cobaltstrike | 5f18fb04e7318f89f30b0725910523e1dae06679e9e95b7fca262fc0c56bc61a

Analysis

max time kernel
138s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

1f957dd963ba2eee630c2a1753a7347e
SHA1

8da6c595a5a1076006dc8f3ae3089a5b47a16c27
SHA256

5f18fb04e7318f89f30b0725910523e1dae06679e9e95b7fca262fc0c56bc61a
SHA512

20bd5a2c5e3c6b719e42734e9330cbffac63432dabff81abcfbb931d8129fd8cba86bcd537c23c8af817ceb9bcf9310be57bbc84e53d7db3f4537ad8d6c135d7
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUe:T+856utgpPF8u/7e

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000234c9-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-13.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cf-22.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-34.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-32.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-44.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-50.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-54.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-66.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001e742-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000022721-87.dat	cobalt_reflective_dll
behavioral2/files/0x000c00000002341e-100.dat	cobalt_reflective_dll
behavioral2/files/0x0004000000022723-94.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023423-109.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234db-136.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-131.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234da-129.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d7-77.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2748-0-0x00007FF7223B0000-0x00007FF722704000-memory.dmp	xmrig
behavioral2/files/0x00090000000234c9-5.dat	xmrig
behavioral2/memory/1704-6-0x00007FF616310000-0x00007FF616664000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ce-11.dat	xmrig
behavioral2/memory/4184-12-0x00007FF6B4620000-0x00007FF6B4974000-memory.dmp	xmrig
behavioral2/files/0x00070000000234cd-13.dat	xmrig
behavioral2/memory/3984-20-0x00007FF6903A0000-0x00007FF6906F4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234cf-22.dat	xmrig
behavioral2/files/0x00070000000234d0-34.dat	xmrig
behavioral2/files/0x00070000000234d1-32.dat	xmrig
behavioral2/memory/3576-36-0x00007FF63B040000-0x00007FF63B394000-memory.dmp	xmrig
behavioral2/memory/4836-31-0x00007FF73F140000-0x00007FF73F494000-memory.dmp	xmrig
behavioral2/memory/2932-26-0x00007FF6FF5C0000-0x00007FF6FF914000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d3-44.dat	xmrig
behavioral2/memory/1216-45-0x00007FF6DBDB0000-0x00007FF6DC104000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d2-50.dat	xmrig
behavioral2/files/0x00070000000234d4-54.dat	xmrig
behavioral2/files/0x00070000000234d5-59.dat	xmrig
behavioral2/files/0x00070000000234d6-66.dat	xmrig
behavioral2/memory/4200-68-0x00007FF6EF460000-0x00007FF6EF7B4000-memory.dmp	xmrig
behavioral2/memory/1704-67-0x00007FF616310000-0x00007FF616664000-memory.dmp	xmrig
behavioral2/memory/3944-61-0x00007FF685540000-0x00007FF685894000-memory.dmp	xmrig
behavioral2/memory/2748-60-0x00007FF7223B0000-0x00007FF722704000-memory.dmp	xmrig
behavioral2/memory/3000-56-0x00007FF74B080000-0x00007FF74B3D4000-memory.dmp	xmrig
behavioral2/memory/2264-46-0x00007FF6D2B70000-0x00007FF6D2EC4000-memory.dmp	xmrig
behavioral2/memory/4184-71-0x00007FF6B4620000-0x00007FF6B4974000-memory.dmp	xmrig
behavioral2/memory/3984-75-0x00007FF6903A0000-0x00007FF6906F4000-memory.dmp	xmrig
behavioral2/files/0x000400000001e742-81.dat	xmrig
behavioral2/files/0x0007000000022721-87.dat	xmrig
behavioral2/memory/2576-101-0x00007FF7CB550000-0x00007FF7CB8A4000-memory.dmp	xmrig
behavioral2/memory/4736-107-0x00007FF62AAF0000-0x00007FF62AE44000-memory.dmp	xmrig
behavioral2/memory/2264-106-0x00007FF6D2B70000-0x00007FF6D2EC4000-memory.dmp	xmrig
behavioral2/memory/1216-105-0x00007FF6DBDB0000-0x00007FF6DC104000-memory.dmp	xmrig
behavioral2/files/0x000c00000002341e-100.dat	xmrig
behavioral2/memory/3576-97-0x00007FF63B040000-0x00007FF63B394000-memory.dmp	xmrig
behavioral2/files/0x0004000000022723-94.dat	xmrig
behavioral2/memory/1864-92-0x00007FF7EA720000-0x00007FF7EAA74000-memory.dmp	xmrig
behavioral2/files/0x0009000000023423-109.dat	xmrig
behavioral2/memory/2060-111-0x00007FF6F10D0000-0x00007FF6F1424000-memory.dmp	xmrig
behavioral2/memory/3996-85-0x00007FF6A9FF0000-0x00007FF6AA344000-memory.dmp	xmrig
behavioral2/memory/4836-83-0x00007FF73F140000-0x00007FF73F494000-memory.dmp	xmrig
behavioral2/memory/2932-82-0x00007FF6FF5C0000-0x00007FF6FF914000-memory.dmp	xmrig
behavioral2/memory/1440-132-0x00007FF7AD610000-0x00007FF7AD964000-memory.dmp	xmrig
behavioral2/memory/3476-138-0x00007FF6EDBB0000-0x00007FF6EDF04000-memory.dmp	xmrig
behavioral2/memory/2780-139-0x00007FF75E510000-0x00007FF75E864000-memory.dmp	xmrig
behavioral2/files/0x00070000000234db-136.dat	xmrig
behavioral2/memory/4200-135-0x00007FF6EF460000-0x00007FF6EF7B4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d9-131.dat	xmrig
behavioral2/files/0x00070000000234da-129.dat	xmrig
behavioral2/memory/3944-125-0x00007FF685540000-0x00007FF685894000-memory.dmp	xmrig
behavioral2/memory/3432-120-0x00007FF6C8D90000-0x00007FF6C90E4000-memory.dmp	xmrig
behavioral2/memory/3000-117-0x00007FF74B080000-0x00007FF74B3D4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d8-116.dat	xmrig
behavioral2/memory/3480-76-0x00007FF680F90000-0x00007FF6812E4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d7-77.dat	xmrig
behavioral2/memory/3480-140-0x00007FF680F90000-0x00007FF6812E4000-memory.dmp	xmrig
behavioral2/memory/3996-141-0x00007FF6A9FF0000-0x00007FF6AA344000-memory.dmp	xmrig
behavioral2/memory/1864-142-0x00007FF7EA720000-0x00007FF7EAA74000-memory.dmp	xmrig
behavioral2/memory/2060-143-0x00007FF6F10D0000-0x00007FF6F1424000-memory.dmp	xmrig
behavioral2/memory/1440-144-0x00007FF7AD610000-0x00007FF7AD964000-memory.dmp	xmrig
behavioral2/memory/1704-145-0x00007FF616310000-0x00007FF616664000-memory.dmp	xmrig
behavioral2/memory/4184-146-0x00007FF6B4620000-0x00007FF6B4974000-memory.dmp	xmrig
behavioral2/memory/3984-147-0x00007FF6903A0000-0x00007FF6906F4000-memory.dmp	xmrig
behavioral2/memory/2932-148-0x00007FF6FF5C0000-0x00007FF6FF914000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1704	TUGzMhn.exe
4184	mzIDNzr.exe
3984	ESRnKjd.exe
2932	UhAhvlq.exe
4836	DBJMhJq.exe
3576	xJoPHNn.exe
1216	MKHbJPM.exe
2264	WvaKHbM.exe
3000	XHzBlJm.exe
3944	XYZIcNA.exe
4200	dpdwPrw.exe
3480	OIayAfP.exe
3996	pAamluy.exe
1864	xvhRJNI.exe
2576	azOtCFa.exe
4736	dbyDEjS.exe
2060	VNNMLMm.exe
3432	EaSrlLF.exe
1440	EGtExyQ.exe
3476	nCDvqKi.exe
2780	vRxiRPQ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2748-0-0x00007FF7223B0000-0x00007FF722704000-memory.dmp	upx
behavioral2/files/0x00090000000234c9-5.dat	upx
behavioral2/memory/1704-6-0x00007FF616310000-0x00007FF616664000-memory.dmp	upx
behavioral2/files/0x00070000000234ce-11.dat	upx
behavioral2/memory/4184-12-0x00007FF6B4620000-0x00007FF6B4974000-memory.dmp	upx
behavioral2/files/0x00070000000234cd-13.dat	upx
behavioral2/memory/3984-20-0x00007FF6903A0000-0x00007FF6906F4000-memory.dmp	upx
behavioral2/files/0x00070000000234cf-22.dat	upx
behavioral2/files/0x00070000000234d0-34.dat	upx
behavioral2/files/0x00070000000234d1-32.dat	upx
behavioral2/memory/3576-36-0x00007FF63B040000-0x00007FF63B394000-memory.dmp	upx
behavioral2/memory/4836-31-0x00007FF73F140000-0x00007FF73F494000-memory.dmp	upx
behavioral2/memory/2932-26-0x00007FF6FF5C0000-0x00007FF6FF914000-memory.dmp	upx
behavioral2/files/0x00070000000234d3-44.dat	upx
behavioral2/memory/1216-45-0x00007FF6DBDB0000-0x00007FF6DC104000-memory.dmp	upx
behavioral2/files/0x00070000000234d2-50.dat	upx
behavioral2/files/0x00070000000234d4-54.dat	upx
behavioral2/files/0x00070000000234d5-59.dat	upx
behavioral2/files/0x00070000000234d6-66.dat	upx
behavioral2/memory/4200-68-0x00007FF6EF460000-0x00007FF6EF7B4000-memory.dmp	upx
behavioral2/memory/1704-67-0x00007FF616310000-0x00007FF616664000-memory.dmp	upx
behavioral2/memory/3944-61-0x00007FF685540000-0x00007FF685894000-memory.dmp	upx
behavioral2/memory/2748-60-0x00007FF7223B0000-0x00007FF722704000-memory.dmp	upx
behavioral2/memory/3000-56-0x00007FF74B080000-0x00007FF74B3D4000-memory.dmp	upx
behavioral2/memory/2264-46-0x00007FF6D2B70000-0x00007FF6D2EC4000-memory.dmp	upx
behavioral2/memory/4184-71-0x00007FF6B4620000-0x00007FF6B4974000-memory.dmp	upx
behavioral2/memory/3984-75-0x00007FF6903A0000-0x00007FF6906F4000-memory.dmp	upx
behavioral2/files/0x000400000001e742-81.dat	upx
behavioral2/files/0x0007000000022721-87.dat	upx
behavioral2/memory/2576-101-0x00007FF7CB550000-0x00007FF7CB8A4000-memory.dmp	upx
behavioral2/memory/4736-107-0x00007FF62AAF0000-0x00007FF62AE44000-memory.dmp	upx
behavioral2/memory/2264-106-0x00007FF6D2B70000-0x00007FF6D2EC4000-memory.dmp	upx
behavioral2/memory/1216-105-0x00007FF6DBDB0000-0x00007FF6DC104000-memory.dmp	upx
behavioral2/files/0x000c00000002341e-100.dat	upx
behavioral2/memory/3576-97-0x00007FF63B040000-0x00007FF63B394000-memory.dmp	upx
behavioral2/files/0x0004000000022723-94.dat	upx
behavioral2/memory/1864-92-0x00007FF7EA720000-0x00007FF7EAA74000-memory.dmp	upx
behavioral2/files/0x0009000000023423-109.dat	upx
behavioral2/memory/2060-111-0x00007FF6F10D0000-0x00007FF6F1424000-memory.dmp	upx
behavioral2/memory/3996-85-0x00007FF6A9FF0000-0x00007FF6AA344000-memory.dmp	upx
behavioral2/memory/4836-83-0x00007FF73F140000-0x00007FF73F494000-memory.dmp	upx
behavioral2/memory/2932-82-0x00007FF6FF5C0000-0x00007FF6FF914000-memory.dmp	upx
behavioral2/memory/1440-132-0x00007FF7AD610000-0x00007FF7AD964000-memory.dmp	upx
behavioral2/memory/3476-138-0x00007FF6EDBB0000-0x00007FF6EDF04000-memory.dmp	upx
behavioral2/memory/2780-139-0x00007FF75E510000-0x00007FF75E864000-memory.dmp	upx
behavioral2/files/0x00070000000234db-136.dat	upx
behavioral2/memory/4200-135-0x00007FF6EF460000-0x00007FF6EF7B4000-memory.dmp	upx
behavioral2/files/0x00070000000234d9-131.dat	upx
behavioral2/files/0x00070000000234da-129.dat	upx
behavioral2/memory/3944-125-0x00007FF685540000-0x00007FF685894000-memory.dmp	upx
behavioral2/memory/3432-120-0x00007FF6C8D90000-0x00007FF6C90E4000-memory.dmp	upx
behavioral2/memory/3000-117-0x00007FF74B080000-0x00007FF74B3D4000-memory.dmp	upx
behavioral2/files/0x00070000000234d8-116.dat	upx
behavioral2/memory/3480-76-0x00007FF680F90000-0x00007FF6812E4000-memory.dmp	upx
behavioral2/files/0x00070000000234d7-77.dat	upx
behavioral2/memory/3480-140-0x00007FF680F90000-0x00007FF6812E4000-memory.dmp	upx
behavioral2/memory/3996-141-0x00007FF6A9FF0000-0x00007FF6AA344000-memory.dmp	upx
behavioral2/memory/1864-142-0x00007FF7EA720000-0x00007FF7EAA74000-memory.dmp	upx
behavioral2/memory/2060-143-0x00007FF6F10D0000-0x00007FF6F1424000-memory.dmp	upx
behavioral2/memory/1440-144-0x00007FF7AD610000-0x00007FF7AD964000-memory.dmp	upx
behavioral2/memory/1704-145-0x00007FF616310000-0x00007FF616664000-memory.dmp	upx
behavioral2/memory/4184-146-0x00007FF6B4620000-0x00007FF6B4974000-memory.dmp	upx
behavioral2/memory/3984-147-0x00007FF6903A0000-0x00007FF6906F4000-memory.dmp	upx
behavioral2/memory/2932-148-0x00007FF6FF5C0000-0x00007FF6FF914000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\OIayAfP.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EGtExyQ.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mzIDNzr.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ESRnKjd.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UhAhvlq.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DBJMhJq.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XHzBlJm.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XYZIcNA.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nCDvqKi.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xJoPHNn.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WvaKHbM.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VNNMLMm.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EaSrlLF.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vRxiRPQ.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dbyDEjS.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TUGzMhn.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MKHbJPM.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dpdwPrw.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pAamluy.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xvhRJNI.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\azOtCFa.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 1704	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2748 wrote to memory of 1704	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2748 wrote to memory of 4184	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2748 wrote to memory of 4184	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2748 wrote to memory of 3984	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2748 wrote to memory of 3984	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2748 wrote to memory of 2932	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2748 wrote to memory of 2932	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2748 wrote to memory of 4836	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2748 wrote to memory of 4836	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2748 wrote to memory of 3576	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2748 wrote to memory of 3576	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2748 wrote to memory of 1216	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2748 wrote to memory of 1216	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2748 wrote to memory of 2264	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2748 wrote to memory of 2264	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2748 wrote to memory of 3000	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2748 wrote to memory of 3000	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2748 wrote to memory of 3944	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2748 wrote to memory of 3944	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2748 wrote to memory of 4200	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2748 wrote to memory of 4200	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2748 wrote to memory of 3480	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2748 wrote to memory of 3480	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2748 wrote to memory of 3996	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2748 wrote to memory of 3996	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2748 wrote to memory of 1864	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2748 wrote to memory of 1864	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2748 wrote to memory of 2576	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2748 wrote to memory of 2576	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2748 wrote to memory of 4736	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2748 wrote to memory of 4736	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2748 wrote to memory of 2060	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2748 wrote to memory of 2060	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2748 wrote to memory of 3432	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2748 wrote to memory of 3432	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2748 wrote to memory of 1440	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2748 wrote to memory of 1440	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2748 wrote to memory of 3476	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2748 wrote to memory of 3476	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2748 wrote to memory of 2780	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 2748 wrote to memory of 2780	2748	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\System\TUGzMhn.exe
  C:\Windows\System\TUGzMhn.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\mzIDNzr.exe
  C:\Windows\System\mzIDNzr.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\ESRnKjd.exe
  C:\Windows\System\ESRnKjd.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System\UhAhvlq.exe
  C:\Windows\System\UhAhvlq.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\DBJMhJq.exe
  C:\Windows\System\DBJMhJq.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\xJoPHNn.exe
  C:\Windows\System\xJoPHNn.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\MKHbJPM.exe
  C:\Windows\System\MKHbJPM.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\WvaKHbM.exe
  C:\Windows\System\WvaKHbM.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\XHzBlJm.exe
  C:\Windows\System\XHzBlJm.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\XYZIcNA.exe
  C:\Windows\System\XYZIcNA.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\dpdwPrw.exe
  C:\Windows\System\dpdwPrw.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\OIayAfP.exe
  C:\Windows\System\OIayAfP.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System\pAamluy.exe
  C:\Windows\System\pAamluy.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\xvhRJNI.exe
  C:\Windows\System\xvhRJNI.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\azOtCFa.exe
  C:\Windows\System\azOtCFa.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\dbyDEjS.exe
  C:\Windows\System\dbyDEjS.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\VNNMLMm.exe
  C:\Windows\System\VNNMLMm.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\EaSrlLF.exe
  C:\Windows\System\EaSrlLF.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System\EGtExyQ.exe
  C:\Windows\System\EGtExyQ.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\nCDvqKi.exe
  C:\Windows\System\nCDvqKi.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System\vRxiRPQ.exe
  C:\Windows\System\vRxiRPQ.exe
  2⤵
  - Executes dropped EXE
  PID:2780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DBJMhJq.exe

Filesize
5.9MB

MD5
ad67e3a665bf4c21bb788d8a5f7acec7

SHA1
efd5d3e386800ca65218e0e41cbdb739ab4bfea6

SHA256
59a28c6d2d19a90db04f995a306c917c3bad1836d0e68a2cc3d88b4f57d08747

SHA512
8a6e6b0a3a42bfbe7a630bd5f9da1e058ad4a22eed6a9ca7dd6b65c57a0a5a4ca4b89f20f82f323af7da73123a13490d386accd4ddccbda0203ac0ed6f6285b5

Download Submit
C:\Windows\System\EGtExyQ.exe

Filesize
6.0MB

MD5
a76f176ece84e77a0e70ce2055da012d

SHA1
98955b4dd19e2fecdbedadc9649e5214eebb9526

SHA256
80febc6a8e993107eec026393f2da215d906af2a80597dbfb060e1fb2ab1eb43

SHA512
757a20577512ed192ac3bc0bcfc460286387231e22ac0a3f69af5c2ecd0e0a8cdfc92a43b2a238c1cf8e54b58798f272a0f9da03119350c9ececa227d08f1670

Download Submit
C:\Windows\System\ESRnKjd.exe

Filesize
5.9MB

MD5
3b2181a13a2c66ccfed91e628673a672

SHA1
57f23255ac6d37729b45347332c70091990e3449

SHA256
1604b91105c4970d88493942f953ecb4f7530e0147b30ed952e73d048b80d151

SHA512
6bf216134e9e33a31e081a82b750b70c9e26eed6e5512f035dd35160fc49d3eb69f4634cf463414d75087533012edab3d20d213f95bac8cbf0288ec0251c4942

Download Submit
C:\Windows\System\EaSrlLF.exe

Filesize
5.9MB

MD5
7f2ac2351d08409172bffa42535cd5eb

SHA1
2e4d85eca27d1108dfa64e20e2739f87406688cb

SHA256
812c9b16e87b676f4d4878abb8b37be0ac7f860314ec8001eaf939546adbce07

SHA512
8032e152ac12d589de0ff52c1f734b28db7761e3ffb6200f66f0abd47b0b664794da73e142cc02c3f180146b0d4b692cba468cde2ba8b4e1c25283883e27ad3d

Download Submit
C:\Windows\System\MKHbJPM.exe

Filesize
5.9MB

MD5
bb4d84c380f29535d3d10645e02aea50

SHA1
a2cfba0bf0c3da41ca3a6eaee468d4f0edc765e8

SHA256
0fc0591c117e333926793f1227832da775bd585ea1f26574f2365c36fba4e260

SHA512
54b3f98eeb26756d655c0d2d82e0e236514ba4712bfc2ace2ba6e17b818c618e7fed1f085fd5072dc361957afe812e6d99a2ac57c24474e4e6c0662573d772fe

Download Submit
C:\Windows\System\OIayAfP.exe

Filesize
5.9MB

MD5
256f7d3a75c8ecf882e5b52c04bc103b

SHA1
3729dbcf0c36525ae6c18aeea753dcbdc6331da2

SHA256
9890672d629cec2f6332082848ff7041705cec23adf1a7d5a873bd23c511f42b

SHA512
6a7322946b5b4b161c2fa939deb78e92c4180f9b5c3d467e5be1a3117267682e9590afd8e6d8dad3ba6d80e55bd32ec02bfdb425219d45894533271d6179aebc

Download Submit
C:\Windows\System\TUGzMhn.exe

Filesize
5.9MB

MD5
eeba1ba80f8ac9ee39601a933ce014ee

SHA1
dadc00d0e025957584022bac4a148a7112c2e171

SHA256
5d91ded22a18fd80227f4acc753417b6ec1637502bf5e20b72d2c8cfe82663cc

SHA512
d9c0d32250a1d785f3ea06503e47af0108988722bf500b32e5eb1f3424ed44bc2ded49277c428f7fb1335811db0561adbdaf356988b03b21690fb7f7d1a60036

Download Submit
C:\Windows\System\UhAhvlq.exe

Filesize
5.9MB

MD5
f75d74c54d90ca6150784910c883e692

SHA1
31fee0dbd88cb0ccaf65ce3516839c2b9614e47e

SHA256
1d401da2b890c3d323eb2b3d3fbee7e345ddadd1e5d65583053604b537c91c85

SHA512
5d3c2e480fae180a02d70e3b3c41667f4268d10d7f7b8d504af875eac291392f87d1f30a77fce478a2e97fbaafc26156baf364fd312b0dd1248ebe33b8fb9954

Download Submit
C:\Windows\System\VNNMLMm.exe

Filesize
5.9MB

MD5
d2f9c8030d5f778ef6c91257f9b3ff0d

SHA1
79ae54367730b6117022bdc9231a9c4b7fc5e73c

SHA256
a9b993b9192eeef42fd0034020ddb05a67a275c409eeb4d5dd9813e16dc0f9c3

SHA512
674bbcdcd5080199e6f228d85413ca262cb58c184f51b23beab807da63fe5a54e585f88c9749b5d0f46e0d4cc707aaa543d0791f5b457da1ca4f27ec2bd07383

Download Submit
C:\Windows\System\WvaKHbM.exe

Filesize
5.9MB

MD5
fc0063a4c2ce65fdefd822b6e6b5cf1a

SHA1
8632ea40cf7aba89154534307bab5cb44037a1cc

SHA256
44a9a5c96874f59c2f30b8b36d0073f012355fd9ea5a9786011e4988beb01020

SHA512
9353ccd689ef103e21d6857f039c8083a1197dc7d85976c10c15e9a0af4eca2b5924e5d52716e65d472e30d581285bd18bd255e030a1eb1ed8009b60ab2d3a1c

Download Submit
C:\Windows\System\XHzBlJm.exe

Filesize
5.9MB

MD5
bf365d87524c4c7f7d99044bbd698810

SHA1
5854699276cd60bb6d291ea017729c861b044ed9

SHA256
6ed92e8efe3a0d78fbce78d0a0513b0ea89a882b805abd618cd837fd2c898999

SHA512
addf1e794517959f3c78bbf419f7df21ab1c250e130dd83e466aa90b5156656fc99f3a30a481c3c1516f0506f94fa9c8993ca29cad6ae1f14f339bb5c4f9472c

Download Submit
C:\Windows\System\XYZIcNA.exe

Filesize
5.9MB

MD5
6cce601f07af2bf22ace4bd353573535

SHA1
98f10a585d7b6e217b3ac648b90ce0b5dc9528dd

SHA256
b92997c49ea95a5934e0c6e0beceeb0a2c87edb7cf1000795de67a01c3210285

SHA512
6b2145f3aaa4aab9b67681c07ec0d2b21a6f6ab86438b9014e6f0f4b801f39bdf9643463b71a4f05d63a13e185d261a47343ee0d48166ae9cfc792434b1953cd

Download Submit
C:\Windows\System\azOtCFa.exe

Filesize
5.9MB

MD5
e959144a4f68edd7202dc771cdeb4f50

SHA1
e6a436671b3214c05dd7b31e08db6345be4287cf

SHA256
30324444ec73831aa7974003e68e77daef617041caeb201976fdd15a78edc414

SHA512
0db023da99721b4bf25c12a2aff5d1daf9fe53c20f3c4a11712839ce0751ea181221f4f1da286784d11acd6d208a83e4b8e9e49d684d5d4b3d9cb4d564a9f0a9

Download Submit
C:\Windows\System\dbyDEjS.exe

Filesize
5.9MB

MD5
d51dbe521fac1895adfe74a641924192

SHA1
f39a26f93c1100f2138fcc4fea3fa0ccba194ede

SHA256
14ee9a0a2fd6ab7cf3d87005c4e9738d76e64340295a476a0051b4476e567e60

SHA512
aebca82ad33c2cf98c4321c7d05e8d7420276946837706c3c60165e906d83f831edbb4725bee32de43a3e4bbe9b3297ad7027ffe02b07b3481e8a7ba7e61b0b5

Download Submit
C:\Windows\System\dpdwPrw.exe

Filesize
5.9MB

MD5
bd8ddf66fa66203ebaa6aed3df64103a

SHA1
a223a5b36978a38eef74df80958a12c01954a086

SHA256
b6e72d07bb51029c5b2ffb2d7b6ba3efee0f795992928ddcdfc355e4fcedfa52

SHA512
22ccb06f8e0d6b4f20f6feb57b97d358adbd6557b9c9af3f765980a74a0972e79b3a0321e16c67d902f741b8d2a99e990681ef1ae27e14eafd585b7b9b516ae9

Download Submit
C:\Windows\System\mzIDNzr.exe

Filesize
5.9MB

MD5
9bf052a2f6e1021c8aad1b9303fe00fb

SHA1
a5902ae8b11a3b8e3d7d178a2d3f02936fcfcd85

SHA256
acd7c82912e6b3e739d21b9b034957d7df700fe50911ec0c84e8a5f67f208715

SHA512
e2992e13a95e7a6f249adca0af4880668cb0a3b7e2c5470e5b68811e185ad53c3829c391253f6756fa9f62d3fef8e9c7b6a243cc8acfa9ec6445a11905658db3

Download Submit
C:\Windows\System\nCDvqKi.exe

Filesize
6.0MB

MD5
7b232df769e75c74c8d3cc45e7f0d0f8

SHA1
2942d4c7d344e0161cb7a1c5bd5e8e9b6a034e5e

SHA256
8a8568c397209eddf5f64b394bdf447b937ba5632e5ac17f4df3c3324fd0e388

SHA512
6e8b8ef2ca4ff4fe285e114a526b6da0c8155ff05ee8f9797fe255677bdfcb4bb4e44849059d2db3fa13dfcf6a0417c8cdead22e39873165aac3f8d992f2f8fd

Download Submit
C:\Windows\System\pAamluy.exe

Filesize
5.9MB

MD5
aad958fd4a4c721ff9887089447553f8

SHA1
d9a68559ed0db09c550b1ff1e5b7a6cd8e093ef6

SHA256
d295eada2c25bf472447cf19035aecf1999f077e9c79d22c1a791e3186b55b21

SHA512
38fd3613becf070b14ec23170c66a98fc61efcb81264b5a8cd55aa7bbeec0b3a32b01d75a499e1b6ecd8dd7f90518bb64749832e75a858001e47680b70fbc374

Download Submit
C:\Windows\System\vRxiRPQ.exe

Filesize
6.0MB

MD5
28f53c7b7d4f9a5c094ba91459bdc948

SHA1
bca16c62bc00b994ba86f7e87174b54e4d16a693

SHA256
a125821c5fe52a9af2ee02c86f341468b618f4ececcc6d47a55edd560d389169

SHA512
64a0aaffb2e403f6b2059126d6d22a29594d811a0f345da22f6043a901964363a952dd189897b98a64ef3f1c3264168ed473e711706e5b8b695e46f752e02d02

Download Submit
C:\Windows\System\xJoPHNn.exe

Filesize
5.9MB

MD5
6830c51558891a8aa3091a6e2925fb5a

SHA1
ba3288cbfe72028ddb532e0d40bede19fba96708

SHA256
cd8f6321a74fe127d2f8accbffa2745d868ada5f892bd9704f1c876a5b522cff

SHA512
b6570731eb8750bb28a1d4172f9fd0d7fc88f398b1710298aebd4ad73e2857f1e5fd13aeefc09455e05f1c330c11be7366b6e1bc99318886b797df590ff4d21c

Download Submit
C:\Windows\System\xvhRJNI.exe

Filesize
5.9MB

MD5
1e98db06a8f7fe6921ba2d6751311746

SHA1
3777bcc072be2b042085fb6bfaac3f0d01af2805

SHA256
b941ee9ac3adfaf2d63a12033640f7f333bf1f63f6ee59d07f5410230e9939ad

SHA512
df7ce53064a3190b71c6748d4dd80b45e76589fde99f42d1957ceefe907f918f71e9ac968e42ecfcd89007bb4d096c37f2670cd000d54ff9aa317ed4cb416ca4

Download Submit
memory/1216-45-0x00007FF6DBDB0000-0x00007FF6DC104000-memory.dmp

Filesize
3.3MB

Download
memory/1216-152-0x00007FF6DBDB0000-0x00007FF6DC104000-memory.dmp

Filesize
3.3MB

Download
memory/1216-105-0x00007FF6DBDB0000-0x00007FF6DC104000-memory.dmp

Filesize
3.3MB

Download
memory/1440-132-0x00007FF7AD610000-0x00007FF7AD964000-memory.dmp

Filesize
3.3MB

Download
memory/1440-144-0x00007FF7AD610000-0x00007FF7AD964000-memory.dmp

Filesize
3.3MB

Download
memory/1440-163-0x00007FF7AD610000-0x00007FF7AD964000-memory.dmp

Filesize
3.3MB

Download
memory/1704-145-0x00007FF616310000-0x00007FF616664000-memory.dmp

Filesize
3.3MB

Download
memory/1704-6-0x00007FF616310000-0x00007FF616664000-memory.dmp

Filesize
3.3MB

Download
memory/1704-67-0x00007FF616310000-0x00007FF616664000-memory.dmp

Filesize
3.3MB

Download
memory/1864-92-0x00007FF7EA720000-0x00007FF7EAA74000-memory.dmp

Filesize
3.3MB

Download
memory/1864-142-0x00007FF7EA720000-0x00007FF7EAA74000-memory.dmp

Filesize
3.3MB

Download
memory/1864-159-0x00007FF7EA720000-0x00007FF7EAA74000-memory.dmp

Filesize
3.3MB

Download
memory/2060-143-0x00007FF6F10D0000-0x00007FF6F1424000-memory.dmp

Filesize
3.3MB

Download
memory/2060-161-0x00007FF6F10D0000-0x00007FF6F1424000-memory.dmp

Filesize
3.3MB

Download
memory/2060-111-0x00007FF6F10D0000-0x00007FF6F1424000-memory.dmp

Filesize
3.3MB

Download
memory/2264-106-0x00007FF6D2B70000-0x00007FF6D2EC4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-151-0x00007FF6D2B70000-0x00007FF6D2EC4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-46-0x00007FF6D2B70000-0x00007FF6D2EC4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-158-0x00007FF7CB550000-0x00007FF7CB8A4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-101-0x00007FF7CB550000-0x00007FF7CB8A4000-memory.dmp

Filesize
3.3MB

Download
memory/2748-60-0x00007FF7223B0000-0x00007FF722704000-memory.dmp

Filesize
3.3MB

Download
memory/2748-1-0x000002B012400000-0x000002B012410000-memory.dmp

Filesize
64KB

Download
memory/2748-0-0x00007FF7223B0000-0x00007FF722704000-memory.dmp

Filesize
3.3MB

Download
memory/2780-165-0x00007FF75E510000-0x00007FF75E864000-memory.dmp

Filesize
3.3MB

Download
memory/2780-139-0x00007FF75E510000-0x00007FF75E864000-memory.dmp

Filesize
3.3MB

Download
memory/2932-82-0x00007FF6FF5C0000-0x00007FF6FF914000-memory.dmp

Filesize
3.3MB

Download
memory/2932-26-0x00007FF6FF5C0000-0x00007FF6FF914000-memory.dmp

Filesize
3.3MB

Download
memory/2932-148-0x00007FF6FF5C0000-0x00007FF6FF914000-memory.dmp

Filesize
3.3MB

Download
memory/3000-153-0x00007FF74B080000-0x00007FF74B3D4000-memory.dmp

Filesize
3.3MB

Download
memory/3000-117-0x00007FF74B080000-0x00007FF74B3D4000-memory.dmp

Filesize
3.3MB

Download
memory/3000-56-0x00007FF74B080000-0x00007FF74B3D4000-memory.dmp

Filesize
3.3MB

Download
memory/3432-120-0x00007FF6C8D90000-0x00007FF6C90E4000-memory.dmp

Filesize
3.3MB

Download
memory/3432-162-0x00007FF6C8D90000-0x00007FF6C90E4000-memory.dmp

Filesize
3.3MB

Download
memory/3476-138-0x00007FF6EDBB0000-0x00007FF6EDF04000-memory.dmp

Filesize
3.3MB

Download
memory/3476-164-0x00007FF6EDBB0000-0x00007FF6EDF04000-memory.dmp

Filesize
3.3MB

Download
memory/3480-156-0x00007FF680F90000-0x00007FF6812E4000-memory.dmp

Filesize
3.3MB

Download
memory/3480-76-0x00007FF680F90000-0x00007FF6812E4000-memory.dmp

Filesize
3.3MB

Download
memory/3480-140-0x00007FF680F90000-0x00007FF6812E4000-memory.dmp

Filesize
3.3MB

Download
memory/3576-36-0x00007FF63B040000-0x00007FF63B394000-memory.dmp

Filesize
3.3MB

Download
memory/3576-150-0x00007FF63B040000-0x00007FF63B394000-memory.dmp

Filesize
3.3MB

Download
memory/3576-97-0x00007FF63B040000-0x00007FF63B394000-memory.dmp

Filesize
3.3MB

Download
memory/3944-61-0x00007FF685540000-0x00007FF685894000-memory.dmp

Filesize
3.3MB

Download
memory/3944-154-0x00007FF685540000-0x00007FF685894000-memory.dmp

Filesize
3.3MB

Download
memory/3944-125-0x00007FF685540000-0x00007FF685894000-memory.dmp

Filesize
3.3MB

Download
memory/3984-20-0x00007FF6903A0000-0x00007FF6906F4000-memory.dmp

Filesize
3.3MB

Download
memory/3984-75-0x00007FF6903A0000-0x00007FF6906F4000-memory.dmp

Filesize
3.3MB

Download
memory/3984-147-0x00007FF6903A0000-0x00007FF6906F4000-memory.dmp

Filesize
3.3MB

Download
memory/3996-85-0x00007FF6A9FF0000-0x00007FF6AA344000-memory.dmp

Filesize
3.3MB

Download
memory/3996-141-0x00007FF6A9FF0000-0x00007FF6AA344000-memory.dmp

Filesize
3.3MB

Download
memory/3996-157-0x00007FF6A9FF0000-0x00007FF6AA344000-memory.dmp

Filesize
3.3MB

Download
memory/4184-71-0x00007FF6B4620000-0x00007FF6B4974000-memory.dmp

Filesize
3.3MB

Download
memory/4184-146-0x00007FF6B4620000-0x00007FF6B4974000-memory.dmp

Filesize
3.3MB

Download
memory/4184-12-0x00007FF6B4620000-0x00007FF6B4974000-memory.dmp

Filesize
3.3MB

Download
memory/4200-135-0x00007FF6EF460000-0x00007FF6EF7B4000-memory.dmp

Filesize
3.3MB

Download
memory/4200-68-0x00007FF6EF460000-0x00007FF6EF7B4000-memory.dmp

Filesize
3.3MB

Download
memory/4200-155-0x00007FF6EF460000-0x00007FF6EF7B4000-memory.dmp

Filesize
3.3MB

Download
memory/4736-107-0x00007FF62AAF0000-0x00007FF62AE44000-memory.dmp

Filesize
3.3MB

Download
memory/4736-160-0x00007FF62AAF0000-0x00007FF62AE44000-memory.dmp

Filesize
3.3MB

Download
memory/4836-149-0x00007FF73F140000-0x00007FF73F494000-memory.dmp

Filesize
3.3MB

Download
memory/4836-83-0x00007FF73F140000-0x00007FF73F494000-memory.dmp

Filesize
3.3MB

Download
memory/4836-31-0x00007FF73F140000-0x00007FF73F494000-memory.dmp

Filesize
3.3MB

Download