cobaltstrike | 9896b3a2d7393ea7c53def66661b5045f1067ebf63c2e15843717e0ea2dbfcb2

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

22a78eabde98f942f0513bda3391a1d0
SHA1

1f38e94429c0aa20dba296540cd4e7921fb76cd6
SHA256

9896b3a2d7393ea7c53def66661b5045f1067ebf63c2e15843717e0ea2dbfcb2
SHA512

34edf4039016d79ba00b00a8e2bf896db02965a1e4e51b143f21ca104c7a33e0e94e797023cb790529ffbf77421daacd04708336214f806a892800a20cf2618e
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUS:T+856utgpPF8u/7S

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234a8-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ac-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ad-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ae-24.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234af-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b0-34.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b1-41.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b2-45.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b3-50.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234a9-54.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b4-61.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b5-71.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b7-77.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b9-89.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ba-100.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b8-87.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bb-105.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234be-119.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-118.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bc-112.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bf-130.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1136-0-0x00007FF6CE100000-0x00007FF6CE454000-memory.dmp	xmrig
behavioral2/files/0x00080000000234a8-4.dat	xmrig
behavioral2/memory/1140-6-0x00007FF766EF0000-0x00007FF767244000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ac-11.dat	xmrig
behavioral2/files/0x00070000000234ad-10.dat	xmrig
behavioral2/memory/3452-22-0x00007FF7A6B00000-0x00007FF7A6E54000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ae-24.dat	xmrig
behavioral2/memory/1980-16-0x00007FF7813A0000-0x00007FF7816F4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234af-29.dat	xmrig
behavioral2/files/0x00070000000234b0-34.dat	xmrig
behavioral2/files/0x00070000000234b1-41.dat	xmrig
behavioral2/files/0x00070000000234b2-45.dat	xmrig
behavioral2/files/0x00070000000234b3-50.dat	xmrig
behavioral2/files/0x00080000000234a9-54.dat	xmrig
behavioral2/memory/2176-60-0x00007FF71E5D0000-0x00007FF71E924000-memory.dmp	xmrig
behavioral2/memory/2132-63-0x00007FF69CC50000-0x00007FF69CFA4000-memory.dmp	xmrig
behavioral2/memory/4408-66-0x00007FF7A4970000-0x00007FF7A4CC4000-memory.dmp	xmrig
behavioral2/memory/4044-67-0x00007FF77D180000-0x00007FF77D4D4000-memory.dmp	xmrig
behavioral2/memory/1832-68-0x00007FF7CA520000-0x00007FF7CA874000-memory.dmp	xmrig
behavioral2/memory/3784-65-0x00007FF74F4A0000-0x00007FF74F7F4000-memory.dmp	xmrig
behavioral2/memory/224-64-0x00007FF6E9890000-0x00007FF6E9BE4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b4-61.dat	xmrig
behavioral2/memory/4592-44-0x00007FF72BC80000-0x00007FF72BFD4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b5-71.dat	xmrig
behavioral2/files/0x00070000000234b7-77.dat	xmrig
behavioral2/memory/536-83-0x00007FF70F8B0000-0x00007FF70FC04000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b9-89.dat	xmrig
behavioral2/memory/1136-90-0x00007FF6CE100000-0x00007FF6CE454000-memory.dmp	xmrig
behavioral2/memory/1552-99-0x00007FF67C580000-0x00007FF67C8D4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ba-100.dat	xmrig
behavioral2/memory/1980-98-0x00007FF7813A0000-0x00007FF7816F4000-memory.dmp	xmrig
behavioral2/memory/1140-97-0x00007FF766EF0000-0x00007FF767244000-memory.dmp	xmrig
behavioral2/memory/3468-91-0x00007FF779620000-0x00007FF779974000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b8-87.dat	xmrig
behavioral2/memory/5048-86-0x00007FF753D70000-0x00007FF7540C4000-memory.dmp	xmrig
behavioral2/memory/2592-79-0x00007FF6ADC50000-0x00007FF6ADFA4000-memory.dmp	xmrig
behavioral2/memory/3452-102-0x00007FF7A6B00000-0x00007FF7A6E54000-memory.dmp	xmrig
behavioral2/files/0x00070000000234bb-105.dat	xmrig
behavioral2/files/0x00070000000234be-119.dat	xmrig
behavioral2/files/0x00070000000234bd-118.dat	xmrig
behavioral2/memory/4404-125-0x00007FF631D10000-0x00007FF632064000-memory.dmp	xmrig
behavioral2/memory/1940-126-0x00007FF708CA0000-0x00007FF708FF4000-memory.dmp	xmrig
behavioral2/memory/4332-127-0x00007FF74CE30000-0x00007FF74D184000-memory.dmp	xmrig
behavioral2/memory/3364-124-0x00007FF7A6030000-0x00007FF7A6384000-memory.dmp	xmrig
behavioral2/files/0x00070000000234bc-112.dat	xmrig
behavioral2/memory/4592-106-0x00007FF72BC80000-0x00007FF72BFD4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234bf-130.dat	xmrig
behavioral2/memory/3060-132-0x00007FF7A15C0000-0x00007FF7A1914000-memory.dmp	xmrig
behavioral2/memory/5048-133-0x00007FF753D70000-0x00007FF7540C4000-memory.dmp	xmrig
behavioral2/memory/3468-134-0x00007FF779620000-0x00007FF779974000-memory.dmp	xmrig
behavioral2/memory/1552-135-0x00007FF67C580000-0x00007FF67C8D4000-memory.dmp	xmrig
behavioral2/memory/1140-136-0x00007FF766EF0000-0x00007FF767244000-memory.dmp	xmrig
behavioral2/memory/1980-137-0x00007FF7813A0000-0x00007FF7816F4000-memory.dmp	xmrig
behavioral2/memory/4592-138-0x00007FF72BC80000-0x00007FF72BFD4000-memory.dmp	xmrig
behavioral2/memory/3452-139-0x00007FF7A6B00000-0x00007FF7A6E54000-memory.dmp	xmrig
behavioral2/memory/4044-140-0x00007FF77D180000-0x00007FF77D4D4000-memory.dmp	xmrig
behavioral2/memory/2176-141-0x00007FF71E5D0000-0x00007FF71E924000-memory.dmp	xmrig
behavioral2/memory/2132-142-0x00007FF69CC50000-0x00007FF69CFA4000-memory.dmp	xmrig
behavioral2/memory/224-143-0x00007FF6E9890000-0x00007FF6E9BE4000-memory.dmp	xmrig
behavioral2/memory/3784-144-0x00007FF74F4A0000-0x00007FF74F7F4000-memory.dmp	xmrig
behavioral2/memory/4408-146-0x00007FF7A4970000-0x00007FF7A4CC4000-memory.dmp	xmrig
behavioral2/memory/1832-145-0x00007FF7CA520000-0x00007FF7CA874000-memory.dmp	xmrig
behavioral2/memory/2592-147-0x00007FF6ADC50000-0x00007FF6ADFA4000-memory.dmp	xmrig
behavioral2/memory/536-148-0x00007FF70F8B0000-0x00007FF70FC04000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1140	lZvmKqk.exe
1980	iRJIVZP.exe
3452	PneDYwU.exe
4592	VRvINbh.exe
4044	FEJJuEJ.exe
2176	pMzaYOo.exe
2132	AdHdFvA.exe
224	IHSZiIi.exe
3784	yuTRhTV.exe
4408	GtYGwma.exe
1832	HhCqrcT.exe
2592	LYTFqoq.exe
536	OqWcffo.exe
5048	sbYlfqc.exe
3468	CYnRPBD.exe
1552	TmZuIzy.exe
3364	uXcnBHe.exe
4332	CyXIudw.exe
4404	yuJibMn.exe
1940	soIWhIs.exe
3060	VcpabaW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1136-0-0x00007FF6CE100000-0x00007FF6CE454000-memory.dmp	upx
behavioral2/files/0x00080000000234a8-4.dat	upx
behavioral2/memory/1140-6-0x00007FF766EF0000-0x00007FF767244000-memory.dmp	upx
behavioral2/files/0x00070000000234ac-11.dat	upx
behavioral2/files/0x00070000000234ad-10.dat	upx
behavioral2/memory/3452-22-0x00007FF7A6B00000-0x00007FF7A6E54000-memory.dmp	upx
behavioral2/files/0x00070000000234ae-24.dat	upx
behavioral2/memory/1980-16-0x00007FF7813A0000-0x00007FF7816F4000-memory.dmp	upx
behavioral2/files/0x00070000000234af-29.dat	upx
behavioral2/files/0x00070000000234b0-34.dat	upx
behavioral2/files/0x00070000000234b1-41.dat	upx
behavioral2/files/0x00070000000234b2-45.dat	upx
behavioral2/files/0x00070000000234b3-50.dat	upx
behavioral2/files/0x00080000000234a9-54.dat	upx
behavioral2/memory/2176-60-0x00007FF71E5D0000-0x00007FF71E924000-memory.dmp	upx
behavioral2/memory/2132-63-0x00007FF69CC50000-0x00007FF69CFA4000-memory.dmp	upx
behavioral2/memory/4408-66-0x00007FF7A4970000-0x00007FF7A4CC4000-memory.dmp	upx
behavioral2/memory/4044-67-0x00007FF77D180000-0x00007FF77D4D4000-memory.dmp	upx
behavioral2/memory/1832-68-0x00007FF7CA520000-0x00007FF7CA874000-memory.dmp	upx
behavioral2/memory/3784-65-0x00007FF74F4A0000-0x00007FF74F7F4000-memory.dmp	upx
behavioral2/memory/224-64-0x00007FF6E9890000-0x00007FF6E9BE4000-memory.dmp	upx
behavioral2/files/0x00070000000234b4-61.dat	upx
behavioral2/memory/4592-44-0x00007FF72BC80000-0x00007FF72BFD4000-memory.dmp	upx
behavioral2/files/0x00070000000234b5-71.dat	upx
behavioral2/files/0x00070000000234b7-77.dat	upx
behavioral2/memory/536-83-0x00007FF70F8B0000-0x00007FF70FC04000-memory.dmp	upx
behavioral2/files/0x00070000000234b9-89.dat	upx
behavioral2/memory/1136-90-0x00007FF6CE100000-0x00007FF6CE454000-memory.dmp	upx
behavioral2/memory/1552-99-0x00007FF67C580000-0x00007FF67C8D4000-memory.dmp	upx
behavioral2/files/0x00070000000234ba-100.dat	upx
behavioral2/memory/1980-98-0x00007FF7813A0000-0x00007FF7816F4000-memory.dmp	upx
behavioral2/memory/1140-97-0x00007FF766EF0000-0x00007FF767244000-memory.dmp	upx
behavioral2/memory/3468-91-0x00007FF779620000-0x00007FF779974000-memory.dmp	upx
behavioral2/files/0x00070000000234b8-87.dat	upx
behavioral2/memory/5048-86-0x00007FF753D70000-0x00007FF7540C4000-memory.dmp	upx
behavioral2/memory/2592-79-0x00007FF6ADC50000-0x00007FF6ADFA4000-memory.dmp	upx
behavioral2/memory/3452-102-0x00007FF7A6B00000-0x00007FF7A6E54000-memory.dmp	upx
behavioral2/files/0x00070000000234bb-105.dat	upx
behavioral2/files/0x00070000000234be-119.dat	upx
behavioral2/files/0x00070000000234bd-118.dat	upx
behavioral2/memory/4404-125-0x00007FF631D10000-0x00007FF632064000-memory.dmp	upx
behavioral2/memory/1940-126-0x00007FF708CA0000-0x00007FF708FF4000-memory.dmp	upx
behavioral2/memory/4332-127-0x00007FF74CE30000-0x00007FF74D184000-memory.dmp	upx
behavioral2/memory/3364-124-0x00007FF7A6030000-0x00007FF7A6384000-memory.dmp	upx
behavioral2/files/0x00070000000234bc-112.dat	upx
behavioral2/memory/4592-106-0x00007FF72BC80000-0x00007FF72BFD4000-memory.dmp	upx
behavioral2/files/0x00070000000234bf-130.dat	upx
behavioral2/memory/3060-132-0x00007FF7A15C0000-0x00007FF7A1914000-memory.dmp	upx
behavioral2/memory/5048-133-0x00007FF753D70000-0x00007FF7540C4000-memory.dmp	upx
behavioral2/memory/3468-134-0x00007FF779620000-0x00007FF779974000-memory.dmp	upx
behavioral2/memory/1552-135-0x00007FF67C580000-0x00007FF67C8D4000-memory.dmp	upx
behavioral2/memory/1140-136-0x00007FF766EF0000-0x00007FF767244000-memory.dmp	upx
behavioral2/memory/1980-137-0x00007FF7813A0000-0x00007FF7816F4000-memory.dmp	upx
behavioral2/memory/4592-138-0x00007FF72BC80000-0x00007FF72BFD4000-memory.dmp	upx
behavioral2/memory/3452-139-0x00007FF7A6B00000-0x00007FF7A6E54000-memory.dmp	upx
behavioral2/memory/4044-140-0x00007FF77D180000-0x00007FF77D4D4000-memory.dmp	upx
behavioral2/memory/2176-141-0x00007FF71E5D0000-0x00007FF71E924000-memory.dmp	upx
behavioral2/memory/2132-142-0x00007FF69CC50000-0x00007FF69CFA4000-memory.dmp	upx
behavioral2/memory/224-143-0x00007FF6E9890000-0x00007FF6E9BE4000-memory.dmp	upx
behavioral2/memory/3784-144-0x00007FF74F4A0000-0x00007FF74F7F4000-memory.dmp	upx
behavioral2/memory/4408-146-0x00007FF7A4970000-0x00007FF7A4CC4000-memory.dmp	upx
behavioral2/memory/1832-145-0x00007FF7CA520000-0x00007FF7CA874000-memory.dmp	upx
behavioral2/memory/2592-147-0x00007FF6ADC50000-0x00007FF6ADFA4000-memory.dmp	upx
behavioral2/memory/536-148-0x00007FF70F8B0000-0x00007FF70FC04000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\VRvINbh.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FEJJuEJ.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yuTRhTV.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yuJibMn.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IHSZiIi.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sbYlfqc.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TmZuIzy.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uXcnBHe.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lZvmKqk.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iRJIVZP.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pMzaYOo.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AdHdFvA.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\soIWhIs.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HhCqrcT.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OqWcffo.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CYnRPBD.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CyXIudw.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PneDYwU.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GtYGwma.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LYTFqoq.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VcpabaW.exe	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 1140	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1136 wrote to memory of 1140	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1136 wrote to memory of 1980	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1136 wrote to memory of 1980	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1136 wrote to memory of 3452	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1136 wrote to memory of 3452	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1136 wrote to memory of 4592	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1136 wrote to memory of 4592	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1136 wrote to memory of 4044	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1136 wrote to memory of 4044	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1136 wrote to memory of 2176	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1136 wrote to memory of 2176	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1136 wrote to memory of 2132	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1136 wrote to memory of 2132	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1136 wrote to memory of 224	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1136 wrote to memory of 224	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1136 wrote to memory of 3784	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1136 wrote to memory of 3784	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1136 wrote to memory of 4408	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1136 wrote to memory of 4408	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1136 wrote to memory of 1832	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1136 wrote to memory of 1832	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1136 wrote to memory of 2592	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1136 wrote to memory of 2592	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1136 wrote to memory of 536	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1136 wrote to memory of 536	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1136 wrote to memory of 5048	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1136 wrote to memory of 5048	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1136 wrote to memory of 3468	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1136 wrote to memory of 3468	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1136 wrote to memory of 1552	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1136 wrote to memory of 1552	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1136 wrote to memory of 3364	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1136 wrote to memory of 3364	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1136 wrote to memory of 4332	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1136 wrote to memory of 4332	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1136 wrote to memory of 4404	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1136 wrote to memory of 4404	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1136 wrote to memory of 1940	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 1136 wrote to memory of 1940	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 1136 wrote to memory of 3060	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 1136 wrote to memory of 3060	1136	2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_22a78eabde98f942f0513bda3391a1d0_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\System\lZvmKqk.exe
  C:\Windows\System\lZvmKqk.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\iRJIVZP.exe
  C:\Windows\System\iRJIVZP.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\PneDYwU.exe
  C:\Windows\System\PneDYwU.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System\VRvINbh.exe
  C:\Windows\System\VRvINbh.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\FEJJuEJ.exe
  C:\Windows\System\FEJJuEJ.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System\pMzaYOo.exe
  C:\Windows\System\pMzaYOo.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\AdHdFvA.exe
  C:\Windows\System\AdHdFvA.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\IHSZiIi.exe
  C:\Windows\System\IHSZiIi.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\yuTRhTV.exe
  C:\Windows\System\yuTRhTV.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\GtYGwma.exe
  C:\Windows\System\GtYGwma.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\HhCqrcT.exe
  C:\Windows\System\HhCqrcT.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\LYTFqoq.exe
  C:\Windows\System\LYTFqoq.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\OqWcffo.exe
  C:\Windows\System\OqWcffo.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\sbYlfqc.exe
  C:\Windows\System\sbYlfqc.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\CYnRPBD.exe
  C:\Windows\System\CYnRPBD.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System\TmZuIzy.exe
  C:\Windows\System\TmZuIzy.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\uXcnBHe.exe
  C:\Windows\System\uXcnBHe.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System\CyXIudw.exe
  C:\Windows\System\CyXIudw.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System\yuJibMn.exe
  C:\Windows\System\yuJibMn.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\soIWhIs.exe
  C:\Windows\System\soIWhIs.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\VcpabaW.exe
  C:\Windows\System\VcpabaW.exe
  2⤵
  - Executes dropped EXE
  PID:3060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AdHdFvA.exe

Filesize
5.9MB

MD5
86985e90dd1890d9f6fbb609fd1790d8

SHA1
40a3eb712578c07f6ac8805ee3c207b03ac6458b

SHA256
834d04e8a782dcd5b2d6cb802be8eb21f9c84001a06b5365315b482267e6e6d8

SHA512
ae48da38d15724cc53cd2107a967b55f7b9fc27b6e96ce31415dfb433d5cf8004bba35126918a57f2f8dbd63b6c400655add47daebef89cc5b5950b2b62be0c7

Download Submit
C:\Windows\System\CYnRPBD.exe

Filesize
5.9MB

MD5
9cfb00fbb57c064ffd5bdc2b26f08964

SHA1
e27e8ddaf510eb945d1280d521f4ec9e27a3b865

SHA256
a42ed2efeaaa0d93f0397939468fe6c2e92ef1f8cc05729b48f5eaa5b9bd7515

SHA512
63e96aed156324f5c354d974c736f1c73d0d61ae66fd7e680d98b4aa57d7f57d7f9012f6c9d7699b3ac28f38e129f458313c9a4bc26041adf125d219c600046c

Download Submit
C:\Windows\System\CyXIudw.exe

Filesize
5.9MB

MD5
1c041def9b7da3fb89b4d682a530590e

SHA1
2ee862a8451198b21af5d03692871f9d6f40010a

SHA256
71afef544a595aea6238ab374f80588f62bf18086c5399c6c8573dfbcb22836d

SHA512
c0ac26f00a11e30d04d64cb2a58aa2e985a92476ba4eba4b5e250d5f0645cad433f367a20fc0a3786c16148acfb8060a193fbd39a4358947270c39a40a75d96c

Download Submit
C:\Windows\System\FEJJuEJ.exe

Filesize
5.9MB

MD5
11f27c4bbcf6386b74a21ed7faff7871

SHA1
52d4c503275c9b82e998aa92c8954519214a1cba

SHA256
636799c5c0a08897e269676a079173cf6368e757cdf2314bdd77693350493c1b

SHA512
e03c9e40e2655ccfce801216084035fa1871c5b51a935432040dd0fa42d3e4fdaf7f5bdb98392b6eb0443eb89ba49584fc2db80489bc404ef78d34b501872cb7

Download Submit
C:\Windows\System\GtYGwma.exe

Filesize
5.9MB

MD5
afa66e8fd433240e795916b994a07205

SHA1
5811cbaf414043312625a7e12b544be4059cb2e5

SHA256
459be1aa9cfe5120b35216f543ec177ab88b0f385d2a634594d30a6946ab20d4

SHA512
5cd1bb6fbced36b5b9d96782fa188466bb871a42fac2729fbd1fc9800bb3ca8dbe7d8cc63f625805a99e7a9b3c1185cc99f98f4754df5e5101f1aa9776fe6eef

Download Submit
C:\Windows\System\HhCqrcT.exe

Filesize
5.9MB

MD5
a490cf707f7dd4a0af23472f5b03eccb

SHA1
0a7fa229842f6681d2288e113887d855df88577e

SHA256
cbeb5d4d3740deb9ebe44bc6711a0317059ced7433aa794d3e3cf80220499ffc

SHA512
79c7a2416ec16079e54fc3d2f4b4a8cf40aba9ddf084ef60614bc7ceac50f1f4f4f425c25ab69745740463d3fb9d35874afe5c76673b7ab2ef26ccc45af7e0ff

Download Submit
C:\Windows\System\IHSZiIi.exe

Filesize
5.9MB

MD5
c26d1bc68e64db87f827a220caf28440

SHA1
0dcf194b23204cc53b6a67792423218bf6dcdb1d

SHA256
acabb5d313d818050a356bf2589af9cbef0a49aa1c04ede81ff93f14fadbefb5

SHA512
46d14dc23ce3903b1eec9b4d9c9c0b3b155ca68b2fcb2b4a04b062310fbe1665be03f9181f0a996ffe4b5cf30b1b07c29c067a2fe81a3719be3770b780c6ae34

Download Submit
C:\Windows\System\LYTFqoq.exe

Filesize
5.9MB

MD5
24ed48383d8c4432312931799724271e

SHA1
9f140f092ff06a61071bb03d751fa57d17c02204

SHA256
db2174d1053b90639bc417694a9b976666945eed9800837a8ed034a38304beb0

SHA512
9f7dd0a5fd3e05b6fdeeabd94510af491d8000e62fe3272b14ca666c55d5effee6f1d6759dac0d11f9935dbe19f68041ff3e84eb5b6e88f9de7ab0ddaafc9f79

Download Submit
C:\Windows\System\OqWcffo.exe

Filesize
5.9MB

MD5
5406f7826244bd9c6943ca90a9b55343

SHA1
a04df1382750055f2d2912e8f2537215df62c7a3

SHA256
49f67aa9631f881fc05af11ddb19c12a37536cee355de0b992fd3ac43a4e0d11

SHA512
be0533eebd5b2e3e84b80ba1d54997b097da461b7062840ad9f03b5ac2879c510d1a090b3b1cd0e9d54994371cad949f67883fc4da1f8551c283f216cfbd581b

Download Submit
C:\Windows\System\PneDYwU.exe

Filesize
5.9MB

MD5
7da4640df37429d14c2043882404b2a1

SHA1
94df9ab5eb1c4bfa6e93164e312a7ca0a7584914

SHA256
4bd84bf6ade27dbb579784ee8d792df6ffb2d9c899c83215edf1e9178a52628a

SHA512
44b22804cd22f5fd758a99e9990d684c2862aefbfefbfaf43036dd21ac0ba70b10085dd77ba83361d4b9c185778f31ccc0f9fe1ca6f5d873c2126e6951c829c8

Download Submit
C:\Windows\System\TmZuIzy.exe

Filesize
5.9MB

MD5
9b0719949b564eef830a9c3f047e0cc4

SHA1
6ccec9f4764c0882922a24bf1280b7d8fb171df7

SHA256
165f1645b41c4231e3008a19f714a40f26e80578bff2849b489feecd7a5b6cc4

SHA512
21522c94173d7c1d66d1d1ccd6b601b21e0ba116f1a2951adf606d2a29162759276cb49b5304691083c85ec3d79d3a860a67e23c26416c1375bbefacec356b07

Download Submit
C:\Windows\System\VRvINbh.exe

Filesize
5.9MB

MD5
a9890cbbed234e593dfcc0ddbaac7bcb

SHA1
9d70766e67439592c58fd5ac3cb9b67fe203f4ef

SHA256
d2cfdf5192a79a200e227b6fffecbe5f55377e3058ce11335f8920e66a4804d1

SHA512
fec05608557fc5a3ca88e9092f8cfce4adb56486196b691547beae73833381eb0aba7297b1a693ce7b973aac920acc4afc2a0d78d3c1ac834eb21e9479ee077c

Download Submit
C:\Windows\System\VcpabaW.exe

Filesize
5.9MB

MD5
f3859181c46babc1d6277db0ee50bead

SHA1
6f924e48b1f07ed636136f19c3c636e3c7be84b8

SHA256
5e0a3c207569906048a38629c1e45752ff279a47a382c068388fa49af257fbde

SHA512
6a4f247525edf706493624c5ad592f83f0af9bf24035a1e07a7d717cfafb79f4bee94913440d5a721b2771d672118410d18ce27ffe8820217bfc0273a2a512b2

Download Submit
C:\Windows\System\iRJIVZP.exe

Filesize
5.9MB

MD5
228447f0c7ab0bc4481aca45a5f16caa

SHA1
88df9bb38f0d210eb0723bc2098c211f5dde0a45

SHA256
51002c1e4cf2cec21110c77b2b5c3df7a80230dcf003a602c92610ac2b51f053

SHA512
a076c739e1990f1c773328d94cc1bf2c22f9a0cff7b547de9ae6be1875146e1e6093692ff46bd5cf246cd59d9216b164c17432fe872660c32907f3107518d451

Download Submit
C:\Windows\System\lZvmKqk.exe

Filesize
5.9MB

MD5
e5773a2c2e4c38b503f2026025d87c12

SHA1
8cf865a7dc638d6aa5d86b4ebf41ee3c6618b99d

SHA256
bb62a4cb156e725bc7cb43e7bbbcf6c71be63bb7cd87ba655027f60aac9171e1

SHA512
19cb55e962f833c23729470651ecbf8a6f8ed4b52ea18a76019da33e512b1ab9c917ab55c9bd642916d482b702fa5236f3d0eb8adc7ab797fb15783ba227346f

Download Submit
C:\Windows\System\pMzaYOo.exe

Filesize
5.9MB

MD5
bd4b69886fcab94b320acc4d7c6650a3

SHA1
52c92d71ebcad59dcc1039345bd51f3c47be3ea8

SHA256
d4a5386adf88b69fe7dbc70eef590cbe93ede46e7197d9bf8e7653c75292539b

SHA512
90eeee62bfd33e9586d338ae60c46dcdad083ec04caa2f05b1a4e21002eb310f6c53e2be5ca5c78382e24282990d19756b6467b82ff92b0eaeadfaade1015380

Download Submit
C:\Windows\System\sbYlfqc.exe

Filesize
5.9MB

MD5
bdce7e8967929a52df63ac02a5ccba40

SHA1
b052c0bd75310ecdf9573d3b1b28759d7ad592aa

SHA256
7cdf90076fd421ca49edaed83ee63047e317f0a0be6eea204858058def07c316

SHA512
f5ba665c2d578ee1900e740226030666aa918ea6053e2f32289a3e666c46eae6b671bad24e92943718b378b9b18b289e7b8bd8a4a05441d86d4c3b900bc41bc8

Download Submit
C:\Windows\System\soIWhIs.exe

Filesize
5.9MB

MD5
9565fc2e85394c6f04436d63a2d788e0

SHA1
5f1b35c41dbfcb9cc93eb5ff42dd8f445131cebf

SHA256
303f0345a64676d443a7f80ccec2a2088c97c8102af1abb5a3fcd9c8e9972471

SHA512
ab9d1d8030bda51ce42e00f98aa7bece53ef06a7ef021d3f98468b21c6c7c95ded78baa5ea97b65fb7745db25d98441fb04cba26fa923cae4b52352bb5377239

Download Submit
C:\Windows\System\uXcnBHe.exe

Filesize
5.9MB

MD5
bf0ddea5585a47e396f97afa1a4354d9

SHA1
39cf294fe0a48dd329bb11efb106437e879d6ba3

SHA256
2ddfcb5fd398984e0ebc74c7dddc6fb017215cdae691dc617f27a6c0bc76e2b9

SHA512
dd6e1f8812da6c5797258e7d1b4d3e7b42440f177087c3be0d8f71b20b8935aa8967b601418b6b20c099a489c67c1ec2d90415778a5f169f077591709abb66e4

Download Submit
C:\Windows\System\yuJibMn.exe

Filesize
5.9MB

MD5
dbc91342029a57fb9df2b2558ed31632

SHA1
ddf85fe36fbb6124f5d1099bdaa61b3ee561c460

SHA256
b178d2cd7ec3d91a73822abc7854bd38feab287833326f62e7fb69a4ada90d6b

SHA512
54adbdc9a025110598cf0e08a5978f375e006098d7202ce9663ad8dba250057f3ae165623a7ab9b2130603f355fd08706d6c09f2882758451e573fb4b4fdcc12

Download Submit
C:\Windows\System\yuTRhTV.exe

Filesize
5.9MB

MD5
1b405dd41138b3a706f650a4ff16d4f0

SHA1
c59e169e6df99c9c47305bd29624c3f7c3f69e34

SHA256
438413bbd78372102e21de36bea0d2af0a2004f60378a1866bc03779342a23b8

SHA512
b88acec53e9a1a2f71453385e9e1b5de451a9f75f73c06cdd8a66a1d33a88673cb755162eebb1f1913f867e9984b3e07784edd9a069034671cb5bf976ac7c63e

Download Submit
memory/224-143-0x00007FF6E9890000-0x00007FF6E9BE4000-memory.dmp

Filesize
3.3MB

Download
memory/224-64-0x00007FF6E9890000-0x00007FF6E9BE4000-memory.dmp

Filesize
3.3MB

Download
memory/536-148-0x00007FF70F8B0000-0x00007FF70FC04000-memory.dmp

Filesize
3.3MB

Download
memory/536-83-0x00007FF70F8B0000-0x00007FF70FC04000-memory.dmp

Filesize
3.3MB

Download
memory/1136-0-0x00007FF6CE100000-0x00007FF6CE454000-memory.dmp

Filesize
3.3MB

Download
memory/1136-1-0x000001D2DB4E0000-0x000001D2DB4F0000-memory.dmp

Filesize
64KB

Download
memory/1136-90-0x00007FF6CE100000-0x00007FF6CE454000-memory.dmp

Filesize
3.3MB

Download
memory/1140-6-0x00007FF766EF0000-0x00007FF767244000-memory.dmp

Filesize
3.3MB

Download
memory/1140-97-0x00007FF766EF0000-0x00007FF767244000-memory.dmp

Filesize
3.3MB

Download
memory/1140-136-0x00007FF766EF0000-0x00007FF767244000-memory.dmp

Filesize
3.3MB

Download
memory/1552-99-0x00007FF67C580000-0x00007FF67C8D4000-memory.dmp

Filesize
3.3MB

Download
memory/1552-135-0x00007FF67C580000-0x00007FF67C8D4000-memory.dmp

Filesize
3.3MB

Download
memory/1552-151-0x00007FF67C580000-0x00007FF67C8D4000-memory.dmp

Filesize
3.3MB

Download
memory/1832-145-0x00007FF7CA520000-0x00007FF7CA874000-memory.dmp

Filesize
3.3MB

Download
memory/1832-68-0x00007FF7CA520000-0x00007FF7CA874000-memory.dmp

Filesize
3.3MB

Download
memory/1940-154-0x00007FF708CA0000-0x00007FF708FF4000-memory.dmp

Filesize
3.3MB

Download
memory/1940-126-0x00007FF708CA0000-0x00007FF708FF4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-137-0x00007FF7813A0000-0x00007FF7816F4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-16-0x00007FF7813A0000-0x00007FF7816F4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-98-0x00007FF7813A0000-0x00007FF7816F4000-memory.dmp

Filesize
3.3MB

Download
memory/2132-142-0x00007FF69CC50000-0x00007FF69CFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2132-63-0x00007FF69CC50000-0x00007FF69CFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2176-60-0x00007FF71E5D0000-0x00007FF71E924000-memory.dmp

Filesize
3.3MB

Download
memory/2176-141-0x00007FF71E5D0000-0x00007FF71E924000-memory.dmp

Filesize
3.3MB

Download
memory/2592-79-0x00007FF6ADC50000-0x00007FF6ADFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2592-147-0x00007FF6ADC50000-0x00007FF6ADFA4000-memory.dmp

Filesize
3.3MB

Download
memory/3060-156-0x00007FF7A15C0000-0x00007FF7A1914000-memory.dmp

Filesize
3.3MB

Download
memory/3060-132-0x00007FF7A15C0000-0x00007FF7A1914000-memory.dmp

Filesize
3.3MB

Download
memory/3364-152-0x00007FF7A6030000-0x00007FF7A6384000-memory.dmp

Filesize
3.3MB

Download
memory/3364-124-0x00007FF7A6030000-0x00007FF7A6384000-memory.dmp

Filesize
3.3MB

Download
memory/3452-139-0x00007FF7A6B00000-0x00007FF7A6E54000-memory.dmp

Filesize
3.3MB

Download
memory/3452-22-0x00007FF7A6B00000-0x00007FF7A6E54000-memory.dmp

Filesize
3.3MB

Download
memory/3452-102-0x00007FF7A6B00000-0x00007FF7A6E54000-memory.dmp

Filesize
3.3MB

Download
memory/3468-91-0x00007FF779620000-0x00007FF779974000-memory.dmp

Filesize
3.3MB

Download
memory/3468-134-0x00007FF779620000-0x00007FF779974000-memory.dmp

Filesize
3.3MB

Download
memory/3468-150-0x00007FF779620000-0x00007FF779974000-memory.dmp

Filesize
3.3MB

Download
memory/3784-65-0x00007FF74F4A0000-0x00007FF74F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/3784-144-0x00007FF74F4A0000-0x00007FF74F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/4044-67-0x00007FF77D180000-0x00007FF77D4D4000-memory.dmp

Filesize
3.3MB

Download
memory/4044-140-0x00007FF77D180000-0x00007FF77D4D4000-memory.dmp

Filesize
3.3MB

Download
memory/4332-127-0x00007FF74CE30000-0x00007FF74D184000-memory.dmp

Filesize
3.3MB

Download
memory/4332-153-0x00007FF74CE30000-0x00007FF74D184000-memory.dmp

Filesize
3.3MB

Download
memory/4404-125-0x00007FF631D10000-0x00007FF632064000-memory.dmp

Filesize
3.3MB

Download
memory/4404-155-0x00007FF631D10000-0x00007FF632064000-memory.dmp

Filesize
3.3MB

Download
memory/4408-146-0x00007FF7A4970000-0x00007FF7A4CC4000-memory.dmp

Filesize
3.3MB

Download
memory/4408-66-0x00007FF7A4970000-0x00007FF7A4CC4000-memory.dmp

Filesize
3.3MB

Download
memory/4592-44-0x00007FF72BC80000-0x00007FF72BFD4000-memory.dmp

Filesize
3.3MB

Download
memory/4592-106-0x00007FF72BC80000-0x00007FF72BFD4000-memory.dmp

Filesize
3.3MB

Download
memory/4592-138-0x00007FF72BC80000-0x00007FF72BFD4000-memory.dmp

Filesize
3.3MB

Download
memory/5048-86-0x00007FF753D70000-0x00007FF7540C4000-memory.dmp

Filesize
3.3MB

Download
memory/5048-149-0x00007FF753D70000-0x00007FF7540C4000-memory.dmp

Filesize
3.3MB

Download
memory/5048-133-0x00007FF753D70000-0x00007FF7540C4000-memory.dmp

Filesize
3.3MB

Download