cobaltstrike | 4d59bf9a42ae8194b20c8683427320d6d167061448b96fbebcb4b5c02d35da2e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a1c1a1fbfe18029c956ca5498c0c5ff7
SHA1

2fa527e9cc98228827b5dbb2156b4aa96eec6488
SHA256

4d59bf9a42ae8194b20c8683427320d6d167061448b96fbebcb4b5c02d35da2e
SHA512

c1edd6bf50578002cf37397fda96603cf86efc57754e810748649fac527007363cb3ddd1ede38adf976b9e97f4cce1590796490a7d0ffc404d769179f4f97693
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lh:RWWBibf56utgpPFotBER/mQ32lUt

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023b53-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-17.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-23.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b77-29.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-34.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-41.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b81-50.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b7f-52.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-64.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-76.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-63.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-101.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-112.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-95.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023aa7-133.dat	cobalt_reflective_dll
behavioral2/files/0x000f000000023aad-137.dat	cobalt_reflective_dll
behavioral2/files/0x001d0000000239ed-131.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-123.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/380-14-0x00007FF731860000-0x00007FF731BB1000-memory.dmp	xmrig
behavioral2/memory/380-74-0x00007FF731860000-0x00007FF731BB1000-memory.dmp	xmrig
behavioral2/memory/1084-66-0x00007FF63B060000-0x00007FF63B3B1000-memory.dmp	xmrig
behavioral2/memory/2360-60-0x00007FF6EE880000-0x00007FF6EEBD1000-memory.dmp	xmrig
behavioral2/memory/876-83-0x00007FF687F00000-0x00007FF688251000-memory.dmp	xmrig
behavioral2/memory/2836-88-0x00007FF7F3120000-0x00007FF7F3471000-memory.dmp	xmrig
behavioral2/memory/1320-94-0x00007FF6CE510000-0x00007FF6CE861000-memory.dmp	xmrig
behavioral2/memory/3680-109-0x00007FF7051F0000-0x00007FF705541000-memory.dmp	xmrig
behavioral2/memory/4756-108-0x00007FF6293D0000-0x00007FF629721000-memory.dmp	xmrig
behavioral2/memory/4980-104-0x00007FF682570000-0x00007FF6828C1000-memory.dmp	xmrig
behavioral2/memory/4024-90-0x00007FF6EB7F0000-0x00007FF6EBB41000-memory.dmp	xmrig
behavioral2/memory/3356-85-0x00007FF68F700000-0x00007FF68FA51000-memory.dmp	xmrig
behavioral2/memory/3504-118-0x00007FF6D36A0000-0x00007FF6D39F1000-memory.dmp	xmrig
behavioral2/memory/3656-125-0x00007FF796C70000-0x00007FF796FC1000-memory.dmp	xmrig
behavioral2/memory/4172-130-0x00007FF720D40000-0x00007FF721091000-memory.dmp	xmrig
behavioral2/memory/2936-141-0x00007FF747250000-0x00007FF7475A1000-memory.dmp	xmrig
behavioral2/memory/412-143-0x00007FF6DF1C0000-0x00007FF6DF511000-memory.dmp	xmrig
behavioral2/memory/2632-145-0x00007FF6AC7E0000-0x00007FF6ACB31000-memory.dmp	xmrig
behavioral2/memory/2360-142-0x00007FF6EE880000-0x00007FF6EEBD1000-memory.dmp	xmrig
behavioral2/memory/2816-158-0x00007FF790100000-0x00007FF790451000-memory.dmp	xmrig
behavioral2/memory/1168-165-0x00007FF68D000000-0x00007FF68D351000-memory.dmp	xmrig
behavioral2/memory/1960-164-0x00007FF7C5E50000-0x00007FF7C61A1000-memory.dmp	xmrig
behavioral2/memory/3776-167-0x00007FF74BFD0000-0x00007FF74C321000-memory.dmp	xmrig
behavioral2/memory/1264-170-0x00007FF7B4AD0000-0x00007FF7B4E21000-memory.dmp	xmrig
behavioral2/memory/2360-171-0x00007FF6EE880000-0x00007FF6EEBD1000-memory.dmp	xmrig
behavioral2/memory/1084-221-0x00007FF63B060000-0x00007FF63B3B1000-memory.dmp	xmrig
behavioral2/memory/380-223-0x00007FF731860000-0x00007FF731BB1000-memory.dmp	xmrig
behavioral2/memory/876-226-0x00007FF687F00000-0x00007FF688251000-memory.dmp	xmrig
behavioral2/memory/2836-231-0x00007FF7F3120000-0x00007FF7F3471000-memory.dmp	xmrig
behavioral2/memory/4024-233-0x00007FF6EB7F0000-0x00007FF6EBB41000-memory.dmp	xmrig
behavioral2/memory/1320-235-0x00007FF6CE510000-0x00007FF6CE861000-memory.dmp	xmrig
behavioral2/memory/4980-237-0x00007FF682570000-0x00007FF6828C1000-memory.dmp	xmrig
behavioral2/memory/4756-244-0x00007FF6293D0000-0x00007FF629721000-memory.dmp	xmrig
behavioral2/memory/3680-246-0x00007FF7051F0000-0x00007FF705541000-memory.dmp	xmrig
behavioral2/memory/3656-248-0x00007FF796C70000-0x00007FF796FC1000-memory.dmp	xmrig
behavioral2/memory/3504-250-0x00007FF6D36A0000-0x00007FF6D39F1000-memory.dmp	xmrig
behavioral2/memory/4172-252-0x00007FF720D40000-0x00007FF721091000-memory.dmp	xmrig
behavioral2/memory/3356-255-0x00007FF68F700000-0x00007FF68FA51000-memory.dmp	xmrig
behavioral2/memory/2936-261-0x00007FF747250000-0x00007FF7475A1000-memory.dmp	xmrig
behavioral2/memory/412-263-0x00007FF6DF1C0000-0x00007FF6DF511000-memory.dmp	xmrig
behavioral2/memory/2632-265-0x00007FF6AC7E0000-0x00007FF6ACB31000-memory.dmp	xmrig
behavioral2/memory/2816-267-0x00007FF790100000-0x00007FF790451000-memory.dmp	xmrig
behavioral2/memory/1960-272-0x00007FF7C5E50000-0x00007FF7C61A1000-memory.dmp	xmrig
behavioral2/memory/1264-274-0x00007FF7B4AD0000-0x00007FF7B4E21000-memory.dmp	xmrig
behavioral2/memory/3776-276-0x00007FF74BFD0000-0x00007FF74C321000-memory.dmp	xmrig
behavioral2/memory/1168-278-0x00007FF68D000000-0x00007FF68D351000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1084	oHmIsfv.exe
380	WTWuHVN.exe
876	JVoUEve.exe
2836	nrHietq.exe
4024	kllRfEA.exe
1320	IfRdPEh.exe
4980	FwCQocx.exe
4756	iZGKLqu.exe
3680	GmXDMIv.exe
3504	NxvVbVC.exe
3656	XMCQkuy.exe
4172	jlKUOKo.exe
3356	ENQyGTi.exe
2936	dGbPyus.exe
412	jLpKzzx.exe
2632	prBfVkg.exe
2816	bMjVfGo.exe
1960	fJAIRYK.exe
1168	FUeBXKa.exe
3776	jAAcYEl.exe
1264	BmwXvLu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2360-0-0x00007FF6EE880000-0x00007FF6EEBD1000-memory.dmp	upx
behavioral2/files/0x000d000000023b53-4.dat	upx
behavioral2/memory/1084-6-0x00007FF63B060000-0x00007FF63B3B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7a-12.dat	upx
behavioral2/files/0x000a000000023b7b-17.dat	upx
behavioral2/memory/380-14-0x00007FF731860000-0x00007FF731BB1000-memory.dmp	upx
behavioral2/memory/876-18-0x00007FF687F00000-0x00007FF688251000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-23.dat	upx
behavioral2/memory/2836-24-0x00007FF7F3120000-0x00007FF7F3471000-memory.dmp	upx
behavioral2/files/0x000b000000023b77-29.dat	upx
behavioral2/files/0x000a000000023b7d-34.dat	upx
behavioral2/memory/1320-38-0x00007FF6CE510000-0x00007FF6CE861000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-41.dat	upx
behavioral2/memory/4980-42-0x00007FF682570000-0x00007FF6828C1000-memory.dmp	upx
behavioral2/memory/4024-30-0x00007FF6EB7F0000-0x00007FF6EBB41000-memory.dmp	upx
behavioral2/files/0x0031000000023b81-50.dat	upx
behavioral2/files/0x0031000000023b7f-52.dat	upx
behavioral2/files/0x000a000000023b83-64.dat	upx
behavioral2/memory/3656-67-0x00007FF796C70000-0x00007FF796FC1000-memory.dmp	upx
behavioral2/memory/380-74-0x00007FF731860000-0x00007FF731BB1000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-76.dat	upx
behavioral2/memory/4172-75-0x00007FF720D40000-0x00007FF721091000-memory.dmp	upx
behavioral2/memory/1084-66-0x00007FF63B060000-0x00007FF63B3B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-63.dat	upx
behavioral2/memory/3504-61-0x00007FF6D36A0000-0x00007FF6D39F1000-memory.dmp	upx
behavioral2/memory/2360-60-0x00007FF6EE880000-0x00007FF6EEBD1000-memory.dmp	upx
behavioral2/memory/3680-55-0x00007FF7051F0000-0x00007FF705541000-memory.dmp	upx
behavioral2/memory/4756-51-0x00007FF6293D0000-0x00007FF629721000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-81.dat	upx
behavioral2/memory/876-83-0x00007FF687F00000-0x00007FF688251000-memory.dmp	upx
behavioral2/memory/2836-88-0x00007FF7F3120000-0x00007FF7F3471000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-93.dat	upx
behavioral2/memory/1320-94-0x00007FF6CE510000-0x00007FF6CE861000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-101.dat	upx
behavioral2/memory/3680-109-0x00007FF7051F0000-0x00007FF705541000-memory.dmp	upx
behavioral2/memory/2816-113-0x00007FF790100000-0x00007FF790451000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-112.dat	upx
behavioral2/memory/4756-108-0x00007FF6293D0000-0x00007FF629721000-memory.dmp	upx
behavioral2/memory/2632-107-0x00007FF6AC7E0000-0x00007FF6ACB31000-memory.dmp	upx
behavioral2/memory/4980-104-0x00007FF682570000-0x00007FF6828C1000-memory.dmp	upx
behavioral2/memory/412-98-0x00007FF6DF1C0000-0x00007FF6DF511000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-95.dat	upx
behavioral2/memory/4024-90-0x00007FF6EB7F0000-0x00007FF6EBB41000-memory.dmp	upx
behavioral2/memory/2936-89-0x00007FF747250000-0x00007FF7475A1000-memory.dmp	upx
behavioral2/memory/3356-85-0x00007FF68F700000-0x00007FF68FA51000-memory.dmp	upx
behavioral2/memory/3504-118-0x00007FF6D36A0000-0x00007FF6D39F1000-memory.dmp	upx
behavioral2/memory/3656-125-0x00007FF796C70000-0x00007FF796FC1000-memory.dmp	upx
behavioral2/files/0x000e000000023aa7-133.dat	upx
behavioral2/files/0x000f000000023aad-137.dat	upx
behavioral2/memory/1264-136-0x00007FF7B4AD0000-0x00007FF7B4E21000-memory.dmp	upx
behavioral2/memory/3776-134-0x00007FF74BFD0000-0x00007FF74C321000-memory.dmp	upx
behavioral2/files/0x001d0000000239ed-131.dat	upx
behavioral2/memory/4172-130-0x00007FF720D40000-0x00007FF721091000-memory.dmp	upx
behavioral2/memory/1168-129-0x00007FF68D000000-0x00007FF68D351000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-123.dat	upx
behavioral2/memory/1960-121-0x00007FF7C5E50000-0x00007FF7C61A1000-memory.dmp	upx
behavioral2/memory/2936-141-0x00007FF747250000-0x00007FF7475A1000-memory.dmp	upx
behavioral2/memory/412-143-0x00007FF6DF1C0000-0x00007FF6DF511000-memory.dmp	upx
behavioral2/memory/2632-145-0x00007FF6AC7E0000-0x00007FF6ACB31000-memory.dmp	upx
behavioral2/memory/2360-142-0x00007FF6EE880000-0x00007FF6EEBD1000-memory.dmp	upx
behavioral2/memory/2816-158-0x00007FF790100000-0x00007FF790451000-memory.dmp	upx
behavioral2/memory/1168-165-0x00007FF68D000000-0x00007FF68D351000-memory.dmp	upx
behavioral2/memory/1960-164-0x00007FF7C5E50000-0x00007FF7C61A1000-memory.dmp	upx
behavioral2/memory/3776-167-0x00007FF74BFD0000-0x00007FF74C321000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ENQyGTi.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bMjVfGo.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WTWuHVN.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XMCQkuy.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jlKUOKo.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fJAIRYK.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BmwXvLu.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oHmIsfv.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nrHietq.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dGbPyus.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iZGKLqu.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GmXDMIv.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\prBfVkg.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FUeBXKa.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jAAcYEl.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JVoUEve.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IfRdPEh.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FwCQocx.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kllRfEA.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NxvVbVC.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jLpKzzx.exe	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1084	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2360 wrote to memory of 1084	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2360 wrote to memory of 380	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2360 wrote to memory of 380	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2360 wrote to memory of 876	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2360 wrote to memory of 876	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2360 wrote to memory of 2836	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2360 wrote to memory of 2836	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2360 wrote to memory of 4024	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2360 wrote to memory of 4024	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2360 wrote to memory of 1320	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2360 wrote to memory of 1320	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2360 wrote to memory of 4980	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2360 wrote to memory of 4980	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2360 wrote to memory of 4756	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2360 wrote to memory of 4756	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2360 wrote to memory of 3680	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2360 wrote to memory of 3680	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2360 wrote to memory of 3504	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2360 wrote to memory of 3504	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2360 wrote to memory of 3656	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2360 wrote to memory of 3656	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2360 wrote to memory of 4172	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2360 wrote to memory of 4172	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2360 wrote to memory of 3356	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2360 wrote to memory of 3356	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2360 wrote to memory of 2936	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2360 wrote to memory of 2936	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2360 wrote to memory of 412	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2360 wrote to memory of 412	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2360 wrote to memory of 2632	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2360 wrote to memory of 2632	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2360 wrote to memory of 2816	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2360 wrote to memory of 2816	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2360 wrote to memory of 1960	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2360 wrote to memory of 1960	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2360 wrote to memory of 1168	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2360 wrote to memory of 1168	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2360 wrote to memory of 3776	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2360 wrote to memory of 3776	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2360 wrote to memory of 1264	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2360 wrote to memory of 1264	2360	2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-16_a1c1a1fbfe18029c956ca5498c0c5ff7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\System\oHmIsfv.exe
  C:\Windows\System\oHmIsfv.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System\WTWuHVN.exe
  C:\Windows\System\WTWuHVN.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\JVoUEve.exe
  C:\Windows\System\JVoUEve.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System\nrHietq.exe
  C:\Windows\System\nrHietq.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\kllRfEA.exe
  C:\Windows\System\kllRfEA.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\IfRdPEh.exe
  C:\Windows\System\IfRdPEh.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System\FwCQocx.exe
  C:\Windows\System\FwCQocx.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\iZGKLqu.exe
  C:\Windows\System\iZGKLqu.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\GmXDMIv.exe
  C:\Windows\System\GmXDMIv.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\NxvVbVC.exe
  C:\Windows\System\NxvVbVC.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\XMCQkuy.exe
  C:\Windows\System\XMCQkuy.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\jlKUOKo.exe
  C:\Windows\System\jlKUOKo.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\ENQyGTi.exe
  C:\Windows\System\ENQyGTi.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\dGbPyus.exe
  C:\Windows\System\dGbPyus.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\jLpKzzx.exe
  C:\Windows\System\jLpKzzx.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System\prBfVkg.exe
  C:\Windows\System\prBfVkg.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\bMjVfGo.exe
  C:\Windows\System\bMjVfGo.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\fJAIRYK.exe
  C:\Windows\System\fJAIRYK.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\FUeBXKa.exe
  C:\Windows\System\FUeBXKa.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System\jAAcYEl.exe
  C:\Windows\System\jAAcYEl.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System\BmwXvLu.exe
  C:\Windows\System\BmwXvLu.exe
  2⤵
  - Executes dropped EXE
  PID:1264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BmwXvLu.exe

Filesize
5.2MB

MD5
106c8d027bb0ddea35d67e479bf6ae80

SHA1
28fe0dd8484272afa6a41a2486117720a655f414

SHA256
540823acbc65eb6e7577c608a0cda5286c6ba329ab089d5af2ff930b60eb88f2

SHA512
2c5428b472c1e87cfd371973f576fb5f4bda44434de31a49e7840d9041dd6d6054c069c745eb1e1b43f149d320720de2ac5eebb4823e617a7a6e4f315ffd22a2

Download Submit
C:\Windows\System\ENQyGTi.exe

Filesize
5.2MB

MD5
3b833afaa3922d5722842e87b23617e2

SHA1
1e835562f1710131b13ff04386eecdb1cc5c6bdd

SHA256
2ae57a3b2ea68b8746de47f18c1a4e9d5b0193fc33a7f4a5ce9e25bb6550ff5e

SHA512
9a30c637fd6929d59874f8a9038a00208f167d4ba6f6160c1ae9b4ddb69dcd467196525e9d1f0ecb96d5985b49c4cb2f688d44fec4a29e53211a0d0038984f42

Download Submit
C:\Windows\System\FUeBXKa.exe

Filesize
5.2MB

MD5
fb61ad76d3b2157807de4fec3b2a8e67

SHA1
f852f6b31dea7d2d22c37b6457b12c05a3b686bb

SHA256
aeb1eff0f87e1063be8ab7b82796e2d75c7925ed306c6edc390a365e0dd7207b

SHA512
5313f862526461e0dcf6948c99da5d5b73f5be6d2d1c1d55da7533d421c0e758a08e4a8deb667b375c4660d1393b345781f637e81d7d5764673de4f098ece562

Download Submit
C:\Windows\System\FwCQocx.exe

Filesize
5.2MB

MD5
c40b54efbaee9af8e86d6cf357e292f7

SHA1
53809d4f644dfc57a6ec7a96a0ce8336f19d6192

SHA256
ddd310cf64abddfab0af0b6501651059a2ae91edfbe065b4cf11532f09f3c559

SHA512
52ca1eb8cf69ac6874ad95b107eabf30c1e416540a8e7aa72a532b6eac6c319ca28ad3038bc8bbd88dab6f45b0bf905c4c10c67ac244e2e8da01af9d70dc3808

Download Submit
C:\Windows\System\GmXDMIv.exe

Filesize
5.2MB

MD5
7cd1cdd5eee24fdc0b86d166bdc2a9b5

SHA1
a00803b99d59241f111b912651795425bee35535

SHA256
1f8dc80302cd2de3adc6120e2c09b5bf956eebc8b8456754b46ecfba48ed4e64

SHA512
4519dc1961f194dac41c8167424088d9020b6e51511ba2be5aabdb3a0d57907ac39067439db07b9d89170b39bda47ed57c3f71ded4183f4b3a8fe1161f57875d

Download Submit
C:\Windows\System\IfRdPEh.exe

Filesize
5.2MB

MD5
eb47980c025da154837d2eb49d8e0087

SHA1
2b0424b801641fee5a88f86b965231838fe42500

SHA256
a5ce1459fe0e9f99a3c857522d0056705eb5a5c999b7329c13cba839fbd33781

SHA512
a5e49462a95c765dd8e5c7a4326513352cf4f7fa76ba324ad278b635a98857805f01bab622c2fc7ff28ab6bf26e779ab0179db425c151d140087fa3c2856a045

Download Submit
C:\Windows\System\JVoUEve.exe

Filesize
5.2MB

MD5
751e129555cac612ebe560a117ee0232

SHA1
1012b4c15da81206389a781b2f5e48c61fb2034b

SHA256
6d3a240adba1ee9d5c53bd9da0a46ca58e6a3def8859ce91ee5777bfff292b22

SHA512
465be266188975cf63eea8a9711508e534aa722f70a65b6a7fd940668c1e8341dc6c1fa68d98e4b5a70480800ecec14b9c56328f05284b19d1836ce48c8b4af0

Download Submit
C:\Windows\System\NxvVbVC.exe

Filesize
5.2MB

MD5
b5aa5edea333cb7fc8a8e8c31c6f29c3

SHA1
a322759a66a72eb4f56fad7ddd851374648fcd04

SHA256
3f603ba9f839e05dfa0281e05b02784db35a04518e1bfba242ae7657460b79f8

SHA512
90b3c2b741054f34dc70b7a2c6a267b3909f3216dd0e4ad99815d3926f558fd99d76a5ff38afce8e01388bd09abebe8763e41a9609621ec8922fe393c784c659

Download Submit
C:\Windows\System\WTWuHVN.exe

Filesize
5.2MB

MD5
d7db9cb11d65992db3461bedb9d3378b

SHA1
673a6e8687ef5a90d701b1a5f74c58ad4affe9c2

SHA256
38220f8d3edd9111a2c96d3f927e90a7fb04f9ed833c082156bbd55e40b2067a

SHA512
676fef99196d3be980c1dc5890143121cd516ccb0a6ba4eae4ea755dd9b857274df56741d45b8440e4d0686147c05f6efab88f9f65d7a99aa68fcb38bb1c4ef2

Download Submit
C:\Windows\System\XMCQkuy.exe

Filesize
5.2MB

MD5
a4dcf1b2c15fb0d0013c95d70a453a5a

SHA1
040987e2b62ddaf99168de78a4f81cc4cf2d20a8

SHA256
113f5ea68a24164a264c14071d4a1f7237d2e76ef91057dadbdf2b9d7f8d2d89

SHA512
97b3dd569c40e2138e6013b229fbeba1c8425549dc6a8fd0b4c97fb2abd7bd55218ce18dbc35b54b295619b3f42131c687babe9657fd07e0df3c354c05404280

Download Submit
C:\Windows\System\bMjVfGo.exe

Filesize
5.2MB

MD5
01c88ca0fd5d0e6b9f15a7c4fc49eb75

SHA1
ae887ffb4acd996cb66caa5ec118608321b8b7fe

SHA256
2809934cb4df9db7255773988b584438acd49e70d8898457d08b952764d6b15b

SHA512
3f4eb37852ffb658d2734e946e753e999397cdf00c7e086583c7b009fac0c0dfb228c50a7f72e8af37cd7b0248897a2468ed8a89cd3ef656d7b181b08e5008f1

Download Submit
C:\Windows\System\dGbPyus.exe

Filesize
5.2MB

MD5
246a9cb57a010483ab4e073e5d8b0183

SHA1
67e4fc7742a1e6f5b96a1338b94248b8eef63d43

SHA256
83d0612ac350554dcb6ee3c0fadb7d2b60277bdedbc1ed960f003fe5540d56d8

SHA512
fda4cbba5022efc399f4f3ffc511b1a50e71908fc1890e829e6926bf26bfaba54b23b39552fe101da3d835f0cb6188958d234e84aaee123a84e674af48a49d85

Download Submit
C:\Windows\System\fJAIRYK.exe

Filesize
5.2MB

MD5
d0f0e1b2647768e4d0314792ffd4b1f4

SHA1
13a0a75b85e1cfd592173dd5b79e76feaed357f2

SHA256
aea457ad7616b240599ab573b2892bd4206cfb03f2a27264bf71aef5cdad069b

SHA512
f8fca825f2c4b323685928f2540ae1abc3c299260aeb39cb1d9ba5cf48c7267f57360158b4bbe20062b59bc7ab5eb995fe343928a3d367fd96c897280e8d264d

Download Submit
C:\Windows\System\iZGKLqu.exe

Filesize
5.2MB

MD5
b76053da52af8b1256d02b54cfc429f3

SHA1
1c0c2d1be00f0cdcdfe834c96f14476d9f1de2d8

SHA256
4cf3196cfa2efa39984eec75bd4e11e206013566eea7ec6151b1559dfef60d0d

SHA512
71f388ba53b8313254a9454702c0714479407fdef5566972f4c2fcfc815e1cd627e8bf392284fce4e0a50474b6e1909b2d4d3084faa5bfa1f0ec7a140309ede8

Download Submit
C:\Windows\System\jAAcYEl.exe

Filesize
5.2MB

MD5
3685609215f7e106936ca8d3dd7bb3e8

SHA1
29d110fdb0a4a619976e814a0940d9633b3a09c3

SHA256
c9cbc8d21541693d019d88a992eca0c85078032ad894907f8aced8e14d5d25e2

SHA512
90681f50eefb10aa8f18847a3796b4127328a7bd3cdae64186e28d024993c02b84ca46dc59b3bbc83d9cd1611a700af3cf0d47e7e7efb61e1909490a7412f2b0

Download Submit
C:\Windows\System\jLpKzzx.exe

Filesize
5.2MB

MD5
bf9dcebea6711a1dec22ac2773cc8018

SHA1
7a88ecce31ce7a7911518d07f5f24a12283a30c9

SHA256
8503990fe4c6cca06fce00ebbe28c89b5393b09aebcfd62e695e8318996d7eee

SHA512
7f43da4d155524fe684e1272169399eecd42741e38bdbb1cd1a2ae28a8a7c31d5dedb664eb7dd75f3888701c9a4583c7040b6d373e853b5c1d96c2bc9bd59349

Download Submit
C:\Windows\System\jlKUOKo.exe

Filesize
5.2MB

MD5
0cb99b4931d20b80302f322b62e74b59

SHA1
fa1483b1d48db3d8e445f28255c2904d246bc974

SHA256
fd2f39d4ab030382a99f7f2299cd9f6ed8d6404b49da7ce6b334d129d5ef570d

SHA512
363bac2b6609e8ca48d71f783191c4a294547453d0914f05e5c7aee671cd52b8caa3e7a1515607a96aa575775f8f22d5d90b0a4413c8d2cb00934a1c3c6d68dc

Download Submit
C:\Windows\System\kllRfEA.exe

Filesize
5.2MB

MD5
c58e4043bb6a814109588ad8b306eca7

SHA1
664dee689258e7ac7fe6395e697ad825fc195067

SHA256
7784e9e3cdd2187ffce1bfe5352bc30a693342c1656e931b2646a985f6272feb

SHA512
cfca3affaa789d53ae9e545b7b405cc9b202530f4460631400e1570a287b73813ab4026e39358e0cbe150dfa144d62507c6260cbaad2d8aa22486deb9e676767

Download Submit
C:\Windows\System\nrHietq.exe

Filesize
5.2MB

MD5
94b0a94f786586c1fc54c67eadf52752

SHA1
10986476e11b0e739685192b2b3e72ecf9ef1197

SHA256
43d6da3dd6efcd44076cdc9715585f0b6ad6d1717ac054f247a5e33b8872217f

SHA512
c7fc13c6b7394e8bc903c6a8e0bfefadb555ac519e2daf28868bc2a8792b4fb5ea8c9ab5b7670ca3d7c0a4b9aa3dae188f93265f0ce560abea1ca8461672aba1

Download Submit
C:\Windows\System\oHmIsfv.exe

Filesize
5.2MB

MD5
7372fd115e6be783cb4fa2fd157c7971

SHA1
352d95eebe9b3ebd33f6faa446c69e746062cc8f

SHA256
2fb010c2ab4c06ff8b5a9929b09003becc42ead802645cf37326984251fbfa27

SHA512
44917bd34542829195b37abf76aa4c0eaa6717b7380623aaac0cbaf7cac9ee84fd2db3d1658db123fcafc30ec16522635272049cd9b471aa3b9af49cff1051a4

Download Submit
C:\Windows\System\prBfVkg.exe

Filesize
5.2MB

MD5
8d31d9e60302764e28455d91961fdd03

SHA1
dda4fbdea9b1e80f65748d04a9f9dbfe44a9dea2

SHA256
1684a6a9059e1eff26452554fcf15d4683b02b6ada1ec1b552d44a1700187b2c

SHA512
e7fe4e15900732bb1e458de6cd0487c273b4a847d0d33beed294895e61a57e95df7d664ca35206d11f17713bf58e0e24c5b62750dec8f27850d2fbdbd4f58324

Download Submit
memory/380-74-0x00007FF731860000-0x00007FF731BB1000-memory.dmp

Filesize
3.3MB

Download
memory/380-223-0x00007FF731860000-0x00007FF731BB1000-memory.dmp

Filesize
3.3MB

Download
memory/380-14-0x00007FF731860000-0x00007FF731BB1000-memory.dmp

Filesize
3.3MB

Download
memory/412-143-0x00007FF6DF1C0000-0x00007FF6DF511000-memory.dmp

Filesize
3.3MB

Download
memory/412-263-0x00007FF6DF1C0000-0x00007FF6DF511000-memory.dmp

Filesize
3.3MB

Download
memory/412-98-0x00007FF6DF1C0000-0x00007FF6DF511000-memory.dmp

Filesize
3.3MB

Download
memory/876-83-0x00007FF687F00000-0x00007FF688251000-memory.dmp

Filesize
3.3MB

Download
memory/876-18-0x00007FF687F00000-0x00007FF688251000-memory.dmp

Filesize
3.3MB

Download
memory/876-226-0x00007FF687F00000-0x00007FF688251000-memory.dmp

Filesize
3.3MB

Download
memory/1084-66-0x00007FF63B060000-0x00007FF63B3B1000-memory.dmp

Filesize
3.3MB

Download
memory/1084-6-0x00007FF63B060000-0x00007FF63B3B1000-memory.dmp

Filesize
3.3MB

Download
memory/1084-221-0x00007FF63B060000-0x00007FF63B3B1000-memory.dmp

Filesize
3.3MB

Download
memory/1168-129-0x00007FF68D000000-0x00007FF68D351000-memory.dmp

Filesize
3.3MB

Download
memory/1168-165-0x00007FF68D000000-0x00007FF68D351000-memory.dmp

Filesize
3.3MB

Download
memory/1168-278-0x00007FF68D000000-0x00007FF68D351000-memory.dmp

Filesize
3.3MB

Download
memory/1264-170-0x00007FF7B4AD0000-0x00007FF7B4E21000-memory.dmp

Filesize
3.3MB

Download
memory/1264-136-0x00007FF7B4AD0000-0x00007FF7B4E21000-memory.dmp

Filesize
3.3MB

Download
memory/1264-274-0x00007FF7B4AD0000-0x00007FF7B4E21000-memory.dmp

Filesize
3.3MB

Download
memory/1320-94-0x00007FF6CE510000-0x00007FF6CE861000-memory.dmp

Filesize
3.3MB

Download
memory/1320-38-0x00007FF6CE510000-0x00007FF6CE861000-memory.dmp

Filesize
3.3MB

Download
memory/1320-235-0x00007FF6CE510000-0x00007FF6CE861000-memory.dmp

Filesize
3.3MB

Download
memory/1960-272-0x00007FF7C5E50000-0x00007FF7C61A1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-121-0x00007FF7C5E50000-0x00007FF7C61A1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-164-0x00007FF7C5E50000-0x00007FF7C61A1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-1-0x000001C3C3CD0000-0x000001C3C3CE0000-memory.dmp

Filesize
64KB

Download
memory/2360-60-0x00007FF6EE880000-0x00007FF6EEBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-142-0x00007FF6EE880000-0x00007FF6EEBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-171-0x00007FF6EE880000-0x00007FF6EEBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-0-0x00007FF6EE880000-0x00007FF6EEBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-107-0x00007FF6AC7E0000-0x00007FF6ACB31000-memory.dmp

Filesize
3.3MB

Download
memory/2632-265-0x00007FF6AC7E0000-0x00007FF6ACB31000-memory.dmp

Filesize
3.3MB

Download
memory/2632-145-0x00007FF6AC7E0000-0x00007FF6ACB31000-memory.dmp

Filesize
3.3MB

Download
memory/2816-113-0x00007FF790100000-0x00007FF790451000-memory.dmp

Filesize
3.3MB

Download
memory/2816-158-0x00007FF790100000-0x00007FF790451000-memory.dmp

Filesize
3.3MB

Download
memory/2816-267-0x00007FF790100000-0x00007FF790451000-memory.dmp

Filesize
3.3MB

Download
memory/2836-88-0x00007FF7F3120000-0x00007FF7F3471000-memory.dmp

Filesize
3.3MB

Download
memory/2836-231-0x00007FF7F3120000-0x00007FF7F3471000-memory.dmp

Filesize
3.3MB

Download
memory/2836-24-0x00007FF7F3120000-0x00007FF7F3471000-memory.dmp

Filesize
3.3MB

Download
memory/2936-89-0x00007FF747250000-0x00007FF7475A1000-memory.dmp

Filesize
3.3MB

Download
memory/2936-141-0x00007FF747250000-0x00007FF7475A1000-memory.dmp

Filesize
3.3MB

Download
memory/2936-261-0x00007FF747250000-0x00007FF7475A1000-memory.dmp

Filesize
3.3MB

Download
memory/3356-255-0x00007FF68F700000-0x00007FF68FA51000-memory.dmp

Filesize
3.3MB

Download
memory/3356-85-0x00007FF68F700000-0x00007FF68FA51000-memory.dmp

Filesize
3.3MB

Download
memory/3504-118-0x00007FF6D36A0000-0x00007FF6D39F1000-memory.dmp

Filesize
3.3MB

Download
memory/3504-61-0x00007FF6D36A0000-0x00007FF6D39F1000-memory.dmp

Filesize
3.3MB

Download
memory/3504-250-0x00007FF6D36A0000-0x00007FF6D39F1000-memory.dmp

Filesize
3.3MB

Download
memory/3656-125-0x00007FF796C70000-0x00007FF796FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3656-67-0x00007FF796C70000-0x00007FF796FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3656-248-0x00007FF796C70000-0x00007FF796FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3680-55-0x00007FF7051F0000-0x00007FF705541000-memory.dmp

Filesize
3.3MB

Download
memory/3680-109-0x00007FF7051F0000-0x00007FF705541000-memory.dmp

Filesize
3.3MB

Download
memory/3680-246-0x00007FF7051F0000-0x00007FF705541000-memory.dmp

Filesize
3.3MB

Download
memory/3776-167-0x00007FF74BFD0000-0x00007FF74C321000-memory.dmp

Filesize
3.3MB

Download
memory/3776-134-0x00007FF74BFD0000-0x00007FF74C321000-memory.dmp

Filesize
3.3MB

Download
memory/3776-276-0x00007FF74BFD0000-0x00007FF74C321000-memory.dmp

Filesize
3.3MB

Download
memory/4024-233-0x00007FF6EB7F0000-0x00007FF6EBB41000-memory.dmp

Filesize
3.3MB

Download
memory/4024-30-0x00007FF6EB7F0000-0x00007FF6EBB41000-memory.dmp

Filesize
3.3MB

Download
memory/4024-90-0x00007FF6EB7F0000-0x00007FF6EBB41000-memory.dmp

Filesize
3.3MB

Download
memory/4172-252-0x00007FF720D40000-0x00007FF721091000-memory.dmp

Filesize
3.3MB

Download
memory/4172-130-0x00007FF720D40000-0x00007FF721091000-memory.dmp

Filesize
3.3MB

Download
memory/4172-75-0x00007FF720D40000-0x00007FF721091000-memory.dmp

Filesize
3.3MB

Download
memory/4756-244-0x00007FF6293D0000-0x00007FF629721000-memory.dmp

Filesize
3.3MB

Download
memory/4756-51-0x00007FF6293D0000-0x00007FF629721000-memory.dmp

Filesize
3.3MB

Download
memory/4756-108-0x00007FF6293D0000-0x00007FF629721000-memory.dmp

Filesize
3.3MB

Download
memory/4980-237-0x00007FF682570000-0x00007FF6828C1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-42-0x00007FF682570000-0x00007FF6828C1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-104-0x00007FF682570000-0x00007FF6828C1000-memory.dmp

Filesize
3.3MB

Download