cobaltstrike | 6412482e0591934510b5697f27fe468399ac9957dc52567c875e3c3166316ed4

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

2a94cf09232cc6cedde3b0ecec351e36
SHA1

7dbccda6efeed0f3e62824499de482f21d0e3265
SHA256

6412482e0591934510b5697f27fe468399ac9957dc52567c875e3c3166316ed4
SHA512

8e0b0e6e316a7486b3e8590d9377c23293caec9ed5dbd3a9c3d446d90ce741bfe9fadd46df7da84d52bae9a0a6eb3098e09b571710722d6359fc72c3662829c7
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUc:Q+856utgpPF8u/7c

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234cf-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-12.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-29.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234d0-35.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023414-41.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023413-48.dat	cobalt_reflective_dll
behavioral2/files/0x000b00000002340d-55.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022d12-60.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234de-122.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-124.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e0-138.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234df-133.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dc-111.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234db-106.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234da-100.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-92.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-88.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d7-80.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023416-73.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2400-0-0x00007FF6862B0000-0x00007FF686604000-memory.dmp	xmrig
behavioral2/files/0x00080000000234cf-4.dat	xmrig
behavioral2/memory/2612-8-0x00007FF694540000-0x00007FF694894000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d4-11.dat	xmrig
behavioral2/memory/2320-18-0x00007FF7DC590000-0x00007FF7DC8E4000-memory.dmp	xmrig
behavioral2/memory/3364-14-0x00007FF7CD910000-0x00007FF7CDC64000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d3-12.dat	xmrig
behavioral2/files/0x00070000000234d5-23.dat	xmrig
behavioral2/memory/3892-24-0x00007FF7744F0000-0x00007FF774844000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d6-29.dat	xmrig
behavioral2/memory/4532-30-0x00007FF6677A0000-0x00007FF667AF4000-memory.dmp	xmrig
behavioral2/files/0x00080000000234d0-35.dat	xmrig
behavioral2/memory/628-36-0x00007FF6E56B0000-0x00007FF6E5A04000-memory.dmp	xmrig
behavioral2/files/0x000c000000023414-41.dat	xmrig
behavioral2/memory/1444-42-0x00007FF6B62E0000-0x00007FF6B6634000-memory.dmp	xmrig
behavioral2/files/0x0009000000023413-48.dat	xmrig
behavioral2/memory/2924-50-0x00007FF784FB0000-0x00007FF785304000-memory.dmp	xmrig
behavioral2/memory/2400-54-0x00007FF6862B0000-0x00007FF686604000-memory.dmp	xmrig
behavioral2/files/0x000b00000002340d-55.dat	xmrig
behavioral2/memory/1744-57-0x00007FF6738F0000-0x00007FF673C44000-memory.dmp	xmrig
behavioral2/files/0x0002000000022d12-60.dat	xmrig
behavioral2/memory/448-62-0x00007FF79A230000-0x00007FF79A584000-memory.dmp	xmrig
behavioral2/memory/2612-61-0x00007FF694540000-0x00007FF694894000-memory.dmp	xmrig
behavioral2/memory/5060-71-0x00007FF725E20000-0x00007FF726174000-memory.dmp	xmrig
behavioral2/memory/4052-85-0x00007FF776DA0000-0x00007FF7770F4000-memory.dmp	xmrig
behavioral2/memory/3892-91-0x00007FF7744F0000-0x00007FF774844000-memory.dmp	xmrig
behavioral2/memory/764-94-0x00007FF6CB3F0000-0x00007FF6CB744000-memory.dmp	xmrig
behavioral2/memory/3488-113-0x00007FF6CC220000-0x00007FF6CC574000-memory.dmp	xmrig
behavioral2/memory/1444-118-0x00007FF6B62E0000-0x00007FF6B6634000-memory.dmp	xmrig
behavioral2/files/0x00070000000234de-122.dat	xmrig
behavioral2/files/0x00070000000234dd-124.dat	xmrig
behavioral2/memory/1744-130-0x00007FF6738F0000-0x00007FF673C44000-memory.dmp	xmrig
behavioral2/files/0x00070000000234e0-138.dat	xmrig
behavioral2/memory/1388-137-0x00007FF6DF160000-0x00007FF6DF4B4000-memory.dmp	xmrig
behavioral2/memory/5060-136-0x00007FF725E20000-0x00007FF726174000-memory.dmp	xmrig
behavioral2/memory/448-135-0x00007FF79A230000-0x00007FF79A584000-memory.dmp	xmrig
behavioral2/files/0x00070000000234df-133.dat	xmrig
behavioral2/memory/1308-131-0x00007FF76C7D0000-0x00007FF76CB24000-memory.dmp	xmrig
behavioral2/memory/2924-121-0x00007FF784FB0000-0x00007FF785304000-memory.dmp	xmrig
behavioral2/memory/748-120-0x00007FF7DD100000-0x00007FF7DD454000-memory.dmp	xmrig
behavioral2/memory/4228-119-0x00007FF710420000-0x00007FF710774000-memory.dmp	xmrig
behavioral2/files/0x00070000000234dc-111.dat	xmrig
behavioral2/memory/628-110-0x00007FF6E56B0000-0x00007FF6E5A04000-memory.dmp	xmrig
behavioral2/files/0x00070000000234db-106.dat	xmrig
behavioral2/memory/1912-104-0x00007FF7AC6E0000-0x00007FF7ACA34000-memory.dmp	xmrig
behavioral2/files/0x00070000000234da-100.dat	xmrig
behavioral2/memory/4532-98-0x00007FF6677A0000-0x00007FF667AF4000-memory.dmp	xmrig
behavioral2/memory/112-97-0x00007FF72C3B0000-0x00007FF72C704000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d9-92.dat	xmrig
behavioral2/files/0x00070000000234d8-88.dat	xmrig
behavioral2/memory/2196-86-0x00007FF7E8BC0000-0x00007FF7E8F14000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d7-80.dat	xmrig
behavioral2/memory/2320-77-0x00007FF7DC590000-0x00007FF7DC8E4000-memory.dmp	xmrig
behavioral2/files/0x000b000000023416-73.dat	xmrig
behavioral2/memory/3364-68-0x00007FF7CD910000-0x00007FF7CDC64000-memory.dmp	xmrig
behavioral2/memory/4052-140-0x00007FF776DA0000-0x00007FF7770F4000-memory.dmp	xmrig
behavioral2/memory/2196-141-0x00007FF7E8BC0000-0x00007FF7E8F14000-memory.dmp	xmrig
behavioral2/memory/112-142-0x00007FF72C3B0000-0x00007FF72C704000-memory.dmp	xmrig
behavioral2/memory/1912-143-0x00007FF7AC6E0000-0x00007FF7ACA34000-memory.dmp	xmrig
behavioral2/memory/3488-144-0x00007FF6CC220000-0x00007FF6CC574000-memory.dmp	xmrig
behavioral2/memory/4228-145-0x00007FF710420000-0x00007FF710774000-memory.dmp	xmrig
behavioral2/memory/748-146-0x00007FF7DD100000-0x00007FF7DD454000-memory.dmp	xmrig
behavioral2/memory/1308-147-0x00007FF76C7D0000-0x00007FF76CB24000-memory.dmp	xmrig
behavioral2/memory/1388-148-0x00007FF6DF160000-0x00007FF6DF4B4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2612	OjVEjzi.exe
3364	LPCcjKj.exe
2320	YYkOXrR.exe
3892	qBgbQie.exe
4532	axSCYYj.exe
628	CesXXwz.exe
1444	zmWwnRt.exe
2924	GhjjjcQ.exe
1744	mwatLWH.exe
448	yLZLBIc.exe
5060	FOGCaZS.exe
4052	wTsTBJF.exe
764	vHeapso.exe
2196	TYDbvfx.exe
112	gFAOOUz.exe
1912	HhEzrMq.exe
3488	EEUtuqy.exe
4228	GTeRbVU.exe
748	cwOXsqv.exe
1308	NVIQlfn.exe
1388	Duxbpet.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2400-0-0x00007FF6862B0000-0x00007FF686604000-memory.dmp	upx
behavioral2/files/0x00080000000234cf-4.dat	upx
behavioral2/memory/2612-8-0x00007FF694540000-0x00007FF694894000-memory.dmp	upx
behavioral2/files/0x00070000000234d4-11.dat	upx
behavioral2/memory/2320-18-0x00007FF7DC590000-0x00007FF7DC8E4000-memory.dmp	upx
behavioral2/memory/3364-14-0x00007FF7CD910000-0x00007FF7CDC64000-memory.dmp	upx
behavioral2/files/0x00070000000234d3-12.dat	upx
behavioral2/files/0x00070000000234d5-23.dat	upx
behavioral2/memory/3892-24-0x00007FF7744F0000-0x00007FF774844000-memory.dmp	upx
behavioral2/files/0x00070000000234d6-29.dat	upx
behavioral2/memory/4532-30-0x00007FF6677A0000-0x00007FF667AF4000-memory.dmp	upx
behavioral2/files/0x00080000000234d0-35.dat	upx
behavioral2/memory/628-36-0x00007FF6E56B0000-0x00007FF6E5A04000-memory.dmp	upx
behavioral2/files/0x000c000000023414-41.dat	upx
behavioral2/memory/1444-42-0x00007FF6B62E0000-0x00007FF6B6634000-memory.dmp	upx
behavioral2/files/0x0009000000023413-48.dat	upx
behavioral2/memory/2924-50-0x00007FF784FB0000-0x00007FF785304000-memory.dmp	upx
behavioral2/memory/2400-54-0x00007FF6862B0000-0x00007FF686604000-memory.dmp	upx
behavioral2/files/0x000b00000002340d-55.dat	upx
behavioral2/memory/1744-57-0x00007FF6738F0000-0x00007FF673C44000-memory.dmp	upx
behavioral2/files/0x0002000000022d12-60.dat	upx
behavioral2/memory/448-62-0x00007FF79A230000-0x00007FF79A584000-memory.dmp	upx
behavioral2/memory/2612-61-0x00007FF694540000-0x00007FF694894000-memory.dmp	upx
behavioral2/memory/5060-71-0x00007FF725E20000-0x00007FF726174000-memory.dmp	upx
behavioral2/memory/4052-85-0x00007FF776DA0000-0x00007FF7770F4000-memory.dmp	upx
behavioral2/memory/3892-91-0x00007FF7744F0000-0x00007FF774844000-memory.dmp	upx
behavioral2/memory/764-94-0x00007FF6CB3F0000-0x00007FF6CB744000-memory.dmp	upx
behavioral2/memory/3488-113-0x00007FF6CC220000-0x00007FF6CC574000-memory.dmp	upx
behavioral2/memory/1444-118-0x00007FF6B62E0000-0x00007FF6B6634000-memory.dmp	upx
behavioral2/files/0x00070000000234de-122.dat	upx
behavioral2/files/0x00070000000234dd-124.dat	upx
behavioral2/memory/1744-130-0x00007FF6738F0000-0x00007FF673C44000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-138.dat	upx
behavioral2/memory/1388-137-0x00007FF6DF160000-0x00007FF6DF4B4000-memory.dmp	upx
behavioral2/memory/5060-136-0x00007FF725E20000-0x00007FF726174000-memory.dmp	upx
behavioral2/memory/448-135-0x00007FF79A230000-0x00007FF79A584000-memory.dmp	upx
behavioral2/files/0x00070000000234df-133.dat	upx
behavioral2/memory/1308-131-0x00007FF76C7D0000-0x00007FF76CB24000-memory.dmp	upx
behavioral2/memory/2924-121-0x00007FF784FB0000-0x00007FF785304000-memory.dmp	upx
behavioral2/memory/748-120-0x00007FF7DD100000-0x00007FF7DD454000-memory.dmp	upx
behavioral2/memory/4228-119-0x00007FF710420000-0x00007FF710774000-memory.dmp	upx
behavioral2/files/0x00070000000234dc-111.dat	upx
behavioral2/memory/628-110-0x00007FF6E56B0000-0x00007FF6E5A04000-memory.dmp	upx
behavioral2/files/0x00070000000234db-106.dat	upx
behavioral2/memory/1912-104-0x00007FF7AC6E0000-0x00007FF7ACA34000-memory.dmp	upx
behavioral2/files/0x00070000000234da-100.dat	upx
behavioral2/memory/4532-98-0x00007FF6677A0000-0x00007FF667AF4000-memory.dmp	upx
behavioral2/memory/112-97-0x00007FF72C3B0000-0x00007FF72C704000-memory.dmp	upx
behavioral2/files/0x00070000000234d9-92.dat	upx
behavioral2/files/0x00070000000234d8-88.dat	upx
behavioral2/memory/2196-86-0x00007FF7E8BC0000-0x00007FF7E8F14000-memory.dmp	upx
behavioral2/files/0x00070000000234d7-80.dat	upx
behavioral2/memory/2320-77-0x00007FF7DC590000-0x00007FF7DC8E4000-memory.dmp	upx
behavioral2/files/0x000b000000023416-73.dat	upx
behavioral2/memory/3364-68-0x00007FF7CD910000-0x00007FF7CDC64000-memory.dmp	upx
behavioral2/memory/4052-140-0x00007FF776DA0000-0x00007FF7770F4000-memory.dmp	upx
behavioral2/memory/2196-141-0x00007FF7E8BC0000-0x00007FF7E8F14000-memory.dmp	upx
behavioral2/memory/112-142-0x00007FF72C3B0000-0x00007FF72C704000-memory.dmp	upx
behavioral2/memory/1912-143-0x00007FF7AC6E0000-0x00007FF7ACA34000-memory.dmp	upx
behavioral2/memory/3488-144-0x00007FF6CC220000-0x00007FF6CC574000-memory.dmp	upx
behavioral2/memory/4228-145-0x00007FF710420000-0x00007FF710774000-memory.dmp	upx
behavioral2/memory/748-146-0x00007FF7DD100000-0x00007FF7DD454000-memory.dmp	upx
behavioral2/memory/1308-147-0x00007FF76C7D0000-0x00007FF76CB24000-memory.dmp	upx
behavioral2/memory/1388-148-0x00007FF6DF160000-0x00007FF6DF4B4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\qBgbQie.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mwatLWH.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FOGCaZS.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TYDbvfx.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EEUtuqy.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Duxbpet.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YYkOXrR.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LPCcjKj.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\axSCYYj.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CesXXwz.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GhjjjcQ.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yLZLBIc.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wTsTBJF.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gFAOOUz.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OjVEjzi.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cwOXsqv.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NVIQlfn.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HhEzrMq.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vHeapso.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GTeRbVU.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zmWwnRt.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2612	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2400 wrote to memory of 2612	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2400 wrote to memory of 3364	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2400 wrote to memory of 3364	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2400 wrote to memory of 2320	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2400 wrote to memory of 2320	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2400 wrote to memory of 3892	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2400 wrote to memory of 3892	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2400 wrote to memory of 4532	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2400 wrote to memory of 4532	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2400 wrote to memory of 628	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2400 wrote to memory of 628	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2400 wrote to memory of 1444	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2400 wrote to memory of 1444	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2400 wrote to memory of 2924	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2400 wrote to memory of 2924	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2400 wrote to memory of 1744	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2400 wrote to memory of 1744	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2400 wrote to memory of 448	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2400 wrote to memory of 448	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2400 wrote to memory of 5060	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2400 wrote to memory of 5060	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2400 wrote to memory of 4052	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2400 wrote to memory of 4052	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2400 wrote to memory of 764	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2400 wrote to memory of 764	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2400 wrote to memory of 2196	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2400 wrote to memory of 2196	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2400 wrote to memory of 112	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2400 wrote to memory of 112	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2400 wrote to memory of 1912	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2400 wrote to memory of 1912	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2400 wrote to memory of 3488	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2400 wrote to memory of 3488	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2400 wrote to memory of 748	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2400 wrote to memory of 748	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2400 wrote to memory of 4228	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2400 wrote to memory of 4228	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2400 wrote to memory of 1308	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2400 wrote to memory of 1308	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2400 wrote to memory of 1388	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2400 wrote to memory of 1388	2400	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\System\OjVEjzi.exe
  C:\Windows\System\OjVEjzi.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\LPCcjKj.exe
  C:\Windows\System\LPCcjKj.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System\YYkOXrR.exe
  C:\Windows\System\YYkOXrR.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\qBgbQie.exe
  C:\Windows\System\qBgbQie.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\axSCYYj.exe
  C:\Windows\System\axSCYYj.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\CesXXwz.exe
  C:\Windows\System\CesXXwz.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\zmWwnRt.exe
  C:\Windows\System\zmWwnRt.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\GhjjjcQ.exe
  C:\Windows\System\GhjjjcQ.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\mwatLWH.exe
  C:\Windows\System\mwatLWH.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\yLZLBIc.exe
  C:\Windows\System\yLZLBIc.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System\FOGCaZS.exe
  C:\Windows\System\FOGCaZS.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\wTsTBJF.exe
  C:\Windows\System\wTsTBJF.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System\vHeapso.exe
  C:\Windows\System\vHeapso.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\TYDbvfx.exe
  C:\Windows\System\TYDbvfx.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\gFAOOUz.exe
  C:\Windows\System\gFAOOUz.exe
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\System\HhEzrMq.exe
  C:\Windows\System\HhEzrMq.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\EEUtuqy.exe
  C:\Windows\System\EEUtuqy.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System\cwOXsqv.exe
  C:\Windows\System\cwOXsqv.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System\GTeRbVU.exe
  C:\Windows\System\GTeRbVU.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System\NVIQlfn.exe
  C:\Windows\System\NVIQlfn.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System\Duxbpet.exe
  C:\Windows\System\Duxbpet.exe
  2⤵
  - Executes dropped EXE
  PID:1388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CesXXwz.exe

Filesize
5.9MB

MD5
fc493fa2fac0f1fc4776f1d1aa7ef1d7

SHA1
bc7279638f66a18ca5f2008f4aa37faa98aa0ad0

SHA256
3766bba4f16110f2a9637f9e4fc19b42acd2f3ae0b5cb6825d30204242f3e135

SHA512
0676bb5b8ed037757eaa7d700c2c2d074b0581e569ac6abf614d49e634614760a3deb7a637f0fdd169b11029872d967b59c8f4bbe3048aa61332421922e1f510

Download Submit
C:\Windows\System\Duxbpet.exe

Filesize
5.9MB

MD5
b204c6a3026b0bb30a12d672e2bdfec0

SHA1
48a7ac0960a7fd63b832a5da82a16d6d30a97101

SHA256
df450554d4ef5c74fbafdb57c1a30f70c7dd2da22da9cca8bbf186e6d67711b9

SHA512
dd6291bde121a0442457f73861c39a52781877a4e33ff13999a643ed6d43f5f4f6180c3188d2533ea3ba4177b71e1220407da53224aee65a1a73db432e58dd58

Download Submit
C:\Windows\System\EEUtuqy.exe

Filesize
5.9MB

MD5
93816c1771d95186f58fca836545da70

SHA1
2a2741e7f2317d5fd51b4402abe2f63c26836c28

SHA256
63546eb83965c24f09a3e9b5e8c4126185ee58f74a1261ba666a6dcb1db5795c

SHA512
2df83c70876ef6d1afcebb65bc2312e20c46e2aab0e253e4f23f9f337e91ca1fbe778c725884da1311ccc5f25954d75b6bd6e6a8a71a3136c7305ba457440f64

Download Submit
C:\Windows\System\FOGCaZS.exe

Filesize
5.9MB

MD5
8459e15f5bdd6ecf1cd93d6dcc8ae42f

SHA1
f553c19dff7ebc09874cb15fddd32c88dc1a30c8

SHA256
7480d0bdeffd60213abb892dd88d0f7c53a5dd0de225d9bdc553ee48f17384de

SHA512
c1319f57ef68a287371f4771f6bbf93d22df7c3cd072c5547cffc404d8888b12a6a51e5f2da1b8c51234d635b92fb2bc00cf02c60f81b6c0a645085c9577616f

Download Submit
C:\Windows\System\GTeRbVU.exe

Filesize
5.9MB

MD5
be6d0e86c9b6221b6c6caf7b609206f2

SHA1
749fea4cb6401a4b8a17c7702a80bd74bdc807a9

SHA256
0356e15edd35ce40f5a0fd53343eab78de038b0bcf0b586fcf90c2291e35e2da

SHA512
54046014a96c27bd398496ef2a3a10a26e0df7e3072275f50f9ba65bb396335289043bfc61c2c8fea21ecc9a8af83c0616494941573a250080c9075a4a9a5db4

Download Submit
C:\Windows\System\GhjjjcQ.exe

Filesize
5.9MB

MD5
dc648e60b6dca1652c1aa2663c13581c

SHA1
c893718f64633fca3f4789b02657c48ba0062de5

SHA256
d9b94b27b7a471df01e9451770f3d553acc84d4920ac80f39299d987a5c5df1e

SHA512
eba16da48ea2151d22eb6cf6b87061a3c6f339f7a688551a4fd6b6846d979029be66b79cf1a6f16e06ec9ce10f158b074ded2eda752ac6f8f32e6622df02763b

Download Submit
C:\Windows\System\HhEzrMq.exe

Filesize
5.9MB

MD5
29ca44aee55b9e37c1e0c01eedf0b797

SHA1
1131b911de63351b38c72520a9654a435a4f3613

SHA256
c31abcef68db5da7ed9b9c86da6481a891074713c01f03c2f6d46ca675859563

SHA512
8828d2cd8ffd56722ce3af19cb4ee85763b307452bb10cb90f1f04575098dced825540f7b9ef0f9505d6e038c905a916a59f09c93ffd5768922fe7004795a300

Download Submit
C:\Windows\System\LPCcjKj.exe

Filesize
5.9MB

MD5
efed1fe6858f54d5d47e4d25bada6688

SHA1
144f125ca6e1e40f9898e63f10ca2cbe009cbc42

SHA256
487dd3f7676aee0c5f55f6abad232cbe3c3e49dae5968433066136152a709efc

SHA512
008ba5427a3b431b0a97266d67d9ec8a6c521c29b9c5e3b850293379e6083125ce98a6818f81383a536a83e9544482c948ed52849d4d54bc70a5f71978c431fe

Download Submit
C:\Windows\System\NVIQlfn.exe

Filesize
5.9MB

MD5
475d68bf4e88218da7d00a438a969dd4

SHA1
86928ddf88e646a58c70a39684a58c16776af75b

SHA256
aada9e078e384f7f34d277d772da347e12dd6e099e6063d2d3c2f6c599d1cd36

SHA512
a6bac9a1a1b7c8c7d33cf478cd1fc0a8ba17ae5490c8368ae2045fb5fc2cc541ce9729d61e6d55beaf913d8d87145cae6fc08926c6e626aa0920d532364bfbb7

Download Submit
C:\Windows\System\OjVEjzi.exe

Filesize
5.9MB

MD5
5201fbec37f160201f2ed415d17600f9

SHA1
fedfb35e95c099fab5e66ecc4631ae1455e7dd7e

SHA256
529c52c0527b4827d63256e9b8df7ba766596f637600ced2b8d21f3fceb22c32

SHA512
55906388c12c52bf9d3801cda98e48951061eeb1918a98dab0c5d4f814dd4cd8f10a9a1759b1e991fdf5be4f69f896f1dcebc28d91a2b44d5c76f0536643e730

Download Submit
C:\Windows\System\TYDbvfx.exe

Filesize
5.9MB

MD5
d3edae51d693bd234bce8b20e9915ebb

SHA1
c1ae6e2fc6fd6f718df69250cf652d04dba8df07

SHA256
94508b9665a2227d22c8477dce48e615a1ec2f7c80fe6a6d3e5ffacf65043814

SHA512
13e79d0fc2df29c5308ad4176f1aaf50b309e8230d05044087ae5e4cbe7ec4d5094c63dba01b97917e2fc24d0e54e19de29c9d46cc6bdee0ce070ee6e7715d4e

Download Submit
C:\Windows\System\YYkOXrR.exe

Filesize
5.9MB

MD5
558e3408b09a50340e89780ae1e7b991

SHA1
bf0b4975d6f9561028c65d551aef8fdb4f713142

SHA256
df166d3239d874ae6ade1edf7ed782be06e3acb34d3fb717ab2a3c34a5f77244

SHA512
b50659d533d02b70c5d96f182280c5c870fc699e9a6e2dbb7e86e0b2b374c76f6a52b1156dfd5c4c7e13f1ec95bb739967c211abd2dcd4464e874ca362579de6

Download Submit
C:\Windows\System\axSCYYj.exe

Filesize
5.9MB

MD5
497629a1f9c9e209756639bf16213452

SHA1
235384ff734b2358bab257c91a4d2f573e3f252e

SHA256
d3eac89417ca58e57aaf2137d3b2635bc8260244146b98969c23d7c9fd2cebc0

SHA512
5412bcd1fa6ed5bcb13b13af3d6ae30f2af0a9cfd6add7ab89911c20c8b4ac1b5dbf9ccf6f803766079629a80dccb1c81276bd4d3e2ebadba1db8661c49c839b

Download Submit
C:\Windows\System\cwOXsqv.exe

Filesize
5.9MB

MD5
b459d0eff2146ea11a36d846bb915cc9

SHA1
a07f152573f770ce876ee0503ac1a54200c42947

SHA256
9b914d767f6b93dc72f6b7195bee1cb03c1167099bd6fbea614f9dba9d370781

SHA512
005d80262789f8e30c5527f07c4c4e2968c01af9d3b25ee90defa1540485c737becf7d1121d3528d3a8fa76e60a3b22571f94f8e543345bfacede60d8fd81722

Download Submit
C:\Windows\System\gFAOOUz.exe

Filesize
5.9MB

MD5
8467ae6a8cad5b3dc032d911bfeadd47

SHA1
d9d0c6f1673c0501b3618ee787edb9222f085358

SHA256
86fd2cc2a1a1ba660e2acefccbe6d12decad51e972fbf9950c537b65b2cacf6b

SHA512
2f4e2d430338cd7d726c3b61d553959c5031447aa2d6a85054dd4b33164f62c0c304491ef92ee1da8866491a1e4786a177ba5ba519fac877872c29975ecf9e2b

Download Submit
C:\Windows\System\mwatLWH.exe

Filesize
5.9MB

MD5
825eaec4160bd7401c46690e1bc10a55

SHA1
6074b6773bd119b68e30f5c8e645c6bb7da4c73c

SHA256
bc9541b66585134a82032c3f40809f78f223ff64bb32d82c6761f4fa3bf962b3

SHA512
156815bccf178cd5022224a4357e90f455774368290876a112729ce7bbba500432e64a2ceb3b9568cbc081b9586774d79b535538fcaa9ffd4d7d01f7cb4e9e91

Download Submit
C:\Windows\System\qBgbQie.exe

Filesize
5.9MB

MD5
6a59abc302cc25abb80b99e3a37b3826

SHA1
f307ffe5d9ad8b8bcac20a1f8c238452b24bc403

SHA256
a277f025def6459228788be163068286c83810635eeb0532a0d24ac12840508f

SHA512
9901e624beb6b7b837e06252763d6b7e5e6abd5f422d995655964ac0d090c3b7157581066716391e97e82afc50843d0b593fe90aa3654695e42cbaa6edf20fa6

Download Submit
C:\Windows\System\vHeapso.exe

Filesize
5.9MB

MD5
7b37024aa93217399687dff11dd903b5

SHA1
48ad6f94f07f7e14318a74e5da9e2d8740c2f06f

SHA256
ff8eca567a081909c1501f22b4076e7f297b753d87ac4a6ac8e21ac2671514ef

SHA512
422d9cdecff3da085478f83cf5e029d027a79f25fa0514007dd99ef573edfab0b9fdc1dda531dc23ad1573e160efec4bdc20f4e81e8a0092f55e1c38e888fe49

Download Submit
C:\Windows\System\wTsTBJF.exe

Filesize
5.9MB

MD5
0a7a35f3007c7b75bbda86530ff38387

SHA1
fcfd0fe29a88acb5c6266a190ff80378d6e8c282

SHA256
67f0019ecb34cc2fa6f426c817eee13687750c9af272041452a938976626197c

SHA512
7b5f4dfaea390a4eddc0241953f5c5b454989cbaea92590a581cb2805d9564d244f679eced99f111f7a19c596431fea9372b7f6a43be8bdf2fe734347f791a41

Download Submit
C:\Windows\System\yLZLBIc.exe

Filesize
5.9MB

MD5
474f2882ef5fa086e6d96e2b459919ed

SHA1
d5781052a6c79254a0f0a6b29548d91d3b2d27ba

SHA256
d089e1fe96a158cb517942d57ea341df17f390a3021f03d3382ffd6ab5815f47

SHA512
b7b20e0836cd8b6ea7ac6cb57282eb2a542ec38dd75c7d163554812b105eb5aa00693e07d7ff781ff6879414c670638ec4e73fec93dfd63b98b8ff32043ab2b4

Download Submit
C:\Windows\System\zmWwnRt.exe

Filesize
5.9MB

MD5
01e3fca75aa1531a136bf59c7b4531cb

SHA1
9ee521123c04f43ab0e6d49f0b5d4f2464ddf11b

SHA256
1a0897dbc21d34eea06d7e5a4eda70c21ea379f3ac0dfd051d817a647364d663

SHA512
1ab1e48eaa3d85e07e1a205837519c5cbb04e91f0374552b341f9a7203479b6d7ad521920fb08c7d247a065851a7b7ab6c917741f2951bf06257a982624885f0

Download Submit
memory/112-97-0x00007FF72C3B0000-0x00007FF72C704000-memory.dmp

Filesize
3.3MB

Download
memory/112-162-0x00007FF72C3B0000-0x00007FF72C704000-memory.dmp

Filesize
3.3MB

Download
memory/112-142-0x00007FF72C3B0000-0x00007FF72C704000-memory.dmp

Filesize
3.3MB

Download
memory/448-62-0x00007FF79A230000-0x00007FF79A584000-memory.dmp

Filesize
3.3MB

Download
memory/448-158-0x00007FF79A230000-0x00007FF79A584000-memory.dmp

Filesize
3.3MB

Download
memory/448-135-0x00007FF79A230000-0x00007FF79A584000-memory.dmp

Filesize
3.3MB

Download
memory/628-110-0x00007FF6E56B0000-0x00007FF6E5A04000-memory.dmp

Filesize
3.3MB

Download
memory/628-154-0x00007FF6E56B0000-0x00007FF6E5A04000-memory.dmp

Filesize
3.3MB

Download
memory/628-36-0x00007FF6E56B0000-0x00007FF6E5A04000-memory.dmp

Filesize
3.3MB

Download
memory/748-167-0x00007FF7DD100000-0x00007FF7DD454000-memory.dmp

Filesize
3.3MB

Download
memory/748-146-0x00007FF7DD100000-0x00007FF7DD454000-memory.dmp

Filesize
3.3MB

Download
memory/748-120-0x00007FF7DD100000-0x00007FF7DD454000-memory.dmp

Filesize
3.3MB

Download
memory/764-94-0x00007FF6CB3F0000-0x00007FF6CB744000-memory.dmp

Filesize
3.3MB

Download
memory/764-160-0x00007FF6CB3F0000-0x00007FF6CB744000-memory.dmp

Filesize
3.3MB

Download
memory/1308-147-0x00007FF76C7D0000-0x00007FF76CB24000-memory.dmp

Filesize
3.3MB

Download
memory/1308-168-0x00007FF76C7D0000-0x00007FF76CB24000-memory.dmp

Filesize
3.3MB

Download
memory/1308-131-0x00007FF76C7D0000-0x00007FF76CB24000-memory.dmp

Filesize
3.3MB

Download
memory/1388-169-0x00007FF6DF160000-0x00007FF6DF4B4000-memory.dmp

Filesize
3.3MB

Download
memory/1388-137-0x00007FF6DF160000-0x00007FF6DF4B4000-memory.dmp

Filesize
3.3MB

Download
memory/1388-148-0x00007FF6DF160000-0x00007FF6DF4B4000-memory.dmp

Filesize
3.3MB

Download
memory/1444-118-0x00007FF6B62E0000-0x00007FF6B6634000-memory.dmp

Filesize
3.3MB

Download
memory/1444-42-0x00007FF6B62E0000-0x00007FF6B6634000-memory.dmp

Filesize
3.3MB

Download
memory/1444-155-0x00007FF6B62E0000-0x00007FF6B6634000-memory.dmp

Filesize
3.3MB

Download
memory/1744-130-0x00007FF6738F0000-0x00007FF673C44000-memory.dmp

Filesize
3.3MB

Download
memory/1744-157-0x00007FF6738F0000-0x00007FF673C44000-memory.dmp

Filesize
3.3MB

Download
memory/1744-57-0x00007FF6738F0000-0x00007FF673C44000-memory.dmp

Filesize
3.3MB

Download
memory/1912-143-0x00007FF7AC6E0000-0x00007FF7ACA34000-memory.dmp

Filesize
3.3MB

Download
memory/1912-104-0x00007FF7AC6E0000-0x00007FF7ACA34000-memory.dmp

Filesize
3.3MB

Download
memory/1912-164-0x00007FF7AC6E0000-0x00007FF7ACA34000-memory.dmp

Filesize
3.3MB

Download
memory/2196-141-0x00007FF7E8BC0000-0x00007FF7E8F14000-memory.dmp

Filesize
3.3MB

Download
memory/2196-86-0x00007FF7E8BC0000-0x00007FF7E8F14000-memory.dmp

Filesize
3.3MB

Download
memory/2196-163-0x00007FF7E8BC0000-0x00007FF7E8F14000-memory.dmp

Filesize
3.3MB

Download
memory/2320-151-0x00007FF7DC590000-0x00007FF7DC8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2320-77-0x00007FF7DC590000-0x00007FF7DC8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2320-18-0x00007FF7DC590000-0x00007FF7DC8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2400-0-0x00007FF6862B0000-0x00007FF686604000-memory.dmp

Filesize
3.3MB

Download
memory/2400-54-0x00007FF6862B0000-0x00007FF686604000-memory.dmp

Filesize
3.3MB

Download
memory/2400-1-0x000001A128900000-0x000001A128910000-memory.dmp

Filesize
64KB

Download
memory/2612-61-0x00007FF694540000-0x00007FF694894000-memory.dmp

Filesize
3.3MB

Download
memory/2612-8-0x00007FF694540000-0x00007FF694894000-memory.dmp

Filesize
3.3MB

Download
memory/2612-149-0x00007FF694540000-0x00007FF694894000-memory.dmp

Filesize
3.3MB

Download
memory/2924-121-0x00007FF784FB0000-0x00007FF785304000-memory.dmp

Filesize
3.3MB

Download
memory/2924-156-0x00007FF784FB0000-0x00007FF785304000-memory.dmp

Filesize
3.3MB

Download
memory/2924-50-0x00007FF784FB0000-0x00007FF785304000-memory.dmp

Filesize
3.3MB

Download
memory/3364-68-0x00007FF7CD910000-0x00007FF7CDC64000-memory.dmp

Filesize
3.3MB

Download
memory/3364-14-0x00007FF7CD910000-0x00007FF7CDC64000-memory.dmp

Filesize
3.3MB

Download
memory/3364-150-0x00007FF7CD910000-0x00007FF7CDC64000-memory.dmp

Filesize
3.3MB

Download
memory/3488-113-0x00007FF6CC220000-0x00007FF6CC574000-memory.dmp

Filesize
3.3MB

Download
memory/3488-165-0x00007FF6CC220000-0x00007FF6CC574000-memory.dmp

Filesize
3.3MB

Download
memory/3488-144-0x00007FF6CC220000-0x00007FF6CC574000-memory.dmp

Filesize
3.3MB

Download
memory/3892-24-0x00007FF7744F0000-0x00007FF774844000-memory.dmp

Filesize
3.3MB

Download
memory/3892-152-0x00007FF7744F0000-0x00007FF774844000-memory.dmp

Filesize
3.3MB

Download
memory/3892-91-0x00007FF7744F0000-0x00007FF774844000-memory.dmp

Filesize
3.3MB

Download
memory/4052-161-0x00007FF776DA0000-0x00007FF7770F4000-memory.dmp

Filesize
3.3MB

Download
memory/4052-85-0x00007FF776DA0000-0x00007FF7770F4000-memory.dmp

Filesize
3.3MB

Download
memory/4052-140-0x00007FF776DA0000-0x00007FF7770F4000-memory.dmp

Filesize
3.3MB

Download
memory/4228-145-0x00007FF710420000-0x00007FF710774000-memory.dmp

Filesize
3.3MB

Download
memory/4228-119-0x00007FF710420000-0x00007FF710774000-memory.dmp

Filesize
3.3MB

Download
memory/4228-166-0x00007FF710420000-0x00007FF710774000-memory.dmp

Filesize
3.3MB

Download
memory/4532-30-0x00007FF6677A0000-0x00007FF667AF4000-memory.dmp

Filesize
3.3MB

Download
memory/4532-153-0x00007FF6677A0000-0x00007FF667AF4000-memory.dmp

Filesize
3.3MB

Download
memory/4532-98-0x00007FF6677A0000-0x00007FF667AF4000-memory.dmp

Filesize
3.3MB

Download
memory/5060-159-0x00007FF725E20000-0x00007FF726174000-memory.dmp

Filesize
3.3MB

Download
memory/5060-71-0x00007FF725E20000-0x00007FF726174000-memory.dmp

Filesize
3.3MB

Download
memory/5060-136-0x00007FF725E20000-0x00007FF726174000-memory.dmp

Filesize
3.3MB

Download