cobaltstrike | 83b3cdf2042091135811d9f5170873fde8c60989b3b5013cdd9c5e6bc0f0d78d

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

c6cd21f0d4e9a3fd1a40aae68a9fc6a2
SHA1

21813b2b37f1a22bd2ec2f91fc59af9910b43b78
SHA256

83b3cdf2042091135811d9f5170873fde8c60989b3b5013cdd9c5e6bc0f0d78d
SHA512

0086c747ea0b065204ca2fcef2b1ddc97efc1525c4750579c04e1a3870c54cb83bd840644782da8179b7a4654bd322771b9f3429ccabbd26bc730a33220eec87
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ls:RWWBibf56utgpPFotBER/mQ32lUg

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234b9-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234be-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c1-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c0-29.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234ba-31.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-36.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c3-48.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c5-61.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c4-55.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c6-65.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c7-74.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c8-90.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c9-89.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ca-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cc-108.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-123.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cb-109.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cf-127.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-130.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1508-53-0x00007FF72FEB0000-0x00007FF730201000-memory.dmp	xmrig
behavioral2/memory/3492-67-0x00007FF7FD200000-0x00007FF7FD551000-memory.dmp	xmrig
behavioral2/memory/1892-69-0x00007FF723550000-0x00007FF7238A1000-memory.dmp	xmrig
behavioral2/memory/4764-70-0x00007FF7BA730000-0x00007FF7BAA81000-memory.dmp	xmrig
behavioral2/memory/4396-75-0x00007FF6AF3F0000-0x00007FF6AF741000-memory.dmp	xmrig
behavioral2/memory/3040-73-0x00007FF672930000-0x00007FF672C81000-memory.dmp	xmrig
behavioral2/memory/3556-82-0x00007FF6CD1D0000-0x00007FF6CD521000-memory.dmp	xmrig
behavioral2/memory/3668-85-0x00007FF7CF240000-0x00007FF7CF591000-memory.dmp	xmrig
behavioral2/memory/2336-81-0x00007FF774270000-0x00007FF7745C1000-memory.dmp	xmrig
behavioral2/memory/1472-84-0x00007FF63FCF0000-0x00007FF640041000-memory.dmp	xmrig
behavioral2/memory/4336-102-0x00007FF65FDA0000-0x00007FF6600F1000-memory.dmp	xmrig
behavioral2/memory/1344-107-0x00007FF60CFC0000-0x00007FF60D311000-memory.dmp	xmrig
behavioral2/memory/4028-129-0x00007FF646B30000-0x00007FF646E81000-memory.dmp	xmrig
behavioral2/memory/3492-134-0x00007FF7FD200000-0x00007FF7FD551000-memory.dmp	xmrig
behavioral2/memory/4972-140-0x00007FF721390000-0x00007FF7216E1000-memory.dmp	xmrig
behavioral2/memory/1668-149-0x00007FF7BC1E0000-0x00007FF7BC531000-memory.dmp	xmrig
behavioral2/memory/2092-150-0x00007FF62A910000-0x00007FF62AC61000-memory.dmp	xmrig
behavioral2/memory/2128-152-0x00007FF7D34A0000-0x00007FF7D37F1000-memory.dmp	xmrig
behavioral2/memory/2920-154-0x00007FF6409E0000-0x00007FF640D31000-memory.dmp	xmrig
behavioral2/memory/2280-158-0x00007FF755B60000-0x00007FF755EB1000-memory.dmp	xmrig
behavioral2/memory/4748-157-0x00007FF7320A0000-0x00007FF7323F1000-memory.dmp	xmrig
behavioral2/memory/3228-162-0x00007FF64C2D0000-0x00007FF64C621000-memory.dmp	xmrig
behavioral2/memory/4028-160-0x00007FF646B30000-0x00007FF646E81000-memory.dmp	xmrig
behavioral2/memory/4836-159-0x00007FF689DB0000-0x00007FF68A101000-memory.dmp	xmrig
behavioral2/memory/3492-164-0x00007FF7FD200000-0x00007FF7FD551000-memory.dmp	xmrig
behavioral2/memory/4764-213-0x00007FF7BA730000-0x00007FF7BAA81000-memory.dmp	xmrig
behavioral2/memory/3040-215-0x00007FF672930000-0x00007FF672C81000-memory.dmp	xmrig
behavioral2/memory/4396-223-0x00007FF6AF3F0000-0x00007FF6AF741000-memory.dmp	xmrig
behavioral2/memory/2336-225-0x00007FF774270000-0x00007FF7745C1000-memory.dmp	xmrig
behavioral2/memory/1472-227-0x00007FF63FCF0000-0x00007FF640041000-memory.dmp	xmrig
behavioral2/memory/1508-230-0x00007FF72FEB0000-0x00007FF730201000-memory.dmp	xmrig
behavioral2/memory/3556-233-0x00007FF6CD1D0000-0x00007FF6CD521000-memory.dmp	xmrig
behavioral2/memory/3668-232-0x00007FF7CF240000-0x00007FF7CF591000-memory.dmp	xmrig
behavioral2/memory/4336-238-0x00007FF65FDA0000-0x00007FF6600F1000-memory.dmp	xmrig
behavioral2/memory/1344-239-0x00007FF60CFC0000-0x00007FF60D311000-memory.dmp	xmrig
behavioral2/memory/1892-242-0x00007FF723550000-0x00007FF7238A1000-memory.dmp	xmrig
behavioral2/memory/2092-245-0x00007FF62A910000-0x00007FF62AC61000-memory.dmp	xmrig
behavioral2/memory/2128-250-0x00007FF7D34A0000-0x00007FF7D37F1000-memory.dmp	xmrig
behavioral2/memory/2920-252-0x00007FF6409E0000-0x00007FF640D31000-memory.dmp	xmrig
behavioral2/memory/2280-258-0x00007FF755B60000-0x00007FF755EB1000-memory.dmp	xmrig
behavioral2/memory/4748-260-0x00007FF7320A0000-0x00007FF7323F1000-memory.dmp	xmrig
behavioral2/memory/4972-264-0x00007FF721390000-0x00007FF7216E1000-memory.dmp	xmrig
behavioral2/memory/4028-262-0x00007FF646B30000-0x00007FF646E81000-memory.dmp	xmrig
behavioral2/memory/4836-266-0x00007FF689DB0000-0x00007FF68A101000-memory.dmp	xmrig
behavioral2/memory/1668-270-0x00007FF7BC1E0000-0x00007FF7BC531000-memory.dmp	xmrig
behavioral2/memory/3228-272-0x00007FF64C2D0000-0x00007FF64C621000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4764	dRzHnHm.exe
3040	stFWVCg.exe
4396	EKvjGyR.exe
2336	XyfOsfc.exe
3556	GqnJPxq.exe
3668	eQuWEgc.exe
1472	UaWdJce.exe
1508	BPiBegh.exe
4336	aWRVCAy.exe
1344	hTBhUgO.exe
1892	uWERPyJ.exe
2092	MBURUph.exe
2128	CzJPExW.exe
2920	jWwfiZh.exe
2280	KAAWFff.exe
4748	jDoeGWK.exe
4836	CHamRPv.exe
4028	WtWfhhg.exe
4972	oGzvvnG.exe
3228	hRDYTSM.exe
1668	vQHHyov.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3492-0-0x00007FF7FD200000-0x00007FF7FD551000-memory.dmp	upx
behavioral2/files/0x00080000000234b9-4.dat	upx
behavioral2/memory/4764-7-0x00007FF7BA730000-0x00007FF7BAA81000-memory.dmp	upx
behavioral2/files/0x00070000000234bd-11.dat	upx
behavioral2/files/0x00070000000234be-10.dat	upx
behavioral2/memory/3040-14-0x00007FF672930000-0x00007FF672C81000-memory.dmp	upx
behavioral2/memory/4396-18-0x00007FF6AF3F0000-0x00007FF6AF741000-memory.dmp	upx
behavioral2/files/0x00070000000234c1-30.dat	upx
behavioral2/files/0x00070000000234c0-29.dat	upx
behavioral2/memory/2336-24-0x00007FF774270000-0x00007FF7745C1000-memory.dmp	upx
behavioral2/files/0x00080000000234ba-31.dat	upx
behavioral2/files/0x00070000000234c2-36.dat	upx
behavioral2/memory/1472-37-0x00007FF63FCF0000-0x00007FF640041000-memory.dmp	upx
behavioral2/files/0x00070000000234c3-48.dat	upx
behavioral2/memory/1508-53-0x00007FF72FEB0000-0x00007FF730201000-memory.dmp	upx
behavioral2/memory/4336-54-0x00007FF65FDA0000-0x00007FF6600F1000-memory.dmp	upx
behavioral2/memory/1344-60-0x00007FF60CFC0000-0x00007FF60D311000-memory.dmp	upx
behavioral2/files/0x00070000000234c5-61.dat	upx
behavioral2/files/0x00070000000234c4-55.dat	upx
behavioral2/memory/3668-41-0x00007FF7CF240000-0x00007FF7CF591000-memory.dmp	upx
behavioral2/memory/3556-32-0x00007FF6CD1D0000-0x00007FF6CD521000-memory.dmp	upx
behavioral2/files/0x00070000000234c6-65.dat	upx
behavioral2/memory/3492-67-0x00007FF7FD200000-0x00007FF7FD551000-memory.dmp	upx
behavioral2/memory/1892-69-0x00007FF723550000-0x00007FF7238A1000-memory.dmp	upx
behavioral2/memory/4764-70-0x00007FF7BA730000-0x00007FF7BAA81000-memory.dmp	upx
behavioral2/files/0x00070000000234c7-74.dat	upx
behavioral2/memory/2092-77-0x00007FF62A910000-0x00007FF62AC61000-memory.dmp	upx
behavioral2/memory/4396-75-0x00007FF6AF3F0000-0x00007FF6AF741000-memory.dmp	upx
behavioral2/memory/3040-73-0x00007FF672930000-0x00007FF672C81000-memory.dmp	upx
behavioral2/memory/3556-82-0x00007FF6CD1D0000-0x00007FF6CD521000-memory.dmp	upx
behavioral2/files/0x00070000000234c8-90.dat	upx
behavioral2/files/0x00070000000234c9-89.dat	upx
behavioral2/files/0x00070000000234ca-97.dat	upx
behavioral2/memory/2280-98-0x00007FF755B60000-0x00007FF755EB1000-memory.dmp	upx
behavioral2/memory/2920-92-0x00007FF6409E0000-0x00007FF640D31000-memory.dmp	upx
behavioral2/memory/2128-86-0x00007FF7D34A0000-0x00007FF7D37F1000-memory.dmp	upx
behavioral2/memory/3668-85-0x00007FF7CF240000-0x00007FF7CF591000-memory.dmp	upx
behavioral2/memory/2336-81-0x00007FF774270000-0x00007FF7745C1000-memory.dmp	upx
behavioral2/memory/1472-84-0x00007FF63FCF0000-0x00007FF640041000-memory.dmp	upx
behavioral2/memory/4336-102-0x00007FF65FDA0000-0x00007FF6600F1000-memory.dmp	upx
behavioral2/files/0x00070000000234cc-108.dat	upx
behavioral2/memory/4748-110-0x00007FF7320A0000-0x00007FF7323F1000-memory.dmp	upx
behavioral2/files/0x00070000000234cd-116.dat	upx
behavioral2/files/0x00070000000234ce-123.dat	upx
behavioral2/memory/4836-115-0x00007FF689DB0000-0x00007FF68A101000-memory.dmp	upx
behavioral2/files/0x00070000000234cb-109.dat	upx
behavioral2/memory/1344-107-0x00007FF60CFC0000-0x00007FF60D311000-memory.dmp	upx
behavioral2/files/0x00070000000234cf-127.dat	upx
behavioral2/files/0x00070000000234d0-130.dat	upx
behavioral2/memory/3228-131-0x00007FF64C2D0000-0x00007FF64C621000-memory.dmp	upx
behavioral2/memory/4028-129-0x00007FF646B30000-0x00007FF646E81000-memory.dmp	upx
behavioral2/memory/3492-134-0x00007FF7FD200000-0x00007FF7FD551000-memory.dmp	upx
behavioral2/memory/4972-140-0x00007FF721390000-0x00007FF7216E1000-memory.dmp	upx
behavioral2/memory/1668-149-0x00007FF7BC1E0000-0x00007FF7BC531000-memory.dmp	upx
behavioral2/memory/2092-150-0x00007FF62A910000-0x00007FF62AC61000-memory.dmp	upx
behavioral2/memory/2128-152-0x00007FF7D34A0000-0x00007FF7D37F1000-memory.dmp	upx
behavioral2/memory/2920-154-0x00007FF6409E0000-0x00007FF640D31000-memory.dmp	upx
behavioral2/memory/2280-158-0x00007FF755B60000-0x00007FF755EB1000-memory.dmp	upx
behavioral2/memory/4748-157-0x00007FF7320A0000-0x00007FF7323F1000-memory.dmp	upx
behavioral2/memory/3228-162-0x00007FF64C2D0000-0x00007FF64C621000-memory.dmp	upx
behavioral2/memory/4028-160-0x00007FF646B30000-0x00007FF646E81000-memory.dmp	upx
behavioral2/memory/4836-159-0x00007FF689DB0000-0x00007FF68A101000-memory.dmp	upx
behavioral2/memory/3492-164-0x00007FF7FD200000-0x00007FF7FD551000-memory.dmp	upx
behavioral2/memory/4764-213-0x00007FF7BA730000-0x00007FF7BAA81000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\WtWfhhg.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hRDYTSM.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dRzHnHm.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aWRVCAy.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KAAWFff.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jDoeGWK.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CHamRPv.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XyfOsfc.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GqnJPxq.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UaWdJce.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MBURUph.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oGzvvnG.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vQHHyov.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\stFWVCg.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EKvjGyR.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hTBhUgO.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CzJPExW.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eQuWEgc.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BPiBegh.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uWERPyJ.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jWwfiZh.exe	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 4764	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3492 wrote to memory of 4764	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3492 wrote to memory of 3040	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3492 wrote to memory of 3040	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3492 wrote to memory of 4396	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3492 wrote to memory of 4396	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3492 wrote to memory of 2336	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3492 wrote to memory of 2336	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3492 wrote to memory of 3556	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3492 wrote to memory of 3556	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3492 wrote to memory of 3668	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3492 wrote to memory of 3668	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3492 wrote to memory of 1472	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3492 wrote to memory of 1472	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3492 wrote to memory of 1508	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3492 wrote to memory of 1508	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3492 wrote to memory of 4336	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3492 wrote to memory of 4336	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3492 wrote to memory of 1344	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3492 wrote to memory of 1344	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3492 wrote to memory of 1892	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3492 wrote to memory of 1892	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3492 wrote to memory of 2092	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3492 wrote to memory of 2092	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3492 wrote to memory of 2128	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3492 wrote to memory of 2128	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3492 wrote to memory of 2920	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3492 wrote to memory of 2920	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3492 wrote to memory of 2280	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3492 wrote to memory of 2280	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3492 wrote to memory of 4748	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3492 wrote to memory of 4748	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3492 wrote to memory of 4836	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3492 wrote to memory of 4836	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3492 wrote to memory of 4028	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3492 wrote to memory of 4028	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3492 wrote to memory of 4972	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3492 wrote to memory of 4972	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3492 wrote to memory of 3228	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3492 wrote to memory of 3228	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3492 wrote to memory of 1668	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3492 wrote to memory of 1668	3492	2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-27_c6cd21f0d4e9a3fd1a40aae68a9fc6a2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\System\dRzHnHm.exe
  C:\Windows\System\dRzHnHm.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\stFWVCg.exe
  C:\Windows\System\stFWVCg.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\EKvjGyR.exe
  C:\Windows\System\EKvjGyR.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\XyfOsfc.exe
  C:\Windows\System\XyfOsfc.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\GqnJPxq.exe
  C:\Windows\System\GqnJPxq.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System\eQuWEgc.exe
  C:\Windows\System\eQuWEgc.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\UaWdJce.exe
  C:\Windows\System\UaWdJce.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System\BPiBegh.exe
  C:\Windows\System\BPiBegh.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\aWRVCAy.exe
  C:\Windows\System\aWRVCAy.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\hTBhUgO.exe
  C:\Windows\System\hTBhUgO.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System\uWERPyJ.exe
  C:\Windows\System\uWERPyJ.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\MBURUph.exe
  C:\Windows\System\MBURUph.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\CzJPExW.exe
  C:\Windows\System\CzJPExW.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\jWwfiZh.exe
  C:\Windows\System\jWwfiZh.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\KAAWFff.exe
  C:\Windows\System\KAAWFff.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\jDoeGWK.exe
  C:\Windows\System\jDoeGWK.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\CHamRPv.exe
  C:\Windows\System\CHamRPv.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\WtWfhhg.exe
  C:\Windows\System\WtWfhhg.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\oGzvvnG.exe
  C:\Windows\System\oGzvvnG.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\hRDYTSM.exe
  C:\Windows\System\hRDYTSM.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\vQHHyov.exe
  C:\Windows\System\vQHHyov.exe
  2⤵
  - Executes dropped EXE
  PID:1668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BPiBegh.exe

Filesize
5.2MB

MD5
1f8879a6bf330184b075de84816447ab

SHA1
20222c2d2f98ab2c34e1b6936065a722566012ac

SHA256
349009479b5d98b91e81fe47e87cda5dec3f9bc7b2a9fd91eca504fb99986360

SHA512
525b65a7f9a407967d77a0251f1eb39977a60976b6d5300dd726f9eb1ea49d0bc56fd24a59942442c9fa2befa617a71dd232bf77233e18c8e70cd04b0555d34c

Download Submit
C:\Windows\System\CHamRPv.exe

Filesize
5.2MB

MD5
0bbd253daa2e20a089d1dedae2167e8d

SHA1
42956c714410227f6eec32a465136c6bc89c1ff4

SHA256
82b65bcce5c4710f7ba10ed5fc46f93936fd37f603f8e1cccafd326b0494fe93

SHA512
28d3fc680ba6961bf1eada633e632460a21b4d674f737104beec72efd6db4605cf5f77f011db68affbe621514e364bbd8b6c83f4da7a911a1eadb406aa1cfcaf

Download Submit
C:\Windows\System\CzJPExW.exe

Filesize
5.2MB

MD5
029c6c1c8460e9e1d2e1bef518c8c765

SHA1
508cb938805a685871bc912baafa8b5dbb24d944

SHA256
77c5f001787350a86fc8ed8d664bb3f35fc6fd6f9318479224b285e935fab857

SHA512
39a84707c672176f322da2dcb2d4097e3df4c521917991e0626e85fa2fbb66c5cc65f00ba5646220a06b1a7a479ef893ccf6b559c2da56842bd9960a892da139

Download Submit
C:\Windows\System\EKvjGyR.exe

Filesize
5.2MB

MD5
a84d9866553274dd53307cc787576a33

SHA1
506b13d85aa6f3aeb3f8504d95074188f76a11e6

SHA256
d982b217302dbcd1daffd66afbf136a5c0a82a2dbd10d1248a4deb1febe66e05

SHA512
f5644272ccbcdd666fd1a6976c830c9099b1bd8bb22a85467e90d8e4807942a576362c596eb7f7ebc5ed4e901ddf3f6bb29ada4c6c5dad7767de2a3db8f209f1

Download Submit
C:\Windows\System\GqnJPxq.exe

Filesize
5.2MB

MD5
f4f6c9946b6fd38785d356545e6ab0aa

SHA1
f3d884be6f135b08b373fc1347085cffefe8f7f3

SHA256
01aa0109583efec7fefc4980a4de2ee4df9656f00fafab2318a604e604fa5dd0

SHA512
ff693cab76b5032310c2e91bbf92a9076aae2800e1266f00204366dac0a64bfd9b79588c84dedfbda5b184cdac05456b6ba667f5dbc3fc0dbe2c75c4b14f7ebd

Download Submit
C:\Windows\System\KAAWFff.exe

Filesize
5.2MB

MD5
686ae450d9724256f6406e6b13613139

SHA1
031d7fa2aab25d26cfdef2e7790b72984fb1c018

SHA256
1bdf8cf28a82d8729a34434e6ae49bf79b28e790ffd9389ef377d45b1430dc60

SHA512
3b626a26f9f7f224f56e5bf9d1f7e97d86923fd4dc8d18a1c8807402c47804a84aab2c8ef35a8e35ad8ddeff723e580f0061cec3e42b9d649b00fa53c2f26c70

Download Submit
C:\Windows\System\MBURUph.exe

Filesize
5.2MB

MD5
2a7f309ea58fde66bcff1d4af862fd4e

SHA1
dbcdb3ee32f1b1273c5de02e556830121fd21e3f

SHA256
f603a418d2ff841f99776dfd6e7e7a909aaa74e10a79c1b8d26a2b6121dce88b

SHA512
b6a18b19a0cd9e193ec9c19fa46fd6ed5be1d65da38b811b5bc2fa41ef9011be602cd4cfcd2b0948fccf4e5566a88e04d0d82b8c63a10bc67a76e97cb7ee6e69

Download Submit
C:\Windows\System\UaWdJce.exe

Filesize
5.2MB

MD5
be4fcded4dc0999c5e785faac169add4

SHA1
52865d60aef29e4960c6b7e63cb6185bbb7b7ed7

SHA256
091a29ab4dd6cd3ca921210434c4ecf1901a39f3d277b5e9d2950622553d0d4c

SHA512
51d2f09d9f76e2d8a92576688fa672c4c0a68629a4c78b2947977eceecff3e278b9970130238f5da28faf718208d316b6e5ea5258f3fddb63421d4b94a01c20e

Download Submit
C:\Windows\System\WtWfhhg.exe

Filesize
5.2MB

MD5
ea833305f817168dbb5dcb8ddb0cb8d5

SHA1
b9ff308e402724d21c3cca63e9ca877c8f21631f

SHA256
5198fd250b3c501a446a1e69ba151bbca0c58757d4ac3a224434a67251b4a35a

SHA512
938a1e1349c8cc960be5310bfee3e46e6bc2a0094a7b55fe164162d8806f13f70d03a1aae1fe58f7c96849576028335c59741b0a26b46688c09b6fbdbbf37090

Download Submit
C:\Windows\System\XyfOsfc.exe

Filesize
5.2MB

MD5
32164a1953433d803a29a889e036c92c

SHA1
2a5df220ed52e3301b1c6a7215ec443f2edf6888

SHA256
467bd709be3c66f2efe053b5bbab929322fae61aae9c554c59b15bb3a5f36120

SHA512
7e8fbda0c0539ba9c384e2a9e53c1597b16f0328f767f9058ba7b342b43cdf02c7785c33561c2c9de6d6c2d754441f228347165e05260a3369c11efd55f63269

Download Submit
C:\Windows\System\aWRVCAy.exe

Filesize
5.2MB

MD5
5a0c20575047eb8a06095f0b7822337d

SHA1
032feb3a5bff14ddeb6040ba23a8a6444a150cd3

SHA256
4ca17a7a3beea0c707f59e4b4c0d5cf4a53f38f7731214eb754c8c870608e6bd

SHA512
7a41f4356b719a17dc5405bbcde4d6d525c674f5e7ba5df1706229b7ea7e313cdeaea80236da547d4bf936a1c19a93144b6eb1e2358534bb3868934bda85a3b3

Download Submit
C:\Windows\System\dRzHnHm.exe

Filesize
5.2MB

MD5
397388235701e2a9d3ceba3146287afa

SHA1
d60c4d2bf9756e372f2904be1421ebe88c9e1a7c

SHA256
3be90a9d984df59233a63cf00fc3d63351a420d2801d834ae8fa133c9ad35afc

SHA512
ee542b1497a533ab3b0fc36c734df0e41e81b552225bb83a9edf63b9281550254a992a739f70acf262045b2e9265d7f47f4f11b460af0ebf753ebda941258758

Download Submit
C:\Windows\System\eQuWEgc.exe

Filesize
5.2MB

MD5
ed60fc78f8745e1c37b31ec345a07a1e

SHA1
b4226b9fb8a6a46b057c2ace3420e455a50b6646

SHA256
1431a0cd66524a641b0954ff1c885cb86a1e3394803f10452bafdcce723e9ccc

SHA512
b0e42d9200cdda1d8815dc477270d6e56077c3cc82ee0c62fcc55157b1046a316a60a0465637c20faccc575f76e8af10660b9335598795eabeef442d309414dc

Download Submit
C:\Windows\System\hRDYTSM.exe

Filesize
5.2MB

MD5
9e581097a247f3a64f76609fd70a33e9

SHA1
eed55caef4e1fe42c010e3e2ab72f534ea4ce336

SHA256
d0add44cdd1e3c5833290bf54fc39e2a1a3abe0438ec2a31c97fb2a7f829f217

SHA512
0a6a5e1e1a9d09a233bfff2e04005846065fdacf9adf86ddcab01c58e0ad15d566ebb720e3806d84cc983329b30db97902c73f0a1b4c81aca09dd23d8b034079

Download Submit
C:\Windows\System\hTBhUgO.exe

Filesize
5.2MB

MD5
e3f84b1076484fb94d5aa434cde8a4a1

SHA1
fafc31512e69bd1531793cf0c123e2fc674c23d4

SHA256
f17fe82e0ece59d05b4995e1078e6f17f3f60cdc15aee2a800c25ae0371dc709

SHA512
23c32abede6bba487351ca68c6019aeb8b5bfab905d1967da40d6e91c299ddbc5b57c6c407ad5c632c545dce9549544004b4c2fb7e57b296088ec50b14ae9c15

Download Submit
C:\Windows\System\jDoeGWK.exe

Filesize
5.2MB

MD5
89fbb422b8474603bec8777d3ce8d4a4

SHA1
463410ca2c09db8001e106fa41f1f32b9e0f0064

SHA256
9c4f9343109919213074f52f267faac9fe87490a120e404cc839674ac06529ad

SHA512
621bfd94b376d1bb95ca6b249dd930b66e871bc20f5523faf3f9f6ab7032432bbc5e885ddb4e855b9c793d1feebb6c4edeab849810b4c1dad269dacc36f427ce

Download Submit
C:\Windows\System\jWwfiZh.exe

Filesize
5.2MB

MD5
f4c9d9e2e209f267ec8f4ea276e93fe9

SHA1
ecf95d2bf6c627dd1d2786a7035bd894490eb5a2

SHA256
d90a1f6ca70605e1ffdafe7958fe16298dbbe2b472149891bdb68d2dc992fc6e

SHA512
8339fde90fcb58d7d87fc81fa602e575a3454355812b54fe178c16eba356191774dbfcc1563488d9ea95b2c69643ad1abea8699a3f551fb082d445256c8289a2

Download Submit
C:\Windows\System\oGzvvnG.exe

Filesize
5.2MB

MD5
cbc61c292cdce7377df01f4ba30ff3de

SHA1
d603095f6c6a66208c09b9286f2f2c2d26d2821e

SHA256
4685d8fae514b7333fbf3fe73997014b1595767c1330c0dc4c8c66da6ac10624

SHA512
086315aba3580b3b3764f225f1129aa44897dd5c973a3117378ec2339aeaba7bc684ef60c6acad02e5769e84331b30ce12d0f4f3b098b84aabf92b193a0777ec

Download Submit
C:\Windows\System\stFWVCg.exe

Filesize
5.2MB

MD5
32bc9bc3c8eb3647b0f142da463fe344

SHA1
c1d85c309be146c94028afc82195af97b5e5dcb8

SHA256
9b7a37c1760f2dbd61dcfcc76e1d246090ada473548305243c9a17afac874364

SHA512
15d2912e23fcf1aff66fe24d406c8335a4aa50c19a3c8b89b24db9574a59c461ef6d5997bc946314ffbc79c667eb332307a32975bf63c80faac38d5c2e4968af

Download Submit
C:\Windows\System\uWERPyJ.exe

Filesize
5.2MB

MD5
2b725173e1a0d1008a11cb33e64518f3

SHA1
feb9c970ceb357ad9c2df978ffb9894dd2ce53af

SHA256
72baccd76a153895acc363c9fb35aedc65918aad9387c3a3d2ffef0106df188a

SHA512
d4c0af75e63473f9f8ae9938554a5a39f6c566960f06decddf770152054822127123efcd239da5a6e25cc1e2cf74c05b3f34974eec21cb5e97f504b60e44c1ef

Download Submit
C:\Windows\System\vQHHyov.exe

Filesize
5.2MB

MD5
b46bdbb2254a7d06743801b502006629

SHA1
f62c5de592b5d205d86c5a44ad8bc394f0253927

SHA256
a92f7c4ca38bfbcb518da2dd8b1006dab58d4c0fb5b9eba0ac710fbdc97e8115

SHA512
189b24d595e9878c2eb5ac678638d0619860b491efe7f1e7d97960545ee86068c9791a180186833c59d8772efbf6aa18c8a7da724cde60fb4c4afb266683bfe9

Download Submit
memory/1344-239-0x00007FF60CFC0000-0x00007FF60D311000-memory.dmp

Filesize
3.3MB

Download
memory/1344-60-0x00007FF60CFC0000-0x00007FF60D311000-memory.dmp

Filesize
3.3MB

Download
memory/1344-107-0x00007FF60CFC0000-0x00007FF60D311000-memory.dmp

Filesize
3.3MB

Download
memory/1472-37-0x00007FF63FCF0000-0x00007FF640041000-memory.dmp

Filesize
3.3MB

Download
memory/1472-84-0x00007FF63FCF0000-0x00007FF640041000-memory.dmp

Filesize
3.3MB

Download
memory/1472-227-0x00007FF63FCF0000-0x00007FF640041000-memory.dmp

Filesize
3.3MB

Download
memory/1508-53-0x00007FF72FEB0000-0x00007FF730201000-memory.dmp

Filesize
3.3MB

Download
memory/1508-230-0x00007FF72FEB0000-0x00007FF730201000-memory.dmp

Filesize
3.3MB

Download
memory/1668-149-0x00007FF7BC1E0000-0x00007FF7BC531000-memory.dmp

Filesize
3.3MB

Download
memory/1668-270-0x00007FF7BC1E0000-0x00007FF7BC531000-memory.dmp

Filesize
3.3MB

Download
memory/1892-242-0x00007FF723550000-0x00007FF7238A1000-memory.dmp

Filesize
3.3MB

Download
memory/1892-69-0x00007FF723550000-0x00007FF7238A1000-memory.dmp

Filesize
3.3MB

Download
memory/2092-150-0x00007FF62A910000-0x00007FF62AC61000-memory.dmp

Filesize
3.3MB

Download
memory/2092-77-0x00007FF62A910000-0x00007FF62AC61000-memory.dmp

Filesize
3.3MB

Download
memory/2092-245-0x00007FF62A910000-0x00007FF62AC61000-memory.dmp

Filesize
3.3MB

Download
memory/2128-86-0x00007FF7D34A0000-0x00007FF7D37F1000-memory.dmp

Filesize
3.3MB

Download
memory/2128-250-0x00007FF7D34A0000-0x00007FF7D37F1000-memory.dmp

Filesize
3.3MB

Download
memory/2128-152-0x00007FF7D34A0000-0x00007FF7D37F1000-memory.dmp

Filesize
3.3MB

Download
memory/2280-258-0x00007FF755B60000-0x00007FF755EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2280-158-0x00007FF755B60000-0x00007FF755EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2280-98-0x00007FF755B60000-0x00007FF755EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-81-0x00007FF774270000-0x00007FF7745C1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-225-0x00007FF774270000-0x00007FF7745C1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-24-0x00007FF774270000-0x00007FF7745C1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-252-0x00007FF6409E0000-0x00007FF640D31000-memory.dmp

Filesize
3.3MB

Download
memory/2920-92-0x00007FF6409E0000-0x00007FF640D31000-memory.dmp

Filesize
3.3MB

Download
memory/2920-154-0x00007FF6409E0000-0x00007FF640D31000-memory.dmp

Filesize
3.3MB

Download
memory/3040-14-0x00007FF672930000-0x00007FF672C81000-memory.dmp

Filesize
3.3MB

Download
memory/3040-73-0x00007FF672930000-0x00007FF672C81000-memory.dmp

Filesize
3.3MB

Download
memory/3040-215-0x00007FF672930000-0x00007FF672C81000-memory.dmp

Filesize
3.3MB

Download
memory/3228-272-0x00007FF64C2D0000-0x00007FF64C621000-memory.dmp

Filesize
3.3MB

Download
memory/3228-131-0x00007FF64C2D0000-0x00007FF64C621000-memory.dmp

Filesize
3.3MB

Download
memory/3228-162-0x00007FF64C2D0000-0x00007FF64C621000-memory.dmp

Filesize
3.3MB

Download
memory/3492-134-0x00007FF7FD200000-0x00007FF7FD551000-memory.dmp

Filesize
3.3MB

Download
memory/3492-0-0x00007FF7FD200000-0x00007FF7FD551000-memory.dmp

Filesize
3.3MB

Download
memory/3492-67-0x00007FF7FD200000-0x00007FF7FD551000-memory.dmp

Filesize
3.3MB

Download
memory/3492-164-0x00007FF7FD200000-0x00007FF7FD551000-memory.dmp

Filesize
3.3MB

Download
memory/3492-1-0x0000023A68320000-0x0000023A68330000-memory.dmp

Filesize
64KB

Download
memory/3556-32-0x00007FF6CD1D0000-0x00007FF6CD521000-memory.dmp

Filesize
3.3MB

Download
memory/3556-233-0x00007FF6CD1D0000-0x00007FF6CD521000-memory.dmp

Filesize
3.3MB

Download
memory/3556-82-0x00007FF6CD1D0000-0x00007FF6CD521000-memory.dmp

Filesize
3.3MB

Download
memory/3668-41-0x00007FF7CF240000-0x00007FF7CF591000-memory.dmp

Filesize
3.3MB

Download
memory/3668-85-0x00007FF7CF240000-0x00007FF7CF591000-memory.dmp

Filesize
3.3MB

Download
memory/3668-232-0x00007FF7CF240000-0x00007FF7CF591000-memory.dmp

Filesize
3.3MB

Download
memory/4028-160-0x00007FF646B30000-0x00007FF646E81000-memory.dmp

Filesize
3.3MB

Download
memory/4028-262-0x00007FF646B30000-0x00007FF646E81000-memory.dmp

Filesize
3.3MB

Download
memory/4028-129-0x00007FF646B30000-0x00007FF646E81000-memory.dmp

Filesize
3.3MB

Download
memory/4336-54-0x00007FF65FDA0000-0x00007FF6600F1000-memory.dmp

Filesize
3.3MB

Download
memory/4336-102-0x00007FF65FDA0000-0x00007FF6600F1000-memory.dmp

Filesize
3.3MB

Download
memory/4336-238-0x00007FF65FDA0000-0x00007FF6600F1000-memory.dmp

Filesize
3.3MB

Download
memory/4396-223-0x00007FF6AF3F0000-0x00007FF6AF741000-memory.dmp

Filesize
3.3MB

Download
memory/4396-75-0x00007FF6AF3F0000-0x00007FF6AF741000-memory.dmp

Filesize
3.3MB

Download
memory/4396-18-0x00007FF6AF3F0000-0x00007FF6AF741000-memory.dmp

Filesize
3.3MB

Download
memory/4748-110-0x00007FF7320A0000-0x00007FF7323F1000-memory.dmp

Filesize
3.3MB

Download
memory/4748-157-0x00007FF7320A0000-0x00007FF7323F1000-memory.dmp

Filesize
3.3MB

Download
memory/4748-260-0x00007FF7320A0000-0x00007FF7323F1000-memory.dmp

Filesize
3.3MB

Download
memory/4764-7-0x00007FF7BA730000-0x00007FF7BAA81000-memory.dmp

Filesize
3.3MB

Download
memory/4764-213-0x00007FF7BA730000-0x00007FF7BAA81000-memory.dmp

Filesize
3.3MB

Download
memory/4764-70-0x00007FF7BA730000-0x00007FF7BAA81000-memory.dmp

Filesize
3.3MB

Download
memory/4836-159-0x00007FF689DB0000-0x00007FF68A101000-memory.dmp

Filesize
3.3MB

Download
memory/4836-266-0x00007FF689DB0000-0x00007FF68A101000-memory.dmp

Filesize
3.3MB

Download
memory/4836-115-0x00007FF689DB0000-0x00007FF68A101000-memory.dmp

Filesize
3.3MB

Download
memory/4972-264-0x00007FF721390000-0x00007FF7216E1000-memory.dmp

Filesize
3.3MB

Download
memory/4972-140-0x00007FF721390000-0x00007FF7216E1000-memory.dmp

Filesize
3.3MB

Download