cobaltstrike | c8bf87778e6793f4fed5d2b9999b27cbc04fae639798e0c48685917c884c76ab

Analysis

max time kernel
140s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d7c1c5df3eaca6ee14eeed00db7c4e2b
SHA1

7e469b75941d2a7e485229198985e2b409fbd66f
SHA256

c8bf87778e6793f4fed5d2b9999b27cbc04fae639798e0c48685917c884c76ab
SHA512

ddd512ad094db15e6bcf72b80cd251b59120dc062b98e824d50547dd861218dda81ae0f57c1b799964c919de314d04b98094a72e47b939c4d39b15ad7e5a89fe
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ln:RWWBibf56utgpPFotBER/mQ32lUr

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234a4-6.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a5-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a6-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a7-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234aa-43.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ac-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ab-54.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ad-63.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234af-69.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b0-89.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b4-105.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b7-127.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b6-125.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b3-119.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b5-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b2-111.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b1-92.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234a2-91.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ae-65.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a9-40.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a8-30.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4348-35-0x00007FF710840000-0x00007FF710B91000-memory.dmp	xmrig
behavioral2/memory/2756-58-0x00007FF683FA0000-0x00007FF6842F1000-memory.dmp	xmrig
behavioral2/memory/4448-110-0x00007FF75DC90000-0x00007FF75DFE1000-memory.dmp	xmrig
behavioral2/memory/4344-122-0x00007FF7A4210000-0x00007FF7A4561000-memory.dmp	xmrig
behavioral2/memory/4048-124-0x00007FF6EB600000-0x00007FF6EB951000-memory.dmp	xmrig
behavioral2/memory/2452-116-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	xmrig
behavioral2/memory/4496-66-0x00007FF75BB70000-0x00007FF75BEC1000-memory.dmp	xmrig
behavioral2/memory/2904-59-0x00007FF7F7590000-0x00007FF7F78E1000-memory.dmp	xmrig
behavioral2/memory/3544-36-0x00007FF726330000-0x00007FF726681000-memory.dmp	xmrig
behavioral2/memory/2288-130-0x00007FF6478D0000-0x00007FF647C21000-memory.dmp	xmrig
behavioral2/memory/4488-131-0x00007FF6F7A60000-0x00007FF6F7DB1000-memory.dmp	xmrig
behavioral2/memory/4448-132-0x00007FF75DC90000-0x00007FF75DFE1000-memory.dmp	xmrig
behavioral2/memory/3016-142-0x00007FF647780000-0x00007FF647AD1000-memory.dmp	xmrig
behavioral2/memory/4796-143-0x00007FF74FE30000-0x00007FF750181000-memory.dmp	xmrig
behavioral2/memory/388-139-0x00007FF6B42A0000-0x00007FF6B45F1000-memory.dmp	xmrig
behavioral2/memory/4060-151-0x00007FF684530000-0x00007FF684881000-memory.dmp	xmrig
behavioral2/memory/4740-153-0x00007FF6B14D0000-0x00007FF6B1821000-memory.dmp	xmrig
behavioral2/memory/4012-152-0x00007FF7E20A0000-0x00007FF7E23F1000-memory.dmp	xmrig
behavioral2/memory/4476-148-0x00007FF64F340000-0x00007FF64F691000-memory.dmp	xmrig
behavioral2/memory/3332-149-0x00007FF7D43C0000-0x00007FF7D4711000-memory.dmp	xmrig
behavioral2/memory/1032-146-0x00007FF6C7830000-0x00007FF6C7B81000-memory.dmp	xmrig
behavioral2/memory/4848-145-0x00007FF669780000-0x00007FF669AD1000-memory.dmp	xmrig
behavioral2/memory/1516-144-0x00007FF6F1670000-0x00007FF6F19C1000-memory.dmp	xmrig
behavioral2/memory/4448-154-0x00007FF75DC90000-0x00007FF75DFE1000-memory.dmp	xmrig
behavioral2/memory/4048-202-0x00007FF6EB600000-0x00007FF6EB951000-memory.dmp	xmrig
behavioral2/memory/2288-217-0x00007FF6478D0000-0x00007FF647C21000-memory.dmp	xmrig
behavioral2/memory/4348-219-0x00007FF710840000-0x00007FF710B91000-memory.dmp	xmrig
behavioral2/memory/3544-223-0x00007FF726330000-0x00007FF726681000-memory.dmp	xmrig
behavioral2/memory/4488-222-0x00007FF6F7A60000-0x00007FF6F7DB1000-memory.dmp	xmrig
behavioral2/memory/388-227-0x00007FF6B42A0000-0x00007FF6B45F1000-memory.dmp	xmrig
behavioral2/memory/2756-226-0x00007FF683FA0000-0x00007FF6842F1000-memory.dmp	xmrig
behavioral2/memory/4496-231-0x00007FF75BB70000-0x00007FF75BEC1000-memory.dmp	xmrig
behavioral2/memory/2904-230-0x00007FF7F7590000-0x00007FF7F78E1000-memory.dmp	xmrig
behavioral2/memory/3016-233-0x00007FF647780000-0x00007FF647AD1000-memory.dmp	xmrig
behavioral2/memory/4796-235-0x00007FF74FE30000-0x00007FF750181000-memory.dmp	xmrig
behavioral2/memory/1516-245-0x00007FF6F1670000-0x00007FF6F19C1000-memory.dmp	xmrig
behavioral2/memory/2452-247-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	xmrig
behavioral2/memory/1032-249-0x00007FF6C7830000-0x00007FF6C7B81000-memory.dmp	xmrig
behavioral2/memory/4848-243-0x00007FF669780000-0x00007FF669AD1000-memory.dmp	xmrig
behavioral2/memory/4344-261-0x00007FF7A4210000-0x00007FF7A4561000-memory.dmp	xmrig
behavioral2/memory/4060-260-0x00007FF684530000-0x00007FF684881000-memory.dmp	xmrig
behavioral2/memory/3332-257-0x00007FF7D43C0000-0x00007FF7D4711000-memory.dmp	xmrig
behavioral2/memory/4476-256-0x00007FF64F340000-0x00007FF64F691000-memory.dmp	xmrig
behavioral2/memory/4740-253-0x00007FF6B14D0000-0x00007FF6B1821000-memory.dmp	xmrig
behavioral2/memory/4012-252-0x00007FF7E20A0000-0x00007FF7E23F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4048	ifjpmMh.exe
2288	XoFufTq.exe
4488	HduaRdT.exe
4348	xwbcowz.exe
3544	uBJEPyE.exe
2756	BMINzLQ.exe
388	abYhUkY.exe
4496	UkTbBHE.exe
2904	LJzLYwG.exe
3016	fBdmtJP.exe
4796	dVYEjVm.exe
1516	JXgsBKT.exe
4848	RJKMjNA.exe
1032	YLvJlNE.exe
2452	jzIByZc.exe
4476	aMWZZLB.exe
3332	BzRyzZx.exe
4344	DtryxIL.exe
4060	ovwkdjg.exe
4012	uRCjRig.exe
4740	JNzYJFu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4448-0-0x00007FF75DC90000-0x00007FF75DFE1000-memory.dmp	upx
behavioral2/files/0x00080000000234a4-6.dat	upx
behavioral2/files/0x00070000000234a5-10.dat	upx
behavioral2/files/0x00070000000234a6-11.dat	upx
behavioral2/files/0x00070000000234a7-23.dat	upx
behavioral2/memory/4348-35-0x00007FF710840000-0x00007FF710B91000-memory.dmp	upx
behavioral2/memory/388-39-0x00007FF6B42A0000-0x00007FF6B45F1000-memory.dmp	upx
behavioral2/files/0x00070000000234aa-43.dat	upx
behavioral2/files/0x00070000000234ac-47.dat	upx
behavioral2/files/0x00070000000234ab-54.dat	upx
behavioral2/memory/2756-58-0x00007FF683FA0000-0x00007FF6842F1000-memory.dmp	upx
behavioral2/files/0x00070000000234ad-63.dat	upx
behavioral2/memory/4796-70-0x00007FF74FE30000-0x00007FF750181000-memory.dmp	upx
behavioral2/files/0x00070000000234af-69.dat	upx
behavioral2/files/0x00070000000234b0-89.dat	upx
behavioral2/files/0x00070000000234b4-105.dat	upx
behavioral2/memory/4448-110-0x00007FF75DC90000-0x00007FF75DFE1000-memory.dmp	upx
behavioral2/memory/4344-122-0x00007FF7A4210000-0x00007FF7A4561000-memory.dmp	upx
behavioral2/files/0x00070000000234b7-127.dat	upx
behavioral2/memory/4012-129-0x00007FF7E20A0000-0x00007FF7E23F1000-memory.dmp	upx
behavioral2/files/0x00070000000234b6-125.dat	upx
behavioral2/memory/4048-124-0x00007FF6EB600000-0x00007FF6EB951000-memory.dmp	upx
behavioral2/memory/4740-123-0x00007FF6B14D0000-0x00007FF6B1821000-memory.dmp	upx
behavioral2/files/0x00070000000234b3-119.dat	upx
behavioral2/memory/2452-116-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	upx
behavioral2/memory/4060-109-0x00007FF684530000-0x00007FF684881000-memory.dmp	upx
behavioral2/files/0x00070000000234b5-107.dat	upx
behavioral2/memory/3332-104-0x00007FF7D43C0000-0x00007FF7D4711000-memory.dmp	upx
behavioral2/files/0x00070000000234b2-111.dat	upx
behavioral2/memory/4476-101-0x00007FF64F340000-0x00007FF64F691000-memory.dmp	upx
behavioral2/files/0x00070000000234b1-92.dat	upx
behavioral2/files/0x00080000000234a2-91.dat	upx
behavioral2/memory/4848-87-0x00007FF669780000-0x00007FF669AD1000-memory.dmp	upx
behavioral2/memory/1032-84-0x00007FF6C7830000-0x00007FF6C7B81000-memory.dmp	upx
behavioral2/memory/1516-73-0x00007FF6F1670000-0x00007FF6F19C1000-memory.dmp	upx
behavioral2/files/0x00070000000234ae-65.dat	upx
behavioral2/memory/4496-66-0x00007FF75BB70000-0x00007FF75BEC1000-memory.dmp	upx
behavioral2/memory/3016-62-0x00007FF647780000-0x00007FF647AD1000-memory.dmp	upx
behavioral2/memory/2904-59-0x00007FF7F7590000-0x00007FF7F78E1000-memory.dmp	upx
behavioral2/files/0x00070000000234a9-40.dat	upx
behavioral2/memory/3544-36-0x00007FF726330000-0x00007FF726681000-memory.dmp	upx
behavioral2/files/0x00070000000234a8-30.dat	upx
behavioral2/memory/4488-21-0x00007FF6F7A60000-0x00007FF6F7DB1000-memory.dmp	upx
behavioral2/memory/2288-14-0x00007FF6478D0000-0x00007FF647C21000-memory.dmp	upx
behavioral2/memory/4048-8-0x00007FF6EB600000-0x00007FF6EB951000-memory.dmp	upx
behavioral2/memory/2288-130-0x00007FF6478D0000-0x00007FF647C21000-memory.dmp	upx
behavioral2/memory/4488-131-0x00007FF6F7A60000-0x00007FF6F7DB1000-memory.dmp	upx
behavioral2/memory/4448-132-0x00007FF75DC90000-0x00007FF75DFE1000-memory.dmp	upx
behavioral2/memory/3016-142-0x00007FF647780000-0x00007FF647AD1000-memory.dmp	upx
behavioral2/memory/4796-143-0x00007FF74FE30000-0x00007FF750181000-memory.dmp	upx
behavioral2/memory/388-139-0x00007FF6B42A0000-0x00007FF6B45F1000-memory.dmp	upx
behavioral2/memory/4060-151-0x00007FF684530000-0x00007FF684881000-memory.dmp	upx
behavioral2/memory/4740-153-0x00007FF6B14D0000-0x00007FF6B1821000-memory.dmp	upx
behavioral2/memory/4012-152-0x00007FF7E20A0000-0x00007FF7E23F1000-memory.dmp	upx
behavioral2/memory/4476-148-0x00007FF64F340000-0x00007FF64F691000-memory.dmp	upx
behavioral2/memory/3332-149-0x00007FF7D43C0000-0x00007FF7D4711000-memory.dmp	upx
behavioral2/memory/1032-146-0x00007FF6C7830000-0x00007FF6C7B81000-memory.dmp	upx
behavioral2/memory/4848-145-0x00007FF669780000-0x00007FF669AD1000-memory.dmp	upx
behavioral2/memory/1516-144-0x00007FF6F1670000-0x00007FF6F19C1000-memory.dmp	upx
behavioral2/memory/4448-154-0x00007FF75DC90000-0x00007FF75DFE1000-memory.dmp	upx
behavioral2/memory/4048-202-0x00007FF6EB600000-0x00007FF6EB951000-memory.dmp	upx
behavioral2/memory/2288-217-0x00007FF6478D0000-0x00007FF647C21000-memory.dmp	upx
behavioral2/memory/4348-219-0x00007FF710840000-0x00007FF710B91000-memory.dmp	upx
behavioral2/memory/3544-223-0x00007FF726330000-0x00007FF726681000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\uBJEPyE.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BzRyzZx.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DtryxIL.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uRCjRig.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ifjpmMh.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fBdmtJP.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dVYEjVm.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jzIByZc.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JNzYJFu.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xwbcowz.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BMINzLQ.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\abYhUkY.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LJzLYwG.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JXgsBKT.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RJKMjNA.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YLvJlNE.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aMWZZLB.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XoFufTq.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UkTbBHE.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ovwkdjg.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HduaRdT.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 4048	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4448 wrote to memory of 4048	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4448 wrote to memory of 2288	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4448 wrote to memory of 2288	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4448 wrote to memory of 4488	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4448 wrote to memory of 4488	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4448 wrote to memory of 4348	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4448 wrote to memory of 4348	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4448 wrote to memory of 3544	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4448 wrote to memory of 3544	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4448 wrote to memory of 2756	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4448 wrote to memory of 2756	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4448 wrote to memory of 388	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4448 wrote to memory of 388	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4448 wrote to memory of 2904	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4448 wrote to memory of 2904	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4448 wrote to memory of 4496	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4448 wrote to memory of 4496	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4448 wrote to memory of 3016	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4448 wrote to memory of 3016	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4448 wrote to memory of 4796	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4448 wrote to memory of 4796	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4448 wrote to memory of 1516	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4448 wrote to memory of 1516	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4448 wrote to memory of 4848	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4448 wrote to memory of 4848	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4448 wrote to memory of 1032	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4448 wrote to memory of 1032	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4448 wrote to memory of 2452	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4448 wrote to memory of 2452	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4448 wrote to memory of 4476	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4448 wrote to memory of 4476	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4448 wrote to memory of 3332	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4448 wrote to memory of 3332	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4448 wrote to memory of 4344	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4448 wrote to memory of 4344	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4448 wrote to memory of 4060	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4448 wrote to memory of 4060	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4448 wrote to memory of 4012	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4448 wrote to memory of 4012	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4448 wrote to memory of 4740	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4448 wrote to memory of 4740	4448	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\System\ifjpmMh.exe
  C:\Windows\System\ifjpmMh.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System\XoFufTq.exe
  C:\Windows\System\XoFufTq.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\HduaRdT.exe
  C:\Windows\System\HduaRdT.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\xwbcowz.exe
  C:\Windows\System\xwbcowz.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System\uBJEPyE.exe
  C:\Windows\System\uBJEPyE.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System\BMINzLQ.exe
  C:\Windows\System\BMINzLQ.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\abYhUkY.exe
  C:\Windows\System\abYhUkY.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System\LJzLYwG.exe
  C:\Windows\System\LJzLYwG.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\UkTbBHE.exe
  C:\Windows\System\UkTbBHE.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\fBdmtJP.exe
  C:\Windows\System\fBdmtJP.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\dVYEjVm.exe
  C:\Windows\System\dVYEjVm.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\JXgsBKT.exe
  C:\Windows\System\JXgsBKT.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\RJKMjNA.exe
  C:\Windows\System\RJKMjNA.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\YLvJlNE.exe
  C:\Windows\System\YLvJlNE.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System\jzIByZc.exe
  C:\Windows\System\jzIByZc.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\aMWZZLB.exe
  C:\Windows\System\aMWZZLB.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\BzRyzZx.exe
  C:\Windows\System\BzRyzZx.exe
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Windows\System\DtryxIL.exe
  C:\Windows\System\DtryxIL.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\ovwkdjg.exe
  C:\Windows\System\ovwkdjg.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\uRCjRig.exe
  C:\Windows\System\uRCjRig.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\JNzYJFu.exe
  C:\Windows\System\JNzYJFu.exe
  2⤵
  - Executes dropped EXE
  PID:4740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BMINzLQ.exe

Filesize
5.2MB

MD5
a497d3a9735707da41d9fe28cf248971

SHA1
ec1b82e97148537601e3b5f04ccd1320a60ec546

SHA256
a48284b303b76a2cf7f72634c1efc8007f5b92dd3353392156d100ba4890b20e

SHA512
44d3d4db5df7fd64729abfc5c3f797ccd347711b7941bcca471d5ea56c12331e3e0cf40caceb481e35dcc3cb5b4af16ae2d61e04ff151b912c18971131591f50

Download Submit
C:\Windows\System\BzRyzZx.exe

Filesize
5.2MB

MD5
f4ae90f7605deb7f4fdc53269a92553d

SHA1
1ff8c14357c765b81552e463190f1bacc98f43cb

SHA256
a67d023c8dda4e6be933272ceb49d78871c05de2439c6ef6a3a6ed8703769fab

SHA512
f6fede7b0b03b85036605a5493612f1c3191583972cc4e044eef7f794de47a2950c13c310388ec70aac307856890ad40a94a04d4cbd606155e3593d459b73200

Download Submit
C:\Windows\System\DtryxIL.exe

Filesize
5.2MB

MD5
c949a02a36971f08b7fc4e7f46e076a7

SHA1
8493c5035c7d4f4a8b40851ebe527fe39ce1ee1e

SHA256
7bcd6b480ac02ed7fe88d3b59aaaa97db1faa5a6f7edc71239903f29b7cb8a66

SHA512
3e12651e6384df728eea6f9610d572774f88c53be93c934674010c240c757c9329cfabefacef7bd08b5f5cfddf741b892853563a348d6ef52a0b22549f84acd4

Download Submit
C:\Windows\System\HduaRdT.exe

Filesize
5.2MB

MD5
8f16d0b7290fc51b556848be2b5b88bf

SHA1
c0c7ec97d111297051a10c47a1afdb72a4f03eba

SHA256
0e216fdd93ca0b246edfe28b133c35d0c0e4952a13c71c51080ea6f4f1b44187

SHA512
e6c81bd9361d9ffbba927c21705d2f9d9533f0e19b48cc662d1bb5c5f4cdf55dc86ec33a65585a0289e7cace3bb27955369152541cf10914a4a20729e62db470

Download Submit
C:\Windows\System\JNzYJFu.exe

Filesize
5.2MB

MD5
ca33859588957c7b8ec6422c67c5b32c

SHA1
4ee26efb13434b8cd0be21fca8cc6be74a619823

SHA256
52e7dfc6d0815061880d503ca24730cbd50470bb3f55b44a7720ed7db3c45593

SHA512
ffd456bce7f8b174d3e33de4a9122ef76eb00dc57337ce6c497f6bc3bfcbd190b27629ee211958239a575315a9de9ceeaea7ae303f1b6876609cd89100b0bb06

Download Submit
C:\Windows\System\JXgsBKT.exe

Filesize
5.2MB

MD5
f7f7d506106d56bb898ac6bcbe7e55d6

SHA1
54e44c91164cd897a05314a557ebfc01467a7538

SHA256
4389b131ae9f2bcf7f9e02dc7d3a1d1ec843b23927fedc948543c8ca785b43ed

SHA512
6a555de8a62bf3427ca30313ced1fbfff276be47f7b52b9ca03ec70b94412f261f406fbbcc8d92125adf828e7e3b10f59d120d98f19c0517cc92a51ed22a29a7

Download Submit
C:\Windows\System\LJzLYwG.exe

Filesize
5.2MB

MD5
c71fc5848cbe97344a0b39f0e7317b4d

SHA1
ea0454380b2e917a62597bc3cb2ebb64b7f048b7

SHA256
97cb9b19d54b6e909b1c25624ebdf01da53031a50c837a4b8a197664b5f89be5

SHA512
9b73114ac9565799d5d7ef224afc5a05f557d313dc3d42d29dad048714c6e9e1786dedb5738bb8d6e9794ba89a053a9f0f94b99b679ccd648495153b816d4069

Download Submit
C:\Windows\System\RJKMjNA.exe

Filesize
5.2MB

MD5
91615b222ab10fbe28128d1730c2ef9b

SHA1
edbf8e4c8a26b818746e0743419bf20b51c8f24c

SHA256
a192dc00e4cccbe7bedb93395364701c8169abb7010fa3195a31a27d507080a0

SHA512
1660e2cb40f503f68996392aea213c84c8814ae7d3757dc089a736913bd4e77df92b9b874309e75699598095b42c7512b939cd71ed6687ff251d5397ef617154

Download Submit
C:\Windows\System\UkTbBHE.exe

Filesize
5.2MB

MD5
0cfee4923511659cb080733917c1192f

SHA1
67c6765947360d0b19088c12cc3ddffc5201e7d5

SHA256
18328b5d1859f2da7bed43cd0bd9826ae5899d0b1ac47c2dc7aaeb76314d5d98

SHA512
0c94f6184232ff38ca14741b46330d6595f94a49a2f10ab36649fc3a48ba2d6024dd6c5d20abc7fdbfc4c1c09f3928a3ead486810b09ffdb46aebf05267e1efd

Download Submit
C:\Windows\System\XoFufTq.exe

Filesize
5.2MB

MD5
c875c84735bc7e5cac70d549bfc83010

SHA1
acd198d1ac87e00036746ab30ca854d6fcc9a5d2

SHA256
1486865eb33feadf45ff617feccc16cc8ceb2b1a3a1fc57b3a35c892b81c434f

SHA512
34dd147abdf303347ad976e373c6e2eb4f9e9361119f7d08acc563f0bf2d39e2ea97f8a43108d4f10b1c098a1ff90e80e40c9a90ed8fa238cc5ae2cdae1d5bc0

Download Submit
C:\Windows\System\YLvJlNE.exe

Filesize
5.2MB

MD5
b9e2ec10edd3e823991740af81c08c87

SHA1
48d066ae85c6f17175cdb9f5c1686a25dc85cd4a

SHA256
bf20769b949392977d23f0117735a0a507937998cce542260030a2ea1c2f19fb

SHA512
53aa8ece71c8d11ff7e04e7eaf6d2c4bbb63f5d0fd3be41c968ac6bf317a1cf33fbf074362049933b608bae1eec74ad39770347972a5ba5ddc88269699f15f11

Download Submit
C:\Windows\System\aMWZZLB.exe

Filesize
5.2MB

MD5
bbef16c1a79515f90d67518139f279ad

SHA1
8bd2437722a2b575aaaf50f25f0f4d37463325af

SHA256
ca8846d24c439356977c91f73921a73baaa4ddf954aca287163cb357212795d1

SHA512
85e76e9ed57a09e2bcbbedb034a41d152e1f7cfcb7685e23bae5cdbe403406898a8d921521a1e405866e3a878b60b3265eee52d053ac59c96ff8f0e04d34cd98

Download Submit
C:\Windows\System\abYhUkY.exe

Filesize
5.2MB

MD5
43bcc088819f9d09fc46c683a010abe5

SHA1
92b5bf7ca99f9cf42845b760042497aab779de30

SHA256
9fd7627e6218801797eb72fefff682b91f715d84f185862f90f44f9663fe29bc

SHA512
74cf12eaefd2980f0cabe51803ccd84917d1fe6338a7007afb3b9048983b4ce7811b26128085b1802ed227212e42c8962332d60534eaf89e04ac85b4d4cf57c1

Download Submit
C:\Windows\System\dVYEjVm.exe

Filesize
5.2MB

MD5
82558913b92ca7dc1e3372e1a55a379f

SHA1
932d225ce3af0ffa3bc0715f73c1e5cb9e83f69b

SHA256
2fc6dce34c35a070de281215c76529578b61b0d55be4a196c66ede969dd246c0

SHA512
f5c2f6a4e55ff00e5a3f525d45db3f24bbc9fee0eeab7cd5bd93d9289f52c436d4f63acf02e3163806a3b95d713d507e08e6f4163f5663719a10b14983d07e30

Download Submit
C:\Windows\System\fBdmtJP.exe

Filesize
5.2MB

MD5
789718e220062ba5d1f3d9a523e280ba

SHA1
5a174fc1079b98c60692ad68fcef598d13c9c55a

SHA256
7584c51516adf62aef7eee507c224a5ca3688f829c78e711f09cefdc27d6b246

SHA512
78e04b72bc39d0490ba409f996e9942cc2d3032f1aebe080388f229b9eb120b8036ca50f0884c582af95e3e3a0810ab74921c7f3787ba70796fd192c04c755de

Download Submit
C:\Windows\System\ifjpmMh.exe

Filesize
5.2MB

MD5
bcd0303c66fc2f2144957b2154021541

SHA1
5a8a08526942ce3892e10f6223a1c80968a524d1

SHA256
7dd186738e980d92bcbb2ee1d1b9a4da02b4030e7ac318ae5d7dc324b528c2f6

SHA512
340a1d7e3475ddc9d7c3d7bc5ec01f56ec47c2c05bc6a1ef680d34a1a8ca5e61e7599ae6c4d96282f84a118d3a5735338fd52b42a1e02254df9cee11c2215863

Download Submit
C:\Windows\System\jzIByZc.exe

Filesize
5.2MB

MD5
40f3be2acce1c9541577076ee20be13c

SHA1
3b19078094df13172306c8f111d173231b3987ae

SHA256
3255738a22c3aa7ff29b4dc22c470c77a157786b86f356a79e22354db22af75c

SHA512
1f8954d20d397715d7c2fa8125c9822ed0b965f8f37b8a7703f561af4729360ed0364e3004fff379806b79115cb1e2c39367bdc294c43bd0ed5c65ca2c9d5c09

Download Submit
C:\Windows\System\ovwkdjg.exe

Filesize
5.2MB

MD5
2968409233cc0a73d8d6d66ef8bdd8e3

SHA1
d87df3147df32cd3a1af2a5614499cf208263cbe

SHA256
b833083f8741db6f4b55b6ab50367eeb2694691d28adfd92fe97cd67646fcf4e

SHA512
17bb7a1d664286e51448cd8d07a37e6c2abfc430c739d0c445dd5d3084aea6fad3e9b24a9cc35a65bafdf0a2f8fc3e6cf128dae99d75f525cb9f7c39c30bb33b

Download Submit
C:\Windows\System\uBJEPyE.exe

Filesize
5.2MB

MD5
4442206cc239e6efd9e1faf7f7be7c02

SHA1
31a845b40a8cb99fe9332491d7ac2ffb54aa9eac

SHA256
3ea7ca07dd15a390dd32a9e3ba1608a73f76588b3b398ad7cfde7268af8f1909

SHA512
f6b7b3a303d127da311e3fcafd52df6a4c5831ec64253fcb5f2697f92c304ec32bfacd0758ac9c24d0bfb357fdc6e01c6037f1f6d7ddfe4f640731f0dba7cad9

Download Submit
C:\Windows\System\uRCjRig.exe

Filesize
5.2MB

MD5
d1557a5a8bb55e8efe9a9b6830286a47

SHA1
799fbbf2745d5fdb4f1449f6c666ea9fd65a614b

SHA256
1748cff8323632c839a4d841a358bb16e3cbbc755d99c9ae0ea3d6d2a052bac1

SHA512
3fca4c8ac0ef639e856bd0bd5ca53c4ddfc25c6972430d2b57a3124631e4a6623bce6195fc3d9f4482bfd1900b3046b10ca1be2d4c398268325c711d91bfe10d

Download Submit
C:\Windows\System\xwbcowz.exe

Filesize
5.2MB

MD5
c511799252a54d5abe7c18e886360e23

SHA1
73d1bd019a5a4876e5bebe330cd649879d7f1118

SHA256
5a1846aa66b9304427b8b3d61c6c6f491785a1c59dcd89b4ed6ca818f46f4237

SHA512
8faebf2113a40336216e22ee26184dbae945c3d9980a9eae2c83b2efa77969d6be675bd6c1e221d2f8ff4e1efad5f9657ef7efa44efcfd1e15a7460c908b1592

Download Submit
memory/388-39-0x00007FF6B42A0000-0x00007FF6B45F1000-memory.dmp

Filesize
3.3MB

Download
memory/388-227-0x00007FF6B42A0000-0x00007FF6B45F1000-memory.dmp

Filesize
3.3MB

Download
memory/388-139-0x00007FF6B42A0000-0x00007FF6B45F1000-memory.dmp

Filesize
3.3MB

Download
memory/1032-249-0x00007FF6C7830000-0x00007FF6C7B81000-memory.dmp

Filesize
3.3MB

Download
memory/1032-84-0x00007FF6C7830000-0x00007FF6C7B81000-memory.dmp

Filesize
3.3MB

Download
memory/1032-146-0x00007FF6C7830000-0x00007FF6C7B81000-memory.dmp

Filesize
3.3MB

Download
memory/1516-144-0x00007FF6F1670000-0x00007FF6F19C1000-memory.dmp

Filesize
3.3MB

Download
memory/1516-245-0x00007FF6F1670000-0x00007FF6F19C1000-memory.dmp

Filesize
3.3MB

Download
memory/1516-73-0x00007FF6F1670000-0x00007FF6F19C1000-memory.dmp

Filesize
3.3MB

Download
memory/2288-130-0x00007FF6478D0000-0x00007FF647C21000-memory.dmp

Filesize
3.3MB

Download
memory/2288-14-0x00007FF6478D0000-0x00007FF647C21000-memory.dmp

Filesize
3.3MB

Download
memory/2288-217-0x00007FF6478D0000-0x00007FF647C21000-memory.dmp

Filesize
3.3MB

Download
memory/2452-247-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp

Filesize
3.3MB

Download
memory/2452-116-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp

Filesize
3.3MB

Download
memory/2756-58-0x00007FF683FA0000-0x00007FF6842F1000-memory.dmp

Filesize
3.3MB

Download
memory/2756-226-0x00007FF683FA0000-0x00007FF6842F1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-59-0x00007FF7F7590000-0x00007FF7F78E1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-230-0x00007FF7F7590000-0x00007FF7F78E1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-62-0x00007FF647780000-0x00007FF647AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-142-0x00007FF647780000-0x00007FF647AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-233-0x00007FF647780000-0x00007FF647AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3332-104-0x00007FF7D43C0000-0x00007FF7D4711000-memory.dmp

Filesize
3.3MB

Download
memory/3332-149-0x00007FF7D43C0000-0x00007FF7D4711000-memory.dmp

Filesize
3.3MB

Download
memory/3332-257-0x00007FF7D43C0000-0x00007FF7D4711000-memory.dmp

Filesize
3.3MB

Download
memory/3544-223-0x00007FF726330000-0x00007FF726681000-memory.dmp

Filesize
3.3MB

Download
memory/3544-36-0x00007FF726330000-0x00007FF726681000-memory.dmp

Filesize
3.3MB

Download
memory/4012-129-0x00007FF7E20A0000-0x00007FF7E23F1000-memory.dmp

Filesize
3.3MB

Download
memory/4012-252-0x00007FF7E20A0000-0x00007FF7E23F1000-memory.dmp

Filesize
3.3MB

Download
memory/4012-152-0x00007FF7E20A0000-0x00007FF7E23F1000-memory.dmp

Filesize
3.3MB

Download
memory/4048-124-0x00007FF6EB600000-0x00007FF6EB951000-memory.dmp

Filesize
3.3MB

Download
memory/4048-202-0x00007FF6EB600000-0x00007FF6EB951000-memory.dmp

Filesize
3.3MB

Download
memory/4048-8-0x00007FF6EB600000-0x00007FF6EB951000-memory.dmp

Filesize
3.3MB

Download
memory/4060-151-0x00007FF684530000-0x00007FF684881000-memory.dmp

Filesize
3.3MB

Download
memory/4060-109-0x00007FF684530000-0x00007FF684881000-memory.dmp

Filesize
3.3MB

Download
memory/4060-260-0x00007FF684530000-0x00007FF684881000-memory.dmp

Filesize
3.3MB

Download
memory/4344-122-0x00007FF7A4210000-0x00007FF7A4561000-memory.dmp

Filesize
3.3MB

Download
memory/4344-261-0x00007FF7A4210000-0x00007FF7A4561000-memory.dmp

Filesize
3.3MB

Download
memory/4348-219-0x00007FF710840000-0x00007FF710B91000-memory.dmp

Filesize
3.3MB

Download
memory/4348-35-0x00007FF710840000-0x00007FF710B91000-memory.dmp

Filesize
3.3MB

Download
memory/4448-154-0x00007FF75DC90000-0x00007FF75DFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4448-132-0x00007FF75DC90000-0x00007FF75DFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4448-1-0x0000018B21C40000-0x0000018B21C50000-memory.dmp

Filesize
64KB

Download
memory/4448-0-0x00007FF75DC90000-0x00007FF75DFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4448-110-0x00007FF75DC90000-0x00007FF75DFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-148-0x00007FF64F340000-0x00007FF64F691000-memory.dmp

Filesize
3.3MB

Download
memory/4476-101-0x00007FF64F340000-0x00007FF64F691000-memory.dmp

Filesize
3.3MB

Download
memory/4476-256-0x00007FF64F340000-0x00007FF64F691000-memory.dmp

Filesize
3.3MB

Download
memory/4488-131-0x00007FF6F7A60000-0x00007FF6F7DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4488-21-0x00007FF6F7A60000-0x00007FF6F7DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4488-222-0x00007FF6F7A60000-0x00007FF6F7DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4496-231-0x00007FF75BB70000-0x00007FF75BEC1000-memory.dmp

Filesize
3.3MB

Download
memory/4496-66-0x00007FF75BB70000-0x00007FF75BEC1000-memory.dmp

Filesize
3.3MB

Download
memory/4740-253-0x00007FF6B14D0000-0x00007FF6B1821000-memory.dmp

Filesize
3.3MB

Download
memory/4740-153-0x00007FF6B14D0000-0x00007FF6B1821000-memory.dmp

Filesize
3.3MB

Download
memory/4740-123-0x00007FF6B14D0000-0x00007FF6B1821000-memory.dmp

Filesize
3.3MB

Download
memory/4796-143-0x00007FF74FE30000-0x00007FF750181000-memory.dmp

Filesize
3.3MB

Download
memory/4796-70-0x00007FF74FE30000-0x00007FF750181000-memory.dmp

Filesize
3.3MB

Download
memory/4796-235-0x00007FF74FE30000-0x00007FF750181000-memory.dmp

Filesize
3.3MB

Download
memory/4848-87-0x00007FF669780000-0x00007FF669AD1000-memory.dmp

Filesize
3.3MB

Download
memory/4848-243-0x00007FF669780000-0x00007FF669AD1000-memory.dmp

Filesize
3.3MB

Download
memory/4848-145-0x00007FF669780000-0x00007FF669AD1000-memory.dmp

Filesize
3.3MB

Download