cobaltstrike | 1b931f8682b49d9b578e6599b2df44c207898cfbbe75ef7534af6997b7cc9414

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

9341a9b8bf611882fa84ba95a57057d2
SHA1

572f1b7fbe4cd9b9e148d0a84f15ae6fd4bdc122
SHA256

1b931f8682b49d9b578e6599b2df44c207898cfbbe75ef7534af6997b7cc9414
SHA512

480e12c0837571532f099d416311ed9af4b72fe8034acfd095887a5ad44d25c18e4d70fe25f5381c96295e98423c110e4258cfb0200f83dddd45952b9161d7fd
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUP:T+856utgpPF8u/7P

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023396-4.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002339f-11.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001db75-17.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001db77-28.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001db76-27.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001db78-34.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e6a5-41.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e6a7-46.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233a1-53.dat	cobalt_reflective_dll
behavioral2/files/0x000c0000000233a9-64.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233aa-71.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233a2-70.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233ac-82.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023462-89.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023465-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-126.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-132.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-137.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3500-0-0x00007FF61AC20000-0x00007FF61AF74000-memory.dmp	xmrig
behavioral2/files/0x000a000000023396-4.dat	xmrig
behavioral2/memory/4948-6-0x00007FF6B5AA0000-0x00007FF6B5DF4000-memory.dmp	xmrig
behavioral2/files/0x000800000002339f-11.dat	xmrig
behavioral2/files/0x000400000001db75-17.dat	xmrig
behavioral2/files/0x000400000001db77-28.dat	xmrig
behavioral2/memory/5116-29-0x00007FF762180000-0x00007FF7624D4000-memory.dmp	xmrig
behavioral2/files/0x000400000001db76-27.dat	xmrig
behavioral2/memory/764-22-0x00007FF73C820000-0x00007FF73CB74000-memory.dmp	xmrig
behavioral2/memory/4924-21-0x00007FF6B6570000-0x00007FF6B68C4000-memory.dmp	xmrig
behavioral2/memory/1632-14-0x00007FF6F1B30000-0x00007FF6F1E84000-memory.dmp	xmrig
behavioral2/files/0x000400000001db78-34.dat	xmrig
behavioral2/memory/1732-36-0x00007FF7BAB20000-0x00007FF7BAE74000-memory.dmp	xmrig
behavioral2/files/0x000200000001e6a5-41.dat	xmrig
behavioral2/memory/5068-42-0x00007FF6DBDB0000-0x00007FF6DC104000-memory.dmp	xmrig
behavioral2/files/0x000200000001e6a7-46.dat	xmrig
behavioral2/memory/1380-48-0x00007FF610310000-0x00007FF610664000-memory.dmp	xmrig
behavioral2/files/0x00080000000233a1-53.dat	xmrig
behavioral2/memory/3500-54-0x00007FF61AC20000-0x00007FF61AF74000-memory.dmp	xmrig
behavioral2/memory/3952-55-0x00007FF7A4DD0000-0x00007FF7A5124000-memory.dmp	xmrig
behavioral2/memory/4948-61-0x00007FF6B5AA0000-0x00007FF6B5DF4000-memory.dmp	xmrig
behavioral2/files/0x000c0000000233a9-64.dat	xmrig
behavioral2/files/0x00080000000233aa-71.dat	xmrig
behavioral2/memory/3036-73-0x00007FF7C9750000-0x00007FF7C9AA4000-memory.dmp	xmrig
behavioral2/memory/4560-72-0x00007FF6FCF50000-0x00007FF6FD2A4000-memory.dmp	xmrig
behavioral2/files/0x00080000000233a2-70.dat	xmrig
behavioral2/memory/4924-67-0x00007FF6B6570000-0x00007FF6B68C4000-memory.dmp	xmrig
behavioral2/memory/1632-66-0x00007FF6F1B30000-0x00007FF6F1E84000-memory.dmp	xmrig
behavioral2/memory/3240-65-0x00007FF731760000-0x00007FF731AB4000-memory.dmp	xmrig
behavioral2/memory/764-79-0x00007FF73C820000-0x00007FF73CB74000-memory.dmp	xmrig
behavioral2/files/0x00080000000233ac-82.dat	xmrig
behavioral2/memory/5116-84-0x00007FF762180000-0x00007FF7624D4000-memory.dmp	xmrig
behavioral2/memory/1548-86-0x00007FF688380000-0x00007FF6886D4000-memory.dmp	xmrig
behavioral2/files/0x0009000000023462-89.dat	xmrig
behavioral2/files/0x0008000000023465-94.dat	xmrig
behavioral2/memory/4796-96-0x00007FF725370000-0x00007FF7256C4000-memory.dmp	xmrig
behavioral2/memory/1732-95-0x00007FF7BAB20000-0x00007FF7BAE74000-memory.dmp	xmrig
behavioral2/memory/4876-90-0x00007FF6C62F0000-0x00007FF6C6644000-memory.dmp	xmrig
behavioral2/files/0x0007000000023466-101.dat	xmrig
behavioral2/memory/5068-107-0x00007FF6DBDB0000-0x00007FF6DC104000-memory.dmp	xmrig
behavioral2/files/0x0007000000023467-109.dat	xmrig
behavioral2/memory/4460-111-0x00007FF71E230000-0x00007FF71E584000-memory.dmp	xmrig
behavioral2/memory/1380-110-0x00007FF610310000-0x00007FF610664000-memory.dmp	xmrig
behavioral2/memory/468-108-0x00007FF7274B0000-0x00007FF727804000-memory.dmp	xmrig
behavioral2/files/0x0007000000023468-118.dat	xmrig
behavioral2/memory/4344-120-0x00007FF62B9E0000-0x00007FF62BD34000-memory.dmp	xmrig
behavioral2/memory/4560-119-0x00007FF6FCF50000-0x00007FF6FD2A4000-memory.dmp	xmrig
behavioral2/memory/3240-117-0x00007FF731760000-0x00007FF731AB4000-memory.dmp	xmrig
behavioral2/memory/3952-115-0x00007FF7A4DD0000-0x00007FF7A5124000-memory.dmp	xmrig
behavioral2/files/0x0007000000023469-126.dat	xmrig
behavioral2/memory/1540-128-0x00007FF799E10000-0x00007FF79A164000-memory.dmp	xmrig
behavioral2/memory/3036-127-0x00007FF7C9750000-0x00007FF7C9AA4000-memory.dmp	xmrig
behavioral2/files/0x000700000002346a-132.dat	xmrig
behavioral2/files/0x000700000002346b-137.dat	xmrig
behavioral2/memory/2852-135-0x00007FF609BC0000-0x00007FF609F14000-memory.dmp	xmrig
behavioral2/memory/1628-140-0x00007FF7B63E0000-0x00007FF7B6734000-memory.dmp	xmrig
behavioral2/memory/4876-141-0x00007FF6C62F0000-0x00007FF6C6644000-memory.dmp	xmrig
behavioral2/memory/4796-142-0x00007FF725370000-0x00007FF7256C4000-memory.dmp	xmrig
behavioral2/memory/4460-143-0x00007FF71E230000-0x00007FF71E584000-memory.dmp	xmrig
behavioral2/memory/4344-144-0x00007FF62B9E0000-0x00007FF62BD34000-memory.dmp	xmrig
behavioral2/memory/1540-145-0x00007FF799E10000-0x00007FF79A164000-memory.dmp	xmrig
behavioral2/memory/2852-146-0x00007FF609BC0000-0x00007FF609F14000-memory.dmp	xmrig
behavioral2/memory/4948-147-0x00007FF6B5AA0000-0x00007FF6B5DF4000-memory.dmp	xmrig
behavioral2/memory/1632-148-0x00007FF6F1B30000-0x00007FF6F1E84000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4948	QLmIaEY.exe
1632	rarYFuc.exe
4924	IwYEolv.exe
764	XSgJhIt.exe
5116	fZxsIUm.exe
1732	nLMshba.exe
5068	LQBKgtg.exe
1380	gcGzaXP.exe
3952	JqVOqaM.exe
3240	DJXlPdT.exe
4560	xPjAZFD.exe
3036	mzdoJnm.exe
1548	hPDdvyP.exe
4876	HKxAAsd.exe
4796	ZcFOnwi.exe
468	OavGWur.exe
4460	CXlgXca.exe
4344	Engzrmy.exe
1540	mtrUWlY.exe
2852	vAGpHba.exe
1628	GLRoNGQ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3500-0-0x00007FF61AC20000-0x00007FF61AF74000-memory.dmp	upx
behavioral2/files/0x000a000000023396-4.dat	upx
behavioral2/memory/4948-6-0x00007FF6B5AA0000-0x00007FF6B5DF4000-memory.dmp	upx
behavioral2/files/0x000800000002339f-11.dat	upx
behavioral2/files/0x000400000001db75-17.dat	upx
behavioral2/files/0x000400000001db77-28.dat	upx
behavioral2/memory/5116-29-0x00007FF762180000-0x00007FF7624D4000-memory.dmp	upx
behavioral2/files/0x000400000001db76-27.dat	upx
behavioral2/memory/764-22-0x00007FF73C820000-0x00007FF73CB74000-memory.dmp	upx
behavioral2/memory/4924-21-0x00007FF6B6570000-0x00007FF6B68C4000-memory.dmp	upx
behavioral2/memory/1632-14-0x00007FF6F1B30000-0x00007FF6F1E84000-memory.dmp	upx
behavioral2/files/0x000400000001db78-34.dat	upx
behavioral2/memory/1732-36-0x00007FF7BAB20000-0x00007FF7BAE74000-memory.dmp	upx
behavioral2/files/0x000200000001e6a5-41.dat	upx
behavioral2/memory/5068-42-0x00007FF6DBDB0000-0x00007FF6DC104000-memory.dmp	upx
behavioral2/files/0x000200000001e6a7-46.dat	upx
behavioral2/memory/1380-48-0x00007FF610310000-0x00007FF610664000-memory.dmp	upx
behavioral2/files/0x00080000000233a1-53.dat	upx
behavioral2/memory/3500-54-0x00007FF61AC20000-0x00007FF61AF74000-memory.dmp	upx
behavioral2/memory/3952-55-0x00007FF7A4DD0000-0x00007FF7A5124000-memory.dmp	upx
behavioral2/memory/4948-61-0x00007FF6B5AA0000-0x00007FF6B5DF4000-memory.dmp	upx
behavioral2/files/0x000c0000000233a9-64.dat	upx
behavioral2/files/0x00080000000233aa-71.dat	upx
behavioral2/memory/3036-73-0x00007FF7C9750000-0x00007FF7C9AA4000-memory.dmp	upx
behavioral2/memory/4560-72-0x00007FF6FCF50000-0x00007FF6FD2A4000-memory.dmp	upx
behavioral2/files/0x00080000000233a2-70.dat	upx
behavioral2/memory/4924-67-0x00007FF6B6570000-0x00007FF6B68C4000-memory.dmp	upx
behavioral2/memory/1632-66-0x00007FF6F1B30000-0x00007FF6F1E84000-memory.dmp	upx
behavioral2/memory/3240-65-0x00007FF731760000-0x00007FF731AB4000-memory.dmp	upx
behavioral2/memory/764-79-0x00007FF73C820000-0x00007FF73CB74000-memory.dmp	upx
behavioral2/files/0x00080000000233ac-82.dat	upx
behavioral2/memory/5116-84-0x00007FF762180000-0x00007FF7624D4000-memory.dmp	upx
behavioral2/memory/1548-86-0x00007FF688380000-0x00007FF6886D4000-memory.dmp	upx
behavioral2/files/0x0009000000023462-89.dat	upx
behavioral2/files/0x0008000000023465-94.dat	upx
behavioral2/memory/4796-96-0x00007FF725370000-0x00007FF7256C4000-memory.dmp	upx
behavioral2/memory/1732-95-0x00007FF7BAB20000-0x00007FF7BAE74000-memory.dmp	upx
behavioral2/memory/4876-90-0x00007FF6C62F0000-0x00007FF6C6644000-memory.dmp	upx
behavioral2/files/0x0007000000023466-101.dat	upx
behavioral2/memory/5068-107-0x00007FF6DBDB0000-0x00007FF6DC104000-memory.dmp	upx
behavioral2/files/0x0007000000023467-109.dat	upx
behavioral2/memory/4460-111-0x00007FF71E230000-0x00007FF71E584000-memory.dmp	upx
behavioral2/memory/1380-110-0x00007FF610310000-0x00007FF610664000-memory.dmp	upx
behavioral2/memory/468-108-0x00007FF7274B0000-0x00007FF727804000-memory.dmp	upx
behavioral2/files/0x0007000000023468-118.dat	upx
behavioral2/memory/4344-120-0x00007FF62B9E0000-0x00007FF62BD34000-memory.dmp	upx
behavioral2/memory/4560-119-0x00007FF6FCF50000-0x00007FF6FD2A4000-memory.dmp	upx
behavioral2/memory/3240-117-0x00007FF731760000-0x00007FF731AB4000-memory.dmp	upx
behavioral2/memory/3952-115-0x00007FF7A4DD0000-0x00007FF7A5124000-memory.dmp	upx
behavioral2/files/0x0007000000023469-126.dat	upx
behavioral2/memory/1540-128-0x00007FF799E10000-0x00007FF79A164000-memory.dmp	upx
behavioral2/memory/3036-127-0x00007FF7C9750000-0x00007FF7C9AA4000-memory.dmp	upx
behavioral2/files/0x000700000002346a-132.dat	upx
behavioral2/files/0x000700000002346b-137.dat	upx
behavioral2/memory/2852-135-0x00007FF609BC0000-0x00007FF609F14000-memory.dmp	upx
behavioral2/memory/1628-140-0x00007FF7B63E0000-0x00007FF7B6734000-memory.dmp	upx
behavioral2/memory/4876-141-0x00007FF6C62F0000-0x00007FF6C6644000-memory.dmp	upx
behavioral2/memory/4796-142-0x00007FF725370000-0x00007FF7256C4000-memory.dmp	upx
behavioral2/memory/4460-143-0x00007FF71E230000-0x00007FF71E584000-memory.dmp	upx
behavioral2/memory/4344-144-0x00007FF62B9E0000-0x00007FF62BD34000-memory.dmp	upx
behavioral2/memory/1540-145-0x00007FF799E10000-0x00007FF79A164000-memory.dmp	upx
behavioral2/memory/2852-146-0x00007FF609BC0000-0x00007FF609F14000-memory.dmp	upx
behavioral2/memory/4948-147-0x00007FF6B5AA0000-0x00007FF6B5DF4000-memory.dmp	upx
behavioral2/memory/1632-148-0x00007FF6F1B30000-0x00007FF6F1E84000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\CXlgXca.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mtrUWlY.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rarYFuc.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IwYEolv.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gcGzaXP.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hPDdvyP.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HKxAAsd.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZcFOnwi.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vAGpHba.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GLRoNGQ.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QLmIaEY.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nLMshba.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DJXlPdT.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Engzrmy.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fZxsIUm.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LQBKgtg.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xPjAZFD.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XSgJhIt.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JqVOqaM.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mzdoJnm.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OavGWur.exe	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 4948	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3500 wrote to memory of 4948	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3500 wrote to memory of 1632	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3500 wrote to memory of 1632	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3500 wrote to memory of 4924	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3500 wrote to memory of 4924	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3500 wrote to memory of 764	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3500 wrote to memory of 764	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3500 wrote to memory of 5116	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3500 wrote to memory of 5116	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3500 wrote to memory of 1732	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3500 wrote to memory of 1732	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3500 wrote to memory of 5068	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3500 wrote to memory of 5068	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3500 wrote to memory of 1380	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3500 wrote to memory of 1380	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3500 wrote to memory of 3952	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3500 wrote to memory of 3952	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3500 wrote to memory of 3240	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3500 wrote to memory of 3240	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3500 wrote to memory of 4560	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3500 wrote to memory of 4560	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3500 wrote to memory of 3036	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3500 wrote to memory of 3036	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3500 wrote to memory of 1548	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3500 wrote to memory of 1548	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3500 wrote to memory of 4876	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3500 wrote to memory of 4876	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3500 wrote to memory of 4796	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3500 wrote to memory of 4796	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3500 wrote to memory of 468	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3500 wrote to memory of 468	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3500 wrote to memory of 4460	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3500 wrote to memory of 4460	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3500 wrote to memory of 4344	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3500 wrote to memory of 4344	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3500 wrote to memory of 1540	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3500 wrote to memory of 1540	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3500 wrote to memory of 2852	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3500 wrote to memory of 2852	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3500 wrote to memory of 1628	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3500 wrote to memory of 1628	3500	2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_9341a9b8bf611882fa84ba95a57057d2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\System\QLmIaEY.exe
  C:\Windows\System\QLmIaEY.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\rarYFuc.exe
  C:\Windows\System\rarYFuc.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\IwYEolv.exe
  C:\Windows\System\IwYEolv.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\XSgJhIt.exe
  C:\Windows\System\XSgJhIt.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\fZxsIUm.exe
  C:\Windows\System\fZxsIUm.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\nLMshba.exe
  C:\Windows\System\nLMshba.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\LQBKgtg.exe
  C:\Windows\System\LQBKgtg.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\gcGzaXP.exe
  C:\Windows\System\gcGzaXP.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\JqVOqaM.exe
  C:\Windows\System\JqVOqaM.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\DJXlPdT.exe
  C:\Windows\System\DJXlPdT.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\xPjAZFD.exe
  C:\Windows\System\xPjAZFD.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System\mzdoJnm.exe
  C:\Windows\System\mzdoJnm.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\hPDdvyP.exe
  C:\Windows\System\hPDdvyP.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\HKxAAsd.exe
  C:\Windows\System\HKxAAsd.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\ZcFOnwi.exe
  C:\Windows\System\ZcFOnwi.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\OavGWur.exe
  C:\Windows\System\OavGWur.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\CXlgXca.exe
  C:\Windows\System\CXlgXca.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\Engzrmy.exe
  C:\Windows\System\Engzrmy.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\mtrUWlY.exe
  C:\Windows\System\mtrUWlY.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\vAGpHba.exe
  C:\Windows\System\vAGpHba.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\GLRoNGQ.exe
  C:\Windows\System\GLRoNGQ.exe
  2⤵
  - Executes dropped EXE
  PID:1628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CXlgXca.exe

Filesize
5.9MB

MD5
2b036d17f156c885a67db494d2d89bfe

SHA1
373fc969f44fb3a7fbe61b9aa7c511b6cd9c4f9d

SHA256
e11f311bc7ae669e90685c6f023d7e5431948b2f6fcb6b9bf5424f2ad50d12b1

SHA512
4ff148ee83d14c84d99c7233fb6e0f7accea7e5dfa27bad73ce1c836f8b9a41145ac818985d264b518d2a127f197f392cd7c41efabacd24f9b8950ca817de24b

Download Submit
C:\Windows\System\DJXlPdT.exe

Filesize
5.9MB

MD5
f67210ffe42cd7d702bbfcf390826ff3

SHA1
8f5cbd1bfc71fe3fcd8795ecf719b040aaaec2dc

SHA256
02fe14f673e9e743cf5631ba7668cbe3c6a253d3dd2bd52f5bc7bafaa0251e66

SHA512
fa8f5e60b1e12a5a357db643ec96bce1293d6d443ba6677b04efcef65bb85015163336d87ae03ec99c381efe318f5c3f72e7cac7891d617836e53d9a194482cf

Download Submit
C:\Windows\System\Engzrmy.exe

Filesize
5.9MB

MD5
edcf23ee6cdc637c77346838f29fc584

SHA1
4efa6adb0d8f3d6df03b4e84b97acc0d282ca6c8

SHA256
3b4a510492b7f5b7fd691d933a939df6aae104323039c9c1f921e719cc7f15b1

SHA512
1815245f29baf0194a7d18eb58715f95a853ab48e05d0c481a5af6ae2915a48be2ef7881a66719f058f992dd46ab72a60c02ae45590933a551dac28611c05b0f

Download Submit
C:\Windows\System\GLRoNGQ.exe

Filesize
5.9MB

MD5
67bebaf4b81cef93fcebce6308ef5bbb

SHA1
e4064258f3eea7f6189603d7f8f981b3db6c7ea8

SHA256
53319f9cc22415a445318585c9dfe3c206538bef1fb08397584007a9d1efe2cc

SHA512
82d9c39164265b396c80878e87422b5455b1d913de98d4380262c789cdbb85a5e10ba3ecbb644eef17a0903bcc356bf213feea4b62e033305e4008e3b6a03f66

Download Submit
C:\Windows\System\HKxAAsd.exe

Filesize
5.9MB

MD5
b9cc9fd9fd56f4c1d5b3cf3976cc71e1

SHA1
c08ebec689b7421b2fdc221c0d296543da18fecf

SHA256
a4ecad76ad4226236195378a9bfe87cb1ac5684267121bb27b91abb8112b500e

SHA512
014cdc717d863417dd4bcb2337a6527464beb8d145ac342da76fd819e25e8511da167d142a636f1cad8201eead42faac011b9c0760f2a20974f0609a9d66d016

Download Submit
C:\Windows\System\IwYEolv.exe

Filesize
5.9MB

MD5
d11f383b7ac89d18804a7318e5c01470

SHA1
ac6f9572caac26da6c7175b046a057403f3d6026

SHA256
ffc1ea40d823bff5c2fed8dcc20dc554edd6a00f853be945a7745363f6f2e9b1

SHA512
fb3a732a2b672a3f3770c199648ec2215b25e6f9e6be3261c2e9ed8f87108df6dd5d45bce4b958327322d64c1b36906a3bce3b69d29050adca616d5b262e2845

Download Submit
C:\Windows\System\JqVOqaM.exe

Filesize
5.9MB

MD5
9aefd7befa3f2574f0a46885ad1a368a

SHA1
1045d14ba1a6ed0ca2d2679fa658cb56d0925d08

SHA256
732095533ffc88a1aae945408f115420c7539fc08eddb82c097a12fb80cb2f51

SHA512
868408230b743047317aa0f32d78868f65b2cb20fcd3bdbe6c443d744292d67052483a797f056205cb75cd0928db246179d553e70aaf672ea40b1781fd3232ec

Download Submit
C:\Windows\System\LQBKgtg.exe

Filesize
5.9MB

MD5
68b93e3d9be994e834da4f5a244eed4b

SHA1
8b839c00a2e76548eec059e8c598376374ba8f6d

SHA256
46eaa7bf91478d70a1651556ca3f7037b0b0c986177bba70b55d9ae00a94740d

SHA512
374532350e4375ec1df31213459b1bfdf1e6f21f18af485c36786d511a2d9943175cda805a9f77191f25e210ac1378fe32c938730bb69694d9584499ffb0470b

Download Submit
C:\Windows\System\OavGWur.exe

Filesize
5.9MB

MD5
561367f24e6abc2bbbc97ed9ecfb4c0a

SHA1
6d4a4dbf707eac6bbe4872fb0eb20e34aa4dfef1

SHA256
d0574117db6ac4a1dcebf0ca4c2d5a98e696e7cd825cd7d4e4fafbb75917c4c8

SHA512
097ff02a3f12e19ef09875b519fcf779c2de04edcae0456a3813ed531a885884050c226d8023a526549c0dd032e556b88247def9172cbbffb1808a5c4be650c0

Download Submit
C:\Windows\System\QLmIaEY.exe

Filesize
5.9MB

MD5
6206e4fe44cf3f80c67777ff57520ac0

SHA1
c8592358ee7ea398bee293215d74c3e42d51cfb6

SHA256
a01f1ed268b437ae05ff292b3bec4890d6c0665ed84f0abbd9b24330ef4dbf42

SHA512
501bcbde3fe6e05614297232fa1afdfa279fe28bf5bbde78b87b570942d1fe043fe3d8c09582b26d5e9cc0689cc90d9733199bcb404e187d7a34ff85c78a01e4

Download Submit
C:\Windows\System\XSgJhIt.exe

Filesize
5.9MB

MD5
f4f0248f9eb8416e474834355d7480eb

SHA1
aae587cf18c1842bacc80eb23892df8dd54a0b41

SHA256
0d31365f729c3641092aae9e3ab4d18e074138ee9d9af5fe943def07c3f90669

SHA512
32a34ae380570c0a305829432b13312989db18c1fb6d6723138c92d6f2415f91f0ac28c0509f3906854a99f148e38170671ad7472e1fda2754d661ad5cceff3f

Download Submit
C:\Windows\System\ZcFOnwi.exe

Filesize
5.9MB

MD5
0f8debbcaf1afb8a400b59d9fbe8b201

SHA1
6ad368f280663c0a13b6ec4c0f93877ca02db9eb

SHA256
d6c8d42db917f4d31ec59646053987c151972dad94cf4ef4a6bae2285438be3b

SHA512
26495cd92190c28a14b643cddfec575a8bd663ee46c3a692b1006551f0b5aaf1a8506f1f62eaa724bca2e8e45428e1e92a7423df723c8314fafc375f87faaca6

Download Submit
C:\Windows\System\fZxsIUm.exe

Filesize
5.9MB

MD5
aaca69149389e1f571e9188717a56007

SHA1
5533bfc81376657b80752e19fdc89de846e6e587

SHA256
882d7c36b70aa69845492a772614c4987954862aee77e51d0505222d3cdc2c2c

SHA512
d6d2635505b53e013779078dee1083d5349cc162ceada2895915ef931ac4889612e7e717dfd266c95e95a5dd1d3018ff7bc8db3c0348fb0eb07495b833c681c4

Download Submit
C:\Windows\System\gcGzaXP.exe

Filesize
5.9MB

MD5
872840a3cf16fd8a64b750bc149b082b

SHA1
ba52086e171e8920f0a794ebd81f0dc6a9a3edba

SHA256
afd1ea7c5004edfe5784b945678dec9da3ab288b5c9a1d8b2c3b6b83d99aed7b

SHA512
e6b4817563514d6c0a804a7e6c31057beaef03f590dce72a192c1b1117089d8b6f155b4e82af0f5eb29364199f60b30bd04a07a4a135e1ca15e942227d164eee

Download Submit
C:\Windows\System\hPDdvyP.exe

Filesize
5.9MB

MD5
2624b559672f033f28094b5cfe1ce0dc

SHA1
7a12ace0ebff8f6bed3b6f8dc9e3313269ffa17b

SHA256
c3c40c4f6955ab708c5ae68b6cb3fe60f16b29a5a8a4479df271396dd14e69ee

SHA512
9d8760e71b661bb100f74b2410b241ecc5215a1f4355bfe06bb0eea2cb31f4b5ec35322f9a64f79d21f89612cf1921a830a2929578191c72cd4beb47c6f646ea

Download Submit
C:\Windows\System\mtrUWlY.exe

Filesize
5.9MB

MD5
57099cd5f2f53fa3819011a7ddc4fbb4

SHA1
3951dc285ab613b94bd8cdbe03d9ea5c6423f6f8

SHA256
0a777dad5b5a81be44bc5e7d88095a9a204c64cac5b1d2892c83739286d40177

SHA512
0fd72ce5ae54640f555d5431aa6abf2d67be0c55edb03d95d0a093a3c934675dff74a87d22f4dc91f4bd8985b8ae795a2c3e43042b82bdab477e071bd3c6f2c0

Download Submit
C:\Windows\System\mzdoJnm.exe

Filesize
5.9MB

MD5
4520719554747bbb2e940fbc9318d8d3

SHA1
d2b837cfa5a5b68102bda56f1f647fcfaf3d8533

SHA256
70fcfdfdcd19d77e646b996052f5cfd4bdea0b19d9876c955a8f317cae2e146a

SHA512
6ea9074eea56e705286a5827d61461b421924a51c1577975ad4b65d8b5b964bb803f262f37a99fcd757554d2a4abae08843599f0009f50259051cb647e796272

Download Submit
C:\Windows\System\nLMshba.exe

Filesize
5.9MB

MD5
069823bf689e28a7d0a52c59dd3b9b92

SHA1
fb6945b2744301214d71c6c6a05e7c7fb6b59855

SHA256
a486bf05cb4d36b65eeb78969b585bc59eccb325248965913c3edddbdfec9946

SHA512
967cbd54b19393f4cebf3d82456a622202404465d83eb5a26296bc2a28928314847d63b2cff64d781cfdea2bb473b6db3e04a5edd7bd5e218aad2107631d1dc8

Download Submit
C:\Windows\System\rarYFuc.exe

Filesize
5.9MB

MD5
b04628f4b2283fc9217999e254423a7c

SHA1
c17869a8cb6de3fed4c70620dd09935b46975d63

SHA256
6539f8fbf397afea63da1c86c9885c9c34071097b15cb8c64554313c95df2b2e

SHA512
ba39ca4a2b264946358556532867c206e4c79b3565679bc11d83232f9f67251bbc64c6db3a54f73b09944953b8fa1dde4c0e6726046a19268bfbec1e860239d9

Download Submit
C:\Windows\System\vAGpHba.exe

Filesize
5.9MB

MD5
41077a3c653fb615dc7328160afdb514

SHA1
a8666441ca2d9589bada5ad14a0f51b24816c5f8

SHA256
e1c188acf8457a4924bef13bd79839617925b93df46ef076bb312fb1014320e7

SHA512
54bd2d6a39de0e9bda18898129e8bb852058b8540fde1e4cd426ee8d1c2dbf4c38a02f14517f9ae6494898dde083b8226ccc3b1bd16d9c5f2b07180cb22e07c5

Download Submit
C:\Windows\System\xPjAZFD.exe

Filesize
5.9MB

MD5
931f8d77e5adf56013963adc944d64c8

SHA1
9b15b7ce1a2a6bf69b61005dd7861dbe7e44da49

SHA256
3f127566dbb8ef11610d18d2e5c0d7d5e76e223eb0cf5dfeed3279458cfc4a2d

SHA512
e3536edb12214fa9cf1737781c6b560c268dbc6d3af35059c52334ffe8c2d12963559ddad941270f6e5c809f301413b0b54123ad14cde275dccf314981a2127c

Download Submit
memory/468-161-0x00007FF7274B0000-0x00007FF727804000-memory.dmp

Filesize
3.3MB

Download
memory/468-108-0x00007FF7274B0000-0x00007FF727804000-memory.dmp

Filesize
3.3MB

Download
memory/764-79-0x00007FF73C820000-0x00007FF73CB74000-memory.dmp

Filesize
3.3MB

Download
memory/764-151-0x00007FF73C820000-0x00007FF73CB74000-memory.dmp

Filesize
3.3MB

Download
memory/764-22-0x00007FF73C820000-0x00007FF73CB74000-memory.dmp

Filesize
3.3MB

Download
memory/1380-110-0x00007FF610310000-0x00007FF610664000-memory.dmp

Filesize
3.3MB

Download
memory/1380-48-0x00007FF610310000-0x00007FF610664000-memory.dmp

Filesize
3.3MB

Download
memory/1380-154-0x00007FF610310000-0x00007FF610664000-memory.dmp

Filesize
3.3MB

Download
memory/1540-145-0x00007FF799E10000-0x00007FF79A164000-memory.dmp

Filesize
3.3MB

Download
memory/1540-165-0x00007FF799E10000-0x00007FF79A164000-memory.dmp

Filesize
3.3MB

Download
memory/1540-128-0x00007FF799E10000-0x00007FF79A164000-memory.dmp

Filesize
3.3MB

Download
memory/1548-159-0x00007FF688380000-0x00007FF6886D4000-memory.dmp

Filesize
3.3MB

Download
memory/1548-86-0x00007FF688380000-0x00007FF6886D4000-memory.dmp

Filesize
3.3MB

Download
memory/1628-140-0x00007FF7B63E0000-0x00007FF7B6734000-memory.dmp

Filesize
3.3MB

Download
memory/1628-167-0x00007FF7B63E0000-0x00007FF7B6734000-memory.dmp

Filesize
3.3MB

Download
memory/1632-66-0x00007FF6F1B30000-0x00007FF6F1E84000-memory.dmp

Filesize
3.3MB

Download
memory/1632-14-0x00007FF6F1B30000-0x00007FF6F1E84000-memory.dmp

Filesize
3.3MB

Download
memory/1632-148-0x00007FF6F1B30000-0x00007FF6F1E84000-memory.dmp

Filesize
3.3MB

Download
memory/1732-95-0x00007FF7BAB20000-0x00007FF7BAE74000-memory.dmp

Filesize
3.3MB

Download
memory/1732-36-0x00007FF7BAB20000-0x00007FF7BAE74000-memory.dmp

Filesize
3.3MB

Download
memory/1732-152-0x00007FF7BAB20000-0x00007FF7BAE74000-memory.dmp

Filesize
3.3MB

Download
memory/2852-146-0x00007FF609BC0000-0x00007FF609F14000-memory.dmp

Filesize
3.3MB

Download
memory/2852-166-0x00007FF609BC0000-0x00007FF609F14000-memory.dmp

Filesize
3.3MB

Download
memory/2852-135-0x00007FF609BC0000-0x00007FF609F14000-memory.dmp

Filesize
3.3MB

Download
memory/3036-127-0x00007FF7C9750000-0x00007FF7C9AA4000-memory.dmp

Filesize
3.3MB

Download
memory/3036-157-0x00007FF7C9750000-0x00007FF7C9AA4000-memory.dmp

Filesize
3.3MB

Download
memory/3036-73-0x00007FF7C9750000-0x00007FF7C9AA4000-memory.dmp

Filesize
3.3MB

Download
memory/3240-65-0x00007FF731760000-0x00007FF731AB4000-memory.dmp

Filesize
3.3MB

Download
memory/3240-117-0x00007FF731760000-0x00007FF731AB4000-memory.dmp

Filesize
3.3MB

Download
memory/3240-156-0x00007FF731760000-0x00007FF731AB4000-memory.dmp

Filesize
3.3MB

Download
memory/3500-54-0x00007FF61AC20000-0x00007FF61AF74000-memory.dmp

Filesize
3.3MB

Download
memory/3500-1-0x000001D141870000-0x000001D141880000-memory.dmp

Filesize
64KB

Download
memory/3500-0-0x00007FF61AC20000-0x00007FF61AF74000-memory.dmp

Filesize
3.3MB

Download
memory/3952-55-0x00007FF7A4DD0000-0x00007FF7A5124000-memory.dmp

Filesize
3.3MB

Download
memory/3952-115-0x00007FF7A4DD0000-0x00007FF7A5124000-memory.dmp

Filesize
3.3MB

Download
memory/3952-155-0x00007FF7A4DD0000-0x00007FF7A5124000-memory.dmp

Filesize
3.3MB

Download
memory/4344-144-0x00007FF62B9E0000-0x00007FF62BD34000-memory.dmp

Filesize
3.3MB

Download
memory/4344-164-0x00007FF62B9E0000-0x00007FF62BD34000-memory.dmp

Filesize
3.3MB

Download
memory/4344-120-0x00007FF62B9E0000-0x00007FF62BD34000-memory.dmp

Filesize
3.3MB

Download
memory/4460-143-0x00007FF71E230000-0x00007FF71E584000-memory.dmp

Filesize
3.3MB

Download
memory/4460-163-0x00007FF71E230000-0x00007FF71E584000-memory.dmp

Filesize
3.3MB

Download
memory/4460-111-0x00007FF71E230000-0x00007FF71E584000-memory.dmp

Filesize
3.3MB

Download
memory/4560-158-0x00007FF6FCF50000-0x00007FF6FD2A4000-memory.dmp

Filesize
3.3MB

Download
memory/4560-72-0x00007FF6FCF50000-0x00007FF6FD2A4000-memory.dmp

Filesize
3.3MB

Download
memory/4560-119-0x00007FF6FCF50000-0x00007FF6FD2A4000-memory.dmp

Filesize
3.3MB

Download
memory/4796-142-0x00007FF725370000-0x00007FF7256C4000-memory.dmp

Filesize
3.3MB

Download
memory/4796-162-0x00007FF725370000-0x00007FF7256C4000-memory.dmp

Filesize
3.3MB

Download
memory/4796-96-0x00007FF725370000-0x00007FF7256C4000-memory.dmp

Filesize
3.3MB

Download
memory/4876-90-0x00007FF6C62F0000-0x00007FF6C6644000-memory.dmp

Filesize
3.3MB

Download
memory/4876-141-0x00007FF6C62F0000-0x00007FF6C6644000-memory.dmp

Filesize
3.3MB

Download
memory/4876-160-0x00007FF6C62F0000-0x00007FF6C6644000-memory.dmp

Filesize
3.3MB

Download
memory/4924-149-0x00007FF6B6570000-0x00007FF6B68C4000-memory.dmp

Filesize
3.3MB

Download
memory/4924-21-0x00007FF6B6570000-0x00007FF6B68C4000-memory.dmp

Filesize
3.3MB

Download
memory/4924-67-0x00007FF6B6570000-0x00007FF6B68C4000-memory.dmp

Filesize
3.3MB

Download
memory/4948-61-0x00007FF6B5AA0000-0x00007FF6B5DF4000-memory.dmp

Filesize
3.3MB

Download
memory/4948-147-0x00007FF6B5AA0000-0x00007FF6B5DF4000-memory.dmp

Filesize
3.3MB

Download
memory/4948-6-0x00007FF6B5AA0000-0x00007FF6B5DF4000-memory.dmp

Filesize
3.3MB

Download
memory/5068-153-0x00007FF6DBDB0000-0x00007FF6DC104000-memory.dmp

Filesize
3.3MB

Download
memory/5068-42-0x00007FF6DBDB0000-0x00007FF6DC104000-memory.dmp

Filesize
3.3MB

Download
memory/5068-107-0x00007FF6DBDB0000-0x00007FF6DC104000-memory.dmp

Filesize
3.3MB

Download
memory/5116-150-0x00007FF762180000-0x00007FF7624D4000-memory.dmp

Filesize
3.3MB

Download
memory/5116-29-0x00007FF762180000-0x00007FF7624D4000-memory.dmp

Filesize
3.3MB

Download
memory/5116-84-0x00007FF762180000-0x00007FF7624D4000-memory.dmp

Filesize
3.3MB

Download