cobaltstrike | a8f197d180af1e68aa82caec4c148f78c4ecb5f145d48ef1d086c48afbc6f3e2

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

8c6ee039d92ed4292fdadc52d804fc92
SHA1

9a1785145fb1fdd967e6ee537984d1843233d83b
SHA256

a8f197d180af1e68aa82caec4c148f78c4ecb5f145d48ef1d086c48afbc6f3e2
SHA512

5ddacec5d1ba0354f85b9fbb7ebceafd49f4d30f48bacafac4f05d614732fe51dcf31f708cfce26524e019ad98e3e586282f5529740c4421c66b29df90e5d59f
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUo:Q+856utgpPF8u/7o

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023429-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342d-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342f-20.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023431-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023430-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-78.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023438-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-48.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342e-23.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-94.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-101.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-107.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-111.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-125.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/5096-0-0x00007FF622910000-0x00007FF622C64000-memory.dmp	xmrig
behavioral2/files/0x0008000000023429-5.dat	xmrig
behavioral2/memory/4768-8-0x00007FF7F4730000-0x00007FF7F4A84000-memory.dmp	xmrig
behavioral2/files/0x000700000002342d-11.dat	xmrig
behavioral2/memory/1648-15-0x00007FF6A3970000-0x00007FF6A3CC4000-memory.dmp	xmrig
behavioral2/files/0x000700000002342f-20.dat	xmrig
behavioral2/files/0x0007000000023431-32.dat	xmrig
behavioral2/files/0x0007000000023430-31.dat	xmrig
behavioral2/files/0x0007000000023434-44.dat	xmrig
behavioral2/files/0x0007000000023435-52.dat	xmrig
behavioral2/files/0x0007000000023436-57.dat	xmrig
behavioral2/memory/3588-70-0x00007FF715B00000-0x00007FF715E54000-memory.dmp	xmrig
behavioral2/files/0x0007000000023437-78.dat	xmrig
behavioral2/memory/2272-86-0x00007FF7B8320000-0x00007FF7B8674000-memory.dmp	xmrig
behavioral2/files/0x000700000002343a-90.dat	xmrig
behavioral2/memory/1988-92-0x00007FF7F0BE0000-0x00007FF7F0F34000-memory.dmp	xmrig
behavioral2/memory/1748-89-0x00007FF72DCF0000-0x00007FF72E044000-memory.dmp	xmrig
behavioral2/memory/3356-87-0x00007FF665730000-0x00007FF665A84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023439-83.dat	xmrig
behavioral2/memory/4068-81-0x00007FF731D10000-0x00007FF732064000-memory.dmp	xmrig
behavioral2/files/0x0007000000023438-79.dat	xmrig
behavioral2/memory/2140-75-0x00007FF6A4F80000-0x00007FF6A52D4000-memory.dmp	xmrig
behavioral2/memory/3708-74-0x00007FF628300000-0x00007FF628654000-memory.dmp	xmrig
behavioral2/memory/3972-69-0x00007FF748B40000-0x00007FF748E94000-memory.dmp	xmrig
behavioral2/memory/452-60-0x00007FF688200000-0x00007FF688554000-memory.dmp	xmrig
behavioral2/files/0x0007000000023432-56.dat	xmrig
behavioral2/memory/1004-49-0x00007FF78F010000-0x00007FF78F364000-memory.dmp	xmrig
behavioral2/files/0x0007000000023433-48.dat	xmrig
behavioral2/memory/4184-38-0x00007FF7B46F0000-0x00007FF7B4A44000-memory.dmp	xmrig
behavioral2/memory/3848-33-0x00007FF758210000-0x00007FF758564000-memory.dmp	xmrig
behavioral2/files/0x000700000002342e-23.dat	xmrig
behavioral2/files/0x000700000002343b-94.dat	xmrig
behavioral2/memory/2284-96-0x00007FF638EB0000-0x00007FF639204000-memory.dmp	xmrig
behavioral2/files/0x000700000002343c-101.dat	xmrig
behavioral2/memory/384-102-0x00007FF7D5340000-0x00007FF7D5694000-memory.dmp	xmrig
behavioral2/files/0x000700000002343d-107.dat	xmrig
behavioral2/memory/2440-108-0x00007FF73B3E0000-0x00007FF73B734000-memory.dmp	xmrig
behavioral2/files/0x000700000002343e-111.dat	xmrig
behavioral2/memory/1116-115-0x00007FF7648B0000-0x00007FF764C04000-memory.dmp	xmrig
behavioral2/memory/5096-114-0x00007FF622910000-0x00007FF622C64000-memory.dmp	xmrig
behavioral2/files/0x000700000002343f-121.dat	xmrig
behavioral2/files/0x0007000000023440-125.dat	xmrig
behavioral2/memory/2128-127-0x00007FF648E10000-0x00007FF649164000-memory.dmp	xmrig
behavioral2/memory/1648-128-0x00007FF6A3970000-0x00007FF6A3CC4000-memory.dmp	xmrig
behavioral2/memory/1004-130-0x00007FF78F010000-0x00007FF78F364000-memory.dmp	xmrig
behavioral2/memory/452-131-0x00007FF688200000-0x00007FF688554000-memory.dmp	xmrig
behavioral2/memory/3848-129-0x00007FF758210000-0x00007FF758564000-memory.dmp	xmrig
behavioral2/memory/3708-132-0x00007FF628300000-0x00007FF628654000-memory.dmp	xmrig
behavioral2/memory/3856-133-0x00007FF7F41E0000-0x00007FF7F4534000-memory.dmp	xmrig
behavioral2/memory/3588-134-0x00007FF715B00000-0x00007FF715E54000-memory.dmp	xmrig
behavioral2/memory/2272-135-0x00007FF7B8320000-0x00007FF7B8674000-memory.dmp	xmrig
behavioral2/memory/3356-136-0x00007FF665730000-0x00007FF665A84000-memory.dmp	xmrig
behavioral2/memory/1988-137-0x00007FF7F0BE0000-0x00007FF7F0F34000-memory.dmp	xmrig
behavioral2/memory/2284-138-0x00007FF638EB0000-0x00007FF639204000-memory.dmp	xmrig
behavioral2/memory/384-139-0x00007FF7D5340000-0x00007FF7D5694000-memory.dmp	xmrig
behavioral2/memory/2440-140-0x00007FF73B3E0000-0x00007FF73B734000-memory.dmp	xmrig
behavioral2/memory/1116-141-0x00007FF7648B0000-0x00007FF764C04000-memory.dmp	xmrig
behavioral2/memory/4768-142-0x00007FF7F4730000-0x00007FF7F4A84000-memory.dmp	xmrig
behavioral2/memory/1648-143-0x00007FF6A3970000-0x00007FF6A3CC4000-memory.dmp	xmrig
behavioral2/memory/3848-144-0x00007FF758210000-0x00007FF758564000-memory.dmp	xmrig
behavioral2/memory/4184-145-0x00007FF7B46F0000-0x00007FF7B4A44000-memory.dmp	xmrig
behavioral2/memory/2140-146-0x00007FF6A4F80000-0x00007FF6A52D4000-memory.dmp	xmrig
behavioral2/memory/3972-147-0x00007FF748B40000-0x00007FF748E94000-memory.dmp	xmrig
behavioral2/memory/1004-148-0x00007FF78F010000-0x00007FF78F364000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4768	EHUTFGB.exe
1648	uzgEaXe.exe
3848	pbHWxvD.exe
4184	DTJDuUn.exe
2140	iLYOyEM.exe
1004	VyYkbZc.exe
4068	zUNlmpe.exe
452	ltsleWx.exe
3972	GmNpLIU.exe
2272	xyjjTvE.exe
3588	ilALtLI.exe
3356	FUFJkam.exe
3708	PLzspMz.exe
1748	KDvBrIK.exe
1988	bcqCVBz.exe
2284	rhULaQZ.exe
384	llnhHnl.exe
2440	aSCXoqd.exe
1116	AcxFQpY.exe
2128	AVVCTzU.exe
3856	ZhNtsGq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5096-0-0x00007FF622910000-0x00007FF622C64000-memory.dmp	upx
behavioral2/files/0x0008000000023429-5.dat	upx
behavioral2/memory/4768-8-0x00007FF7F4730000-0x00007FF7F4A84000-memory.dmp	upx
behavioral2/files/0x000700000002342d-11.dat	upx
behavioral2/memory/1648-15-0x00007FF6A3970000-0x00007FF6A3CC4000-memory.dmp	upx
behavioral2/files/0x000700000002342f-20.dat	upx
behavioral2/files/0x0007000000023431-32.dat	upx
behavioral2/files/0x0007000000023430-31.dat	upx
behavioral2/files/0x0007000000023434-44.dat	upx
behavioral2/files/0x0007000000023435-52.dat	upx
behavioral2/files/0x0007000000023436-57.dat	upx
behavioral2/memory/3588-70-0x00007FF715B00000-0x00007FF715E54000-memory.dmp	upx
behavioral2/files/0x0007000000023437-78.dat	upx
behavioral2/memory/2272-86-0x00007FF7B8320000-0x00007FF7B8674000-memory.dmp	upx
behavioral2/files/0x000700000002343a-90.dat	upx
behavioral2/memory/1988-92-0x00007FF7F0BE0000-0x00007FF7F0F34000-memory.dmp	upx
behavioral2/memory/1748-89-0x00007FF72DCF0000-0x00007FF72E044000-memory.dmp	upx
behavioral2/memory/3356-87-0x00007FF665730000-0x00007FF665A84000-memory.dmp	upx
behavioral2/files/0x0007000000023439-83.dat	upx
behavioral2/memory/4068-81-0x00007FF731D10000-0x00007FF732064000-memory.dmp	upx
behavioral2/files/0x0007000000023438-79.dat	upx
behavioral2/memory/2140-75-0x00007FF6A4F80000-0x00007FF6A52D4000-memory.dmp	upx
behavioral2/memory/3708-74-0x00007FF628300000-0x00007FF628654000-memory.dmp	upx
behavioral2/memory/3972-69-0x00007FF748B40000-0x00007FF748E94000-memory.dmp	upx
behavioral2/memory/452-60-0x00007FF688200000-0x00007FF688554000-memory.dmp	upx
behavioral2/files/0x0007000000023432-56.dat	upx
behavioral2/memory/1004-49-0x00007FF78F010000-0x00007FF78F364000-memory.dmp	upx
behavioral2/files/0x0007000000023433-48.dat	upx
behavioral2/memory/4184-38-0x00007FF7B46F0000-0x00007FF7B4A44000-memory.dmp	upx
behavioral2/memory/3848-33-0x00007FF758210000-0x00007FF758564000-memory.dmp	upx
behavioral2/files/0x000700000002342e-23.dat	upx
behavioral2/files/0x000700000002343b-94.dat	upx
behavioral2/memory/2284-96-0x00007FF638EB0000-0x00007FF639204000-memory.dmp	upx
behavioral2/files/0x000700000002343c-101.dat	upx
behavioral2/memory/384-102-0x00007FF7D5340000-0x00007FF7D5694000-memory.dmp	upx
behavioral2/files/0x000700000002343d-107.dat	upx
behavioral2/memory/2440-108-0x00007FF73B3E0000-0x00007FF73B734000-memory.dmp	upx
behavioral2/files/0x000700000002343e-111.dat	upx
behavioral2/memory/1116-115-0x00007FF7648B0000-0x00007FF764C04000-memory.dmp	upx
behavioral2/memory/5096-114-0x00007FF622910000-0x00007FF622C64000-memory.dmp	upx
behavioral2/files/0x000700000002343f-121.dat	upx
behavioral2/files/0x0007000000023440-125.dat	upx
behavioral2/memory/2128-127-0x00007FF648E10000-0x00007FF649164000-memory.dmp	upx
behavioral2/memory/1648-128-0x00007FF6A3970000-0x00007FF6A3CC4000-memory.dmp	upx
behavioral2/memory/1004-130-0x00007FF78F010000-0x00007FF78F364000-memory.dmp	upx
behavioral2/memory/452-131-0x00007FF688200000-0x00007FF688554000-memory.dmp	upx
behavioral2/memory/3848-129-0x00007FF758210000-0x00007FF758564000-memory.dmp	upx
behavioral2/memory/3708-132-0x00007FF628300000-0x00007FF628654000-memory.dmp	upx
behavioral2/memory/3856-133-0x00007FF7F41E0000-0x00007FF7F4534000-memory.dmp	upx
behavioral2/memory/3588-134-0x00007FF715B00000-0x00007FF715E54000-memory.dmp	upx
behavioral2/memory/2272-135-0x00007FF7B8320000-0x00007FF7B8674000-memory.dmp	upx
behavioral2/memory/3356-136-0x00007FF665730000-0x00007FF665A84000-memory.dmp	upx
behavioral2/memory/1988-137-0x00007FF7F0BE0000-0x00007FF7F0F34000-memory.dmp	upx
behavioral2/memory/2284-138-0x00007FF638EB0000-0x00007FF639204000-memory.dmp	upx
behavioral2/memory/384-139-0x00007FF7D5340000-0x00007FF7D5694000-memory.dmp	upx
behavioral2/memory/2440-140-0x00007FF73B3E0000-0x00007FF73B734000-memory.dmp	upx
behavioral2/memory/1116-141-0x00007FF7648B0000-0x00007FF764C04000-memory.dmp	upx
behavioral2/memory/4768-142-0x00007FF7F4730000-0x00007FF7F4A84000-memory.dmp	upx
behavioral2/memory/1648-143-0x00007FF6A3970000-0x00007FF6A3CC4000-memory.dmp	upx
behavioral2/memory/3848-144-0x00007FF758210000-0x00007FF758564000-memory.dmp	upx
behavioral2/memory/4184-145-0x00007FF7B46F0000-0x00007FF7B4A44000-memory.dmp	upx
behavioral2/memory/2140-146-0x00007FF6A4F80000-0x00007FF6A52D4000-memory.dmp	upx
behavioral2/memory/3972-147-0x00007FF748B40000-0x00007FF748E94000-memory.dmp	upx
behavioral2/memory/1004-148-0x00007FF78F010000-0x00007FF78F364000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\GmNpLIU.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ilALtLI.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PLzspMz.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bcqCVBz.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AVVCTzU.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZhNtsGq.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EHUTFGB.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pbHWxvD.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ltsleWx.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zUNlmpe.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DTJDuUn.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VyYkbZc.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rhULaQZ.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aSCXoqd.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KDvBrIK.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\llnhHnl.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AcxFQpY.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uzgEaXe.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iLYOyEM.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xyjjTvE.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FUFJkam.exe	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4768	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 5096 wrote to memory of 4768	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 5096 wrote to memory of 1648	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5096 wrote to memory of 1648	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5096 wrote to memory of 3848	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5096 wrote to memory of 3848	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5096 wrote to memory of 4184	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5096 wrote to memory of 4184	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5096 wrote to memory of 2140	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5096 wrote to memory of 2140	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5096 wrote to memory of 1004	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5096 wrote to memory of 1004	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5096 wrote to memory of 452	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5096 wrote to memory of 452	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5096 wrote to memory of 4068	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5096 wrote to memory of 4068	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5096 wrote to memory of 3972	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5096 wrote to memory of 3972	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5096 wrote to memory of 2272	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5096 wrote to memory of 2272	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5096 wrote to memory of 3588	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5096 wrote to memory of 3588	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5096 wrote to memory of 3356	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5096 wrote to memory of 3356	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5096 wrote to memory of 3708	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5096 wrote to memory of 3708	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5096 wrote to memory of 1748	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5096 wrote to memory of 1748	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5096 wrote to memory of 1988	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5096 wrote to memory of 1988	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5096 wrote to memory of 2284	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5096 wrote to memory of 2284	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5096 wrote to memory of 384	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5096 wrote to memory of 384	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5096 wrote to memory of 2440	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5096 wrote to memory of 2440	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5096 wrote to memory of 1116	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5096 wrote to memory of 1116	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5096 wrote to memory of 2128	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5096 wrote to memory of 2128	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5096 wrote to memory of 3856	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5096 wrote to memory of 3856	5096	2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_8c6ee039d92ed4292fdadc52d804fc92_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\System\EHUTFGB.exe
  C:\Windows\System\EHUTFGB.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System\uzgEaXe.exe
  C:\Windows\System\uzgEaXe.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\pbHWxvD.exe
  C:\Windows\System\pbHWxvD.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\DTJDuUn.exe
  C:\Windows\System\DTJDuUn.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\iLYOyEM.exe
  C:\Windows\System\iLYOyEM.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\VyYkbZc.exe
  C:\Windows\System\VyYkbZc.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System\ltsleWx.exe
  C:\Windows\System\ltsleWx.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System\zUNlmpe.exe
  C:\Windows\System\zUNlmpe.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\GmNpLIU.exe
  C:\Windows\System\GmNpLIU.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\xyjjTvE.exe
  C:\Windows\System\xyjjTvE.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\ilALtLI.exe
  C:\Windows\System\ilALtLI.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System\FUFJkam.exe
  C:\Windows\System\FUFJkam.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\PLzspMz.exe
  C:\Windows\System\PLzspMz.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\KDvBrIK.exe
  C:\Windows\System\KDvBrIK.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\bcqCVBz.exe
  C:\Windows\System\bcqCVBz.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\rhULaQZ.exe
  C:\Windows\System\rhULaQZ.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\llnhHnl.exe
  C:\Windows\System\llnhHnl.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\aSCXoqd.exe
  C:\Windows\System\aSCXoqd.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\AcxFQpY.exe
  C:\Windows\System\AcxFQpY.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\AVVCTzU.exe
  C:\Windows\System\AVVCTzU.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\ZhNtsGq.exe
  C:\Windows\System\ZhNtsGq.exe
  2⤵
  - Executes dropped EXE
  PID:3856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AVVCTzU.exe

Filesize
5.9MB

MD5
b465884c0ff3379003fb7b5ee066a788

SHA1
f563681bb9f2226c450f019f9ccc6aef0ab120bb

SHA256
e95e137d32dd6b52304ee90bf853d8235aaa287fecacdf1255d64e22474fd9fb

SHA512
1217e23c4c17aa079b77a236e13096a33a7962e23de49ff2bd65d1c452c20affbf860e70ba281f436bd29b839694763fc4a4774cfd46a6d638594ec5f57a3f85

Download Submit
C:\Windows\System\AcxFQpY.exe

Filesize
5.9MB

MD5
21d0a29ae88cfa2c7d11282e4602d040

SHA1
737fc6e1d6a04f4dabb85d040462c0e3dbdbe47b

SHA256
b51bfa9c87ae931db48a565436ae335fa69b00d99982eaeec0677de3e14a8301

SHA512
9a9792293acf2e4a14dbfeda240003b14b339ee8cdaa04ad72c5188843378451e20b8bbbfd47cf285f588b366f266e19221c7443a033d55ae7d299d2b9462fce

Download Submit
C:\Windows\System\DTJDuUn.exe

Filesize
5.9MB

MD5
f09b5c11a01dca2db73bf91dc5ae8296

SHA1
64803c03d252f4b1562eebadb7636a3dc5259b85

SHA256
496db4ccfb5a8c0ba5205659d48f4a1c8d7fc77ab01b468be95e6387d33a71e2

SHA512
ccd1165f26aadef4ca0a7c46976a25ec9606449402fe124dde534b7a6a038d8ae310fecf330b35f8f633a62fec57afd8d68a5fa172a6f15354ffcc177072f3d9

Download Submit
C:\Windows\System\EHUTFGB.exe

Filesize
5.9MB

MD5
5979c32864889d0445c431745aab31bd

SHA1
f699f940587d3c43e6d324c90bd5971c616fa75d

SHA256
d50447f811232e93da1c6fbb3fa5f3326623390115bc1c6c9f621639ed431c2c

SHA512
dac13d35eaf22310fd5bffe50d028c0be4109d152ecb91d516722805fb78413ba4a35eb45403ab1941972da672b65950524aa7dbdf830b06af85c2d4bffbe9fc

Download Submit
C:\Windows\System\FUFJkam.exe

Filesize
5.9MB

MD5
f6e1a6662e8b2789615f111e963563fc

SHA1
72f9f0e3e93641c991e5de9761b5c0809a742fdc

SHA256
4ff098b915a097b5c596deea89bc365bda9cd2c3a975e1e245822797c19cba72

SHA512
a08179146ab836868208471b37e5f3a6231508f4be1ed9d01cf1195eed2ad6b51481b04647f5783747a3556aae833a990550676db52ddac61591e2a0a2271a3e

Download Submit
C:\Windows\System\GmNpLIU.exe

Filesize
5.9MB

MD5
a961e6909486cb09b8f4626d1c2f810b

SHA1
80848d978224ea0a34e2e51ed0f48911506727a0

SHA256
7151f5ec70f0e551d253d9e10e0d32156e1868b181f6e8c44522978bd75a9e68

SHA512
d8857562256bfc48ce6fb200e287b25f3389a81a7cf956faaded657e6b9117204d60015db6fcbca4dafa4b4b116e3e8a7b75c76bef47f5aad44fe0f8b19b04e0

Download Submit
C:\Windows\System\KDvBrIK.exe

Filesize
5.9MB

MD5
17c6c30920893c50e2ee69e14c3c6e44

SHA1
5b81ff138a4fa67cca3b77de55de012834082df5

SHA256
bb5831399d136e4c21fe7da3d223c4f8c13cae549085620c321bf811d7a22d1c

SHA512
280b538ed9c6066f377e3d75e01ac899e4c3caf0b8bcc3bf13afedf7349eeaf5c167177605953e56b15c20e4db5f6aece66ae0fcb87c2a6c5bea782529fe30c3

Download Submit
C:\Windows\System\PLzspMz.exe

Filesize
5.9MB

MD5
0d4b43dd72c718564584b47b8393df52

SHA1
a532b85f467154fdd55762777e6a44fb250f410a

SHA256
dd3da42baaaffe712bfa2eed0198c5439d0894f1b37c644ab6b82a6ffac4cad4

SHA512
51c50bc5633704085253959d9249aebe72301be5928139dda6db862ddfb39b7b8a4bb2963f7bd917b51253c00cad2fba82157b3e7d9d9ba0d0fc47ce5af20ad7

Download Submit
C:\Windows\System\VyYkbZc.exe

Filesize
5.9MB

MD5
7d1fd29998ffdc95e5048b8a6ad391db

SHA1
c66733d18b0c1995a1ed4da84b24dbd888f78ae3

SHA256
8eeb0c29a7f16704733ad2f1cbd5e1a1dd63c6fd1216d976d2169deb9a6eda1a

SHA512
eed442d400645cf6e3055e78bbd55c8a25af10aaf384a45a81efacf6962b2c895456950574300b7ca03f26d1e263ba2483586127cd950aeebe12b28265ea8f11

Download Submit
C:\Windows\System\ZhNtsGq.exe

Filesize
5.9MB

MD5
488e52a2fead8261fb5fad99398b7426

SHA1
b4b2cb61163347d604c6c8e08f9c986993b3b11c

SHA256
7aae62f1eb1c605a9c8d1443b2cb92eae75dea8b31200e4072b406727fae753f

SHA512
b72cbc24c68f3ff1a733d7d54585881980a4370a65aae639c7c1062d698d4892c74f01d0b9beb68820df7c86af28d86c4d1f0223b1996f42c833ee94b5bad970

Download Submit
C:\Windows\System\aSCXoqd.exe

Filesize
5.9MB

MD5
de66181b033dc1e4f89ed0ac5bacac29

SHA1
41b76fce2f1a2e79600330c18e8af60f3972f7be

SHA256
dccec6a2a7c9a393c7142ea29185542e892bac13fc5e5e79347508c71a80d87b

SHA512
b04f5bb59d29a06ca9e53b034472eb24d72faf7c04eb9bbae78acf3c99abed20c79dcde864d3f62a9ec46ed9c52484643681336069f3910ea4d9d769f059a80e

Download Submit
C:\Windows\System\bcqCVBz.exe

Filesize
5.9MB

MD5
a56fcab8634cb1861e38a1e4e2abda1a

SHA1
e70e88bf84b36f4373e5a552037dae8ce6e17d08

SHA256
35bd1d8d7e1b5aba7d798e68b7f65b3bc1198e6cc225075781575eb12ac4aac5

SHA512
e0c055f32a2e09639f54b9a81a12a82f60ab12aab36e441e97e61407d4c91a3fb27466855891e7bc3b5bc52e428a18ca76e146c5aacb4a88ad7b85a76228a771

Download Submit
C:\Windows\System\iLYOyEM.exe

Filesize
5.9MB

MD5
e0455168ebe45be6b4f02c8bc7638d12

SHA1
4a16abf28234bc4b1b46cc0457d59601e779d2fe

SHA256
0c5a0a54e092d40579dfeabca2cafb7771b6a7ad7ff93d64bbb04a008885abce

SHA512
5ba96ee99c90dc4d756d5faa1435d043e6aeb6294bfcd75d7c92a4509ad7e588d64fe9e063475e8647d89e6d6e2baba37af4ed3a51a2ca33e3b8f01902101d7b

Download Submit
C:\Windows\System\ilALtLI.exe

Filesize
5.9MB

MD5
c85edee51abec75bb62407aa0d4071da

SHA1
78bb1a8fab4a904df2e5e1630faf6e2c9e632651

SHA256
9262c9542f5a4cc5f802f3bb30894d56787934532117aa028442e445985b1476

SHA512
1ba8506e7251a9107705cd9a82b86b57a9cc968c784f1bb8dec810103c684ba6a6e6cdd143a771bf9a2baed4b0559cd959d3aee8b666784e340a75d44a6f7a33

Download Submit
C:\Windows\System\llnhHnl.exe

Filesize
5.9MB

MD5
c37de58514f848704b0553f6922153a9

SHA1
23136557455a4facf98fde468677b1e6c17531fe

SHA256
a2ec56a56f8c04a9afdd71f201bfeb975bd9b55bdc2012f35fe07b6a035b3db5

SHA512
8cc110507793f820d2defa7bdf287a52eb8304c4f36e607f8a90e358774ce9e53398407c69181bdd11b7ec1eefc37bd08b1776783c91fb1f6b6f6adfe5107246

Download Submit
C:\Windows\System\ltsleWx.exe

Filesize
5.9MB

MD5
a02982a1fb70208813a7c2a6bb1975d4

SHA1
fc36efe391b7534600b17e12fa84dafce6487b83

SHA256
3500390189c1682f72e7d1a5c0ae2fe29a4fe94358af8b1935578a7fe78f436d

SHA512
ff5194b11da4a8b92c8d157ffeaa1dfcd8a2688f314e2e5d6a8e96509e880419a495ef9ca2b24d67ffec92b0b3d69cc2392e886b15bdfbd35a36ab6a2d103124

Download Submit
C:\Windows\System\pbHWxvD.exe

Filesize
5.9MB

MD5
949018639d0a39cde8096f15e309b236

SHA1
0e9b05313690cce2cfab23e950c7f9a58822c005

SHA256
080f798a1f5e90e16d7b9c2f934a2261ac21786d35425fcb11be6aff7b8f405a

SHA512
f0be040a7e3c1061e6e5790f556129a2c5a605236fb7da5961f7a95d968be57f275993dac94bd4f004a1b0ae28ca8ae722c883851cee5d23a1876c93fc9806a5

Download Submit
C:\Windows\System\rhULaQZ.exe

Filesize
5.9MB

MD5
d43d7b9330945eacb0653e5b5a93c94b

SHA1
3c1cfdf9c9957185fdb963df5383da780272271d

SHA256
a0449f5a15120102c5db961cdaacad67f0e78496787095c58c1b91c080f5362b

SHA512
636ca35cd85fe7b1bd0a85ebd49b14543f9a2ea146204bb1b68ca7c0a15954e15ecd30f96f69c2a88dad9c1db10837b75287bcd5c086b8e822bcfcbc9d4dd345

Download Submit
C:\Windows\System\uzgEaXe.exe

Filesize
5.9MB

MD5
ef49e1eeffb7cef1219c3cd647aab1bf

SHA1
6a5e71a3e77d637dbb1592a8e34edeade10fe257

SHA256
9a86a2bfefbc203f91533d23c66c6ad38a05590a241180cf99ac5c5c62fd1567

SHA512
2b7a90679f801539884782c8c48bab01233682e17aa8097a0bdc9f2dccc73ac72d8c343b5ed74c7c9af855fa633ec83368aed3561ff6aabf4e8c5aa5c52e1c14

Download Submit
C:\Windows\System\xyjjTvE.exe

Filesize
5.9MB

MD5
fc2c03c6217f0509b83f93fcbb14197c

SHA1
981668aa1f4f6be084a1b2bac77fb50496836324

SHA256
76718b67aaf364f17a19abcc3e1e46fabbe6814e071cb7317537108cc333940a

SHA512
087194e28538285c41a71e8d57e859fc532b30a660fd8589e2ca16287e7d71266dd323337c18d7b33e9e33b68a1c8fc044e2d407c47aa5f7e7c7eb738b324341

Download Submit
C:\Windows\System\zUNlmpe.exe

Filesize
5.9MB

MD5
6628b35d6323bbb05928377746fca771

SHA1
3774c8b23bbe41b27cc483c7ebabdd9337f1cd50

SHA256
962c3cb474cf8507d73d6929f8a082514fe0121236fc69b82544e4b856aad9d5

SHA512
03f00d5d01656a62cce3cfb17533b18457335968c3b72baeb11578b160fc73a7debc315322e7ec4f2d0e56c86ac44b5ab512359247710ea82babe668c9baed91

Download Submit
memory/384-102-0x00007FF7D5340000-0x00007FF7D5694000-memory.dmp

Filesize
3.3MB

Download
memory/384-158-0x00007FF7D5340000-0x00007FF7D5694000-memory.dmp

Filesize
3.3MB

Download
memory/384-139-0x00007FF7D5340000-0x00007FF7D5694000-memory.dmp

Filesize
3.3MB

Download
memory/452-150-0x00007FF688200000-0x00007FF688554000-memory.dmp

Filesize
3.3MB

Download
memory/452-60-0x00007FF688200000-0x00007FF688554000-memory.dmp

Filesize
3.3MB

Download
memory/452-131-0x00007FF688200000-0x00007FF688554000-memory.dmp

Filesize
3.3MB

Download
memory/1004-148-0x00007FF78F010000-0x00007FF78F364000-memory.dmp

Filesize
3.3MB

Download
memory/1004-49-0x00007FF78F010000-0x00007FF78F364000-memory.dmp

Filesize
3.3MB

Download
memory/1004-130-0x00007FF78F010000-0x00007FF78F364000-memory.dmp

Filesize
3.3MB

Download
memory/1116-160-0x00007FF7648B0000-0x00007FF764C04000-memory.dmp

Filesize
3.3MB

Download
memory/1116-141-0x00007FF7648B0000-0x00007FF764C04000-memory.dmp

Filesize
3.3MB

Download
memory/1116-115-0x00007FF7648B0000-0x00007FF764C04000-memory.dmp

Filesize
3.3MB

Download
memory/1648-15-0x00007FF6A3970000-0x00007FF6A3CC4000-memory.dmp

Filesize
3.3MB

Download
memory/1648-128-0x00007FF6A3970000-0x00007FF6A3CC4000-memory.dmp

Filesize
3.3MB

Download
memory/1648-143-0x00007FF6A3970000-0x00007FF6A3CC4000-memory.dmp

Filesize
3.3MB

Download
memory/1748-89-0x00007FF72DCF0000-0x00007FF72E044000-memory.dmp

Filesize
3.3MB

Download
memory/1748-154-0x00007FF72DCF0000-0x00007FF72E044000-memory.dmp

Filesize
3.3MB

Download
memory/1988-137-0x00007FF7F0BE0000-0x00007FF7F0F34000-memory.dmp

Filesize
3.3MB

Download
memory/1988-153-0x00007FF7F0BE0000-0x00007FF7F0F34000-memory.dmp

Filesize
3.3MB

Download
memory/1988-92-0x00007FF7F0BE0000-0x00007FF7F0F34000-memory.dmp

Filesize
3.3MB

Download
memory/2128-161-0x00007FF648E10000-0x00007FF649164000-memory.dmp

Filesize
3.3MB

Download
memory/2128-127-0x00007FF648E10000-0x00007FF649164000-memory.dmp

Filesize
3.3MB

Download
memory/2140-75-0x00007FF6A4F80000-0x00007FF6A52D4000-memory.dmp

Filesize
3.3MB

Download
memory/2140-146-0x00007FF6A4F80000-0x00007FF6A52D4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-135-0x00007FF7B8320000-0x00007FF7B8674000-memory.dmp

Filesize
3.3MB

Download
memory/2272-86-0x00007FF7B8320000-0x00007FF7B8674000-memory.dmp

Filesize
3.3MB

Download
memory/2272-155-0x00007FF7B8320000-0x00007FF7B8674000-memory.dmp

Filesize
3.3MB

Download
memory/2284-96-0x00007FF638EB0000-0x00007FF639204000-memory.dmp

Filesize
3.3MB

Download
memory/2284-157-0x00007FF638EB0000-0x00007FF639204000-memory.dmp

Filesize
3.3MB

Download
memory/2284-138-0x00007FF638EB0000-0x00007FF639204000-memory.dmp

Filesize
3.3MB

Download
memory/2440-140-0x00007FF73B3E0000-0x00007FF73B734000-memory.dmp

Filesize
3.3MB

Download
memory/2440-159-0x00007FF73B3E0000-0x00007FF73B734000-memory.dmp

Filesize
3.3MB

Download
memory/2440-108-0x00007FF73B3E0000-0x00007FF73B734000-memory.dmp

Filesize
3.3MB

Download
memory/3356-156-0x00007FF665730000-0x00007FF665A84000-memory.dmp

Filesize
3.3MB

Download
memory/3356-136-0x00007FF665730000-0x00007FF665A84000-memory.dmp

Filesize
3.3MB

Download
memory/3356-87-0x00007FF665730000-0x00007FF665A84000-memory.dmp

Filesize
3.3MB

Download
memory/3588-134-0x00007FF715B00000-0x00007FF715E54000-memory.dmp

Filesize
3.3MB

Download
memory/3588-151-0x00007FF715B00000-0x00007FF715E54000-memory.dmp

Filesize
3.3MB

Download
memory/3588-70-0x00007FF715B00000-0x00007FF715E54000-memory.dmp

Filesize
3.3MB

Download
memory/3708-74-0x00007FF628300000-0x00007FF628654000-memory.dmp

Filesize
3.3MB

Download
memory/3708-132-0x00007FF628300000-0x00007FF628654000-memory.dmp

Filesize
3.3MB

Download
memory/3708-152-0x00007FF628300000-0x00007FF628654000-memory.dmp

Filesize
3.3MB

Download
memory/3848-33-0x00007FF758210000-0x00007FF758564000-memory.dmp

Filesize
3.3MB

Download
memory/3848-144-0x00007FF758210000-0x00007FF758564000-memory.dmp

Filesize
3.3MB

Download
memory/3848-129-0x00007FF758210000-0x00007FF758564000-memory.dmp

Filesize
3.3MB

Download
memory/3856-162-0x00007FF7F41E0000-0x00007FF7F4534000-memory.dmp

Filesize
3.3MB

Download
memory/3856-133-0x00007FF7F41E0000-0x00007FF7F4534000-memory.dmp

Filesize
3.3MB

Download
memory/3972-69-0x00007FF748B40000-0x00007FF748E94000-memory.dmp

Filesize
3.3MB

Download
memory/3972-147-0x00007FF748B40000-0x00007FF748E94000-memory.dmp

Filesize
3.3MB

Download
memory/4068-149-0x00007FF731D10000-0x00007FF732064000-memory.dmp

Filesize
3.3MB

Download
memory/4068-81-0x00007FF731D10000-0x00007FF732064000-memory.dmp

Filesize
3.3MB

Download
memory/4184-38-0x00007FF7B46F0000-0x00007FF7B4A44000-memory.dmp

Filesize
3.3MB

Download
memory/4184-145-0x00007FF7B46F0000-0x00007FF7B4A44000-memory.dmp

Filesize
3.3MB

Download
memory/4768-142-0x00007FF7F4730000-0x00007FF7F4A84000-memory.dmp

Filesize
3.3MB

Download
memory/4768-8-0x00007FF7F4730000-0x00007FF7F4A84000-memory.dmp

Filesize
3.3MB

Download
memory/5096-114-0x00007FF622910000-0x00007FF622C64000-memory.dmp

Filesize
3.3MB

Download
memory/5096-1-0x000001E8BA7A0000-0x000001E8BA7B0000-memory.dmp

Filesize
64KB

Download
memory/5096-0-0x00007FF622910000-0x00007FF622C64000-memory.dmp

Filesize
3.3MB

Download