b441a5b66ac7c28

Download Submit
C:\Windows\System\XyJHfzM.exe

Filesize
5.2MB

MD5
4dd9af9eb9b6f39441319c88cf048b29

SHA1
09d4ec73c9b459d294ff403c256b3a5c9658b8cd

SHA256
154b90a2d936e118d9829b04d09982615149064e533616817e206f37c78fe772

SHA512
1ffc62d4a94a9fd9aa74806c957ad515d9da535e767aade580420d5f8df81751aca558aa08f8bd5ff4f23a7dbeb6fed6f59f69c872158c17f80fc210232bce04

Download Submit
C:\Windows\System\bLoGhsJ.exe

Filesize
5.2MB

MD5
16d0496376ff538de7caab4f5ca27aaf

SHA1
5d872e523d4d61df9d7e1f64d168816416dff333

SHA256
35c1a11799fc064743f7cdd074c68dd3e8cb0e2dedd50fe711161c56a57fdc3f

SHA512
3c5ce6690abd34f1e2e1c85d773718de12d3381ad99b42bf555555965bae2e3b4dd4341d1631e5bde49ec4df03489c844f367abfddda44354e63c5a5b1f47037

Download Submit
C:\Windows\System\dOtNwjB.exe

Filesize
5.2MB

MD5
f608a7993017920e18c1adbcafb42f95

SHA1
e8fc9c331fc151cd877dd390e8f93cd02a11b10c

SHA256
76e915cfeb00a1bc9e2070ff09c805634df98c8b01fa897ab5c80be985c2e7cf

SHA512
efdab654f265d0b1e85edcd2e2e807c9c089313f777029a38acbc398b8a2ad40a993ea556ecf82d59aa4b179b982315b0749c9cab3ec51f926dae570a249e4c8

Download Submit
C:\Windows\System\gPKdYdB.exe

Filesize
5.2MB

MD5
89554a092d332d0053136c8f5a6e4e58

SHA1
f835317fbc2d59f202130f10e6e29d03469b5a8e

SHA256
83da56904a6d2db56bfa89808704d3eaf530cfde2a0f2fdd230e463ef7e937bd

SHA512
a374a641bb91bb31e36701ec1ca40172933daa4cba039c014fcf1daa33b6c3b7128fafac254f3653b551bce40aef99a5619f633b4aabb1bf490159c3aa903be2

Download Submit
C:\Windows\System\iDINEsJ.exe

Filesize
5.2MB

MD5
263a7a58174dde79014febd3c6af28fe

SHA1
7124fd9e94f6bebbfc5256b30da8fda9bfaea076

SHA256
7bc165da6b8ca05a39a8507dcbfc1e3cb58961869f2a11a99ddfc0f70b84c99d

SHA512
e9795401ac64c59ebe46a0f7446950c0b20992f037b3debde0fffdbed9cf21c52640c7fdf0f2aef9bca825cc6d042e2c8ca5905e86012fd0fa4029f3d9a9006c

Download Submit
C:\Windows\System\mDlfsyz.exe

Filesize
5.2MB

MD5
1dcf14eab4a7894cd4558e58a8279e98

SHA1
271b49db38a8488e90c689e7a773d5cf866d0ebc

SHA256
2b653a25a1bf92df8a14d7b698bef6a99076f7927ecacca0338ef6b3ef097908

SHA512
57c5e3541d8b7bf23a5e098b4c4dfe206d639e50f7d52a2244b1699d96f4f5b33acf5f05cb9481519e1780596e20484021d76e0335a9f101ea8db52ff742c3d2

Download Submit
C:\Windows\System\mjojNMn.exe

Filesize
5.2MB

MD5
279a1763eb0d58c49b838b999963d340

SHA1
a66968c4920122e2999b5fa02cf2641a6d59fead

SHA256
a25ee346d1adb0021a78fd2e548ba588f81e53bf78c81ecacc245ffa3fb735f5

SHA512
33b3dcd4d518cf5d717487910baa581611b7f00ce9f6c90a37dbae22f202c809ca819650a66a1c47d4c0cd132f9be283958744058810a2df20cc9ed4ba1ab64f

Download Submit
C:\Windows\System\nwsphET.exe

Filesize
5.2MB

MD5
6c6a9fda3f4713abf81ba2b26e4c699e

SHA1
efbd23f34653bbb444dca7146c8995b43defe510

SHA256
2aee823068e6e2e63c61bc27ff1f7d3d1e7629f6980fb9b02bdaa1a717bfa766

SHA512
59f3ab16091f5ab4c90ec5810fd1ecdb885469c13d0641fb9012e81b99cce1654eb5896ece1603702a1ce8ac8cd745848055d184bbea32531a50f0d8a9555d74

Download Submit
C:\Windows\System\pieYJQS.exe

Filesize
5.2MB

MD5
39372b5ac49a3831e54822f66e6fec5c

SHA1
8df2f29e263355db4a712caf1e032255565868dd

SHA256
c32bf69cd8ec26af5808d7e199c6ba79bc211c788174858e509870053e4ec758

SHA512
fff7e4f278aceaf8c212ea4313065a5965a796996d240a783893b4c589faad7ced4533c4dbb2fb67737a768bf2f13e693e9615aee86622ae49fdce2b5bd14d08

Download Submit
C:\Windows\System\sxGwCKV.exe

Filesize
5.2MB

MD5
903f376342332d55dd5a84e12186e319

SHA1
3f43b1c5313725d7b4a5897d62060ca74d9be9a5

SHA256
ebc3951e6e5f4b920c60bf52840dd960fd61c5a2f8d2d9711772f317b3cc9a5b

SHA512
729db3efc0c394785333d7426c1420efdf22436194fcea3365d5891e6372e1989e91d567b2a3f56ca4c469174ef7fde48c90dff89a8ba35ba133dff4533ee5de

Download Submit
C:\Windows\System\tkTSKgK.exe

Filesize
5.2MB

MD5
ec485de385137594fa35ff7550cd655f

SHA1
8374361affc6f2cb742e95a5f19993a79963d323

SHA256
8177a142d9064b2e747d043b33f1879d9653ece5720969d6211037baa5d2f181

SHA512
b01b1ba335feb4b2e645ab75a3085affa1badbf1e6aa346db533b139d6726b3aabd5b09fd5727f06dcb4bf13921aa1524dfb40de6c2b5b3a0f407d1be5707334

Download Submit
C:\Windows\System\ytjoEYK.exe

Filesize
5.2MB

MD5
c3bceb0f7b5b61ffab9d39c1cef6b26f

SHA1
d58ec82e167ff5382b39d8b599bec14f083dea28

SHA256
d3ebeff36f7fe21c7586122774e6f812ad6e4269df565cb17912193a3c9fbff0

SHA512
8b4111d7d1a057b0da0da9f8cfe54e56e95c2a8f3db35fd7ed3814367ad5d95fbb11a44f13c165e64bbb75d1df05b1eb1fe865702a45ce069846183a51db702d

Download Submit
C:\Windows\System\zMrPIFp.exe

Filesize
5.2MB

MD5
7e07d36fcaa04f6a2504fe68516cc22c

SHA1
5ec42f1ec9298a37b92069139d488e125f06a69a

SHA256
6e40d6aa3712f9f247123ca3ad1a1bd7c8029519d0f321a70e1d1551767a4421

SHA512
31ec27f671eda067d3ea18438117593a2d7d18a91635d379b5042fdb423a2aa41b6014927422a21da8de14cac8584f3fb1de60893120d34fd93d5451c33b51e6

Download Submit
C:\Windows\System\zSIIeak.exe

Filesize
5.2MB

MD5
e0d552e836e1a9c6fbd2b55d3e2c8057

SHA1
4c909cc4e49ae857a5e57d1cd6992e1bdfdc04f1

SHA256
9abd8b897162ddb5451b449c9dab87a5244a0eb2075fec0d07f75be978d94b0b

SHA512
490b9aac5702bfae6ae792594088b6aa51bf4038ca81dbb3d0b44e3a2888e6ddf3464c8b0551544ac58eb00dd1573f9d79164b8d608854f6571aca9c6a60048c

Download Submit
memory/700-137-0x00007FF6A9B00000-0x00007FF6A9E51000-memory.dmp

Filesize
3.3MB

Download
memory/700-78-0x00007FF6A9B00000-0x00007FF6A9E51000-memory.dmp

Filesize
3.3MB

Download
memory/700-249-0x00007FF6A9B00000-0x00007FF6A9E51000-memory.dmp

Filesize
3.3MB

Download
memory/868-265-0x00007FF6516F0000-0x00007FF651A41000-memory.dmp

Filesize
3.3MB

Download
memory/868-113-0x00007FF6516F0000-0x00007FF651A41000-memory.dmp

Filesize
3.3MB

Download
memory/2132-218-0x00007FF66E470000-0x00007FF66E7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-73-0x00007FF66E470000-0x00007FF66E7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-7-0x00007FF66E470000-0x00007FF66E7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-1-0x0000023567610000-0x0000023567620000-memory.dmp

Filesize
64KB

Download
memory/2184-167-0x00007FF7D49A0000-0x00007FF7D4CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-0-0x00007FF7D49A0000-0x00007FF7D4CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-143-0x00007FF7D49A0000-0x00007FF7D4CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-67-0x00007FF7D49A0000-0x00007FF7D4CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-130-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp

Filesize
3.3MB

Download
memory/2260-70-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp

Filesize
3.3MB

Download
memory/2260-247-0x00007FF64ECB0000-0x00007FF64F001000-memory.dmp

Filesize
3.3MB

Download
memory/2452-260-0x00007FF7B72F0000-0x00007FF7B7641000-memory.dmp

Filesize
3.3MB

Download
memory/2452-102-0x00007FF7B72F0000-0x00007FF7B7641000-memory.dmp

Filesize
3.3MB

Download
memory/2452-142-0x00007FF7B72F0000-0x00007FF7B7641000-memory.dmp

Filesize
3.3MB

Download
memory/2760-48-0x00007FF6C8AE0000-0x00007FF6C8E31000-memory.dmp

Filesize
3.3MB

Download
memory/2760-242-0x00007FF6C8AE0000-0x00007FF6C8E31000-memory.dmp

Filesize
3.3MB

Download
memory/2760-117-0x00007FF6C8AE0000-0x00007FF6C8E31000-memory.dmp

Filesize
3.3MB

Download
memory/2824-42-0x00007FF6D0700000-0x00007FF6D0A51000-memory.dmp

Filesize
3.3MB

Download
memory/2824-239-0x00007FF6D0700000-0x00007FF6D0A51000-memory.dmp

Filesize
3.3MB

Download
memory/2824-111-0x00007FF6D0700000-0x00007FF6D0A51000-memory.dmp

Filesize
3.3MB

Download
memory/2892-119-0x00007FF73BC30000-0x00007FF73BF81000-memory.dmp

Filesize
3.3MB

Download
memory/2892-245-0x00007FF73BC30000-0x00007FF73BF81000-memory.dmp

Filesize
3.3MB

Download
memory/2892-62-0x00007FF73BC30000-0x00007FF73BF81000-memory.dmp

Filesize
3.3MB

Download
memory/3080-274-0x00007FF794E10000-0x00007FF795161000-memory.dmp

Filesize
3.3MB

Download
memory/3080-139-0x00007FF794E10000-0x00007FF795161000-memory.dmp

Filesize
3.3MB

Download
memory/3088-140-0x00007FF736030000-0x00007FF736381000-memory.dmp

Filesize
3.3MB

Download
memory/3088-255-0x00007FF736030000-0x00007FF736381000-memory.dmp

Filesize
3.3MB

Download
memory/3088-81-0x00007FF736030000-0x00007FF736381000-memory.dmp

Filesize
3.3MB

Download
memory/3472-222-0x00007FF778690000-0x00007FF7789E1000-memory.dmp

Filesize
3.3MB

Download
memory/3472-89-0x00007FF778690000-0x00007FF7789E1000-memory.dmp

Filesize
3.3MB

Download
memory/3472-18-0x00007FF778690000-0x00007FF7789E1000-memory.dmp

Filesize
3.3MB

Download
memory/3740-107-0x00007FF719960000-0x00007FF719CB1000-memory.dmp

Filesize
3.3MB

Download
memory/3740-237-0x00007FF719960000-0x00007FF719CB1000-memory.dmp

Filesize
3.3MB

Download
memory/3740-35-0x00007FF719960000-0x00007FF719CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4488-59-0x00007FF6E97E0000-0x00007FF6E9B31000-memory.dmp

Filesize
3.3MB

Download
memory/4488-243-0x00007FF6E97E0000-0x00007FF6E9B31000-memory.dmp

Filesize
3.3MB

Download
memory/4560-224-0x00007FF627420000-0x00007FF627771000-memory.dmp

Filesize
3.3MB

Download
memory/4560-94-0x00007FF627420000-0x00007FF627771000-memory.dmp

Filesize
3.3MB

Download
memory/4560-25-0x00007FF627420000-0x00007FF627771000-memory.dmp

Filesize
3.3MB

Download
memory/4628-267-0x00007FF7CCC00000-0x00007FF7CCF51000-memory.dmp

Filesize
3.3MB

Download
memory/4628-123-0x00007FF7CCC00000-0x00007FF7CCF51000-memory.dmp

Filesize
3.3MB

Download
memory/4732-124-0x00007FF6EBC00000-0x00007FF6EBF51000-memory.dmp

Filesize
3.3MB

Download
memory/4732-269-0x00007FF6EBC00000-0x00007FF6EBF51000-memory.dmp

Filesize
3.3MB

Download
memory/4732-161-0x00007FF6EBC00000-0x00007FF6EBF51000-memory.dmp

Filesize
3.3MB

Download
memory/4756-95-0x00007FF73DA90000-0x00007FF73DDE1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-258-0x00007FF73DA90000-0x00007FF73DDE1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-141-0x00007FF73DA90000-0x00007FF73DDE1000-memory.dmp

Filesize
3.3MB

Download
memory/4804-256-0x00007FF659230000-0x00007FF659581000-memory.dmp

Filesize
3.3MB

Download
memory/4804-93-0x00007FF659230000-0x00007FF659581000-memory.dmp

Filesize
3.3MB

Download
memory/4980-134-0x00007FF6FC9C0000-0x00007FF6FCD11000-memory.dmp

Filesize
3.3MB

Download
memory/4980-272-0x00007FF6FC9C0000-0x00007FF6FCD11000-memory.dmp

Filesize
3.3MB

Download
memory/4980-165-0x00007FF6FC9C0000-0x00007FF6FCD11000-memory.dmp

Filesize
3.3MB

Download
memory/5064-32-0x00007FF608A40000-0x00007FF608D91000-memory.dmp

Filesize
3.3MB

Download
memory/5064-236-0x00007FF608A40000-0x00007FF608D91000-memory.dmp

Filesize
3.3MB

Download
memory/5064-101-0x00007FF608A40000-0x00007FF608D91000-memory.dmp

Filesize
3.3MB

Download
memory/5076-80-0x00007FF76A090000-0x00007FF76A3E1000-memory.dmp

Filesize
3.3MB

Download
memory/5076-16-0x00007FF76A090000-0x00007FF76A3E1000-memory.dmp

Filesize
3.3MB

Download
memory/5076-220-0x00007FF76A090000-0x00007FF76A3E1000-memory.dmp

Filesize
3.3MB

Download