cobaltstrike | 2598501a9a87ecd72466d468c066e6d62572d206ea0669994bd0b92521ba0af6

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 11:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

66ff7b24106ab708197531cbfb9098a1
SHA1

97d82d014a76ecca925e8486a9f8090c7ba27227
SHA256

2598501a9a87ecd72466d468c066e6d62572d206ea0669994bd0b92521ba0af6
SHA512

793cf0eda7b0a2db3e7bbe7d3bead48b4a868ad062f5c3a3107c4fcc676d073fb2dcf63f6d3b8a70d0b08930ba5bf12c29c1ab22f326cba0a07d9d3f69f35e74
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUl:T+856utgpPF8u/7l

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b0000000234b6-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c1-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-17.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c3-27.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c4-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c6-40.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c7-43.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c9-54.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ca-62.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cc-70.dat	cobalt_reflective_dll
behavioral2/files/0x00090000000234be-74.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-77.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cf-95.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-89.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cb-65.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c8-50.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c5-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-113.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-122.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-121.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4476-0-0x00007FF7D8080000-0x00007FF7D83D4000-memory.dmp	xmrig
behavioral2/files/0x000b0000000234b6-4.dat	xmrig
behavioral2/files/0x00070000000234c1-11.dat	xmrig
behavioral2/files/0x00070000000234c2-17.dat	xmrig
behavioral2/files/0x00070000000234c3-27.dat	xmrig
behavioral2/files/0x00070000000234c4-29.dat	xmrig
behavioral2/files/0x00070000000234c6-40.dat	xmrig
behavioral2/files/0x00070000000234c7-43.dat	xmrig
behavioral2/files/0x00070000000234c9-54.dat	xmrig
behavioral2/files/0x00070000000234ca-62.dat	xmrig
behavioral2/files/0x00070000000234cc-70.dat	xmrig
behavioral2/files/0x00090000000234be-74.dat	xmrig
behavioral2/files/0x00070000000234cd-77.dat	xmrig
behavioral2/memory/64-92-0x00007FF643AB0000-0x00007FF643E04000-memory.dmp	xmrig
behavioral2/memory/2292-99-0x00007FF725470000-0x00007FF7257C4000-memory.dmp	xmrig
behavioral2/memory/1608-102-0x00007FF6268E0000-0x00007FF626C34000-memory.dmp	xmrig
behavioral2/memory/4716-106-0x00007FF600920000-0x00007FF600C74000-memory.dmp	xmrig
behavioral2/memory/4836-109-0x00007FF7C4680000-0x00007FF7C49D4000-memory.dmp	xmrig
behavioral2/memory/2224-108-0x00007FF6E4A90000-0x00007FF6E4DE4000-memory.dmp	xmrig
behavioral2/memory/3152-107-0x00007FF6AFC30000-0x00007FF6AFF84000-memory.dmp	xmrig
behavioral2/memory/5088-105-0x00007FF6CDA00000-0x00007FF6CDD54000-memory.dmp	xmrig
behavioral2/memory/564-104-0x00007FF6814C0000-0x00007FF681814000-memory.dmp	xmrig
behavioral2/memory/3920-103-0x00007FF6A4C30000-0x00007FF6A4F84000-memory.dmp	xmrig
behavioral2/memory/2140-101-0x00007FF64B5A0000-0x00007FF64B8F4000-memory.dmp	xmrig
behavioral2/memory/2064-100-0x00007FF6E0BF0000-0x00007FF6E0F44000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d0-97.dat	xmrig
behavioral2/files/0x00070000000234cf-95.dat	xmrig
behavioral2/memory/3516-94-0x00007FF620AF0000-0x00007FF620E44000-memory.dmp	xmrig
behavioral2/memory/916-93-0x00007FF6596C0000-0x00007FF659A14000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ce-89.dat	xmrig
behavioral2/files/0x00070000000234cb-65.dat	xmrig
behavioral2/files/0x00070000000234c8-50.dat	xmrig
behavioral2/files/0x00070000000234c5-35.dat	xmrig
behavioral2/memory/2732-31-0x00007FF78D4C0000-0x00007FF78D814000-memory.dmp	xmrig
behavioral2/memory/2696-24-0x00007FF6A7F30000-0x00007FF6A8284000-memory.dmp	xmrig
behavioral2/memory/624-12-0x00007FF6EE4F0000-0x00007FF6EE844000-memory.dmp	xmrig
behavioral2/memory/4508-8-0x00007FF76D400000-0x00007FF76D754000-memory.dmp	xmrig
behavioral2/files/0x00070000000234d1-113.dat	xmrig
behavioral2/files/0x00070000000234d3-122.dat	xmrig
behavioral2/files/0x00070000000234d4-121.dat	xmrig
behavioral2/memory/928-126-0x00007FF688FF0000-0x00007FF689344000-memory.dmp	xmrig
behavioral2/memory/8-127-0x00007FF7E3B80000-0x00007FF7E3ED4000-memory.dmp	xmrig
behavioral2/memory/3132-120-0x00007FF735790000-0x00007FF735AE4000-memory.dmp	xmrig
behavioral2/memory/4476-128-0x00007FF7D8080000-0x00007FF7D83D4000-memory.dmp	xmrig
behavioral2/memory/4508-129-0x00007FF76D400000-0x00007FF76D754000-memory.dmp	xmrig
behavioral2/memory/2696-130-0x00007FF6A7F30000-0x00007FF6A8284000-memory.dmp	xmrig
behavioral2/memory/624-131-0x00007FF6EE4F0000-0x00007FF6EE844000-memory.dmp	xmrig
behavioral2/memory/2732-132-0x00007FF78D4C0000-0x00007FF78D814000-memory.dmp	xmrig
behavioral2/memory/3132-133-0x00007FF735790000-0x00007FF735AE4000-memory.dmp	xmrig
behavioral2/memory/4508-134-0x00007FF76D400000-0x00007FF76D754000-memory.dmp	xmrig
behavioral2/memory/624-135-0x00007FF6EE4F0000-0x00007FF6EE844000-memory.dmp	xmrig
behavioral2/memory/2696-136-0x00007FF6A7F30000-0x00007FF6A8284000-memory.dmp	xmrig
behavioral2/memory/64-137-0x00007FF643AB0000-0x00007FF643E04000-memory.dmp	xmrig
behavioral2/memory/2732-138-0x00007FF78D4C0000-0x00007FF78D814000-memory.dmp	xmrig
behavioral2/memory/2224-139-0x00007FF6E4A90000-0x00007FF6E4DE4000-memory.dmp	xmrig
behavioral2/memory/916-141-0x00007FF6596C0000-0x00007FF659A14000-memory.dmp	xmrig
behavioral2/memory/2064-142-0x00007FF6E0BF0000-0x00007FF6E0F44000-memory.dmp	xmrig
behavioral2/memory/3516-140-0x00007FF620AF0000-0x00007FF620E44000-memory.dmp	xmrig
behavioral2/memory/2292-143-0x00007FF725470000-0x00007FF7257C4000-memory.dmp	xmrig
behavioral2/memory/4836-144-0x00007FF7C4680000-0x00007FF7C49D4000-memory.dmp	xmrig
behavioral2/memory/1608-146-0x00007FF6268E0000-0x00007FF626C34000-memory.dmp	xmrig
behavioral2/memory/5088-150-0x00007FF6CDA00000-0x00007FF6CDD54000-memory.dmp	xmrig
behavioral2/memory/2140-149-0x00007FF64B5A0000-0x00007FF64B8F4000-memory.dmp	xmrig
behavioral2/memory/4716-148-0x00007FF600920000-0x00007FF600C74000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4508	RbCqFaW.exe
624	dQDAoZU.exe
2696	SLrtOWJ.exe
64	RLsvRxr.exe
2732	NwObOTC.exe
2224	kmsykbo.exe
916	geuCUVr.exe
3516	oxZTgRO.exe
2292	EQuKVMH.exe
2064	llYrYAL.exe
2140	akkxpCj.exe
4836	fKoldBv.exe
1608	sCEuZwQ.exe
3920	jITVBrG.exe
564	zGlrKbE.exe
5088	FaVxyKG.exe
4716	ETjoKQG.exe
3152	rkXMDIv.exe
3132	CJGIAxb.exe
928	IanqmnQ.exe
8	NFUrCGx.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4476-0-0x00007FF7D8080000-0x00007FF7D83D4000-memory.dmp	upx
behavioral2/files/0x000b0000000234b6-4.dat	upx
behavioral2/files/0x00070000000234c1-11.dat	upx
behavioral2/files/0x00070000000234c2-17.dat	upx
behavioral2/files/0x00070000000234c3-27.dat	upx
behavioral2/files/0x00070000000234c4-29.dat	upx
behavioral2/files/0x00070000000234c6-40.dat	upx
behavioral2/files/0x00070000000234c7-43.dat	upx
behavioral2/files/0x00070000000234c9-54.dat	upx
behavioral2/files/0x00070000000234ca-62.dat	upx
behavioral2/files/0x00070000000234cc-70.dat	upx
behavioral2/files/0x00090000000234be-74.dat	upx
behavioral2/files/0x00070000000234cd-77.dat	upx
behavioral2/memory/64-92-0x00007FF643AB0000-0x00007FF643E04000-memory.dmp	upx
behavioral2/memory/2292-99-0x00007FF725470000-0x00007FF7257C4000-memory.dmp	upx
behavioral2/memory/1608-102-0x00007FF6268E0000-0x00007FF626C34000-memory.dmp	upx
behavioral2/memory/4716-106-0x00007FF600920000-0x00007FF600C74000-memory.dmp	upx
behavioral2/memory/4836-109-0x00007FF7C4680000-0x00007FF7C49D4000-memory.dmp	upx
behavioral2/memory/2224-108-0x00007FF6E4A90000-0x00007FF6E4DE4000-memory.dmp	upx
behavioral2/memory/3152-107-0x00007FF6AFC30000-0x00007FF6AFF84000-memory.dmp	upx
behavioral2/memory/5088-105-0x00007FF6CDA00000-0x00007FF6CDD54000-memory.dmp	upx
behavioral2/memory/564-104-0x00007FF6814C0000-0x00007FF681814000-memory.dmp	upx
behavioral2/memory/3920-103-0x00007FF6A4C30000-0x00007FF6A4F84000-memory.dmp	upx
behavioral2/memory/2140-101-0x00007FF64B5A0000-0x00007FF64B8F4000-memory.dmp	upx
behavioral2/memory/2064-100-0x00007FF6E0BF0000-0x00007FF6E0F44000-memory.dmp	upx
behavioral2/files/0x00070000000234d0-97.dat	upx
behavioral2/files/0x00070000000234cf-95.dat	upx
behavioral2/memory/3516-94-0x00007FF620AF0000-0x00007FF620E44000-memory.dmp	upx
behavioral2/memory/916-93-0x00007FF6596C0000-0x00007FF659A14000-memory.dmp	upx
behavioral2/files/0x00070000000234ce-89.dat	upx
behavioral2/files/0x00070000000234cb-65.dat	upx
behavioral2/files/0x00070000000234c8-50.dat	upx
behavioral2/files/0x00070000000234c5-35.dat	upx
behavioral2/memory/2732-31-0x00007FF78D4C0000-0x00007FF78D814000-memory.dmp	upx
behavioral2/memory/2696-24-0x00007FF6A7F30000-0x00007FF6A8284000-memory.dmp	upx
behavioral2/memory/624-12-0x00007FF6EE4F0000-0x00007FF6EE844000-memory.dmp	upx
behavioral2/memory/4508-8-0x00007FF76D400000-0x00007FF76D754000-memory.dmp	upx
behavioral2/files/0x00070000000234d1-113.dat	upx
behavioral2/files/0x00070000000234d3-122.dat	upx
behavioral2/files/0x00070000000234d4-121.dat	upx
behavioral2/memory/928-126-0x00007FF688FF0000-0x00007FF689344000-memory.dmp	upx
behavioral2/memory/8-127-0x00007FF7E3B80000-0x00007FF7E3ED4000-memory.dmp	upx
behavioral2/memory/3132-120-0x00007FF735790000-0x00007FF735AE4000-memory.dmp	upx
behavioral2/memory/4476-128-0x00007FF7D8080000-0x00007FF7D83D4000-memory.dmp	upx
behavioral2/memory/4508-129-0x00007FF76D400000-0x00007FF76D754000-memory.dmp	upx
behavioral2/memory/2696-130-0x00007FF6A7F30000-0x00007FF6A8284000-memory.dmp	upx
behavioral2/memory/624-131-0x00007FF6EE4F0000-0x00007FF6EE844000-memory.dmp	upx
behavioral2/memory/2732-132-0x00007FF78D4C0000-0x00007FF78D814000-memory.dmp	upx
behavioral2/memory/3132-133-0x00007FF735790000-0x00007FF735AE4000-memory.dmp	upx
behavioral2/memory/4508-134-0x00007FF76D400000-0x00007FF76D754000-memory.dmp	upx
behavioral2/memory/624-135-0x00007FF6EE4F0000-0x00007FF6EE844000-memory.dmp	upx
behavioral2/memory/2696-136-0x00007FF6A7F30000-0x00007FF6A8284000-memory.dmp	upx
behavioral2/memory/64-137-0x00007FF643AB0000-0x00007FF643E04000-memory.dmp	upx
behavioral2/memory/2732-138-0x00007FF78D4C0000-0x00007FF78D814000-memory.dmp	upx
behavioral2/memory/2224-139-0x00007FF6E4A90000-0x00007FF6E4DE4000-memory.dmp	upx
behavioral2/memory/916-141-0x00007FF6596C0000-0x00007FF659A14000-memory.dmp	upx
behavioral2/memory/2064-142-0x00007FF6E0BF0000-0x00007FF6E0F44000-memory.dmp	upx
behavioral2/memory/3516-140-0x00007FF620AF0000-0x00007FF620E44000-memory.dmp	upx
behavioral2/memory/2292-143-0x00007FF725470000-0x00007FF7257C4000-memory.dmp	upx
behavioral2/memory/4836-144-0x00007FF7C4680000-0x00007FF7C49D4000-memory.dmp	upx
behavioral2/memory/1608-146-0x00007FF6268E0000-0x00007FF626C34000-memory.dmp	upx
behavioral2/memory/5088-150-0x00007FF6CDA00000-0x00007FF6CDD54000-memory.dmp	upx
behavioral2/memory/2140-149-0x00007FF64B5A0000-0x00007FF64B8F4000-memory.dmp	upx
behavioral2/memory/4716-148-0x00007FF600920000-0x00007FF600C74000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\dQDAoZU.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NwObOTC.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kmsykbo.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\geuCUVr.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EQuKVMH.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rkXMDIv.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RbCqFaW.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\akkxpCj.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SLrtOWJ.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\llYrYAL.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jITVBrG.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zGlrKbE.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ETjoKQG.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CJGIAxb.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NFUrCGx.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oxZTgRO.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fKoldBv.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sCEuZwQ.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FaVxyKG.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IanqmnQ.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RLsvRxr.exe	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 4508	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4476 wrote to memory of 4508	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4476 wrote to memory of 624	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4476 wrote to memory of 624	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4476 wrote to memory of 2696	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4476 wrote to memory of 2696	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4476 wrote to memory of 64	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4476 wrote to memory of 64	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4476 wrote to memory of 2732	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4476 wrote to memory of 2732	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4476 wrote to memory of 2224	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4476 wrote to memory of 2224	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4476 wrote to memory of 916	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4476 wrote to memory of 916	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4476 wrote to memory of 3516	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4476 wrote to memory of 3516	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4476 wrote to memory of 2292	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4476 wrote to memory of 2292	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4476 wrote to memory of 2064	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4476 wrote to memory of 2064	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4476 wrote to memory of 2140	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4476 wrote to memory of 2140	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4476 wrote to memory of 4836	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4476 wrote to memory of 4836	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4476 wrote to memory of 1608	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4476 wrote to memory of 1608	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4476 wrote to memory of 3920	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4476 wrote to memory of 3920	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4476 wrote to memory of 564	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4476 wrote to memory of 564	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4476 wrote to memory of 5088	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4476 wrote to memory of 5088	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4476 wrote to memory of 4716	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4476 wrote to memory of 4716	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4476 wrote to memory of 3152	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4476 wrote to memory of 3152	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4476 wrote to memory of 3132	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4476 wrote to memory of 3132	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4476 wrote to memory of 928	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4476 wrote to memory of 928	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4476 wrote to memory of 8	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4476 wrote to memory of 8	4476	2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_66ff7b24106ab708197531cbfb9098a1_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\System\RbCqFaW.exe
  C:\Windows\System\RbCqFaW.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System\dQDAoZU.exe
  C:\Windows\System\dQDAoZU.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\SLrtOWJ.exe
  C:\Windows\System\SLrtOWJ.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\RLsvRxr.exe
  C:\Windows\System\RLsvRxr.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System\NwObOTC.exe
  C:\Windows\System\NwObOTC.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\kmsykbo.exe
  C:\Windows\System\kmsykbo.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\geuCUVr.exe
  C:\Windows\System\geuCUVr.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System\oxZTgRO.exe
  C:\Windows\System\oxZTgRO.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\EQuKVMH.exe
  C:\Windows\System\EQuKVMH.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\llYrYAL.exe
  C:\Windows\System\llYrYAL.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\akkxpCj.exe
  C:\Windows\System\akkxpCj.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\fKoldBv.exe
  C:\Windows\System\fKoldBv.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\sCEuZwQ.exe
  C:\Windows\System\sCEuZwQ.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\jITVBrG.exe
  C:\Windows\System\jITVBrG.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System\zGlrKbE.exe
  C:\Windows\System\zGlrKbE.exe
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\System\FaVxyKG.exe
  C:\Windows\System\FaVxyKG.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\ETjoKQG.exe
  C:\Windows\System\ETjoKQG.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\rkXMDIv.exe
  C:\Windows\System\rkXMDIv.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\CJGIAxb.exe
  C:\Windows\System\CJGIAxb.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\IanqmnQ.exe
  C:\Windows\System\IanqmnQ.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System\NFUrCGx.exe
  C:\Windows\System\NFUrCGx.exe
  2⤵
  - Executes dropped EXE
  PID:8

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CJGIAxb.exe

Filesize
5.9MB

MD5
e154c3af65f8383ea0c19a588e569ad3

SHA1
38ac0aba1d52a98a064eb44bdee1b305f9c1b43a

SHA256
b0db2cc9c6d01f942e79f2a6cd65b964d01ddcd0222f070b6149a25c4167310b

SHA512
a38a0bec95f8fc333fe373f68b86ae23630ee137cded4d67b87806b9a17898108a91118560aee99733e63521d8c207cd17fab0ba58916e5a375bb66e815ddcbc

Download Submit
C:\Windows\System\EQuKVMH.exe

Filesize
5.9MB

MD5
445dde28ef1d432d06bb75c5f3d9c457

SHA1
262cc626e7769c9018c766e6dce9dc27e37d32a7

SHA256
2a23ab69593a25b5131042f2d7768b421cf9cfb5c4b343bddc3fb1182b1d96e2

SHA512
edae63309df4297cce82a0b379cd63d49b82843bb720f8912561f48e77e6dd32e55722b43d1aef78cde71b59e13db4e8afe07b4fd8540d92f735a44d1028c0d4

Download Submit
C:\Windows\System\ETjoKQG.exe

Filesize
5.9MB

MD5
4b2f3f8ef21096984c75e6e81f254766

SHA1
fcec520a1c5b3775fa28367405c5184dacbe3055

SHA256
0cb474ab787513bfa81769ba3d237aef3a73f1d032b885e0e395a064cc6bd355

SHA512
b0b94a83498b30ba037a103a3a6f0e04d1cf7f59f15106451a5a54b02331f1276ca3656976cdcc86de49afb3fd50edae3b23035271016d88718652d5e63fc162

Download Submit
C:\Windows\System\FaVxyKG.exe

Filesize
5.9MB

MD5
8af46ca5c1b3cc2696b804b39b0e210a

SHA1
692b2c2f4621ca2768b3f2819ab8f4766cce6554

SHA256
093b25487a6bd4874ea0a0e81d41579bc99ffcc1d2d11648d8848625cfd10362

SHA512
1b4ee98e182f777835f0e3c309eed5922815e7634a698c2f0c3a96b903ea6cbd8a4977c3031f6b8f48faa4e8df990f5005e7ac882210fd5911a2671c14595241

Download Submit
C:\Windows\System\IanqmnQ.exe

Filesize
5.9MB

MD5
b88cf5d18534f001b8ed607d21468c71

SHA1
64d6cccd19a0a87037bfff269075c20fa3d34906

SHA256
0ce816af5e3b9abb7a4129603b5910e7cfef2a78a1c64f529a975f331acb7ca4

SHA512
e17e815cc439b7512245e6c031e19ad3f1b67fd5b0637607db8a2518ac5c502956a59e8f8724348bbdad1a5433582f3b788ca926983730d53c200ee5af355684

Download Submit
C:\Windows\System\NFUrCGx.exe

Filesize
5.9MB

MD5
914e76a333702099a427850da321e2fd

SHA1
5916c6b382a3c8b35f14c970b1c247e36ba2804a

SHA256
95bf75c3a15532baf6cdfa35286aabff074ba0a7a91c599ffdf81cc5379cf92c

SHA512
1a5bfe40de5e2a465b91f5be1e0dd797bec6cb791a20f0ddbd19decaf7ed5ae7a78990a1116d9dd3e8167286b2fb926f72a64817c8a3c0328adc59559253da0f

Download Submit
C:\Windows\System\NwObOTC.exe

Filesize
5.9MB

MD5
1f37de408134f060f128286957efce6d

SHA1
c64dbcbf3febf730f657472c85b08d3856a23aee

SHA256
4e1daa171df5a40ebea0390057a9076db3058bb61300a224a91b2e2a0c13632f

SHA512
a91b11db96ad6fd3aa3bd8c122e7ad94b5268fe6ead84b1140da66597575a076f9026e3f81936a8d10404f77e39e99d126ba600dabec9eda528d91020742727f

Download Submit
C:\Windows\System\RLsvRxr.exe

Filesize
5.9MB

MD5
ac3d8de5a2ae1416b3e66be3767f8047

SHA1
70d85987ba848b8d4ed527f394a5dd7bb5c5c99a

SHA256
598108051f4029529188e04993c1d2f61de28666c801d4e92de7390851f2f825

SHA512
c8e174b6d93a755a30ff9900fc7d2a4b3fca81e0daf6ee389c6c5a86d1bd0868e393f9143aefa4ec09a5bc0ed3365ed1e1021b6577681f9b22f0855ed4b5bfbc

Download Submit
C:\Windows\System\RbCqFaW.exe

Filesize
5.9MB

MD5
c5f2b65cdb5e1eaa53c60cd26d2dada0

SHA1
5d3ba5848b1241fc35c85c607dde1ed60e954f60

SHA256
959e34ec61b89978c65a16d23e0af489df455b51ee5bee3a4cdb7238c5ae9a10

SHA512
37c91a8acf7c88b19aab0d0fc80c6c226f56a91e96e9142f903758a8de287f47e7a1ed276741aae0b67c075c3428f94c507f8c95829483c7355146d68b8ed33c

Download Submit
C:\Windows\System\SLrtOWJ.exe

Filesize
5.9MB

MD5
281d3f82fd792b2af65372e6074f7b99

SHA1
6af06f3937da84e0eda2090c335ee02a4a68617a

SHA256
25d32c725c7df4b73c3534c6928f74327c8bc48c75d6b5eabe5752cd0eb82510

SHA512
c0b51e9cf35a83814f2c5cb4ee7cfda43cc629f6f84836fbea1b0e5ef2ddc1ab9e8d829313a26b99c933807bfcf126b2fb81cca37ad48f579c10309f5eac2067

Download Submit
C:\Windows\System\akkxpCj.exe

Filesize
5.9MB

MD5
f0cf1482ac85e0efa8e4ba5f7f4939b2

SHA1
b59ebea9f5d511b0046e527ecf3dfee2f4894d60

SHA256
ecf34083fa7dad5054291858e1ff3c34dd32bc44ea1e87bfaf2945b83412229c

SHA512
2d33f2baf11caefea20cb6c9b80d22dfd327f8495d85c32da091f62e5b5d637b4412b3c259bb6a44a045f214cdfab9d11bc628135a540d7bedc9e27a633712e0

Download Submit
C:\Windows\System\dQDAoZU.exe

Filesize
5.9MB

MD5
996869557037c8e4214194f17f76a60c

SHA1
0881acf0e947dd98f14db3f356252e9e9891649f

SHA256
6815e9cfe6b2dceb825c1b15044a7058d230080239da03d3abb9826f22b75d0c

SHA512
2340c02cd1953dd5e84835c3ef4fb056ed8425f4e4137547474565f0a0bc3ee48a0cbec1d5aea36f130cb1826473589e5b353ecc8e84c9db564b2e6fe433fd9b

Download Submit
C:\Windows\System\fKoldBv.exe

Filesize
5.9MB

MD5
827c68ae4327971b8ca22f4b85e83427

SHA1
4ce0a1266a8328433173419050aba86653d883a1

SHA256
d00ae70a3b2b43e42b62856b08bdb19278e5cca8c5bbe5bb049b511c3529c32f

SHA512
3d572d835e2319094ee0fac6989064e4f40a684feec774a7520d7f03762c1e707c6710b6229b683752c2fca6fe0ab0f3122e2887b6bc3ac5ca6679faf51000d2

Download Submit
C:\Windows\System\geuCUVr.exe

Filesize
5.9MB

MD5
89796d9faa8303b256f09d70acf991be

SHA1
fa6045533e11b1a8a60961b3835352e27e786b6e

SHA256
8a2693e6d9ae3e0e0b06777cf8165b445279c07e01ed81983376a774197a825c

SHA512
c04b42737340f15969eb855ef2917c4356f63d818adeea31a32d31d5c46fe3bf9bd09dd8e077ff08bd281de3f0a3e7810713a9fa77ec3a741c229f4c63c35b89

Download Submit
C:\Windows\System\jITVBrG.exe

Filesize
5.9MB

MD5
51d67231735d134f5d8679c2095f9f7b

SHA1
a35d1d15b1f7ab96eb6f14a3fb9cd7738e784598

SHA256
8eaecb6aef3c466eea74eca5f77470bc7f0fe695e4e87ea9f5fbff75a0054016

SHA512
9b0a27e3d5a9ef1aa7480a607b3cc187600d44de3ffdf54d89b496c87c272bdb292bc3fbd5631580e4227fecc992312ef280b5f232843b3f8e31195a2d516ce6

Download Submit
C:\Windows\System\kmsykbo.exe

Filesize
5.9MB

MD5
ac59d313d86861a57398b35e76dab02e

SHA1
a7ba45af9ba0d3f820d57bf1d700a3c19b0948ef

SHA256
2ec92f555d169698c1726ef06409269b2670e8f3b02e95485be0494ec953e4d3

SHA512
ae34522114ccac12ee04c20cb0864932418b5747ce214c8375476e944402b6813380e617e36c4eaced4b464a54b6b1a0ee21e0efed2cf7ac66f8d35f71bc4b40

Download Submit
C:\Windows\System\llYrYAL.exe

Filesize
5.9MB

MD5
a0c631df5532919df548da20226de3af

SHA1
cc7177aba7b6445c46e50668538f7e41895620fd

SHA256
9487c03ca1df381f65c1e8fef107cf8360f1b2c33552c43961c5e9e00325491e

SHA512
a8b665e30f90a905e1c37a8cf57c6c0c63918115d0fde9858101ee63e7f9487dadd6a9be13a894542cd69e28e6c5af45478f6ffb137e80d6a3635e892ee9c915

Download Submit
C:\Windows\System\oxZTgRO.exe

Filesize
5.9MB

MD5
06103e205e1865c2a9b013cc85d15afd

SHA1
505ca172589b33b90266682dd0004d6f91687f51

SHA256
8010301c698f46a9e3d6782b1017ae97ca5f6c2c4d50e5b010507ed93beaf0f6

SHA512
6ec25ae89739a6327179358c44851f0ffc5a20df388d19888bcf2aec81f86dfcfd76fa01bd63362e4f9cc62a5edd78c767e04bdccda9a580d31cf37056c1071c

Download Submit
C:\Windows\System\rkXMDIv.exe

Filesize
5.9MB

MD5
42a35e23bfb9f2e0f0280fa3cc14bb10

SHA1
64de472dbbf4cc501224cbd88f690ce51af0fdf7

SHA256
c9a60ba582b611262760fdd79a2c4ef8c54b49c0afa2dff39927c73034a5db85

SHA512
f83041dce1effc584b05f659221eb0331d7716eada4203e511f09f65a402abd1ee93c953b98be8cc9c49c062e8cfec57296a14996ce2d63b059bffb174f0e56d

Download Submit
C:\Windows\System\sCEuZwQ.exe

Filesize
5.9MB

MD5
b8139b17d83d08702687c86200e861b9

SHA1
0845cc7774623b7807f0bf7b1582b0e93f2f744d

SHA256
ef2111a375fffe7302d11ce6807b1b146b9bf38b50e83733d4f6765814ac3c0e

SHA512
d338a89f1bfcaa1e8c99ce73efbc4385d37aa6df9fed1ec936d2f7928f2ca074eff4b26fb6f2efbef228972c3e432679a2b6291e847bc22a4393e8c4d7eebec7

Download Submit
C:\Windows\System\zGlrKbE.exe

Filesize
5.9MB

MD5
236386450de66fe9a9bb1a3a9ba2953b

SHA1
2d1fe817cdbc3ef106b07ad07404c4946a6ff363

SHA256
0ef1a187c6fe70c02831b6f974b501a654a20ae3b170704dd81d00b26d4932c4

SHA512
8d7ddfa97e8fdfa113f27241aab3612edb9d0a780b3e35e5c7689640d9386e6fbe309cdc4bced92afb43cf65aba28d39459fa8012172b90c4ba92dcef2f7d91d

Download Submit
memory/8-127-0x00007FF7E3B80000-0x00007FF7E3ED4000-memory.dmp

Filesize
3.3MB

Download
memory/8-154-0x00007FF7E3B80000-0x00007FF7E3ED4000-memory.dmp

Filesize
3.3MB

Download
memory/64-137-0x00007FF643AB0000-0x00007FF643E04000-memory.dmp

Filesize
3.3MB

Download
memory/64-92-0x00007FF643AB0000-0x00007FF643E04000-memory.dmp

Filesize
3.3MB

Download
memory/564-104-0x00007FF6814C0000-0x00007FF681814000-memory.dmp

Filesize
3.3MB

Download
memory/564-151-0x00007FF6814C0000-0x00007FF681814000-memory.dmp

Filesize
3.3MB

Download
memory/624-131-0x00007FF6EE4F0000-0x00007FF6EE844000-memory.dmp

Filesize
3.3MB

Download
memory/624-135-0x00007FF6EE4F0000-0x00007FF6EE844000-memory.dmp

Filesize
3.3MB

Download
memory/624-12-0x00007FF6EE4F0000-0x00007FF6EE844000-memory.dmp

Filesize
3.3MB

Download
memory/916-93-0x00007FF6596C0000-0x00007FF659A14000-memory.dmp

Filesize
3.3MB

Download
memory/916-141-0x00007FF6596C0000-0x00007FF659A14000-memory.dmp

Filesize
3.3MB

Download
memory/928-126-0x00007FF688FF0000-0x00007FF689344000-memory.dmp

Filesize
3.3MB

Download
memory/928-153-0x00007FF688FF0000-0x00007FF689344000-memory.dmp

Filesize
3.3MB

Download
memory/1608-102-0x00007FF6268E0000-0x00007FF626C34000-memory.dmp

Filesize
3.3MB

Download
memory/1608-146-0x00007FF6268E0000-0x00007FF626C34000-memory.dmp

Filesize
3.3MB

Download
memory/2064-142-0x00007FF6E0BF0000-0x00007FF6E0F44000-memory.dmp

Filesize
3.3MB

Download
memory/2064-100-0x00007FF6E0BF0000-0x00007FF6E0F44000-memory.dmp

Filesize
3.3MB

Download
memory/2140-149-0x00007FF64B5A0000-0x00007FF64B8F4000-memory.dmp

Filesize
3.3MB

Download
memory/2140-101-0x00007FF64B5A0000-0x00007FF64B8F4000-memory.dmp

Filesize
3.3MB

Download
memory/2224-108-0x00007FF6E4A90000-0x00007FF6E4DE4000-memory.dmp

Filesize
3.3MB

Download
memory/2224-139-0x00007FF6E4A90000-0x00007FF6E4DE4000-memory.dmp

Filesize
3.3MB

Download
memory/2292-99-0x00007FF725470000-0x00007FF7257C4000-memory.dmp

Filesize
3.3MB

Download
memory/2292-143-0x00007FF725470000-0x00007FF7257C4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-136-0x00007FF6A7F30000-0x00007FF6A8284000-memory.dmp

Filesize
3.3MB

Download
memory/2696-130-0x00007FF6A7F30000-0x00007FF6A8284000-memory.dmp

Filesize
3.3MB

Download
memory/2696-24-0x00007FF6A7F30000-0x00007FF6A8284000-memory.dmp

Filesize
3.3MB

Download
memory/2732-138-0x00007FF78D4C0000-0x00007FF78D814000-memory.dmp

Filesize
3.3MB

Download
memory/2732-132-0x00007FF78D4C0000-0x00007FF78D814000-memory.dmp

Filesize
3.3MB

Download
memory/2732-31-0x00007FF78D4C0000-0x00007FF78D814000-memory.dmp

Filesize
3.3MB

Download
memory/3132-152-0x00007FF735790000-0x00007FF735AE4000-memory.dmp

Filesize
3.3MB

Download
memory/3132-133-0x00007FF735790000-0x00007FF735AE4000-memory.dmp

Filesize
3.3MB

Download
memory/3132-120-0x00007FF735790000-0x00007FF735AE4000-memory.dmp

Filesize
3.3MB

Download
memory/3152-107-0x00007FF6AFC30000-0x00007FF6AFF84000-memory.dmp

Filesize
3.3MB

Download
memory/3152-147-0x00007FF6AFC30000-0x00007FF6AFF84000-memory.dmp

Filesize
3.3MB

Download
memory/3516-94-0x00007FF620AF0000-0x00007FF620E44000-memory.dmp

Filesize
3.3MB

Download
memory/3516-140-0x00007FF620AF0000-0x00007FF620E44000-memory.dmp

Filesize
3.3MB

Download
memory/3920-145-0x00007FF6A4C30000-0x00007FF6A4F84000-memory.dmp

Filesize
3.3MB

Download
memory/3920-103-0x00007FF6A4C30000-0x00007FF6A4F84000-memory.dmp

Filesize
3.3MB

Download
memory/4476-1-0x000002087CD10000-0x000002087CD20000-memory.dmp

Filesize
64KB

Download
memory/4476-128-0x00007FF7D8080000-0x00007FF7D83D4000-memory.dmp

Filesize
3.3MB

Download
memory/4476-0-0x00007FF7D8080000-0x00007FF7D83D4000-memory.dmp

Filesize
3.3MB

Download
memory/4508-134-0x00007FF76D400000-0x00007FF76D754000-memory.dmp

Filesize
3.3MB

Download
memory/4508-129-0x00007FF76D400000-0x00007FF76D754000-memory.dmp

Filesize
3.3MB

Download
memory/4508-8-0x00007FF76D400000-0x00007FF76D754000-memory.dmp

Filesize
3.3MB

Download
memory/4716-106-0x00007FF600920000-0x00007FF600C74000-memory.dmp

Filesize
3.3MB

Download
memory/4716-148-0x00007FF600920000-0x00007FF600C74000-memory.dmp

Filesize
3.3MB

Download
memory/4836-109-0x00007FF7C4680000-0x00007FF7C49D4000-memory.dmp

Filesize
3.3MB

Download
memory/4836-144-0x00007FF7C4680000-0x00007FF7C49D4000-memory.dmp

Filesize
3.3MB

Download
memory/5088-150-0x00007FF6CDA00000-0x00007FF6CDD54000-memory.dmp

Filesize
3.3MB

Download
memory/5088-105-0x00007FF6CDA00000-0x00007FF6CDD54000-memory.dmp

Filesize
3.3MB

Download