cobaltstrike | 9c9179cbd2f2b080b57648ab7e781da05cd0a406cb0d0ee19533d9ecfbef50a5

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 10:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

8571f6e2ce349ffdb2d78329e2f64773
SHA1

1862e8fd7709c4d851d520a671ffc86f272823e7
SHA256

9c9179cbd2f2b080b57648ab7e781da05cd0a406cb0d0ee19533d9ecfbef50a5
SHA512

5ac2fd60e763515bbb6b5516e43015c6994137ee97c083a7408528b6068e829eb8b1280e9c0b95a38b3b1a1335071f1000b71f1839271f0c4f9254271ddac3fe
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lU1:Q+u56utgpPF8u/71

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000900000002342e-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-18.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-32.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-42.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-65.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-79.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-61.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-58.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023438-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023443-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023444-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023445-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023448-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2664-0-0x00007FF6A7420000-0x00007FF6A7774000-memory.dmp	xmrig
behavioral2/files/0x000900000002342e-5.dat	xmrig
behavioral2/files/0x0007000000023435-12.dat	xmrig
behavioral2/files/0x0007000000023436-17.dat	xmrig
behavioral2/files/0x0007000000023437-18.dat	xmrig
behavioral2/files/0x0007000000023439-32.dat	xmrig
behavioral2/files/0x000700000002343b-42.dat	xmrig
behavioral2/memory/1436-52-0x00007FF72BBE0000-0x00007FF72BF34000-memory.dmp	xmrig
behavioral2/files/0x000700000002343e-65.dat	xmrig
behavioral2/files/0x000700000002343f-70.dat	xmrig
behavioral2/files/0x0007000000023440-79.dat	xmrig
behavioral2/memory/3648-76-0x00007FF6A4F10000-0x00007FF6A5264000-memory.dmp	xmrig
behavioral2/memory/2932-75-0x00007FF613810000-0x00007FF613B64000-memory.dmp	xmrig
behavioral2/memory/4980-74-0x00007FF66F5B0000-0x00007FF66F904000-memory.dmp	xmrig
behavioral2/files/0x000700000002343d-61.dat	xmrig
behavioral2/memory/3052-60-0x00007FF759A30000-0x00007FF759D84000-memory.dmp	xmrig
behavioral2/files/0x000700000002343c-58.dat	xmrig
behavioral2/memory/4072-57-0x00007FF739080000-0x00007FF7393D4000-memory.dmp	xmrig
behavioral2/memory/3764-53-0x00007FF6EA9F0000-0x00007FF6EAD44000-memory.dmp	xmrig
behavioral2/memory/2648-46-0x00007FF79B830000-0x00007FF79BB84000-memory.dmp	xmrig
behavioral2/memory/4800-39-0x00007FF708D80000-0x00007FF7090D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002343a-35.dat	xmrig
behavioral2/memory/1312-33-0x00007FF7DEF20000-0x00007FF7DF274000-memory.dmp	xmrig
behavioral2/files/0x0007000000023438-36.dat	xmrig
behavioral2/memory/2620-28-0x00007FF68C110000-0x00007FF68C464000-memory.dmp	xmrig
behavioral2/memory/872-22-0x00007FF7DDCC0000-0x00007FF7DE014000-memory.dmp	xmrig
behavioral2/memory/1520-8-0x00007FF7C22D0000-0x00007FF7C2624000-memory.dmp	xmrig
behavioral2/memory/872-94-0x00007FF7DDCC0000-0x00007FF7DE014000-memory.dmp	xmrig
behavioral2/memory/2756-103-0x00007FF624390000-0x00007FF6246E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023443-102.dat	xmrig
behavioral2/memory/2648-100-0x00007FF79B830000-0x00007FF79BB84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023444-107.dat	xmrig
behavioral2/memory/4272-108-0x00007FF6550E0000-0x00007FF655434000-memory.dmp	xmrig
behavioral2/memory/2620-99-0x00007FF68C110000-0x00007FF68C464000-memory.dmp	xmrig
behavioral2/memory/3520-97-0x00007FF661930000-0x00007FF661C84000-memory.dmp	xmrig
behavioral2/memory/1312-95-0x00007FF7DEF20000-0x00007FF7DF274000-memory.dmp	xmrig
behavioral2/memory/1520-93-0x00007FF7C22D0000-0x00007FF7C2624000-memory.dmp	xmrig
behavioral2/files/0x0007000000023442-91.dat	xmrig
behavioral2/memory/636-87-0x00007FF6A2080000-0x00007FF6A23D4000-memory.dmp	xmrig
behavioral2/memory/2664-86-0x00007FF6A7420000-0x00007FF6A7774000-memory.dmp	xmrig
behavioral2/files/0x0007000000023441-84.dat	xmrig
behavioral2/files/0x0007000000023445-113.dat	xmrig
behavioral2/files/0x0007000000023446-121.dat	xmrig
behavioral2/memory/4072-115-0x00007FF739080000-0x00007FF7393D4000-memory.dmp	xmrig
behavioral2/memory/3764-114-0x00007FF6EA9F0000-0x00007FF6EAD44000-memory.dmp	xmrig
behavioral2/memory/3708-123-0x00007FF61EB30000-0x00007FF61EE84000-memory.dmp	xmrig
behavioral2/memory/4928-130-0x00007FF6530A0000-0x00007FF6533F4000-memory.dmp	xmrig
behavioral2/memory/4980-129-0x00007FF66F5B0000-0x00007FF66F904000-memory.dmp	xmrig
behavioral2/memory/3052-128-0x00007FF759A30000-0x00007FF759D84000-memory.dmp	xmrig
behavioral2/memory/3232-127-0x00007FF6F43C0000-0x00007FF6F4714000-memory.dmp	xmrig
behavioral2/files/0x0007000000023447-126.dat	xmrig
behavioral2/files/0x0007000000023448-134.dat	xmrig
behavioral2/memory/1500-137-0x00007FF733160000-0x00007FF7334B4000-memory.dmp	xmrig
behavioral2/memory/2932-135-0x00007FF613810000-0x00007FF613B64000-memory.dmp	xmrig
behavioral2/memory/3648-139-0x00007FF6A4F10000-0x00007FF6A5264000-memory.dmp	xmrig
behavioral2/memory/2756-140-0x00007FF624390000-0x00007FF6246E4000-memory.dmp	xmrig
behavioral2/memory/3708-142-0x00007FF61EB30000-0x00007FF61EE84000-memory.dmp	xmrig
behavioral2/memory/4272-141-0x00007FF6550E0000-0x00007FF655434000-memory.dmp	xmrig
behavioral2/memory/4928-143-0x00007FF6530A0000-0x00007FF6533F4000-memory.dmp	xmrig
behavioral2/memory/1500-144-0x00007FF733160000-0x00007FF7334B4000-memory.dmp	xmrig
behavioral2/memory/1520-145-0x00007FF7C22D0000-0x00007FF7C2624000-memory.dmp	xmrig
behavioral2/memory/872-146-0x00007FF7DDCC0000-0x00007FF7DE014000-memory.dmp	xmrig
behavioral2/memory/4800-147-0x00007FF708D80000-0x00007FF7090D4000-memory.dmp	xmrig
behavioral2/memory/2620-148-0x00007FF68C110000-0x00007FF68C464000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1520	SHqTLHB.exe
872	veFvnaN.exe
4800	oNNDrtC.exe
2620	pHGcjXl.exe
1312	KUYhjlc.exe
2648	TXOpkus.exe
1436	UqpAVDh.exe
3764	ZIEFiik.exe
4072	dWswSnw.exe
3052	WAotdlC.exe
4980	RwWivmG.exe
3648	kJHCnFr.exe
2932	JerlBld.exe
636	wxbrMUG.exe
3520	OITbRXV.exe
2756	dfxWLCA.exe
4272	fNFmxCj.exe
3708	pmkOVyA.exe
3232	zVrHTYS.exe
4928	NIumdIs.exe
1500	nFsEHoS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2664-0-0x00007FF6A7420000-0x00007FF6A7774000-memory.dmp	upx
behavioral2/files/0x000900000002342e-5.dat	upx
behavioral2/files/0x0007000000023435-12.dat	upx
behavioral2/files/0x0007000000023436-17.dat	upx
behavioral2/files/0x0007000000023437-18.dat	upx
behavioral2/files/0x0007000000023439-32.dat	upx
behavioral2/files/0x000700000002343b-42.dat	upx
behavioral2/memory/1436-52-0x00007FF72BBE0000-0x00007FF72BF34000-memory.dmp	upx
behavioral2/files/0x000700000002343e-65.dat	upx
behavioral2/files/0x000700000002343f-70.dat	upx
behavioral2/files/0x0007000000023440-79.dat	upx
behavioral2/memory/3648-76-0x00007FF6A4F10000-0x00007FF6A5264000-memory.dmp	upx
behavioral2/memory/2932-75-0x00007FF613810000-0x00007FF613B64000-memory.dmp	upx
behavioral2/memory/4980-74-0x00007FF66F5B0000-0x00007FF66F904000-memory.dmp	upx
behavioral2/files/0x000700000002343d-61.dat	upx
behavioral2/memory/3052-60-0x00007FF759A30000-0x00007FF759D84000-memory.dmp	upx
behavioral2/files/0x000700000002343c-58.dat	upx
behavioral2/memory/4072-57-0x00007FF739080000-0x00007FF7393D4000-memory.dmp	upx
behavioral2/memory/3764-53-0x00007FF6EA9F0000-0x00007FF6EAD44000-memory.dmp	upx
behavioral2/memory/2648-46-0x00007FF79B830000-0x00007FF79BB84000-memory.dmp	upx
behavioral2/memory/4800-39-0x00007FF708D80000-0x00007FF7090D4000-memory.dmp	upx
behavioral2/files/0x000700000002343a-35.dat	upx
behavioral2/memory/1312-33-0x00007FF7DEF20000-0x00007FF7DF274000-memory.dmp	upx
behavioral2/files/0x0007000000023438-36.dat	upx
behavioral2/memory/2620-28-0x00007FF68C110000-0x00007FF68C464000-memory.dmp	upx
behavioral2/memory/872-22-0x00007FF7DDCC0000-0x00007FF7DE014000-memory.dmp	upx
behavioral2/memory/1520-8-0x00007FF7C22D0000-0x00007FF7C2624000-memory.dmp	upx
behavioral2/memory/872-94-0x00007FF7DDCC0000-0x00007FF7DE014000-memory.dmp	upx
behavioral2/memory/2756-103-0x00007FF624390000-0x00007FF6246E4000-memory.dmp	upx
behavioral2/files/0x0007000000023443-102.dat	upx
behavioral2/memory/2648-100-0x00007FF79B830000-0x00007FF79BB84000-memory.dmp	upx
behavioral2/files/0x0007000000023444-107.dat	upx
behavioral2/memory/4272-108-0x00007FF6550E0000-0x00007FF655434000-memory.dmp	upx
behavioral2/memory/2620-99-0x00007FF68C110000-0x00007FF68C464000-memory.dmp	upx
behavioral2/memory/3520-97-0x00007FF661930000-0x00007FF661C84000-memory.dmp	upx
behavioral2/memory/1312-95-0x00007FF7DEF20000-0x00007FF7DF274000-memory.dmp	upx
behavioral2/memory/1520-93-0x00007FF7C22D0000-0x00007FF7C2624000-memory.dmp	upx
behavioral2/files/0x0007000000023442-91.dat	upx
behavioral2/memory/636-87-0x00007FF6A2080000-0x00007FF6A23D4000-memory.dmp	upx
behavioral2/memory/2664-86-0x00007FF6A7420000-0x00007FF6A7774000-memory.dmp	upx
behavioral2/files/0x0007000000023441-84.dat	upx
behavioral2/files/0x0007000000023445-113.dat	upx
behavioral2/files/0x0007000000023446-121.dat	upx
behavioral2/memory/4072-115-0x00007FF739080000-0x00007FF7393D4000-memory.dmp	upx
behavioral2/memory/3764-114-0x00007FF6EA9F0000-0x00007FF6EAD44000-memory.dmp	upx
behavioral2/memory/3708-123-0x00007FF61EB30000-0x00007FF61EE84000-memory.dmp	upx
behavioral2/memory/4928-130-0x00007FF6530A0000-0x00007FF6533F4000-memory.dmp	upx
behavioral2/memory/4980-129-0x00007FF66F5B0000-0x00007FF66F904000-memory.dmp	upx
behavioral2/memory/3052-128-0x00007FF759A30000-0x00007FF759D84000-memory.dmp	upx
behavioral2/memory/3232-127-0x00007FF6F43C0000-0x00007FF6F4714000-memory.dmp	upx
behavioral2/files/0x0007000000023447-126.dat	upx
behavioral2/files/0x0007000000023448-134.dat	upx
behavioral2/memory/1500-137-0x00007FF733160000-0x00007FF7334B4000-memory.dmp	upx
behavioral2/memory/2932-135-0x00007FF613810000-0x00007FF613B64000-memory.dmp	upx
behavioral2/memory/3648-139-0x00007FF6A4F10000-0x00007FF6A5264000-memory.dmp	upx
behavioral2/memory/2756-140-0x00007FF624390000-0x00007FF6246E4000-memory.dmp	upx
behavioral2/memory/3708-142-0x00007FF61EB30000-0x00007FF61EE84000-memory.dmp	upx
behavioral2/memory/4272-141-0x00007FF6550E0000-0x00007FF655434000-memory.dmp	upx
behavioral2/memory/4928-143-0x00007FF6530A0000-0x00007FF6533F4000-memory.dmp	upx
behavioral2/memory/1500-144-0x00007FF733160000-0x00007FF7334B4000-memory.dmp	upx
behavioral2/memory/1520-145-0x00007FF7C22D0000-0x00007FF7C2624000-memory.dmp	upx
behavioral2/memory/872-146-0x00007FF7DDCC0000-0x00007FF7DE014000-memory.dmp	upx
behavioral2/memory/4800-147-0x00007FF708D80000-0x00007FF7090D4000-memory.dmp	upx
behavioral2/memory/2620-148-0x00007FF68C110000-0x00007FF68C464000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\oNNDrtC.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KUYhjlc.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZIEFiik.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NIumdIs.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OITbRXV.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\veFvnaN.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TXOpkus.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UqpAVDh.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WAotdlC.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RwWivmG.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kJHCnFr.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JerlBld.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pmkOVyA.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SHqTLHB.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dWswSnw.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wxbrMUG.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dfxWLCA.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fNFmxCj.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zVrHTYS.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pHGcjXl.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nFsEHoS.exe	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 1520	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2664 wrote to memory of 1520	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2664 wrote to memory of 872	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2664 wrote to memory of 872	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2664 wrote to memory of 4800	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2664 wrote to memory of 4800	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2664 wrote to memory of 2620	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2664 wrote to memory of 2620	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2664 wrote to memory of 1312	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2664 wrote to memory of 1312	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2664 wrote to memory of 2648	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2664 wrote to memory of 2648	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2664 wrote to memory of 1436	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2664 wrote to memory of 1436	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2664 wrote to memory of 3764	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2664 wrote to memory of 3764	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2664 wrote to memory of 4072	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2664 wrote to memory of 4072	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2664 wrote to memory of 3052	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2664 wrote to memory of 3052	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2664 wrote to memory of 4980	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2664 wrote to memory of 4980	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2664 wrote to memory of 3648	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2664 wrote to memory of 3648	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2664 wrote to memory of 2932	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2664 wrote to memory of 2932	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2664 wrote to memory of 636	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2664 wrote to memory of 636	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2664 wrote to memory of 3520	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2664 wrote to memory of 3520	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2664 wrote to memory of 2756	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2664 wrote to memory of 2756	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2664 wrote to memory of 4272	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2664 wrote to memory of 4272	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2664 wrote to memory of 3708	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2664 wrote to memory of 3708	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2664 wrote to memory of 3232	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2664 wrote to memory of 3232	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2664 wrote to memory of 4928	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2664 wrote to memory of 4928	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2664 wrote to memory of 1500	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2664 wrote to memory of 1500	2664	2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-29_8571f6e2ce349ffdb2d78329e2f64773_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\System\SHqTLHB.exe
  C:\Windows\System\SHqTLHB.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\veFvnaN.exe
  C:\Windows\System\veFvnaN.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\oNNDrtC.exe
  C:\Windows\System\oNNDrtC.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System\pHGcjXl.exe
  C:\Windows\System\pHGcjXl.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\KUYhjlc.exe
  C:\Windows\System\KUYhjlc.exe
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\System\TXOpkus.exe
  C:\Windows\System\TXOpkus.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\UqpAVDh.exe
  C:\Windows\System\UqpAVDh.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\ZIEFiik.exe
  C:\Windows\System\ZIEFiik.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System\dWswSnw.exe
  C:\Windows\System\dWswSnw.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System\WAotdlC.exe
  C:\Windows\System\WAotdlC.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\RwWivmG.exe
  C:\Windows\System\RwWivmG.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\kJHCnFr.exe
  C:\Windows\System\kJHCnFr.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\JerlBld.exe
  C:\Windows\System\JerlBld.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\wxbrMUG.exe
  C:\Windows\System\wxbrMUG.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System\OITbRXV.exe
  C:\Windows\System\OITbRXV.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System\dfxWLCA.exe
  C:\Windows\System\dfxWLCA.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\fNFmxCj.exe
  C:\Windows\System\fNFmxCj.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System\pmkOVyA.exe
  C:\Windows\System\pmkOVyA.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\zVrHTYS.exe
  C:\Windows\System\zVrHTYS.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\NIumdIs.exe
  C:\Windows\System\NIumdIs.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\nFsEHoS.exe
  C:\Windows\System\nFsEHoS.exe
  2⤵
  - Executes dropped EXE
  PID:1500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\JerlBld.exe

Filesize
5.9MB

MD5
6a1eab38ba152f9d5fd1c8cc85150225

SHA1
3aa3cc00e46433a8ce4399dfc5fa90f8368d421e

SHA256
5a4c5b416f788d01625b723e7874223a0bbad674c3a6131cc53c000b5558ac7d

SHA512
989b601e2d2212e0d1dc4d1bf35144f05711be895851c5281a3f671414c424b2765ebc47a758211bbc0f85eacc5647f6602a4adfbe65acea2cb7c46c402e24e1

Download Submit
C:\Windows\System\KUYhjlc.exe

Filesize
5.9MB

MD5
fb3ea331f785035b86149a6968ac24dc

SHA1
60060a584540d5fa55ee6851d137d945d357c6f3

SHA256
f71455ee827c66d72de42f6d510542c5ae686e00afe057f9b6bc140a7d88c8e6

SHA512
8c4e0031f3860d24a49b9447ba923d2e30af1dd4c3501f98a8394bab6bbb234e49c58f2ef4a4e6f18a9aba1333da596c3f1ecaa108e2e69bf68f6629a47be366

Download Submit
C:\Windows\System\NIumdIs.exe

Filesize
5.9MB

MD5
d971eda3f29682920bef9d619dd3e8a0

SHA1
225b54ed971d3803edadbdce8636b724cb75083a

SHA256
286666134bea0d7498f3338aa44ee4259b31cf0c69004f060c21dfd43becd9ac

SHA512
b8df2864657e8608b89a1e27bafc4d563d5e1c74b0629cf5f57b28162246c3f1884f86492af9e62dcb5a4c26ffe8c44aef0dd8d95a338c766886640072e3299c

Download Submit
C:\Windows\System\OITbRXV.exe

Filesize
5.9MB

MD5
72251f4d43d83505ccb639fade7c50ee

SHA1
5b034a8a7e5c6901c31aaaed6e41ee79ab859f48

SHA256
1042086b2b5903aa1440579253e4e8c4c03cbb345fd729a53dc3c594e6625768

SHA512
4d36459b1db5695fcf7bf4ca17652ad52d11b503028091b64527da5366412a966c6df0f11b3963fbfea037766b23fe7fc22bc7606f47d5f5992590aaf7deb3d0

Download Submit
C:\Windows\System\RwWivmG.exe

Filesize
5.9MB

MD5
7ac371150586fe969a2d27273a627c80

SHA1
3e0a48d44cd734623424a45451c088bdad4695b5

SHA256
27778fac6aef109375cae70aeb2ec33a518d5404fd42a8b78fbf21194a6262f3

SHA512
e2f0b62b759888dea2add400020bf592281a1e51a37190ca766d4e295c22cbef20643d73bc68166dab93907c263cfc2ac74cfa7ac9796b836bcfed2b5f1b1ce0

Download Submit
C:\Windows\System\SHqTLHB.exe

Filesize
5.9MB

MD5
6cb3d094d1d7feb3290b062e96efb14b

SHA1
e3ed525c840af85c1c21c72dd8f61d811b529542

SHA256
a34bde4b9a6e8450cbedc3a2b6bc2487102080e4d1ffea77af1e56434be365ff

SHA512
74adc259b00d1a85b59eb587359bd9e44ba5ea17b6d576eeba08dcb4837705ce94ceac165d3d28c31e1d79fca4d63ee73f675dfa2fcf0de20c0c2aa88d7e044e

Download Submit
C:\Windows\System\TXOpkus.exe

Filesize
5.9MB

MD5
bbc998a53d5e1e6c01a715e541d99253

SHA1
38e69f699678f4312cdcd562ea05a94fd422aaba

SHA256
4bf76f33f1717a7cf76ca7eb6b57d91cebc85a3387f96561ad0882dcd7d5a95c

SHA512
55b828ffa04ee3348b12d225ebee3abddc2b298faca0f8d14f450170da6f950db96d01af9d7e7c55d465f3539af6e8aad21bf37ee793f0371084ba1251c21429

Download Submit
C:\Windows\System\UqpAVDh.exe

Filesize
5.9MB

MD5
a6b80ce2c0dcd0216673953c6999e4d5

SHA1
4c63c404f68615c936c1396ed358ec44d63dad70

SHA256
6cfa7c161964db7d4cb5c5c62f0e478146ca6b9cadd0379c517a3da00620984e

SHA512
516deaa18beec95aa21d2b991924ae62cb9e3f474edb8b0524cca674b6e469ef02222b4fa66037a41a95aaeea867b80f49d80181476de39fcd8c03357cc87828

Download Submit
C:\Windows\System\WAotdlC.exe

Filesize
5.9MB

MD5
f538dc474e91076e034e84bd4d5c5294

SHA1
b15bed40dc6002ad8ca6e4350445254900a850c1

SHA256
b9ab3c5f197da6a7a75972546b700b3d8e33425a784c40a64a659906a30955be

SHA512
9dd6121df5a688115e471ee78c0164888cb623aa4731f888e8516cbc7828c8f737aa96f7d9638a2a66f8452bfb2b83f01bbce932a80496173d4d79171116071f

Download Submit
C:\Windows\System\ZIEFiik.exe

Filesize
5.9MB

MD5
503aa7043eff31c05b33b9158455a1a9

SHA1
3631c55e39bde2f1a4be33dafdeafb781b1e05bb

SHA256
81f5c312796d21cd827ea5fc236a861768d47d29b73d216d5bccd03aea817b87

SHA512
15b8fa8daf324ebee5e8e1ad9fa98b05395c05ffbc31e2aa27ac0c5fc37772070d3b526ff10cd8fbed3eaa31ea3765ead75e1be6374499cb81426cb1d349ddc9

Download Submit
C:\Windows\System\dWswSnw.exe

Filesize
5.9MB

MD5
23530e68693fc77820b6b1051489246f

SHA1
1ab0d7af643f481ce8cf9d347b02689ddd649608

SHA256
bf1f44a08702ea56fc1eaa5af19fd81ef48fb0d4ebf4a18250ea5d43dc280b51

SHA512
3dd5f176ec0c145a3dc696636c6f352c91a152cf843f7e1125ecdc4203630e1ac4c9b362757ab2831c095c7ecaed6a5959385d7eb4f67079ecb468dc12890c61

Download Submit
C:\Windows\System\dfxWLCA.exe

Filesize
5.9MB

MD5
d17f965fe2f88264c1cd07f49c22aaf1

SHA1
35f27fa537b518b53d92b8e5fb3dcfa4a580ac34

SHA256
6719bd0fc4222f328898ce71d55cbb46c8586d288124cc2561d9af88b1b8f1ed

SHA512
b2fcf173c295ba48f7b64b45da2df8fc481250eb43338b619e2bd2c5850460456fa762c7b049155c2fac116807d020f7682aa3a65c298129e2c382771cec61fa

Download Submit
C:\Windows\System\fNFmxCj.exe

Filesize
5.9MB

MD5
8a91140d488a92d5145211b99262a913

SHA1
653273ef91240e1cdba32ea2ba685e60fc13ede2

SHA256
3e3c4d88c36b6a4b7206faa7fdb93f7d6f7954e6ca2b9bf984a34c512cdbe685

SHA512
4395cad2b9e0b40d9055e07337a9a55c0e3ca24c06a6a0afa13e2343229aa90e901997a329dd200d485affeb6839884c2ae2fa25a3b604e77cb2d7b6f372e5f3

Download Submit
C:\Windows\System\kJHCnFr.exe

Filesize
5.9MB

MD5
5738822aa4ed3af14cbd426acf8ccac5

SHA1
75a008c8e94c36c27b97ce2154daf1582e20da8c

SHA256
401e61f10a45e585dc0e34fb739c3051b8ca81de67634e7977d5ad74f07db4c8

SHA512
19d34f504dc9bd7d664f69809f7ddbb3e229e4d801a4359eabb6a54e8707df6792c5f9e28f220f78d43db779b24dc5d731ba939f48a9e39f2bfe876527544ac4

Download Submit
C:\Windows\System\nFsEHoS.exe

Filesize
5.9MB

MD5
d98dc6e2dd717889e9da78948091ed7b

SHA1
0259f6b590c77e2439924636144efb624b3c0999

SHA256
f7a3ee05e2b554410ad3f87a207f56efee16324ceab1bc1acfadaf5c503f8e3a

SHA512
1e8f421b620bab827c73836bbe47049d01a75b933463c22d33d0d8a95f678d36fe2a7b186a1a56d1395565fe531f8dfc92b5a6e9011b74ed09e26dde3de95452

Download Submit
C:\Windows\System\oNNDrtC.exe

Filesize
5.9MB

MD5
f3babfcd4fc2812bc8f2c6eec1a02cdb

SHA1
fceb04284f668d656c70635562665e868039460b

SHA256
0f7acdc79d166d2988bfcdcab194fc3900189a18d4d46fc2f2cc6107745ed7c4

SHA512
c369b1079f900b3374192012ec90804e0b0046d158c2c9c09902c85605ee6b827281fd5a12b7182c8e97b60ba56873300860c3c4b6b9f3359a6c11755345d1fc

Download Submit
C:\Windows\System\pHGcjXl.exe

Filesize
5.9MB

MD5
c7c40a65335379d5eba57cef70e05f26

SHA1
4d2b155cb3d3ac53c267d2e4d7272db81b65c058

SHA256
05221c9953b3c783f1caaa72a20d47db260ad15ad2b166ed3b93478b14107f28

SHA512
43401e102b70ee40b1cfe39c51cdb2b57369e3598057cbaf98349ef532a334b1bcd5e69505eaf267931fa3c5fdd84118289df22850f2d5aecf6150398ab734e9

Download Submit
C:\Windows\System\pmkOVyA.exe

Filesize
5.9MB

MD5
38cfc9bda475f2baa9255734895dced7

SHA1
8d32fd7dafe39765655a4621f075f5d77543a706

SHA256
d9b98aa7804f878d713f631f0be6514173095d43c12cdaa0923320191aa7c717

SHA512
f06cf7dea578155764ed8cfa9f35fdca84d6c6c0d5e3b73ecd3ef2d03618ab655e79482226a68d6e1871c37c568c36ea867029070d792abcfd48cd4e57b06f3a

Download Submit
C:\Windows\System\veFvnaN.exe

Filesize
5.9MB

MD5
f0cfa3fc9d4db16e8d93180b244fa5bd

SHA1
1472d797d3134ee572d4ecb035f7051c16c284aa

SHA256
b2c13c93ea5005131f065c73d5df98f295ced453b3182240291daa8024be34de

SHA512
dd1c164b19fa033c58c1dac689f532777321757a1d6a43ac730d611a913c11cf8efe941fd38f8af8ad6c3799c95a6212a96c5b10e90e84e286c6e85f8810755d

Download Submit
C:\Windows\System\wxbrMUG.exe

Filesize
5.9MB

MD5
885d2375e84936a7304d7899d0dfa341

SHA1
001c050fef3d06f2151ff06b6d097df96454c97e

SHA256
67883e7215d16042ea5d3bb5261081c4d6f94a14021822d92ca73d0cd5cb833d

SHA512
6904a38a2de62a7057f91b03482ef748d1d6d1b994887dfdb7a2b9d5241d716fd82d92d5dfb9cb3fcca772b09ad7500ff9f7d15515158bdc9d9bf863246f78f2

Download Submit
C:\Windows\System\zVrHTYS.exe

Filesize
5.9MB

MD5
3016685543cfc3fa2b0faf1e06b2fcd9

SHA1
b663eddae40d8a344b967a91d20e74b2930f55be

SHA256
cca8990014f0249c73c27cbcdafdf95de2b15a4823565b72ae60ef201863185b

SHA512
8a7588eb6566aad05c0d5955d21b8a4cc4e029edabe1a8f673c8f0d3212d09f5ec2cb3297cf3bbc517d3a8c71e58511fefb684e152347cbc0d6095f2caca353a

Download Submit
memory/636-87-0x00007FF6A2080000-0x00007FF6A23D4000-memory.dmp

Filesize
3.3MB

Download
memory/636-158-0x00007FF6A2080000-0x00007FF6A23D4000-memory.dmp

Filesize
3.3MB

Download
memory/872-146-0x00007FF7DDCC0000-0x00007FF7DE014000-memory.dmp

Filesize
3.3MB

Download
memory/872-22-0x00007FF7DDCC0000-0x00007FF7DE014000-memory.dmp

Filesize
3.3MB

Download
memory/872-94-0x00007FF7DDCC0000-0x00007FF7DE014000-memory.dmp

Filesize
3.3MB

Download
memory/1312-33-0x00007FF7DEF20000-0x00007FF7DF274000-memory.dmp

Filesize
3.3MB

Download
memory/1312-95-0x00007FF7DEF20000-0x00007FF7DF274000-memory.dmp

Filesize
3.3MB

Download
memory/1312-149-0x00007FF7DEF20000-0x00007FF7DF274000-memory.dmp

Filesize
3.3MB

Download
memory/1436-150-0x00007FF72BBE0000-0x00007FF72BF34000-memory.dmp

Filesize
3.3MB

Download
memory/1436-52-0x00007FF72BBE0000-0x00007FF72BF34000-memory.dmp

Filesize
3.3MB

Download
memory/1500-137-0x00007FF733160000-0x00007FF7334B4000-memory.dmp

Filesize
3.3MB

Download
memory/1500-144-0x00007FF733160000-0x00007FF7334B4000-memory.dmp

Filesize
3.3MB

Download
memory/1500-165-0x00007FF733160000-0x00007FF7334B4000-memory.dmp

Filesize
3.3MB

Download
memory/1520-145-0x00007FF7C22D0000-0x00007FF7C2624000-memory.dmp

Filesize
3.3MB

Download
memory/1520-93-0x00007FF7C22D0000-0x00007FF7C2624000-memory.dmp

Filesize
3.3MB

Download
memory/1520-8-0x00007FF7C22D0000-0x00007FF7C2624000-memory.dmp

Filesize
3.3MB

Download
memory/2620-28-0x00007FF68C110000-0x00007FF68C464000-memory.dmp

Filesize
3.3MB

Download
memory/2620-99-0x00007FF68C110000-0x00007FF68C464000-memory.dmp

Filesize
3.3MB

Download
memory/2620-148-0x00007FF68C110000-0x00007FF68C464000-memory.dmp

Filesize
3.3MB

Download
memory/2648-46-0x00007FF79B830000-0x00007FF79BB84000-memory.dmp

Filesize
3.3MB

Download
memory/2648-100-0x00007FF79B830000-0x00007FF79BB84000-memory.dmp

Filesize
3.3MB

Download
memory/2648-154-0x00007FF79B830000-0x00007FF79BB84000-memory.dmp

Filesize
3.3MB

Download
memory/2664-0-0x00007FF6A7420000-0x00007FF6A7774000-memory.dmp

Filesize
3.3MB

Download
memory/2664-86-0x00007FF6A7420000-0x00007FF6A7774000-memory.dmp

Filesize
3.3MB

Download
memory/2664-1-0x000002106D8C0000-0x000002106D8D0000-memory.dmp

Filesize
64KB

Download
memory/2756-103-0x00007FF624390000-0x00007FF6246E4000-memory.dmp

Filesize
3.3MB

Download
memory/2756-160-0x00007FF624390000-0x00007FF6246E4000-memory.dmp

Filesize
3.3MB

Download
memory/2756-140-0x00007FF624390000-0x00007FF6246E4000-memory.dmp

Filesize
3.3MB

Download
memory/2932-156-0x00007FF613810000-0x00007FF613B64000-memory.dmp

Filesize
3.3MB

Download
memory/2932-135-0x00007FF613810000-0x00007FF613B64000-memory.dmp

Filesize
3.3MB

Download
memory/2932-75-0x00007FF613810000-0x00007FF613B64000-memory.dmp

Filesize
3.3MB

Download
memory/3052-128-0x00007FF759A30000-0x00007FF759D84000-memory.dmp

Filesize
3.3MB

Download
memory/3052-60-0x00007FF759A30000-0x00007FF759D84000-memory.dmp

Filesize
3.3MB

Download
memory/3052-152-0x00007FF759A30000-0x00007FF759D84000-memory.dmp

Filesize
3.3MB

Download
memory/3232-127-0x00007FF6F43C0000-0x00007FF6F4714000-memory.dmp

Filesize
3.3MB

Download
memory/3232-163-0x00007FF6F43C0000-0x00007FF6F4714000-memory.dmp

Filesize
3.3MB

Download
memory/3520-159-0x00007FF661930000-0x00007FF661C84000-memory.dmp

Filesize
3.3MB

Download
memory/3520-97-0x00007FF661930000-0x00007FF661C84000-memory.dmp

Filesize
3.3MB

Download
memory/3648-76-0x00007FF6A4F10000-0x00007FF6A5264000-memory.dmp

Filesize
3.3MB

Download
memory/3648-139-0x00007FF6A4F10000-0x00007FF6A5264000-memory.dmp

Filesize
3.3MB

Download
memory/3648-157-0x00007FF6A4F10000-0x00007FF6A5264000-memory.dmp

Filesize
3.3MB

Download
memory/3708-123-0x00007FF61EB30000-0x00007FF61EE84000-memory.dmp

Filesize
3.3MB

Download
memory/3708-142-0x00007FF61EB30000-0x00007FF61EE84000-memory.dmp

Filesize
3.3MB

Download
memory/3708-162-0x00007FF61EB30000-0x00007FF61EE84000-memory.dmp

Filesize
3.3MB

Download
memory/3764-153-0x00007FF6EA9F0000-0x00007FF6EAD44000-memory.dmp

Filesize
3.3MB

Download
memory/3764-53-0x00007FF6EA9F0000-0x00007FF6EAD44000-memory.dmp

Filesize
3.3MB

Download
memory/3764-114-0x00007FF6EA9F0000-0x00007FF6EAD44000-memory.dmp

Filesize
3.3MB

Download
memory/4072-151-0x00007FF739080000-0x00007FF7393D4000-memory.dmp

Filesize
3.3MB

Download
memory/4072-115-0x00007FF739080000-0x00007FF7393D4000-memory.dmp

Filesize
3.3MB

Download
memory/4072-57-0x00007FF739080000-0x00007FF7393D4000-memory.dmp

Filesize
3.3MB

Download
memory/4272-108-0x00007FF6550E0000-0x00007FF655434000-memory.dmp

Filesize
3.3MB

Download
memory/4272-141-0x00007FF6550E0000-0x00007FF655434000-memory.dmp

Filesize
3.3MB

Download
memory/4272-161-0x00007FF6550E0000-0x00007FF655434000-memory.dmp

Filesize
3.3MB

Download
memory/4800-39-0x00007FF708D80000-0x00007FF7090D4000-memory.dmp

Filesize
3.3MB

Download
memory/4800-147-0x00007FF708D80000-0x00007FF7090D4000-memory.dmp

Filesize
3.3MB

Download
memory/4928-143-0x00007FF6530A0000-0x00007FF6533F4000-memory.dmp

Filesize
3.3MB

Download
memory/4928-164-0x00007FF6530A0000-0x00007FF6533F4000-memory.dmp

Filesize
3.3MB

Download
memory/4928-130-0x00007FF6530A0000-0x00007FF6533F4000-memory.dmp

Filesize
3.3MB

Download
memory/4980-155-0x00007FF66F5B0000-0x00007FF66F904000-memory.dmp

Filesize
3.3MB

Download
memory/4980-129-0x00007FF66F5B0000-0x00007FF66F904000-memory.dmp

Filesize
3.3MB

Download
memory/4980-74-0x00007FF66F5B0000-0x00007FF66F904000-memory.dmp

Filesize
3.3MB

Download