cobaltstrike | 7c0b1d1d8f993b9bdc40997b27c64e1027bede8b9c5f903500981401f47e72ce

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

42bdb8e57c5ce804552d1a1c8dbd3cfd
SHA1

b0618f69681f1994c7445682980b98145b1f3c25
SHA256

7c0b1d1d8f993b9bdc40997b27c64e1027bede8b9c5f903500981401f47e72ce
SHA512

4d9decfd2acc575f190d8a431d79ac7fee21ae59a12786a450c52ed0d4315cfc4ff989e682586bb8eff0a58060f0e13a7102d6ca20deccf8f7aab0769b9f8a2f
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ll:RWWBibf56utgpPFotBER/mQ32lUp

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023462-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c1-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-19.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c3-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c4-36.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c7-46.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c9-67.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cb-87.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-90.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cf-99.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-103.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-117.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-113.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cc-96.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ca-85.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234bd-81.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c6-60.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c8-52.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c5-50.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c0-13.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2676-94-0x00007FF75F550000-0x00007FF75F8A1000-memory.dmp	xmrig
behavioral2/memory/2480-89-0x00007FF68DEE0000-0x00007FF68E231000-memory.dmp	xmrig
behavioral2/memory/512-84-0x00007FF6FD650000-0x00007FF6FD9A1000-memory.dmp	xmrig
behavioral2/memory/916-78-0x00007FF620830000-0x00007FF620B81000-memory.dmp	xmrig
behavioral2/memory/3324-69-0x00007FF79E380000-0x00007FF79E6D1000-memory.dmp	xmrig
behavioral2/memory/1424-119-0x00007FF6C34A0000-0x00007FF6C37F1000-memory.dmp	xmrig
behavioral2/memory/3108-120-0x00007FF7D9280000-0x00007FF7D95D1000-memory.dmp	xmrig
behavioral2/memory/3264-128-0x00007FF7707A0000-0x00007FF770AF1000-memory.dmp	xmrig
behavioral2/memory/3712-125-0x00007FF6D8FA0000-0x00007FF6D92F1000-memory.dmp	xmrig
behavioral2/memory/4300-124-0x00007FF7586B0000-0x00007FF758A01000-memory.dmp	xmrig
behavioral2/memory/400-123-0x00007FF6753C0000-0x00007FF675711000-memory.dmp	xmrig
behavioral2/memory/4916-122-0x00007FF622460000-0x00007FF6227B1000-memory.dmp	xmrig
behavioral2/memory/3380-121-0x00007FF66EE00000-0x00007FF66F151000-memory.dmp	xmrig
behavioral2/memory/216-133-0x00007FF7E6B30000-0x00007FF7E6E81000-memory.dmp	xmrig
behavioral2/memory/3104-137-0x00007FF6D7CB0000-0x00007FF6D8001000-memory.dmp	xmrig
behavioral2/memory/2036-139-0x00007FF7CE3C0000-0x00007FF7CE711000-memory.dmp	xmrig
behavioral2/memory/3504-135-0x00007FF7EB0B0000-0x00007FF7EB401000-memory.dmp	xmrig
behavioral2/memory/2908-131-0x00007FF60A060000-0x00007FF60A3B1000-memory.dmp	xmrig
behavioral2/memory/3596-127-0x00007FF773BD0000-0x00007FF773F21000-memory.dmp	xmrig
behavioral2/memory/440-141-0x00007FF70FC60000-0x00007FF70FFB1000-memory.dmp	xmrig
behavioral2/memory/2068-140-0x00007FF6B1180000-0x00007FF6B14D1000-memory.dmp	xmrig
behavioral2/memory/4264-142-0x00007FF677070000-0x00007FF6773C1000-memory.dmp	xmrig
behavioral2/memory/3108-143-0x00007FF7D9280000-0x00007FF7D95D1000-memory.dmp	xmrig
behavioral2/memory/3108-144-0x00007FF7D9280000-0x00007FF7D95D1000-memory.dmp	xmrig
behavioral2/memory/3380-200-0x00007FF66EE00000-0x00007FF66F151000-memory.dmp	xmrig
behavioral2/memory/4916-202-0x00007FF622460000-0x00007FF6227B1000-memory.dmp	xmrig
behavioral2/memory/400-204-0x00007FF6753C0000-0x00007FF675711000-memory.dmp	xmrig
behavioral2/memory/4300-206-0x00007FF7586B0000-0x00007FF758A01000-memory.dmp	xmrig
behavioral2/memory/3324-208-0x00007FF79E380000-0x00007FF79E6D1000-memory.dmp	xmrig
behavioral2/memory/3712-221-0x00007FF6D8FA0000-0x00007FF6D92F1000-memory.dmp	xmrig
behavioral2/memory/512-223-0x00007FF6FD650000-0x00007FF6FD9A1000-memory.dmp	xmrig
behavioral2/memory/3264-226-0x00007FF7707A0000-0x00007FF770AF1000-memory.dmp	xmrig
behavioral2/memory/3596-227-0x00007FF773BD0000-0x00007FF773F21000-memory.dmp	xmrig
behavioral2/memory/916-229-0x00007FF620830000-0x00007FF620B81000-memory.dmp	xmrig
behavioral2/memory/216-236-0x00007FF7E6B30000-0x00007FF7E6E81000-memory.dmp	xmrig
behavioral2/memory/3504-243-0x00007FF7EB0B0000-0x00007FF7EB401000-memory.dmp	xmrig
behavioral2/memory/440-250-0x00007FF70FC60000-0x00007FF70FFB1000-memory.dmp	xmrig
behavioral2/memory/2068-247-0x00007FF6B1180000-0x00007FF6B14D1000-memory.dmp	xmrig
behavioral2/memory/4264-251-0x00007FF677070000-0x00007FF6773C1000-memory.dmp	xmrig
behavioral2/memory/2036-245-0x00007FF7CE3C0000-0x00007FF7CE711000-memory.dmp	xmrig
behavioral2/memory/3104-242-0x00007FF6D7CB0000-0x00007FF6D8001000-memory.dmp	xmrig
behavioral2/memory/2480-240-0x00007FF68DEE0000-0x00007FF68E231000-memory.dmp	xmrig
behavioral2/memory/2908-238-0x00007FF60A060000-0x00007FF60A3B1000-memory.dmp	xmrig
behavioral2/memory/1424-232-0x00007FF6C34A0000-0x00007FF6C37F1000-memory.dmp	xmrig
behavioral2/memory/2676-234-0x00007FF75F550000-0x00007FF75F8A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3380	XgeCwvm.exe
4916	AHPIGeS.exe
400	EQJMjob.exe
4300	xgzZBsi.exe
3712	CVmgsMH.exe
3324	DOYyPPz.exe
3596	mBLhZFq.exe
916	lreMRfa.exe
3264	OpkYDCc.exe
512	BfUbyXX.exe
2908	qWIkcor.exe
2480	DzqpPOf.exe
216	wnBvsis.exe
2676	yMaHGkT.exe
3504	PJffjkr.exe
1424	HTAvExR.exe
3104	EehGmmZ.exe
2036	uPhmOZu.exe
440	XDDNfTg.exe
4264	jpCjcMU.exe
2068	WLcgOqd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3108-0-0x00007FF7D9280000-0x00007FF7D95D1000-memory.dmp	upx
behavioral2/files/0x0009000000023462-4.dat	upx
behavioral2/memory/3380-7-0x00007FF66EE00000-0x00007FF66F151000-memory.dmp	upx
behavioral2/files/0x00070000000234c1-11.dat	upx
behavioral2/files/0x00070000000234c2-19.dat	upx
behavioral2/files/0x00070000000234c3-30.dat	upx
behavioral2/files/0x00070000000234c4-36.dat	upx
behavioral2/files/0x00070000000234c7-46.dat	upx
behavioral2/files/0x00070000000234c9-67.dat	upx
behavioral2/files/0x00070000000234cb-87.dat	upx
behavioral2/files/0x00070000000234cd-90.dat	upx
behavioral2/files/0x00070000000234cf-99.dat	upx
behavioral2/files/0x00070000000234ce-103.dat	upx
behavioral2/files/0x00070000000234d0-117.dat	upx
behavioral2/files/0x00070000000234d2-115.dat	upx
behavioral2/files/0x00070000000234d1-113.dat	upx
behavioral2/files/0x00070000000234cc-96.dat	upx
behavioral2/memory/2676-94-0x00007FF75F550000-0x00007FF75F8A1000-memory.dmp	upx
behavioral2/memory/2480-89-0x00007FF68DEE0000-0x00007FF68E231000-memory.dmp	upx
behavioral2/files/0x00070000000234ca-85.dat	upx
behavioral2/memory/512-84-0x00007FF6FD650000-0x00007FF6FD9A1000-memory.dmp	upx
behavioral2/files/0x00080000000234bd-81.dat	upx
behavioral2/memory/916-78-0x00007FF620830000-0x00007FF620B81000-memory.dmp	upx
behavioral2/memory/3324-69-0x00007FF79E380000-0x00007FF79E6D1000-memory.dmp	upx
behavioral2/files/0x00070000000234c6-60.dat	upx
behavioral2/memory/3264-57-0x00007FF7707A0000-0x00007FF770AF1000-memory.dmp	upx
behavioral2/files/0x00070000000234c8-52.dat	upx
behavioral2/files/0x00070000000234c5-50.dat	upx
behavioral2/memory/3596-45-0x00007FF773BD0000-0x00007FF773F21000-memory.dmp	upx
behavioral2/memory/3712-40-0x00007FF6D8FA0000-0x00007FF6D92F1000-memory.dmp	upx
behavioral2/memory/4300-27-0x00007FF7586B0000-0x00007FF758A01000-memory.dmp	upx
behavioral2/memory/400-22-0x00007FF6753C0000-0x00007FF675711000-memory.dmp	upx
behavioral2/memory/4916-17-0x00007FF622460000-0x00007FF6227B1000-memory.dmp	upx
behavioral2/files/0x00070000000234c0-13.dat	upx
behavioral2/memory/1424-119-0x00007FF6C34A0000-0x00007FF6C37F1000-memory.dmp	upx
behavioral2/memory/3108-120-0x00007FF7D9280000-0x00007FF7D95D1000-memory.dmp	upx
behavioral2/memory/3264-128-0x00007FF7707A0000-0x00007FF770AF1000-memory.dmp	upx
behavioral2/memory/3712-125-0x00007FF6D8FA0000-0x00007FF6D92F1000-memory.dmp	upx
behavioral2/memory/4300-124-0x00007FF7586B0000-0x00007FF758A01000-memory.dmp	upx
behavioral2/memory/400-123-0x00007FF6753C0000-0x00007FF675711000-memory.dmp	upx
behavioral2/memory/4916-122-0x00007FF622460000-0x00007FF6227B1000-memory.dmp	upx
behavioral2/memory/3380-121-0x00007FF66EE00000-0x00007FF66F151000-memory.dmp	upx
behavioral2/memory/216-133-0x00007FF7E6B30000-0x00007FF7E6E81000-memory.dmp	upx
behavioral2/memory/3104-137-0x00007FF6D7CB0000-0x00007FF6D8001000-memory.dmp	upx
behavioral2/memory/2036-139-0x00007FF7CE3C0000-0x00007FF7CE711000-memory.dmp	upx
behavioral2/memory/3504-135-0x00007FF7EB0B0000-0x00007FF7EB401000-memory.dmp	upx
behavioral2/memory/2908-131-0x00007FF60A060000-0x00007FF60A3B1000-memory.dmp	upx
behavioral2/memory/3596-127-0x00007FF773BD0000-0x00007FF773F21000-memory.dmp	upx
behavioral2/memory/440-141-0x00007FF70FC60000-0x00007FF70FFB1000-memory.dmp	upx
behavioral2/memory/2068-140-0x00007FF6B1180000-0x00007FF6B14D1000-memory.dmp	upx
behavioral2/memory/4264-142-0x00007FF677070000-0x00007FF6773C1000-memory.dmp	upx
behavioral2/memory/3108-143-0x00007FF7D9280000-0x00007FF7D95D1000-memory.dmp	upx
behavioral2/memory/3108-144-0x00007FF7D9280000-0x00007FF7D95D1000-memory.dmp	upx
behavioral2/memory/3380-200-0x00007FF66EE00000-0x00007FF66F151000-memory.dmp	upx
behavioral2/memory/4916-202-0x00007FF622460000-0x00007FF6227B1000-memory.dmp	upx
behavioral2/memory/400-204-0x00007FF6753C0000-0x00007FF675711000-memory.dmp	upx
behavioral2/memory/4300-206-0x00007FF7586B0000-0x00007FF758A01000-memory.dmp	upx
behavioral2/memory/3324-208-0x00007FF79E380000-0x00007FF79E6D1000-memory.dmp	upx
behavioral2/memory/3712-221-0x00007FF6D8FA0000-0x00007FF6D92F1000-memory.dmp	upx
behavioral2/memory/512-223-0x00007FF6FD650000-0x00007FF6FD9A1000-memory.dmp	upx
behavioral2/memory/3264-226-0x00007FF7707A0000-0x00007FF770AF1000-memory.dmp	upx
behavioral2/memory/3596-227-0x00007FF773BD0000-0x00007FF773F21000-memory.dmp	upx
behavioral2/memory/916-229-0x00007FF620830000-0x00007FF620B81000-memory.dmp	upx
behavioral2/memory/216-236-0x00007FF7E6B30000-0x00007FF7E6E81000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\yMaHGkT.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xgzZBsi.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CVmgsMH.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mBLhZFq.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BfUbyXX.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DzqpPOf.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wnBvsis.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PJffjkr.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HTAvExR.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EQJMjob.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XDDNfTg.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OpkYDCc.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lreMRfa.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qWIkcor.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EehGmmZ.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jpCjcMU.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DOYyPPz.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AHPIGeS.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uPhmOZu.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WLcgOqd.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XgeCwvm.exe	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 3380	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3108 wrote to memory of 3380	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3108 wrote to memory of 4916	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3108 wrote to memory of 4916	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3108 wrote to memory of 400	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3108 wrote to memory of 400	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3108 wrote to memory of 4300	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3108 wrote to memory of 4300	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3108 wrote to memory of 3712	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3108 wrote to memory of 3712	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3108 wrote to memory of 3324	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3108 wrote to memory of 3324	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3108 wrote to memory of 3596	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3108 wrote to memory of 3596	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3108 wrote to memory of 3264	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3108 wrote to memory of 3264	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3108 wrote to memory of 916	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3108 wrote to memory of 916	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3108 wrote to memory of 512	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3108 wrote to memory of 512	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3108 wrote to memory of 2908	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3108 wrote to memory of 2908	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3108 wrote to memory of 2480	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3108 wrote to memory of 2480	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3108 wrote to memory of 216	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3108 wrote to memory of 216	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3108 wrote to memory of 2676	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3108 wrote to memory of 2676	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3108 wrote to memory of 3504	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3108 wrote to memory of 3504	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3108 wrote to memory of 1424	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3108 wrote to memory of 1424	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3108 wrote to memory of 3104	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3108 wrote to memory of 3104	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3108 wrote to memory of 2036	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3108 wrote to memory of 2036	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3108 wrote to memory of 2068	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3108 wrote to memory of 2068	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3108 wrote to memory of 440	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3108 wrote to memory of 440	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3108 wrote to memory of 4264	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3108 wrote to memory of 4264	3108	2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_42bdb8e57c5ce804552d1a1c8dbd3cfd_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\System\XgeCwvm.exe
  C:\Windows\System\XgeCwvm.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System\AHPIGeS.exe
  C:\Windows\System\AHPIGeS.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\EQJMjob.exe
  C:\Windows\System\EQJMjob.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\xgzZBsi.exe
  C:\Windows\System\xgzZBsi.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\CVmgsMH.exe
  C:\Windows\System\CVmgsMH.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System\DOYyPPz.exe
  C:\Windows\System\DOYyPPz.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System\mBLhZFq.exe
  C:\Windows\System\mBLhZFq.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\OpkYDCc.exe
  C:\Windows\System\OpkYDCc.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\lreMRfa.exe
  C:\Windows\System\lreMRfa.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System\BfUbyXX.exe
  C:\Windows\System\BfUbyXX.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System\qWIkcor.exe
  C:\Windows\System\qWIkcor.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System\DzqpPOf.exe
  C:\Windows\System\DzqpPOf.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\wnBvsis.exe
  C:\Windows\System\wnBvsis.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\yMaHGkT.exe
  C:\Windows\System\yMaHGkT.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\PJffjkr.exe
  C:\Windows\System\PJffjkr.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\HTAvExR.exe
  C:\Windows\System\HTAvExR.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System\EehGmmZ.exe
  C:\Windows\System\EehGmmZ.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\uPhmOZu.exe
  C:\Windows\System\uPhmOZu.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\WLcgOqd.exe
  C:\Windows\System\WLcgOqd.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\XDDNfTg.exe
  C:\Windows\System\XDDNfTg.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System\jpCjcMU.exe
  C:\Windows\System\jpCjcMU.exe
  2⤵
  - Executes dropped EXE
  PID:4264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AHPIGeS.exe

Filesize
5.2MB

MD5
fc0978958c1f3b97c396bd5307bbcd6b

SHA1
863867afb9fa0e3e7bec675555aba47ef33b5606

SHA256
12628df11eb6d9aa592c66491debfd9b10a75b0f7c183ff0c1d61730baa2b9d9

SHA512
2d38e60bf2d279fe2de38440cc6adc996b654387f763b2b27c104a62614dd9432eba38f3f73782ea4a46482f2c313a58894383f69a1c1a828f55d0e2f5eddc20

Download Submit
C:\Windows\System\BfUbyXX.exe

Filesize
5.2MB

MD5
459e24d28effbffe0f69b72d26a0335a

SHA1
01e9dc05c090ae18e54122866c6b229e0ca520dc

SHA256
81d32df3d6e207d3e55557879dc55e919044aaaa0aaa3c25b87148da4b654da5

SHA512
b74b8111e8441a56839c1b6dae090f683504966f4a43f28d86090f5703d81a6301c33afd557e28e3b0a5f44932ab654e3fd46313af12e8ee8cee50255af700ed

Download Submit
C:\Windows\System\CVmgsMH.exe

Filesize
5.2MB

MD5
a6610f6159e9fa4cf309ff5d3346cebc

SHA1
2746c635dad9cb2702fa3d9a8e0aa4898d7eee14

SHA256
95a0821208f81ec8c4ab0fb68894c06c51babe2b8830ec242c2b75f6db320b6e

SHA512
5f953f6b916d6e04747d1a9d2143fd149d90d71f2e1cfc2a369590d68a94a5dbb84bd3b63876dfe1f4908c8bfb11eab85f55dd9d30e8dee51a358fccfdf61392

Download Submit
C:\Windows\System\DOYyPPz.exe

Filesize
5.2MB

MD5
f872d95cd415c08d95d5f761d3ed36d1

SHA1
f8c210547653aa67494faa10f32fcb22771b3c6f

SHA256
0af2eec6189684d620324192ba5728b00478d30ad5356a61e5a7fa5dffab589b

SHA512
78e3d9a0de79e383aed7d7f6323899e83fa7e2836708cbfe60909a79bc88627ebdcff7692f4de6227f1170c7008031688f63e3a4788c45c0b6a1686877c90edc

Download Submit
C:\Windows\System\DzqpPOf.exe

Filesize
5.2MB

MD5
1c0f794a033b0fe362037369858a7b18

SHA1
85577a694939d3d0f13215d46160033156afbca4

SHA256
7bf449a6c83c325707893ad8c5b4c69f7390ec310fe1ab9a1ab42c0b021985a4

SHA512
53b01d13bc09094542673ac1dd0a39d8f0a7609443c1d834156ddd6a3530afb9902dd0316ec6d84d7261c8127d39b9dd458dd6fecb1e25becb87b4b8a6fa870b

Download Submit
C:\Windows\System\EQJMjob.exe

Filesize
5.2MB

MD5
730985074da64c91c1bff80cec79c2bc

SHA1
f1a89a114798274e72b52565d7943fa01f40d7f7

SHA256
f56b987e8f3b6aa561a4e78f7b1c39448ed4b996e2746b9ef92f6c77a0aaf21a

SHA512
c0ea4d268c58996116e587b4e42e9b1f92a226ae50f4931d6529697796bda15816427bc3b721fc0d27072a0f805c13941c312b737dbdffe4bf1b020b4ee6b790

Download Submit
C:\Windows\System\EehGmmZ.exe

Filesize
5.2MB

MD5
6e80f18c8f9cdec86e388687dff14452

SHA1
00a4779b0b28f6bbb781ed6f8b2af796bb140b19

SHA256
43bb2eeace1981a2b071f8a0fc4ba7434d74fb8153493a05b60bb7461f5f73b9

SHA512
9fef11a414192e8c18c0b6dc0b8bea259f71489f41217b8f94735fa2df80d5fc8b2a84f3f5bcda2bd802586a5df637cb8d41b23ac977f4176c74884fb860ae8a

Download Submit
C:\Windows\System\HTAvExR.exe

Filesize
5.2MB

MD5
5f2fc6b0714bbc640c14c2849028b530

SHA1
5f8eb49e53615e29e66d148cc00ff502747ddc4b

SHA256
8a36bc77265fa46dfd2a7a7340b7bc40a7099c5eab13f96dff9c52466536df5d

SHA512
78e800333578ee5a58f47de207b71d183c66f48e595e8aa0fe8d477c84de54b37c3ceccb3a0eba6a11885345d63f2ba284b16d170d28644ff4c6e97dd301b33a

Download Submit
C:\Windows\System\OpkYDCc.exe

Filesize
5.2MB

MD5
0e28e94e38cab40193102de77ec0f167

SHA1
1b99465b0cdc1c1d5230806b25155b68e7cff7b2

SHA256
fb9aa3c44ffafe7853091a0db59ccd48d3468df1d2ea8ba96928feb5c80381f7

SHA512
2b672b4117b92e3e92767637fee761f927fd12bf69c62e333fd84aeea5d0997099f1bedb2bdc837cfbe2ad5e6100d24d1fdb3e5aae595b740262ea7e16b7f6e7

Download Submit
C:\Windows\System\PJffjkr.exe

Filesize
5.2MB

MD5
78a159b6e6ed40f4080009be09db15cb

SHA1
4d102600fc50b67c8d73145cc8a3245cb11904b0

SHA256
7f3340c8f36a087eb84c5fe55333d992c117e9c8d80062f303f8e6109bc016a0

SHA512
d0233afab28540888d4677997ccd19dc363d1e7d1392f71ce1b85736da6464d0d13b3b05992fa3a141e6c9b24b6f54ba9d291990f3b4ba52eaa112d67c2daec0

Download Submit
C:\Windows\System\WLcgOqd.exe

Filesize
5.2MB

MD5
7a326290f68c4152ba6541ad62f98e72

SHA1
5cdd1cf594cedf96fab14d433095d784d3eadf4a

SHA256
6698d70347417ac6183591987425a8c06dfd8cd9eb25c1390aa6b1425b6a6a4b

SHA512
645121099e5abf6f6ba5153d4c44db6e1b7823c99736019d55352705511342ad8117b1d9e04cfa358e85591e97cb4b9320ee26f77deb17104ed504943d0c0ce9

Download Submit
C:\Windows\System\XDDNfTg.exe

Filesize
5.2MB

MD5
94a6819c2fd6f1f7cdae007fe9b15057

SHA1
584aaae12bc3d2a5ab0a80a2e6d04ef8a828f9ee

SHA256
4701c6c83dfc57e3b6acb48e54f76cab4c81cf19ab79e07056d5b794f82ec7d7

SHA512
f63cbab34f55d393520c4ec04508abade04bf06408748d7bf15d6b7e34adc2759a639cccad733628ba8f6c840b3f1fee4f92605d93286ef4152c474bef6c30a8

Download Submit
C:\Windows\System\XgeCwvm.exe

Filesize
5.2MB

MD5
e8ba1d9d5b974e38fdf5893e8ad82d3e

SHA1
65e58e8258e1c1eaf0d9ed2fc29b63075b028531

SHA256
70563c427422689abdb257437ae1d24cc6dea1abdedb25ff20d91c4798b2dfe6

SHA512
4510d71ea15cb010e1183d71aacf93582d371173a74f75a7cd0724013e67fc57023c3cb478b169f37b503e2b2bcbe9b311df31d0e7f7715ea6e17c93a22c6bfa

Download Submit
C:\Windows\System\jpCjcMU.exe

Filesize
5.2MB

MD5
dcb4efb9b4b708e93b158b040e093746

SHA1
8daad8a3e6c8acf9c9226c0b372aa4edea31ae4f

SHA256
dc6f5342412877f495c1c5be7765c1de6e8416e0b8b254923c22aa73f4b101e9

SHA512
232b9651c115f4df7d677ba3256f55fbaa797f3ba71479282d61087a4838d66879b36d1b6f271cef02149e11a1a0254f39ebd65ea1c5e368e49ef6d5cd704c69

Download Submit
C:\Windows\System\lreMRfa.exe

Filesize
5.2MB

MD5
58732b898f209705dd90bf2607535c21

SHA1
2b25f56acb254451b54ebde7c1a74ef3f6926822

SHA256
1e70fadc43e7e9004ed0346737790b0f42ff473d886bbe789fad738402fe9e2e

SHA512
4f737e934d2b88f4c184f7c1f04bfa4694e19776e3215c5389ceb674829cd52e15cfe7878fa0202788dd2b611caecb7b62fe762475f210c5382bf307b7f0297a

Download Submit
C:\Windows\System\mBLhZFq.exe

Filesize
5.2MB

MD5
f4ee6ffe3e27dcc2783149b4a0fedd8a

SHA1
60117a35df6119b5e8d7a18a47345f9403427435

SHA256
312d6328ab7bf8b5e294ecdd2b6db3a13dd6bfeae824912c569523903ddd7c39

SHA512
6b7531eab3c981a2607ddaa41b389ae56d7273f37bc0afaa713bc3adecb6b2acb7f4494ee21fcb56ead99bd28c33b18b7ecfc959a9e14e2e23c38ba97c1b095b

Download Submit
C:\Windows\System\qWIkcor.exe

Filesize
5.2MB

MD5
0e91eebea8e7ce929698c3a9e0091fb1

SHA1
218a445dad9d398927e450e4f922b79dd31ee709

SHA256
5840afc78287398b85177d7a23c5408139d94fd6da3b1d6e29ccb6a5ce37533f

SHA512
d467bee8d7079e019e5b7add4a3c6ae5facc27627e118b0112a3d65abda9cefa07468c8325731665834a6fbd9777d6745b12175b0bab35715c0106d6873b7b27

Download Submit
C:\Windows\System\uPhmOZu.exe

Filesize
5.2MB

MD5
efdd5ab867b2a8b30e1c73c228c189b7

SHA1
7b303c735d69d6fbae297a965f475d15d3e1dbc7

SHA256
5be19b08b3be526ab7972f77e84bd2f8440e7d4c1970fa6f59fed69eae0eaac4

SHA512
cca28ec54b76facb2a28d01e0905b77bf23f8cc63595f79c94ee8a1daf66e346339e4447b4b6350ce5c73837b428b5087b652f1e3edbe923cde98622308f183b

Download Submit
C:\Windows\System\wnBvsis.exe

Filesize
5.2MB

MD5
4da2069e90392ff21f43778972889788

SHA1
698813b2d807e41760a258cc45e2cea0543dc5dd

SHA256
2ff23a2c6d79cc7289ee67ac84ad35b71c731b460dd0c2815f4c019f5a13dfa6

SHA512
942fe7184af1f76394200b7621f985f7e19df2ce23e3c4c30aa9e1ec8651325f27c9f19a37dd79b234ed64588975d836e30430d938ba4074fce56750543f7a47

Download Submit
C:\Windows\System\xgzZBsi.exe

Filesize
5.2MB

MD5
7c354c37f39312fae42bd30267fd7850

SHA1
b383fda70db08d435e367083f997f2259902c815

SHA256
2292bdbd6688827920c172ab514d0a79ae74953aa2f2a6ed31193996553b5023

SHA512
917bc60bbd1d4009b60db08451b6f86dcb1e35865c0bd9a3586bda568ccdff25d3a1ef2da4f02897e0b1548253215e2022e21408ea796a4bf45fff527ff9f1e8

Download Submit
C:\Windows\System\yMaHGkT.exe

Filesize
5.2MB

MD5
5fa68438bec3d355504d7570213f4a0e

SHA1
07c3cc4d47e4c6cc919f2d043d68cb1cb73ab09b

SHA256
5c46cfd54e56d49518f9eb8e9910ace4fbe9ed25b18e4a8601a7533c1e4ae2e1

SHA512
6485bd262cf175a0908bb68e36c947e1c0ab3a7b6808d9bf37585c157a51edc0c94c0ce4211a1b2c4af69cdc5dba9530fcec77bd564d7fc58014df10168ffbfa

Download Submit
memory/216-133-0x00007FF7E6B30000-0x00007FF7E6E81000-memory.dmp

Filesize
3.3MB

Download
memory/216-236-0x00007FF7E6B30000-0x00007FF7E6E81000-memory.dmp

Filesize
3.3MB

Download
memory/400-22-0x00007FF6753C0000-0x00007FF675711000-memory.dmp

Filesize
3.3MB

Download
memory/400-123-0x00007FF6753C0000-0x00007FF675711000-memory.dmp

Filesize
3.3MB

Download
memory/400-204-0x00007FF6753C0000-0x00007FF675711000-memory.dmp

Filesize
3.3MB

Download
memory/440-250-0x00007FF70FC60000-0x00007FF70FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/440-141-0x00007FF70FC60000-0x00007FF70FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/512-84-0x00007FF6FD650000-0x00007FF6FD9A1000-memory.dmp

Filesize
3.3MB

Download
memory/512-223-0x00007FF6FD650000-0x00007FF6FD9A1000-memory.dmp

Filesize
3.3MB

Download
memory/916-78-0x00007FF620830000-0x00007FF620B81000-memory.dmp

Filesize
3.3MB

Download
memory/916-229-0x00007FF620830000-0x00007FF620B81000-memory.dmp

Filesize
3.3MB

Download
memory/1424-232-0x00007FF6C34A0000-0x00007FF6C37F1000-memory.dmp

Filesize
3.3MB

Download
memory/1424-119-0x00007FF6C34A0000-0x00007FF6C37F1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-245-0x00007FF7CE3C0000-0x00007FF7CE711000-memory.dmp

Filesize
3.3MB

Download
memory/2036-139-0x00007FF7CE3C0000-0x00007FF7CE711000-memory.dmp

Filesize
3.3MB

Download
memory/2068-247-0x00007FF6B1180000-0x00007FF6B14D1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-140-0x00007FF6B1180000-0x00007FF6B14D1000-memory.dmp

Filesize
3.3MB

Download
memory/2480-240-0x00007FF68DEE0000-0x00007FF68E231000-memory.dmp

Filesize
3.3MB

Download
memory/2480-89-0x00007FF68DEE0000-0x00007FF68E231000-memory.dmp

Filesize
3.3MB

Download
memory/2676-234-0x00007FF75F550000-0x00007FF75F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-94-0x00007FF75F550000-0x00007FF75F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2908-238-0x00007FF60A060000-0x00007FF60A3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2908-131-0x00007FF60A060000-0x00007FF60A3B1000-memory.dmp

Filesize
3.3MB

Download
memory/3104-242-0x00007FF6D7CB0000-0x00007FF6D8001000-memory.dmp

Filesize
3.3MB

Download
memory/3104-137-0x00007FF6D7CB0000-0x00007FF6D8001000-memory.dmp

Filesize
3.3MB

Download
memory/3108-120-0x00007FF7D9280000-0x00007FF7D95D1000-memory.dmp

Filesize
3.3MB

Download
memory/3108-1-0x00000235197B0000-0x00000235197C0000-memory.dmp

Filesize
64KB

Download
memory/3108-0-0x00007FF7D9280000-0x00007FF7D95D1000-memory.dmp

Filesize
3.3MB

Download
memory/3108-143-0x00007FF7D9280000-0x00007FF7D95D1000-memory.dmp

Filesize
3.3MB

Download
memory/3108-144-0x00007FF7D9280000-0x00007FF7D95D1000-memory.dmp

Filesize
3.3MB

Download
memory/3264-57-0x00007FF7707A0000-0x00007FF770AF1000-memory.dmp

Filesize
3.3MB

Download
memory/3264-128-0x00007FF7707A0000-0x00007FF770AF1000-memory.dmp

Filesize
3.3MB

Download
memory/3264-226-0x00007FF7707A0000-0x00007FF770AF1000-memory.dmp

Filesize
3.3MB

Download
memory/3324-208-0x00007FF79E380000-0x00007FF79E6D1000-memory.dmp

Filesize
3.3MB

Download
memory/3324-69-0x00007FF79E380000-0x00007FF79E6D1000-memory.dmp

Filesize
3.3MB

Download
memory/3380-200-0x00007FF66EE00000-0x00007FF66F151000-memory.dmp

Filesize
3.3MB

Download
memory/3380-7-0x00007FF66EE00000-0x00007FF66F151000-memory.dmp

Filesize
3.3MB

Download
memory/3380-121-0x00007FF66EE00000-0x00007FF66F151000-memory.dmp

Filesize
3.3MB

Download
memory/3504-243-0x00007FF7EB0B0000-0x00007FF7EB401000-memory.dmp

Filesize
3.3MB

Download
memory/3504-135-0x00007FF7EB0B0000-0x00007FF7EB401000-memory.dmp

Filesize
3.3MB

Download
memory/3596-127-0x00007FF773BD0000-0x00007FF773F21000-memory.dmp

Filesize
3.3MB

Download
memory/3596-45-0x00007FF773BD0000-0x00007FF773F21000-memory.dmp

Filesize
3.3MB

Download
memory/3596-227-0x00007FF773BD0000-0x00007FF773F21000-memory.dmp

Filesize
3.3MB

Download
memory/3712-40-0x00007FF6D8FA0000-0x00007FF6D92F1000-memory.dmp

Filesize
3.3MB

Download
memory/3712-125-0x00007FF6D8FA0000-0x00007FF6D92F1000-memory.dmp

Filesize
3.3MB

Download
memory/3712-221-0x00007FF6D8FA0000-0x00007FF6D92F1000-memory.dmp

Filesize
3.3MB

Download
memory/4264-142-0x00007FF677070000-0x00007FF6773C1000-memory.dmp

Filesize
3.3MB

Download
memory/4264-251-0x00007FF677070000-0x00007FF6773C1000-memory.dmp

Filesize
3.3MB

Download
memory/4300-27-0x00007FF7586B0000-0x00007FF758A01000-memory.dmp

Filesize
3.3MB

Download
memory/4300-206-0x00007FF7586B0000-0x00007FF758A01000-memory.dmp

Filesize
3.3MB

Download
memory/4300-124-0x00007FF7586B0000-0x00007FF758A01000-memory.dmp

Filesize
3.3MB

Download
memory/4916-17-0x00007FF622460000-0x00007FF6227B1000-memory.dmp

Filesize
3.3MB

Download
memory/4916-202-0x00007FF622460000-0x00007FF6227B1000-memory.dmp

Filesize
3.3MB

Download
memory/4916-122-0x00007FF622460000-0x00007FF6227B1000-memory.dmp

Filesize
3.3MB

Download