cobaltstrike | d46de897c3037a8d75b8d8edf0ac2c3646a68f948c2720b80fd07dc2c85581eb

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5899a7b8ae8d1dfd4b273989a82b8fbd
SHA1

83c943ef583811f61ee2c8c5de7a87537f88b31b
SHA256

d46de897c3037a8d75b8d8edf0ac2c3646a68f948c2720b80fd07dc2c85581eb
SHA512

13027c7cfcfaa588a37895a1a84237b485ffcaccb060f84a238b9f9ce0dae8dff8e7077741d6997983b7d6c24fd7cbd0758f6605d56d9723f248431abf524717
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l7:RWWBibf56utgpPFotBER/mQ32lUH

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c95-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-13.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-47.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c93-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-110.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/1732-67-0x00007FF796830000-0x00007FF796B81000-memory.dmp	xmrig
behavioral2/memory/1684-59-0x00007FF7F1C20000-0x00007FF7F1F71000-memory.dmp	xmrig
behavioral2/memory/2464-74-0x00007FF777F70000-0x00007FF7782C1000-memory.dmp	xmrig
behavioral2/memory/2196-87-0x00007FF7F3F00000-0x00007FF7F4251000-memory.dmp	xmrig
behavioral2/memory/4724-101-0x00007FF6EEDB0000-0x00007FF6EF101000-memory.dmp	xmrig
behavioral2/memory/3376-98-0x00007FF605130000-0x00007FF605481000-memory.dmp	xmrig
behavioral2/memory/4572-94-0x00007FF653790000-0x00007FF653AE1000-memory.dmp	xmrig
behavioral2/memory/3040-70-0x00007FF7ABEF0000-0x00007FF7AC241000-memory.dmp	xmrig
behavioral2/memory/3524-128-0x00007FF7D4C90000-0x00007FF7D4FE1000-memory.dmp	xmrig
behavioral2/memory/4880-135-0x00007FF73DEC0000-0x00007FF73E211000-memory.dmp	xmrig
behavioral2/memory/3276-134-0x00007FF7959E0000-0x00007FF795D31000-memory.dmp	xmrig
behavioral2/memory/2972-130-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp	xmrig
behavioral2/memory/3660-116-0x00007FF73F5C0000-0x00007FF73F911000-memory.dmp	xmrig
behavioral2/memory/4424-115-0x00007FF680C40000-0x00007FF680F91000-memory.dmp	xmrig
behavioral2/memory/1028-107-0x00007FF7C09E0000-0x00007FF7C0D31000-memory.dmp	xmrig
behavioral2/memory/1684-136-0x00007FF7F1C20000-0x00007FF7F1F71000-memory.dmp	xmrig
behavioral2/memory/2200-146-0x00007FF782650000-0x00007FF7829A1000-memory.dmp	xmrig
behavioral2/memory/4040-147-0x00007FF7887C0000-0x00007FF788B11000-memory.dmp	xmrig
behavioral2/memory/5052-149-0x00007FF7888E0000-0x00007FF788C31000-memory.dmp	xmrig
behavioral2/memory/1824-148-0x00007FF698AF0000-0x00007FF698E41000-memory.dmp	xmrig
behavioral2/memory/1464-153-0x00007FF66F750000-0x00007FF66FAA1000-memory.dmp	xmrig
behavioral2/memory/4572-154-0x00007FF653790000-0x00007FF653AE1000-memory.dmp	xmrig
behavioral2/memory/2308-157-0x00007FF7FB9A0000-0x00007FF7FBCF1000-memory.dmp	xmrig
behavioral2/memory/3592-159-0x00007FF64E580000-0x00007FF64E8D1000-memory.dmp	xmrig
behavioral2/memory/3524-156-0x00007FF7D4C90000-0x00007FF7D4FE1000-memory.dmp	xmrig
behavioral2/memory/1684-160-0x00007FF7F1C20000-0x00007FF7F1F71000-memory.dmp	xmrig
behavioral2/memory/1732-213-0x00007FF796830000-0x00007FF796B81000-memory.dmp	xmrig
behavioral2/memory/3040-215-0x00007FF7ABEF0000-0x00007FF7AC241000-memory.dmp	xmrig
behavioral2/memory/2464-217-0x00007FF777F70000-0x00007FF7782C1000-memory.dmp	xmrig
behavioral2/memory/2196-219-0x00007FF7F3F00000-0x00007FF7F4251000-memory.dmp	xmrig
behavioral2/memory/4724-221-0x00007FF6EEDB0000-0x00007FF6EF101000-memory.dmp	xmrig
behavioral2/memory/4424-228-0x00007FF680C40000-0x00007FF680F91000-memory.dmp	xmrig
behavioral2/memory/2972-230-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp	xmrig
behavioral2/memory/4880-232-0x00007FF73DEC0000-0x00007FF73E211000-memory.dmp	xmrig
behavioral2/memory/2200-234-0x00007FF782650000-0x00007FF7829A1000-memory.dmp	xmrig
behavioral2/memory/4040-236-0x00007FF7887C0000-0x00007FF788B11000-memory.dmp	xmrig
behavioral2/memory/1824-247-0x00007FF698AF0000-0x00007FF698E41000-memory.dmp	xmrig
behavioral2/memory/5052-249-0x00007FF7888E0000-0x00007FF788C31000-memory.dmp	xmrig
behavioral2/memory/4572-251-0x00007FF653790000-0x00007FF653AE1000-memory.dmp	xmrig
behavioral2/memory/3376-254-0x00007FF605130000-0x00007FF605481000-memory.dmp	xmrig
behavioral2/memory/1028-255-0x00007FF7C09E0000-0x00007FF7C0D31000-memory.dmp	xmrig
behavioral2/memory/3660-257-0x00007FF73F5C0000-0x00007FF73F911000-memory.dmp	xmrig
behavioral2/memory/3524-259-0x00007FF7D4C90000-0x00007FF7D4FE1000-memory.dmp	xmrig
behavioral2/memory/1464-261-0x00007FF66F750000-0x00007FF66FAA1000-memory.dmp	xmrig
behavioral2/memory/3276-264-0x00007FF7959E0000-0x00007FF795D31000-memory.dmp	xmrig
behavioral2/memory/2308-265-0x00007FF7FB9A0000-0x00007FF7FBCF1000-memory.dmp	xmrig
behavioral2/memory/3592-268-0x00007FF64E580000-0x00007FF64E8D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1732	uVwuKDL.exe
3040	GprYGMD.exe
2464	vPGqExN.exe
2196	XpUEDhZ.exe
4724	GaYdvOk.exe
4424	zSLQwYQ.exe
2972	ByPoBDP.exe
4880	vsdqxek.exe
2200	borInxE.exe
4040	aBXLBlx.exe
1824	fcieijE.exe
5052	pOSpGLB.exe
3376	kVKPOkZ.exe
4572	WsZXojs.exe
1028	egOXOBj.exe
1464	tTuuSBA.exe
3660	ZPAoHun.exe
3524	bGLTQtA.exe
2308	sWQRoGT.exe
3276	wwXntnr.exe
3592	cTKHgvt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1684-0-0x00007FF7F1C20000-0x00007FF7F1F71000-memory.dmp	upx
behavioral2/files/0x0008000000023c95-5.dat	upx
behavioral2/memory/1732-7-0x00007FF796830000-0x00007FF796B81000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-11.dat	upx
behavioral2/files/0x0007000000023c96-13.dat	upx
behavioral2/memory/2196-28-0x00007FF7F3F00000-0x00007FF7F4251000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-34.dat	upx
behavioral2/memory/4424-36-0x00007FF680C40000-0x00007FF680F91000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-45.dat	upx
behavioral2/files/0x0007000000023c9c-47.dat	upx
behavioral2/files/0x0008000000023c93-57.dat	upx
behavioral2/files/0x0007000000023c9d-61.dat	upx
behavioral2/memory/4040-64-0x00007FF7887C0000-0x00007FF788B11000-memory.dmp	upx
behavioral2/memory/1732-67-0x00007FF796830000-0x00007FF796B81000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-69.dat	upx
behavioral2/memory/1824-68-0x00007FF698AF0000-0x00007FF698E41000-memory.dmp	upx
behavioral2/memory/1684-59-0x00007FF7F1C20000-0x00007FF7F1F71000-memory.dmp	upx
behavioral2/memory/2200-56-0x00007FF782650000-0x00007FF7829A1000-memory.dmp	upx
behavioral2/memory/4880-49-0x00007FF73DEC0000-0x00007FF73E211000-memory.dmp	upx
behavioral2/memory/2972-42-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-39.dat	upx
behavioral2/memory/4724-33-0x00007FF6EEDB0000-0x00007FF6EF101000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-27.dat	upx
behavioral2/memory/2464-19-0x00007FF777F70000-0x00007FF7782C1000-memory.dmp	upx
behavioral2/memory/3040-12-0x00007FF7ABEF0000-0x00007FF7AC241000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-72.dat	upx
behavioral2/memory/2464-74-0x00007FF777F70000-0x00007FF7782C1000-memory.dmp	upx
behavioral2/memory/5052-78-0x00007FF7888E0000-0x00007FF788C31000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-82.dat	upx
behavioral2/files/0x0007000000023ca2-92.dat	upx
behavioral2/memory/2196-87-0x00007FF7F3F00000-0x00007FF7F4251000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-85.dat	upx
behavioral2/files/0x0007000000023ca3-100.dat	upx
behavioral2/memory/4724-101-0x00007FF6EEDB0000-0x00007FF6EF101000-memory.dmp	upx
behavioral2/memory/3376-98-0x00007FF605130000-0x00007FF605481000-memory.dmp	upx
behavioral2/memory/4572-94-0x00007FF653790000-0x00007FF653AE1000-memory.dmp	upx
behavioral2/memory/3040-70-0x00007FF7ABEF0000-0x00007FF7AC241000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-112.dat	upx
behavioral2/memory/1464-111-0x00007FF66F750000-0x00007FF66FAA1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-123.dat	upx
behavioral2/memory/3524-128-0x00007FF7D4C90000-0x00007FF7D4FE1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-131.dat	upx
behavioral2/memory/4880-135-0x00007FF73DEC0000-0x00007FF73E211000-memory.dmp	upx
behavioral2/memory/3276-134-0x00007FF7959E0000-0x00007FF795D31000-memory.dmp	upx
behavioral2/memory/3592-133-0x00007FF64E580000-0x00007FF64E8D1000-memory.dmp	upx
behavioral2/memory/2972-130-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-126.dat	upx
behavioral2/memory/2308-121-0x00007FF7FB9A0000-0x00007FF7FBCF1000-memory.dmp	upx
behavioral2/memory/3660-116-0x00007FF73F5C0000-0x00007FF73F911000-memory.dmp	upx
behavioral2/memory/4424-115-0x00007FF680C40000-0x00007FF680F91000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-110.dat	upx
behavioral2/memory/1028-107-0x00007FF7C09E0000-0x00007FF7C0D31000-memory.dmp	upx
behavioral2/memory/1684-136-0x00007FF7F1C20000-0x00007FF7F1F71000-memory.dmp	upx
behavioral2/memory/2200-146-0x00007FF782650000-0x00007FF7829A1000-memory.dmp	upx
behavioral2/memory/4040-147-0x00007FF7887C0000-0x00007FF788B11000-memory.dmp	upx
behavioral2/memory/5052-149-0x00007FF7888E0000-0x00007FF788C31000-memory.dmp	upx
behavioral2/memory/1824-148-0x00007FF698AF0000-0x00007FF698E41000-memory.dmp	upx
behavioral2/memory/1464-153-0x00007FF66F750000-0x00007FF66FAA1000-memory.dmp	upx
behavioral2/memory/4572-154-0x00007FF653790000-0x00007FF653AE1000-memory.dmp	upx
behavioral2/memory/2308-157-0x00007FF7FB9A0000-0x00007FF7FBCF1000-memory.dmp	upx
behavioral2/memory/3592-159-0x00007FF64E580000-0x00007FF64E8D1000-memory.dmp	upx
behavioral2/memory/3524-156-0x00007FF7D4C90000-0x00007FF7D4FE1000-memory.dmp	upx
behavioral2/memory/1684-160-0x00007FF7F1C20000-0x00007FF7F1F71000-memory.dmp	upx
behavioral2/memory/1732-213-0x00007FF796830000-0x00007FF796B81000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\WsZXojs.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cTKHgvt.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XpUEDhZ.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ByPoBDP.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vsdqxek.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aBXLBlx.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pOSpGLB.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZPAoHun.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vPGqExN.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fcieijE.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\egOXOBj.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tTuuSBA.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bGLTQtA.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sWQRoGT.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wwXntnr.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uVwuKDL.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GprYGMD.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GaYdvOk.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zSLQwYQ.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\borInxE.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kVKPOkZ.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1732	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1684 wrote to memory of 1732	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1684 wrote to memory of 3040	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1684 wrote to memory of 3040	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1684 wrote to memory of 2464	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1684 wrote to memory of 2464	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1684 wrote to memory of 2196	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1684 wrote to memory of 2196	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1684 wrote to memory of 4724	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1684 wrote to memory of 4724	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1684 wrote to memory of 4424	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1684 wrote to memory of 4424	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1684 wrote to memory of 2972	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1684 wrote to memory of 2972	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1684 wrote to memory of 4880	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1684 wrote to memory of 4880	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1684 wrote to memory of 2200	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1684 wrote to memory of 2200	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1684 wrote to memory of 4040	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1684 wrote to memory of 4040	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1684 wrote to memory of 1824	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1684 wrote to memory of 1824	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1684 wrote to memory of 5052	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1684 wrote to memory of 5052	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1684 wrote to memory of 3376	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1684 wrote to memory of 3376	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1684 wrote to memory of 4572	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1684 wrote to memory of 4572	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1684 wrote to memory of 1028	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1684 wrote to memory of 1028	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1684 wrote to memory of 1464	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1684 wrote to memory of 1464	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1684 wrote to memory of 3660	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1684 wrote to memory of 3660	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1684 wrote to memory of 3524	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1684 wrote to memory of 3524	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1684 wrote to memory of 2308	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1684 wrote to memory of 2308	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1684 wrote to memory of 3276	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1684 wrote to memory of 3276	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1684 wrote to memory of 3592	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1684 wrote to memory of 3592	1684	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\System\uVwuKDL.exe
  C:\Windows\System\uVwuKDL.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\GprYGMD.exe
  C:\Windows\System\GprYGMD.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\vPGqExN.exe
  C:\Windows\System\vPGqExN.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\XpUEDhZ.exe
  C:\Windows\System\XpUEDhZ.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\GaYdvOk.exe
  C:\Windows\System\GaYdvOk.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\zSLQwYQ.exe
  C:\Windows\System\zSLQwYQ.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\ByPoBDP.exe
  C:\Windows\System\ByPoBDP.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\vsdqxek.exe
  C:\Windows\System\vsdqxek.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\borInxE.exe
  C:\Windows\System\borInxE.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\aBXLBlx.exe
  C:\Windows\System\aBXLBlx.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\fcieijE.exe
  C:\Windows\System\fcieijE.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System\pOSpGLB.exe
  C:\Windows\System\pOSpGLB.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\kVKPOkZ.exe
  C:\Windows\System\kVKPOkZ.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System\WsZXojs.exe
  C:\Windows\System\WsZXojs.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\egOXOBj.exe
  C:\Windows\System\egOXOBj.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\tTuuSBA.exe
  C:\Windows\System\tTuuSBA.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\ZPAoHun.exe
  C:\Windows\System\ZPAoHun.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\bGLTQtA.exe
  C:\Windows\System\bGLTQtA.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\sWQRoGT.exe
  C:\Windows\System\sWQRoGT.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\wwXntnr.exe
  C:\Windows\System\wwXntnr.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System\cTKHgvt.exe
  C:\Windows\System\cTKHgvt.exe
  2⤵
  - Executes dropped EXE
  PID:3592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ByPoBDP.exe

Filesize
5.2MB

MD5
4c9d8040386c7d524480f16046a65cde

SHA1
19a78532d56e5443583fc3cee31580a9c4935a88

SHA256
58497271873b59421e614f75953a842e44af725a5f6f92a71c7c777acc938bf0

SHA512
bf3d25163c96888aec1b590de1876a4c31d8e1b0aa05256807e2742962626ce1e8a4a339f021df2c955ef43458499a8822e2697128e7bdf38ac66b5838080b75

Download Submit
C:\Windows\System\GaYdvOk.exe

Filesize
5.2MB

MD5
543e3a5c7409ffd4e55f1286d5cc3fb4

SHA1
1ea5adeb1b7b099c38894be269cdb287ae95b39f

SHA256
225fdbf8dea389082422f3421413aa92eb429d1c4b2a8485f3de71f99a746aa6

SHA512
d766f0b004458f892380c31192988b1f6eca49ab9665dbd4ad9a4d22fac56ff4ff91d110ff89de4198bf8c6f333fb995de8ec2d55038f9ab415ab53198f5da52

Download Submit
C:\Windows\System\GprYGMD.exe

Filesize
5.2MB

MD5
841dee9da46dc6f511328eaf7d32afe1

SHA1
7b6c750c2e080b5c5ebde7a3d101ee430c8c5d1b

SHA256
a85d3071e13154d9410b772a415ebdc98db068bb7da9b5db279eae130ef7dff3

SHA512
d1cddd8c2cbffdc6d46b8041858e344c98acfab76fe5afd9276f612a44a2d4095a665434eb2030dc932666c8af84787f03f2b938d382c5454106c63cd74ee8da

Download Submit
C:\Windows\System\WsZXojs.exe

Filesize
5.2MB

MD5
5299784daed5552aefd49f72fea2f75d

SHA1
d5ce96a5a73b269321f67e03ddfcd852aa3f6e8e

SHA256
14940ceca458c6001a2c09fe68e9917b4a58379e592de12b2df5342a57935bae

SHA512
0b7485c1dff50198c5a76f0cc273b79968bd6569d03edf250e2e3e97c3ab258a1cf324c6842dd80363c55d54b4c3990ccadd7140b95f0279d34719e5ac67a90b

Download Submit
C:\Windows\System\XpUEDhZ.exe

Filesize
5.2MB

MD5
74642d1320f581146f078be1d88dcd6e

SHA1
f2161e02d3cd831c19c29d3a92ffd6f2024c95e3

SHA256
c1d8a265018d72cb9eb07e4e229f386698682ec94a6a2b99b12aedc182c16734

SHA512
6785adc5729612613f139e40e5a7ecbfd5f21411a2d26a3c61076650ce23e1ee2371e8f298ce3d8878fb8102b3a9e6400002d33f33ece185ce9142f8e45fece2

Download Submit
C:\Windows\System\ZPAoHun.exe

Filesize
5.2MB

MD5
9935810e5452aede37947d66126585ee

SHA1
a68e17a8aca77ee93a7c72d8b350eeeb48a35e69

SHA256
c2bb579f59c426dd8db45d5c450eaafde3eaef97344912d8d141b2e65cf42922

SHA512
9b87edf9b087d67819ec25dc1db2210822977aeb4b565f93aa517be63ab7f96c26c3420731f1ce76bddee5a55981abc880ca23b3fd21ff80467a3a852de456e7

Download Submit
C:\Windows\System\aBXLBlx.exe

Filesize
5.2MB

MD5
327f895aff0ce8b644f7404e15f051ae

SHA1
98d80f0195bc5bd124fd14b5b3e7f1a80ec3a810

SHA256
1620abb19a2275332652479e13ae28a48322f0f2a9ed804fa69b7ecf7e026247

SHA512
3ff466e32171017ff3e2923bccfbd41af935c0da08b14ef5aca1d38dda4779c2453a64388d279e3016f1d67d446c26ce2ee1ca6d67c6deccdaaa2477b42cdf33

Download Submit
C:\Windows\System\bGLTQtA.exe

Filesize
5.2MB

MD5
d49d9b93c09e73768aa8c9cd394c54e6

SHA1
b0d6b65440d27c667093c384a7c6a95e7b8d3b02

SHA256
32349645965c484ba3054554af39deb688cdfb1ea0b4b598d49e60d5e6669638

SHA512
bbd6073b1492cdd5dce5021abe3682b32fd6cbe1607f9f292c9a9fe76c2c26b8d780b715087acb354fb4a1506b0098d735fec98a795d08f03b3edbed858c08e2

Download Submit
C:\Windows\System\borInxE.exe

Filesize
5.2MB

MD5
4786650fdff2b4785ac81f86d5bd6c2a

SHA1
a1a04a3d27d8b563ee612c3d0b67b079af486c39

SHA256
fcbdab7dadcaee4bcd01af2207c5240147243fe674a73ae929d8c242bd688189

SHA512
45b797a74d8e1eab8136d308ba39f580a36902b5247a7d443e354bf839ffa36bad6f682a7de084065343bedbccd30d0e8257c9927ea596b57e50e780409754d3

Download Submit
C:\Windows\System\cTKHgvt.exe

Filesize
5.2MB

MD5
8d8992a13a4cec5fa85d9615d4d00d19

SHA1
8e207841c29fe6641e4d912cbea30debf61865b0

SHA256
9a61088e5a65013c01c857266584c225b09a0e0281537b5360a1f37d2644612a

SHA512
674abad51fdc3a615bf3807dfdbfc344e27a0ec8ce0097b99092d680572f9d165a1d92e33b4bd982e8f425c4a29969607db26a149459f1068ec05122f603014c

Download Submit
C:\Windows\System\egOXOBj.exe

Filesize
5.2MB

MD5
d7f15e6acf2a59ec92c8427f5296139e

SHA1
466892cce2a850cc7a4aa558dab3774050ca9c44

SHA256
aa77644ccc421bcd3f23850fc199a6985f78c2ec1f50472c8c07c346e63600f7

SHA512
44311602bd6212230615ee2195aa61db22c049db70daa254ce7e2141102cf94ec585bb79bc74d5d15e22725ac67ac7fa8629f6697c4487d76eaab8e30db0faf8

Download Submit
C:\Windows\System\fcieijE.exe

Filesize
5.2MB

MD5
cc36984f8ab57ea913ee26fdcd507612

SHA1
09d0ea7f94a52e52a273efdbd31999d688002c61

SHA256
52ac0b1cbff384a3b52475154f5767e89d82cf2a22851e2818618bf42e9cb706

SHA512
139260bf48d6aec56513056b1ab25137877728fbdf753434d4c20029a4af18f78d80f09c8c01cf0e9a3dc671c0afd85d5177e1f1879bfb0ab132c956fa35fd83

Download Submit
C:\Windows\System\kVKPOkZ.exe

Filesize
5.2MB

MD5
35d9421682d39c0cac8a20fa7b6f912a

SHA1
72c52088d3eddec1ded765064e1fc26426863cdb

SHA256
f1d5823124068eee2a7219ef1bfab3b0e4395b73d560e3dedaeed05fe2eea5b4

SHA512
1c91b909fddab6f8fa08ce089308aeac0d21e5624e545f079b75ca600742937e48330de315827ac4f1c608eca755d4a3479149ef9a1308a3c0c09247eef791bd

Download Submit
C:\Windows\System\pOSpGLB.exe

Filesize
5.2MB

MD5
301ef4deaffd46d4620ebb3af3d16ace

SHA1
4e33e4cb1a4483e6b8f41781da6ada839c5848d6

SHA256
e24655630ba89598f58efcebfe21558dd71143d17aa663cca664f0597080560d

SHA512
a8db0ccd0803c321ea2c2c91073d6b5bea827e8e46a17090dd20d026fece03567ac2b255a51cb8be20c173a32db4922a07f33778cc8c2878b2c3302be0f0f20c

Download Submit
C:\Windows\System\sWQRoGT.exe

Filesize
5.2MB

MD5
bf6aac02802993ba59ae3182b8de8069

SHA1
d93891c0c1f671898fe85bb9ff645c137e9a89d1

SHA256
8c36379f5821a6835fdf7828062b3a8e57b8bd167b25e15f215cd121d89ae5fe

SHA512
3c84a91a3879ea07f54aece1f80549a05e079d0a1ed88d5cf38850349ce53197c0f1fd598d34088e5be0e50169d6577cc23ba73b60f661b3e6058f7ff01fcc26

Download Submit
C:\Windows\System\tTuuSBA.exe

Filesize
5.2MB

MD5
e9a55c2794eb279e8c5e287ddf5ae513

SHA1
015849e85818845beb33bb6a1e60f2d930c6a712

SHA256
dd8f3ecd55eff82b81e9d71575caed7fde3d1ae4894b1429d45c5218210f609f

SHA512
df99060c759665e7ffaad2dbba5ed6c3cbadd00669d9769c407c1ef09f795af07264dfb6bc1b1ac5d0e7c0fbeee1592c33f306f5c62faa8d0b5f8b2615fda8a9

Download Submit
C:\Windows\System\uVwuKDL.exe

Filesize
5.2MB

MD5
bf3b43f4efc83a51c2d9a047ddf87e76

SHA1
5cc6f77642ca8f7482e36bba280f6c2e3afb493f

SHA256
cfe736e3493d103fb0c09d13d0fbc9be495511c9ebc13e0bd0fd53be559b4b04

SHA512
9d283517506a781e7cef7a3d118d5bb11a1ce7ffd97c03f29517a4c847e161b68c879cde5134581b777d83c9cc2617c785b3b70aca955a2b6f043dc35694f0f8

Download Submit
C:\Windows\System\vPGqExN.exe

Filesize
5.2MB

MD5
280ef0b87fbf53770eb69b49d89e1f2e

SHA1
f22248804aaeaba36526a97559e2922a651452b0

SHA256
73a2bc7d2d42e8e75403f0145c6a1a390041207aa1b1b013f75f6af75ed7d5e9

SHA512
8f39e309fef10d34f8372e7fb7c3077a2b14f1af058080c298083ccf1cb6a939691dfa73e2cb89460fb829385615ca41b6b33bedbc5c8875ff15cc165d74ee85

Download Submit
C:\Windows\System\vsdqxek.exe

Filesize
5.2MB

MD5
dc264650205a6ff5c805c7f56e6c5d8a

SHA1
f4b22d42c10549d3f39fa0a2a875908215c4fc6a

SHA256
16348406adb19e1c1226c971b8e63ea7315cc31c9bd6515c89dc06a6f7a4db87

SHA512
74fc55602d5a1dc62ad904310f00219c6cbbff9ae504c54e3369af6853600ea8339d987fc935e09f19b6e359fc648abe012502c4abdd8e0ab26a9fa3a0bd309a

Download Submit
C:\Windows\System\wwXntnr.exe

Filesize
5.2MB

MD5
cb56ba21daad2635dc9c1fcf95b827c8

SHA1
d7af72a73d5b633548d378a8844e9c5d2afbbcbd

SHA256
141d4c1bf817fff8d54d5264a5be0932c1f4990714f8475d5ad93ba14857a307

SHA512
0ceacecdc546a0c8dc341a0f4cb19fefe46c430408920ad423bbdc71709fba5fe39e0498226729c088b08dfb3d4158c3e2134089f3080dbe6bee7222f6718ab3

Download Submit
C:\Windows\System\zSLQwYQ.exe

Filesize
5.2MB

MD5
661b8fa563d9cac44f03c026931fea27

SHA1
a5139638b87a76bedc16a03322fd7d587c49a503

SHA256
d62fc4d1bd7593621f4ab07dbaad13de92615a811bbb841c8617cc0dfe05425b

SHA512
ec0986f66bad7f00c4cf3600c0c2be83e10afbbc8797611f65f11c07b521ded23e06b20097f4a8af9f435ce50da039e4896cb4ddcc7f9f3df02098cc5078735b

Download Submit
memory/1028-255-0x00007FF7C09E0000-0x00007FF7C0D31000-memory.dmp

Filesize
3.3MB

Download
memory/1028-107-0x00007FF7C09E0000-0x00007FF7C0D31000-memory.dmp

Filesize
3.3MB

Download
memory/1464-111-0x00007FF66F750000-0x00007FF66FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/1464-153-0x00007FF66F750000-0x00007FF66FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/1464-261-0x00007FF66F750000-0x00007FF66FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/1684-160-0x00007FF7F1C20000-0x00007FF7F1F71000-memory.dmp

Filesize
3.3MB

Download
memory/1684-59-0x00007FF7F1C20000-0x00007FF7F1F71000-memory.dmp

Filesize
3.3MB

Download
memory/1684-1-0x0000011610E60000-0x0000011610E70000-memory.dmp

Filesize
64KB

Download
memory/1684-136-0x00007FF7F1C20000-0x00007FF7F1F71000-memory.dmp

Filesize
3.3MB

Download
memory/1684-0-0x00007FF7F1C20000-0x00007FF7F1F71000-memory.dmp

Filesize
3.3MB

Download
memory/1732-7-0x00007FF796830000-0x00007FF796B81000-memory.dmp

Filesize
3.3MB

Download
memory/1732-67-0x00007FF796830000-0x00007FF796B81000-memory.dmp

Filesize
3.3MB

Download
memory/1732-213-0x00007FF796830000-0x00007FF796B81000-memory.dmp

Filesize
3.3MB

Download
memory/1824-148-0x00007FF698AF0000-0x00007FF698E41000-memory.dmp

Filesize
3.3MB

Download
memory/1824-247-0x00007FF698AF0000-0x00007FF698E41000-memory.dmp

Filesize
3.3MB

Download
memory/1824-68-0x00007FF698AF0000-0x00007FF698E41000-memory.dmp

Filesize
3.3MB

Download
memory/2196-28-0x00007FF7F3F00000-0x00007FF7F4251000-memory.dmp

Filesize
3.3MB

Download
memory/2196-87-0x00007FF7F3F00000-0x00007FF7F4251000-memory.dmp

Filesize
3.3MB

Download
memory/2196-219-0x00007FF7F3F00000-0x00007FF7F4251000-memory.dmp

Filesize
3.3MB

Download
memory/2200-56-0x00007FF782650000-0x00007FF7829A1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-146-0x00007FF782650000-0x00007FF7829A1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-234-0x00007FF782650000-0x00007FF7829A1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-157-0x00007FF7FB9A0000-0x00007FF7FBCF1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-265-0x00007FF7FB9A0000-0x00007FF7FBCF1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-121-0x00007FF7FB9A0000-0x00007FF7FBCF1000-memory.dmp

Filesize
3.3MB

Download
memory/2464-217-0x00007FF777F70000-0x00007FF7782C1000-memory.dmp

Filesize
3.3MB

Download
memory/2464-74-0x00007FF777F70000-0x00007FF7782C1000-memory.dmp

Filesize
3.3MB

Download
memory/2464-19-0x00007FF777F70000-0x00007FF7782C1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-42-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2972-130-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2972-230-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp

Filesize
3.3MB

Download
memory/3040-12-0x00007FF7ABEF0000-0x00007FF7AC241000-memory.dmp

Filesize
3.3MB

Download
memory/3040-215-0x00007FF7ABEF0000-0x00007FF7AC241000-memory.dmp

Filesize
3.3MB

Download
memory/3040-70-0x00007FF7ABEF0000-0x00007FF7AC241000-memory.dmp

Filesize
3.3MB

Download
memory/3276-134-0x00007FF7959E0000-0x00007FF795D31000-memory.dmp

Filesize
3.3MB

Download
memory/3276-264-0x00007FF7959E0000-0x00007FF795D31000-memory.dmp

Filesize
3.3MB

Download
memory/3376-254-0x00007FF605130000-0x00007FF605481000-memory.dmp

Filesize
3.3MB

Download
memory/3376-98-0x00007FF605130000-0x00007FF605481000-memory.dmp

Filesize
3.3MB

Download
memory/3524-156-0x00007FF7D4C90000-0x00007FF7D4FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3524-259-0x00007FF7D4C90000-0x00007FF7D4FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3524-128-0x00007FF7D4C90000-0x00007FF7D4FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3592-268-0x00007FF64E580000-0x00007FF64E8D1000-memory.dmp

Filesize
3.3MB

Download
memory/3592-159-0x00007FF64E580000-0x00007FF64E8D1000-memory.dmp

Filesize
3.3MB

Download
memory/3592-133-0x00007FF64E580000-0x00007FF64E8D1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-116-0x00007FF73F5C0000-0x00007FF73F911000-memory.dmp

Filesize
3.3MB

Download
memory/3660-257-0x00007FF73F5C0000-0x00007FF73F911000-memory.dmp

Filesize
3.3MB

Download
memory/4040-147-0x00007FF7887C0000-0x00007FF788B11000-memory.dmp

Filesize
3.3MB

Download
memory/4040-236-0x00007FF7887C0000-0x00007FF788B11000-memory.dmp

Filesize
3.3MB

Download
memory/4040-64-0x00007FF7887C0000-0x00007FF788B11000-memory.dmp

Filesize
3.3MB

Download
memory/4424-115-0x00007FF680C40000-0x00007FF680F91000-memory.dmp

Filesize
3.3MB

Download
memory/4424-228-0x00007FF680C40000-0x00007FF680F91000-memory.dmp

Filesize
3.3MB

Download
memory/4424-36-0x00007FF680C40000-0x00007FF680F91000-memory.dmp

Filesize
3.3MB

Download
memory/4572-251-0x00007FF653790000-0x00007FF653AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4572-94-0x00007FF653790000-0x00007FF653AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4572-154-0x00007FF653790000-0x00007FF653AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4724-101-0x00007FF6EEDB0000-0x00007FF6EF101000-memory.dmp

Filesize
3.3MB

Download
memory/4724-33-0x00007FF6EEDB0000-0x00007FF6EF101000-memory.dmp

Filesize
3.3MB

Download
memory/4724-221-0x00007FF6EEDB0000-0x00007FF6EF101000-memory.dmp

Filesize
3.3MB

Download
memory/4880-49-0x00007FF73DEC0000-0x00007FF73E211000-memory.dmp

Filesize
3.3MB

Download
memory/4880-232-0x00007FF73DEC0000-0x00007FF73E211000-memory.dmp

Filesize
3.3MB

Download
memory/4880-135-0x00007FF73DEC0000-0x00007FF73E211000-memory.dmp

Filesize
3.3MB

Download
memory/5052-249-0x00007FF7888E0000-0x00007FF788C31000-memory.dmp

Filesize
3.3MB

Download
memory/5052-78-0x00007FF7888E0000-0x00007FF788C31000-memory.dmp

Filesize
3.3MB

Download
memory/5052-149-0x00007FF7888E0000-0x00007FF788C31000-memory.dmp

Filesize
3.3MB

Download