cobaltstrike | a9e8f70212f7f0e9cd682977de9f1e8ad25c33998bcf79834cb5f8a2f6cd0706

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

4c4c8a66a204dbedf869a0e01ece4561
SHA1

93f8c9d51f7a0eadd83ab66c277832d6450b192e
SHA256

a9e8f70212f7f0e9cd682977de9f1e8ad25c33998bcf79834cb5f8a2f6cd0706
SHA512

540dc2e0ba2a63e06009677e2d83b08bb0dfc676dbff91ed72d222acc8493fa496ea599bd33173c3eb26cc32298e33727c9523978fbd5270f75f0a08e0c46b23
SSDEEP

98304:oemTLkNdfE0pZrx56utgpPFotBER/mQ32lUP:T+o56utgpPF8u/7P

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233a2-4.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023405-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023406-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023407-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023408-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023409-35.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023403-41.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340b-46.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340c-53.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340d-63.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340f-77.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340e-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023410-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023411-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023414-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-118.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4820-0-0x00007FF754BB0000-0x00007FF754F04000-memory.dmp	xmrig
behavioral2/files/0x00090000000233a2-4.dat	xmrig
behavioral2/memory/2612-8-0x00007FF6E6640000-0x00007FF6E6994000-memory.dmp	xmrig
behavioral2/files/0x0008000000023405-10.dat	xmrig
behavioral2/files/0x0007000000023406-17.dat	xmrig
behavioral2/files/0x0007000000023407-23.dat	xmrig
behavioral2/memory/4144-30-0x00007FF638CE0000-0x00007FF639034000-memory.dmp	xmrig
behavioral2/files/0x0007000000023408-31.dat	xmrig
behavioral2/memory/1724-26-0x00007FF615460000-0x00007FF6157B4000-memory.dmp	xmrig
behavioral2/memory/2968-18-0x00007FF684310000-0x00007FF684664000-memory.dmp	xmrig
behavioral2/memory/5032-13-0x00007FF7D1680000-0x00007FF7D19D4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023409-35.dat	xmrig
behavioral2/memory/744-36-0x00007FF68E440000-0x00007FF68E794000-memory.dmp	xmrig
behavioral2/files/0x0008000000023403-41.dat	xmrig
behavioral2/files/0x000700000002340b-46.dat	xmrig
behavioral2/memory/3588-50-0x00007FF7E2D40000-0x00007FF7E3094000-memory.dmp	xmrig
behavioral2/memory/4664-43-0x00007FF787300000-0x00007FF787654000-memory.dmp	xmrig
behavioral2/files/0x000700000002340c-53.dat	xmrig
behavioral2/memory/4820-54-0x00007FF754BB0000-0x00007FF754F04000-memory.dmp	xmrig
behavioral2/files/0x000700000002340d-63.dat	xmrig
behavioral2/memory/4244-67-0x00007FF679880000-0x00007FF679BD4000-memory.dmp	xmrig
behavioral2/memory/5032-69-0x00007FF7D1680000-0x00007FF7D19D4000-memory.dmp	xmrig
behavioral2/memory/2968-75-0x00007FF684310000-0x00007FF684664000-memory.dmp	xmrig
behavioral2/files/0x000700000002340f-77.dat	xmrig
behavioral2/memory/544-76-0x00007FF7350D0000-0x00007FF735424000-memory.dmp	xmrig
behavioral2/memory/1488-74-0x00007FF6FD190000-0x00007FF6FD4E4000-memory.dmp	xmrig
behavioral2/files/0x000700000002340e-70.dat	xmrig
behavioral2/memory/2612-61-0x00007FF6E6640000-0x00007FF6E6994000-memory.dmp	xmrig
behavioral2/memory/4536-59-0x00007FF795340000-0x00007FF795694000-memory.dmp	xmrig
behavioral2/memory/1724-79-0x00007FF615460000-0x00007FF6157B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023410-82.dat	xmrig
behavioral2/memory/4144-83-0x00007FF638CE0000-0x00007FF639034000-memory.dmp	xmrig
behavioral2/files/0x0007000000023411-89.dat	xmrig
behavioral2/memory/2072-99-0x00007FF77AF90000-0x00007FF77B2E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023414-98.dat	xmrig
behavioral2/memory/3956-95-0x00007FF6ACEF0000-0x00007FF6AD244000-memory.dmp	xmrig
behavioral2/memory/3920-94-0x00007FF7BB160000-0x00007FF7BB4B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023413-93.dat	xmrig
behavioral2/memory/4664-107-0x00007FF787300000-0x00007FF787654000-memory.dmp	xmrig
behavioral2/memory/4544-109-0x00007FF740720000-0x00007FF740A74000-memory.dmp	xmrig
behavioral2/files/0x0007000000023415-114.dat	xmrig
behavioral2/memory/1400-117-0x00007FF66EA40000-0x00007FF66ED94000-memory.dmp	xmrig
behavioral2/files/0x0007000000023418-126.dat	xmrig
behavioral2/memory/4564-130-0x00007FF6A8E30000-0x00007FF6A9184000-memory.dmp	xmrig
behavioral2/files/0x0007000000023419-135.dat	xmrig
behavioral2/files/0x0007000000023417-133.dat	xmrig
behavioral2/memory/4172-132-0x00007FF6A4880000-0x00007FF6A4BD4000-memory.dmp	xmrig
behavioral2/memory/1488-131-0x00007FF6FD190000-0x00007FF6FD4E4000-memory.dmp	xmrig
behavioral2/memory/2628-128-0x00007FF7E5340000-0x00007FF7E5694000-memory.dmp	xmrig
behavioral2/memory/4244-127-0x00007FF679880000-0x00007FF679BD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023416-118.dat	xmrig
behavioral2/memory/4536-116-0x00007FF795340000-0x00007FF795694000-memory.dmp	xmrig
behavioral2/memory/636-112-0x00007FF7C4070000-0x00007FF7C43C4000-memory.dmp	xmrig
behavioral2/memory/744-106-0x00007FF68E440000-0x00007FF68E794000-memory.dmp	xmrig
behavioral2/memory/544-139-0x00007FF7350D0000-0x00007FF735424000-memory.dmp	xmrig
behavioral2/memory/3920-140-0x00007FF7BB160000-0x00007FF7BB4B4000-memory.dmp	xmrig
behavioral2/memory/3956-141-0x00007FF6ACEF0000-0x00007FF6AD244000-memory.dmp	xmrig
behavioral2/memory/636-142-0x00007FF7C4070000-0x00007FF7C43C4000-memory.dmp	xmrig
behavioral2/memory/1400-143-0x00007FF66EA40000-0x00007FF66ED94000-memory.dmp	xmrig
behavioral2/memory/4564-144-0x00007FF6A8E30000-0x00007FF6A9184000-memory.dmp	xmrig
behavioral2/memory/2628-145-0x00007FF7E5340000-0x00007FF7E5694000-memory.dmp	xmrig
behavioral2/memory/4172-146-0x00007FF6A4880000-0x00007FF6A4BD4000-memory.dmp	xmrig
behavioral2/memory/2612-147-0x00007FF6E6640000-0x00007FF6E6994000-memory.dmp	xmrig
behavioral2/memory/5032-148-0x00007FF7D1680000-0x00007FF7D19D4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2612	HHDwMWj.exe
5032	NDeGIgL.exe
2968	xMTACOU.exe
1724	IsgLTgN.exe
4144	aWzUJHC.exe
744	oaBZhix.exe
4664	fYeKvUX.exe
3588	tuGUObU.exe
4536	khrLHXz.exe
4244	xPkrnUG.exe
1488	RcNuzDH.exe
544	xmRuDNr.exe
3920	DIcRkQS.exe
2072	pIhSVzZ.exe
3956	oZDPOUU.exe
4544	OMQUcpx.exe
636	TkleJLB.exe
1400	oAFdMus.exe
2628	JkFcFfO.exe
4564	FpbOxQj.exe
4172	RdXOSXF.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4820-0-0x00007FF754BB0000-0x00007FF754F04000-memory.dmp	upx
behavioral2/files/0x00090000000233a2-4.dat	upx
behavioral2/memory/2612-8-0x00007FF6E6640000-0x00007FF6E6994000-memory.dmp	upx
behavioral2/files/0x0008000000023405-10.dat	upx
behavioral2/files/0x0007000000023406-17.dat	upx
behavioral2/files/0x0007000000023407-23.dat	upx
behavioral2/memory/4144-30-0x00007FF638CE0000-0x00007FF639034000-memory.dmp	upx
behavioral2/files/0x0007000000023408-31.dat	upx
behavioral2/memory/1724-26-0x00007FF615460000-0x00007FF6157B4000-memory.dmp	upx
behavioral2/memory/2968-18-0x00007FF684310000-0x00007FF684664000-memory.dmp	upx
behavioral2/memory/5032-13-0x00007FF7D1680000-0x00007FF7D19D4000-memory.dmp	upx
behavioral2/files/0x0007000000023409-35.dat	upx
behavioral2/memory/744-36-0x00007FF68E440000-0x00007FF68E794000-memory.dmp	upx
behavioral2/files/0x0008000000023403-41.dat	upx
behavioral2/files/0x000700000002340b-46.dat	upx
behavioral2/memory/3588-50-0x00007FF7E2D40000-0x00007FF7E3094000-memory.dmp	upx
behavioral2/memory/4664-43-0x00007FF787300000-0x00007FF787654000-memory.dmp	upx
behavioral2/files/0x000700000002340c-53.dat	upx
behavioral2/memory/4820-54-0x00007FF754BB0000-0x00007FF754F04000-memory.dmp	upx
behavioral2/files/0x000700000002340d-63.dat	upx
behavioral2/memory/4244-67-0x00007FF679880000-0x00007FF679BD4000-memory.dmp	upx
behavioral2/memory/5032-69-0x00007FF7D1680000-0x00007FF7D19D4000-memory.dmp	upx
behavioral2/memory/2968-75-0x00007FF684310000-0x00007FF684664000-memory.dmp	upx
behavioral2/files/0x000700000002340f-77.dat	upx
behavioral2/memory/544-76-0x00007FF7350D0000-0x00007FF735424000-memory.dmp	upx
behavioral2/memory/1488-74-0x00007FF6FD190000-0x00007FF6FD4E4000-memory.dmp	upx
behavioral2/files/0x000700000002340e-70.dat	upx
behavioral2/memory/2612-61-0x00007FF6E6640000-0x00007FF6E6994000-memory.dmp	upx
behavioral2/memory/4536-59-0x00007FF795340000-0x00007FF795694000-memory.dmp	upx
behavioral2/memory/1724-79-0x00007FF615460000-0x00007FF6157B4000-memory.dmp	upx
behavioral2/files/0x0007000000023410-82.dat	upx
behavioral2/memory/4144-83-0x00007FF638CE0000-0x00007FF639034000-memory.dmp	upx
behavioral2/files/0x0007000000023411-89.dat	upx
behavioral2/memory/2072-99-0x00007FF77AF90000-0x00007FF77B2E4000-memory.dmp	upx
behavioral2/files/0x0007000000023414-98.dat	upx
behavioral2/memory/3956-95-0x00007FF6ACEF0000-0x00007FF6AD244000-memory.dmp	upx
behavioral2/memory/3920-94-0x00007FF7BB160000-0x00007FF7BB4B4000-memory.dmp	upx
behavioral2/files/0x0007000000023413-93.dat	upx
behavioral2/memory/4664-107-0x00007FF787300000-0x00007FF787654000-memory.dmp	upx
behavioral2/memory/4544-109-0x00007FF740720000-0x00007FF740A74000-memory.dmp	upx
behavioral2/files/0x0007000000023415-114.dat	upx
behavioral2/memory/1400-117-0x00007FF66EA40000-0x00007FF66ED94000-memory.dmp	upx
behavioral2/files/0x0007000000023418-126.dat	upx
behavioral2/memory/4564-130-0x00007FF6A8E30000-0x00007FF6A9184000-memory.dmp	upx
behavioral2/files/0x0007000000023419-135.dat	upx
behavioral2/files/0x0007000000023417-133.dat	upx
behavioral2/memory/4172-132-0x00007FF6A4880000-0x00007FF6A4BD4000-memory.dmp	upx
behavioral2/memory/1488-131-0x00007FF6FD190000-0x00007FF6FD4E4000-memory.dmp	upx
behavioral2/memory/2628-128-0x00007FF7E5340000-0x00007FF7E5694000-memory.dmp	upx
behavioral2/memory/4244-127-0x00007FF679880000-0x00007FF679BD4000-memory.dmp	upx
behavioral2/files/0x0007000000023416-118.dat	upx
behavioral2/memory/4536-116-0x00007FF795340000-0x00007FF795694000-memory.dmp	upx
behavioral2/memory/636-112-0x00007FF7C4070000-0x00007FF7C43C4000-memory.dmp	upx
behavioral2/memory/744-106-0x00007FF68E440000-0x00007FF68E794000-memory.dmp	upx
behavioral2/memory/544-139-0x00007FF7350D0000-0x00007FF735424000-memory.dmp	upx
behavioral2/memory/3920-140-0x00007FF7BB160000-0x00007FF7BB4B4000-memory.dmp	upx
behavioral2/memory/3956-141-0x00007FF6ACEF0000-0x00007FF6AD244000-memory.dmp	upx
behavioral2/memory/636-142-0x00007FF7C4070000-0x00007FF7C43C4000-memory.dmp	upx
behavioral2/memory/1400-143-0x00007FF66EA40000-0x00007FF66ED94000-memory.dmp	upx
behavioral2/memory/4564-144-0x00007FF6A8E30000-0x00007FF6A9184000-memory.dmp	upx
behavioral2/memory/2628-145-0x00007FF7E5340000-0x00007FF7E5694000-memory.dmp	upx
behavioral2/memory/4172-146-0x00007FF6A4880000-0x00007FF6A4BD4000-memory.dmp	upx
behavioral2/memory/2612-147-0x00007FF6E6640000-0x00007FF6E6994000-memory.dmp	upx
behavioral2/memory/5032-148-0x00007FF7D1680000-0x00007FF7D19D4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\HHDwMWj.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xMTACOU.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tuGUObU.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\khrLHXz.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RcNuzDH.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RdXOSXF.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IsgLTgN.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DIcRkQS.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oAFdMus.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FpbOxQj.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NDeGIgL.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xPkrnUG.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OMQUcpx.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TkleJLB.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JkFcFfO.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aWzUJHC.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oaBZhix.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fYeKvUX.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xmRuDNr.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pIhSVzZ.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oZDPOUU.exe	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 2612	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4820 wrote to memory of 2612	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4820 wrote to memory of 5032	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4820 wrote to memory of 5032	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4820 wrote to memory of 2968	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4820 wrote to memory of 2968	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4820 wrote to memory of 1724	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4820 wrote to memory of 1724	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4820 wrote to memory of 4144	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4820 wrote to memory of 4144	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4820 wrote to memory of 744	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4820 wrote to memory of 744	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4820 wrote to memory of 4664	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4820 wrote to memory of 4664	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4820 wrote to memory of 3588	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4820 wrote to memory of 3588	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4820 wrote to memory of 4536	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4820 wrote to memory of 4536	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4820 wrote to memory of 4244	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4820 wrote to memory of 4244	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4820 wrote to memory of 1488	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4820 wrote to memory of 1488	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4820 wrote to memory of 544	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4820 wrote to memory of 544	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4820 wrote to memory of 3920	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4820 wrote to memory of 3920	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4820 wrote to memory of 2072	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4820 wrote to memory of 2072	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4820 wrote to memory of 3956	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4820 wrote to memory of 3956	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4820 wrote to memory of 4544	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4820 wrote to memory of 4544	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4820 wrote to memory of 636	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4820 wrote to memory of 636	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4820 wrote to memory of 1400	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4820 wrote to memory of 1400	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4820 wrote to memory of 2628	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4820 wrote to memory of 2628	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4820 wrote to memory of 4564	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4820 wrote to memory of 4564	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4820 wrote to memory of 4172	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4820 wrote to memory of 4172	4820	2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_4c4c8a66a204dbedf869a0e01ece4561_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\System\HHDwMWj.exe
  C:\Windows\System\HHDwMWj.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\NDeGIgL.exe
  C:\Windows\System\NDeGIgL.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\xMTACOU.exe
  C:\Windows\System\xMTACOU.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\IsgLTgN.exe
  C:\Windows\System\IsgLTgN.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\aWzUJHC.exe
  C:\Windows\System\aWzUJHC.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System\oaBZhix.exe
  C:\Windows\System\oaBZhix.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\fYeKvUX.exe
  C:\Windows\System\fYeKvUX.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\tuGUObU.exe
  C:\Windows\System\tuGUObU.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System\khrLHXz.exe
  C:\Windows\System\khrLHXz.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\xPkrnUG.exe
  C:\Windows\System\xPkrnUG.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System\RcNuzDH.exe
  C:\Windows\System\RcNuzDH.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\xmRuDNr.exe
  C:\Windows\System\xmRuDNr.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System\DIcRkQS.exe
  C:\Windows\System\DIcRkQS.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System\pIhSVzZ.exe
  C:\Windows\System\pIhSVzZ.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\oZDPOUU.exe
  C:\Windows\System\oZDPOUU.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\OMQUcpx.exe
  C:\Windows\System\OMQUcpx.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\TkleJLB.exe
  C:\Windows\System\TkleJLB.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System\oAFdMus.exe
  C:\Windows\System\oAFdMus.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\JkFcFfO.exe
  C:\Windows\System\JkFcFfO.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\FpbOxQj.exe
  C:\Windows\System\FpbOxQj.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\RdXOSXF.exe
  C:\Windows\System\RdXOSXF.exe
  2⤵
  - Executes dropped EXE
  PID:4172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DIcRkQS.exe

Filesize
5.9MB

MD5
c14a296804604bdcac366441285fddde

SHA1
b4225ce0437c351102b6d49066d8a2f755aed9dc

SHA256
8a51fbe3dad2a6ecf74def776db63346ca7a4be8e4e099397071b73adaebe50d

SHA512
16b1bca1f1ca24860045af04ef46148a734993cdba2a388e24153eb08f43f91c0c06df2ae53d091860da85a20691a669db0a0ee95784ce8a946c3641099a7194

Download Submit
C:\Windows\System\FpbOxQj.exe

Filesize
5.9MB

MD5
fcd4f931c46c2431b2d0d56c22f7e302

SHA1
d9712350037968dcee579a20d84e81e7ab621484

SHA256
d0e97f9d1bf28ccdb630a1d8eaed2999da4c673bb70df24b1e2eecbf1436a992

SHA512
54e84ec9ac2602a7b216c8e4e58b7cadfa9bc618ac6a5f3cb13408fba71aad4ad9aaffd9ac0e89c9c6f1d3db50223333341048fefc403b0661068708601f2024

Download Submit
C:\Windows\System\HHDwMWj.exe

Filesize
5.9MB

MD5
fdf866cde015ece289c31b70a6f0864d

SHA1
324ebccaee66f133c70463bc151f4f8e1e7bdf68

SHA256
85500b98eaad73f50446c41296a53640dd76973866bcb50fa6228c203b9a5c13

SHA512
0ffb5036006b13b75c50e06562e3d7884ab94cf5b33a1a6a2155bde460ee6782e1306640038bdcc650a159b2ec0f6ed4667a5c56d29c49ec6c029bd301b7c4ae

Download Submit
C:\Windows\System\IsgLTgN.exe

Filesize
5.9MB

MD5
18e16af408165156ff9dbbd22e2b6625

SHA1
f6087d5a75034e84717c2b3b10955b6a07a9d041

SHA256
48b4e5cbeb35ce826410311965e8105588b60e80cfd8fb22718dac19208254e4

SHA512
780f1648fda766cf4b1ca6477a3bce7aff9e24a074b6d1a5ee67c723b5cff07f11ea5cd0132b0fb47490873b9a5b753d5e8570067db9634bb33469a87f81bbd9

Download Submit
C:\Windows\System\JkFcFfO.exe

Filesize
5.9MB

MD5
4305068127658e751703a10013062630

SHA1
a1368958bd92e3f20b2df69f8042414005caf544

SHA256
59d63e2b06a4bedd344bd53bdbde16072266920b000ab9fba665573a61f5b948

SHA512
fd856e2c51f1e2c6437091033b7701cff9b2f3235207e0af0d20ffc0b917d23cb63fff3973df2fd01086d8ce8d0da1f28360936cf4d7583835abd295a55c99d0

Download Submit
C:\Windows\System\NDeGIgL.exe

Filesize
5.9MB

MD5
fe8fecd147e48e4699ea79674315afe0

SHA1
2485b1a50ff113b7d7d1c7352eb2998d7db8f63d

SHA256
ca276c7dd783a612c9a7fe61ad2d3cf26a55f71ff360bd740b4c0787b1114c31

SHA512
2c2c5493372d999a4f065c04b857c9f7cf2278bd33393c500b23a4ab195a26419c3948b796b652e310d1b3007895dee8ae2142dd8b8fc371e4708ec028b2431f

Download Submit
C:\Windows\System\OMQUcpx.exe

Filesize
5.9MB

MD5
ebdf8043840df8f5962e8c105f13fabb

SHA1
e86fac6da88f847e43c9c6932e6107606950c213

SHA256
88799cd7b5613a208fdd29f196964bb41051fb51b19b17189d48dbaeb129bf2d

SHA512
a67db2259e6e5e8a305a6342d150e93afede92231db7cd0e97343d51c6f6de24ac489c69e83811a080c20103bf07371fbf8468a07187828de35642fbc6adeede

Download Submit
C:\Windows\System\RcNuzDH.exe

Filesize
5.9MB

MD5
fc51f641ce8dcf66db444f2ff1e7e267

SHA1
c0689db47aa3d87b61f35bdcf41a9e7b34a0331b

SHA256
cd3a9dd41aead359eb57ce57c74529ddd2fbe2fadebf274b79659e8d2dd807cc

SHA512
9994072f39170970b60678fce3a9e590d7a0679c03cf6dbd3f2e577a89ca02a26db8c14caaf3572055c48428535353dfc9c25058863cfe95a1a30ed1374d51e2

Download Submit
C:\Windows\System\RdXOSXF.exe

Filesize
5.9MB

MD5
16c9576ff6da0b8ff2e808e88b7b0e19

SHA1
f114566fdfe7728ff6f0e118840b8cacbcfaff80

SHA256
8c38dbdb0825755212eb9d8cd74515e7986bf646fcb29a682959a42b9c15986b

SHA512
bb0968b137f0bf2c37111024b37bcfdc97cdc11c588299453566c7632c672548ac764611538c4b8fdc6f15202f9a875036c73899cc4399fbf3cf23e32ecc318f

Download Submit
C:\Windows\System\TkleJLB.exe

Filesize
5.9MB

MD5
6caabb066b14d48d32f304765033e192

SHA1
742b779087080dab1bc9393510c91b9cf5c7e9c7

SHA256
75044d6fc3aa831b1462798a2f19cec76fcbda4f3e309703346655cd423246af

SHA512
581753e30d977e9117b7c5df157954b3ba047102c3e27661c1e00c0a6dcd4a5c87d59b0919619e0a02809b5d03de73dc20c88922fd2e3a1f5a82e8604db98ba5

Download Submit
C:\Windows\System\aWzUJHC.exe

Filesize
5.9MB

MD5
3f7cfe38c9971ab75728dc2561d7d99c

SHA1
e8c8676b7aadc439d768c9fd223fcd4d27fe982f

SHA256
3edfd01f9800e015b85201292ed4e3a957572ee96a33fa67326e12cc94a2c9a5

SHA512
eb0cb5738e7dd981c21d25362562cdb9bce37b698b017dc22ae51556a5623e8e1ba857e667dce308e315d92799f89fb38d6d0ddf4b06b7e009d6665607e2ddb4

Download Submit
C:\Windows\System\fYeKvUX.exe

Filesize
5.9MB

MD5
cd13cf20abac916e1e6df62188d1e0de

SHA1
6067c8847b559e1223582da7a56a2db7573a78c7

SHA256
a5c75457c37b67f48ef9bc2bbb18bcc8f3c7cf63bb87222b958b80499867071a

SHA512
68dc80a62c14849f5549a4a9f1a3405f9218e3114b91928d64246a63de41937c16f131a30fd8e5a03815d456361191de3e1d3da646362ceea8f1ec179f93cf8a

Download Submit
C:\Windows\System\khrLHXz.exe

Filesize
5.9MB

MD5
41ce85b49b0f390b33f19209a04f2653

SHA1
af7586d73943448e35b26a8dac8c9c6bb5a2742f

SHA256
3542c8f5ff73e2c9c9715c3c8f1943227f0bace8d7afe672ad4ab2a439ae85c5

SHA512
02364b8523787565f75ab91ce7690c772a9157d929314d445d4e78a1e2295c21da9644ccedc9f11cf468e82c2b738185f9b9d5caed1542976bd273b30780373a

Download Submit
C:\Windows\System\oAFdMus.exe

Filesize
5.9MB

MD5
21497ec1569581d40d6266c9c012bff0

SHA1
7fd8593601357f7e43ac0652fd7bf1b36387ac7e

SHA256
1d9adddc35782d248b0ccebad4296aaac8c93ea2b31511136490c7000e4ab699

SHA512
a2d67483bd8eda555c57fc5baeee00de8f854c5ad04e797dd7a629e0a28bad017227bcb01fcc4c2007844b8fbfeb40db2358831f3013612d9b8c1e05f83d0297

Download Submit
C:\Windows\System\oZDPOUU.exe

Filesize
5.9MB

MD5
b2976acba33840f10b38c24ea07091bb

SHA1
7e26a65d7aef758ca60d7ccab9727334165e539a

SHA256
9fb7773e87159eb03af17750ef877e2e3efbe3858b4b54e5ea20db5f3711e1bb

SHA512
9084a8c831acbbffd205daa069304091ad077c689a9bbdda02774d28d961faa15ce48657967e7bed380817fb5d552ef8cf1b2240d7e163886ab66577b9e02384

Download Submit
C:\Windows\System\oaBZhix.exe

Filesize
5.9MB

MD5
fe5cf3ee559d63fba57aa007a9eb4813

SHA1
971bdcaad58abd191038db297cfe813be592c6ee

SHA256
625b01a88cfc589511a0cd70a3464f266ded766d5a50a98e121224f6a5dd2a8f

SHA512
f9cffdaa388dd39d84c0e9ff58a5ddbfd81c7aee7922e3dda839bb418a8f95198d0ce2ffaae3b1499a86f1e5d6e309084b9eba98ace12e8b60e5178f434e6a24

Download Submit
C:\Windows\System\pIhSVzZ.exe

Filesize
5.9MB

MD5
a398b9fd07e0d273125bb4d692bcc209

SHA1
81b859c7dc51a9f118e4869862b5de14ce61cad0

SHA256
157cfa67d55641f712bacfdb677fe241f287e019d3dad2e9b74ff5607bb5a0b5

SHA512
aab5cd6797b35b525f171adadd2570d4f9b000f5819b53c53bbc9975f0fcf7adf68251d96b1708304ef66c8fec8fb886f26352bfaeaf027bbbe3aa4bfe0b908d

Download Submit
C:\Windows\System\tuGUObU.exe

Filesize
5.9MB

MD5
8302d1a1fafabf3e2a5ec6aca6c1f703

SHA1
bb5ad14590a96041c78fd39677e08489c575d4ed

SHA256
148f381c32f75164af166e66b6b2fc058904c321af38dceeadcdc0487f2a3aac

SHA512
f78d3043a823228bfd0e794af0d181437b69ad32fac7caccb4414155c1433b9882d409f1b254c8de6cdaf15c4b1ef6e0d1c843100ff1bbb9c87f348982325938

Download Submit
C:\Windows\System\xMTACOU.exe

Filesize
5.9MB

MD5
0bdaa01babf272fad2612e603347ec00

SHA1
3f6130048a1922168e14f15395c82947ca2b1b48

SHA256
085e2d1e47c1209024e714c8e1f630fb9647ae28230e934f4baf9d23b868f9a6

SHA512
7590e18dd2a085373e9672f247cf8561c007bb2a1711bc23f3c86cfcc062d1908d794df5a189617453b9f8f675cc87af40beaa1aae7761f2d2d2e85d0cd1dab9

Download Submit
C:\Windows\System\xPkrnUG.exe

Filesize
5.9MB

MD5
66a56d08269af46e35e53b90a7abae7a

SHA1
2a4cde5e774f8ec1c2281966c5ba9c4fcc02bc02

SHA256
46c1e91a75d0a7e2fedda3acd58876ce9f3da33e6375a4d07ac593a2fe037893

SHA512
97e03e80e07750fe311f7d0354f7479827a909b6af821dbce6c102bbe7ef91b5681bbe515436ac4853b1c1a5d54ce89fb998faeaafe3921b6b3dec1aeb5b7840

Download Submit
C:\Windows\System\xmRuDNr.exe

Filesize
5.9MB

MD5
63e8ae672cef60b159cd17aeba66446f

SHA1
d2cb952c84a84e69410f8b61ef7e2d6b2b82e7ac

SHA256
cc60562f4ea5fe1d0a757119d881e5c91a3bcdf9f034eea260af0403e3181ba0

SHA512
92225ed5d967df1eeadc8e60867cc4b6f74831ba0894dab901c0a9cd7aaf6fbedc13bfba409903450f0a8ff779c6c069a83fc17c9f69f289bbe518ebcd71dab5

Download Submit
memory/544-158-0x00007FF7350D0000-0x00007FF735424000-memory.dmp

Filesize
3.3MB

Download
memory/544-76-0x00007FF7350D0000-0x00007FF735424000-memory.dmp

Filesize
3.3MB

Download
memory/544-139-0x00007FF7350D0000-0x00007FF735424000-memory.dmp

Filesize
3.3MB

Download
memory/636-163-0x00007FF7C4070000-0x00007FF7C43C4000-memory.dmp

Filesize
3.3MB

Download
memory/636-112-0x00007FF7C4070000-0x00007FF7C43C4000-memory.dmp

Filesize
3.3MB

Download
memory/636-142-0x00007FF7C4070000-0x00007FF7C43C4000-memory.dmp

Filesize
3.3MB

Download
memory/744-152-0x00007FF68E440000-0x00007FF68E794000-memory.dmp

Filesize
3.3MB

Download
memory/744-106-0x00007FF68E440000-0x00007FF68E794000-memory.dmp

Filesize
3.3MB

Download
memory/744-36-0x00007FF68E440000-0x00007FF68E794000-memory.dmp

Filesize
3.3MB

Download
memory/1400-143-0x00007FF66EA40000-0x00007FF66ED94000-memory.dmp

Filesize
3.3MB

Download
memory/1400-164-0x00007FF66EA40000-0x00007FF66ED94000-memory.dmp

Filesize
3.3MB

Download
memory/1400-117-0x00007FF66EA40000-0x00007FF66ED94000-memory.dmp

Filesize
3.3MB

Download
memory/1488-131-0x00007FF6FD190000-0x00007FF6FD4E4000-memory.dmp

Filesize
3.3MB

Download
memory/1488-74-0x00007FF6FD190000-0x00007FF6FD4E4000-memory.dmp

Filesize
3.3MB

Download
memory/1488-157-0x00007FF6FD190000-0x00007FF6FD4E4000-memory.dmp

Filesize
3.3MB

Download
memory/1724-79-0x00007FF615460000-0x00007FF6157B4000-memory.dmp

Filesize
3.3MB

Download
memory/1724-150-0x00007FF615460000-0x00007FF6157B4000-memory.dmp

Filesize
3.3MB

Download
memory/1724-26-0x00007FF615460000-0x00007FF6157B4000-memory.dmp

Filesize
3.3MB

Download
memory/2072-160-0x00007FF77AF90000-0x00007FF77B2E4000-memory.dmp

Filesize
3.3MB

Download
memory/2072-99-0x00007FF77AF90000-0x00007FF77B2E4000-memory.dmp

Filesize
3.3MB

Download
memory/2612-61-0x00007FF6E6640000-0x00007FF6E6994000-memory.dmp

Filesize
3.3MB

Download
memory/2612-147-0x00007FF6E6640000-0x00007FF6E6994000-memory.dmp

Filesize
3.3MB

Download
memory/2612-8-0x00007FF6E6640000-0x00007FF6E6994000-memory.dmp

Filesize
3.3MB

Download
memory/2628-167-0x00007FF7E5340000-0x00007FF7E5694000-memory.dmp

Filesize
3.3MB

Download
memory/2628-145-0x00007FF7E5340000-0x00007FF7E5694000-memory.dmp

Filesize
3.3MB

Download
memory/2628-128-0x00007FF7E5340000-0x00007FF7E5694000-memory.dmp

Filesize
3.3MB

Download
memory/2968-18-0x00007FF684310000-0x00007FF684664000-memory.dmp

Filesize
3.3MB

Download
memory/2968-75-0x00007FF684310000-0x00007FF684664000-memory.dmp

Filesize
3.3MB

Download
memory/2968-149-0x00007FF684310000-0x00007FF684664000-memory.dmp

Filesize
3.3MB

Download
memory/3588-50-0x00007FF7E2D40000-0x00007FF7E3094000-memory.dmp

Filesize
3.3MB

Download
memory/3588-154-0x00007FF7E2D40000-0x00007FF7E3094000-memory.dmp

Filesize
3.3MB

Download
memory/3920-94-0x00007FF7BB160000-0x00007FF7BB4B4000-memory.dmp

Filesize
3.3MB

Download
memory/3920-140-0x00007FF7BB160000-0x00007FF7BB4B4000-memory.dmp

Filesize
3.3MB

Download
memory/3920-159-0x00007FF7BB160000-0x00007FF7BB4B4000-memory.dmp

Filesize
3.3MB

Download
memory/3956-95-0x00007FF6ACEF0000-0x00007FF6AD244000-memory.dmp

Filesize
3.3MB

Download
memory/3956-141-0x00007FF6ACEF0000-0x00007FF6AD244000-memory.dmp

Filesize
3.3MB

Download
memory/3956-161-0x00007FF6ACEF0000-0x00007FF6AD244000-memory.dmp

Filesize
3.3MB

Download
memory/4144-83-0x00007FF638CE0000-0x00007FF639034000-memory.dmp

Filesize
3.3MB

Download
memory/4144-151-0x00007FF638CE0000-0x00007FF639034000-memory.dmp

Filesize
3.3MB

Download
memory/4144-30-0x00007FF638CE0000-0x00007FF639034000-memory.dmp

Filesize
3.3MB

Download
memory/4172-146-0x00007FF6A4880000-0x00007FF6A4BD4000-memory.dmp

Filesize
3.3MB

Download
memory/4172-132-0x00007FF6A4880000-0x00007FF6A4BD4000-memory.dmp

Filesize
3.3MB

Download
memory/4172-165-0x00007FF6A4880000-0x00007FF6A4BD4000-memory.dmp

Filesize
3.3MB

Download
memory/4244-156-0x00007FF679880000-0x00007FF679BD4000-memory.dmp

Filesize
3.3MB

Download
memory/4244-67-0x00007FF679880000-0x00007FF679BD4000-memory.dmp

Filesize
3.3MB

Download
memory/4244-127-0x00007FF679880000-0x00007FF679BD4000-memory.dmp

Filesize
3.3MB

Download
memory/4536-155-0x00007FF795340000-0x00007FF795694000-memory.dmp

Filesize
3.3MB

Download
memory/4536-116-0x00007FF795340000-0x00007FF795694000-memory.dmp

Filesize
3.3MB

Download
memory/4536-59-0x00007FF795340000-0x00007FF795694000-memory.dmp

Filesize
3.3MB

Download
memory/4544-109-0x00007FF740720000-0x00007FF740A74000-memory.dmp

Filesize
3.3MB

Download
memory/4544-162-0x00007FF740720000-0x00007FF740A74000-memory.dmp

Filesize
3.3MB

Download
memory/4564-144-0x00007FF6A8E30000-0x00007FF6A9184000-memory.dmp

Filesize
3.3MB

Download
memory/4564-130-0x00007FF6A8E30000-0x00007FF6A9184000-memory.dmp

Filesize
3.3MB

Download
memory/4564-166-0x00007FF6A8E30000-0x00007FF6A9184000-memory.dmp

Filesize
3.3MB

Download
memory/4664-107-0x00007FF787300000-0x00007FF787654000-memory.dmp

Filesize
3.3MB

Download
memory/4664-43-0x00007FF787300000-0x00007FF787654000-memory.dmp

Filesize
3.3MB

Download
memory/4664-153-0x00007FF787300000-0x00007FF787654000-memory.dmp

Filesize
3.3MB

Download
memory/4820-54-0x00007FF754BB0000-0x00007FF754F04000-memory.dmp

Filesize
3.3MB

Download
memory/4820-0-0x00007FF754BB0000-0x00007FF754F04000-memory.dmp

Filesize
3.3MB

Download
memory/4820-1-0x0000017F2D5E0000-0x0000017F2D5F0000-memory.dmp

Filesize
64KB

Download
memory/5032-69-0x00007FF7D1680000-0x00007FF7D19D4000-memory.dmp

Filesize
3.3MB

Download
memory/5032-13-0x00007FF7D1680000-0x00007FF7D19D4000-memory.dmp

Filesize
3.3MB

Download
memory/5032-148-0x00007FF7D1680000-0x00007FF7D19D4000-memory.dmp

Filesize
3.3MB

Download