cobaltstrike | fab1984b7c6d39395ceaa6e28a471ebaeae967ff0f80981ed091f4deb873db2e

Analysis

max time kernel
138s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

6446f6424c578df6b3e82fff08c71a58
SHA1

68e4079a706babe1fdacfb3879080cf298d57605
SHA256

fab1984b7c6d39395ceaa6e28a471ebaeae967ff0f80981ed091f4deb873db2e
SHA512

039b1ecd81d0d37da323739c76df33f032b0fa07b17fb1465ca7388d6f1a0795de7a2f629573bf4c92988a9987462ac52a18ab74a8e3b5fdd5cfdb8596165f2c
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUc:T+856utgpPF8u/7c

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023458-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b9-10.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234b8-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bb-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bc-33.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234be-44.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bf-48.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c1-64.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c3-69.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234b6-85.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c4-83.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-67.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c0-56.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-46.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ba-27.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c5-95.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c7-100.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c9-112.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c8-109.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cc-122.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ca-123.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4612-0-0x00007FF6FC760000-0x00007FF6FCAB4000-memory.dmp	xmrig
behavioral2/files/0x0009000000023458-4.dat	xmrig
behavioral2/memory/4032-8-0x00007FF7A5990000-0x00007FF7A5CE4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b9-10.dat	xmrig
behavioral2/files/0x00080000000234b8-11.dat	xmrig
behavioral2/files/0x00070000000234bb-29.dat	xmrig
behavioral2/files/0x00070000000234bc-33.dat	xmrig
behavioral2/files/0x00070000000234be-44.dat	xmrig
behavioral2/files/0x00070000000234bf-48.dat	xmrig
behavioral2/files/0x00070000000234c1-64.dat	xmrig
behavioral2/files/0x00070000000234c3-69.dat	xmrig
behavioral2/memory/5088-79-0x00007FF678CC0000-0x00007FF679014000-memory.dmp	xmrig
behavioral2/memory/5072-81-0x00007FF744180000-0x00007FF7444D4000-memory.dmp	xmrig
behavioral2/memory/4172-88-0x00007FF7888B0000-0x00007FF788C04000-memory.dmp	xmrig
behavioral2/memory/716-91-0x00007FF77F270000-0x00007FF77F5C4000-memory.dmp	xmrig
behavioral2/memory/3404-90-0x00007FF736B10000-0x00007FF736E64000-memory.dmp	xmrig
behavioral2/memory/1160-89-0x00007FF7882D0000-0x00007FF788624000-memory.dmp	xmrig
behavioral2/memory/4976-87-0x00007FF7AB3E0000-0x00007FF7AB734000-memory.dmp	xmrig
behavioral2/files/0x00080000000234b6-85.dat	xmrig
behavioral2/files/0x00070000000234c4-83.dat	xmrig
behavioral2/memory/116-82-0x00007FF7ACB20000-0x00007FF7ACE74000-memory.dmp	xmrig
behavioral2/memory/2556-80-0x00007FF6EFF60000-0x00007FF6F02B4000-memory.dmp	xmrig
behavioral2/memory/4980-78-0x00007FF62F9B0000-0x00007FF62FD04000-memory.dmp	xmrig
behavioral2/files/0x00070000000234c2-67.dat	xmrig
behavioral2/files/0x00070000000234c0-56.dat	xmrig
behavioral2/memory/2204-47-0x00007FF670780000-0x00007FF670AD4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234bd-46.dat	xmrig
behavioral2/memory/1576-39-0x00007FF6C5130000-0x00007FF6C5484000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ba-27.dat	xmrig
behavioral2/memory/1656-26-0x00007FF6C4040000-0x00007FF6C4394000-memory.dmp	xmrig
behavioral2/memory/1244-20-0x00007FF7C6D80000-0x00007FF7C70D4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234c5-95.dat	xmrig
behavioral2/files/0x00070000000234c7-100.dat	xmrig
behavioral2/memory/4600-96-0x00007FF7F68C0000-0x00007FF7F6C14000-memory.dmp	xmrig
behavioral2/memory/1008-105-0x00007FF7CDAE0000-0x00007FF7CDE34000-memory.dmp	xmrig
behavioral2/memory/2240-107-0x00007FF6F3ED0000-0x00007FF6F4224000-memory.dmp	xmrig
behavioral2/files/0x00070000000234c9-112.dat	xmrig
behavioral2/memory/2864-113-0x00007FF72F630000-0x00007FF72F984000-memory.dmp	xmrig
behavioral2/files/0x00070000000234c8-109.dat	xmrig
behavioral2/files/0x00070000000234cc-122.dat	xmrig
behavioral2/memory/4612-121-0x00007FF6FC760000-0x00007FF6FCAB4000-memory.dmp	xmrig
behavioral2/memory/4032-126-0x00007FF7A5990000-0x00007FF7A5CE4000-memory.dmp	xmrig
behavioral2/memory/4824-129-0x00007FF6C2FC0000-0x00007FF6C3314000-memory.dmp	xmrig
behavioral2/memory/1244-127-0x00007FF7C6D80000-0x00007FF7C70D4000-memory.dmp	xmrig
behavioral2/memory/2688-125-0x00007FF6EB7B0000-0x00007FF6EBB04000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ca-123.dat	xmrig
behavioral2/memory/2204-132-0x00007FF670780000-0x00007FF670AD4000-memory.dmp	xmrig
behavioral2/memory/1656-131-0x00007FF6C4040000-0x00007FF6C4394000-memory.dmp	xmrig
behavioral2/memory/116-133-0x00007FF7ACB20000-0x00007FF7ACE74000-memory.dmp	xmrig
behavioral2/memory/4600-134-0x00007FF7F68C0000-0x00007FF7F6C14000-memory.dmp	xmrig
behavioral2/memory/1008-135-0x00007FF7CDAE0000-0x00007FF7CDE34000-memory.dmp	xmrig
behavioral2/memory/2240-136-0x00007FF6F3ED0000-0x00007FF6F4224000-memory.dmp	xmrig
behavioral2/memory/2864-137-0x00007FF72F630000-0x00007FF72F984000-memory.dmp	xmrig
behavioral2/memory/2688-138-0x00007FF6EB7B0000-0x00007FF6EBB04000-memory.dmp	xmrig
behavioral2/memory/4824-139-0x00007FF6C2FC0000-0x00007FF6C3314000-memory.dmp	xmrig
behavioral2/memory/4032-140-0x00007FF7A5990000-0x00007FF7A5CE4000-memory.dmp	xmrig
behavioral2/memory/1244-141-0x00007FF7C6D80000-0x00007FF7C70D4000-memory.dmp	xmrig
behavioral2/memory/1656-142-0x00007FF6C4040000-0x00007FF6C4394000-memory.dmp	xmrig
behavioral2/memory/1576-144-0x00007FF6C5130000-0x00007FF6C5484000-memory.dmp	xmrig
behavioral2/memory/4172-143-0x00007FF7888B0000-0x00007FF788C04000-memory.dmp	xmrig
behavioral2/memory/1160-145-0x00007FF7882D0000-0x00007FF788624000-memory.dmp	xmrig
behavioral2/memory/4980-146-0x00007FF62F9B0000-0x00007FF62FD04000-memory.dmp	xmrig
behavioral2/memory/2204-147-0x00007FF670780000-0x00007FF670AD4000-memory.dmp	xmrig
behavioral2/memory/3404-148-0x00007FF736B10000-0x00007FF736E64000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4032	MWiDrfb.exe
1244	WNMHvPE.exe
1656	VdTcGxZ.exe
4172	RfEDEms.exe
1576	ZwXhvvO.exe
1160	sKkgdTk.exe
2204	JIzDbxG.exe
3404	ngOPHFp.exe
4980	qvGqEOx.exe
5088	IlKmyAb.exe
716	dDgsvWN.exe
2556	KYYTnzG.exe
5072	VuNHpaE.exe
116	heZshkM.exe
4976	lnOjfZM.exe
4600	MFKEApF.exe
1008	CBtxHwC.exe
2240	pbYZyXe.exe
2864	heTFVLz.exe
2688	CVYhfnh.exe
4824	LoceFZE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4612-0-0x00007FF6FC760000-0x00007FF6FCAB4000-memory.dmp	upx
behavioral2/files/0x0009000000023458-4.dat	upx
behavioral2/memory/4032-8-0x00007FF7A5990000-0x00007FF7A5CE4000-memory.dmp	upx
behavioral2/files/0x00070000000234b9-10.dat	upx
behavioral2/files/0x00080000000234b8-11.dat	upx
behavioral2/files/0x00070000000234bb-29.dat	upx
behavioral2/files/0x00070000000234bc-33.dat	upx
behavioral2/files/0x00070000000234be-44.dat	upx
behavioral2/files/0x00070000000234bf-48.dat	upx
behavioral2/files/0x00070000000234c1-64.dat	upx
behavioral2/files/0x00070000000234c3-69.dat	upx
behavioral2/memory/5088-79-0x00007FF678CC0000-0x00007FF679014000-memory.dmp	upx
behavioral2/memory/5072-81-0x00007FF744180000-0x00007FF7444D4000-memory.dmp	upx
behavioral2/memory/4172-88-0x00007FF7888B0000-0x00007FF788C04000-memory.dmp	upx
behavioral2/memory/716-91-0x00007FF77F270000-0x00007FF77F5C4000-memory.dmp	upx
behavioral2/memory/3404-90-0x00007FF736B10000-0x00007FF736E64000-memory.dmp	upx
behavioral2/memory/1160-89-0x00007FF7882D0000-0x00007FF788624000-memory.dmp	upx
behavioral2/memory/4976-87-0x00007FF7AB3E0000-0x00007FF7AB734000-memory.dmp	upx
behavioral2/files/0x00080000000234b6-85.dat	upx
behavioral2/files/0x00070000000234c4-83.dat	upx
behavioral2/memory/116-82-0x00007FF7ACB20000-0x00007FF7ACE74000-memory.dmp	upx
behavioral2/memory/2556-80-0x00007FF6EFF60000-0x00007FF6F02B4000-memory.dmp	upx
behavioral2/memory/4980-78-0x00007FF62F9B0000-0x00007FF62FD04000-memory.dmp	upx
behavioral2/files/0x00070000000234c2-67.dat	upx
behavioral2/files/0x00070000000234c0-56.dat	upx
behavioral2/memory/2204-47-0x00007FF670780000-0x00007FF670AD4000-memory.dmp	upx
behavioral2/files/0x00070000000234bd-46.dat	upx
behavioral2/memory/1576-39-0x00007FF6C5130000-0x00007FF6C5484000-memory.dmp	upx
behavioral2/files/0x00070000000234ba-27.dat	upx
behavioral2/memory/1656-26-0x00007FF6C4040000-0x00007FF6C4394000-memory.dmp	upx
behavioral2/memory/1244-20-0x00007FF7C6D80000-0x00007FF7C70D4000-memory.dmp	upx
behavioral2/files/0x00070000000234c5-95.dat	upx
behavioral2/files/0x00070000000234c7-100.dat	upx
behavioral2/memory/4600-96-0x00007FF7F68C0000-0x00007FF7F6C14000-memory.dmp	upx
behavioral2/memory/1008-105-0x00007FF7CDAE0000-0x00007FF7CDE34000-memory.dmp	upx
behavioral2/memory/2240-107-0x00007FF6F3ED0000-0x00007FF6F4224000-memory.dmp	upx
behavioral2/files/0x00070000000234c9-112.dat	upx
behavioral2/memory/2864-113-0x00007FF72F630000-0x00007FF72F984000-memory.dmp	upx
behavioral2/files/0x00070000000234c8-109.dat	upx
behavioral2/files/0x00070000000234cc-122.dat	upx
behavioral2/memory/4612-121-0x00007FF6FC760000-0x00007FF6FCAB4000-memory.dmp	upx
behavioral2/memory/4032-126-0x00007FF7A5990000-0x00007FF7A5CE4000-memory.dmp	upx
behavioral2/memory/4824-129-0x00007FF6C2FC0000-0x00007FF6C3314000-memory.dmp	upx
behavioral2/memory/1244-127-0x00007FF7C6D80000-0x00007FF7C70D4000-memory.dmp	upx
behavioral2/memory/2688-125-0x00007FF6EB7B0000-0x00007FF6EBB04000-memory.dmp	upx
behavioral2/files/0x00070000000234ca-123.dat	upx
behavioral2/memory/2204-132-0x00007FF670780000-0x00007FF670AD4000-memory.dmp	upx
behavioral2/memory/1656-131-0x00007FF6C4040000-0x00007FF6C4394000-memory.dmp	upx
behavioral2/memory/116-133-0x00007FF7ACB20000-0x00007FF7ACE74000-memory.dmp	upx
behavioral2/memory/4600-134-0x00007FF7F68C0000-0x00007FF7F6C14000-memory.dmp	upx
behavioral2/memory/1008-135-0x00007FF7CDAE0000-0x00007FF7CDE34000-memory.dmp	upx
behavioral2/memory/2240-136-0x00007FF6F3ED0000-0x00007FF6F4224000-memory.dmp	upx
behavioral2/memory/2864-137-0x00007FF72F630000-0x00007FF72F984000-memory.dmp	upx
behavioral2/memory/2688-138-0x00007FF6EB7B0000-0x00007FF6EBB04000-memory.dmp	upx
behavioral2/memory/4824-139-0x00007FF6C2FC0000-0x00007FF6C3314000-memory.dmp	upx
behavioral2/memory/4032-140-0x00007FF7A5990000-0x00007FF7A5CE4000-memory.dmp	upx
behavioral2/memory/1244-141-0x00007FF7C6D80000-0x00007FF7C70D4000-memory.dmp	upx
behavioral2/memory/1656-142-0x00007FF6C4040000-0x00007FF6C4394000-memory.dmp	upx
behavioral2/memory/1576-144-0x00007FF6C5130000-0x00007FF6C5484000-memory.dmp	upx
behavioral2/memory/4172-143-0x00007FF7888B0000-0x00007FF788C04000-memory.dmp	upx
behavioral2/memory/1160-145-0x00007FF7882D0000-0x00007FF788624000-memory.dmp	upx
behavioral2/memory/4980-146-0x00007FF62F9B0000-0x00007FF62FD04000-memory.dmp	upx
behavioral2/memory/2204-147-0x00007FF670780000-0x00007FF670AD4000-memory.dmp	upx
behavioral2/memory/3404-148-0x00007FF736B10000-0x00007FF736E64000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\CBtxHwC.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pbYZyXe.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MWiDrfb.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZwXhvvO.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VuNHpaE.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MFKEApF.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WNMHvPE.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RfEDEms.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\heZshkM.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LoceFZE.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dDgsvWN.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KYYTnzG.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CVYhfnh.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VdTcGxZ.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JIzDbxG.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ngOPHFp.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IlKmyAb.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sKkgdTk.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qvGqEOx.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lnOjfZM.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\heTFVLz.exe	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 4032	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4612 wrote to memory of 4032	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4612 wrote to memory of 1244	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4612 wrote to memory of 1244	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4612 wrote to memory of 1656	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4612 wrote to memory of 1656	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4612 wrote to memory of 4172	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4612 wrote to memory of 4172	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4612 wrote to memory of 1576	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4612 wrote to memory of 1576	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4612 wrote to memory of 1160	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4612 wrote to memory of 1160	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4612 wrote to memory of 2204	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4612 wrote to memory of 2204	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4612 wrote to memory of 3404	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4612 wrote to memory of 3404	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4612 wrote to memory of 4980	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4612 wrote to memory of 4980	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4612 wrote to memory of 5088	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4612 wrote to memory of 5088	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4612 wrote to memory of 716	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4612 wrote to memory of 716	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4612 wrote to memory of 2556	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4612 wrote to memory of 2556	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4612 wrote to memory of 5072	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4612 wrote to memory of 5072	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4612 wrote to memory of 116	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4612 wrote to memory of 116	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4612 wrote to memory of 4976	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4612 wrote to memory of 4976	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4612 wrote to memory of 4600	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4612 wrote to memory of 4600	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4612 wrote to memory of 1008	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4612 wrote to memory of 1008	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4612 wrote to memory of 2240	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4612 wrote to memory of 2240	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4612 wrote to memory of 2864	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4612 wrote to memory of 2864	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4612 wrote to memory of 2688	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4612 wrote to memory of 2688	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4612 wrote to memory of 4824	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4612 wrote to memory of 4824	4612	2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-26_6446f6424c578df6b3e82fff08c71a58_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\System\MWiDrfb.exe
  C:\Windows\System\MWiDrfb.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System\WNMHvPE.exe
  C:\Windows\System\WNMHvPE.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System\VdTcGxZ.exe
  C:\Windows\System\VdTcGxZ.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\RfEDEms.exe
  C:\Windows\System\RfEDEms.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\ZwXhvvO.exe
  C:\Windows\System\ZwXhvvO.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System\sKkgdTk.exe
  C:\Windows\System\sKkgdTk.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\JIzDbxG.exe
  C:\Windows\System\JIzDbxG.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\ngOPHFp.exe
  C:\Windows\System\ngOPHFp.exe
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Windows\System\qvGqEOx.exe
  C:\Windows\System\qvGqEOx.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\IlKmyAb.exe
  C:\Windows\System\IlKmyAb.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\dDgsvWN.exe
  C:\Windows\System\dDgsvWN.exe
  2⤵
  - Executes dropped EXE
  PID:716
- C:\Windows\System\KYYTnzG.exe
  C:\Windows\System\KYYTnzG.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\VuNHpaE.exe
  C:\Windows\System\VuNHpaE.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\heZshkM.exe
  C:\Windows\System\heZshkM.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\lnOjfZM.exe
  C:\Windows\System\lnOjfZM.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\MFKEApF.exe
  C:\Windows\System\MFKEApF.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\CBtxHwC.exe
  C:\Windows\System\CBtxHwC.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\pbYZyXe.exe
  C:\Windows\System\pbYZyXe.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\heTFVLz.exe
  C:\Windows\System\heTFVLz.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\CVYhfnh.exe
  C:\Windows\System\CVYhfnh.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\LoceFZE.exe
  C:\Windows\System\LoceFZE.exe
  2⤵
  - Executes dropped EXE
  PID:4824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CBtxHwC.exe

Filesize
5.9MB

MD5
120ca0b6f85c539170775e2e7f93209f

SHA1
e2474b7a3ceb1291eb7de56b428479ea2e885d56

SHA256
234844a99a2519c197ac9ce956fabe99d4abcdc4a0283b93ffbe1769788a1d5b

SHA512
898ad5c4d6fcdb4c078f1b9713c3ba61ac4362768e863333ee6d73d8cb14470d1cbdb933506308faf81f70951fc1a91ccc22a63dc00d8a43eb7ae220978a732b

Download Submit
C:\Windows\System\CVYhfnh.exe

Filesize
5.9MB

MD5
db1babe027da860db870d968547bdbc3

SHA1
2bd3b52a2bed0729852eb2f3de406f7293a2cff3

SHA256
37c1f9c952258546eb008fd7a8948296456f559efaac4f33736a795672c58fec

SHA512
2158d0da6023353333e7d71955e0f4740b6d9a1b273343c05840b7e0d42ed2fb951118fae138d70d12e191d5dd19534d788d291295b029222df0bd11a5cafb93

Download Submit
C:\Windows\System\IlKmyAb.exe

Filesize
5.9MB

MD5
b2e5fa094d4b7d4cbf2922ed6e6797ca

SHA1
cc37ff569938d0f73b6d75762769d8f8bca03001

SHA256
224b4a49a41294d8cbe5dfe79cd21aed5ed22a4d10bf58aeb03bdbd203bbdc35

SHA512
7c7d038d6cf15bf0c0e4e5445c2984958df11a3db5b5cccf6b15837256e7e85a39397681ada0afd35745e3d1ebea15c621236cada40b2dbfe9ceabf067cd807b

Download Submit
C:\Windows\System\JIzDbxG.exe

Filesize
5.9MB

MD5
11482a03c17ab7415dd09b669d53401e

SHA1
7a90262e9cd19afa8a76f526e80c1aabdb95a01b

SHA256
8ac351b6b9d0383378b8fec672552818c931169d7f260b5094960b7f23b21345

SHA512
1e65ef014a2d6934d183de185a4100db3d7313ccada10b828b265737c1066c579072890069c5490049f2536f2c6279a64040b73b62f889fb93f16a08ab8062a6

Download Submit
C:\Windows\System\KYYTnzG.exe

Filesize
5.9MB

MD5
c4b4483f3a64aaa1b9557ca858a72e44

SHA1
2bfe45308d0aababb9b166e23b3d75b9bc24eb87

SHA256
a8f1e55ab17415187543b7aa3960a1d83bcb13470ba89ae9b858aa58028f1170

SHA512
7ec1925ca69037d8a1006f7404a23dc7c0d89934da7d3028da269ad4b92519c1ec296e8a9f5c61d16de989e04425b201e61496ebcf95600a34935cfc1a697bf8

Download Submit
C:\Windows\System\LoceFZE.exe

Filesize
5.9MB

MD5
dac93d35025e8e94ed43f689dc700a83

SHA1
280f872d01c1d80480a845f5557e480b920d5962

SHA256
7d5c1da62103143295bc918d734c442147b5d2274bd73acf1597b2d748ae42aa

SHA512
0f66d629a60cdea93ab6d39ebc3b4b056621f62f81dc038b7292edb8024136370045886bbdf794cd2f34451995566043052856ae7a9bc4fd7a7de446c0362f8f

Download Submit
C:\Windows\System\MFKEApF.exe

Filesize
5.9MB

MD5
7d309af00d1fce20bd4f40ad03328957

SHA1
d06c735c262f8e15bd36c4b143666d7cb1fcbdb3

SHA256
789e70bd36b3c084794653a442a541c7e69ab2077bc22105343ddcc2718ed603

SHA512
e6d3f318c80e375b230e5a2228e0350d5ba373145945158a65acc2d34bfb0b75de330cfe6d9087694b5f4db6d34acbe85b70af2b5cd6987b9ed53da4f62a7495

Download Submit
C:\Windows\System\MWiDrfb.exe

Filesize
5.9MB

MD5
d1883598c5271a655a2690ad5b27d1b0

SHA1
aa81eb1bddea4681743ad8abcdd3410dba2a5a59

SHA256
7c1b172c07273248d4a20c2b80799b7dfef4e589a931022dda3e8403d68eaa3b

SHA512
6ee7bb4bc45033156d6110f4f417d259c6712758587b70f059604718084c309692e99a5536d895abf9e59e8df721553faf8c50351acf8ad4f2c9137c19e610bd

Download Submit
C:\Windows\System\RfEDEms.exe

Filesize
5.9MB

MD5
b894bc7461986dd5a3bcb07158af7553

SHA1
c2ad3734759980ecffac0edefbccb7e7fb479773

SHA256
a817fe841082261a80826e3e823096f62136a1443f037e61eaf7dd9d8ad3ca16

SHA512
9f91b9f8572a171dcead35166542c23cbd1340da813f139aed7142194ee70dc81f9bbbadd08a41db392038bdd439014faabd9d984857bc55c22fec5bb5a937c6

Download Submit
C:\Windows\System\VdTcGxZ.exe

Filesize
5.9MB

MD5
ad9fa416e29b8f35e87f1d9fe447f994

SHA1
84d862ef93c707a032c37f5866d3065c6fe531f6

SHA256
b3d537b6f2bb281286a552b2d5e13d5f340474d6b719445a58bfe4bea19a15f2

SHA512
27c186b57e444e67769bd7d1acfeb46643de560c1dbd116f292f27db69627ece3ceb0e9caebfb5010eb26d183019ecacd4a9e9af5cb90d2566026d9de56f7d20

Download Submit
C:\Windows\System\VuNHpaE.exe

Filesize
5.9MB

MD5
ebe4894d583b88572120fc181096309d

SHA1
a4ab10aff7676617ea4922926f10775390476895

SHA256
b668d1f8de7f600ea46108d408062c6db6c5888fdedf477aadfa5b82d9c93a98

SHA512
2a5f3424e2687a988e7ef8591613fe8fd3739f8d9bf561725aaa46c3f7fc98c4e04a1f1490c2e0593b653beaac28b7b06a86324b51d64325759845cf9f1d86b4

Download Submit
C:\Windows\System\WNMHvPE.exe

Filesize
5.9MB

MD5
e780df2477cbc332cc23579bfb833b52

SHA1
64d880120f75ac7257258de4f9f6baa349c4b27c

SHA256
07a5ab51bce494f238b79ec826f5d3aa9578720ec0cf5bb4cbef6120897781e1

SHA512
43dd83ffb1bd6298da5912ae1e2c716cce14d9bc624b1356d5f7ad2ad6181ec8ac6981ef14024993025eff4e6160977edb8b3d7bae8fb77b96801661be548fa9

Download Submit
C:\Windows\System\ZwXhvvO.exe

Filesize
5.9MB

MD5
25d9c3cb14786f3c83ea0a2a22a0ea8a

SHA1
d66f5aca370bfd312cdce8fe2b6643b5cbbf8d82

SHA256
ba6b2b07ff48fcfe5f8676c965733fc2a91d2431a191689f882cba471b208617

SHA512
13bcbb6de5396715344c327053dda1db6a65361921b97a7a2deea8150fc2c72d9b38c424f8426be0f492c729487b431cafdb837e84e7661ef4e4dadd46210cf5

Download Submit
C:\Windows\System\dDgsvWN.exe

Filesize
5.9MB

MD5
0c65944f9c0842922113d681f68c20d3

SHA1
0d45839cc0bd4e523b05c2b48a0a208e51414230

SHA256
401ccde07bbafd719785fe2334cf859a3c8d2149d1b122a92982c58a53abf86b

SHA512
ddd4e9fefe2d687e5479d3232b7e910b339723766dc8b3cabd0053afa135c8a269e0dcc27156183a2b444f0bd7a9b3aa753d4a1c5250451a735e619a7ec5881d

Download Submit
C:\Windows\System\heTFVLz.exe

Filesize
5.9MB

MD5
a91a0686ee3c17e6fa585278a0aacdbf

SHA1
ea8f6598887b30c5e7570e2fb9fdfd2db0dee1e0

SHA256
7632277c377dab89edcebd9e2ffeb86372b83d15b7bd0004ef92cda7513f2642

SHA512
c1356415679d4b80afe1e9b9619eced4684a7c77f7878234aae562ab4020f4e76433d7fc13a51361a742c5d2930f2abfd4efe44ff806e85c2cd9a698fab8c235

Download Submit
C:\Windows\System\heZshkM.exe

Filesize
5.9MB

MD5
9b1e51084cf7e42b74f19f16db25b8ab

SHA1
92bed22c29765dec23a6b8e10db963ed39c8af18

SHA256
78e882d913cd2a49261a6cad5e781df6c15314cd6216b78a25c26aec7ed84187

SHA512
c4260f1a70d844b5c2443ddcb3ba04300b3628cd60963cca979a392fac3bf7ea26ca57a150db7c770ec1762d4f918bc1e5392c3c3447ba4f3217990262ad4910

Download Submit
C:\Windows\System\lnOjfZM.exe

Filesize
5.9MB

MD5
a47ac3fae776ee6f60cb17738d9ae178

SHA1
cc453133084fc646d14b6c57c5df189bfbeffd2d

SHA256
2f840d8ad4e228da1693ed8ece9a8a9471e998f886ff9a1e14dff81e74aaa6b3

SHA512
2199bf97352d473f8253a58c50e2e9358733e8f558152b5cb3a16efda6c486ae7433628b3904d401d9ae1db6f3cd4d0af8c796d00bf768dd7ca0d8a342b8cbf0

Download Submit
C:\Windows\System\ngOPHFp.exe

Filesize
5.9MB

MD5
da48c3e916107500578b760ca9e76bc0

SHA1
fca122523a0333c8c4049a3f41c168afd95772a2

SHA256
94597fbba17a9e537fd8068d2ae97efe12eb5cfad415616cab407994c7487887

SHA512
601448e678847722fd67c3d784aa1f30e75b36bdb3e7d224e83c373dd803ac8e4d3504183202ce136af8db48261d82c30d0274cc58d784a9b9fa28edd3f1c5fb

Download Submit
C:\Windows\System\pbYZyXe.exe

Filesize
5.9MB

MD5
26a402b52ff7af512088e57bcccf6279

SHA1
627a2c7a4bd18232a02b9f40a65dad77b7b3bd5e

SHA256
6875b4766ad946c037d0b887f5bb596d520a8066433c43f12bbc1f111f286a99

SHA512
922b724b4da547a4ae9990b04a48d926e8286d592f0d62118f9d45fad08af5185b39dd08ddef89949543710449167a867298fa819fe2beade43e2c1132ac820d

Download Submit
C:\Windows\System\qvGqEOx.exe

Filesize
5.9MB

MD5
6942c16ea83fa45f68a6339f17f0cdb3

SHA1
6683dfeaaf83af73dd584146a26ca6c9ca00b479

SHA256
6129e493895803fcd49589aadd343d6c7eb61a54c7e21b5c652201c583a24de3

SHA512
e3dd3243b74f8c296235db79e324d68d87ed8f6eb8cd2aa23aac74ab8d12add8d17f1c8f47786086260d6ae864c86288646eec3353e32e206aa27ba9d68013b9

Download Submit
C:\Windows\System\sKkgdTk.exe

Filesize
5.9MB

MD5
c983d6cb114ebe8a30e17041a99d795c

SHA1
7df7e8163fd764c1e70dd1d1c564f3ac42eecf32

SHA256
4271c511eb3eef036cb888740844399e87f8c98dbcde84077434385240fb1238

SHA512
94ebbbc16986e2c3c0001af07484a8a138b307d0ac5bd3eefbb8bf901b73d9df8d47ae31bd0dc785c54b7474d05f692fcb7c026c80e8153fa48991aa4d125ecb

Download Submit
memory/116-133-0x00007FF7ACB20000-0x00007FF7ACE74000-memory.dmp

Filesize
3.3MB

Download
memory/116-82-0x00007FF7ACB20000-0x00007FF7ACE74000-memory.dmp

Filesize
3.3MB

Download
memory/116-154-0x00007FF7ACB20000-0x00007FF7ACE74000-memory.dmp

Filesize
3.3MB

Download
memory/716-149-0x00007FF77F270000-0x00007FF77F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/716-91-0x00007FF77F270000-0x00007FF77F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/1008-135-0x00007FF7CDAE0000-0x00007FF7CDE34000-memory.dmp

Filesize
3.3MB

Download
memory/1008-105-0x00007FF7CDAE0000-0x00007FF7CDE34000-memory.dmp

Filesize
3.3MB

Download
memory/1008-156-0x00007FF7CDAE0000-0x00007FF7CDE34000-memory.dmp

Filesize
3.3MB

Download
memory/1160-145-0x00007FF7882D0000-0x00007FF788624000-memory.dmp

Filesize
3.3MB

Download
memory/1160-89-0x00007FF7882D0000-0x00007FF788624000-memory.dmp

Filesize
3.3MB

Download
memory/1244-127-0x00007FF7C6D80000-0x00007FF7C70D4000-memory.dmp

Filesize
3.3MB

Download
memory/1244-141-0x00007FF7C6D80000-0x00007FF7C70D4000-memory.dmp

Filesize
3.3MB

Download
memory/1244-20-0x00007FF7C6D80000-0x00007FF7C70D4000-memory.dmp

Filesize
3.3MB

Download
memory/1576-39-0x00007FF6C5130000-0x00007FF6C5484000-memory.dmp

Filesize
3.3MB

Download
memory/1576-144-0x00007FF6C5130000-0x00007FF6C5484000-memory.dmp

Filesize
3.3MB

Download
memory/1656-142-0x00007FF6C4040000-0x00007FF6C4394000-memory.dmp

Filesize
3.3MB

Download
memory/1656-26-0x00007FF6C4040000-0x00007FF6C4394000-memory.dmp

Filesize
3.3MB

Download
memory/1656-131-0x00007FF6C4040000-0x00007FF6C4394000-memory.dmp

Filesize
3.3MB

Download
memory/2204-132-0x00007FF670780000-0x00007FF670AD4000-memory.dmp

Filesize
3.3MB

Download
memory/2204-47-0x00007FF670780000-0x00007FF670AD4000-memory.dmp

Filesize
3.3MB

Download
memory/2204-147-0x00007FF670780000-0x00007FF670AD4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-157-0x00007FF6F3ED0000-0x00007FF6F4224000-memory.dmp

Filesize
3.3MB

Download
memory/2240-107-0x00007FF6F3ED0000-0x00007FF6F4224000-memory.dmp

Filesize
3.3MB

Download
memory/2240-136-0x00007FF6F3ED0000-0x00007FF6F4224000-memory.dmp

Filesize
3.3MB

Download
memory/2556-150-0x00007FF6EFF60000-0x00007FF6F02B4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-80-0x00007FF6EFF60000-0x00007FF6F02B4000-memory.dmp

Filesize
3.3MB

Download
memory/2688-138-0x00007FF6EB7B0000-0x00007FF6EBB04000-memory.dmp

Filesize
3.3MB

Download
memory/2688-125-0x00007FF6EB7B0000-0x00007FF6EBB04000-memory.dmp

Filesize
3.3MB

Download
memory/2688-159-0x00007FF6EB7B0000-0x00007FF6EBB04000-memory.dmp

Filesize
3.3MB

Download
memory/2864-113-0x00007FF72F630000-0x00007FF72F984000-memory.dmp

Filesize
3.3MB

Download
memory/2864-158-0x00007FF72F630000-0x00007FF72F984000-memory.dmp

Filesize
3.3MB

Download
memory/2864-137-0x00007FF72F630000-0x00007FF72F984000-memory.dmp

Filesize
3.3MB

Download
memory/3404-90-0x00007FF736B10000-0x00007FF736E64000-memory.dmp

Filesize
3.3MB

Download
memory/3404-148-0x00007FF736B10000-0x00007FF736E64000-memory.dmp

Filesize
3.3MB

Download
memory/4032-126-0x00007FF7A5990000-0x00007FF7A5CE4000-memory.dmp

Filesize
3.3MB

Download
memory/4032-140-0x00007FF7A5990000-0x00007FF7A5CE4000-memory.dmp

Filesize
3.3MB

Download
memory/4032-8-0x00007FF7A5990000-0x00007FF7A5CE4000-memory.dmp

Filesize
3.3MB

Download
memory/4172-143-0x00007FF7888B0000-0x00007FF788C04000-memory.dmp

Filesize
3.3MB

Download
memory/4172-88-0x00007FF7888B0000-0x00007FF788C04000-memory.dmp

Filesize
3.3MB

Download
memory/4600-96-0x00007FF7F68C0000-0x00007FF7F6C14000-memory.dmp

Filesize
3.3MB

Download
memory/4600-134-0x00007FF7F68C0000-0x00007FF7F6C14000-memory.dmp

Filesize
3.3MB

Download
memory/4600-155-0x00007FF7F68C0000-0x00007FF7F6C14000-memory.dmp

Filesize
3.3MB

Download
memory/4612-1-0x00000225F6B10000-0x00000225F6B20000-memory.dmp

Filesize
64KB

Download
memory/4612-121-0x00007FF6FC760000-0x00007FF6FCAB4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-0-0x00007FF6FC760000-0x00007FF6FCAB4000-memory.dmp

Filesize
3.3MB

Download
memory/4824-139-0x00007FF6C2FC0000-0x00007FF6C3314000-memory.dmp

Filesize
3.3MB

Download
memory/4824-129-0x00007FF6C2FC0000-0x00007FF6C3314000-memory.dmp

Filesize
3.3MB

Download
memory/4824-160-0x00007FF6C2FC0000-0x00007FF6C3314000-memory.dmp

Filesize
3.3MB

Download
memory/4976-153-0x00007FF7AB3E0000-0x00007FF7AB734000-memory.dmp

Filesize
3.3MB

Download
memory/4976-87-0x00007FF7AB3E0000-0x00007FF7AB734000-memory.dmp

Filesize
3.3MB

Download
memory/4980-146-0x00007FF62F9B0000-0x00007FF62FD04000-memory.dmp

Filesize
3.3MB

Download
memory/4980-78-0x00007FF62F9B0000-0x00007FF62FD04000-memory.dmp

Filesize
3.3MB

Download
memory/5072-152-0x00007FF744180000-0x00007FF7444D4000-memory.dmp

Filesize
3.3MB

Download
memory/5072-81-0x00007FF744180000-0x00007FF7444D4000-memory.dmp

Filesize
3.3MB

Download
memory/5088-151-0x00007FF678CC0000-0x00007FF679014000-memory.dmp

Filesize
3.3MB

Download
memory/5088-79-0x00007FF678CC0000-0x00007FF679014000-memory.dmp

Filesize
3.3MB

Download