cobaltstrike | 7f7935b5ac5f0d8ed1a649042a7c3c6625bb9ddb648b4525ef29c42b32f87099

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2f4f0bf5cf4ef0d9391ff33afe3acb85
SHA1

4af2c2f180562a58fd61f7d881c868fea3771d73
SHA256

7f7935b5ac5f0d8ed1a649042a7c3c6625bb9ddb648b4525ef29c42b32f87099
SHA512

8c281f16bd192dab308a2ee0ba6944a5decbf4abc2ea2ec7dc62fad567699c534d5a8de1afe7c97a5a5d9d2107d7d05c866d288572a7ec463f9f55621a243615
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibf56utgpPFotBER/mQ32lUo

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023497-6.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349e-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349f-24.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a0-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a3-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a4-52.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002349b-61.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a5-65.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a8-79.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a6-84.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ab-98.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ac-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ad-117.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234af-130.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ae-126.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a9-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234aa-91.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a7-83.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a2-41.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a1-37.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002349d-12.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/5004-60-0x00007FF7DF580000-0x00007FF7DF8D1000-memory.dmp	xmrig
behavioral2/memory/2128-103-0x00007FF765880000-0x00007FF765BD1000-memory.dmp	xmrig
behavioral2/memory/1832-107-0x00007FF6F79B0000-0x00007FF6F7D01000-memory.dmp	xmrig
behavioral2/memory/684-120-0x00007FF6A50B0000-0x00007FF6A5401000-memory.dmp	xmrig
behavioral2/memory/4928-124-0x00007FF6D5E90000-0x00007FF6D61E1000-memory.dmp	xmrig
behavioral2/memory/2524-119-0x00007FF6B1200000-0x00007FF6B1551000-memory.dmp	xmrig
behavioral2/memory/2944-116-0x00007FF612030000-0x00007FF612381000-memory.dmp	xmrig
behavioral2/memory/4480-113-0x00007FF7D19D0000-0x00007FF7D1D21000-memory.dmp	xmrig
behavioral2/memory/2464-109-0x00007FF724DE0000-0x00007FF725131000-memory.dmp	xmrig
behavioral2/memory/1100-101-0x00007FF659EA0000-0x00007FF65A1F1000-memory.dmp	xmrig
behavioral2/memory/3432-81-0x00007FF67E700000-0x00007FF67EA51000-memory.dmp	xmrig
behavioral2/memory/464-66-0x00007FF6EE710000-0x00007FF6EEA61000-memory.dmp	xmrig
behavioral2/memory/2136-54-0x00007FF635B00000-0x00007FF635E51000-memory.dmp	xmrig
behavioral2/memory/1236-46-0x00007FF6628B0000-0x00007FF662C01000-memory.dmp	xmrig
behavioral2/memory/4928-25-0x00007FF6D5E90000-0x00007FF6D61E1000-memory.dmp	xmrig
behavioral2/memory/5092-133-0x00007FF740C10000-0x00007FF740F61000-memory.dmp	xmrig
behavioral2/memory/400-132-0x00007FF77BB30000-0x00007FF77BE81000-memory.dmp	xmrig
behavioral2/memory/3432-8-0x00007FF67E700000-0x00007FF67EA51000-memory.dmp	xmrig
behavioral2/memory/464-134-0x00007FF6EE710000-0x00007FF6EEA61000-memory.dmp	xmrig
behavioral2/memory/1384-145-0x00007FF71B780000-0x00007FF71BAD1000-memory.dmp	xmrig
behavioral2/memory/2204-149-0x00007FF666370000-0x00007FF6666C1000-memory.dmp	xmrig
behavioral2/memory/2028-144-0x00007FF75BF60000-0x00007FF75C2B1000-memory.dmp	xmrig
behavioral2/memory/3768-140-0x00007FF68DF40000-0x00007FF68E291000-memory.dmp	xmrig
behavioral2/memory/3076-146-0x00007FF629B70000-0x00007FF629EC1000-memory.dmp	xmrig
behavioral2/memory/5004-143-0x00007FF7DF580000-0x00007FF7DF8D1000-memory.dmp	xmrig
behavioral2/memory/764-154-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp	xmrig
behavioral2/memory/464-156-0x00007FF6EE710000-0x00007FF6EEA61000-memory.dmp	xmrig
behavioral2/memory/3432-203-0x00007FF67E700000-0x00007FF67EA51000-memory.dmp	xmrig
behavioral2/memory/1100-205-0x00007FF659EA0000-0x00007FF65A1F1000-memory.dmp	xmrig
behavioral2/memory/2524-207-0x00007FF6B1200000-0x00007FF6B1551000-memory.dmp	xmrig
behavioral2/memory/4928-209-0x00007FF6D5E90000-0x00007FF6D61E1000-memory.dmp	xmrig
behavioral2/memory/400-211-0x00007FF77BB30000-0x00007FF77BE81000-memory.dmp	xmrig
behavioral2/memory/3768-213-0x00007FF68DF40000-0x00007FF68E291000-memory.dmp	xmrig
behavioral2/memory/1236-215-0x00007FF6628B0000-0x00007FF662C01000-memory.dmp	xmrig
behavioral2/memory/2136-217-0x00007FF635B00000-0x00007FF635E51000-memory.dmp	xmrig
behavioral2/memory/5004-219-0x00007FF7DF580000-0x00007FF7DF8D1000-memory.dmp	xmrig
behavioral2/memory/2028-221-0x00007FF75BF60000-0x00007FF75C2B1000-memory.dmp	xmrig
behavioral2/memory/1384-223-0x00007FF71B780000-0x00007FF71BAD1000-memory.dmp	xmrig
behavioral2/memory/1832-225-0x00007FF6F79B0000-0x00007FF6F7D01000-memory.dmp	xmrig
behavioral2/memory/3076-227-0x00007FF629B70000-0x00007FF629EC1000-memory.dmp	xmrig
behavioral2/memory/2464-231-0x00007FF724DE0000-0x00007FF725131000-memory.dmp	xmrig
behavioral2/memory/2128-230-0x00007FF765880000-0x00007FF765BD1000-memory.dmp	xmrig
behavioral2/memory/2944-234-0x00007FF612030000-0x00007FF612381000-memory.dmp	xmrig
behavioral2/memory/2204-236-0x00007FF666370000-0x00007FF6666C1000-memory.dmp	xmrig
behavioral2/memory/4480-237-0x00007FF7D19D0000-0x00007FF7D1D21000-memory.dmp	xmrig
behavioral2/memory/684-239-0x00007FF6A50B0000-0x00007FF6A5401000-memory.dmp	xmrig
behavioral2/memory/764-243-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp	xmrig
behavioral2/memory/5092-242-0x00007FF740C10000-0x00007FF740F61000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3432	KyOdqtl.exe
1100	HpgHOws.exe
2524	qLbAAmu.exe
4928	VVvLAwa.exe
400	kXwqjdl.exe
3768	PJdiWiH.exe
1236	JLJVjkH.exe
2136	fjAiVub.exe
5004	kwltqRu.exe
2028	jgpjezL.exe
1384	JxgYNPu.exe
3076	yjYkmmi.exe
2128	VqMXtzH.exe
2204	fXOLvYf.exe
1832	pvqLgLw.exe
2464	PjIjzVF.exe
4480	xcoYiFF.exe
2944	mErPEAh.exe
684	pWWRImQ.exe
764	CIMdmqg.exe
5092	WRHbCdx.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/464-0-0x00007FF6EE710000-0x00007FF6EEA61000-memory.dmp	upx
behavioral2/files/0x0008000000023497-6.dat	upx
behavioral2/files/0x000700000002349e-11.dat	upx
behavioral2/memory/2524-20-0x00007FF6B1200000-0x00007FF6B1551000-memory.dmp	upx
behavioral2/files/0x000700000002349f-24.dat	upx
behavioral2/files/0x00070000000234a0-30.dat	upx
behavioral2/memory/400-32-0x00007FF77BB30000-0x00007FF77BE81000-memory.dmp	upx
behavioral2/files/0x00070000000234a3-47.dat	upx
behavioral2/files/0x00070000000234a4-52.dat	upx
behavioral2/files/0x000800000002349b-61.dat	upx
behavioral2/memory/5004-60-0x00007FF7DF580000-0x00007FF7DF8D1000-memory.dmp	upx
behavioral2/files/0x00070000000234a5-65.dat	upx
behavioral2/memory/2028-71-0x00007FF75BF60000-0x00007FF75C2B1000-memory.dmp	upx
behavioral2/files/0x00070000000234a8-79.dat	upx
behavioral2/files/0x00070000000234a6-84.dat	upx
behavioral2/files/0x00070000000234ab-98.dat	upx
behavioral2/memory/2128-103-0x00007FF765880000-0x00007FF765BD1000-memory.dmp	upx
behavioral2/memory/1832-107-0x00007FF6F79B0000-0x00007FF6F7D01000-memory.dmp	upx
behavioral2/files/0x00070000000234ac-114.dat	upx
behavioral2/files/0x00070000000234ad-117.dat	upx
behavioral2/memory/684-120-0x00007FF6A50B0000-0x00007FF6A5401000-memory.dmp	upx
behavioral2/files/0x00070000000234af-130.dat	upx
behavioral2/files/0x00070000000234ae-126.dat	upx
behavioral2/memory/764-125-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp	upx
behavioral2/memory/4928-124-0x00007FF6D5E90000-0x00007FF6D61E1000-memory.dmp	upx
behavioral2/memory/2524-119-0x00007FF6B1200000-0x00007FF6B1551000-memory.dmp	upx
behavioral2/memory/2944-116-0x00007FF612030000-0x00007FF612381000-memory.dmp	upx
behavioral2/memory/4480-113-0x00007FF7D19D0000-0x00007FF7D1D21000-memory.dmp	upx
behavioral2/memory/2464-109-0x00007FF724DE0000-0x00007FF725131000-memory.dmp	upx
behavioral2/memory/1100-101-0x00007FF659EA0000-0x00007FF65A1F1000-memory.dmp	upx
behavioral2/files/0x00070000000234a9-97.dat	upx
behavioral2/memory/2204-93-0x00007FF666370000-0x00007FF6666C1000-memory.dmp	upx
behavioral2/files/0x00070000000234aa-91.dat	upx
behavioral2/memory/3076-90-0x00007FF629B70000-0x00007FF629EC1000-memory.dmp	upx
behavioral2/files/0x00070000000234a7-83.dat	upx
behavioral2/memory/3432-81-0x00007FF67E700000-0x00007FF67EA51000-memory.dmp	upx
behavioral2/memory/1384-77-0x00007FF71B780000-0x00007FF71BAD1000-memory.dmp	upx
behavioral2/memory/464-66-0x00007FF6EE710000-0x00007FF6EEA61000-memory.dmp	upx
behavioral2/memory/2136-54-0x00007FF635B00000-0x00007FF635E51000-memory.dmp	upx
behavioral2/memory/1236-46-0x00007FF6628B0000-0x00007FF662C01000-memory.dmp	upx
behavioral2/files/0x00070000000234a2-41.dat	upx
behavioral2/files/0x00070000000234a1-37.dat	upx
behavioral2/memory/3768-36-0x00007FF68DF40000-0x00007FF68E291000-memory.dmp	upx
behavioral2/memory/4928-25-0x00007FF6D5E90000-0x00007FF6D61E1000-memory.dmp	upx
behavioral2/memory/5092-133-0x00007FF740C10000-0x00007FF740F61000-memory.dmp	upx
behavioral2/memory/400-132-0x00007FF77BB30000-0x00007FF77BE81000-memory.dmp	upx
behavioral2/memory/1100-14-0x00007FF659EA0000-0x00007FF65A1F1000-memory.dmp	upx
behavioral2/files/0x000800000002349d-12.dat	upx
behavioral2/memory/3432-8-0x00007FF67E700000-0x00007FF67EA51000-memory.dmp	upx
behavioral2/memory/464-134-0x00007FF6EE710000-0x00007FF6EEA61000-memory.dmp	upx
behavioral2/memory/1384-145-0x00007FF71B780000-0x00007FF71BAD1000-memory.dmp	upx
behavioral2/memory/2204-149-0x00007FF666370000-0x00007FF6666C1000-memory.dmp	upx
behavioral2/memory/2028-144-0x00007FF75BF60000-0x00007FF75C2B1000-memory.dmp	upx
behavioral2/memory/3768-140-0x00007FF68DF40000-0x00007FF68E291000-memory.dmp	upx
behavioral2/memory/3076-146-0x00007FF629B70000-0x00007FF629EC1000-memory.dmp	upx
behavioral2/memory/5004-143-0x00007FF7DF580000-0x00007FF7DF8D1000-memory.dmp	upx
behavioral2/memory/764-154-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp	upx
behavioral2/memory/464-156-0x00007FF6EE710000-0x00007FF6EEA61000-memory.dmp	upx
behavioral2/memory/3432-203-0x00007FF67E700000-0x00007FF67EA51000-memory.dmp	upx
behavioral2/memory/1100-205-0x00007FF659EA0000-0x00007FF65A1F1000-memory.dmp	upx
behavioral2/memory/2524-207-0x00007FF6B1200000-0x00007FF6B1551000-memory.dmp	upx
behavioral2/memory/4928-209-0x00007FF6D5E90000-0x00007FF6D61E1000-memory.dmp	upx
behavioral2/memory/400-211-0x00007FF77BB30000-0x00007FF77BE81000-memory.dmp	upx
behavioral2/memory/3768-213-0x00007FF68DF40000-0x00007FF68E291000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\jgpjezL.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yjYkmmi.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mErPEAh.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pWWRImQ.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KyOdqtl.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HpgHOws.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fjAiVub.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VqMXtzH.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fXOLvYf.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xcoYiFF.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CIMdmqg.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kXwqjdl.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PJdiWiH.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kwltqRu.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WRHbCdx.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VVvLAwa.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JLJVjkH.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pvqLgLw.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qLbAAmu.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JxgYNPu.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PjIjzVF.exe	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 3432	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 464 wrote to memory of 3432	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 464 wrote to memory of 1100	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 464 wrote to memory of 1100	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 464 wrote to memory of 2524	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 464 wrote to memory of 2524	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 464 wrote to memory of 4928	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 464 wrote to memory of 4928	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 464 wrote to memory of 400	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 464 wrote to memory of 400	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 464 wrote to memory of 3768	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 464 wrote to memory of 3768	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 464 wrote to memory of 1236	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 464 wrote to memory of 1236	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 464 wrote to memory of 2136	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 464 wrote to memory of 2136	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 464 wrote to memory of 5004	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 464 wrote to memory of 5004	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 464 wrote to memory of 2028	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 464 wrote to memory of 2028	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 464 wrote to memory of 1384	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 464 wrote to memory of 1384	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 464 wrote to memory of 3076	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 464 wrote to memory of 3076	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 464 wrote to memory of 1832	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 464 wrote to memory of 1832	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 464 wrote to memory of 2128	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 464 wrote to memory of 2128	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 464 wrote to memory of 2204	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 464 wrote to memory of 2204	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 464 wrote to memory of 2464	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 464 wrote to memory of 2464	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 464 wrote to memory of 4480	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 464 wrote to memory of 4480	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 464 wrote to memory of 2944	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 464 wrote to memory of 2944	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 464 wrote to memory of 684	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 464 wrote to memory of 684	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 464 wrote to memory of 764	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 464 wrote to memory of 764	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 464 wrote to memory of 5092	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 464 wrote to memory of 5092	464	2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\System\KyOdqtl.exe
  C:\Windows\System\KyOdqtl.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System\HpgHOws.exe
  C:\Windows\System\HpgHOws.exe
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\System\qLbAAmu.exe
  C:\Windows\System\qLbAAmu.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\VVvLAwa.exe
  C:\Windows\System\VVvLAwa.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\kXwqjdl.exe
  C:\Windows\System\kXwqjdl.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\PJdiWiH.exe
  C:\Windows\System\PJdiWiH.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System\JLJVjkH.exe
  C:\Windows\System\JLJVjkH.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\fjAiVub.exe
  C:\Windows\System\fjAiVub.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System\kwltqRu.exe
  C:\Windows\System\kwltqRu.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\jgpjezL.exe
  C:\Windows\System\jgpjezL.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\JxgYNPu.exe
  C:\Windows\System\JxgYNPu.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\yjYkmmi.exe
  C:\Windows\System\yjYkmmi.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System\pvqLgLw.exe
  C:\Windows\System\pvqLgLw.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\VqMXtzH.exe
  C:\Windows\System\VqMXtzH.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\fXOLvYf.exe
  C:\Windows\System\fXOLvYf.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\PjIjzVF.exe
  C:\Windows\System\PjIjzVF.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\xcoYiFF.exe
  C:\Windows\System\xcoYiFF.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\mErPEAh.exe
  C:\Windows\System\mErPEAh.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\pWWRImQ.exe
  C:\Windows\System\pWWRImQ.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System\CIMdmqg.exe
  C:\Windows\System\CIMdmqg.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\WRHbCdx.exe
  C:\Windows\System\WRHbCdx.exe
  2⤵
  - Executes dropped EXE
  PID:5092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CIMdmqg.exe

Filesize
5.2MB

MD5
6cec71ee69287080bd5913ea195eafe4

SHA1
b82b5f4159fd28f38ca3687a2619a7c99c650638

SHA256
c7d05af819075ec678d47ec14df782542a16c202fb9a4c4ba057f0579a0e5c91

SHA512
fd7b4f0377167fb20588df697dcd5a88b2cd0badc2394e8debb5798e9020d85d30852d8880f53e969a2339b6ad3bb4cdc0c8a7a1f1c507cf34bca86d98f82597

Download Submit
C:\Windows\System\HpgHOws.exe

Filesize
5.2MB

MD5
ebfe0f9a69db3f2130654b38cffced3a

SHA1
638484ae47c74f7ede8b774a22e8b644c4df3827

SHA256
8f01f2f7cbaeff75aa3ff5a3807a0fad783a5732a577a2c0f1c31c0a978d1db5

SHA512
4f2b6912a9aa1b6ddf1467b18345cd6621e0e966b1ca34d974445c56060233e44e9973956634daf700baf506c1386fee92aa4b7bb6f4187482fe23a92775872c

Download Submit
C:\Windows\System\JLJVjkH.exe

Filesize
5.2MB

MD5
c17d14e0a68fa356a85bf61179ed5c0c

SHA1
fe1153b42e7a7d92ac18e6641c86ed4ff6e24466

SHA256
77b9d0f52917141c0d21719f688addf81d78c4962b21cbbfa732e5a11e8a609b

SHA512
dc2e7c8c599d3e09220185868540d673d719db0a0ef6d5488aeed466cd86ad98a6d5cd49e2aa38b63cc1b402becbd0359bbeaff1d2e3ab61b1058ee5ffa1fd51

Download Submit
C:\Windows\System\JxgYNPu.exe

Filesize
5.2MB

MD5
4708234acee6aa7f41a524ca9f530d6d

SHA1
a8fb267dddce6d63403063ea2267f567d3eabe07

SHA256
1596f5e7fab511f7348d68a2aaf9d47bdc1eecbe7ba6758e8e329ef2481a6334

SHA512
fdc6fb53ae51f191245fdc588fcda18c822295bd1cb274db3a08229bf80b6f61ccafa5f840c1d57c92f2b33e643a070d6e97464a52cd1e9fa180eef9bb8b2576

Download Submit
C:\Windows\System\KyOdqtl.exe

Filesize
5.2MB

MD5
bc37172b174b78f647f2bd01772fac08

SHA1
57a2780c5cac5a940dbb99ff5d263c6dd5916964

SHA256
20a5311c9d6ffa3505f888934e2a1fc00fc4e2829cbcf411e5e25401cef5a6b8

SHA512
bd3e1347334af29952c4deb0df9348aa312147b4c33563197918583fb91c446bda25789fa99c06a433831bc6e9583dbc23a26ae006547e8dcb7f674317115bb7

Download Submit
C:\Windows\System\PJdiWiH.exe

Filesize
5.2MB

MD5
a0ac01548be1258a9713dd41253b51ab

SHA1
a8af64b93e3739065ba32107cb09bb04b657acfc

SHA256
5067afc8bbd84283385667d8b1140c9c077d852c783086d36e99a65205eb5476

SHA512
118e3fbe437e654282a27432838997a537f46781314559c9cac5ab18f2ccf002a627ec9914a297e781e5b4bec5a65247542dc6ae8fbecc7a1ef51c5801689f8e

Download Submit
C:\Windows\System\PjIjzVF.exe

Filesize
5.2MB

MD5
b8304d59024dcc007f20b8d13e879cd5

SHA1
d09a2e5b626c8b4507346071feff9a0774b6b212

SHA256
ef8a23210536333c03a8b7e36933fbb570d562944f8100edc636d720e5dcf065

SHA512
6a81acc7dbd0aff03c8a45f76a2a827dd7d41f28426631796c59b00200c03d4cca6a707699c706ed29d618a05560cff4a4558bc96baa568e9daca801349df039

Download Submit
C:\Windows\System\VVvLAwa.exe

Filesize
5.2MB

MD5
2df0e936be2cfd00cf1f3eba68649630

SHA1
b36d5f6a3e4770458713dedd0cafd4c6585c162c

SHA256
e396620e9e5f56316f804f19cc63b819fa3a2c5dba311e8f38f333ef2c715fb7

SHA512
81f01263b627885153818e317e294429148f9d7679ce798d6e3d6379cba596c8c59d7b718fb790739014b320fce00ac15e3407e1b84f664404851d2abb2d2efd

Download Submit
C:\Windows\System\VqMXtzH.exe

Filesize
5.2MB

MD5
28d28222c44bd0354f270daf7838c1ca

SHA1
1a65bb24e1d270627aeda07f06a95c13aab9307b

SHA256
972e32d9efa231770c3b4e185da0cf4e61359ca2cbc202e712d5821140f04983

SHA512
51632abd24ec098ed428d2455c0670306e1f03ef78cd6fc31e6cded2dc53d5a81a0d1b01418789ea5b65b9f7a33c5fb5556d546947f95cf2612fba9c847a5828

Download Submit
C:\Windows\System\WRHbCdx.exe

Filesize
5.2MB

MD5
0094ce5e31057948e0794154c5941a11

SHA1
3454dd8227838b219f78f0f2e9c09078bbfce98d

SHA256
80d55f9880aa1731742895ffd0241f65077e5706f678364796cac1ef2f6c6b38

SHA512
50a181a132922f2abdbd492698b5ee65c12f4d80b68b7255fb864209b8108a0a5ba33cd9da3362be9563e85e11aa685629bb1be5b6290e522f0ab7a29043f0cb

Download Submit
C:\Windows\System\fXOLvYf.exe

Filesize
5.2MB

MD5
020497ab51cf1f0586729c9dae3ce919

SHA1
c893633b06f0f1c3fdf963ff903d25a4c151177e

SHA256
757de446b886ae1c1c4d535d5313d346d1a63b1b513792619eff7409df43430a

SHA512
ed698d4e0ea2c3997e89a7b8cdaed24bbfb04ddbeddf9c8f61e89a095e7a72ed6181fa80e25f0a69c5ae0d069fb3ae0df2937635e69a03267215be225d3981bb

Download Submit
C:\Windows\System\fjAiVub.exe

Filesize
5.2MB

MD5
7e33fe5e86767452d205bb39e901a250

SHA1
d5b11edfe089e2beb2761424897f4b2ee30789e7

SHA256
fc8f073222ea566a3cc5ddef11973908e8e52f374eb78f3cae4ac163a954aa67

SHA512
4ab3a24a4069f03483b6e040c011b0aa19baeec8a8e839794e11f406943a5a281fa799e5cc09a4a9ca49a3fce2140eda09ef498b75289d21eb413b2d0c8b5bc7

Download Submit
C:\Windows\System\jgpjezL.exe

Filesize
5.2MB

MD5
9b01942f047f23f4cb9a8cd9fe2f5e11

SHA1
3a22c68ed19106372a668d587e556c31b1f96486

SHA256
83d292ff7d17d2078b72afa7f5b401a9eb0048eeef402087099a946ab6c1b7d5

SHA512
548efc52e6495d1069f67a4e2241e00797517be50857809db2a47ae9f1d00984188fc76470c415adc60e99082624506bc107aba9368962df21f6373001b1d0b5

Download Submit
C:\Windows\System\kXwqjdl.exe

Filesize
5.2MB

MD5
17405e66388c4aa4b5a0e7813befc1a8

SHA1
c15ef83e45d8fc3108bf6b816de1894f4c4e0b61

SHA256
443254e0860f60e3e12068b91e674bbdf0bfffb1194074efdc6b732ec7aa04e6

SHA512
e5fb3eef5e73e274cc86fe670887cec85d81c792f9f74c933a11e47673b16c8a3f784b95e9ae51d766f0f98c856c32590eba176983c71700c3426b9878c05f31

Download Submit
C:\Windows\System\kwltqRu.exe

Filesize
5.2MB

MD5
8fd26746bbf05f5c5b0538a20d043a2b

SHA1
4aa965925d054648c028788294ca59076e660252

SHA256
e57291001d76766c90514655aff0478cd8f6aa32daaa2b12b38caa3c2e95d725

SHA512
766411e3a2b9547d8caf10c2935ae201f8849904daade52f5a539bc6ca12c0f7aa536c49642041af7e06da593b14a70ddce96c0b202113ff3a5be4dda612076f

Download Submit
C:\Windows\System\mErPEAh.exe

Filesize
5.2MB

MD5
ecf2302123d2f5b2f2cbea1908dbe828

SHA1
53e9967e6bda011479d218b0991372a95fe3b9f3

SHA256
e7c949e08b7d6e1cdb5ea29bef420c67aca68841fa93feda577ea2ffed7fc647

SHA512
03aaac9cdfa3dd8bf2cc6b5e2733e3009f8dd9dfa01d901d3dc80fd788be54eff88328559c2bea1501daa28db440ca4c97a07b586efd52fa6322deb117b03973

Download Submit
C:\Windows\System\pWWRImQ.exe

Filesize
5.2MB

MD5
5be6bdf75b39246a1dcf2b01994ee6fd

SHA1
3f544b61a0e9dea18744d1872e078ab3b9f9cec7

SHA256
741eb649f286b2d5004c62db4626956473db976d7b9e72846e29883c3df65853

SHA512
f862cdd33bcac9419847daf01482ae084943d26ab5f235d4881458e6c896d621044badb9046ae679cd8b2ac4431bca5727492b6a6f9b2b9e61fc13d1ab9c4cd0

Download Submit
C:\Windows\System\pvqLgLw.exe

Filesize
5.2MB

MD5
34fb22467fda120edc2cdd929af906ab

SHA1
26428a802ac98503fd58a65b3c4c79c9d522908e

SHA256
61bf7e4fc1b848a1048489dd76de99c30e117e33295b8ef293abf289971e3347

SHA512
7087ec97af6f6a10f1d9ac2a2a3ffa2baf506c50e438c6cf836e34d36e504fe3ade47a40c654cfec976956421236ce9d374334d05112fb1d3d650e10b1b5c82d

Download Submit
C:\Windows\System\qLbAAmu.exe

Filesize
5.2MB

MD5
a270e975ee6905dd7cba70815591b011

SHA1
5aa2bacba1207d7a06f8b8da038f7170f83f759a

SHA256
679a0265a7927a6809c10bfeb5e6c69c7f064e05a15f6b45dbff62548b918314

SHA512
b9828ab08eaa2aca9af0bd9e259e24a7d4f82bd1e02cbda4c676df28558194bf0421da4fa1b3e674220403ad39d5d7566d558357dbceaeed8c9c8346e2ea6a63

Download Submit
C:\Windows\System\xcoYiFF.exe

Filesize
5.2MB

MD5
f2798c1b401f05a9eea9c712ceda60c8

SHA1
ea42a77fec2e5beb98d242e0003b7e047fd494a2

SHA256
4ef500a2da652b5696b86966c6604ef70502c2507ed0d32688af932e05be4226

SHA512
954aa80327e4fd9a95ec9aa83444b4c943a3f4e558265dc8324985c8da5790c93d0bb32d6d614263f8e6416c0819f34fa0c60f3c1d0d878434e453a1cd32a41f

Download Submit
C:\Windows\System\yjYkmmi.exe

Filesize
5.2MB

MD5
1c1b40ff38b54c18e22c635ba9457c01

SHA1
6ec318458094f7062b2a6a31a0b6b886f53b1269

SHA256
f128cf2ab7013ad7527fc0ea0b10ee88e7ef624e3b0b7d8bd0d1fe9217cbdabf

SHA512
4b7f8ffb854911ca71722c1a32cbeb0511c0a9854c865e5d7af292c0568707b810bc0a7ea6beabd057bd9b129db2aa0c22440d40df4ef0eb7ea71083edf332ac

Download Submit
memory/400-132-0x00007FF77BB30000-0x00007FF77BE81000-memory.dmp

Filesize
3.3MB

Download
memory/400-32-0x00007FF77BB30000-0x00007FF77BE81000-memory.dmp

Filesize
3.3MB

Download
memory/400-211-0x00007FF77BB30000-0x00007FF77BE81000-memory.dmp

Filesize
3.3MB

Download
memory/464-66-0x00007FF6EE710000-0x00007FF6EEA61000-memory.dmp

Filesize
3.3MB

Download
memory/464-134-0x00007FF6EE710000-0x00007FF6EEA61000-memory.dmp

Filesize
3.3MB

Download
memory/464-1-0x000001790CC60000-0x000001790CC70000-memory.dmp

Filesize
64KB

Download
memory/464-156-0x00007FF6EE710000-0x00007FF6EEA61000-memory.dmp

Filesize
3.3MB

Download
memory/464-0-0x00007FF6EE710000-0x00007FF6EEA61000-memory.dmp

Filesize
3.3MB

Download
memory/684-239-0x00007FF6A50B0000-0x00007FF6A5401000-memory.dmp

Filesize
3.3MB

Download
memory/684-120-0x00007FF6A50B0000-0x00007FF6A5401000-memory.dmp

Filesize
3.3MB

Download
memory/764-154-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/764-243-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/764-125-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/1100-101-0x00007FF659EA0000-0x00007FF65A1F1000-memory.dmp

Filesize
3.3MB

Download
memory/1100-14-0x00007FF659EA0000-0x00007FF65A1F1000-memory.dmp

Filesize
3.3MB

Download
memory/1100-205-0x00007FF659EA0000-0x00007FF65A1F1000-memory.dmp

Filesize
3.3MB

Download
memory/1236-46-0x00007FF6628B0000-0x00007FF662C01000-memory.dmp

Filesize
3.3MB

Download
memory/1236-215-0x00007FF6628B0000-0x00007FF662C01000-memory.dmp

Filesize
3.3MB

Download
memory/1384-145-0x00007FF71B780000-0x00007FF71BAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-223-0x00007FF71B780000-0x00007FF71BAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-77-0x00007FF71B780000-0x00007FF71BAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1832-225-0x00007FF6F79B0000-0x00007FF6F7D01000-memory.dmp

Filesize
3.3MB

Download
memory/1832-107-0x00007FF6F79B0000-0x00007FF6F7D01000-memory.dmp

Filesize
3.3MB

Download
memory/2028-221-0x00007FF75BF60000-0x00007FF75C2B1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-144-0x00007FF75BF60000-0x00007FF75C2B1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-71-0x00007FF75BF60000-0x00007FF75C2B1000-memory.dmp

Filesize
3.3MB

Download
memory/2128-103-0x00007FF765880000-0x00007FF765BD1000-memory.dmp

Filesize
3.3MB

Download
memory/2128-230-0x00007FF765880000-0x00007FF765BD1000-memory.dmp

Filesize
3.3MB

Download
memory/2136-54-0x00007FF635B00000-0x00007FF635E51000-memory.dmp

Filesize
3.3MB

Download
memory/2136-217-0x00007FF635B00000-0x00007FF635E51000-memory.dmp

Filesize
3.3MB

Download
memory/2204-236-0x00007FF666370000-0x00007FF6666C1000-memory.dmp

Filesize
3.3MB

Download
memory/2204-149-0x00007FF666370000-0x00007FF6666C1000-memory.dmp

Filesize
3.3MB

Download
memory/2204-93-0x00007FF666370000-0x00007FF6666C1000-memory.dmp

Filesize
3.3MB

Download
memory/2464-109-0x00007FF724DE0000-0x00007FF725131000-memory.dmp

Filesize
3.3MB

Download
memory/2464-231-0x00007FF724DE0000-0x00007FF725131000-memory.dmp

Filesize
3.3MB

Download
memory/2524-207-0x00007FF6B1200000-0x00007FF6B1551000-memory.dmp

Filesize
3.3MB

Download
memory/2524-20-0x00007FF6B1200000-0x00007FF6B1551000-memory.dmp

Filesize
3.3MB

Download
memory/2524-119-0x00007FF6B1200000-0x00007FF6B1551000-memory.dmp

Filesize
3.3MB

Download
memory/2944-234-0x00007FF612030000-0x00007FF612381000-memory.dmp

Filesize
3.3MB

Download
memory/2944-116-0x00007FF612030000-0x00007FF612381000-memory.dmp

Filesize
3.3MB

Download
memory/3076-146-0x00007FF629B70000-0x00007FF629EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3076-90-0x00007FF629B70000-0x00007FF629EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3076-227-0x00007FF629B70000-0x00007FF629EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3432-203-0x00007FF67E700000-0x00007FF67EA51000-memory.dmp

Filesize
3.3MB

Download
memory/3432-8-0x00007FF67E700000-0x00007FF67EA51000-memory.dmp

Filesize
3.3MB

Download
memory/3432-81-0x00007FF67E700000-0x00007FF67EA51000-memory.dmp

Filesize
3.3MB

Download
memory/3768-213-0x00007FF68DF40000-0x00007FF68E291000-memory.dmp

Filesize
3.3MB

Download
memory/3768-140-0x00007FF68DF40000-0x00007FF68E291000-memory.dmp

Filesize
3.3MB

Download
memory/3768-36-0x00007FF68DF40000-0x00007FF68E291000-memory.dmp

Filesize
3.3MB

Download
memory/4480-237-0x00007FF7D19D0000-0x00007FF7D1D21000-memory.dmp

Filesize
3.3MB

Download
memory/4480-113-0x00007FF7D19D0000-0x00007FF7D1D21000-memory.dmp

Filesize
3.3MB

Download
memory/4928-209-0x00007FF6D5E90000-0x00007FF6D61E1000-memory.dmp

Filesize
3.3MB

Download
memory/4928-25-0x00007FF6D5E90000-0x00007FF6D61E1000-memory.dmp

Filesize
3.3MB

Download
memory/4928-124-0x00007FF6D5E90000-0x00007FF6D61E1000-memory.dmp

Filesize
3.3MB

Download
memory/5004-219-0x00007FF7DF580000-0x00007FF7DF8D1000-memory.dmp

Filesize
3.3MB

Download
memory/5004-60-0x00007FF7DF580000-0x00007FF7DF8D1000-memory.dmp

Filesize
3.3MB

Download
memory/5004-143-0x00007FF7DF580000-0x00007FF7DF8D1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-133-0x00007FF740C10000-0x00007FF740F61000-memory.dmp

Filesize
3.3MB

Download
memory/5092-242-0x00007FF740C10000-0x00007FF740F61000-memory.dmp

Filesize
3.3MB

Download