cobaltstrike | 8b8cd079716102e6b75ad006051c66d3d3d4a8e08e3077a7aa4014f3393df598

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a9abc553057c8be8e6484b8bb9579c87
SHA1

0bcf296c881c1a701cde674bf7fce8d27a4d9b87
SHA256

8b8cd079716102e6b75ad006051c66d3d3d4a8e08e3077a7aa4014f3393df598
SHA512

3c0741d44ce820a4667ac86f46333652afb5f5288b9af60b4f2cdda39170c40bc1cc3499b246d567d52fa426775d6682a0b2a50b95c01189f0502cc8fe5bb7e7
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ln:RWWBibd56utgpPFotBER/mQ32lUb

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\PYUFffI.exe	cobalt_reflective_dll
C:\Windows\System\rUqpBdO.exe	cobalt_reflective_dll
C:\Windows\System\loRkRog.exe	cobalt_reflective_dll
C:\Windows\System\pXCNgME.exe	cobalt_reflective_dll
C:\Windows\System\ltEsiMn.exe	cobalt_reflective_dll
C:\Windows\System\FNagrdx.exe	cobalt_reflective_dll
C:\Windows\System\CMcCodI.exe	cobalt_reflective_dll
C:\Windows\System\PLJisfA.exe	cobalt_reflective_dll
C:\Windows\System\jqwrYLC.exe	cobalt_reflective_dll
C:\Windows\System\dtsOJWm.exe	cobalt_reflective_dll
C:\Windows\System\gIBTHpi.exe	cobalt_reflective_dll
C:\Windows\System\XydVdjT.exe	cobalt_reflective_dll
C:\Windows\System\axndeHw.exe	cobalt_reflective_dll
C:\Windows\System\tPXIwKp.exe	cobalt_reflective_dll
C:\Windows\System\AnGznlX.exe	cobalt_reflective_dll
C:\Windows\System\DZJInlq.exe	cobalt_reflective_dll
C:\Windows\System\qCSLFHU.exe	cobalt_reflective_dll
C:\Windows\System\tOQbjSI.exe	cobalt_reflective_dll
C:\Windows\System\DhFVfHp.exe	cobalt_reflective_dll
C:\Windows\System\XhfqlOC.exe	cobalt_reflective_dll
C:\Windows\System\uxSMqhA.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3012-8-0x00007FF7FF2E0000-0x00007FF7FF631000-memory.dmp	xmrig
behavioral2/memory/2088-43-0x00007FF6AC4B0000-0x00007FF6AC801000-memory.dmp	xmrig
behavioral2/memory/3972-50-0x00007FF711D80000-0x00007FF7120D1000-memory.dmp	xmrig
behavioral2/memory/2412-32-0x00007FF799D50000-0x00007FF79A0A1000-memory.dmp	xmrig
behavioral2/memory/1836-55-0x00007FF752990000-0x00007FF752CE1000-memory.dmp	xmrig
behavioral2/memory/4324-63-0x00007FF611160000-0x00007FF6114B1000-memory.dmp	xmrig
behavioral2/memory/1944-70-0x00007FF71C810000-0x00007FF71CB61000-memory.dmp	xmrig
behavioral2/memory/3012-69-0x00007FF7FF2E0000-0x00007FF7FF631000-memory.dmp	xmrig
behavioral2/memory/4416-62-0x00007FF78D4C0000-0x00007FF78D811000-memory.dmp	xmrig
behavioral2/memory/392-81-0x00007FF64DA10000-0x00007FF64DD61000-memory.dmp	xmrig
behavioral2/memory/4624-74-0x00007FF77E9D0000-0x00007FF77ED21000-memory.dmp	xmrig
behavioral2/memory/2636-88-0x00007FF632890000-0x00007FF632BE1000-memory.dmp	xmrig
behavioral2/memory/4516-100-0x00007FF793960000-0x00007FF793CB1000-memory.dmp	xmrig
behavioral2/memory/1360-116-0x00007FF757DD0000-0x00007FF758121000-memory.dmp	xmrig
behavioral2/memory/100-109-0x00007FF6BAF60000-0x00007FF6BB2B1000-memory.dmp	xmrig
behavioral2/memory/1836-129-0x00007FF752990000-0x00007FF752CE1000-memory.dmp	xmrig
behavioral2/memory/396-130-0x00007FF6AC950000-0x00007FF6ACCA1000-memory.dmp	xmrig
behavioral2/memory/4840-125-0x00007FF6DBAA0000-0x00007FF6DBDF1000-memory.dmp	xmrig
behavioral2/memory/4968-138-0x00007FF745DB0000-0x00007FF746101000-memory.dmp	xmrig
behavioral2/memory/4952-145-0x00007FF7992D0000-0x00007FF799621000-memory.dmp	xmrig
behavioral2/memory/4636-150-0x00007FF6B3100000-0x00007FF6B3451000-memory.dmp	xmrig
behavioral2/memory/2820-149-0x00007FF702210000-0x00007FF702561000-memory.dmp	xmrig
behavioral2/memory/4464-152-0x00007FF66ECE0000-0x00007FF66F031000-memory.dmp	xmrig
behavioral2/memory/1088-154-0x00007FF6F1690000-0x00007FF6F19E1000-memory.dmp	xmrig
behavioral2/memory/4416-156-0x00007FF78D4C0000-0x00007FF78D811000-memory.dmp	xmrig
behavioral2/memory/3012-207-0x00007FF7FF2E0000-0x00007FF7FF631000-memory.dmp	xmrig
behavioral2/memory/4624-209-0x00007FF77E9D0000-0x00007FF77ED21000-memory.dmp	xmrig
behavioral2/memory/392-211-0x00007FF64DA10000-0x00007FF64DD61000-memory.dmp	xmrig
behavioral2/memory/2636-213-0x00007FF632890000-0x00007FF632BE1000-memory.dmp	xmrig
behavioral2/memory/2412-220-0x00007FF799D50000-0x00007FF79A0A1000-memory.dmp	xmrig
behavioral2/memory/100-222-0x00007FF6BAF60000-0x00007FF6BB2B1000-memory.dmp	xmrig
behavioral2/memory/2088-224-0x00007FF6AC4B0000-0x00007FF6AC801000-memory.dmp	xmrig
behavioral2/memory/3972-226-0x00007FF711D80000-0x00007FF7120D1000-memory.dmp	xmrig
behavioral2/memory/1836-228-0x00007FF752990000-0x00007FF752CE1000-memory.dmp	xmrig
behavioral2/memory/4324-230-0x00007FF611160000-0x00007FF6114B1000-memory.dmp	xmrig
behavioral2/memory/1944-232-0x00007FF71C810000-0x00007FF71CB61000-memory.dmp	xmrig
behavioral2/memory/4952-235-0x00007FF7992D0000-0x00007FF799621000-memory.dmp	xmrig
behavioral2/memory/4636-244-0x00007FF6B3100000-0x00007FF6B3451000-memory.dmp	xmrig
behavioral2/memory/2820-246-0x00007FF702210000-0x00007FF702561000-memory.dmp	xmrig
behavioral2/memory/4516-248-0x00007FF793960000-0x00007FF793CB1000-memory.dmp	xmrig
behavioral2/memory/1360-251-0x00007FF757DD0000-0x00007FF758121000-memory.dmp	xmrig
behavioral2/memory/1088-253-0x00007FF6F1690000-0x00007FF6F19E1000-memory.dmp	xmrig
behavioral2/memory/4464-254-0x00007FF66ECE0000-0x00007FF66F031000-memory.dmp	xmrig
behavioral2/memory/4840-256-0x00007FF6DBAA0000-0x00007FF6DBDF1000-memory.dmp	xmrig
behavioral2/memory/396-258-0x00007FF6AC950000-0x00007FF6ACCA1000-memory.dmp	xmrig
behavioral2/memory/4968-262-0x00007FF745DB0000-0x00007FF746101000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

PYUFffI.exerUqpBdO.exeloRkRog.exepXCNgME.exeltEsiMn.exeFNagrdx.exeCMcCodI.exePLJisfA.exejqwrYLC.exedtsOJWm.exegIBTHpi.exeXydVdjT.exeaxndeHw.exetPXIwKp.exeqCSLFHU.exeDZJInlq.exeAnGznlX.exetOQbjSI.exeDhFVfHp.exeXhfqlOC.exeuxSMqhA.exe

pid	process
3012	PYUFffI.exe
4624	rUqpBdO.exe
392	loRkRog.exe
2636	pXCNgME.exe
2412	ltEsiMn.exe
100	FNagrdx.exe
2088	CMcCodI.exe
3972	PLJisfA.exe
1836	jqwrYLC.exe
4324	dtsOJWm.exe
1944	gIBTHpi.exe
4952	XydVdjT.exe
2820	axndeHw.exe
4636	tPXIwKp.exe
4516	qCSLFHU.exe
4464	DZJInlq.exe
1360	AnGznlX.exe
1088	tOQbjSI.exe
4840	DhFVfHp.exe
396	XhfqlOC.exe
4968	uxSMqhA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4416-0-0x00007FF78D4C0000-0x00007FF78D811000-memory.dmp	upx
C:\Windows\System\PYUFffI.exe	upx
behavioral2/memory/3012-8-0x00007FF7FF2E0000-0x00007FF7FF631000-memory.dmp	upx
C:\Windows\System\rUqpBdO.exe	upx
C:\Windows\System\loRkRog.exe	upx
behavioral2/memory/4624-13-0x00007FF77E9D0000-0x00007FF77ED21000-memory.dmp	upx
behavioral2/memory/392-20-0x00007FF64DA10000-0x00007FF64DD61000-memory.dmp	upx
C:\Windows\System\pXCNgME.exe	upx
behavioral2/memory/2636-26-0x00007FF632890000-0x00007FF632BE1000-memory.dmp	upx
C:\Windows\System\ltEsiMn.exe	upx
C:\Windows\System\FNagrdx.exe	upx
C:\Windows\System\CMcCodI.exe	upx
behavioral2/memory/100-38-0x00007FF6BAF60000-0x00007FF6BB2B1000-memory.dmp	upx
behavioral2/memory/2088-43-0x00007FF6AC4B0000-0x00007FF6AC801000-memory.dmp	upx
C:\Windows\System\PLJisfA.exe	upx
behavioral2/memory/3972-50-0x00007FF711D80000-0x00007FF7120D1000-memory.dmp	upx
behavioral2/memory/2412-32-0x00007FF799D50000-0x00007FF79A0A1000-memory.dmp	upx
C:\Windows\System\jqwrYLC.exe	upx
behavioral2/memory/1836-55-0x00007FF752990000-0x00007FF752CE1000-memory.dmp	upx
C:\Windows\System\dtsOJWm.exe	upx
behavioral2/memory/4324-63-0x00007FF611160000-0x00007FF6114B1000-memory.dmp	upx
C:\Windows\System\gIBTHpi.exe	upx
behavioral2/memory/1944-70-0x00007FF71C810000-0x00007FF71CB61000-memory.dmp	upx
behavioral2/memory/3012-69-0x00007FF7FF2E0000-0x00007FF7FF631000-memory.dmp	upx
behavioral2/memory/4416-62-0x00007FF78D4C0000-0x00007FF78D811000-memory.dmp	upx
C:\Windows\System\XydVdjT.exe	upx
C:\Windows\System\axndeHw.exe	upx
behavioral2/memory/4952-80-0x00007FF7992D0000-0x00007FF799621000-memory.dmp	upx
C:\Windows\System\tPXIwKp.exe	upx
behavioral2/memory/2820-85-0x00007FF702210000-0x00007FF702561000-memory.dmp	upx
behavioral2/memory/392-81-0x00007FF64DA10000-0x00007FF64DD61000-memory.dmp	upx
behavioral2/memory/4624-74-0x00007FF77E9D0000-0x00007FF77ED21000-memory.dmp	upx
behavioral2/memory/4636-93-0x00007FF6B3100000-0x00007FF6B3451000-memory.dmp	upx
behavioral2/memory/2636-88-0x00007FF632890000-0x00007FF632BE1000-memory.dmp	upx
C:\Windows\System\AnGznlX.exe	upx
behavioral2/memory/4516-100-0x00007FF793960000-0x00007FF793CB1000-memory.dmp	upx
C:\Windows\System\DZJInlq.exe	upx
C:\Windows\System\qCSLFHU.exe	upx
behavioral2/memory/4464-105-0x00007FF66ECE0000-0x00007FF66F031000-memory.dmp	upx
C:\Windows\System\tOQbjSI.exe	upx
behavioral2/memory/1360-116-0x00007FF757DD0000-0x00007FF758121000-memory.dmp	upx
C:\Windows\System\DhFVfHp.exe	upx
behavioral2/memory/1088-115-0x00007FF6F1690000-0x00007FF6F19E1000-memory.dmp	upx
behavioral2/memory/100-109-0x00007FF6BAF60000-0x00007FF6BB2B1000-memory.dmp	upx
C:\Windows\System\XhfqlOC.exe	upx
behavioral2/memory/1836-129-0x00007FF752990000-0x00007FF752CE1000-memory.dmp	upx
C:\Windows\System\uxSMqhA.exe	upx
behavioral2/memory/396-130-0x00007FF6AC950000-0x00007FF6ACCA1000-memory.dmp	upx
behavioral2/memory/4840-125-0x00007FF6DBAA0000-0x00007FF6DBDF1000-memory.dmp	upx
behavioral2/memory/4968-138-0x00007FF745DB0000-0x00007FF746101000-memory.dmp	upx
behavioral2/memory/4952-145-0x00007FF7992D0000-0x00007FF799621000-memory.dmp	upx
behavioral2/memory/4636-150-0x00007FF6B3100000-0x00007FF6B3451000-memory.dmp	upx
behavioral2/memory/2820-149-0x00007FF702210000-0x00007FF702561000-memory.dmp	upx
behavioral2/memory/4464-152-0x00007FF66ECE0000-0x00007FF66F031000-memory.dmp	upx
behavioral2/memory/1088-154-0x00007FF6F1690000-0x00007FF6F19E1000-memory.dmp	upx
behavioral2/memory/4416-156-0x00007FF78D4C0000-0x00007FF78D811000-memory.dmp	upx
behavioral2/memory/3012-207-0x00007FF7FF2E0000-0x00007FF7FF631000-memory.dmp	upx
behavioral2/memory/4624-209-0x00007FF77E9D0000-0x00007FF77ED21000-memory.dmp	upx
behavioral2/memory/392-211-0x00007FF64DA10000-0x00007FF64DD61000-memory.dmp	upx
behavioral2/memory/2636-213-0x00007FF632890000-0x00007FF632BE1000-memory.dmp	upx
behavioral2/memory/2412-220-0x00007FF799D50000-0x00007FF79A0A1000-memory.dmp	upx
behavioral2/memory/100-222-0x00007FF6BAF60000-0x00007FF6BB2B1000-memory.dmp	upx
behavioral2/memory/2088-224-0x00007FF6AC4B0000-0x00007FF6AC801000-memory.dmp	upx
behavioral2/memory/3972-226-0x00007FF711D80000-0x00007FF7120D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\PLJisfA.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XydVdjT.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XhfqlOC.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ltEsiMn.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pXCNgME.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\axndeHw.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qCSLFHU.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tOQbjSI.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DhFVfHp.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uxSMqhA.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\loRkRog.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tPXIwKp.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AnGznlX.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dtsOJWm.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rUqpBdO.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FNagrdx.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CMcCodI.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jqwrYLC.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gIBTHpi.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DZJInlq.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PYUFffI.exe	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4416 wrote to memory of 3012	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	PYUFffI.exe
PID 4416 wrote to memory of 3012	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	PYUFffI.exe
PID 4416 wrote to memory of 4624	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	rUqpBdO.exe
PID 4416 wrote to memory of 4624	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	rUqpBdO.exe
PID 4416 wrote to memory of 392	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	loRkRog.exe
PID 4416 wrote to memory of 392	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	loRkRog.exe
PID 4416 wrote to memory of 2636	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	pXCNgME.exe
PID 4416 wrote to memory of 2636	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	pXCNgME.exe
PID 4416 wrote to memory of 2412	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	ltEsiMn.exe
PID 4416 wrote to memory of 2412	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	ltEsiMn.exe
PID 4416 wrote to memory of 100	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	FNagrdx.exe
PID 4416 wrote to memory of 100	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	FNagrdx.exe
PID 4416 wrote to memory of 2088	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	CMcCodI.exe
PID 4416 wrote to memory of 2088	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	CMcCodI.exe
PID 4416 wrote to memory of 3972	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	PLJisfA.exe
PID 4416 wrote to memory of 3972	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	PLJisfA.exe
PID 4416 wrote to memory of 1836	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	jqwrYLC.exe
PID 4416 wrote to memory of 1836	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	jqwrYLC.exe
PID 4416 wrote to memory of 4324	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	dtsOJWm.exe
PID 4416 wrote to memory of 4324	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	dtsOJWm.exe
PID 4416 wrote to memory of 1944	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	gIBTHpi.exe
PID 4416 wrote to memory of 1944	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	gIBTHpi.exe
PID 4416 wrote to memory of 4952	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	XydVdjT.exe
PID 4416 wrote to memory of 4952	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	XydVdjT.exe
PID 4416 wrote to memory of 2820	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	axndeHw.exe
PID 4416 wrote to memory of 2820	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	axndeHw.exe
PID 4416 wrote to memory of 4636	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	tPXIwKp.exe
PID 4416 wrote to memory of 4636	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	tPXIwKp.exe
PID 4416 wrote to memory of 4516	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	qCSLFHU.exe
PID 4416 wrote to memory of 4516	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	qCSLFHU.exe
PID 4416 wrote to memory of 4464	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	DZJInlq.exe
PID 4416 wrote to memory of 4464	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	DZJInlq.exe
PID 4416 wrote to memory of 1360	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	AnGznlX.exe
PID 4416 wrote to memory of 1360	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	AnGznlX.exe
PID 4416 wrote to memory of 1088	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	tOQbjSI.exe
PID 4416 wrote to memory of 1088	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	tOQbjSI.exe
PID 4416 wrote to memory of 4840	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	DhFVfHp.exe
PID 4416 wrote to memory of 4840	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	DhFVfHp.exe
PID 4416 wrote to memory of 396	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	XhfqlOC.exe
PID 4416 wrote to memory of 396	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	XhfqlOC.exe
PID 4416 wrote to memory of 4968	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	uxSMqhA.exe
PID 4416 wrote to memory of 4968	4416	2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe	uxSMqhA.exe

C:\Users\Admin\AppData\Local\Temp\2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-26_a9abc553057c8be8e6484b8bb9579c87_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\System\PYUFffI.exe
C:\Windows\System\PYUFffI.exe
2⤵
- Executes dropped EXE
PID:3012

C:\Windows\System\rUqpBdO.exe
C:\Windows\System\rUqpBdO.exe
2⤵
- Executes dropped EXE
PID:4624

C:\Windows\System\loRkRog.exe
C:\Windows\System\loRkRog.exe
2⤵
- Executes dropped EXE
PID:392

C:\Windows\System\pXCNgME.exe
C:\Windows\System\pXCNgME.exe
2⤵
- Executes dropped EXE
PID:2636

C:\Windows\System\ltEsiMn.exe
C:\Windows\System\ltEsiMn.exe
2⤵
- Executes dropped EXE
PID:2412

C:\Windows\System\FNagrdx.exe
C:\Windows\System\FNagrdx.exe
2⤵
- Executes dropped EXE
PID:100

C:\Windows\System\CMcCodI.exe
C:\Windows\System\CMcCodI.exe
2⤵
- Executes dropped EXE
PID:2088

C:\Windows\System\PLJisfA.exe
C:\Windows\System\PLJisfA.exe
2⤵
- Executes dropped EXE
PID:3972

C:\Windows\System\jqwrYLC.exe
C:\Windows\System\jqwrYLC.exe
2⤵
- Executes dropped EXE
PID:1836

C:\Windows\System\dtsOJWm.exe
C:\Windows\System\dtsOJWm.exe
2⤵
- Executes dropped EXE
PID:4324

C:\Windows\System\gIBTHpi.exe
C:\Windows\System\gIBTHpi.exe
2⤵
- Executes dropped EXE
PID:1944

C:\Windows\System\XydVdjT.exe
C:\Windows\System\XydVdjT.exe
2⤵
- Executes dropped EXE
PID:4952

C:\Windows\System\axndeHw.exe
C:\Windows\System\axndeHw.exe
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\System\tPXIwKp.exe
C:\Windows\System\tPXIwKp.exe
2⤵
- Executes dropped EXE
PID:4636

C:\Windows\System\qCSLFHU.exe
C:\Windows\System\qCSLFHU.exe
2⤵
- Executes dropped EXE
PID:4516

C:\Windows\System\DZJInlq.exe
C:\Windows\System\DZJInlq.exe
2⤵
- Executes dropped EXE
PID:4464

C:\Windows\System\AnGznlX.exe
C:\Windows\System\AnGznlX.exe
2⤵
- Executes dropped EXE
PID:1360

C:\Windows\System\tOQbjSI.exe
C:\Windows\System\tOQbjSI.exe
2⤵
- Executes dropped EXE
PID:1088

C:\Windows\System\DhFVfHp.exe
C:\Windows\System\DhFVfHp.exe
2⤵
- Executes dropped EXE
PID:4840

C:\Windows\System\XhfqlOC.exe
C:\Windows\System\XhfqlOC.exe
2⤵
- Executes dropped EXE
PID:396

C:\Windows\System\uxSMqhA.exe
C:\Windows\System\uxSMqhA.exe
2⤵
- Executes dropped EXE
PID:4968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AnGznlX.exe
Filesize
5.2MB

MD5
99c7302be9d3bd4193f90e2df9abafdb

SHA1
cdce118d346846fc846c48c344c2756b4a8c65c2

SHA256
cadb43252915aa9a4cccf59b10cb8386f870f004fa1923a7e2b55bef2acd35d3

SHA512
018feff7e4bef6bb276af9f09285a6db79dd12aba6649a265b64a070edcdd8f9355e676c01df17f8f83755e235f3002a1e3f69cf3b1781944cbf5980ea1d61cd

Download Submit
C:\Windows\System\CMcCodI.exe
Filesize
5.2MB

MD5
cf9dd89cf645716831f5a43b61fe46d2

SHA1
a0acb90edef1a5ee9b3fe513e5f8e1ab9a6df247

SHA256
d5369723f8ddeec9f9eeb0dbc6e4e90793f5f80047d315f410807bf1675ed779

SHA512
3da0432317d02b7e1e6ad0c1c6b5c151bac19662abee8348016893c71fcdf8e9a5dd77977ec2a0bae5651b10650ce2aeda4c5165ceb82bc747cde54cd5344a4a

Download Submit
C:\Windows\System\DZJInlq.exe
Filesize
5.2MB

MD5
3e2b99405d114a72564644784d6859be

SHA1
7b7ead68169fa539f6c5f023de19c23291d09fff

SHA256
26ef890a51b1901c31aeb0268432a5454ad318d87a38caa0d3e398abfc5627e6

SHA512
5c3d424b0ae6f416480e28c8b38f6376c298c9a1c6c35ea03bbc4537b1372de59e5e6254d68559993983fdb66bc495415db896807d687945bf039ece01242fff

Download Submit
C:\Windows\System\DhFVfHp.exe
Filesize
5.2MB

MD5
836e2ca8b7b72dbc93dd591cee28f059

SHA1
678fb825f3a64e149fcfa4592fd09d9292fa9175

SHA256
53bf2ce61ebc35b913727c4b29023900591f295e51548dc465d7b29ec4bbae8e

SHA512
484d52131f2921b3f71a12e130bd4ff4bf28e4e6f0513e26704cd1d7bd3838cf1e33efdce5430746155a72b16b4f68e9e835cddb9944fc9ce26978e6a286a4d1

Download Submit
C:\Windows\System\FNagrdx.exe
Filesize
5.2MB

MD5
5992f6f81e9efefa5e682c0ca0aee0a4

SHA1
fdd83b28c858eedecc617c6cf845b9b12b56d2b8

SHA256
10faf0f33413f132444c57e36667952600b4251cb0945482521320c56ad546d2

SHA512
4a14e0f57fe6596aa968a1a78a3c28d928ce55483e3700a2607ab14486fe4b6aaa33be40b636400ff35f5f50c7658e088d6a1ff930a55dc206cecbecee042853

Download Submit
C:\Windows\System\PLJisfA.exe
Filesize
5.2MB

MD5
bc9350dbd751b0429216b77c9f1224c2

SHA1
2fb061d66d6c0f78a9c5f831c4a9a2a039560a03

SHA256
b12e6badd64c21a68bd4589362ad3a84369854d716f79b7cc2312560ad4dbce0

SHA512
bd550ae6e05f1b77e2660567368992588bd731e5d2fcd9577ad74163f507524ba7eff11cdfe7389f4c3f53c56548d7d4f6d6ad92a40a747680e76a491a77d367

Download Submit
C:\Windows\System\PYUFffI.exe
Filesize
5.2MB

MD5
7a6adb9e2f4227a9b0e3f48b814cc6b4

SHA1
d4824266b3a0061ed5547ed1e2ec46d48e98ef93

SHA256
23ecede8b05c1cd5fb9b9ca999ed5395150d4a72b3334371ec38842120588eb1

SHA512
c5721fd52c7472c212ccc1ae9dfe2f20dbc951bd62f9b016d63f7f9b686aadb82479b18b182ad3b72c1e3540bd914dd9749030fee3eafdab4da365b9fdc65d20

Download Submit
C:\Windows\System\XhfqlOC.exe
Filesize
5.2MB

MD5
5e05daae03ad54c66c5daf625a2a9590

SHA1
f798b0507476045437d7b9cd5ed4360436776259

SHA256
e7027d7be55ab11c1de15369aa90634eecd89a81d17276f32978642ff2f01a3f

SHA512
443b48df89781d97d8a46f4015c37381be267b96c305af8babdc2ed3269f47b4dc7c8ff9b435dddb0e17a1783ff68250fa24efac016d12ec0d0040aa6bcab86b

Download Submit
C:\Windows\System\XydVdjT.exe
Filesize
5.2MB

MD5
c38f9e2a038aba9de8512d19b823b493

SHA1
642ea4b1ccea8ea097bbc77f8536c852fe7fe6b6

SHA256
01b7b49660509c4181dfce0ae2e91e247684f66d003b3fddb6421171984af4c4

SHA512
626ca2bf18f5cb6aba5f423811843883375310bd10107a226e2e3646c29ee110f86fa093d6f0001dfd627a1f2a37e289a2c34513b58b467f04f1718a4286bafc

Download Submit
C:\Windows\System\axndeHw.exe
Filesize
5.2MB

MD5
1250d790d99a74052e85dcb167d8d4e4

SHA1
8979291418e9cbf31a18ad959ea2cdbe9826434b

SHA256
9256a55a8b6827f9466c704fa9d4d9a7ca4d6526805f2b3a1ec395d02c6bd19b

SHA512
0024f3c8560ac0254eb738925a87a75ec3a1c87ce8e1368f7a7c584d636a5c8a733b5f9aad7e8806c90986442fd48a693b88488ee393f5b08b56a9023528ab42

Download Submit
C:\Windows\System\dtsOJWm.exe
Filesize
5.2MB

MD5
8e4cee8dbe93986720ffb97ca7e322d0

SHA1
eada2f3e6e63ffa6657c7c44eb82b334a3775d98

SHA256
24ddc74fb4c07f9d2498d73ab7d6a880343b2d84c18f4ae4dd0a58f337a31040

SHA512
2efbc5047f7b877d9f9d59d4f7083c27d3d287d3e72e46c95fcb6c044e69fc4e25dbc52846439fc2f41602ee59cb8f21c603be4028c600622c632a63e214e8c5

Download Submit
C:\Windows\System\gIBTHpi.exe
Filesize
5.2MB

MD5
a17b70459dc078129c0aaa83a84df673

SHA1
6fd1119e6e96ec18fd1f5b18ecdffbc7dafe9957

SHA256
cf90dfc2324278c2562d381f6e0781fc4b4dffa0baaedee5a3df1589907ccdda

SHA512
16e6cc0a0f844ab0e654846ec8e1371fd1fc184c6426f958546a8e9c152612d67b5b972ec89d5ae93a07fa8507a1dd6858d9b97832b43672236fae74c9882c5b

Download Submit
C:\Windows\System\jqwrYLC.exe
Filesize
5.2MB

MD5
c09fe407455981d450e9d24518dd169f

SHA1
c8226debb630c937ddd71beb39330b0df0407fd9

SHA256
c6b15acfa9a41db8ac993d219b6d7269c3121d5aa7dc56d632f8483333c6f094

SHA512
aafd5acc6d7fb201178afdbf685a611277f2f240b728e08ce64fdd30fa0ef6a6e9c49579f6af8d9a6bdda9ae57e9b47357343716d9deab7c2988b1626db6b67a

Download Submit
C:\Windows\System\loRkRog.exe
Filesize
5.2MB

MD5
d18c4c2902e7665b90b59eb072f008da

SHA1
789f27710bd025b0be4bc3acf23106195485c8fb

SHA256
39ffbab29dbf4e8ea62dcdb50ba017154b407f1026e36c9038efde8276de50dd

SHA512
2d896ffd1859117bba66ed8eebeb1ec6a33cafcb8ab97efdb4c60dd8167b5d90ec422bb311a419dc8a7a0aa885fff4e08aeec19bf54a63720b36a2ee5a98040b

Download Submit
C:\Windows\System\ltEsiMn.exe
Filesize
5.2MB

MD5
edf3e682edaf602f5b89703a7b7faaec

SHA1
d6a385072f2841cf948947036023e03a1847351c

SHA256
4dec37bfb0d236627999db909cead7c99b1d4bf50e9f9318f7e9658128ef9cd9

SHA512
7fd9c5edf1fa255f814b0d9ab513f9e142a90b393318b612d56dd175ae0d108cb24f2919b3df8851a099983ab509c59536c435e51682f483c2e28ed2b02f3979

Download Submit
C:\Windows\System\pXCNgME.exe
Filesize
5.2MB

MD5
c4b6f4139101b25e3d2b6e1eac75597b

SHA1
09814050f0b6019bdf02301125fb1e83e04cc0ba

SHA256
03b0ef253690cf65808b2f400501d9fa20f92f564482cafc1e1a90b6b579eff9

SHA512
1649b619cbf024b73b705eadd802011c04897ffd3365fd520055578e7111de04aa1142f64b3c45c4a4e4896d553ff7bf5abef152c3893276fb04b24232e1688d

Download Submit
C:\Windows\System\qCSLFHU.exe
Filesize
5.2MB

MD5
f66997942c1f6f18e2bc05c9eef671c2

SHA1
d48e52fe923d155dcf966ffab1934da8fd4d7339

SHA256
63398593f1633ba38ebdfacc185e9814c2d1c5d0770b0e681ee0afa97673ca52

SHA512
d54a84afca434d120f1fade5c06761259133f6f973b4f49a13aab4dcd054aaa27aab99cfcd04240ba868862c38972a0e6c7ea8a382f8b9d23cd798ba944e8011

Download Submit
C:\Windows\System\rUqpBdO.exe
Filesize
5.2MB

MD5
7c02ebd8c5a799ad88637176854eb48d

SHA1
c8359911a51224475efa54ece28afceca41f2ed7

SHA256
f1cd8f19d9ab62ebb00fc96f549ba3969b5eb23261ee0a0f8f07c520f6ef6256

SHA512
099b8ca092711f1187a795a7c412f53ba72d0ce730c6add553b1460115ff10a1d7faa5adf6f5d889bc761119afe7be63d046556312087c810f5cf4b5b7eadbf4

Download Submit
C:\Windows\System\tOQbjSI.exe
Filesize
5.2MB

MD5
590581c82869493022c3c057cb87f751

SHA1
cfa5794938e11d78b7d4df1a6af841d5ce8f2194

SHA256
ad1eed512b20fdb245b0f8ea666d5d32da7a1b5705a1f267ad1bf4f3d382cc05

SHA512
f13836ea4c20111fffd780a28bc708cf4a573c229516cb5f1375771066fd3b9257ede7b7fda647e327716082a8bd25b668cd8442006a64a2ff38087fbc3ce038

Download Submit
C:\Windows\System\tPXIwKp.exe
Filesize
5.2MB

MD5
79a7a2653fd68193f227b5433f9d9787

SHA1
bf0603c210e61aa92844b75e94b448d2b7734956

SHA256
1826aa87732714459eae7ab4e70ccf15dada0b20b0756cd812232a8c831b91cf

SHA512
298c211ade635a5d9ed7910d19502c870fef650c878d6e90d1003244e4e325ebe0587dfdee730dd246d81201b73956e0d7d4ddfd08d4ba24788ef63ecddcb824

Download Submit
C:\Windows\System\uxSMqhA.exe
Filesize
5.2MB

MD5
4be54ca97e8233d973a499969dbf872e

SHA1
8eb1cbece28d6b1ed2bc5b21bc11639f1d95e44f

SHA256
611f2d9417125ab893789dc55dfe08dbc82ee2e4c78dbfa01bc833499c30c1c4

SHA512
a8075291cb8e33a27cb99f6268f7a7bb47ea1d002d97ceb60d2b67ed958bcc5553a6eb7777d5aed4b65ae283a9da199ea6ed2845842e456d424b81c9e5619695

Download Submit
memory/100-222-0x00007FF6BAF60000-0x00007FF6BB2B1000-memory.dmp

Filesize
3.3MB

Download
memory/100-109-0x00007FF6BAF60000-0x00007FF6BB2B1000-memory.dmp

Filesize
3.3MB

Download
memory/100-38-0x00007FF6BAF60000-0x00007FF6BB2B1000-memory.dmp

Filesize
3.3MB

Download
memory/392-20-0x00007FF64DA10000-0x00007FF64DD61000-memory.dmp

Filesize
3.3MB

Download
memory/392-81-0x00007FF64DA10000-0x00007FF64DD61000-memory.dmp

Filesize
3.3MB

Download
memory/392-211-0x00007FF64DA10000-0x00007FF64DD61000-memory.dmp

Filesize
3.3MB

Download
memory/396-130-0x00007FF6AC950000-0x00007FF6ACCA1000-memory.dmp

Filesize
3.3MB

Download
memory/396-258-0x00007FF6AC950000-0x00007FF6ACCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-154-0x00007FF6F1690000-0x00007FF6F19E1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-253-0x00007FF6F1690000-0x00007FF6F19E1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-115-0x00007FF6F1690000-0x00007FF6F19E1000-memory.dmp

Filesize
3.3MB

Download
memory/1360-251-0x00007FF757DD0000-0x00007FF758121000-memory.dmp

Filesize
3.3MB

Download
memory/1360-116-0x00007FF757DD0000-0x00007FF758121000-memory.dmp

Filesize
3.3MB

Download
memory/1836-228-0x00007FF752990000-0x00007FF752CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1836-129-0x00007FF752990000-0x00007FF752CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1836-55-0x00007FF752990000-0x00007FF752CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1944-70-0x00007FF71C810000-0x00007FF71CB61000-memory.dmp

Filesize
3.3MB

Download
memory/1944-232-0x00007FF71C810000-0x00007FF71CB61000-memory.dmp

Filesize
3.3MB

Download
memory/2088-224-0x00007FF6AC4B0000-0x00007FF6AC801000-memory.dmp

Filesize
3.3MB

Download
memory/2088-43-0x00007FF6AC4B0000-0x00007FF6AC801000-memory.dmp

Filesize
3.3MB

Download
memory/2412-32-0x00007FF799D50000-0x00007FF79A0A1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-220-0x00007FF799D50000-0x00007FF79A0A1000-memory.dmp

Filesize
3.3MB

Download
memory/2636-26-0x00007FF632890000-0x00007FF632BE1000-memory.dmp

Filesize
3.3MB

Download
memory/2636-213-0x00007FF632890000-0x00007FF632BE1000-memory.dmp

Filesize
3.3MB

Download
memory/2636-88-0x00007FF632890000-0x00007FF632BE1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-246-0x00007FF702210000-0x00007FF702561000-memory.dmp

Filesize
3.3MB

Download
memory/2820-85-0x00007FF702210000-0x00007FF702561000-memory.dmp

Filesize
3.3MB

Download
memory/2820-149-0x00007FF702210000-0x00007FF702561000-memory.dmp

Filesize
3.3MB

Download
memory/3012-69-0x00007FF7FF2E0000-0x00007FF7FF631000-memory.dmp

Filesize
3.3MB

Download
memory/3012-207-0x00007FF7FF2E0000-0x00007FF7FF631000-memory.dmp

Filesize
3.3MB

Download
memory/3012-8-0x00007FF7FF2E0000-0x00007FF7FF631000-memory.dmp

Filesize
3.3MB

Download
memory/3972-226-0x00007FF711D80000-0x00007FF7120D1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-50-0x00007FF711D80000-0x00007FF7120D1000-memory.dmp

Filesize
3.3MB

Download
memory/4324-63-0x00007FF611160000-0x00007FF6114B1000-memory.dmp

Filesize
3.3MB

Download
memory/4324-230-0x00007FF611160000-0x00007FF6114B1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-156-0x00007FF78D4C0000-0x00007FF78D811000-memory.dmp

Filesize
3.3MB

Download
memory/4416-1-0x00000124FD5C0000-0x00000124FD5D0000-memory.dmp

Filesize
64KB

Download
memory/4416-0-0x00007FF78D4C0000-0x00007FF78D811000-memory.dmp

Filesize
3.3MB

Download
memory/4416-62-0x00007FF78D4C0000-0x00007FF78D811000-memory.dmp

Filesize
3.3MB

Download
memory/4464-105-0x00007FF66ECE0000-0x00007FF66F031000-memory.dmp

Filesize
3.3MB

Download
memory/4464-152-0x00007FF66ECE0000-0x00007FF66F031000-memory.dmp

Filesize
3.3MB

Download
memory/4464-254-0x00007FF66ECE0000-0x00007FF66F031000-memory.dmp

Filesize
3.3MB

Download
memory/4516-248-0x00007FF793960000-0x00007FF793CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4516-100-0x00007FF793960000-0x00007FF793CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-209-0x00007FF77E9D0000-0x00007FF77ED21000-memory.dmp

Filesize
3.3MB

Download
memory/4624-74-0x00007FF77E9D0000-0x00007FF77ED21000-memory.dmp

Filesize
3.3MB

Download
memory/4624-13-0x00007FF77E9D0000-0x00007FF77ED21000-memory.dmp

Filesize
3.3MB

Download
memory/4636-150-0x00007FF6B3100000-0x00007FF6B3451000-memory.dmp

Filesize
3.3MB

Download
memory/4636-244-0x00007FF6B3100000-0x00007FF6B3451000-memory.dmp

Filesize
3.3MB

Download
memory/4636-93-0x00007FF6B3100000-0x00007FF6B3451000-memory.dmp

Filesize
3.3MB

Download
memory/4840-125-0x00007FF6DBAA0000-0x00007FF6DBDF1000-memory.dmp

Filesize
3.3MB

Download
memory/4840-256-0x00007FF6DBAA0000-0x00007FF6DBDF1000-memory.dmp

Filesize
3.3MB

Download
memory/4952-80-0x00007FF7992D0000-0x00007FF799621000-memory.dmp

Filesize
3.3MB

Download
memory/4952-235-0x00007FF7992D0000-0x00007FF799621000-memory.dmp

Filesize
3.3MB

Download
memory/4952-145-0x00007FF7992D0000-0x00007FF799621000-memory.dmp

Filesize
3.3MB

Download
memory/4968-138-0x00007FF745DB0000-0x00007FF746101000-memory.dmp

Filesize
3.3MB

Download
memory/4968-262-0x00007FF745DB0000-0x00007FF746101000-memory.dmp

Filesize
3.3MB

Download