cobaltstrike | 73f8a0799975ed012f114ebcba484f4c0d07aad9482a40c3700b2e278e3a99d1

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

00f3a43ce69d013ab27dcb22ec39e072
SHA1

d91e302ec239291fc94bbf86bb22068081a50461
SHA256

73f8a0799975ed012f114ebcba484f4c0d07aad9482a40c3700b2e278e3a99d1
SHA512

ffa7c835c14a2a76ce1b96080b7b3bbca4a44f9dca030bef9d377974dc9981be86db4f8f26031947e2e6896f29d093dd10296418b49c577a43e584a26c4d6e9b
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUI:T+856utgpPF8u/7I

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023457-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bc-10.dat	cobalt_reflective_dll
behavioral2/files/0x00090000000234b4-12.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234be-28.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234b8-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c0-42.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c1-46.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-54.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c3-61.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c4-68.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c5-76.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c6-83.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c7-89.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c8-96.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c9-103.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ca-108.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cb-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cc-123.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-129.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2648-0-0x00007FF670640000-0x00007FF670994000-memory.dmp	xmrig
behavioral2/files/0x0009000000023457-4.dat	xmrig
behavioral2/memory/4072-8-0x00007FF6B0A40000-0x00007FF6B0D94000-memory.dmp	xmrig
behavioral2/files/0x00070000000234bc-10.dat	xmrig
behavioral2/files/0x00090000000234b4-12.dat	xmrig
behavioral2/memory/1832-16-0x00007FF674A10000-0x00007FF674D64000-memory.dmp	xmrig
behavioral2/files/0x00070000000234bd-23.dat	xmrig
behavioral2/memory/2316-24-0x00007FF613EB0000-0x00007FF614204000-memory.dmp	xmrig
behavioral2/memory/3284-18-0x00007FF7E8270000-0x00007FF7E85C4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234be-28.dat	xmrig
behavioral2/memory/3748-30-0x00007FF63D590000-0x00007FF63D8E4000-memory.dmp	xmrig
behavioral2/files/0x00080000000234b8-35.dat	xmrig
behavioral2/memory/4928-36-0x00007FF7C2510000-0x00007FF7C2864000-memory.dmp	xmrig
behavioral2/files/0x00070000000234c0-42.dat	xmrig
behavioral2/memory/4244-44-0x00007FF693870000-0x00007FF693BC4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234c1-46.dat	xmrig
behavioral2/memory/2680-49-0x00007FF6D6500000-0x00007FF6D6854000-memory.dmp	xmrig
behavioral2/memory/2648-48-0x00007FF670640000-0x00007FF670994000-memory.dmp	xmrig
behavioral2/files/0x00070000000234c2-54.dat	xmrig
behavioral2/files/0x00070000000234c3-61.dat	xmrig
behavioral2/memory/3828-63-0x00007FF7A7E70000-0x00007FF7A81C4000-memory.dmp	xmrig
behavioral2/memory/1832-58-0x00007FF674A10000-0x00007FF674D64000-memory.dmp	xmrig
behavioral2/memory/4072-57-0x00007FF6B0A40000-0x00007FF6B0D94000-memory.dmp	xmrig
behavioral2/memory/4976-60-0x00007FF6DA920000-0x00007FF6DAC74000-memory.dmp	xmrig
behavioral2/files/0x00070000000234c4-68.dat	xmrig
behavioral2/files/0x00070000000234c5-76.dat	xmrig
behavioral2/memory/4932-79-0x00007FF7F6FF0000-0x00007FF7F7344000-memory.dmp	xmrig
behavioral2/memory/2316-73-0x00007FF613EB0000-0x00007FF614204000-memory.dmp	xmrig
behavioral2/memory/2364-72-0x00007FF6B4F80000-0x00007FF6B52D4000-memory.dmp	xmrig
behavioral2/memory/3284-69-0x00007FF7E8270000-0x00007FF7E85C4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234c6-83.dat	xmrig
behavioral2/memory/4928-84-0x00007FF7C2510000-0x00007FF7C2864000-memory.dmp	xmrig
behavioral2/files/0x00070000000234c7-89.dat	xmrig
behavioral2/memory/3748-80-0x00007FF63D590000-0x00007FF63D8E4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234c8-96.dat	xmrig
behavioral2/memory/536-94-0x00007FF67FA80000-0x00007FF67FDD4000-memory.dmp	xmrig
behavioral2/memory/4244-93-0x00007FF693870000-0x00007FF693BC4000-memory.dmp	xmrig
behavioral2/memory/1848-92-0x00007FF62BD80000-0x00007FF62C0D4000-memory.dmp	xmrig
behavioral2/memory/1604-100-0x00007FF6EF4C0000-0x00007FF6EF814000-memory.dmp	xmrig
behavioral2/files/0x00070000000234c9-103.dat	xmrig
behavioral2/memory/3120-105-0x00007FF7BA920000-0x00007FF7BAC74000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ca-108.dat	xmrig
behavioral2/memory/2332-111-0x00007FF785180000-0x00007FF7854D4000-memory.dmp	xmrig
behavioral2/memory/2680-104-0x00007FF6D6500000-0x00007FF6D6854000-memory.dmp	xmrig
behavioral2/files/0x00070000000234cb-115.dat	xmrig
behavioral2/files/0x00070000000234cc-123.dat	xmrig
behavioral2/memory/3896-120-0x00007FF67E900000-0x00007FF67EC54000-memory.dmp	xmrig
behavioral2/memory/3828-119-0x00007FF7A7E70000-0x00007FF7A81C4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234cd-129.dat	xmrig
behavioral2/memory/2248-124-0x00007FF780590000-0x00007FF7808E4000-memory.dmp	xmrig
behavioral2/memory/624-132-0x00007FF69B3B0000-0x00007FF69B704000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ce-134.dat	xmrig
behavioral2/memory/4932-137-0x00007FF7F6FF0000-0x00007FF7F7344000-memory.dmp	xmrig
behavioral2/memory/4576-138-0x00007FF662480000-0x00007FF6627D4000-memory.dmp	xmrig
behavioral2/memory/1848-139-0x00007FF62BD80000-0x00007FF62C0D4000-memory.dmp	xmrig
behavioral2/memory/3120-140-0x00007FF7BA920000-0x00007FF7BAC74000-memory.dmp	xmrig
behavioral2/memory/2332-141-0x00007FF785180000-0x00007FF7854D4000-memory.dmp	xmrig
behavioral2/memory/2248-142-0x00007FF780590000-0x00007FF7808E4000-memory.dmp	xmrig
behavioral2/memory/624-143-0x00007FF69B3B0000-0x00007FF69B704000-memory.dmp	xmrig
behavioral2/memory/4072-144-0x00007FF6B0A40000-0x00007FF6B0D94000-memory.dmp	xmrig
behavioral2/memory/1832-145-0x00007FF674A10000-0x00007FF674D64000-memory.dmp	xmrig
behavioral2/memory/3284-146-0x00007FF7E8270000-0x00007FF7E85C4000-memory.dmp	xmrig
behavioral2/memory/2316-147-0x00007FF613EB0000-0x00007FF614204000-memory.dmp	xmrig
behavioral2/memory/3748-148-0x00007FF63D590000-0x00007FF63D8E4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4072	LZeWLmY.exe
1832	zQOgTaR.exe
3284	lTbviMk.exe
2316	XQogivh.exe
3748	QRGVFKS.exe
4928	AAMjiVX.exe
4244	aXSSIVW.exe
2680	JyYxrsv.exe
4976	HhrSlmO.exe
3828	aTivWcG.exe
2364	oSVyfnx.exe
4932	tCAvvUE.exe
1848	yqpoQye.exe
536	TFWCkfw.exe
1604	VtaDrAV.exe
3120	UZVwEod.exe
2332	OKfOLXw.exe
3896	RhwSLBf.exe
2248	LUcrBUa.exe
624	yeLiWsx.exe
4576	hEzCdol.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2648-0-0x00007FF670640000-0x00007FF670994000-memory.dmp	upx
behavioral2/files/0x0009000000023457-4.dat	upx
behavioral2/memory/4072-8-0x00007FF6B0A40000-0x00007FF6B0D94000-memory.dmp	upx
behavioral2/files/0x00070000000234bc-10.dat	upx
behavioral2/files/0x00090000000234b4-12.dat	upx
behavioral2/memory/1832-16-0x00007FF674A10000-0x00007FF674D64000-memory.dmp	upx
behavioral2/files/0x00070000000234bd-23.dat	upx
behavioral2/memory/2316-24-0x00007FF613EB0000-0x00007FF614204000-memory.dmp	upx
behavioral2/memory/3284-18-0x00007FF7E8270000-0x00007FF7E85C4000-memory.dmp	upx
behavioral2/files/0x00070000000234be-28.dat	upx
behavioral2/memory/3748-30-0x00007FF63D590000-0x00007FF63D8E4000-memory.dmp	upx
behavioral2/files/0x00080000000234b8-35.dat	upx
behavioral2/memory/4928-36-0x00007FF7C2510000-0x00007FF7C2864000-memory.dmp	upx
behavioral2/files/0x00070000000234c0-42.dat	upx
behavioral2/memory/4244-44-0x00007FF693870000-0x00007FF693BC4000-memory.dmp	upx
behavioral2/files/0x00070000000234c1-46.dat	upx
behavioral2/memory/2680-49-0x00007FF6D6500000-0x00007FF6D6854000-memory.dmp	upx
behavioral2/memory/2648-48-0x00007FF670640000-0x00007FF670994000-memory.dmp	upx
behavioral2/files/0x00070000000234c2-54.dat	upx
behavioral2/files/0x00070000000234c3-61.dat	upx
behavioral2/memory/3828-63-0x00007FF7A7E70000-0x00007FF7A81C4000-memory.dmp	upx
behavioral2/memory/1832-58-0x00007FF674A10000-0x00007FF674D64000-memory.dmp	upx
behavioral2/memory/4072-57-0x00007FF6B0A40000-0x00007FF6B0D94000-memory.dmp	upx
behavioral2/memory/4976-60-0x00007FF6DA920000-0x00007FF6DAC74000-memory.dmp	upx
behavioral2/files/0x00070000000234c4-68.dat	upx
behavioral2/files/0x00070000000234c5-76.dat	upx
behavioral2/memory/4932-79-0x00007FF7F6FF0000-0x00007FF7F7344000-memory.dmp	upx
behavioral2/memory/2316-73-0x00007FF613EB0000-0x00007FF614204000-memory.dmp	upx
behavioral2/memory/2364-72-0x00007FF6B4F80000-0x00007FF6B52D4000-memory.dmp	upx
behavioral2/memory/3284-69-0x00007FF7E8270000-0x00007FF7E85C4000-memory.dmp	upx
behavioral2/files/0x00070000000234c6-83.dat	upx
behavioral2/memory/4928-84-0x00007FF7C2510000-0x00007FF7C2864000-memory.dmp	upx
behavioral2/files/0x00070000000234c7-89.dat	upx
behavioral2/memory/3748-80-0x00007FF63D590000-0x00007FF63D8E4000-memory.dmp	upx
behavioral2/files/0x00070000000234c8-96.dat	upx
behavioral2/memory/536-94-0x00007FF67FA80000-0x00007FF67FDD4000-memory.dmp	upx
behavioral2/memory/4244-93-0x00007FF693870000-0x00007FF693BC4000-memory.dmp	upx
behavioral2/memory/1848-92-0x00007FF62BD80000-0x00007FF62C0D4000-memory.dmp	upx
behavioral2/memory/1604-100-0x00007FF6EF4C0000-0x00007FF6EF814000-memory.dmp	upx
behavioral2/files/0x00070000000234c9-103.dat	upx
behavioral2/memory/3120-105-0x00007FF7BA920000-0x00007FF7BAC74000-memory.dmp	upx
behavioral2/files/0x00070000000234ca-108.dat	upx
behavioral2/memory/2332-111-0x00007FF785180000-0x00007FF7854D4000-memory.dmp	upx
behavioral2/memory/2680-104-0x00007FF6D6500000-0x00007FF6D6854000-memory.dmp	upx
behavioral2/files/0x00070000000234cb-115.dat	upx
behavioral2/files/0x00070000000234cc-123.dat	upx
behavioral2/memory/3896-120-0x00007FF67E900000-0x00007FF67EC54000-memory.dmp	upx
behavioral2/memory/3828-119-0x00007FF7A7E70000-0x00007FF7A81C4000-memory.dmp	upx
behavioral2/files/0x00070000000234cd-129.dat	upx
behavioral2/memory/2248-124-0x00007FF780590000-0x00007FF7808E4000-memory.dmp	upx
behavioral2/memory/624-132-0x00007FF69B3B0000-0x00007FF69B704000-memory.dmp	upx
behavioral2/files/0x00070000000234ce-134.dat	upx
behavioral2/memory/4932-137-0x00007FF7F6FF0000-0x00007FF7F7344000-memory.dmp	upx
behavioral2/memory/4576-138-0x00007FF662480000-0x00007FF6627D4000-memory.dmp	upx
behavioral2/memory/1848-139-0x00007FF62BD80000-0x00007FF62C0D4000-memory.dmp	upx
behavioral2/memory/3120-140-0x00007FF7BA920000-0x00007FF7BAC74000-memory.dmp	upx
behavioral2/memory/2332-141-0x00007FF785180000-0x00007FF7854D4000-memory.dmp	upx
behavioral2/memory/2248-142-0x00007FF780590000-0x00007FF7808E4000-memory.dmp	upx
behavioral2/memory/624-143-0x00007FF69B3B0000-0x00007FF69B704000-memory.dmp	upx
behavioral2/memory/4072-144-0x00007FF6B0A40000-0x00007FF6B0D94000-memory.dmp	upx
behavioral2/memory/1832-145-0x00007FF674A10000-0x00007FF674D64000-memory.dmp	upx
behavioral2/memory/3284-146-0x00007FF7E8270000-0x00007FF7E85C4000-memory.dmp	upx
behavioral2/memory/2316-147-0x00007FF613EB0000-0x00007FF614204000-memory.dmp	upx
behavioral2/memory/3748-148-0x00007FF63D590000-0x00007FF63D8E4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\tCAvvUE.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UZVwEod.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OKfOLXw.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zQOgTaR.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AAMjiVX.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VtaDrAV.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RhwSLBf.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lTbviMk.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aTivWcG.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oSVyfnx.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yqpoQye.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LUcrBUa.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yeLiWsx.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hEzCdol.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LZeWLmY.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XQogivh.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QRGVFKS.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aXSSIVW.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JyYxrsv.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HhrSlmO.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TFWCkfw.exe	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 4072	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2648 wrote to memory of 4072	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2648 wrote to memory of 1832	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2648 wrote to memory of 1832	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2648 wrote to memory of 3284	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2648 wrote to memory of 3284	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2648 wrote to memory of 2316	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2648 wrote to memory of 2316	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2648 wrote to memory of 3748	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2648 wrote to memory of 3748	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2648 wrote to memory of 4928	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2648 wrote to memory of 4928	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2648 wrote to memory of 4244	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2648 wrote to memory of 4244	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2648 wrote to memory of 2680	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2648 wrote to memory of 2680	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2648 wrote to memory of 4976	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2648 wrote to memory of 4976	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2648 wrote to memory of 3828	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2648 wrote to memory of 3828	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2648 wrote to memory of 2364	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2648 wrote to memory of 2364	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2648 wrote to memory of 4932	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2648 wrote to memory of 4932	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2648 wrote to memory of 1848	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2648 wrote to memory of 1848	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2648 wrote to memory of 536	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2648 wrote to memory of 536	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2648 wrote to memory of 1604	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2648 wrote to memory of 1604	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2648 wrote to memory of 3120	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2648 wrote to memory of 3120	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2648 wrote to memory of 2332	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2648 wrote to memory of 2332	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2648 wrote to memory of 3896	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2648 wrote to memory of 3896	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2648 wrote to memory of 2248	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2648 wrote to memory of 2248	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2648 wrote to memory of 624	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2648 wrote to memory of 624	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2648 wrote to memory of 4576	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2648 wrote to memory of 4576	2648	2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-26_00f3a43ce69d013ab27dcb22ec39e072_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\System\LZeWLmY.exe
  C:\Windows\System\LZeWLmY.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System\zQOgTaR.exe
  C:\Windows\System\zQOgTaR.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\lTbviMk.exe
  C:\Windows\System\lTbviMk.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System\XQogivh.exe
  C:\Windows\System\XQogivh.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\QRGVFKS.exe
  C:\Windows\System\QRGVFKS.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\AAMjiVX.exe
  C:\Windows\System\AAMjiVX.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\aXSSIVW.exe
  C:\Windows\System\aXSSIVW.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System\JyYxrsv.exe
  C:\Windows\System\JyYxrsv.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\HhrSlmO.exe
  C:\Windows\System\HhrSlmO.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\aTivWcG.exe
  C:\Windows\System\aTivWcG.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System\oSVyfnx.exe
  C:\Windows\System\oSVyfnx.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\tCAvvUE.exe
  C:\Windows\System\tCAvvUE.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\yqpoQye.exe
  C:\Windows\System\yqpoQye.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\TFWCkfw.exe
  C:\Windows\System\TFWCkfw.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\VtaDrAV.exe
  C:\Windows\System\VtaDrAV.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System\UZVwEod.exe
  C:\Windows\System\UZVwEod.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\OKfOLXw.exe
  C:\Windows\System\OKfOLXw.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\RhwSLBf.exe
  C:\Windows\System\RhwSLBf.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System\LUcrBUa.exe
  C:\Windows\System\LUcrBUa.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System\yeLiWsx.exe
  C:\Windows\System\yeLiWsx.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\hEzCdol.exe
  C:\Windows\System\hEzCdol.exe
  2⤵
  - Executes dropped EXE
  PID:4576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AAMjiVX.exe

Filesize
5.9MB

MD5
78a1222b89a1e5ffe2f4a77c1f311924

SHA1
af8b2975e20d67a41b679a7d721a0b39bd6a4290

SHA256
453cff8cda6ce192cd9ac36d2655a129f19c5c126ee362e7cbabc7d9c6a24ea0

SHA512
daa9346800dfd3646e00f54607a37c42e2b0dd648823bb3fb7939810965b8ea73b23ef03b6d3c1f1213c758756c327011bf28ff32a5a1df82a91263e342902a5

Download Submit
C:\Windows\System\HhrSlmO.exe

Filesize
5.9MB

MD5
63c9748a4d265f09f0d9bc8ffb17b0ac

SHA1
2cb474d08b34d800f07303b5c25c82493eca10b9

SHA256
c251e21f977c1dbb243c73dbba81f814acd0be1860e5d6b8e9c59651034f6d34

SHA512
fb21cac27d3982ea0dc46854f67c1fd21a10153ccd5596dfd220d380f1c19d0af9055f15f8d6b519613bcda0c0b760468d0e9549db0bd0d4cd8e2db01b536c2b

Download Submit
C:\Windows\System\JyYxrsv.exe

Filesize
5.9MB

MD5
11c50ceacd0ece9685a380e56624124a

SHA1
a39da071163523965e0eae464514189161d045af

SHA256
13d4d258f70b4cc6065e9b3584c53c15470cc5ede707299c810b795b3d308808

SHA512
a6c8adea812ed618c6fc9275661fa2360f1623fb75ef6cbf988a96382d24eeccfb510dd8469ab0e491922fc578b3288a747d3a51a85372bc459fb51d5ecdd781

Download Submit
C:\Windows\System\LUcrBUa.exe

Filesize
5.9MB

MD5
197b08979bf196597790b0483c3d945d

SHA1
b43b184635bfc45b42d8d307245cf5cd3a0612bc

SHA256
84ac5fb508f2bb86d6ae91cff9d8345fb2f2cd60c8d0067c41be61d503f314b9

SHA512
606d864c48b9d40fc251075b115b263240d0c33cca4cf1f9d24b7a26bfe31e148ead59bacc9c641ebf429b2799602cd131f1220f58a1e870fedcb2a4d1ebd506

Download Submit
C:\Windows\System\LZeWLmY.exe

Filesize
5.9MB

MD5
51e9e877a00c3ace6aaac957af122a58

SHA1
c452846cfd422379cf321ed5c899ae9d1b1ca89f

SHA256
2e26f68551eefd79a3a530549a9720325b85e0c29681eff6075a0cd204707f20

SHA512
815b5b211fc09c9a389a01843dd993beac6ec32d12f3f63cf9ce56d0f58968240c79cd42d065d1a7864add194afb44d1ff1525cb36d9ea953d5b4ad582bdd270

Download Submit
C:\Windows\System\OKfOLXw.exe

Filesize
5.9MB

MD5
f5de4a2b34e216a1c83443df43ab15ca

SHA1
87dffd35750fd2bc878ec362addb4633a31207ec

SHA256
e54079bd7c4ba5ca6593589d518e20b06a8e8e72f2bf591ac91e9acd1c1dddd7

SHA512
c1cdc7781320637d846a5f583c53b958292f5accbf81b43f9672ab64099a74a729d353e6926270b1358de7e107d3508e929105f44643cd578dadfffbb9738a63

Download Submit
C:\Windows\System\QRGVFKS.exe

Filesize
5.9MB

MD5
abcbb5599ecf9e3d0b5c43d1b9f86590

SHA1
72a58eced0ef4bc2b2a1a45ee3ad5b88fccf0ffa

SHA256
e9b174af2fcd04a00d651291ab6159769569483a1c053e893273cfabbb6546ac

SHA512
307fe1f98879a15ddba763c16d82476d9049422c2bac8f9617c370344c549e80e1544a2e27f50af9dfa964ff5cad4115b29c07449a3b7ba0536105a9474a2ae2

Download Submit
C:\Windows\System\RhwSLBf.exe

Filesize
5.9MB

MD5
9ef6f2c8fef271ffb048f76a88fcb53a

SHA1
69af262e32bc9be735bff17eea18c163035a3c33

SHA256
b50005bc2bc7b41a49496ca075a0369fd163cbafe972b9c5874cfb7ae11040d6

SHA512
abf3eb29865017641fe488faf6c0c32c67a7be260afb26e0cb6047a4c86cee728889df7e22e943959eee4bd85a655021f5ba42114d18be321d1c71dd5c2b4ab4

Download Submit
C:\Windows\System\TFWCkfw.exe

Filesize
5.9MB

MD5
1e3ecbd52c6eb6aab1b27119ba3e2473

SHA1
44d5c12e79d19eb5dbbe235cddfaebbc33ac9651

SHA256
5644a7c14c08eea0bacc96be2e470de6c099b6619ee8fbb08d28ab432d84592b

SHA512
52ee791f38d2a224b7eadf65b9efdfba4c75ce9ee17262d3a70c83de3721ee9d04d7f6f44ce59014aed42d7cec88a970913299452ec8dc7fdf88a9cd5483a6ba

Download Submit
C:\Windows\System\UZVwEod.exe

Filesize
5.9MB

MD5
11a6dc066e396e34bb9345421d25835a

SHA1
b6b03c48d7b1144ecbad2118fcb48414d797ebb3

SHA256
083a1248efe77d33fc20585e5dd8dec062db61571d08feb81a0c38ff878a6694

SHA512
644152e63fa3be4aae462a1273a5f267a33325bae84a222f2eecb794e535071c0223dca0a28713b5e8e5c4c4ad637e4aab58eb1249875f1854c4ed4469f01fd9

Download Submit
C:\Windows\System\VtaDrAV.exe

Filesize
5.9MB

MD5
fb64c113fabf99d3afb80afb90c724a9

SHA1
44918acd75ef31fde5f3cc92f4403ba4876949ec

SHA256
d57800b3299762fb6ec71b68079d9acd8a6da25efed13c3f5926bb136ae5f681

SHA512
a7f28cc9a3d30e9a6f66fa022d2cced3e601d016244cdee000504a340fa7095e04439c59659457a2116ba5f78adde333c4f9ec34aeee45060d422b8a16b230c5

Download Submit
C:\Windows\System\XQogivh.exe

Filesize
5.9MB

MD5
dd8888958e88ab1db034aed9a0f8c23e

SHA1
1ba25011e87c1007897bf2270dbd9d0057f2436e

SHA256
273b8fd99049161d24ee2ee1c4bd5a8ebc20cb4093672e47cb53933e60f032eb

SHA512
951ea98766f9818611c5e27210c7614332de87b035bbeed017339ca5893480a68d494d9dcfe21bf5053ad0e085bece7029218cc3937979968d17307360f4de20

Download Submit
C:\Windows\System\aTivWcG.exe

Filesize
5.9MB

MD5
0de4e966d1467f79d11970f83aa94e9c

SHA1
c15953ee2d84bfdc67f59f6f6ae549a50ba362dc

SHA256
4108a3ba874f370523a432579c70ddcdf02a862615e7887abd6abfb16be8f70b

SHA512
a22f31fae059573563f6338fabe76e79e0c42ec2c388c053747bde6a70792100d3450f548b245fab5035bac11c53918bca011d30c271e612c9a39a13d6820665

Download Submit
C:\Windows\System\aXSSIVW.exe

Filesize
5.9MB

MD5
8faffd9ad8299a41a06e64596630a5a6

SHA1
c2a9596d010902c5d4f2d8b6f0308103a0d50e1a

SHA256
6310cc7349fd24e577ee1603e97084f60e9790efcaf98e38628b813465529462

SHA512
958dd0cfa1f81c700f2f84be465095965bc9e10cbb328fc0623144e5e58b7f31ef9bfb50ea5785b991bcd6f2c6d489f1bd3c3cd474de6bc963dc8555bb36d573

Download Submit
C:\Windows\System\hEzCdol.exe

Filesize
5.9MB

MD5
c07e94f4b3b3a10cf615e68eb1cfe21a

SHA1
90d9fae4446402f39a99d2ea075468534fd39313

SHA256
4fd035b75c4b0f012586afde260b7a583d63ba034523b671c300e76fca9ca6c6

SHA512
0034c1d41c69df8dcae56f47d2f5b2de5a39c40268b9bb0a2bc6bb104690f7ac5ac9db462da33261d90da629ba9dc869bed1ce02243ae51b2065d6a3a3945587

Download Submit
C:\Windows\System\lTbviMk.exe

Filesize
5.9MB

MD5
891256342b131729a9bd4bc55efaaf1d

SHA1
c12e9ae78e46be498068282f60126600a3cdbee8

SHA256
8a51cca35f42d947587d0f541b0cfd4dce7a35ffbb191d6147575f136f02a6e4

SHA512
aff8d487677263700d09065a216d819c44aa463b892c34d64a249a2febd06e77ec89616ada7f542b40327bc490bf0ef4b7c9bd52c0a9a9ebdfc3c5767b671581

Download Submit
C:\Windows\System\oSVyfnx.exe

Filesize
5.9MB

MD5
5f8388103a945920e9c1cec94a5aa450

SHA1
891095ed3f80d7385b9174e7d0c21f691c845de5

SHA256
e91f7329f452758351be56f5e43e4877fa26b36cd6deb287604d45e451809ac6

SHA512
efa480487eab205d72f930a38c0da40d31e5ee8e76c82fd7a1d1e55260631dfd3fa48f72e8a58fd400bbd579cb218f48d2adc53c64bef4133bc14e7edc1f0442

Download Submit
C:\Windows\System\tCAvvUE.exe

Filesize
5.9MB

MD5
c4291fea62d330cf9ef2b3710b142110

SHA1
726ebb98780ebe2b8ed403b9757090726420ad78

SHA256
790d8db7beef61db37cd424461dea2b04ed760ba5c89c69aab8d932e84d380c0

SHA512
3f02d48d504ff3d439c72261d63f887fec8ed3357b9df7e8cebfea3aa8b2be22ae66e3394a0fbcfaae78ea8b3ab9714cf555bc509fbc8bfcb8e1645d7046a461

Download Submit
C:\Windows\System\yeLiWsx.exe

Filesize
5.9MB

MD5
c00c05ce19e834935e81fb4334c628fd

SHA1
1034d68512fe0a49d09856ae038a3e172098cedd

SHA256
74b29c8665899e288c990f06b638b44f7ac3c574efb451b95d83912454ebb820

SHA512
18c5bdc3168ffc8221948ed9377cb9313089566e7b0028b458357443428494550da491e82cda9e329708886fb3446d3faec5f909f4995bca3348246c3a5e71d7

Download Submit
C:\Windows\System\yqpoQye.exe

Filesize
5.9MB

MD5
0b59704cbab2a0746081316fe1d12ac1

SHA1
9c523daaf0f29a7b6b9baaa7413006955357b137

SHA256
c9ecae6799b8b185e9a051e5ed7c8af2d636acbda1a25fe7231a66ae403ec8eb

SHA512
eb763d9144547237330cb9ddfc7955fde48e52c9c3ccf8a006f102038903468b2066a4029c4990f849f1f0a1fda08ebf097c85178e1c411da1c695d7841e9773

Download Submit
C:\Windows\System\zQOgTaR.exe

Filesize
5.9MB

MD5
392b3f456781e52a0902d2e46a523903

SHA1
ed1a687436a96f4acd8130512bc9087d3f33e8b2

SHA256
261cea355dddb90eae76c3d6c1b69c5338d0110b6acfdc0b675494bef11b1645

SHA512
954f29b4bbcb0ffcdd7922d927373b416be0cccdf00291f27f23e68a6402ba424b8c51a2d192afb9e12befdd20bb460e84528aa5c3aab8ea219a733ed1cb3135

Download Submit
memory/536-157-0x00007FF67FA80000-0x00007FF67FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/536-94-0x00007FF67FA80000-0x00007FF67FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/624-132-0x00007FF69B3B0000-0x00007FF69B704000-memory.dmp

Filesize
3.3MB

Download
memory/624-143-0x00007FF69B3B0000-0x00007FF69B704000-memory.dmp

Filesize
3.3MB

Download
memory/624-163-0x00007FF69B3B0000-0x00007FF69B704000-memory.dmp

Filesize
3.3MB

Download
memory/1604-100-0x00007FF6EF4C0000-0x00007FF6EF814000-memory.dmp

Filesize
3.3MB

Download
memory/1604-158-0x00007FF6EF4C0000-0x00007FF6EF814000-memory.dmp

Filesize
3.3MB

Download
memory/1832-16-0x00007FF674A10000-0x00007FF674D64000-memory.dmp

Filesize
3.3MB

Download
memory/1832-145-0x00007FF674A10000-0x00007FF674D64000-memory.dmp

Filesize
3.3MB

Download
memory/1832-58-0x00007FF674A10000-0x00007FF674D64000-memory.dmp

Filesize
3.3MB

Download
memory/1848-139-0x00007FF62BD80000-0x00007FF62C0D4000-memory.dmp

Filesize
3.3MB

Download
memory/1848-156-0x00007FF62BD80000-0x00007FF62C0D4000-memory.dmp

Filesize
3.3MB

Download
memory/1848-92-0x00007FF62BD80000-0x00007FF62C0D4000-memory.dmp

Filesize
3.3MB

Download
memory/2248-142-0x00007FF780590000-0x00007FF7808E4000-memory.dmp

Filesize
3.3MB

Download
memory/2248-162-0x00007FF780590000-0x00007FF7808E4000-memory.dmp

Filesize
3.3MB

Download
memory/2248-124-0x00007FF780590000-0x00007FF7808E4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-147-0x00007FF613EB0000-0x00007FF614204000-memory.dmp

Filesize
3.3MB

Download
memory/2316-73-0x00007FF613EB0000-0x00007FF614204000-memory.dmp

Filesize
3.3MB

Download
memory/2316-24-0x00007FF613EB0000-0x00007FF614204000-memory.dmp

Filesize
3.3MB

Download
memory/2332-160-0x00007FF785180000-0x00007FF7854D4000-memory.dmp

Filesize
3.3MB

Download
memory/2332-111-0x00007FF785180000-0x00007FF7854D4000-memory.dmp

Filesize
3.3MB

Download
memory/2332-141-0x00007FF785180000-0x00007FF7854D4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-72-0x00007FF6B4F80000-0x00007FF6B52D4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-154-0x00007FF6B4F80000-0x00007FF6B52D4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-48-0x00007FF670640000-0x00007FF670994000-memory.dmp

Filesize
3.3MB

Download
memory/2648-1-0x000002323CB10000-0x000002323CB20000-memory.dmp

Filesize
64KB

Download
memory/2648-0-0x00007FF670640000-0x00007FF670994000-memory.dmp

Filesize
3.3MB

Download
memory/2680-151-0x00007FF6D6500000-0x00007FF6D6854000-memory.dmp

Filesize
3.3MB

Download
memory/2680-49-0x00007FF6D6500000-0x00007FF6D6854000-memory.dmp

Filesize
3.3MB

Download
memory/2680-104-0x00007FF6D6500000-0x00007FF6D6854000-memory.dmp

Filesize
3.3MB

Download
memory/3120-140-0x00007FF7BA920000-0x00007FF7BAC74000-memory.dmp

Filesize
3.3MB

Download
memory/3120-105-0x00007FF7BA920000-0x00007FF7BAC74000-memory.dmp

Filesize
3.3MB

Download
memory/3120-159-0x00007FF7BA920000-0x00007FF7BAC74000-memory.dmp

Filesize
3.3MB

Download
memory/3284-18-0x00007FF7E8270000-0x00007FF7E85C4000-memory.dmp

Filesize
3.3MB

Download
memory/3284-69-0x00007FF7E8270000-0x00007FF7E85C4000-memory.dmp

Filesize
3.3MB

Download
memory/3284-146-0x00007FF7E8270000-0x00007FF7E85C4000-memory.dmp

Filesize
3.3MB

Download
memory/3748-80-0x00007FF63D590000-0x00007FF63D8E4000-memory.dmp

Filesize
3.3MB

Download
memory/3748-30-0x00007FF63D590000-0x00007FF63D8E4000-memory.dmp

Filesize
3.3MB

Download
memory/3748-148-0x00007FF63D590000-0x00007FF63D8E4000-memory.dmp

Filesize
3.3MB

Download
memory/3828-153-0x00007FF7A7E70000-0x00007FF7A81C4000-memory.dmp

Filesize
3.3MB

Download
memory/3828-63-0x00007FF7A7E70000-0x00007FF7A81C4000-memory.dmp

Filesize
3.3MB

Download
memory/3828-119-0x00007FF7A7E70000-0x00007FF7A81C4000-memory.dmp

Filesize
3.3MB

Download
memory/3896-161-0x00007FF67E900000-0x00007FF67EC54000-memory.dmp

Filesize
3.3MB

Download
memory/3896-120-0x00007FF67E900000-0x00007FF67EC54000-memory.dmp

Filesize
3.3MB

Download
memory/4072-144-0x00007FF6B0A40000-0x00007FF6B0D94000-memory.dmp

Filesize
3.3MB

Download
memory/4072-8-0x00007FF6B0A40000-0x00007FF6B0D94000-memory.dmp

Filesize
3.3MB

Download
memory/4072-57-0x00007FF6B0A40000-0x00007FF6B0D94000-memory.dmp

Filesize
3.3MB

Download
memory/4244-150-0x00007FF693870000-0x00007FF693BC4000-memory.dmp

Filesize
3.3MB

Download
memory/4244-44-0x00007FF693870000-0x00007FF693BC4000-memory.dmp

Filesize
3.3MB

Download
memory/4244-93-0x00007FF693870000-0x00007FF693BC4000-memory.dmp

Filesize
3.3MB

Download
memory/4576-138-0x00007FF662480000-0x00007FF6627D4000-memory.dmp

Filesize
3.3MB

Download
memory/4576-164-0x00007FF662480000-0x00007FF6627D4000-memory.dmp

Filesize
3.3MB

Download
memory/4928-149-0x00007FF7C2510000-0x00007FF7C2864000-memory.dmp

Filesize
3.3MB

Download
memory/4928-36-0x00007FF7C2510000-0x00007FF7C2864000-memory.dmp

Filesize
3.3MB

Download
memory/4928-84-0x00007FF7C2510000-0x00007FF7C2864000-memory.dmp

Filesize
3.3MB

Download
memory/4932-79-0x00007FF7F6FF0000-0x00007FF7F7344000-memory.dmp

Filesize
3.3MB

Download
memory/4932-155-0x00007FF7F6FF0000-0x00007FF7F7344000-memory.dmp

Filesize
3.3MB

Download
memory/4932-137-0x00007FF7F6FF0000-0x00007FF7F7344000-memory.dmp

Filesize
3.3MB

Download
memory/4976-152-0x00007FF6DA920000-0x00007FF6DAC74000-memory.dmp

Filesize
3.3MB

Download
memory/4976-60-0x00007FF6DA920000-0x00007FF6DAC74000-memory.dmp

Filesize
3.3MB

Download