cobaltstrike | 8c4f5acf8ca15b6737531b6571db71e5780dbc4593cf884228cfc285094baaaf

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

873565007998c3a95a3e12bbca689002
SHA1

d05af4adbe1c1b9b962509a77c3b8d9180cf323b
SHA256

8c4f5acf8ca15b6737531b6571db71e5780dbc4593cf884228cfc285094baaaf
SHA512

e27caa83fc106b2c5c724083c0e9e72007df25bb0446e73edfdd4e1a1971087a03707bf7ca39e8fd558957ee75c0587a58031293aaa4a11e297d2aebe169d6c4
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUL:T+q56utgpPF8u/7L

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\QuiGmQn.exe	cobalt_reflective_dll
C:\Windows\System\ijOOXoR.exe	cobalt_reflective_dll
C:\Windows\System\KFJtKPg.exe	cobalt_reflective_dll
C:\Windows\System\HzfJDhL.exe	cobalt_reflective_dll
C:\Windows\System\YzQvmYk.exe	cobalt_reflective_dll
C:\Windows\System\BScmbfO.exe	cobalt_reflective_dll
C:\Windows\System\XGrOoYs.exe	cobalt_reflective_dll
C:\Windows\System\xlHHifR.exe	cobalt_reflective_dll
C:\Windows\System\NMyHEqC.exe	cobalt_reflective_dll
C:\Windows\System\awlfxPJ.exe	cobalt_reflective_dll
C:\Windows\System\zDzhAQQ.exe	cobalt_reflective_dll
C:\Windows\System\ZVidqhy.exe	cobalt_reflective_dll
C:\Windows\System\gqXdrcI.exe	cobalt_reflective_dll
C:\Windows\System\zgpNNhq.exe	cobalt_reflective_dll
C:\Windows\System\HlztEBn.exe	cobalt_reflective_dll
C:\Windows\System\SBFBFdv.exe	cobalt_reflective_dll
C:\Windows\System\FJVXFkU.exe	cobalt_reflective_dll
C:\Windows\System\PYfiXcD.exe	cobalt_reflective_dll
C:\Windows\System\LFUbsRG.exe	cobalt_reflective_dll
C:\Windows\System\xyRpAkA.exe	cobalt_reflective_dll
C:\Windows\System\RgGYMNW.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/448-0-0x00007FF7A74B0000-0x00007FF7A7804000-memory.dmp	xmrig
C:\Windows\System\QuiGmQn.exe	xmrig
behavioral2/memory/1660-7-0x00007FF755340000-0x00007FF755694000-memory.dmp	xmrig
C:\Windows\System\ijOOXoR.exe	xmrig
C:\Windows\System\KFJtKPg.exe	xmrig
C:\Windows\System\HzfJDhL.exe	xmrig
C:\Windows\System\YzQvmYk.exe	xmrig
C:\Windows\System\BScmbfO.exe	xmrig
C:\Windows\System\XGrOoYs.exe	xmrig
behavioral2/memory/3700-46-0x00007FF6818F0000-0x00007FF681C44000-memory.dmp	xmrig
C:\Windows\System\xlHHifR.exe	xmrig
C:\Windows\System\NMyHEqC.exe	xmrig
C:\Windows\System\awlfxPJ.exe	xmrig
C:\Windows\System\zDzhAQQ.exe	xmrig
C:\Windows\System\ZVidqhy.exe	xmrig
C:\Windows\System\gqXdrcI.exe	xmrig
C:\Windows\System\zgpNNhq.exe	xmrig
C:\Windows\System\HlztEBn.exe	xmrig
C:\Windows\System\SBFBFdv.exe	xmrig
C:\Windows\System\FJVXFkU.exe	xmrig
C:\Windows\System\PYfiXcD.exe	xmrig
C:\Windows\System\LFUbsRG.exe	xmrig
C:\Windows\System\xyRpAkA.exe	xmrig
behavioral2/memory/4152-57-0x00007FF79D110000-0x00007FF79D464000-memory.dmp	xmrig
behavioral2/memory/1440-54-0x00007FF74F740000-0x00007FF74FA94000-memory.dmp	xmrig
C:\Windows\System\RgGYMNW.exe	xmrig
behavioral2/memory/4976-42-0x00007FF766200000-0x00007FF766554000-memory.dmp	xmrig
behavioral2/memory/1376-34-0x00007FF716D70000-0x00007FF7170C4000-memory.dmp	xmrig
behavioral2/memory/3340-29-0x00007FF762A20000-0x00007FF762D74000-memory.dmp	xmrig
behavioral2/memory/3612-24-0x00007FF7F3AC0000-0x00007FF7F3E14000-memory.dmp	xmrig
behavioral2/memory/964-19-0x00007FF676130000-0x00007FF676484000-memory.dmp	xmrig
behavioral2/memory/5084-116-0x00007FF7DA470000-0x00007FF7DA7C4000-memory.dmp	xmrig
behavioral2/memory/2540-117-0x00007FF629550000-0x00007FF6298A4000-memory.dmp	xmrig
behavioral2/memory/4692-118-0x00007FF7E5890000-0x00007FF7E5BE4000-memory.dmp	xmrig
behavioral2/memory/2484-120-0x00007FF7670B0000-0x00007FF767404000-memory.dmp	xmrig
behavioral2/memory/2880-121-0x00007FF7C16F0000-0x00007FF7C1A44000-memory.dmp	xmrig
behavioral2/memory/216-119-0x00007FF7AFB00000-0x00007FF7AFE54000-memory.dmp	xmrig
behavioral2/memory/3048-123-0x00007FF6C67A0000-0x00007FF6C6AF4000-memory.dmp	xmrig
behavioral2/memory/3572-124-0x00007FF658930000-0x00007FF658C84000-memory.dmp	xmrig
behavioral2/memory/3868-122-0x00007FF761990000-0x00007FF761CE4000-memory.dmp	xmrig
behavioral2/memory/652-125-0x00007FF7D0460000-0x00007FF7D07B4000-memory.dmp	xmrig
behavioral2/memory/1796-126-0x00007FF737400000-0x00007FF737754000-memory.dmp	xmrig
behavioral2/memory/3144-128-0x00007FF6F15B0000-0x00007FF6F1904000-memory.dmp	xmrig
behavioral2/memory/448-127-0x00007FF7A74B0000-0x00007FF7A7804000-memory.dmp	xmrig
behavioral2/memory/3612-131-0x00007FF7F3AC0000-0x00007FF7F3E14000-memory.dmp	xmrig
behavioral2/memory/964-130-0x00007FF676130000-0x00007FF676484000-memory.dmp	xmrig
behavioral2/memory/1660-129-0x00007FF755340000-0x00007FF755694000-memory.dmp	xmrig
behavioral2/memory/1376-132-0x00007FF716D70000-0x00007FF7170C4000-memory.dmp	xmrig
behavioral2/memory/3700-133-0x00007FF6818F0000-0x00007FF681C44000-memory.dmp	xmrig
behavioral2/memory/1440-134-0x00007FF74F740000-0x00007FF74FA94000-memory.dmp	xmrig
behavioral2/memory/4152-135-0x00007FF79D110000-0x00007FF79D464000-memory.dmp	xmrig
behavioral2/memory/5084-136-0x00007FF7DA470000-0x00007FF7DA7C4000-memory.dmp	xmrig
behavioral2/memory/1660-137-0x00007FF755340000-0x00007FF755694000-memory.dmp	xmrig
behavioral2/memory/964-138-0x00007FF676130000-0x00007FF676484000-memory.dmp	xmrig
behavioral2/memory/3612-139-0x00007FF7F3AC0000-0x00007FF7F3E14000-memory.dmp	xmrig
behavioral2/memory/3340-140-0x00007FF762A20000-0x00007FF762D74000-memory.dmp	xmrig
behavioral2/memory/1376-141-0x00007FF716D70000-0x00007FF7170C4000-memory.dmp	xmrig
behavioral2/memory/4976-142-0x00007FF766200000-0x00007FF766554000-memory.dmp	xmrig
behavioral2/memory/3700-143-0x00007FF6818F0000-0x00007FF681C44000-memory.dmp	xmrig
behavioral2/memory/1440-144-0x00007FF74F740000-0x00007FF74FA94000-memory.dmp	xmrig
behavioral2/memory/4152-145-0x00007FF79D110000-0x00007FF79D464000-memory.dmp	xmrig
behavioral2/memory/2540-146-0x00007FF629550000-0x00007FF6298A4000-memory.dmp	xmrig
behavioral2/memory/3144-147-0x00007FF6F15B0000-0x00007FF6F1904000-memory.dmp	xmrig
behavioral2/memory/5084-148-0x00007FF7DA470000-0x00007FF7DA7C4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

QuiGmQn.exeijOOXoR.exeKFJtKPg.exeHzfJDhL.exeYzQvmYk.exeBScmbfO.exeXGrOoYs.exeRgGYMNW.exexlHHifR.exeNMyHEqC.exexyRpAkA.exeawlfxPJ.exezDzhAQQ.exeLFUbsRG.exeZVidqhy.exegqXdrcI.exePYfiXcD.exeFJVXFkU.exeSBFBFdv.exezgpNNhq.exeHlztEBn.exe

pid	process
1660	QuiGmQn.exe
964	ijOOXoR.exe
3612	KFJtKPg.exe
3340	HzfJDhL.exe
1376	YzQvmYk.exe
4976	BScmbfO.exe
3700	XGrOoYs.exe
1440	RgGYMNW.exe
4152	xlHHifR.exe
5084	NMyHEqC.exe
3144	xyRpAkA.exe
2540	awlfxPJ.exe
4692	zDzhAQQ.exe
216	LFUbsRG.exe
2484	ZVidqhy.exe
2880	gqXdrcI.exe
3868	PYfiXcD.exe
3048	FJVXFkU.exe
3572	SBFBFdv.exe
652	zgpNNhq.exe
1796	HlztEBn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/448-0-0x00007FF7A74B0000-0x00007FF7A7804000-memory.dmp	upx
C:\Windows\System\QuiGmQn.exe	upx
behavioral2/memory/1660-7-0x00007FF755340000-0x00007FF755694000-memory.dmp	upx
C:\Windows\System\ijOOXoR.exe	upx
C:\Windows\System\KFJtKPg.exe	upx
C:\Windows\System\HzfJDhL.exe	upx
C:\Windows\System\YzQvmYk.exe	upx
C:\Windows\System\BScmbfO.exe	upx
C:\Windows\System\XGrOoYs.exe	upx
behavioral2/memory/3700-46-0x00007FF6818F0000-0x00007FF681C44000-memory.dmp	upx
C:\Windows\System\xlHHifR.exe	upx
C:\Windows\System\NMyHEqC.exe	upx
C:\Windows\System\awlfxPJ.exe	upx
C:\Windows\System\zDzhAQQ.exe	upx
C:\Windows\System\ZVidqhy.exe	upx
C:\Windows\System\gqXdrcI.exe	upx
C:\Windows\System\zgpNNhq.exe	upx
C:\Windows\System\HlztEBn.exe	upx
C:\Windows\System\SBFBFdv.exe	upx
C:\Windows\System\FJVXFkU.exe	upx
C:\Windows\System\PYfiXcD.exe	upx
C:\Windows\System\LFUbsRG.exe	upx
C:\Windows\System\xyRpAkA.exe	upx
behavioral2/memory/4152-57-0x00007FF79D110000-0x00007FF79D464000-memory.dmp	upx
behavioral2/memory/1440-54-0x00007FF74F740000-0x00007FF74FA94000-memory.dmp	upx
C:\Windows\System\RgGYMNW.exe	upx
behavioral2/memory/4976-42-0x00007FF766200000-0x00007FF766554000-memory.dmp	upx
behavioral2/memory/1376-34-0x00007FF716D70000-0x00007FF7170C4000-memory.dmp	upx
behavioral2/memory/3340-29-0x00007FF762A20000-0x00007FF762D74000-memory.dmp	upx
behavioral2/memory/3612-24-0x00007FF7F3AC0000-0x00007FF7F3E14000-memory.dmp	upx
behavioral2/memory/964-19-0x00007FF676130000-0x00007FF676484000-memory.dmp	upx
behavioral2/memory/5084-116-0x00007FF7DA470000-0x00007FF7DA7C4000-memory.dmp	upx
behavioral2/memory/2540-117-0x00007FF629550000-0x00007FF6298A4000-memory.dmp	upx
behavioral2/memory/4692-118-0x00007FF7E5890000-0x00007FF7E5BE4000-memory.dmp	upx
behavioral2/memory/2484-120-0x00007FF7670B0000-0x00007FF767404000-memory.dmp	upx
behavioral2/memory/2880-121-0x00007FF7C16F0000-0x00007FF7C1A44000-memory.dmp	upx
behavioral2/memory/216-119-0x00007FF7AFB00000-0x00007FF7AFE54000-memory.dmp	upx
behavioral2/memory/3048-123-0x00007FF6C67A0000-0x00007FF6C6AF4000-memory.dmp	upx
behavioral2/memory/3572-124-0x00007FF658930000-0x00007FF658C84000-memory.dmp	upx
behavioral2/memory/3868-122-0x00007FF761990000-0x00007FF761CE4000-memory.dmp	upx
behavioral2/memory/652-125-0x00007FF7D0460000-0x00007FF7D07B4000-memory.dmp	upx
behavioral2/memory/1796-126-0x00007FF737400000-0x00007FF737754000-memory.dmp	upx
behavioral2/memory/3144-128-0x00007FF6F15B0000-0x00007FF6F1904000-memory.dmp	upx
behavioral2/memory/448-127-0x00007FF7A74B0000-0x00007FF7A7804000-memory.dmp	upx
behavioral2/memory/3612-131-0x00007FF7F3AC0000-0x00007FF7F3E14000-memory.dmp	upx
behavioral2/memory/964-130-0x00007FF676130000-0x00007FF676484000-memory.dmp	upx
behavioral2/memory/1660-129-0x00007FF755340000-0x00007FF755694000-memory.dmp	upx
behavioral2/memory/1376-132-0x00007FF716D70000-0x00007FF7170C4000-memory.dmp	upx
behavioral2/memory/3700-133-0x00007FF6818F0000-0x00007FF681C44000-memory.dmp	upx
behavioral2/memory/1440-134-0x00007FF74F740000-0x00007FF74FA94000-memory.dmp	upx
behavioral2/memory/4152-135-0x00007FF79D110000-0x00007FF79D464000-memory.dmp	upx
behavioral2/memory/5084-136-0x00007FF7DA470000-0x00007FF7DA7C4000-memory.dmp	upx
behavioral2/memory/1660-137-0x00007FF755340000-0x00007FF755694000-memory.dmp	upx
behavioral2/memory/964-138-0x00007FF676130000-0x00007FF676484000-memory.dmp	upx
behavioral2/memory/3612-139-0x00007FF7F3AC0000-0x00007FF7F3E14000-memory.dmp	upx
behavioral2/memory/3340-140-0x00007FF762A20000-0x00007FF762D74000-memory.dmp	upx
behavioral2/memory/1376-141-0x00007FF716D70000-0x00007FF7170C4000-memory.dmp	upx
behavioral2/memory/4976-142-0x00007FF766200000-0x00007FF766554000-memory.dmp	upx
behavioral2/memory/3700-143-0x00007FF6818F0000-0x00007FF681C44000-memory.dmp	upx
behavioral2/memory/1440-144-0x00007FF74F740000-0x00007FF74FA94000-memory.dmp	upx
behavioral2/memory/4152-145-0x00007FF79D110000-0x00007FF79D464000-memory.dmp	upx
behavioral2/memory/2540-146-0x00007FF629550000-0x00007FF6298A4000-memory.dmp	upx
behavioral2/memory/3144-147-0x00007FF6F15B0000-0x00007FF6F1904000-memory.dmp	upx
behavioral2/memory/5084-148-0x00007FF7DA470000-0x00007FF7DA7C4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\ijOOXoR.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BScmbfO.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xlHHifR.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\awlfxPJ.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HlztEBn.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZVidqhy.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gqXdrcI.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PYfiXcD.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KFJtKPg.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HzfJDhL.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YzQvmYk.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NMyHEqC.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xyRpAkA.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FJVXFkU.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zgpNNhq.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QuiGmQn.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XGrOoYs.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LFUbsRG.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RgGYMNW.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zDzhAQQ.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SBFBFdv.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 448 wrote to memory of 1660	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	QuiGmQn.exe
PID 448 wrote to memory of 1660	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	QuiGmQn.exe
PID 448 wrote to memory of 964	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	ijOOXoR.exe
PID 448 wrote to memory of 964	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	ijOOXoR.exe
PID 448 wrote to memory of 3612	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	KFJtKPg.exe
PID 448 wrote to memory of 3612	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	KFJtKPg.exe
PID 448 wrote to memory of 3340	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	HzfJDhL.exe
PID 448 wrote to memory of 3340	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	HzfJDhL.exe
PID 448 wrote to memory of 1376	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	YzQvmYk.exe
PID 448 wrote to memory of 1376	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	YzQvmYk.exe
PID 448 wrote to memory of 4976	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	BScmbfO.exe
PID 448 wrote to memory of 4976	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	BScmbfO.exe
PID 448 wrote to memory of 3700	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	XGrOoYs.exe
PID 448 wrote to memory of 3700	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	XGrOoYs.exe
PID 448 wrote to memory of 1440	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	RgGYMNW.exe
PID 448 wrote to memory of 1440	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	RgGYMNW.exe
PID 448 wrote to memory of 4152	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	xlHHifR.exe
PID 448 wrote to memory of 4152	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	xlHHifR.exe
PID 448 wrote to memory of 5084	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	NMyHEqC.exe
PID 448 wrote to memory of 5084	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	NMyHEqC.exe
PID 448 wrote to memory of 3144	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	xyRpAkA.exe
PID 448 wrote to memory of 3144	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	xyRpAkA.exe
PID 448 wrote to memory of 2540	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	awlfxPJ.exe
PID 448 wrote to memory of 2540	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	awlfxPJ.exe
PID 448 wrote to memory of 4692	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	zDzhAQQ.exe
PID 448 wrote to memory of 4692	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	zDzhAQQ.exe
PID 448 wrote to memory of 216	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	LFUbsRG.exe
PID 448 wrote to memory of 216	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	LFUbsRG.exe
PID 448 wrote to memory of 2484	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	ZVidqhy.exe
PID 448 wrote to memory of 2484	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	ZVidqhy.exe
PID 448 wrote to memory of 2880	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	gqXdrcI.exe
PID 448 wrote to memory of 2880	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	gqXdrcI.exe
PID 448 wrote to memory of 3868	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	PYfiXcD.exe
PID 448 wrote to memory of 3868	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	PYfiXcD.exe
PID 448 wrote to memory of 3048	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	FJVXFkU.exe
PID 448 wrote to memory of 3048	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	FJVXFkU.exe
PID 448 wrote to memory of 3572	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	SBFBFdv.exe
PID 448 wrote to memory of 3572	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	SBFBFdv.exe
PID 448 wrote to memory of 652	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	zgpNNhq.exe
PID 448 wrote to memory of 652	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	zgpNNhq.exe
PID 448 wrote to memory of 1796	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	HlztEBn.exe
PID 448 wrote to memory of 1796	448	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	HlztEBn.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\System\QuiGmQn.exe
C:\Windows\System\QuiGmQn.exe
2⤵
- Executes dropped EXE
PID:1660

C:\Windows\System\ijOOXoR.exe
C:\Windows\System\ijOOXoR.exe
2⤵
- Executes dropped EXE
PID:964

C:\Windows\System\KFJtKPg.exe
C:\Windows\System\KFJtKPg.exe
2⤵
- Executes dropped EXE
PID:3612

C:\Windows\System\HzfJDhL.exe
C:\Windows\System\HzfJDhL.exe
2⤵
- Executes dropped EXE
PID:3340

C:\Windows\System\YzQvmYk.exe
C:\Windows\System\YzQvmYk.exe
2⤵
- Executes dropped EXE
PID:1376

C:\Windows\System\BScmbfO.exe
C:\Windows\System\BScmbfO.exe
2⤵
- Executes dropped EXE
PID:4976

C:\Windows\System\XGrOoYs.exe
C:\Windows\System\XGrOoYs.exe
2⤵
- Executes dropped EXE
PID:3700

C:\Windows\System\RgGYMNW.exe
C:\Windows\System\RgGYMNW.exe
2⤵
- Executes dropped EXE
PID:1440

C:\Windows\System\xlHHifR.exe
C:\Windows\System\xlHHifR.exe
2⤵
- Executes dropped EXE
PID:4152

C:\Windows\System\NMyHEqC.exe
C:\Windows\System\NMyHEqC.exe
2⤵
- Executes dropped EXE
PID:5084

C:\Windows\System\xyRpAkA.exe
C:\Windows\System\xyRpAkA.exe
2⤵
- Executes dropped EXE
PID:3144

C:\Windows\System\awlfxPJ.exe
C:\Windows\System\awlfxPJ.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\System\zDzhAQQ.exe
C:\Windows\System\zDzhAQQ.exe
2⤵
- Executes dropped EXE
PID:4692

C:\Windows\System\LFUbsRG.exe
C:\Windows\System\LFUbsRG.exe
2⤵
- Executes dropped EXE
PID:216

C:\Windows\System\ZVidqhy.exe
C:\Windows\System\ZVidqhy.exe
2⤵
- Executes dropped EXE
PID:2484

C:\Windows\System\gqXdrcI.exe
C:\Windows\System\gqXdrcI.exe
2⤵
- Executes dropped EXE
PID:2880

C:\Windows\System\PYfiXcD.exe
C:\Windows\System\PYfiXcD.exe
2⤵
- Executes dropped EXE
PID:3868

C:\Windows\System\FJVXFkU.exe
C:\Windows\System\FJVXFkU.exe
2⤵
- Executes dropped EXE
PID:3048

C:\Windows\System\SBFBFdv.exe
C:\Windows\System\SBFBFdv.exe
2⤵
- Executes dropped EXE
PID:3572

C:\Windows\System\zgpNNhq.exe
C:\Windows\System\zgpNNhq.exe
2⤵
- Executes dropped EXE
PID:652

C:\Windows\System\HlztEBn.exe
C:\Windows\System\HlztEBn.exe
2⤵
- Executes dropped EXE
PID:1796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BScmbfO.exe

Filesize
5.9MB

MD5
2a8f162e245fc826e52f7c1ceeac948b

SHA1
ef1fab7a6bc3d0b15732e0ec54c1d2088fcdd83b

SHA256
f712a71a3eebe23d461b8f88200828e5324b8492b1adbd5214d60c06fe618def

SHA512
ddf020c5468923b6cedd738b160a13d23725f83a820b2b580e09957989751a954e94c8cbe8111682514d675f8bfe32ce3792bdae4f15728a2dd77a7f59179173

Download Submit
C:\Windows\System\FJVXFkU.exe

Filesize
5.9MB

MD5
b9a36d252fa2c1c52be77405a7f71dea

SHA1
794e21751b43ed4b09a90e3659e2e59257f29a9c

SHA256
f75b1236ddf870faf9610cc2d7a9749400a8653c061ddb238092e7304e9dfc99

SHA512
82171d04d785d1825fe9c2a3f04cec85d261ab9934f5464177946584bde0db15171b58e58888460c4e19429c327161a96c39b66912fcb9b671237c0f72a85b94

Download Submit
C:\Windows\System\HlztEBn.exe

Filesize
5.9MB

MD5
949b80f18188ae6b5482facf8900c53c

SHA1
9cfdec0b46c68beb78df6fd9a56192dc6b55c586

SHA256
a66dcff243b52af48aeb89ec08e9701d8e0245225cace8fc3272ffb89420442a

SHA512
5ba46b246fe9b549f330459906d7297e3487c6ee2580d03e43632b4ed5e41619c926cacade7a7af2de2a6df802d81bddf4754dd1a058a2931edddfff0202986a

Download Submit
C:\Windows\System\HzfJDhL.exe

Filesize
5.9MB

MD5
da3e866e7f277a0ba603ef5583fb47e9

SHA1
694173175ec4c19b0a408bbe330b0e83412df39e

SHA256
b67161020a3a3eab25e87add3e7fc85deec5c7795581d6d4348aa1b7f09a81c9

SHA512
3f38fef9afb296997241df67343326a4fe4c3661d96119b51d8c41a4125184e06af6c1524f0db68eb33eb06be82e180ecd7296c36f66bc3183cf3d86bda75e87

Download Submit
C:\Windows\System\KFJtKPg.exe

Filesize
5.9MB

MD5
436e610d37bbb4c7230b45a501cb6ff5

SHA1
3d7e1454446ca4a85af6f742431c8a45c0813294

SHA256
0a84a44893f3e0333471367c8e43739f42c753641f7cc0d2639e76dac714a391

SHA512
f1d312e90ff5bcc761ed3513d32411935bedaa0ecba4170e91f9ce1669215a89892082ec644ecb1d7461eedfd26035842599dc1a190d603bacaa76fc11d833bb

Download Submit
C:\Windows\System\LFUbsRG.exe

Filesize
5.9MB

MD5
74d90f31e6cca06cb08716d58584b02f

SHA1
944e1cb9e294fb58743e4c59886b5fe5b60212f0

SHA256
6585af7a05ece3be5b811ea66cdbea7a444ee4fcd78e15070d05695d1edb7dd9

SHA512
88082cb5a216b5f8a9a570b87db17ccbaa59b31f0f99ab1bdc31bbf7a1feaccda6cb3c64c5d828300b58d41168ae4504c960443d26aba782e2c5534e5c9883f9

Download Submit
C:\Windows\System\NMyHEqC.exe

Filesize
5.9MB

MD5
0b8e0283d41c58f853c07b0d972d6180

SHA1
c568361936a4d9e0d4126ccf6e011944115aee19

SHA256
c773884b81c42956a6b5a01e72177f774a6db8de162d56d03d91106951559126

SHA512
bbf67890bdc716649cc20a556cc1d07296005ca19ff101939a37affbc44a0f860db3077863a8cb35616d0276da2b3c52b9b5f4d22c3791f22b811da9ea1079a8

Download Submit
C:\Windows\System\PYfiXcD.exe

Filesize
5.9MB

MD5
ccfdd0793bf419dfe3480b05d8073352

SHA1
99303fdce7113714698f94cadf3cb8b4a6de4945

SHA256
bbe2c5519f3d83dff3aef2f1527513b7af1c0fbf685bb1cc5138f302e32db4f6

SHA512
f1df85fbe176ab7809e1e3327a2ced5b3959d47e541545e1d859816875d58a00977f3caf47487564239aef6bf6dfdf38171e2be0ed6691185d27c629ffd5510d

Download Submit
C:\Windows\System\QuiGmQn.exe

Filesize
5.9MB

MD5
6b4efb4201157fb0605e38df93b776ae

SHA1
b47fbfc9e62ddc01d826d1ea2991d1675d2076f0

SHA256
b1dce35c00197de2fc6e09942245d5ed374fa2febeec5c537e2427db06378e08

SHA512
51f60bc4963e6d084b2a16c5db5b246cb0aa4003a60da1d045e391f199907ab4db6d35fcb986edeacb7ffc384246f5452c9085f95a71f7fc67287eb271eb4eb7

Download Submit
C:\Windows\System\RgGYMNW.exe

Filesize
5.9MB

MD5
728d65575ca72f826163a595a3308eb2

SHA1
576131410533ab219b79b6be0023cd8b6c8dd4c1

SHA256
60f2a40cc832f8d55b0aeed768caa158fcd03fda5cd7f63a6cba717b6fadd04f

SHA512
5549af850c2aba655fad97d7741bae46ee771a234aa1a3d84cf631997a10239dddecab548afe22e004d85626cf5fbf3bc88f954602a9929d406b943948af89f0

Download Submit
C:\Windows\System\SBFBFdv.exe

Filesize
5.9MB

MD5
59a6e66373c9658dea097af2073910a6

SHA1
66f0ea50f73df3ef67269120b24d95fb97302729

SHA256
8c82aadaae0c00a2db748f199281b821f3c82f3efbb6dc29984a41c409efaab0

SHA512
fb6a610fbee4c975ba071660708f19ef7f49e5428e20ff4e24faa06ef8ceb6c9c4cb2a322a6522dd3bd7d6da0425ddd7aa77924fc24abe341672aec75587b38a

Download Submit
C:\Windows\System\XGrOoYs.exe

Filesize
5.9MB

MD5
78380f1d1e0f25c3016c6cbd379f0853

SHA1
402fe7bf4951cf244639a9d0b6547eefbf876a53

SHA256
b8132824291f8acb44a4e625b499c00c648dd5b377ab9e84f9ce673fc4f6aa9f

SHA512
0ed8c1372e0edb7151263e62a8ba30a67be96df785592bcdfab5ac3a91722e744f1c2a5d060d007769b5c4fa3eca21daf1e5e2fd6d3a03ae3884ea45c2b180ea

Download Submit
C:\Windows\System\YzQvmYk.exe

Filesize
5.9MB

MD5
7b006b3bd5247a1b0bccf2d04bb3f369

SHA1
bfb372a1c41ed30c6618230c6917a9a6fabf4cb8

SHA256
d3ddd603e2d49af9840dad011559368d4f38bae117bd2f86ebbdcb4b39015807

SHA512
b728cd7601ce89f5028844a7552a070d2f50f9c86b97426281ee8db847ca3b373e1be1eb541b7a403fe468828e95a0ba10ec40534c7db801865325a0c80cf8e6

Download Submit
C:\Windows\System\ZVidqhy.exe

Filesize
5.9MB

MD5
6af2f2f418f6d743ec1dda1d9d82a55c

SHA1
b31204bfa6932d82987e010a4a4641227a9758bc

SHA256
dd40726d295adf78b93e676c13fa2a423f72b822defb47673326311a7cb00acb

SHA512
175c0e4e21a7dc650b0c9b1ddaa0e468b38203a5c683a21ef7a78f48c356a45634cba09a7e421ea18864295fde28604aa4092d8d7acd3420244607eaccb1de8b

Download Submit
C:\Windows\System\awlfxPJ.exe

Filesize
5.9MB

MD5
0a949766e3221bc1843d056f1e2f346c

SHA1
23bffb07a9fd8239a516b1da753df1d92adef631

SHA256
a1b832a3d2cbd86022d094aa001a73565e22e6a3489990e134563ccf9edb30da

SHA512
91f41b99feb68bd52009f9519832b52bd17065fc9a9ec31c6f86615477be64a992145a68495cff8b6caa65fe96d97027a1a99b805b6eaac3e9cb65c3c4002a25

Download Submit
C:\Windows\System\gqXdrcI.exe

Filesize
5.9MB

MD5
e7d7075ff456256589e0e8d9e29254a4

SHA1
991b94f7cdaa0b5d472c0a5e2d049332cd4095ff

SHA256
ac518ac4b1e9a57ae3261656a895725945dc00a3959c496b5030f04eccb54f60

SHA512
ee4462b2cbf93b744b8f06df0995b86b018e57deb1ca6392bca40146595a68fcbac0b9905bb051d3bea41044324f5375c7da7f723b473818555b1c405cf60526

Download Submit
C:\Windows\System\ijOOXoR.exe

Filesize
5.9MB

MD5
373187b38ed34d8cb23b29f19506d8f7

SHA1
dc11a45a927f9ca1646b50046fb9764b2a65ea3f

SHA256
88bc6a1cf440f54aa85d944ab15529cd994e423a3ceb6d5c32a4c7b554991609

SHA512
350a92503bec53f2360247fd036b4df59bf6c0483eb565a0cca086f56ab1404d2ba6395bf401eb95fb112c960793bf3d5c635960dba91138f595e5773e746de2

Download Submit
C:\Windows\System\xlHHifR.exe

Filesize
5.9MB

MD5
fc35cf9f7b4226549e9dd442c260393b

SHA1
47922b7c6bf9b636ecb85fb33378293761a7b3d1

SHA256
a74f3453a71a1de48eb141e2d5fea3af86ec360d8c4e88780f0ebb84641caaa5

SHA512
0845aca018cb5a5256fdc16f571a423de63e25a5473f985eaf4a37067e5ae66b3803e745040be28b8fb7b91233193168c11e6fa3367fde58f3fe47ede289ca87

Download Submit
C:\Windows\System\xyRpAkA.exe

Filesize
5.9MB

MD5
42c56f7731324f670e50d03c2634a4f2

SHA1
43bfe5781436b7155417e0551cdf29c30a5712bd

SHA256
aefe8bc63913db7b3b4b1178121a5c12464fb7fc763e1d06229eb5653f663e20

SHA512
ea83c00d702dede3cd1b7df8a2085eb5dd7336cb74de2e7ec07cb09502e24520f14766858ff843026833ac1e6478dc9364890217a3687b141da9cf04907cdf26

Download Submit
C:\Windows\System\zDzhAQQ.exe

Filesize
5.9MB

MD5
9d12b8ce6f175e7d29464a62f12a39cb

SHA1
93c2cbeecac3428a6b35537145ae188d4fad5e30

SHA256
f1b869a29f5096afb748482699dd3730ebb34b0d4fd86d54321a74dd33040f92

SHA512
19566acd9c7ab2c2a16c5a7e772ea75b785a5e1225db360ae9f4ca6088692159adf2a77fc3d94aafd010509c38e3e8deabebe37af43f49caa8cef802abf905ff

Download Submit
C:\Windows\System\zgpNNhq.exe

Filesize
5.9MB

MD5
e47fc4f37209eb1df9c8f36d0a8e8442

SHA1
f7e407af79b6f14785a1509eec0c86e3958544b2

SHA256
de19f05262cabd52cd425e9e00006c58bcb298880318355ea86a113d67e0fee8

SHA512
64315b647aeb2b30bd29047ee6ce5ca477ff9edccd5da7da62cac89a40b8e4d42ac86348e4eacbfecf34d3bf1bc3de944db51c36e4eae64413099739a5ebe33c

Download Submit
memory/216-150-0x00007FF7AFB00000-0x00007FF7AFE54000-memory.dmp

Filesize
3.3MB

Download
memory/216-119-0x00007FF7AFB00000-0x00007FF7AFE54000-memory.dmp

Filesize
3.3MB

Download
memory/448-0-0x00007FF7A74B0000-0x00007FF7A7804000-memory.dmp

Filesize
3.3MB

Download
memory/448-1-0x000002720DF50000-0x000002720DF60000-memory.dmp

Filesize
64KB

Download
memory/448-127-0x00007FF7A74B0000-0x00007FF7A7804000-memory.dmp

Filesize
3.3MB

Download
memory/652-125-0x00007FF7D0460000-0x00007FF7D07B4000-memory.dmp

Filesize
3.3MB

Download
memory/652-155-0x00007FF7D0460000-0x00007FF7D07B4000-memory.dmp

Filesize
3.3MB

Download
memory/964-19-0x00007FF676130000-0x00007FF676484000-memory.dmp

Filesize
3.3MB

Download
memory/964-130-0x00007FF676130000-0x00007FF676484000-memory.dmp

Filesize
3.3MB

Download
memory/964-138-0x00007FF676130000-0x00007FF676484000-memory.dmp

Filesize
3.3MB

Download
memory/1376-141-0x00007FF716D70000-0x00007FF7170C4000-memory.dmp

Filesize
3.3MB

Download
memory/1376-132-0x00007FF716D70000-0x00007FF7170C4000-memory.dmp

Filesize
3.3MB

Download
memory/1376-34-0x00007FF716D70000-0x00007FF7170C4000-memory.dmp

Filesize
3.3MB

Download
memory/1440-134-0x00007FF74F740000-0x00007FF74FA94000-memory.dmp

Filesize
3.3MB

Download
memory/1440-144-0x00007FF74F740000-0x00007FF74FA94000-memory.dmp

Filesize
3.3MB

Download
memory/1440-54-0x00007FF74F740000-0x00007FF74FA94000-memory.dmp

Filesize
3.3MB

Download
memory/1660-137-0x00007FF755340000-0x00007FF755694000-memory.dmp

Filesize
3.3MB

Download
memory/1660-129-0x00007FF755340000-0x00007FF755694000-memory.dmp

Filesize
3.3MB

Download
memory/1660-7-0x00007FF755340000-0x00007FF755694000-memory.dmp

Filesize
3.3MB

Download
memory/1796-126-0x00007FF737400000-0x00007FF737754000-memory.dmp

Filesize
3.3MB

Download
memory/1796-154-0x00007FF737400000-0x00007FF737754000-memory.dmp

Filesize
3.3MB

Download
memory/2484-120-0x00007FF7670B0000-0x00007FF767404000-memory.dmp

Filesize
3.3MB

Download
memory/2484-151-0x00007FF7670B0000-0x00007FF767404000-memory.dmp

Filesize
3.3MB

Download
memory/2540-117-0x00007FF629550000-0x00007FF6298A4000-memory.dmp

Filesize
3.3MB

Download
memory/2540-146-0x00007FF629550000-0x00007FF6298A4000-memory.dmp

Filesize
3.3MB

Download
memory/2880-121-0x00007FF7C16F0000-0x00007FF7C1A44000-memory.dmp

Filesize
3.3MB

Download
memory/2880-153-0x00007FF7C16F0000-0x00007FF7C1A44000-memory.dmp

Filesize
3.3MB

Download
memory/3048-123-0x00007FF6C67A0000-0x00007FF6C6AF4000-memory.dmp

Filesize
3.3MB

Download
memory/3048-157-0x00007FF6C67A0000-0x00007FF6C6AF4000-memory.dmp

Filesize
3.3MB

Download
memory/3144-128-0x00007FF6F15B0000-0x00007FF6F1904000-memory.dmp

Filesize
3.3MB

Download
memory/3144-147-0x00007FF6F15B0000-0x00007FF6F1904000-memory.dmp

Filesize
3.3MB

Download
memory/3340-140-0x00007FF762A20000-0x00007FF762D74000-memory.dmp

Filesize
3.3MB

Download
memory/3340-29-0x00007FF762A20000-0x00007FF762D74000-memory.dmp

Filesize
3.3MB

Download
memory/3572-124-0x00007FF658930000-0x00007FF658C84000-memory.dmp

Filesize
3.3MB

Download
memory/3572-156-0x00007FF658930000-0x00007FF658C84000-memory.dmp

Filesize
3.3MB

Download
memory/3612-131-0x00007FF7F3AC0000-0x00007FF7F3E14000-memory.dmp

Filesize
3.3MB

Download
memory/3612-139-0x00007FF7F3AC0000-0x00007FF7F3E14000-memory.dmp

Filesize
3.3MB

Download
memory/3612-24-0x00007FF7F3AC0000-0x00007FF7F3E14000-memory.dmp

Filesize
3.3MB

Download
memory/3700-46-0x00007FF6818F0000-0x00007FF681C44000-memory.dmp

Filesize
3.3MB

Download
memory/3700-143-0x00007FF6818F0000-0x00007FF681C44000-memory.dmp

Filesize
3.3MB

Download
memory/3700-133-0x00007FF6818F0000-0x00007FF681C44000-memory.dmp

Filesize
3.3MB

Download
memory/3868-122-0x00007FF761990000-0x00007FF761CE4000-memory.dmp

Filesize
3.3MB

Download
memory/3868-152-0x00007FF761990000-0x00007FF761CE4000-memory.dmp

Filesize
3.3MB

Download
memory/4152-57-0x00007FF79D110000-0x00007FF79D464000-memory.dmp

Filesize
3.3MB

Download
memory/4152-145-0x00007FF79D110000-0x00007FF79D464000-memory.dmp

Filesize
3.3MB

Download
memory/4152-135-0x00007FF79D110000-0x00007FF79D464000-memory.dmp

Filesize
3.3MB

Download
memory/4692-118-0x00007FF7E5890000-0x00007FF7E5BE4000-memory.dmp

Filesize
3.3MB

Download
memory/4692-149-0x00007FF7E5890000-0x00007FF7E5BE4000-memory.dmp

Filesize
3.3MB

Download
memory/4976-142-0x00007FF766200000-0x00007FF766554000-memory.dmp

Filesize
3.3MB

Download
memory/4976-42-0x00007FF766200000-0x00007FF766554000-memory.dmp

Filesize
3.3MB

Download
memory/5084-148-0x00007FF7DA470000-0x00007FF7DA7C4000-memory.dmp

Filesize
3.3MB

Download
memory/5084-116-0x00007FF7DA470000-0x00007FF7DA7C4000-memory.dmp

Filesize
3.3MB

Download
memory/5084-136-0x00007FF7DA470000-0x00007FF7DA7C4000-memory.dmp

Filesize
3.3MB

Download