cobaltstrike | b04d02617574be7bede8a03df00f44835881b541f8e4380f29822e1f7bedc802

Analysis

max time kernel
139s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 12:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

bb1cf37adac63ce82b54ff5e18391f1b
SHA1

a0efb217a99ff175607ad2f0c85cc8026bc2227b
SHA256

b04d02617574be7bede8a03df00f44835881b541f8e4380f29822e1f7bedc802
SHA512

228a7f011cdf97943dbeac6172601a68afaa0a69ba0d89e96e6c8b9670097a37e28e849b69885736a5ee59bf91a8cddde55e3b531a0a5556461f9c1b15cbbaa7
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUS:T+856utgpPF8u/7S

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023424-4.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023480-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023483-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023482-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023484-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023485-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023486-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023488-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023489-62.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348a-71.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348b-77.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348c-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023487-49.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348d-85.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023477-91.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348e-96.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348f-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023490-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023491-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023493-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023492-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1268-0-0x00007FF760E80000-0x00007FF7611D4000-memory.dmp	xmrig
behavioral2/files/0x0009000000023424-4.dat	xmrig
behavioral2/memory/4692-8-0x00007FF7596F0000-0x00007FF759A44000-memory.dmp	xmrig
behavioral2/files/0x0009000000023480-11.dat	xmrig
behavioral2/memory/3320-16-0x00007FF6E2E30000-0x00007FF6E3184000-memory.dmp	xmrig
behavioral2/files/0x0007000000023483-21.dat	xmrig
behavioral2/memory/4280-20-0x00007FF63FF00000-0x00007FF640254000-memory.dmp	xmrig
behavioral2/files/0x0007000000023482-22.dat	xmrig
behavioral2/files/0x0007000000023484-29.dat	xmrig
behavioral2/memory/2328-32-0x00007FF734120000-0x00007FF734474000-memory.dmp	xmrig
behavioral2/files/0x0007000000023485-34.dat	xmrig
behavioral2/memory/4728-40-0x00007FF746800000-0x00007FF746B54000-memory.dmp	xmrig
behavioral2/files/0x0007000000023486-45.dat	xmrig
behavioral2/files/0x0007000000023488-54.dat	xmrig
behavioral2/memory/2692-56-0x00007FF6B2040000-0x00007FF6B2394000-memory.dmp	xmrig
behavioral2/files/0x0007000000023489-62.dat	xmrig
behavioral2/memory/1484-65-0x00007FF6A0D30000-0x00007FF6A1084000-memory.dmp	xmrig
behavioral2/files/0x000700000002348a-71.dat	xmrig
behavioral2/files/0x000700000002348b-77.dat	xmrig
behavioral2/memory/4368-81-0x00007FF6EC6C0000-0x00007FF6ECA14000-memory.dmp	xmrig
behavioral2/files/0x000700000002348c-79.dat	xmrig
behavioral2/memory/1268-76-0x00007FF760E80000-0x00007FF7611D4000-memory.dmp	xmrig
behavioral2/memory/4064-74-0x00007FF645370000-0x00007FF6456C4000-memory.dmp	xmrig
behavioral2/memory/1248-73-0x00007FF7BA270000-0x00007FF7BA5C4000-memory.dmp	xmrig
behavioral2/memory/468-64-0x00007FF708140000-0x00007FF708494000-memory.dmp	xmrig
behavioral2/memory/4688-52-0x00007FF748AD0000-0x00007FF748E24000-memory.dmp	xmrig
behavioral2/files/0x0007000000023487-49.dat	xmrig
behavioral2/memory/1576-37-0x00007FF668DF0000-0x00007FF669144000-memory.dmp	xmrig
behavioral2/files/0x000700000002348d-85.dat	xmrig
behavioral2/files/0x0009000000023477-91.dat	xmrig
behavioral2/memory/4692-87-0x00007FF7596F0000-0x00007FF759A44000-memory.dmp	xmrig
behavioral2/files/0x000700000002348e-96.dat	xmrig
behavioral2/files/0x000700000002348f-103.dat	xmrig
behavioral2/files/0x0007000000023490-107.dat	xmrig
behavioral2/files/0x0007000000023491-118.dat	xmrig
behavioral2/files/0x0007000000023493-126.dat	xmrig
behavioral2/files/0x0007000000023492-124.dat	xmrig
behavioral2/memory/468-123-0x00007FF708140000-0x00007FF708494000-memory.dmp	xmrig
behavioral2/memory/1296-120-0x00007FF638DE0000-0x00007FF639134000-memory.dmp	xmrig
behavioral2/memory/2392-109-0x00007FF674EE0000-0x00007FF675234000-memory.dmp	xmrig
behavioral2/memory/1396-108-0x00007FF798FF0000-0x00007FF799344000-memory.dmp	xmrig
behavioral2/memory/3948-105-0x00007FF73E4E0000-0x00007FF73E834000-memory.dmp	xmrig
behavioral2/memory/4280-104-0x00007FF63FF00000-0x00007FF640254000-memory.dmp	xmrig
behavioral2/memory/2328-102-0x00007FF734120000-0x00007FF734474000-memory.dmp	xmrig
behavioral2/memory/1524-99-0x00007FF742070000-0x00007FF7423C4000-memory.dmp	xmrig
behavioral2/memory/2456-95-0x00007FF74DEA0000-0x00007FF74E1F4000-memory.dmp	xmrig
behavioral2/memory/1248-131-0x00007FF7BA270000-0x00007FF7BA5C4000-memory.dmp	xmrig
behavioral2/memory/3016-133-0x00007FF77E0B0000-0x00007FF77E404000-memory.dmp	xmrig
behavioral2/memory/4048-132-0x00007FF662D50000-0x00007FF6630A4000-memory.dmp	xmrig
behavioral2/memory/4064-134-0x00007FF645370000-0x00007FF6456C4000-memory.dmp	xmrig
behavioral2/memory/4368-135-0x00007FF6EC6C0000-0x00007FF6ECA14000-memory.dmp	xmrig
behavioral2/memory/1396-136-0x00007FF798FF0000-0x00007FF799344000-memory.dmp	xmrig
behavioral2/memory/2392-137-0x00007FF674EE0000-0x00007FF675234000-memory.dmp	xmrig
behavioral2/memory/1296-138-0x00007FF638DE0000-0x00007FF639134000-memory.dmp	xmrig
behavioral2/memory/4692-139-0x00007FF7596F0000-0x00007FF759A44000-memory.dmp	xmrig
behavioral2/memory/3320-140-0x00007FF6E2E30000-0x00007FF6E3184000-memory.dmp	xmrig
behavioral2/memory/4280-141-0x00007FF63FF00000-0x00007FF640254000-memory.dmp	xmrig
behavioral2/memory/2328-142-0x00007FF734120000-0x00007FF734474000-memory.dmp	xmrig
behavioral2/memory/1576-143-0x00007FF668DF0000-0x00007FF669144000-memory.dmp	xmrig
behavioral2/memory/4728-144-0x00007FF746800000-0x00007FF746B54000-memory.dmp	xmrig
behavioral2/memory/4688-145-0x00007FF748AD0000-0x00007FF748E24000-memory.dmp	xmrig
behavioral2/memory/2692-146-0x00007FF6B2040000-0x00007FF6B2394000-memory.dmp	xmrig
behavioral2/memory/1484-147-0x00007FF6A0D30000-0x00007FF6A1084000-memory.dmp	xmrig
behavioral2/memory/468-148-0x00007FF708140000-0x00007FF708494000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4692	xquJBnB.exe
3320	icPIetm.exe
4280	ihAeIea.exe
2328	ykGMUdu.exe
1576	WwhKcDs.exe
4728	tHwkQeG.exe
4688	LGgfVCH.exe
2692	JyVAiFq.exe
1484	xWJxrFB.exe
468	fXpzmLI.exe
1248	lzpuNZV.exe
4064	wsUiNsx.exe
4368	qoSAXZH.exe
2456	LqMTsWa.exe
1524	UZlxgXo.exe
3948	WjLOMhv.exe
1396	jiGetzi.exe
2392	CCTovov.exe
1296	lgooyXL.exe
4048	jdKwnma.exe
3016	MmgnMaa.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1268-0-0x00007FF760E80000-0x00007FF7611D4000-memory.dmp	upx
behavioral2/files/0x0009000000023424-4.dat	upx
behavioral2/memory/4692-8-0x00007FF7596F0000-0x00007FF759A44000-memory.dmp	upx
behavioral2/files/0x0009000000023480-11.dat	upx
behavioral2/memory/3320-16-0x00007FF6E2E30000-0x00007FF6E3184000-memory.dmp	upx
behavioral2/files/0x0007000000023483-21.dat	upx
behavioral2/memory/4280-20-0x00007FF63FF00000-0x00007FF640254000-memory.dmp	upx
behavioral2/files/0x0007000000023482-22.dat	upx
behavioral2/files/0x0007000000023484-29.dat	upx
behavioral2/memory/2328-32-0x00007FF734120000-0x00007FF734474000-memory.dmp	upx
behavioral2/files/0x0007000000023485-34.dat	upx
behavioral2/memory/4728-40-0x00007FF746800000-0x00007FF746B54000-memory.dmp	upx
behavioral2/files/0x0007000000023486-45.dat	upx
behavioral2/files/0x0007000000023488-54.dat	upx
behavioral2/memory/2692-56-0x00007FF6B2040000-0x00007FF6B2394000-memory.dmp	upx
behavioral2/files/0x0007000000023489-62.dat	upx
behavioral2/memory/1484-65-0x00007FF6A0D30000-0x00007FF6A1084000-memory.dmp	upx
behavioral2/files/0x000700000002348a-71.dat	upx
behavioral2/files/0x000700000002348b-77.dat	upx
behavioral2/memory/4368-81-0x00007FF6EC6C0000-0x00007FF6ECA14000-memory.dmp	upx
behavioral2/files/0x000700000002348c-79.dat	upx
behavioral2/memory/1268-76-0x00007FF760E80000-0x00007FF7611D4000-memory.dmp	upx
behavioral2/memory/4064-74-0x00007FF645370000-0x00007FF6456C4000-memory.dmp	upx
behavioral2/memory/1248-73-0x00007FF7BA270000-0x00007FF7BA5C4000-memory.dmp	upx
behavioral2/memory/468-64-0x00007FF708140000-0x00007FF708494000-memory.dmp	upx
behavioral2/memory/4688-52-0x00007FF748AD0000-0x00007FF748E24000-memory.dmp	upx
behavioral2/files/0x0007000000023487-49.dat	upx
behavioral2/memory/1576-37-0x00007FF668DF0000-0x00007FF669144000-memory.dmp	upx
behavioral2/files/0x000700000002348d-85.dat	upx
behavioral2/files/0x0009000000023477-91.dat	upx
behavioral2/memory/4692-87-0x00007FF7596F0000-0x00007FF759A44000-memory.dmp	upx
behavioral2/files/0x000700000002348e-96.dat	upx
behavioral2/files/0x000700000002348f-103.dat	upx
behavioral2/files/0x0007000000023490-107.dat	upx
behavioral2/files/0x0007000000023491-118.dat	upx
behavioral2/files/0x0007000000023493-126.dat	upx
behavioral2/files/0x0007000000023492-124.dat	upx
behavioral2/memory/468-123-0x00007FF708140000-0x00007FF708494000-memory.dmp	upx
behavioral2/memory/1296-120-0x00007FF638DE0000-0x00007FF639134000-memory.dmp	upx
behavioral2/memory/2392-109-0x00007FF674EE0000-0x00007FF675234000-memory.dmp	upx
behavioral2/memory/1396-108-0x00007FF798FF0000-0x00007FF799344000-memory.dmp	upx
behavioral2/memory/3948-105-0x00007FF73E4E0000-0x00007FF73E834000-memory.dmp	upx
behavioral2/memory/4280-104-0x00007FF63FF00000-0x00007FF640254000-memory.dmp	upx
behavioral2/memory/2328-102-0x00007FF734120000-0x00007FF734474000-memory.dmp	upx
behavioral2/memory/1524-99-0x00007FF742070000-0x00007FF7423C4000-memory.dmp	upx
behavioral2/memory/2456-95-0x00007FF74DEA0000-0x00007FF74E1F4000-memory.dmp	upx
behavioral2/memory/1248-131-0x00007FF7BA270000-0x00007FF7BA5C4000-memory.dmp	upx
behavioral2/memory/3016-133-0x00007FF77E0B0000-0x00007FF77E404000-memory.dmp	upx
behavioral2/memory/4048-132-0x00007FF662D50000-0x00007FF6630A4000-memory.dmp	upx
behavioral2/memory/4064-134-0x00007FF645370000-0x00007FF6456C4000-memory.dmp	upx
behavioral2/memory/4368-135-0x00007FF6EC6C0000-0x00007FF6ECA14000-memory.dmp	upx
behavioral2/memory/1396-136-0x00007FF798FF0000-0x00007FF799344000-memory.dmp	upx
behavioral2/memory/2392-137-0x00007FF674EE0000-0x00007FF675234000-memory.dmp	upx
behavioral2/memory/1296-138-0x00007FF638DE0000-0x00007FF639134000-memory.dmp	upx
behavioral2/memory/4692-139-0x00007FF7596F0000-0x00007FF759A44000-memory.dmp	upx
behavioral2/memory/3320-140-0x00007FF6E2E30000-0x00007FF6E3184000-memory.dmp	upx
behavioral2/memory/4280-141-0x00007FF63FF00000-0x00007FF640254000-memory.dmp	upx
behavioral2/memory/2328-142-0x00007FF734120000-0x00007FF734474000-memory.dmp	upx
behavioral2/memory/1576-143-0x00007FF668DF0000-0x00007FF669144000-memory.dmp	upx
behavioral2/memory/4728-144-0x00007FF746800000-0x00007FF746B54000-memory.dmp	upx
behavioral2/memory/4688-145-0x00007FF748AD0000-0x00007FF748E24000-memory.dmp	upx
behavioral2/memory/2692-146-0x00007FF6B2040000-0x00007FF6B2394000-memory.dmp	upx
behavioral2/memory/1484-147-0x00007FF6A0D30000-0x00007FF6A1084000-memory.dmp	upx
behavioral2/memory/468-148-0x00007FF708140000-0x00007FF708494000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\fXpzmLI.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qoSAXZH.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LqMTsWa.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WjLOMhv.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jiGetzi.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CCTovov.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lgooyXL.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LGgfVCH.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MmgnMaa.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xWJxrFB.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wsUiNsx.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UZlxgXo.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ihAeIea.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tHwkQeG.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JyVAiFq.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WwhKcDs.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\icPIetm.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ykGMUdu.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lzpuNZV.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jdKwnma.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xquJBnB.exe	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 4692	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1268 wrote to memory of 4692	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1268 wrote to memory of 3320	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1268 wrote to memory of 3320	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1268 wrote to memory of 4280	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1268 wrote to memory of 4280	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1268 wrote to memory of 2328	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1268 wrote to memory of 2328	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1268 wrote to memory of 1576	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1268 wrote to memory of 1576	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1268 wrote to memory of 4728	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1268 wrote to memory of 4728	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1268 wrote to memory of 4688	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1268 wrote to memory of 4688	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1268 wrote to memory of 2692	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1268 wrote to memory of 2692	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1268 wrote to memory of 1484	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1268 wrote to memory of 1484	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1268 wrote to memory of 468	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1268 wrote to memory of 468	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1268 wrote to memory of 1248	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1268 wrote to memory of 1248	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1268 wrote to memory of 4064	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1268 wrote to memory of 4064	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1268 wrote to memory of 4368	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1268 wrote to memory of 4368	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1268 wrote to memory of 2456	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1268 wrote to memory of 2456	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1268 wrote to memory of 1524	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1268 wrote to memory of 1524	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1268 wrote to memory of 3948	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1268 wrote to memory of 3948	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1268 wrote to memory of 1396	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1268 wrote to memory of 1396	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1268 wrote to memory of 2392	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1268 wrote to memory of 2392	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1268 wrote to memory of 1296	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1268 wrote to memory of 1296	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1268 wrote to memory of 4048	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1268 wrote to memory of 4048	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1268 wrote to memory of 3016	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1268 wrote to memory of 3016	1268	2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-09_bb1cf37adac63ce82b54ff5e18391f1b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\System\xquJBnB.exe
  C:\Windows\System\xquJBnB.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\icPIetm.exe
  C:\Windows\System\icPIetm.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System\ihAeIea.exe
  C:\Windows\System\ihAeIea.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\ykGMUdu.exe
  C:\Windows\System\ykGMUdu.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\WwhKcDs.exe
  C:\Windows\System\WwhKcDs.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System\tHwkQeG.exe
  C:\Windows\System\tHwkQeG.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\LGgfVCH.exe
  C:\Windows\System\LGgfVCH.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\JyVAiFq.exe
  C:\Windows\System\JyVAiFq.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\xWJxrFB.exe
  C:\Windows\System\xWJxrFB.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\fXpzmLI.exe
  C:\Windows\System\fXpzmLI.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\lzpuNZV.exe
  C:\Windows\System\lzpuNZV.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\wsUiNsx.exe
  C:\Windows\System\wsUiNsx.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\qoSAXZH.exe
  C:\Windows\System\qoSAXZH.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\LqMTsWa.exe
  C:\Windows\System\LqMTsWa.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\UZlxgXo.exe
  C:\Windows\System\UZlxgXo.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\WjLOMhv.exe
  C:\Windows\System\WjLOMhv.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\jiGetzi.exe
  C:\Windows\System\jiGetzi.exe
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\System\CCTovov.exe
  C:\Windows\System\CCTovov.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\lgooyXL.exe
  C:\Windows\System\lgooyXL.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\jdKwnma.exe
  C:\Windows\System\jdKwnma.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System\MmgnMaa.exe
  C:\Windows\System\MmgnMaa.exe
  2⤵
  - Executes dropped EXE
  PID:3016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CCTovov.exe

Filesize
5.9MB

MD5
e4f59be296ff97a5aaf626d670d78371

SHA1
eb364faa7db21dec534037119812dffd4829f63a

SHA256
7653f01b8dccdb7f010fbef4be332f2f070d53a6400f48792451609d6c6761d7

SHA512
b129bb3ad319b00afe494820efc7c3a542bd6b2c71f0c097bd9cfc3afd57690b8629c4388df5ee1ffd91c5fd0503bcba40176a944c51d20bd16fee26eccb6334

Download Submit
C:\Windows\System\JyVAiFq.exe

Filesize
5.9MB

MD5
c07ca40e65e24a04cc8f034e9dba9b1b

SHA1
61aad2720a1a04c8c659b948b70207d99b338a96

SHA256
c3387398881e61cdf1c3379b68dbd26b30a50e50385a0d40141de6941820dbff

SHA512
917c0ed54110bd95db32b8ecfb887354a594156a0b74bfb0cdec52ebb9a5276eac790fe8e4e2fafe0bbc16791b79c1603a765d6a33861c2286b6ccd1395333b9

Download Submit
C:\Windows\System\LGgfVCH.exe

Filesize
5.9MB

MD5
10a4d3f6db120baa968360efe7ea7c9f

SHA1
bf07fcc767ef11a160ee35e462d47bfdcb362aa0

SHA256
ae395913f6b5d6a24cc5cc6034dec47a5b7b3df33dfd5198f5d329695462da79

SHA512
820f3329647b3d340a4168ec907a4abe97ca2dbf25d16045df154c071600e047de3506e4613e0cce32cf4c71497d382293c8418bf592f3a41284a6b5b4740b3f

Download Submit
C:\Windows\System\LqMTsWa.exe

Filesize
5.9MB

MD5
b31663bd257284c77e32b81335721623

SHA1
297dad7d68cb91a53f631abc962832e4ef299da1

SHA256
d938c2a3c6f5a3a17f3ce87d3853c53c3405fc45b877f083638b63ebea964fa0

SHA512
dd479e4ce35e43f61778138e4dfd8c314d08cc60e54817af7f762243b92a09acd0ea15edb632dd6b00eff93d7f3e2c84d7a56b7661cc5d3dded63b5b5b3a65a6

Download Submit
C:\Windows\System\MmgnMaa.exe

Filesize
5.9MB

MD5
9bc0c50a145f15fd02004d7b88fd09ab

SHA1
ad4d6b6603cf89c066bfd623d26daa848b12440e

SHA256
599022483c57f0b28cfe8a2ca64a160370dd82d724a0014a0c70b8e289425977

SHA512
18d5aaec655f81f85aac0b1957ccc7ffdd1deb631a38c783ed3316cbf3bba72205e0fc1574db2b037a9c687a903a4510175bd97f9188767e49093db121e9f1b6

Download Submit
C:\Windows\System\UZlxgXo.exe

Filesize
5.9MB

MD5
1942208cff0fc6d489f4c8b13d821e21

SHA1
2b4248f6efb19318d1921c13f71c322e969c66fa

SHA256
a0ca3d3c9b4c762363e125977d8c7e184100a4f3e5094322c7be03ff976f746e

SHA512
fbb0b95c225937b603bef0de3caf059f2a8ccfe83ad2f22aef194e8471cfd7996f6236655e145eea8bdc63ddfcfa9adee6395d4bdbf22fc395216a6122ac26b1

Download Submit
C:\Windows\System\WjLOMhv.exe

Filesize
5.9MB

MD5
3d0830cebfcf12cd3548fc8c04589935

SHA1
7c7818d363d24acce09a4db10a860c6570bbe847

SHA256
5c905f524a8169f6c1b6d382e0a041cdf368fbc9c0dcda1bb46411076bce24f0

SHA512
73dbea20a32504c39d1d0ae4c9d0d7c22df09aaba6641c914f4a9b004b43d5f7640ebd30b577c0c3196dac52f9949e5ee87af2144c5a8d5b4571397d94548af0

Download Submit
C:\Windows\System\WwhKcDs.exe

Filesize
5.9MB

MD5
bf9fc7fb1675532794c165d3a5295223

SHA1
a12f6cf706ed4005e85bfac618122c0dcf234939

SHA256
44eb6142185222c64865f41669dcb246cc04bd2ef1083c02fb207bb663e7e800

SHA512
efd9441f01bed4f649d40a58aef41e965484f7c5e92116107da84db1276e23e6f98163862f50edb6a0fa16ac84d5e2130f13c6f35657b32476f69b9cd34b1d5d

Download Submit
C:\Windows\System\fXpzmLI.exe

Filesize
5.9MB

MD5
f0333840fa2cbc63484d72e94d73d784

SHA1
973cb1a4f403740ec70c1b448d12ce68efc39642

SHA256
c9a66809cdbdc8d86f470c85fa8354698d25ff1c1d42d58392dae36cbfc67b5a

SHA512
9090edf60de20f86519c2ef0dc776b80153e005f9e09d83166e0197c351e855b4a995cc0742c20e2b856ba603aeaaa7725dfd830fbd54281cf14d8a4563e5166

Download Submit
C:\Windows\System\icPIetm.exe

Filesize
5.9MB

MD5
6a2fa58079a4627a3dbe189f16a89b47

SHA1
5cda5fa2add3fd684f69c63aa72c08b952289e6c

SHA256
63b81023c5d8d26399a49841eaede1c3cc65fe1198c68da1e0471b8d4c5ac29c

SHA512
8462dc8a63bc17b932a7550436c8827033a4ce0a130550ccdad3362e131a6bf539a9f50ba0ef80fea81d4f6016eb3d48b6a3896fde6197b7214b99f389edd987

Download Submit
C:\Windows\System\ihAeIea.exe

Filesize
5.9MB

MD5
48685e5169936813b008d2ea76774776

SHA1
e3d1bb7726c8fba5b650e71357ec44c5ca7af5ea

SHA256
702ed49d94c97325924948c8f85c8209deee1a105ff61b40fc24201b9e4cf22b

SHA512
a5c2c8bdbfa62f085f4d697d70ca92fd183f1cb5609d5965fd712ebd026a166af05378be80fd22d67fb6d79f53e901471b3fd4ffdbcca1a3b69ef838a425e306

Download Submit
C:\Windows\System\jdKwnma.exe

Filesize
5.9MB

MD5
fce409aaa0fa3b614b6afdecdae68e3f

SHA1
d087e32058c9d962549263a9bc972b46473e4246

SHA256
c28dae710073cca19045f18257241f7810881efbfea542fc4fff328adfbfb6da

SHA512
0ef5b3fa0e5865543de7e010e63adc0abae4d6dc39c5a5bbd6346a8823ff25b7b2fd2b85f8fd2927c5aebf1da3513e3bb6902bac207cbaea8631931514320697

Download Submit
C:\Windows\System\jiGetzi.exe

Filesize
5.9MB

MD5
4d814800c28fb988f560ad4985060368

SHA1
1596500d43b66bde517b90a9142a60bfe7a05112

SHA256
33aa203f3c799d9e4fe1a1028e8ca2a3f717e96d2ec13c5ddb5b125dfe9e73cf

SHA512
7c4e9ef70c9610f232da8befdbe488a2d37605ae377212062f6bf0c4cfcd2942cece7017f182e3415a3a7d038a3270df4b402fe115dd7e841e152586ffd80a18

Download Submit
C:\Windows\System\lgooyXL.exe

Filesize
5.9MB

MD5
3caa294e3ed1e2c9d78085efe4d3bb47

SHA1
f06329054aa6373f571ee7a360c967e0a9c78bf7

SHA256
288da50dd88157e8d0e2c93a76a2d0d04eda2e758078d213691a7753ee923679

SHA512
19b6d8191d876b9d73479f5ce87d97910bb8754a6f55d5912daec44b2644e58be86f44e02aadcd17ff945d2f8621647bb57cf9605064e3797d816f36c84c884f

Download Submit
C:\Windows\System\lzpuNZV.exe

Filesize
5.9MB

MD5
c837a203c21dcd88a639f3751583454a

SHA1
bfbb9a538de4108227911dfc62729c83a85d70e1

SHA256
0a298663babe192e3d5f32689aed659f5d55750d19e2aa01925e1087ef29dd6e

SHA512
e565acc93b6ed29f8d4c7676d6e21112584d0bab6d7e60b1eeac13856a820fa7b41f66ee3c037f87c1398f303543da5507e027e97348f14e7c97a945d8a2f72c

Download Submit
C:\Windows\System\qoSAXZH.exe

Filesize
5.9MB

MD5
ee3da500d90a959a66523a5f12efa391

SHA1
b1b61f726acb005d62f223dab86427762c9b5520

SHA256
4502bb77e13c6cadadec905411e75424bf041b3961d6ce6011b0c1310ff57ec3

SHA512
9d7245734a4d30e7100490b677fbff5cc0c672b0b0dc41139789c77e47c71022aa18301b510c3bcc8fa193522015d6ac4ce8f5b4d33120214ea45d7a1903a34e

Download Submit
C:\Windows\System\tHwkQeG.exe

Filesize
5.9MB

MD5
c86ed8fefcfcd616e91a0d402bd1ae5f

SHA1
2a27cf358eedd3846877d4da30841270e935c680

SHA256
979a5f946a32de0d63df6834f9146267b74da5013d61d97f0b23ab159d8ff0c1

SHA512
b8d13398a3f0f8acb97acb6edc0dcd498e66fa15ca8325dec78368d104b1f3e5bb324af54fb1e479a9a78b61af774a9fd805bc7ccec83a9ac45a9064057d87df

Download Submit
C:\Windows\System\wsUiNsx.exe

Filesize
5.9MB

MD5
4363894d95bb55d5212043131613f524

SHA1
71ea848c4b3826e1bcf2f97eec68b62e4e0c827e

SHA256
5921f9cfb5fa997095852384185451adb23c666eeaa02bb0cdaca271aa0b868a

SHA512
4fca7fa47be90f314a52b6da72c7d8f309ff73d202e2cb8fc5eb1e69206f842bcd395ef6d494342838fc37717973474150f9c195b81fb0105f8ad11b1df629cd

Download Submit
C:\Windows\System\xWJxrFB.exe

Filesize
5.9MB

MD5
31219f48b8789f3a72f2cf1b0b4a04f0

SHA1
0afc5e2082d03c2ddd55f6dd64ba0649ef360259

SHA256
4056238bc9290b043dec4f37378204c8dd53171bb075957356421d2b30bc5391

SHA512
e3e8f730e42dd8e48c761d186d3cf6d7bdc243d7e08a8d9658620fc90437810420e3a8dd1289a8f1830618c5624e0aef355c6c5c8ebd3657d76d83028013b6bb

Download Submit
C:\Windows\System\xquJBnB.exe

Filesize
5.9MB

MD5
ecde5415c480b0c1908488993bd2cc34

SHA1
ad8bf0e4687f7e1d2efb87d4ea7d356dd1dfde55

SHA256
4ca6779f70f339504166481cdd33a1d94e6b061c3a6813d19a9d4a627aa30a83

SHA512
79f6cf36db3855c8390c35efb0b89b370535fc175afb73a90fc9364a476f7b836250a22a2931a618a31d0e825e9dd2400ff91b320f62d9c5582ce143be2ec52f

Download Submit
C:\Windows\System\ykGMUdu.exe

Filesize
5.9MB

MD5
c06e10f7cb362c18d6fba51f374d549f

SHA1
5b749adc861dadea13d1af5d199a1b41a8ae2d73

SHA256
c1bb3860433cd70300f541fbae46ad39ffdcbf389ef7413270f1926a8fc352e0

SHA512
1172182aa4a9d7aed2eff3fd90429fa2911774359cacd89ca44f8f6194224bbdaef0e0463de5aff9b4764291e6aa7d80b241d4aab1edc4ced3ae6c49c8a1df43

Download Submit
memory/468-123-0x00007FF708140000-0x00007FF708494000-memory.dmp

Filesize
3.3MB

Download
memory/468-148-0x00007FF708140000-0x00007FF708494000-memory.dmp

Filesize
3.3MB

Download
memory/468-64-0x00007FF708140000-0x00007FF708494000-memory.dmp

Filesize
3.3MB

Download
memory/1248-73-0x00007FF7BA270000-0x00007FF7BA5C4000-memory.dmp

Filesize
3.3MB

Download
memory/1248-149-0x00007FF7BA270000-0x00007FF7BA5C4000-memory.dmp

Filesize
3.3MB

Download
memory/1248-131-0x00007FF7BA270000-0x00007FF7BA5C4000-memory.dmp

Filesize
3.3MB

Download
memory/1268-0-0x00007FF760E80000-0x00007FF7611D4000-memory.dmp

Filesize
3.3MB

Download
memory/1268-76-0x00007FF760E80000-0x00007FF7611D4000-memory.dmp

Filesize
3.3MB

Download
memory/1268-1-0x000001D9EC600000-0x000001D9EC610000-memory.dmp

Filesize
64KB

Download
memory/1296-157-0x00007FF638DE0000-0x00007FF639134000-memory.dmp

Filesize
3.3MB

Download
memory/1296-120-0x00007FF638DE0000-0x00007FF639134000-memory.dmp

Filesize
3.3MB

Download
memory/1296-138-0x00007FF638DE0000-0x00007FF639134000-memory.dmp

Filesize
3.3MB

Download
memory/1396-155-0x00007FF798FF0000-0x00007FF799344000-memory.dmp

Filesize
3.3MB

Download
memory/1396-136-0x00007FF798FF0000-0x00007FF799344000-memory.dmp

Filesize
3.3MB

Download
memory/1396-108-0x00007FF798FF0000-0x00007FF799344000-memory.dmp

Filesize
3.3MB

Download
memory/1484-147-0x00007FF6A0D30000-0x00007FF6A1084000-memory.dmp

Filesize
3.3MB

Download
memory/1484-65-0x00007FF6A0D30000-0x00007FF6A1084000-memory.dmp

Filesize
3.3MB

Download
memory/1524-99-0x00007FF742070000-0x00007FF7423C4000-memory.dmp

Filesize
3.3MB

Download
memory/1524-153-0x00007FF742070000-0x00007FF7423C4000-memory.dmp

Filesize
3.3MB

Download
memory/1576-37-0x00007FF668DF0000-0x00007FF669144000-memory.dmp

Filesize
3.3MB

Download
memory/1576-143-0x00007FF668DF0000-0x00007FF669144000-memory.dmp

Filesize
3.3MB

Download
memory/2328-32-0x00007FF734120000-0x00007FF734474000-memory.dmp

Filesize
3.3MB

Download
memory/2328-142-0x00007FF734120000-0x00007FF734474000-memory.dmp

Filesize
3.3MB

Download
memory/2328-102-0x00007FF734120000-0x00007FF734474000-memory.dmp

Filesize
3.3MB

Download
memory/2392-156-0x00007FF674EE0000-0x00007FF675234000-memory.dmp

Filesize
3.3MB

Download
memory/2392-109-0x00007FF674EE0000-0x00007FF675234000-memory.dmp

Filesize
3.3MB

Download
memory/2392-137-0x00007FF674EE0000-0x00007FF675234000-memory.dmp

Filesize
3.3MB

Download
memory/2456-95-0x00007FF74DEA0000-0x00007FF74E1F4000-memory.dmp

Filesize
3.3MB

Download
memory/2456-152-0x00007FF74DEA0000-0x00007FF74E1F4000-memory.dmp

Filesize
3.3MB

Download
memory/2692-146-0x00007FF6B2040000-0x00007FF6B2394000-memory.dmp

Filesize
3.3MB

Download
memory/2692-56-0x00007FF6B2040000-0x00007FF6B2394000-memory.dmp

Filesize
3.3MB

Download
memory/3016-133-0x00007FF77E0B0000-0x00007FF77E404000-memory.dmp

Filesize
3.3MB

Download
memory/3016-158-0x00007FF77E0B0000-0x00007FF77E404000-memory.dmp

Filesize
3.3MB

Download
memory/3320-16-0x00007FF6E2E30000-0x00007FF6E3184000-memory.dmp

Filesize
3.3MB

Download
memory/3320-140-0x00007FF6E2E30000-0x00007FF6E3184000-memory.dmp

Filesize
3.3MB

Download
memory/3948-105-0x00007FF73E4E0000-0x00007FF73E834000-memory.dmp

Filesize
3.3MB

Download
memory/3948-154-0x00007FF73E4E0000-0x00007FF73E834000-memory.dmp

Filesize
3.3MB

Download
memory/4048-159-0x00007FF662D50000-0x00007FF6630A4000-memory.dmp

Filesize
3.3MB

Download
memory/4048-132-0x00007FF662D50000-0x00007FF6630A4000-memory.dmp

Filesize
3.3MB

Download
memory/4064-151-0x00007FF645370000-0x00007FF6456C4000-memory.dmp

Filesize
3.3MB

Download
memory/4064-134-0x00007FF645370000-0x00007FF6456C4000-memory.dmp

Filesize
3.3MB

Download
memory/4064-74-0x00007FF645370000-0x00007FF6456C4000-memory.dmp

Filesize
3.3MB

Download
memory/4280-20-0x00007FF63FF00000-0x00007FF640254000-memory.dmp

Filesize
3.3MB

Download
memory/4280-141-0x00007FF63FF00000-0x00007FF640254000-memory.dmp

Filesize
3.3MB

Download
memory/4280-104-0x00007FF63FF00000-0x00007FF640254000-memory.dmp

Filesize
3.3MB

Download
memory/4368-150-0x00007FF6EC6C0000-0x00007FF6ECA14000-memory.dmp

Filesize
3.3MB

Download
memory/4368-135-0x00007FF6EC6C0000-0x00007FF6ECA14000-memory.dmp

Filesize
3.3MB

Download
memory/4368-81-0x00007FF6EC6C0000-0x00007FF6ECA14000-memory.dmp

Filesize
3.3MB

Download
memory/4688-145-0x00007FF748AD0000-0x00007FF748E24000-memory.dmp

Filesize
3.3MB

Download
memory/4688-52-0x00007FF748AD0000-0x00007FF748E24000-memory.dmp

Filesize
3.3MB

Download
memory/4692-139-0x00007FF7596F0000-0x00007FF759A44000-memory.dmp

Filesize
3.3MB

Download
memory/4692-8-0x00007FF7596F0000-0x00007FF759A44000-memory.dmp

Filesize
3.3MB

Download
memory/4692-87-0x00007FF7596F0000-0x00007FF759A44000-memory.dmp

Filesize
3.3MB

Download
memory/4728-144-0x00007FF746800000-0x00007FF746B54000-memory.dmp

Filesize
3.3MB

Download
memory/4728-40-0x00007FF746800000-0x00007FF746B54000-memory.dmp

Filesize
3.3MB

Download