cobaltstrike | 939b8c1dc67b2f1741d866041215ba4648d7d4424d3f1a5f0942681d723981eb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

393baf922a51a00d7b2de54dd31cf8c1
SHA1

13c94557c7ff6dfe784fb03143698eb56b55ffa4
SHA256

939b8c1dc67b2f1741d866041215ba4648d7d4424d3f1a5f0942681d723981eb
SHA512

06e431235e1279845494e64e0ede0064cf90a8d0fedc7b06288e32835d992ebc861b7119f2bdcccdc5e79a84586084c2a293c5de1345d596091d5ab4a6227248
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUa:T+856utgpPF8u/7a

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023441-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023448-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023449-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023445-12.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344a-40.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023442-47.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344b-52.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344c-61.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344d-68.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344e-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023450-92.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344f-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023451-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023453-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023454-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-128.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-130.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3200-0-0x00007FF718740000-0x00007FF718A94000-memory.dmp	xmrig
behavioral2/files/0x0008000000023441-4.dat	xmrig
behavioral2/memory/4348-8-0x00007FF7D2A00000-0x00007FF7D2D54000-memory.dmp	xmrig
behavioral2/files/0x0007000000023446-10.dat	xmrig
behavioral2/memory/3924-14-0x00007FF6EB660000-0x00007FF6EB9B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023447-23.dat	xmrig
behavioral2/memory/4036-24-0x00007FF6AA2A0000-0x00007FF6AA5F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023448-28.dat	xmrig
behavioral2/memory/4276-30-0x00007FF7BA2C0000-0x00007FF7BA614000-memory.dmp	xmrig
behavioral2/files/0x0007000000023449-33.dat	xmrig
behavioral2/memory/4448-35-0x00007FF621BA0000-0x00007FF621EF4000-memory.dmp	xmrig
behavioral2/memory/1052-18-0x00007FF74DE90000-0x00007FF74E1E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023445-12.dat	xmrig
behavioral2/files/0x000700000002344a-40.dat	xmrig
behavioral2/memory/1592-44-0x00007FF6AB0E0000-0x00007FF6AB434000-memory.dmp	xmrig
behavioral2/files/0x0008000000023442-47.dat	xmrig
behavioral2/memory/1912-48-0x00007FF795900000-0x00007FF795C54000-memory.dmp	xmrig
behavioral2/files/0x000700000002344b-52.dat	xmrig
behavioral2/memory/3200-55-0x00007FF718740000-0x00007FF718A94000-memory.dmp	xmrig
behavioral2/memory/3684-57-0x00007FF64B1D0000-0x00007FF64B524000-memory.dmp	xmrig
behavioral2/memory/4348-63-0x00007FF7D2A00000-0x00007FF7D2D54000-memory.dmp	xmrig
behavioral2/memory/1452-64-0x00007FF604780000-0x00007FF604AD4000-memory.dmp	xmrig
behavioral2/files/0x000700000002344c-61.dat	xmrig
behavioral2/memory/3924-65-0x00007FF6EB660000-0x00007FF6EB9B4000-memory.dmp	xmrig
behavioral2/files/0x000700000002344d-68.dat	xmrig
behavioral2/memory/1052-69-0x00007FF74DE90000-0x00007FF74E1E4000-memory.dmp	xmrig
behavioral2/memory/4256-70-0x00007FF77AB80000-0x00007FF77AED4000-memory.dmp	xmrig
behavioral2/files/0x000700000002344e-75.dat	xmrig
behavioral2/memory/2872-79-0x00007FF63ADE0000-0x00007FF63B134000-memory.dmp	xmrig
behavioral2/memory/4276-86-0x00007FF7BA2C0000-0x00007FF7BA614000-memory.dmp	xmrig
behavioral2/memory/1540-88-0x00007FF682F90000-0x00007FF6832E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023450-92.dat	xmrig
behavioral2/memory/4448-91-0x00007FF621BA0000-0x00007FF621EF4000-memory.dmp	xmrig
behavioral2/memory/2708-90-0x00007FF6BAEC0000-0x00007FF6BB214000-memory.dmp	xmrig
behavioral2/files/0x000700000002344f-87.dat	xmrig
behavioral2/memory/4036-76-0x00007FF6AA2A0000-0x00007FF6AA5F4000-memory.dmp	xmrig
behavioral2/memory/4728-97-0x00007FF74FE00000-0x00007FF750154000-memory.dmp	xmrig
behavioral2/files/0x0007000000023451-100.dat	xmrig
behavioral2/files/0x0007000000023453-101.dat	xmrig
behavioral2/files/0x0007000000023454-109.dat	xmrig
behavioral2/memory/3684-110-0x00007FF64B1D0000-0x00007FF64B524000-memory.dmp	xmrig
behavioral2/files/0x0007000000023455-115.dat	xmrig
behavioral2/memory/1572-117-0x00007FF77CB30000-0x00007FF77CE84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023456-121.dat	xmrig
behavioral2/memory/3600-122-0x00007FF7B2100000-0x00007FF7B2454000-memory.dmp	xmrig
behavioral2/files/0x0007000000023457-128.dat	xmrig
behavioral2/files/0x0007000000023458-130.dat	xmrig
behavioral2/memory/4472-111-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp	xmrig
behavioral2/memory/2796-106-0x00007FF7CB560000-0x00007FF7CB8B4000-memory.dmp	xmrig
behavioral2/memory/1912-103-0x00007FF795900000-0x00007FF795C54000-memory.dmp	xmrig
behavioral2/memory/1596-136-0x00007FF73A6F0000-0x00007FF73AA44000-memory.dmp	xmrig
behavioral2/memory/4256-135-0x00007FF77AB80000-0x00007FF77AED4000-memory.dmp	xmrig
behavioral2/memory/2872-138-0x00007FF63ADE0000-0x00007FF63B134000-memory.dmp	xmrig
behavioral2/memory/3996-137-0x00007FF66B7A0000-0x00007FF66BAF4000-memory.dmp	xmrig
behavioral2/memory/1540-139-0x00007FF682F90000-0x00007FF6832E4000-memory.dmp	xmrig
behavioral2/memory/2708-140-0x00007FF6BAEC0000-0x00007FF6BB214000-memory.dmp	xmrig
behavioral2/memory/4728-141-0x00007FF74FE00000-0x00007FF750154000-memory.dmp	xmrig
behavioral2/memory/2796-142-0x00007FF7CB560000-0x00007FF7CB8B4000-memory.dmp	xmrig
behavioral2/memory/4472-143-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp	xmrig
behavioral2/memory/1572-144-0x00007FF77CB30000-0x00007FF77CE84000-memory.dmp	xmrig
behavioral2/memory/3600-145-0x00007FF7B2100000-0x00007FF7B2454000-memory.dmp	xmrig
behavioral2/memory/4348-146-0x00007FF7D2A00000-0x00007FF7D2D54000-memory.dmp	xmrig
behavioral2/memory/3924-147-0x00007FF6EB660000-0x00007FF6EB9B4000-memory.dmp	xmrig
behavioral2/memory/1052-148-0x00007FF74DE90000-0x00007FF74E1E4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4348	mYFUGSR.exe
3924	cECdbzL.exe
1052	yiepExj.exe
4036	kSXZKig.exe
4276	GcMKZBM.exe
4448	BquyKvC.exe
1592	DGoGKEy.exe
1912	edbjnhc.exe
3684	OrQqPws.exe
1452	qmieSGP.exe
4256	YrPJzSK.exe
2872	BkluPaM.exe
1540	EMkKHOm.exe
2708	rlPDIqk.exe
4728	yhPWwDb.exe
2796	odhOSHC.exe
4472	McQjfpz.exe
1572	xXMkVFR.exe
3600	zUPNddU.exe
1596	nwkZXUm.exe
3996	kGswNeM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3200-0-0x00007FF718740000-0x00007FF718A94000-memory.dmp	upx
behavioral2/files/0x0008000000023441-4.dat	upx
behavioral2/memory/4348-8-0x00007FF7D2A00000-0x00007FF7D2D54000-memory.dmp	upx
behavioral2/files/0x0007000000023446-10.dat	upx
behavioral2/memory/3924-14-0x00007FF6EB660000-0x00007FF6EB9B4000-memory.dmp	upx
behavioral2/files/0x0007000000023447-23.dat	upx
behavioral2/memory/4036-24-0x00007FF6AA2A0000-0x00007FF6AA5F4000-memory.dmp	upx
behavioral2/files/0x0007000000023448-28.dat	upx
behavioral2/memory/4276-30-0x00007FF7BA2C0000-0x00007FF7BA614000-memory.dmp	upx
behavioral2/files/0x0007000000023449-33.dat	upx
behavioral2/memory/4448-35-0x00007FF621BA0000-0x00007FF621EF4000-memory.dmp	upx
behavioral2/memory/1052-18-0x00007FF74DE90000-0x00007FF74E1E4000-memory.dmp	upx
behavioral2/files/0x0007000000023445-12.dat	upx
behavioral2/files/0x000700000002344a-40.dat	upx
behavioral2/memory/1592-44-0x00007FF6AB0E0000-0x00007FF6AB434000-memory.dmp	upx
behavioral2/files/0x0008000000023442-47.dat	upx
behavioral2/memory/1912-48-0x00007FF795900000-0x00007FF795C54000-memory.dmp	upx
behavioral2/files/0x000700000002344b-52.dat	upx
behavioral2/memory/3200-55-0x00007FF718740000-0x00007FF718A94000-memory.dmp	upx
behavioral2/memory/3684-57-0x00007FF64B1D0000-0x00007FF64B524000-memory.dmp	upx
behavioral2/memory/4348-63-0x00007FF7D2A00000-0x00007FF7D2D54000-memory.dmp	upx
behavioral2/memory/1452-64-0x00007FF604780000-0x00007FF604AD4000-memory.dmp	upx
behavioral2/files/0x000700000002344c-61.dat	upx
behavioral2/memory/3924-65-0x00007FF6EB660000-0x00007FF6EB9B4000-memory.dmp	upx
behavioral2/files/0x000700000002344d-68.dat	upx
behavioral2/memory/1052-69-0x00007FF74DE90000-0x00007FF74E1E4000-memory.dmp	upx
behavioral2/memory/4256-70-0x00007FF77AB80000-0x00007FF77AED4000-memory.dmp	upx
behavioral2/files/0x000700000002344e-75.dat	upx
behavioral2/memory/2872-79-0x00007FF63ADE0000-0x00007FF63B134000-memory.dmp	upx
behavioral2/memory/4276-86-0x00007FF7BA2C0000-0x00007FF7BA614000-memory.dmp	upx
behavioral2/memory/1540-88-0x00007FF682F90000-0x00007FF6832E4000-memory.dmp	upx
behavioral2/files/0x0007000000023450-92.dat	upx
behavioral2/memory/4448-91-0x00007FF621BA0000-0x00007FF621EF4000-memory.dmp	upx
behavioral2/memory/2708-90-0x00007FF6BAEC0000-0x00007FF6BB214000-memory.dmp	upx
behavioral2/files/0x000700000002344f-87.dat	upx
behavioral2/memory/4036-76-0x00007FF6AA2A0000-0x00007FF6AA5F4000-memory.dmp	upx
behavioral2/memory/4728-97-0x00007FF74FE00000-0x00007FF750154000-memory.dmp	upx
behavioral2/files/0x0007000000023451-100.dat	upx
behavioral2/files/0x0007000000023453-101.dat	upx
behavioral2/files/0x0007000000023454-109.dat	upx
behavioral2/memory/3684-110-0x00007FF64B1D0000-0x00007FF64B524000-memory.dmp	upx
behavioral2/files/0x0007000000023455-115.dat	upx
behavioral2/memory/1572-117-0x00007FF77CB30000-0x00007FF77CE84000-memory.dmp	upx
behavioral2/files/0x0007000000023456-121.dat	upx
behavioral2/memory/3600-122-0x00007FF7B2100000-0x00007FF7B2454000-memory.dmp	upx
behavioral2/files/0x0007000000023457-128.dat	upx
behavioral2/files/0x0007000000023458-130.dat	upx
behavioral2/memory/4472-111-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp	upx
behavioral2/memory/2796-106-0x00007FF7CB560000-0x00007FF7CB8B4000-memory.dmp	upx
behavioral2/memory/1912-103-0x00007FF795900000-0x00007FF795C54000-memory.dmp	upx
behavioral2/memory/1596-136-0x00007FF73A6F0000-0x00007FF73AA44000-memory.dmp	upx
behavioral2/memory/4256-135-0x00007FF77AB80000-0x00007FF77AED4000-memory.dmp	upx
behavioral2/memory/2872-138-0x00007FF63ADE0000-0x00007FF63B134000-memory.dmp	upx
behavioral2/memory/3996-137-0x00007FF66B7A0000-0x00007FF66BAF4000-memory.dmp	upx
behavioral2/memory/1540-139-0x00007FF682F90000-0x00007FF6832E4000-memory.dmp	upx
behavioral2/memory/2708-140-0x00007FF6BAEC0000-0x00007FF6BB214000-memory.dmp	upx
behavioral2/memory/4728-141-0x00007FF74FE00000-0x00007FF750154000-memory.dmp	upx
behavioral2/memory/2796-142-0x00007FF7CB560000-0x00007FF7CB8B4000-memory.dmp	upx
behavioral2/memory/4472-143-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp	upx
behavioral2/memory/1572-144-0x00007FF77CB30000-0x00007FF77CE84000-memory.dmp	upx
behavioral2/memory/3600-145-0x00007FF7B2100000-0x00007FF7B2454000-memory.dmp	upx
behavioral2/memory/4348-146-0x00007FF7D2A00000-0x00007FF7D2D54000-memory.dmp	upx
behavioral2/memory/3924-147-0x00007FF6EB660000-0x00007FF6EB9B4000-memory.dmp	upx
behavioral2/memory/1052-148-0x00007FF74DE90000-0x00007FF74E1E4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\yhPWwDb.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\McQjfpz.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zUPNddU.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cECdbzL.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BquyKvC.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qmieSGP.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EMkKHOm.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nwkZXUm.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yiepExj.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DGoGKEy.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OrQqPws.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YrPJzSK.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xXMkVFR.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mYFUGSR.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kSXZKig.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rlPDIqk.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\odhOSHC.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GcMKZBM.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\edbjnhc.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BkluPaM.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kGswNeM.exe	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 4348	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3200 wrote to memory of 4348	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3200 wrote to memory of 3924	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3200 wrote to memory of 3924	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3200 wrote to memory of 1052	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3200 wrote to memory of 1052	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3200 wrote to memory of 4036	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3200 wrote to memory of 4036	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3200 wrote to memory of 4276	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3200 wrote to memory of 4276	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3200 wrote to memory of 4448	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3200 wrote to memory of 4448	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3200 wrote to memory of 1592	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3200 wrote to memory of 1592	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3200 wrote to memory of 1912	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3200 wrote to memory of 1912	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3200 wrote to memory of 3684	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3200 wrote to memory of 3684	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3200 wrote to memory of 1452	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3200 wrote to memory of 1452	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3200 wrote to memory of 4256	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3200 wrote to memory of 4256	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3200 wrote to memory of 2872	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3200 wrote to memory of 2872	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3200 wrote to memory of 1540	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3200 wrote to memory of 1540	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3200 wrote to memory of 2708	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3200 wrote to memory of 2708	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3200 wrote to memory of 4728	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3200 wrote to memory of 4728	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3200 wrote to memory of 2796	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3200 wrote to memory of 2796	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3200 wrote to memory of 4472	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3200 wrote to memory of 4472	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3200 wrote to memory of 1572	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3200 wrote to memory of 1572	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3200 wrote to memory of 3600	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3200 wrote to memory of 3600	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3200 wrote to memory of 1596	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3200 wrote to memory of 1596	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3200 wrote to memory of 3996	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3200 wrote to memory of 3996	3200	2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-22_393baf922a51a00d7b2de54dd31cf8c1_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\System\mYFUGSR.exe
  C:\Windows\System\mYFUGSR.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System\cECdbzL.exe
  C:\Windows\System\cECdbzL.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\yiepExj.exe
  C:\Windows\System\yiepExj.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\kSXZKig.exe
  C:\Windows\System\kSXZKig.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\GcMKZBM.exe
  C:\Windows\System\GcMKZBM.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\BquyKvC.exe
  C:\Windows\System\BquyKvC.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System\DGoGKEy.exe
  C:\Windows\System\DGoGKEy.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System\edbjnhc.exe
  C:\Windows\System\edbjnhc.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\OrQqPws.exe
  C:\Windows\System\OrQqPws.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\qmieSGP.exe
  C:\Windows\System\qmieSGP.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\YrPJzSK.exe
  C:\Windows\System\YrPJzSK.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System\BkluPaM.exe
  C:\Windows\System\BkluPaM.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\EMkKHOm.exe
  C:\Windows\System\EMkKHOm.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\rlPDIqk.exe
  C:\Windows\System\rlPDIqk.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\yhPWwDb.exe
  C:\Windows\System\yhPWwDb.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\odhOSHC.exe
  C:\Windows\System\odhOSHC.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\McQjfpz.exe
  C:\Windows\System\McQjfpz.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\xXMkVFR.exe
  C:\Windows\System\xXMkVFR.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\zUPNddU.exe
  C:\Windows\System\zUPNddU.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System\nwkZXUm.exe
  C:\Windows\System\nwkZXUm.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\kGswNeM.exe
  C:\Windows\System\kGswNeM.exe
  2⤵
  - Executes dropped EXE
  PID:3996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BkluPaM.exe

Filesize
5.9MB

MD5
eb5de0b9d75f818222ceaa8a020597e1

SHA1
65e53d842d29ff0b41dbbd1ee0587331727079cf

SHA256
43f06df5c42d19ff3c0f5c349b66edb5d9096ebf449a77e0beae96f499c7ae89

SHA512
84c3e89f6e6d8ef2b6046b4de151da7d113f074a16eea1b45cb52ff003eca1b30be9c0c7d43df59cdc3ecd0d152c25d6575e1fe57008f72d77c47e125a369421

Download Submit
C:\Windows\System\BquyKvC.exe

Filesize
5.9MB

MD5
902262855474fb5df6b1f90f6bc6d198

SHA1
6746a801167a93355a328163b433cbf82fc41325

SHA256
80cbaa98ba814eb768c56722c0b1e18641f296effb08013bbb0c245b9b5bd397

SHA512
90d94c2be7dd6ee2bca39fb3ae7a0d007747de7b41845d58dcb4e6b9604e03a098d540b29d8ec9f5ad8ef12ba8225c2fe367c8795f9767a093b78399eb111026

Download Submit
C:\Windows\System\DGoGKEy.exe

Filesize
5.9MB

MD5
6cb10e5364ae6df983ba76f9fec66b9b

SHA1
c33d2687725c12a411d2dbf8750c0032717393d7

SHA256
b470f7db9fe3c1a892b36eb693b69b17a5210c3168a26538c4b891e9f18f9b44

SHA512
4b7a45265eccfb46ed12be4560297bf872b5d0c73a0e36e1d68b3537776e12f95e22cf2fcd6e809748e9d397f69e9e9299816b8f53209c66857fdd0608597574

Download Submit
C:\Windows\System\EMkKHOm.exe

Filesize
5.9MB

MD5
2891c8bd20141e3d986e9c670282875f

SHA1
a9e4455bfa97357f8f30a40b6035273f3ee33de7

SHA256
692d03912d07e8467ecb9a9476047f6a9e9461914862ac21f04a5371d3c245f0

SHA512
639e158c0f0835101c84c6aaea41e1b2693037f8914f0881e882a1b3f8f9972349597b70c2055c7f4b6cc81162f22d3b2ab1673df616f23b8f89695e666cd759

Download Submit
C:\Windows\System\GcMKZBM.exe

Filesize
5.9MB

MD5
9a68e5646a8bdd5741e34da65ef62fa7

SHA1
578b85cdddd1484e61332286d0eadea5392dfde9

SHA256
d8a9cbe1a0f9da52584a06ae9168c88e26f83673fb3258ada8c60d1069b57330

SHA512
7abaf444a2f161390f882d2d17f5e3a7912fcc6b4474f648690d5a37b3c7eb6acceb927f92cdfdd32d25922f837cc4231611d9dbf4c355c3848f0cc634c5ec84

Download Submit
C:\Windows\System\McQjfpz.exe

Filesize
5.9MB

MD5
94dc5630d31a5b41a04db86ebba27dce

SHA1
7dc768223ae9291e10bc6b6c2944715c0bf30baa

SHA256
0293592e53571d76775df3261c7f5d7fb2a1cff49eee265ee1067d24c555b672

SHA512
8b4078502a007807461268938c05c8cc92aff293a85201461945a62898f86347cf160a2a657cdc589a3019f2104f8ec14ca7386eafb8bbd4682b54414524c36a

Download Submit
C:\Windows\System\OrQqPws.exe

Filesize
5.9MB

MD5
7c8e2ecbd6748b3970e8891d97c95e51

SHA1
92ad8090a2ee775d4904813053c80007bf2c956a

SHA256
4d170320cc588cac05902316f388b531c9180f5b285e9be2bfd82bd8a782e800

SHA512
221b5482d7ce5fbd94726c8614ac5ba924b1e06f513c45d37a7d65841fea3f0cdf5df38183dc4529b24fbc6d18428b4a49a3114e657d0632181ff5c78f001eb4

Download Submit
C:\Windows\System\YrPJzSK.exe

Filesize
5.9MB

MD5
b8c2728e53977c038b91746379a96f76

SHA1
38e34428e613b1ffe7886a89d1f4c90a633dd2c6

SHA256
d853a84745fa9734e1bd14f9bf1af2df92fcfecf92918044bc7f5158e6861af7

SHA512
026f5030565b0fb6c6aa861f5d4ef7431d44c67ac4654cc73ac89ef109feaee8013fb045b79dbf28b36ff702841222e4df9eab1b9ede3de11ca9da0b325f8497

Download Submit
C:\Windows\System\cECdbzL.exe

Filesize
5.9MB

MD5
06d4843415acb49af48a46b04f7c62b4

SHA1
cbe52f47b07401e9976324c0c6b88b2336f7b72e

SHA256
2a66f282ff6b39a649e6ff5205b1d8d5a0f8f9ade328ce27d83dab0117e577da

SHA512
312b16c9f572bf2237374b67aa01e12cd0e27ad485dbff38a58d7c24abc85ecf7a92b01003c43f8e9717af390dcf5792ef5c0b6affac42fb1110f364a8acde03

Download Submit
C:\Windows\System\edbjnhc.exe

Filesize
5.9MB

MD5
3ce3f8194b9a81cef5e4edb4f723b679

SHA1
7b51d84bf54985dd820beed44352be93fa7c8b15

SHA256
a338f39ff0552cf06dced4e32351988631913c5b71b5b812a659a6b1a16de974

SHA512
983af76be7f8e3dffd6e51b9f1102f3dfa4a3597fca638a09500c3524542ec1a528c8f995d5c27665b17c259f87dc664b45b578d9a7b9989d623319c1adfa801

Download Submit
C:\Windows\System\kGswNeM.exe

Filesize
5.9MB

MD5
9f680043ca3ab2817ca28bd0dfe0eecf

SHA1
20dab19055b263d5af37d2a9322b0d49742d0d79

SHA256
90ca651e07daa126e6ec245a186a554368a6cefc15e84f238835caa2c24f038b

SHA512
98877422067aadc5e25a1bba64d5a2151f2c5307309ba98ebcc0720ba2bebd20fad02d60ec5efe9f480db0278ead0cb0a2dfb26a42f5c89de79727aa85fd2d7f

Download Submit
C:\Windows\System\kSXZKig.exe

Filesize
5.9MB

MD5
a5bc6b6514b326c68fe026340528a0cb

SHA1
62ce08ef524a67430d6030fbbe023eec95db3307

SHA256
ffc3b5124c02883c8968af8a1747c9656eac0bd3b4fa109d4abffb20318dbe70

SHA512
000ba530a7e6808df5192d18d82b09d67e3b78baef754119471996c477bb7615827bbf9e268f7ac67d6ee931eb2035425b8aae1b00754a5726b75f396c42480c

Download Submit
C:\Windows\System\mYFUGSR.exe

Filesize
5.9MB

MD5
4236913875807161c650793f61113700

SHA1
3fc2a6ebababdd5e18fee4b9c4275ce0a585bb4e

SHA256
f2ec125613b7c937169b6e1d8e107226e741499dc08b5322507397f43d005e0b

SHA512
5c9b093e4f9dfdb3819732aded5f7ec211fa0f8868445ec132dcb4c9e1ee41a8d1f70dacbaef100469d3a1e3303362d9fbae1b4aa7c022ec805f89525124cab6

Download Submit
C:\Windows\System\nwkZXUm.exe

Filesize
5.9MB

MD5
44f1758ea38beb787dd7a1865d964667

SHA1
4700e0e98b4e1b0c78731bc1b692b4109b9b367d

SHA256
8249cb4f8a3a896814170f036a6f735d83bf4a5fc76c01e1536b4dcd03ea5389

SHA512
c81f956b50e668653d3205176f7e5964bc42e1111e9c53458770aedf9d39c742690462fcaeec4c1df6e8d47edbab8d7314b9bb371c7a7858944d4ee49f7bccaa

Download Submit
C:\Windows\System\odhOSHC.exe

Filesize
5.9MB

MD5
0266b4019a4db9d34b410c2c72ce2778

SHA1
449492841b3d83b409611a0e26a1f038c6d2477a

SHA256
0c899177c9a2971dee3bb0f55ec867331ec438bbac816339f90854f8c06c69ae

SHA512
e65034baf7110a798c855ce177c975743052059ef01881ea16f4a73f4269286ac8b502fd2ad8f66d6879b2a9d39e3c7f5503b53a86c331da60c0b2c298a3039a

Download Submit
C:\Windows\System\qmieSGP.exe

Filesize
5.9MB

MD5
8d289b5d62d3b5db5dafaaa7de4ac45c

SHA1
8ef3278dc5fba45592a75e23004c7e391acc90a6

SHA256
32f865c7ddf7efe6a6e68b7b5e4fcf6795a5138c243fdc1f9fd718786f6853be

SHA512
73f161683b8f6996b19430fed4f4b5d9b5b43a7a63a7afd22e8dc68b18c32742654a0a894b270c4d7bf908ec8cea6ac04d8296f5c21b622d1773699c8f700db8

Download Submit
C:\Windows\System\rlPDIqk.exe

Filesize
5.9MB

MD5
2bd81c6555abd71dde38f5455c2246c1

SHA1
57e578ba03005024f11ce382035207f6a4cfc67f

SHA256
b8e16c8a90bac8130268db3e8649ae8458160fda7d21cd19f493b9f14186c59a

SHA512
81d2e8022dbbd2ed2b559ebeb7511828d8e0f655e1c638e76dead6c641127046f3dbb111a675a44591c1eb310f04d80db29ceee8cfc0a377e48a34434170b496

Download Submit
C:\Windows\System\xXMkVFR.exe

Filesize
5.9MB

MD5
034a24b4235f7397cb35f816a623fc49

SHA1
aa5c70b6e4739c671b4942fbc865860803f08e61

SHA256
9b5da34f6e6a9d5f790922bd3ae835bc0b97ffd26ec96298cb0f2e8009032ea8

SHA512
6ba7875ea73976b69cfa6b3cb5f931298b33814c927cf6bbb2c7cc99c1300f6d39af050900742dd53210dd7f8b18f6bdebeafb251dfccdbb4fb53040878481e5

Download Submit
C:\Windows\System\yhPWwDb.exe

Filesize
5.9MB

MD5
c7ffa2a38a95952627ab2b678f97a151

SHA1
a04f67429ad2c3bdde15f021dd27662fca4939a7

SHA256
ea1c5a2c8777d8388280a590438aa34ab54da19c170699d5c746d5f13691d99a

SHA512
60f0f8a8c5973d576c700da22e80bf4c35265fa91b0427bc4880be2977569b750b372117acba26c7a7cb64ca5fbf4497df6fdf551aac393252b4a08dc292fda0

Download Submit
C:\Windows\System\yiepExj.exe

Filesize
5.9MB

MD5
478345a0675c061800c32714d4b0b2dc

SHA1
6bf9f143e3fd72f60003eb65a3da6030468e042e

SHA256
81bdc558796c5c2414564122265f87893caa8f523116639e912e7df2ffe42098

SHA512
53fb159a75776d2d1f03b9794efa0a01ab75630a6eaa84e64446b5a58bd5ca433a5216448368d4991faf653be6b9f6a86c2a07566631ce3e7cade7c0ca69cead

Download Submit
C:\Windows\System\zUPNddU.exe

Filesize
5.9MB

MD5
2e118ecbd6deff2956d515176a8b7ec6

SHA1
a2bb8f406d93d829882134b526a21dd0be060860

SHA256
e52f38146edfe928cea36be438ab76d913404fded2aa5176ff2808d8f87b4ffa

SHA512
300451557f1ef711029903dc262da1f22b90804a27f8ab272f0852941de7d88ecd6c2f069b851f044d32bfaa179aab71f8efaaff7317cfaae841df7bf8c3deef

Download Submit
memory/1052-18-0x00007FF74DE90000-0x00007FF74E1E4000-memory.dmp

Filesize
3.3MB

Download
memory/1052-148-0x00007FF74DE90000-0x00007FF74E1E4000-memory.dmp

Filesize
3.3MB

Download
memory/1052-69-0x00007FF74DE90000-0x00007FF74E1E4000-memory.dmp

Filesize
3.3MB

Download
memory/1452-155-0x00007FF604780000-0x00007FF604AD4000-memory.dmp

Filesize
3.3MB

Download
memory/1452-64-0x00007FF604780000-0x00007FF604AD4000-memory.dmp

Filesize
3.3MB

Download
memory/1540-139-0x00007FF682F90000-0x00007FF6832E4000-memory.dmp

Filesize
3.3MB

Download
memory/1540-158-0x00007FF682F90000-0x00007FF6832E4000-memory.dmp

Filesize
3.3MB

Download
memory/1540-88-0x00007FF682F90000-0x00007FF6832E4000-memory.dmp

Filesize
3.3MB

Download
memory/1572-117-0x00007FF77CB30000-0x00007FF77CE84000-memory.dmp

Filesize
3.3MB

Download
memory/1572-144-0x00007FF77CB30000-0x00007FF77CE84000-memory.dmp

Filesize
3.3MB

Download
memory/1572-163-0x00007FF77CB30000-0x00007FF77CE84000-memory.dmp

Filesize
3.3MB

Download
memory/1592-152-0x00007FF6AB0E0000-0x00007FF6AB434000-memory.dmp

Filesize
3.3MB

Download
memory/1592-44-0x00007FF6AB0E0000-0x00007FF6AB434000-memory.dmp

Filesize
3.3MB

Download
memory/1596-165-0x00007FF73A6F0000-0x00007FF73AA44000-memory.dmp

Filesize
3.3MB

Download
memory/1596-136-0x00007FF73A6F0000-0x00007FF73AA44000-memory.dmp

Filesize
3.3MB

Download
memory/1912-153-0x00007FF795900000-0x00007FF795C54000-memory.dmp

Filesize
3.3MB

Download
memory/1912-103-0x00007FF795900000-0x00007FF795C54000-memory.dmp

Filesize
3.3MB

Download
memory/1912-48-0x00007FF795900000-0x00007FF795C54000-memory.dmp

Filesize
3.3MB

Download
memory/2708-90-0x00007FF6BAEC0000-0x00007FF6BB214000-memory.dmp

Filesize
3.3MB

Download
memory/2708-159-0x00007FF6BAEC0000-0x00007FF6BB214000-memory.dmp

Filesize
3.3MB

Download
memory/2708-140-0x00007FF6BAEC0000-0x00007FF6BB214000-memory.dmp

Filesize
3.3MB

Download
memory/2796-106-0x00007FF7CB560000-0x00007FF7CB8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2796-161-0x00007FF7CB560000-0x00007FF7CB8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2796-142-0x00007FF7CB560000-0x00007FF7CB8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2872-157-0x00007FF63ADE0000-0x00007FF63B134000-memory.dmp

Filesize
3.3MB

Download
memory/2872-138-0x00007FF63ADE0000-0x00007FF63B134000-memory.dmp

Filesize
3.3MB

Download
memory/2872-79-0x00007FF63ADE0000-0x00007FF63B134000-memory.dmp

Filesize
3.3MB

Download
memory/3200-55-0x00007FF718740000-0x00007FF718A94000-memory.dmp

Filesize
3.3MB

Download
memory/3200-1-0x0000012F8C3A0000-0x0000012F8C3B0000-memory.dmp

Filesize
64KB

Download
memory/3200-0-0x00007FF718740000-0x00007FF718A94000-memory.dmp

Filesize
3.3MB

Download
memory/3600-145-0x00007FF7B2100000-0x00007FF7B2454000-memory.dmp

Filesize
3.3MB

Download
memory/3600-122-0x00007FF7B2100000-0x00007FF7B2454000-memory.dmp

Filesize
3.3MB

Download
memory/3600-164-0x00007FF7B2100000-0x00007FF7B2454000-memory.dmp

Filesize
3.3MB

Download
memory/3684-154-0x00007FF64B1D0000-0x00007FF64B524000-memory.dmp

Filesize
3.3MB

Download
memory/3684-57-0x00007FF64B1D0000-0x00007FF64B524000-memory.dmp

Filesize
3.3MB

Download
memory/3684-110-0x00007FF64B1D0000-0x00007FF64B524000-memory.dmp

Filesize
3.3MB

Download
memory/3924-14-0x00007FF6EB660000-0x00007FF6EB9B4000-memory.dmp

Filesize
3.3MB

Download
memory/3924-147-0x00007FF6EB660000-0x00007FF6EB9B4000-memory.dmp

Filesize
3.3MB

Download
memory/3924-65-0x00007FF6EB660000-0x00007FF6EB9B4000-memory.dmp

Filesize
3.3MB

Download
memory/3996-137-0x00007FF66B7A0000-0x00007FF66BAF4000-memory.dmp

Filesize
3.3MB

Download
memory/3996-166-0x00007FF66B7A0000-0x00007FF66BAF4000-memory.dmp

Filesize
3.3MB

Download
memory/4036-24-0x00007FF6AA2A0000-0x00007FF6AA5F4000-memory.dmp

Filesize
3.3MB

Download
memory/4036-76-0x00007FF6AA2A0000-0x00007FF6AA5F4000-memory.dmp

Filesize
3.3MB

Download
memory/4036-149-0x00007FF6AA2A0000-0x00007FF6AA5F4000-memory.dmp

Filesize
3.3MB

Download
memory/4256-156-0x00007FF77AB80000-0x00007FF77AED4000-memory.dmp

Filesize
3.3MB

Download
memory/4256-70-0x00007FF77AB80000-0x00007FF77AED4000-memory.dmp

Filesize
3.3MB

Download
memory/4256-135-0x00007FF77AB80000-0x00007FF77AED4000-memory.dmp

Filesize
3.3MB

Download
memory/4276-150-0x00007FF7BA2C0000-0x00007FF7BA614000-memory.dmp

Filesize
3.3MB

Download
memory/4276-30-0x00007FF7BA2C0000-0x00007FF7BA614000-memory.dmp

Filesize
3.3MB

Download
memory/4276-86-0x00007FF7BA2C0000-0x00007FF7BA614000-memory.dmp

Filesize
3.3MB

Download
memory/4348-146-0x00007FF7D2A00000-0x00007FF7D2D54000-memory.dmp

Filesize
3.3MB

Download
memory/4348-63-0x00007FF7D2A00000-0x00007FF7D2D54000-memory.dmp

Filesize
3.3MB

Download
memory/4348-8-0x00007FF7D2A00000-0x00007FF7D2D54000-memory.dmp

Filesize
3.3MB

Download
memory/4448-151-0x00007FF621BA0000-0x00007FF621EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4448-91-0x00007FF621BA0000-0x00007FF621EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4448-35-0x00007FF621BA0000-0x00007FF621EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4472-143-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp

Filesize
3.3MB

Download
memory/4472-162-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp

Filesize
3.3MB

Download
memory/4472-111-0x00007FF7FE460000-0x00007FF7FE7B4000-memory.dmp

Filesize
3.3MB

Download
memory/4728-160-0x00007FF74FE00000-0x00007FF750154000-memory.dmp

Filesize
3.3MB

Download
memory/4728-97-0x00007FF74FE00000-0x00007FF750154000-memory.dmp

Filesize
3.3MB

Download
memory/4728-141-0x00007FF74FE00000-0x00007FF750154000-memory.dmp

Filesize
3.3MB

Download