cobaltstrike | 9b68da3e301dbefcd1766d96a446bd30b752737f477c07dfeee524dfb0219812

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

7d1c6c7f51525b57ab6dbf2ec2f9607d
SHA1

908db1a86d5cfc8deceeb56189f615bd54ced83b
SHA256

9b68da3e301dbefcd1766d96a446bd30b752737f477c07dfeee524dfb0219812
SHA512

144ef0734c33013fc8ed104299776c31d09df8ad472e0d48f391c0a607e7d2e25c17cf0210105d6662635a1be0fa592454ad84934bacb483fd93e3d88372db7e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lu:RWWBibf56utgpPFotBER/mQ32lUq

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000234ca-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-22.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-28.dat	cobalt_reflective_dll
behavioral2/files/0x00090000000234cb-34.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-43.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d7-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-52.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234da-64.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-66.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234db-76.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dc-80.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-92.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e0-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e3-131.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e4-137.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e2-128.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e1-119.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234df-105.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234de-100.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1120-16-0x00007FF7E7E40000-0x00007FF7E8191000-memory.dmp	xmrig
behavioral2/memory/4268-88-0x00007FF7246F0000-0x00007FF724A41000-memory.dmp	xmrig
behavioral2/memory/4944-96-0x00007FF6CCB50000-0x00007FF6CCEA1000-memory.dmp	xmrig
behavioral2/memory/2808-135-0x00007FF6103E0000-0x00007FF610731000-memory.dmp	xmrig
behavioral2/memory/920-127-0x00007FF7FD4F0000-0x00007FF7FD841000-memory.dmp	xmrig
behavioral2/memory/3552-124-0x00007FF7D9C40000-0x00007FF7D9F91000-memory.dmp	xmrig
behavioral2/memory/1276-118-0x00007FF7A5850000-0x00007FF7A5BA1000-memory.dmp	xmrig
behavioral2/memory/836-111-0x00007FF66EE10000-0x00007FF66F161000-memory.dmp	xmrig
behavioral2/memory/1424-99-0x00007FF62B6A0000-0x00007FF62B9F1000-memory.dmp	xmrig
behavioral2/memory/4864-81-0x00007FF7C1560000-0x00007FF7C18B1000-memory.dmp	xmrig
behavioral2/memory/1120-74-0x00007FF7E7E40000-0x00007FF7E8191000-memory.dmp	xmrig
behavioral2/memory/716-65-0x00007FF7B14F0000-0x00007FF7B1841000-memory.dmp	xmrig
behavioral2/memory/916-60-0x00007FF7DB810000-0x00007FF7DBB61000-memory.dmp	xmrig
behavioral2/memory/916-140-0x00007FF7DB810000-0x00007FF7DBB61000-memory.dmp	xmrig
behavioral2/memory/512-146-0x00007FF78A980000-0x00007FF78ACD1000-memory.dmp	xmrig
behavioral2/memory/2928-149-0x00007FF67A410000-0x00007FF67A761000-memory.dmp	xmrig
behavioral2/memory/1380-151-0x00007FF7052B0000-0x00007FF705601000-memory.dmp	xmrig
behavioral2/memory/2932-152-0x00007FF7DB930000-0x00007FF7DBC81000-memory.dmp	xmrig
behavioral2/memory/1916-160-0x00007FF7CB950000-0x00007FF7CBCA1000-memory.dmp	xmrig
behavioral2/memory/2404-162-0x00007FF6DE9D0000-0x00007FF6DED21000-memory.dmp	xmrig
behavioral2/memory/884-163-0x00007FF6FB160000-0x00007FF6FB4B1000-memory.dmp	xmrig
behavioral2/memory/3832-164-0x00007FF6C3F40000-0x00007FF6C4291000-memory.dmp	xmrig
behavioral2/memory/5096-161-0x00007FF6772D0000-0x00007FF677621000-memory.dmp	xmrig
behavioral2/memory/860-165-0x00007FF75D3A0000-0x00007FF75D6F1000-memory.dmp	xmrig
behavioral2/memory/916-166-0x00007FF7DB810000-0x00007FF7DBB61000-memory.dmp	xmrig
behavioral2/memory/716-217-0x00007FF7B14F0000-0x00007FF7B1841000-memory.dmp	xmrig
behavioral2/memory/1120-219-0x00007FF7E7E40000-0x00007FF7E8191000-memory.dmp	xmrig
behavioral2/memory/4864-221-0x00007FF7C1560000-0x00007FF7C18B1000-memory.dmp	xmrig
behavioral2/memory/4268-223-0x00007FF7246F0000-0x00007FF724A41000-memory.dmp	xmrig
behavioral2/memory/4944-228-0x00007FF6CCB50000-0x00007FF6CCEA1000-memory.dmp	xmrig
behavioral2/memory/1424-230-0x00007FF62B6A0000-0x00007FF62B9F1000-memory.dmp	xmrig
behavioral2/memory/836-232-0x00007FF66EE10000-0x00007FF66F161000-memory.dmp	xmrig
behavioral2/memory/1276-244-0x00007FF7A5850000-0x00007FF7A5BA1000-memory.dmp	xmrig
behavioral2/memory/3552-247-0x00007FF7D9C40000-0x00007FF7D9F91000-memory.dmp	xmrig
behavioral2/memory/920-251-0x00007FF7FD4F0000-0x00007FF7FD841000-memory.dmp	xmrig
behavioral2/memory/2808-250-0x00007FF6103E0000-0x00007FF610731000-memory.dmp	xmrig
behavioral2/memory/512-253-0x00007FF78A980000-0x00007FF78ACD1000-memory.dmp	xmrig
behavioral2/memory/2928-255-0x00007FF67A410000-0x00007FF67A761000-memory.dmp	xmrig
behavioral2/memory/2932-257-0x00007FF7DB930000-0x00007FF7DBC81000-memory.dmp	xmrig
behavioral2/memory/1380-259-0x00007FF7052B0000-0x00007FF705601000-memory.dmp	xmrig
behavioral2/memory/5096-263-0x00007FF6772D0000-0x00007FF677621000-memory.dmp	xmrig
behavioral2/memory/2404-265-0x00007FF6DE9D0000-0x00007FF6DED21000-memory.dmp	xmrig
behavioral2/memory/884-267-0x00007FF6FB160000-0x00007FF6FB4B1000-memory.dmp	xmrig
behavioral2/memory/860-269-0x00007FF75D3A0000-0x00007FF75D6F1000-memory.dmp	xmrig
behavioral2/memory/3832-271-0x00007FF6C3F40000-0x00007FF6C4291000-memory.dmp	xmrig
behavioral2/memory/1916-274-0x00007FF7CB950000-0x00007FF7CBCA1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
716	IOBGMRb.exe
1120	FVrvuBM.exe
4864	FHZLRhh.exe
4268	OuMRyBc.exe
4944	hDvMHrz.exe
1424	GeOKchh.exe
836	eUwUGxi.exe
1276	Gnpzghb.exe
3552	dOvtBjI.exe
920	jwqdmhK.exe
2808	qpOhVaB.exe
512	jhGBRzy.exe
2928	mpJkySy.exe
1380	FEbWgza.exe
2932	XMunPZo.exe
1916	oKrWfbb.exe
5096	VEUiNyv.exe
2404	dsOQElL.exe
884	UvDWZcY.exe
3832	KRYCjPR.exe
860	AmllHbm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/916-0-0x00007FF7DB810000-0x00007FF7DBB61000-memory.dmp	upx
behavioral2/files/0x00090000000234ca-4.dat	upx
behavioral2/memory/716-8-0x00007FF7B14F0000-0x00007FF7B1841000-memory.dmp	upx
behavioral2/files/0x00070000000234d2-10.dat	upx
behavioral2/files/0x00070000000234d3-11.dat	upx
behavioral2/files/0x00070000000234d4-22.dat	upx
behavioral2/memory/4268-23-0x00007FF7246F0000-0x00007FF724A41000-memory.dmp	upx
behavioral2/memory/4864-18-0x00007FF7C1560000-0x00007FF7C18B1000-memory.dmp	upx
behavioral2/memory/1120-16-0x00007FF7E7E40000-0x00007FF7E8191000-memory.dmp	upx
behavioral2/files/0x00070000000234d5-28.dat	upx
behavioral2/memory/4944-32-0x00007FF6CCB50000-0x00007FF6CCEA1000-memory.dmp	upx
behavioral2/files/0x00090000000234cb-34.dat	upx
behavioral2/memory/1424-38-0x00007FF62B6A0000-0x00007FF62B9F1000-memory.dmp	upx
behavioral2/files/0x00070000000234d6-43.dat	upx
behavioral2/memory/836-42-0x00007FF66EE10000-0x00007FF66F161000-memory.dmp	upx
behavioral2/files/0x00070000000234d7-47.dat	upx
behavioral2/memory/1276-48-0x00007FF7A5850000-0x00007FF7A5BA1000-memory.dmp	upx
behavioral2/files/0x00070000000234d8-52.dat	upx
behavioral2/memory/3552-56-0x00007FF7D9C40000-0x00007FF7D9F91000-memory.dmp	upx
behavioral2/files/0x00070000000234da-64.dat	upx
behavioral2/files/0x00070000000234d9-66.dat	upx
behavioral2/files/0x00070000000234db-76.dat	upx
behavioral2/files/0x00070000000234dc-80.dat	upx
behavioral2/memory/4268-88-0x00007FF7246F0000-0x00007FF724A41000-memory.dmp	upx
behavioral2/files/0x00070000000234dd-92.dat	upx
behavioral2/memory/4944-96-0x00007FF6CCB50000-0x00007FF6CCEA1000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-107.dat	upx
behavioral2/memory/884-125-0x00007FF6FB160000-0x00007FF6FB4B1000-memory.dmp	upx
behavioral2/files/0x00070000000234e3-131.dat	upx
behavioral2/files/0x00070000000234e4-137.dat	upx
behavioral2/memory/860-136-0x00007FF75D3A0000-0x00007FF75D6F1000-memory.dmp	upx
behavioral2/memory/2808-135-0x00007FF6103E0000-0x00007FF610731000-memory.dmp	upx
behavioral2/memory/3832-130-0x00007FF6C3F40000-0x00007FF6C4291000-memory.dmp	upx
behavioral2/files/0x00070000000234e2-128.dat	upx
behavioral2/memory/920-127-0x00007FF7FD4F0000-0x00007FF7FD841000-memory.dmp	upx
behavioral2/memory/3552-124-0x00007FF7D9C40000-0x00007FF7D9F91000-memory.dmp	upx
behavioral2/files/0x00070000000234e1-119.dat	upx
behavioral2/memory/1276-118-0x00007FF7A5850000-0x00007FF7A5BA1000-memory.dmp	upx
behavioral2/memory/2404-117-0x00007FF6DE9D0000-0x00007FF6DED21000-memory.dmp	upx
behavioral2/memory/5096-112-0x00007FF6772D0000-0x00007FF677621000-memory.dmp	upx
behavioral2/memory/836-111-0x00007FF66EE10000-0x00007FF66F161000-memory.dmp	upx
behavioral2/files/0x00070000000234df-105.dat	upx
behavioral2/memory/1916-104-0x00007FF7CB950000-0x00007FF7CBCA1000-memory.dmp	upx
behavioral2/files/0x00070000000234de-100.dat	upx
behavioral2/memory/1424-99-0x00007FF62B6A0000-0x00007FF62B9F1000-memory.dmp	upx
behavioral2/memory/2932-98-0x00007FF7DB930000-0x00007FF7DBC81000-memory.dmp	upx
behavioral2/memory/1380-91-0x00007FF7052B0000-0x00007FF705601000-memory.dmp	upx
behavioral2/memory/2928-82-0x00007FF67A410000-0x00007FF67A761000-memory.dmp	upx
behavioral2/memory/4864-81-0x00007FF7C1560000-0x00007FF7C18B1000-memory.dmp	upx
behavioral2/memory/512-75-0x00007FF78A980000-0x00007FF78ACD1000-memory.dmp	upx
behavioral2/memory/1120-74-0x00007FF7E7E40000-0x00007FF7E8191000-memory.dmp	upx
behavioral2/memory/2808-72-0x00007FF6103E0000-0x00007FF610731000-memory.dmp	upx
behavioral2/memory/716-65-0x00007FF7B14F0000-0x00007FF7B1841000-memory.dmp	upx
behavioral2/memory/920-61-0x00007FF7FD4F0000-0x00007FF7FD841000-memory.dmp	upx
behavioral2/memory/916-60-0x00007FF7DB810000-0x00007FF7DBB61000-memory.dmp	upx
behavioral2/memory/916-140-0x00007FF7DB810000-0x00007FF7DBB61000-memory.dmp	upx
behavioral2/memory/512-146-0x00007FF78A980000-0x00007FF78ACD1000-memory.dmp	upx
behavioral2/memory/2928-149-0x00007FF67A410000-0x00007FF67A761000-memory.dmp	upx
behavioral2/memory/1380-151-0x00007FF7052B0000-0x00007FF705601000-memory.dmp	upx
behavioral2/memory/2932-152-0x00007FF7DB930000-0x00007FF7DBC81000-memory.dmp	upx
behavioral2/memory/1916-160-0x00007FF7CB950000-0x00007FF7CBCA1000-memory.dmp	upx
behavioral2/memory/2404-162-0x00007FF6DE9D0000-0x00007FF6DED21000-memory.dmp	upx
behavioral2/memory/884-163-0x00007FF6FB160000-0x00007FF6FB4B1000-memory.dmp	upx
behavioral2/memory/3832-164-0x00007FF6C3F40000-0x00007FF6C4291000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\FEbWgza.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oKrWfbb.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dsOQElL.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KRYCjPR.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OuMRyBc.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GeOKchh.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eUwUGxi.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dOvtBjI.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mpJkySy.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UvDWZcY.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Gnpzghb.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jhGBRzy.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XMunPZo.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VEUiNyv.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AmllHbm.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IOBGMRb.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FVrvuBM.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FHZLRhh.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hDvMHrz.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jwqdmhK.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qpOhVaB.exe	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 716	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	82
PID 916 wrote to memory of 716	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	82
PID 916 wrote to memory of 1120	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 916 wrote to memory of 1120	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 916 wrote to memory of 4864	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 916 wrote to memory of 4864	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 916 wrote to memory of 4268	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 916 wrote to memory of 4268	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 916 wrote to memory of 4944	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 916 wrote to memory of 4944	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 916 wrote to memory of 1424	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 916 wrote to memory of 1424	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 916 wrote to memory of 836	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 916 wrote to memory of 836	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 916 wrote to memory of 1276	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 916 wrote to memory of 1276	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 916 wrote to memory of 3552	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 916 wrote to memory of 3552	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 916 wrote to memory of 920	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 916 wrote to memory of 920	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 916 wrote to memory of 2808	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 916 wrote to memory of 2808	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 916 wrote to memory of 512	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 916 wrote to memory of 512	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 916 wrote to memory of 2928	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 916 wrote to memory of 2928	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 916 wrote to memory of 1380	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 916 wrote to memory of 1380	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 916 wrote to memory of 2932	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 916 wrote to memory of 2932	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 916 wrote to memory of 1916	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 916 wrote to memory of 1916	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 916 wrote to memory of 5096	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 916 wrote to memory of 5096	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 916 wrote to memory of 2404	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 916 wrote to memory of 2404	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 916 wrote to memory of 884	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 916 wrote to memory of 884	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 916 wrote to memory of 3832	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 916 wrote to memory of 3832	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 916 wrote to memory of 860	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 916 wrote to memory of 860	916	2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe	102

C:\Users\Admin\AppData\Local\Temp\2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_7d1c6c7f51525b57ab6dbf2ec2f9607d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\System\IOBGMRb.exe
  C:\Windows\System\IOBGMRb.exe
  2⤵
  - Executes dropped EXE
  PID:716
- C:\Windows\System\FVrvuBM.exe
  C:\Windows\System\FVrvuBM.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System\FHZLRhh.exe
  C:\Windows\System\FHZLRhh.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\OuMRyBc.exe
  C:\Windows\System\OuMRyBc.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\hDvMHrz.exe
  C:\Windows\System\hDvMHrz.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\GeOKchh.exe
  C:\Windows\System\GeOKchh.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System\eUwUGxi.exe
  C:\Windows\System\eUwUGxi.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\Gnpzghb.exe
  C:\Windows\System\Gnpzghb.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System\dOvtBjI.exe
  C:\Windows\System\dOvtBjI.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System\jwqdmhK.exe
  C:\Windows\System\jwqdmhK.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System\qpOhVaB.exe
  C:\Windows\System\qpOhVaB.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\jhGBRzy.exe
  C:\Windows\System\jhGBRzy.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System\mpJkySy.exe
  C:\Windows\System\mpJkySy.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\FEbWgza.exe
  C:\Windows\System\FEbWgza.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\XMunPZo.exe
  C:\Windows\System\XMunPZo.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\oKrWfbb.exe
  C:\Windows\System\oKrWfbb.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System\VEUiNyv.exe
  C:\Windows\System\VEUiNyv.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System\dsOQElL.exe
  C:\Windows\System\dsOQElL.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\UvDWZcY.exe
  C:\Windows\System\UvDWZcY.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System\KRYCjPR.exe
  C:\Windows\System\KRYCjPR.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\AmllHbm.exe
  C:\Windows\System\AmllHbm.exe
  2⤵
  - Executes dropped EXE
  PID:860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AmllHbm.exe

Filesize
5.2MB

MD5
cf4f0a4069c2ac50a648d6765e0ed571

SHA1
ec81d65e5bc22ca919a721a849e721cab0854f7d

SHA256
c6b58928655d3ed17adff7399b43629e3d5a43788788c26f6f7d3ec96848fd57

SHA512
d36e0a9bdfbb29f8fc91efbdbc86f63fbab91cfa4de27fe4506275791b008fcb75e0cda15e88dac51d77fc6b8d777c6b2f05663d8fb207689c96a2a1ffcf621e

Download Submit
C:\Windows\System\FEbWgza.exe

Filesize
5.2MB

MD5
d132a772461f4c2afa26adb68df5b73d

SHA1
6890f56d3ddbd1ef89913eab69ae3da2107fa622

SHA256
a683b97ab19e8f24aa63c38f6297dbfd51dafd40665edff1802e0ef3f71e54be

SHA512
1ad01cf9fc6286dc16d3f9eb8369b015f59adfb99fe49645870075e36e69e05df7d8063146d907039e4d594c0ac568651ab9e792ab462c085191ce279ad43b0c

Download Submit
C:\Windows\System\FHZLRhh.exe

Filesize
5.2MB

MD5
4e5450990d8f5758d88e11544aa672e0

SHA1
2f15f42c4aa706f6c9150d0c6e574d26fb12355f

SHA256
bcccac7aa8b5673e50cb0df534832dd851bf17b82c8012f8db94b6e94798b9c0

SHA512
d7e6b12545be546cf1e8750d3c0ffe7b2caa38765436eecc5478d7c4d366f5901aabd59b238b2ad943acc9c015aa23ee83da06a3d509d2ba3f4e4a764cfcf9a6

Download Submit
C:\Windows\System\FVrvuBM.exe

Filesize
5.2MB

MD5
cd65ebed7f23eb8451533a4d6fa323be

SHA1
99416a7b537506a4f17d4202d9e881934d5ee50e

SHA256
9668c08d7fb87e955a2f94ae13edb40d962c3d39e8196b828a28224ab7ee0ee5

SHA512
5e36c7897810512e33934d722ee5162c3f1943c8e0cdb5a086b98959e684cb6811696cac7b7c40624c74bf2effd7c676c9c1bba726de24d06b74efae90c7925c

Download Submit
C:\Windows\System\GeOKchh.exe

Filesize
5.2MB

MD5
7f77d367a7f37b2348f1a834110977d1

SHA1
0095e527b09b62f072793453a5a8ae52b4dec957

SHA256
a827833409fb273bdd23c61c2f9b121e4f7dc0509e749d023c8d70561df32829

SHA512
d9f950dc10978358e373947330d49cfe7ac3d2038e6200ebec2f728a2b63662999ac32ee8b445c48c92cecbd7ce5d157c0363a60ce9a68e935084eac6b4c12ba

Download Submit
C:\Windows\System\Gnpzghb.exe

Filesize
5.2MB

MD5
c5eb5012a8156880c16d520d67d16c90

SHA1
6781cd0bf12fda0c94cd4b19b2e384f7deb17aa2

SHA256
482123d42bda0226e3b193b471e127128dcc950fc0421f0ea895f79481559edb

SHA512
8cfb6fd61194d490c753c0af6d0b0f409ca8df1a7343f69fe8cb604926be6ea64f340f4b76865add585582ef3bcabdaf0b524e7774ffa4e3f492b097a459f09d

Download Submit
C:\Windows\System\IOBGMRb.exe

Filesize
5.2MB

MD5
23bebd0cf351337c233325099a7d4a7a

SHA1
00b5b6928cf6acd40265855b6dda9cecbf1d1aad

SHA256
780b59e6873cb56276b268fcbac8757a2f28c5bea51ce65d91771947504f519a

SHA512
d0094ee7b7ebdb60c55529dceb44bc2ba915892f974147499deb68e429bfeb0fad73747ad4240f853e5a92fb714c9c421b8d3c4b1a525aaa35abc81692cfc00c

Download Submit
C:\Windows\System\KRYCjPR.exe

Filesize
5.2MB

MD5
b345f4856be0c739287ea090ae336e99

SHA1
ad6a99ddec2552cf90665487b236b460352fa706

SHA256
b4409a921f7fd02304523a68b82e36fc0adf05e64b0fc36fc9d6f9aa0b8e6bf3

SHA512
546b2a6cb97a2fd83161cf5f0694ff4ebbcaa46ebc094dbfa0a3dabec49e949394f7a1aba39ee6eb67e143cda877d6018cf6d3bd38156e34d4ea62e4ce59786d

Download Submit
C:\Windows\System\OuMRyBc.exe

Filesize
5.2MB

MD5
e693d655fb29a28a83082df711346d95

SHA1
1f544f9a851054314f5ed601decd8ad84a6d9d12

SHA256
407b9e6c2fb6e877b77953c2941dca3f83d0885bdaf5eb0a5795fced00070197

SHA512
f56a744ab6013aeea45ac8d197b5f8b7bc2b27e3d246807f8038fc5a85e77144897e020ae23b0f6f5de49d4b93d19d791a85e8ba8d6a5e29ccd6877a3d109d87

Download Submit
C:\Windows\System\UvDWZcY.exe

Filesize
5.2MB

MD5
872e90e161c638f161a6224defa7bcd2

SHA1
b34557ab8099487f2b6b1c0ccd97872ccccc651e

SHA256
dce8dfbc97b347d55e8ae9d29cb260d410fc509aa122433a22e403dbb7a43d71

SHA512
56dfed4a786ea468b20ca7b75b2ec60e23674e879d01edfc636dedeefd0cc90f8df9aeeb8741f7dc08f68a94e8124a3d2b1862331100090c2bba4903dbee2520

Download Submit
C:\Windows\System\VEUiNyv.exe

Filesize
5.2MB

MD5
6a968e4e0960314cb6a9c76badc68343

SHA1
fd7dbd9853adb7d677030d46c6811c124eb28cf3

SHA256
e3ddfb0b0bafacd255807fc16d58d7d214ee31aa90b64e0c297a5f33a4c4caaa

SHA512
2256969f209d2684afa8f6a1b2ac871672179d8ac97207e9e167c79b601cbea2a12bfabdacfc91ab48bcf564e47dfffed4cea57ac1b9a9b7b161098d2b552b43

Download Submit
C:\Windows\System\XMunPZo.exe

Filesize
5.2MB

MD5
eb2cba709a35cbf88ca59831f994b16d

SHA1
ae722ee82a633f795a994aab58fb4de6e7237077

SHA256
c706249900b59796d647c1c747a56c1d60f333aeaf2c8ac6f6e42d6ab35b0b7d

SHA512
341ff24a974f8d740248cb34c455733003d4d9a2f38068f5594a26f4a063e64472e99cc20965f3b858ed4558800da0a93348ac6b18cdb921f75331c72df9aca5

Download Submit
C:\Windows\System\dOvtBjI.exe

Filesize
5.2MB

MD5
e156412ccb4a87776a9c43879155f8e3

SHA1
042f411f881dd1d243ac1ebb119eb2e4eeb5bb15

SHA256
7cd20ae804de52fdb91369ec9d8bbbc8a3259cc5cb155aa9273406fbda4fca81

SHA512
810bc817292f8cd4d30e4e0c209f1d6ffa0fd59cf23c66c17aa19ec5528821af7d723ee1d41b33eb45a8a96c8610bd314fe10a1c002dac0889e6031294a8b873

Download Submit
C:\Windows\System\dsOQElL.exe

Filesize
5.2MB

MD5
ba3ed4a7e09fb0747f5a5d98758286ee

SHA1
2691dd20e22c98c4b79493e36f2f9b2b1e462fe2

SHA256
0df0936ef158fb2515b60b8deb4ea228e29bfc886009b9f64b8c664f711e4096

SHA512
0bddcb39bee798963dc032e3104c2377b39e99cbe8f273cf76635451d4724b6435f7fe6e40a03e8f23cde01ec584bef4ed58562a11cb6d531dc8725d0db08abd

Download Submit
C:\Windows\System\eUwUGxi.exe

Filesize
5.2MB

MD5
06f817d93dfa538cf3ffd8afa085a639

SHA1
a2a155a793dc7fe3dc15497d45da7601fb86ed43

SHA256
7613757883a4d72fde23c8a99c436ae759141a47895a69f78f7fb5b851b189e2

SHA512
ba94e3a0b3251129fba17289bfc608dc2318d5182e4268ea887fc8339ad3f18f0ea31918a15c2092727ac3e1073acbc9a5cbccc427eb48f660554640169c635a

Download Submit
C:\Windows\System\hDvMHrz.exe

Filesize
5.2MB

MD5
db401b891e39b7462d402e4b50c0da40

SHA1
b0d5bb9f61eafdf6a1271b144db8d553652eb5a9

SHA256
a6b51a5455151e96cc4a352eedee8a3783651baf62e780e7df0cca5b5ba9af19

SHA512
9100861689b1b2308762c2fb9ab3b05624bd29340208e109e8fe366ce00b3f69b5eb28c1f0a90551da47d2136b3c9455763a51d877b85b2b8f54364f26ae3564

Download Submit
C:\Windows\System\jhGBRzy.exe

Filesize
5.2MB

MD5
308b276cd103333ba1482b015b2dda17

SHA1
7d65fc3563bc6b7021452347963214a777634398

SHA256
cd2e3a2193eae414fdd6eec49127a325564c9e9a844b58c1e3f5fcdba564dd76

SHA512
7c453d81db1e67e1040499e089d19b3f978e1bc10dc050a05e94cbea4112f2ef77b6abeee8a8eb3120f29ec5e37bc581ba432070fa409588b7cc3c06c143adcc

Download Submit
C:\Windows\System\jwqdmhK.exe

Filesize
5.2MB

MD5
68508f4f4e747899606eb01bcd4165bc

SHA1
510a071cd382677b01cca99159932850689006bd

SHA256
0466ee780f81c7ffc7ecbe8431aa12e41d9c561f7e424a62741c483ab31338bf

SHA512
fa2d5b5e67fcd7931fda6b7629c3f2c0aef285ddb0e530affbbb86043cfe6e91d5bfbbad70909212dd5d71346d279987a44ef08983743f9332bd16658adf6ec3

Download Submit
C:\Windows\System\mpJkySy.exe

Filesize
5.2MB

MD5
2a50f8bb0285bfe0a8b8b0e6297032c7

SHA1
ad9596345dd1547465c76881111e2d527973ef96

SHA256
2af7ebd78c47e5b448eb1de25cbf7f9778b7a34f35b87a04e19d3947ad6ea1a1

SHA512
0b1dbb1f38b082100ea91edad6c1087cdd2d692201cc3e574788c1d885096697cd7f9d6844a0745587e8089e5e0701252a45fd2ba18f9cc5df4ca04f48cf9d15

Download Submit
C:\Windows\System\oKrWfbb.exe

Filesize
5.2MB

MD5
090ac1192dd362ae45be1a2c37c4e25a

SHA1
e786a318bdf8dcde2357bef65b2ff4637d2e8d58

SHA256
3002091cfec067eaeb8c7713d6208c255e37eaf69c2f27af81b55bceb6746922

SHA512
329179ad1b7fe7bad6a99452611f017495985e94f3dc768d5d96c6d16c0461b2a3c87095c98d5e1ed9644e03db27aafff4dcb9eb4d3cee3e306098357e6f9dbd

Download Submit
C:\Windows\System\qpOhVaB.exe

Filesize
5.2MB

MD5
ce66a1384101399596b9cfbf3f7720e0

SHA1
d90bbaf58d0fb466e8de84716a4563f3702c7e36

SHA256
813f78f10592facb75ab68531309acd79ff2162c7c6463d590072c5eb4bcbd0a

SHA512
640d65513e46e509b6a6a807f7527e547e9ab0b59e1a42f1d40dd7e8bcfed82fcda38dece8882813098eaffc915dd559d312f6cb89a616593089e0b98e346835

Download Submit
memory/512-146-0x00007FF78A980000-0x00007FF78ACD1000-memory.dmp

Filesize
3.3MB

Download
memory/512-75-0x00007FF78A980000-0x00007FF78ACD1000-memory.dmp

Filesize
3.3MB

Download
memory/512-253-0x00007FF78A980000-0x00007FF78ACD1000-memory.dmp

Filesize
3.3MB

Download
memory/716-8-0x00007FF7B14F0000-0x00007FF7B1841000-memory.dmp

Filesize
3.3MB

Download
memory/716-217-0x00007FF7B14F0000-0x00007FF7B1841000-memory.dmp

Filesize
3.3MB

Download
memory/716-65-0x00007FF7B14F0000-0x00007FF7B1841000-memory.dmp

Filesize
3.3MB

Download
memory/836-111-0x00007FF66EE10000-0x00007FF66F161000-memory.dmp

Filesize
3.3MB

Download
memory/836-42-0x00007FF66EE10000-0x00007FF66F161000-memory.dmp

Filesize
3.3MB

Download
memory/836-232-0x00007FF66EE10000-0x00007FF66F161000-memory.dmp

Filesize
3.3MB

Download
memory/860-165-0x00007FF75D3A0000-0x00007FF75D6F1000-memory.dmp

Filesize
3.3MB

Download
memory/860-136-0x00007FF75D3A0000-0x00007FF75D6F1000-memory.dmp

Filesize
3.3MB

Download
memory/860-269-0x00007FF75D3A0000-0x00007FF75D6F1000-memory.dmp

Filesize
3.3MB

Download
memory/884-267-0x00007FF6FB160000-0x00007FF6FB4B1000-memory.dmp

Filesize
3.3MB

Download
memory/884-125-0x00007FF6FB160000-0x00007FF6FB4B1000-memory.dmp

Filesize
3.3MB

Download
memory/884-163-0x00007FF6FB160000-0x00007FF6FB4B1000-memory.dmp

Filesize
3.3MB

Download
memory/916-166-0x00007FF7DB810000-0x00007FF7DBB61000-memory.dmp

Filesize
3.3MB

Download
memory/916-60-0x00007FF7DB810000-0x00007FF7DBB61000-memory.dmp

Filesize
3.3MB

Download
memory/916-0-0x00007FF7DB810000-0x00007FF7DBB61000-memory.dmp

Filesize
3.3MB

Download
memory/916-140-0x00007FF7DB810000-0x00007FF7DBB61000-memory.dmp

Filesize
3.3MB

Download
memory/916-1-0x0000025BF0030000-0x0000025BF0040000-memory.dmp

Filesize
64KB

Download
memory/920-127-0x00007FF7FD4F0000-0x00007FF7FD841000-memory.dmp

Filesize
3.3MB

Download
memory/920-251-0x00007FF7FD4F0000-0x00007FF7FD841000-memory.dmp

Filesize
3.3MB

Download
memory/920-61-0x00007FF7FD4F0000-0x00007FF7FD841000-memory.dmp

Filesize
3.3MB

Download
memory/1120-219-0x00007FF7E7E40000-0x00007FF7E8191000-memory.dmp

Filesize
3.3MB

Download
memory/1120-16-0x00007FF7E7E40000-0x00007FF7E8191000-memory.dmp

Filesize
3.3MB

Download
memory/1120-74-0x00007FF7E7E40000-0x00007FF7E8191000-memory.dmp

Filesize
3.3MB

Download
memory/1276-48-0x00007FF7A5850000-0x00007FF7A5BA1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-244-0x00007FF7A5850000-0x00007FF7A5BA1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-118-0x00007FF7A5850000-0x00007FF7A5BA1000-memory.dmp

Filesize
3.3MB

Download
memory/1380-259-0x00007FF7052B0000-0x00007FF705601000-memory.dmp

Filesize
3.3MB

Download
memory/1380-91-0x00007FF7052B0000-0x00007FF705601000-memory.dmp

Filesize
3.3MB

Download
memory/1380-151-0x00007FF7052B0000-0x00007FF705601000-memory.dmp

Filesize
3.3MB

Download
memory/1424-230-0x00007FF62B6A0000-0x00007FF62B9F1000-memory.dmp

Filesize
3.3MB

Download
memory/1424-38-0x00007FF62B6A0000-0x00007FF62B9F1000-memory.dmp

Filesize
3.3MB

Download
memory/1424-99-0x00007FF62B6A0000-0x00007FF62B9F1000-memory.dmp

Filesize
3.3MB

Download
memory/1916-104-0x00007FF7CB950000-0x00007FF7CBCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1916-274-0x00007FF7CB950000-0x00007FF7CBCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1916-160-0x00007FF7CB950000-0x00007FF7CBCA1000-memory.dmp

Filesize
3.3MB

Download
memory/2404-162-0x00007FF6DE9D0000-0x00007FF6DED21000-memory.dmp

Filesize
3.3MB

Download
memory/2404-117-0x00007FF6DE9D0000-0x00007FF6DED21000-memory.dmp

Filesize
3.3MB

Download
memory/2404-265-0x00007FF6DE9D0000-0x00007FF6DED21000-memory.dmp

Filesize
3.3MB

Download
memory/2808-72-0x00007FF6103E0000-0x00007FF610731000-memory.dmp

Filesize
3.3MB

Download
memory/2808-250-0x00007FF6103E0000-0x00007FF610731000-memory.dmp

Filesize
3.3MB

Download
memory/2808-135-0x00007FF6103E0000-0x00007FF610731000-memory.dmp

Filesize
3.3MB

Download
memory/2928-82-0x00007FF67A410000-0x00007FF67A761000-memory.dmp

Filesize
3.3MB

Download
memory/2928-149-0x00007FF67A410000-0x00007FF67A761000-memory.dmp

Filesize
3.3MB

Download
memory/2928-255-0x00007FF67A410000-0x00007FF67A761000-memory.dmp

Filesize
3.3MB

Download
memory/2932-152-0x00007FF7DB930000-0x00007FF7DBC81000-memory.dmp

Filesize
3.3MB

Download
memory/2932-257-0x00007FF7DB930000-0x00007FF7DBC81000-memory.dmp

Filesize
3.3MB

Download
memory/2932-98-0x00007FF7DB930000-0x00007FF7DBC81000-memory.dmp

Filesize
3.3MB

Download
memory/3552-247-0x00007FF7D9C40000-0x00007FF7D9F91000-memory.dmp

Filesize
3.3MB

Download
memory/3552-124-0x00007FF7D9C40000-0x00007FF7D9F91000-memory.dmp

Filesize
3.3MB

Download
memory/3552-56-0x00007FF7D9C40000-0x00007FF7D9F91000-memory.dmp

Filesize
3.3MB

Download
memory/3832-164-0x00007FF6C3F40000-0x00007FF6C4291000-memory.dmp

Filesize
3.3MB

Download
memory/3832-271-0x00007FF6C3F40000-0x00007FF6C4291000-memory.dmp

Filesize
3.3MB

Download
memory/3832-130-0x00007FF6C3F40000-0x00007FF6C4291000-memory.dmp

Filesize
3.3MB

Download
memory/4268-88-0x00007FF7246F0000-0x00007FF724A41000-memory.dmp

Filesize
3.3MB

Download
memory/4268-223-0x00007FF7246F0000-0x00007FF724A41000-memory.dmp

Filesize
3.3MB

Download
memory/4268-23-0x00007FF7246F0000-0x00007FF724A41000-memory.dmp

Filesize
3.3MB

Download
memory/4864-18-0x00007FF7C1560000-0x00007FF7C18B1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-221-0x00007FF7C1560000-0x00007FF7C18B1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-81-0x00007FF7C1560000-0x00007FF7C18B1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-228-0x00007FF6CCB50000-0x00007FF6CCEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-96-0x00007FF6CCB50000-0x00007FF6CCEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-32-0x00007FF6CCB50000-0x00007FF6CCEA1000-memory.dmp

Filesize
3.3MB

Download
memory/5096-263-0x00007FF6772D0000-0x00007FF677621000-memory.dmp

Filesize
3.3MB

Download
memory/5096-112-0x00007FF6772D0000-0x00007FF677621000-memory.dmp

Filesize
3.3MB

Download
memory/5096-161-0x00007FF6772D0000-0x00007FF677621000-memory.dmp

Filesize
3.3MB

Download