cobaltstrike | 453f2516e7fa7c2186974fa5ee7f11c2a2ed01de259efd0cb44c913a053e14b6

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f02b157d8159e9b8d479b0ffaa3287f5
SHA1

0589bb19044ac053c9b1756c0250f5e6df613062
SHA256

453f2516e7fa7c2186974fa5ee7f11c2a2ed01de259efd0cb44c913a053e14b6
SHA512

d694ce49116cbb12c6006e3ed21ab45a8c077298c64d822d9dbb30eaed897183653aa28f407a2cfaad5b0cd9ef24631a5207b101c428dd226635686ca2275b30
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l/:RWWBibd56utgpPFotBER/mQ32lUr

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x000b000000023b73-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b77-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-29.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b74-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-46.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-56.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-64.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-66.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-75.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-98.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023a97-103.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-115.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-125.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-121.dat	cobalt_reflective_dll
behavioral2/files/0x00050000000230d8-92.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-82.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000023080-151.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-150.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4636-73-0x00007FF7D4E10000-0x00007FF7D5161000-memory.dmp	xmrig
behavioral2/memory/2628-123-0x00007FF7414C0000-0x00007FF741811000-memory.dmp	xmrig
behavioral2/memory/4480-112-0x00007FF755EA0000-0x00007FF7561F1000-memory.dmp	xmrig
behavioral2/memory/2844-111-0x00007FF6D93B0000-0x00007FF6D9701000-memory.dmp	xmrig
behavioral2/memory/5004-102-0x00007FF650730000-0x00007FF650A81000-memory.dmp	xmrig
behavioral2/memory/3824-97-0x00007FF6A7DE0000-0x00007FF6A8131000-memory.dmp	xmrig
behavioral2/memory/3908-88-0x00007FF720BD0000-0x00007FF720F21000-memory.dmp	xmrig
behavioral2/memory/5012-81-0x00007FF67CA30000-0x00007FF67CD81000-memory.dmp	xmrig
behavioral2/memory/2788-65-0x00007FF7B71E0000-0x00007FF7B7531000-memory.dmp	xmrig
behavioral2/memory/716-60-0x00007FF7EB6B0000-0x00007FF7EBA01000-memory.dmp	xmrig
behavioral2/memory/4968-137-0x00007FF6C8BF0000-0x00007FF6C8F41000-memory.dmp	xmrig
behavioral2/memory/3560-139-0x00007FF7BB4A0000-0x00007FF7BB7F1000-memory.dmp	xmrig
behavioral2/memory/2596-138-0x00007FF7EAB80000-0x00007FF7EAED1000-memory.dmp	xmrig
behavioral2/memory/3144-144-0x00007FF707940000-0x00007FF707C91000-memory.dmp	xmrig
behavioral2/memory/3544-149-0x00007FF6CEAB0000-0x00007FF6CEE01000-memory.dmp	xmrig
behavioral2/memory/4816-147-0x00007FF703B10000-0x00007FF703E61000-memory.dmp	xmrig
behavioral2/memory/2892-146-0x00007FF619EB0000-0x00007FF61A201000-memory.dmp	xmrig
behavioral2/memory/4416-140-0x00007FF7F28C0000-0x00007FF7F2C11000-memory.dmp	xmrig
behavioral2/memory/4548-148-0x00007FF63D580000-0x00007FF63D8D1000-memory.dmp	xmrig
behavioral2/memory/3972-145-0x00007FF6D1850000-0x00007FF6D1BA1000-memory.dmp	xmrig
behavioral2/memory/3360-157-0x00007FF6C0C20000-0x00007FF6C0F71000-memory.dmp	xmrig
behavioral2/memory/716-158-0x00007FF7EB6B0000-0x00007FF7EBA01000-memory.dmp	xmrig
behavioral2/memory/492-179-0x00007FF617430000-0x00007FF617781000-memory.dmp	xmrig
behavioral2/memory/2788-206-0x00007FF7B71E0000-0x00007FF7B7531000-memory.dmp	xmrig
behavioral2/memory/4636-212-0x00007FF7D4E10000-0x00007FF7D5161000-memory.dmp	xmrig
behavioral2/memory/5012-214-0x00007FF67CA30000-0x00007FF67CD81000-memory.dmp	xmrig
behavioral2/memory/3908-216-0x00007FF720BD0000-0x00007FF720F21000-memory.dmp	xmrig
behavioral2/memory/3824-218-0x00007FF6A7DE0000-0x00007FF6A8131000-memory.dmp	xmrig
behavioral2/memory/5004-226-0x00007FF650730000-0x00007FF650A81000-memory.dmp	xmrig
behavioral2/memory/2844-228-0x00007FF6D93B0000-0x00007FF6D9701000-memory.dmp	xmrig
behavioral2/memory/2628-230-0x00007FF7414C0000-0x00007FF741811000-memory.dmp	xmrig
behavioral2/memory/4480-232-0x00007FF755EA0000-0x00007FF7561F1000-memory.dmp	xmrig
behavioral2/memory/2596-234-0x00007FF7EAB80000-0x00007FF7EAED1000-memory.dmp	xmrig
behavioral2/memory/3560-244-0x00007FF7BB4A0000-0x00007FF7BB7F1000-memory.dmp	xmrig
behavioral2/memory/4968-246-0x00007FF6C8BF0000-0x00007FF6C8F41000-memory.dmp	xmrig
behavioral2/memory/4416-248-0x00007FF7F28C0000-0x00007FF7F2C11000-memory.dmp	xmrig
behavioral2/memory/3144-250-0x00007FF707940000-0x00007FF707C91000-memory.dmp	xmrig
behavioral2/memory/3972-253-0x00007FF6D1850000-0x00007FF6D1BA1000-memory.dmp	xmrig
behavioral2/memory/2892-256-0x00007FF619EB0000-0x00007FF61A201000-memory.dmp	xmrig
behavioral2/memory/4816-257-0x00007FF703B10000-0x00007FF703E61000-memory.dmp	xmrig
behavioral2/memory/3544-261-0x00007FF6CEAB0000-0x00007FF6CEE01000-memory.dmp	xmrig
behavioral2/memory/4548-259-0x00007FF63D580000-0x00007FF63D8D1000-memory.dmp	xmrig
behavioral2/memory/492-268-0x00007FF617430000-0x00007FF617781000-memory.dmp	xmrig
behavioral2/memory/3360-267-0x00007FF6C0C20000-0x00007FF6C0F71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

mLIldte.exeAeVXgNu.exeNWIyzHY.exeolqdCzS.exeLpZCBQJ.exeIziXSjP.exeVYFvzFz.exejgySqtH.execAFkDDO.exeKlJvSlQ.exeSOqanxU.exeylfnuYC.exemKsPxie.exepVCmfym.exeyvbvTYJ.exejQeCzLg.exekrRDWTB.exeUnDwpvD.exeYnIzBOK.exenVAetfV.exeiRXmaJG.exe

pid	Process
2788	mLIldte.exe
4636	AeVXgNu.exe
5012	NWIyzHY.exe
3908	olqdCzS.exe
3824	LpZCBQJ.exe
5004	IziXSjP.exe
2844	VYFvzFz.exe
4480	jgySqtH.exe
2628	cAFkDDO.exe
4968	KlJvSlQ.exe
2596	SOqanxU.exe
3560	ylfnuYC.exe
4416	mKsPxie.exe
3144	pVCmfym.exe
3972	yvbvTYJ.exe
2892	jQeCzLg.exe
4816	krRDWTB.exe
4548	UnDwpvD.exe
3544	YnIzBOK.exe
3360	nVAetfV.exe
492	iRXmaJG.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/716-0-0x00007FF7EB6B0000-0x00007FF7EBA01000-memory.dmp	upx
behavioral2/files/0x000b000000023b73-4.dat	upx
behavioral2/memory/2788-7-0x00007FF7B71E0000-0x00007FF7B7531000-memory.dmp	upx
behavioral2/files/0x000a000000023b77-10.dat	upx
behavioral2/files/0x000a000000023b78-11.dat	upx
behavioral2/memory/5012-18-0x00007FF67CA30000-0x00007FF67CD81000-memory.dmp	upx
behavioral2/memory/4636-12-0x00007FF7D4E10000-0x00007FF7D5161000-memory.dmp	upx
behavioral2/files/0x000a000000023b79-23.dat	upx
behavioral2/files/0x000a000000023b7a-29.dat	upx
behavioral2/memory/3824-30-0x00007FF6A7DE0000-0x00007FF6A8131000-memory.dmp	upx
behavioral2/memory/3908-24-0x00007FF720BD0000-0x00007FF720F21000-memory.dmp	upx
behavioral2/files/0x000b000000023b74-35.dat	upx
behavioral2/memory/5004-36-0x00007FF650730000-0x00007FF650A81000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-39.dat	upx
behavioral2/files/0x000a000000023b7d-46.dat	upx
behavioral2/files/0x000a000000023b7e-56.dat	upx
behavioral2/memory/4968-61-0x00007FF6C8BF0000-0x00007FF6C8F41000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-64.dat	upx
behavioral2/files/0x000a000000023b7f-66.dat	upx
behavioral2/memory/4636-73-0x00007FF7D4E10000-0x00007FF7D5161000-memory.dmp	upx
behavioral2/files/0x000a000000023b81-75.dat	upx
behavioral2/memory/3560-74-0x00007FF7BB4A0000-0x00007FF7BB7F1000-memory.dmp	upx
behavioral2/memory/4416-84-0x00007FF7F28C0000-0x00007FF7F2C11000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-98.dat	upx
behavioral2/files/0x000e000000023a97-103.dat	upx
behavioral2/files/0x000a000000023b84-115.dat	upx
behavioral2/memory/2628-123-0x00007FF7414C0000-0x00007FF741811000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-125.dat	upx
behavioral2/memory/3544-124-0x00007FF6CEAB0000-0x00007FF6CEE01000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-121.dat	upx
behavioral2/memory/4548-117-0x00007FF63D580000-0x00007FF63D8D1000-memory.dmp	upx
behavioral2/memory/4816-116-0x00007FF703B10000-0x00007FF703E61000-memory.dmp	upx
behavioral2/memory/4480-112-0x00007FF755EA0000-0x00007FF7561F1000-memory.dmp	upx
behavioral2/memory/2844-111-0x00007FF6D93B0000-0x00007FF6D9701000-memory.dmp	upx
behavioral2/memory/2892-107-0x00007FF619EB0000-0x00007FF61A201000-memory.dmp	upx
behavioral2/memory/5004-102-0x00007FF650730000-0x00007FF650A81000-memory.dmp	upx
behavioral2/memory/3972-101-0x00007FF6D1850000-0x00007FF6D1BA1000-memory.dmp	upx
behavioral2/memory/3824-97-0x00007FF6A7DE0000-0x00007FF6A8131000-memory.dmp	upx
behavioral2/files/0x00050000000230d8-92.dat	upx
behavioral2/memory/3144-91-0x00007FF707940000-0x00007FF707C91000-memory.dmp	upx
behavioral2/memory/3908-88-0x00007FF720BD0000-0x00007FF720F21000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-82.dat	upx
behavioral2/memory/5012-81-0x00007FF67CA30000-0x00007FF67CD81000-memory.dmp	upx
behavioral2/memory/2596-69-0x00007FF7EAB80000-0x00007FF7EAED1000-memory.dmp	upx
behavioral2/memory/2788-65-0x00007FF7B71E0000-0x00007FF7B7531000-memory.dmp	upx
behavioral2/memory/716-60-0x00007FF7EB6B0000-0x00007FF7EBA01000-memory.dmp	upx
behavioral2/memory/2628-52-0x00007FF7414C0000-0x00007FF741811000-memory.dmp	upx
behavioral2/memory/4480-50-0x00007FF755EA0000-0x00007FF7561F1000-memory.dmp	upx
behavioral2/memory/2844-42-0x00007FF6D93B0000-0x00007FF6D9701000-memory.dmp	upx
behavioral2/memory/4968-137-0x00007FF6C8BF0000-0x00007FF6C8F41000-memory.dmp	upx
behavioral2/memory/3560-139-0x00007FF7BB4A0000-0x00007FF7BB7F1000-memory.dmp	upx
behavioral2/memory/2596-138-0x00007FF7EAB80000-0x00007FF7EAED1000-memory.dmp	upx
behavioral2/memory/3144-144-0x00007FF707940000-0x00007FF707C91000-memory.dmp	upx
behavioral2/files/0x0006000000023080-151.dat	upx
behavioral2/files/0x000a000000023b87-150.dat	upx
behavioral2/memory/3544-149-0x00007FF6CEAB0000-0x00007FF6CEE01000-memory.dmp	upx
behavioral2/memory/4816-147-0x00007FF703B10000-0x00007FF703E61000-memory.dmp	upx
behavioral2/memory/2892-146-0x00007FF619EB0000-0x00007FF61A201000-memory.dmp	upx
behavioral2/memory/4416-140-0x00007FF7F28C0000-0x00007FF7F2C11000-memory.dmp	upx
behavioral2/memory/4548-148-0x00007FF63D580000-0x00007FF63D8D1000-memory.dmp	upx
behavioral2/memory/3972-145-0x00007FF6D1850000-0x00007FF6D1BA1000-memory.dmp	upx
behavioral2/memory/492-156-0x00007FF617430000-0x00007FF617781000-memory.dmp	upx
behavioral2/memory/3360-157-0x00007FF6C0C20000-0x00007FF6C0F71000-memory.dmp	upx
behavioral2/memory/716-158-0x00007FF7EB6B0000-0x00007FF7EBA01000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\mKsPxie.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pVCmfym.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iRXmaJG.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NWIyzHY.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\olqdCzS.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VYFvzFz.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jgySqtH.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jQeCzLg.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UnDwpvD.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nVAetfV.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mLIldte.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AeVXgNu.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LpZCBQJ.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yvbvTYJ.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ylfnuYC.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YnIzBOK.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\krRDWTB.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IziXSjP.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cAFkDDO.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KlJvSlQ.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SOqanxU.exe	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 716 wrote to memory of 2788	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 716 wrote to memory of 2788	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 716 wrote to memory of 4636	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 716 wrote to memory of 4636	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 716 wrote to memory of 5012	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 716 wrote to memory of 5012	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 716 wrote to memory of 3908	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 716 wrote to memory of 3908	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 716 wrote to memory of 3824	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 716 wrote to memory of 3824	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 716 wrote to memory of 5004	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 716 wrote to memory of 5004	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 716 wrote to memory of 2844	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 716 wrote to memory of 2844	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 716 wrote to memory of 4480	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 716 wrote to memory of 4480	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 716 wrote to memory of 2628	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 716 wrote to memory of 2628	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 716 wrote to memory of 4968	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 716 wrote to memory of 4968	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 716 wrote to memory of 2596	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 716 wrote to memory of 2596	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 716 wrote to memory of 3560	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 716 wrote to memory of 3560	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 716 wrote to memory of 4416	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 716 wrote to memory of 4416	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 716 wrote to memory of 3144	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 716 wrote to memory of 3144	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 716 wrote to memory of 3972	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 716 wrote to memory of 3972	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 716 wrote to memory of 2892	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 716 wrote to memory of 2892	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 716 wrote to memory of 4816	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 716 wrote to memory of 4816	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 716 wrote to memory of 4548	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 716 wrote to memory of 4548	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 716 wrote to memory of 3544	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 716 wrote to memory of 3544	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 716 wrote to memory of 3360	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 716 wrote to memory of 3360	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 716 wrote to memory of 492	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 716 wrote to memory of 492	716	2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_f02b157d8159e9b8d479b0ffaa3287f5_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:716
- C:\Windows\System\mLIldte.exe
  C:\Windows\System\mLIldte.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\AeVXgNu.exe
  C:\Windows\System\AeVXgNu.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\NWIyzHY.exe
  C:\Windows\System\NWIyzHY.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\olqdCzS.exe
  C:\Windows\System\olqdCzS.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System\LpZCBQJ.exe
  C:\Windows\System\LpZCBQJ.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System\IziXSjP.exe
  C:\Windows\System\IziXSjP.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\VYFvzFz.exe
  C:\Windows\System\VYFvzFz.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\jgySqtH.exe
  C:\Windows\System\jgySqtH.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\cAFkDDO.exe
  C:\Windows\System\cAFkDDO.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\KlJvSlQ.exe
  C:\Windows\System\KlJvSlQ.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\SOqanxU.exe
  C:\Windows\System\SOqanxU.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\ylfnuYC.exe
  C:\Windows\System\ylfnuYC.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System\mKsPxie.exe
  C:\Windows\System\mKsPxie.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\pVCmfym.exe
  C:\Windows\System\pVCmfym.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\yvbvTYJ.exe
  C:\Windows\System\yvbvTYJ.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\jQeCzLg.exe
  C:\Windows\System\jQeCzLg.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\krRDWTB.exe
  C:\Windows\System\krRDWTB.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\UnDwpvD.exe
  C:\Windows\System\UnDwpvD.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System\YnIzBOK.exe
  C:\Windows\System\YnIzBOK.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System\nVAetfV.exe
  C:\Windows\System\nVAetfV.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System\iRXmaJG.exe
  C:\Windows\System\iRXmaJG.exe
  2⤵
  - Executes dropped EXE
  PID:492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AeVXgNu.exe

Filesize
5.2MB

MD5
4c6a50669169d869525abe43d82c2db9

SHA1
917983ecec4d62a2ff071bfd5087437061c211e9

SHA256
e57db2efcbf0bb795dcc08b8b856aa30f84b8e4b699848b08b10666a8d61c1cc

SHA512
27ca10382ff8aaefe7eed589eaee8ff17297b56dd08693093d42e7716f8a8a3f117e157f92668d243646d4ef9692d66be3244805b7dcbe8c94545190629a9e38

Download Submit
C:\Windows\System\IziXSjP.exe

Filesize
5.2MB

MD5
4fa70baa76964c5151ac4c490152847d

SHA1
e55cfa513a978bbf52a7cb69fdbb1c7be50a5a30

SHA256
a4fe05481133459a9b6e5025a1c74ce23667680471ecc74dce8b1361e65c825e

SHA512
849475c05b44067549a13f33134c9bf1aa15b9e56ce63e773ab31b3671f546c38a17111eebe0980abab586a789a08419aceb36438538565a3f0e189d09f244cf

Download Submit
C:\Windows\System\KlJvSlQ.exe

Filesize
5.2MB

MD5
654ab68933bdeef97448bca560b06735

SHA1
8bb7853f1ae8adfca8d44cfefb94e48c6e06a701

SHA256
4caf95e135df1ad5ab2a4d9d1432481de44daee1b4d7e5177fd2df5bb673dae8

SHA512
c7aa4e5d067dd0da5c7196ba816b086ca3bf89eec0b5c432d6e74b5369642adacff62103616af76339fb0e8f5f0a5446c14c4c4edbe447148d2908cec7b53f2d

Download Submit
C:\Windows\System\LpZCBQJ.exe

Filesize
5.2MB

MD5
072952319536fe71e1dcb447c1696805

SHA1
5af0969052492c194605df5985a651d2b2eedeed

SHA256
1ec8924cb5dea7439c3b518899d02334a3fa2bc40381c437ab37cc056dcc022e

SHA512
e8a7e22c1e346432099799bf6ea2daf5c0419c425187b43c6580245d7e0f2d28e5b3eb7646977dfc5d2c285f78f6e4a31684e6099a82c289256a64d58a80d964

Download Submit
C:\Windows\System\NWIyzHY.exe

Filesize
5.2MB

MD5
c55db126517e69f96b8aa7b5076efd27

SHA1
7e3b6dcf70f2731fd847a101c0fe31ca9dbb833b

SHA256
c9970bc728f45bb83899cd8fa5b84b6da56ccb27e93c1f06702fa0e319a910d5

SHA512
e3174819c9b4fbd48e16aa6cbe9b08cbed4c21195149ace4b9216431a7fb296dffe6f3ebcd09b225f19069a94e0fea08a6cada945f3b1e054c508124ce5cc427

Download Submit
C:\Windows\System\SOqanxU.exe

Filesize
5.2MB

MD5
888e9b666aa0837f0a65c28b3c86c7f9

SHA1
3e6d07b414e7f627d082dd1a48cc6669c8861cf6

SHA256
b0f73275bd0bd53aa324067d42b0f54c545afe73e39d784e145239abcf1dd1d5

SHA512
a96b8760ce04d2799c0633a18d02503e02bebaa42cc5919d1a15cc872fbf73c39ec2e4976a729f353fc7a46fb5dea478a25546aaae8e4b1533892126b9bfd7fa

Download Submit
C:\Windows\System\UnDwpvD.exe

Filesize
5.2MB

MD5
a27c9acdb67b0a6df2a1bdcf91ca876d

SHA1
f6239422ad1576781aed005247ea06a1986998e3

SHA256
9836aa31e364d8d7e8be7ce305d4a2bb0fc3272521d7fae4991406c8c5aae1b8

SHA512
0abdf45b6c3159ffafca58a5679aa1d2534c468f3d7d7d2ec0acb236f3bf19c58fd6fcfc11e9792fa8ccc73d0224a5a156e82f06af3492c434c0626ea18a73fd

Download Submit
C:\Windows\System\VYFvzFz.exe

Filesize
5.2MB

MD5
87b528968a0036c62a5f6172dbde93d9

SHA1
b058197db72984042d9ea76b7120418346288b03

SHA256
5630180e0b2b501e8f07d5d229c72050fafca93700f71c509d197aa38c94afa7

SHA512
b76ee6adf6448e615309c6230ab0251f349f3dc00a3bffee515e59f3436426ecae149e7455a7ca237adbc1ac3c1e5697c2801ea4556ca2b8e424006b9f320f76

Download Submit
C:\Windows\System\YnIzBOK.exe

Filesize
5.2MB

MD5
9e3ed7773387fa81b4cb80bb6b076bc2

SHA1
687a7231e14cd03c76687928e912a1d2b5baf75e

SHA256
273497e78a991321037c1f3c1d2b69bbf02fdad8d4cb92527b59e4f556644df0

SHA512
7c12e3cfc346adacae9dfaf2bab228aaa54da7d48416ec9581ab30dbea55cbc5aef2df4d86f6c8573f5b8cd776ca920284d97215c54736e3f50c3861278d5f7d

Download Submit
C:\Windows\System\cAFkDDO.exe

Filesize
5.2MB

MD5
cd2f2bf4e3fb7b831e87f40f9d6cbaf4

SHA1
40b4db20c93ffe232282e635c97513d2c0fc7656

SHA256
e3c4cb013c4dd1e53c3833bbbfd589e4a00bedf96e500c5360db36d6c255e2ac

SHA512
6695156941892621c04dcb968c68e8a1abd5f559d0caa1fcec54a742ee72a5ea0d3a226c8a8df54272df2c5b03c374cc03fea2d53831d9c1f6995bf6d003f95c

Download Submit
C:\Windows\System\iRXmaJG.exe

Filesize
5.2MB

MD5
cdb57e2f8bc511f534fb9245b7c503fd

SHA1
5bca0d7bfac94eff138fc7370429ad1a83c0ba10

SHA256
f9fed7b371071820b56241c28771e916a2cdc8a01fc8963b14a7d3221a01e833

SHA512
dd28b57141eb8b37ba94dc46e876ab3e884fed48147306b25009220d4c0988541169edc005bbc15f7955a310ead6c0a7b26ce467edf33df94758ed7cab4674a1

Download Submit
C:\Windows\System\jQeCzLg.exe

Filesize
5.2MB

MD5
6e2e60c77e817528c7dae6f7d53686c9

SHA1
ab81a1f8bf77b79861832afafd1ef486112139d2

SHA256
7d3d2d664257f37681eb4290e7a36a71bea86326a2aae0cbc964199ee22c8ed4

SHA512
7c9a11102371de0b2ce48e3a93c034fa634f3fcdb3d7c06e98bc07c2c007afcddd673067231b2ab8178e8e3c3be94c8574ba84f8823e584022627dfbe129ebfc

Download Submit
C:\Windows\System\jgySqtH.exe

Filesize
5.2MB

MD5
ad9f6cc656c5a0d8bf4e239a45f2fbec

SHA1
f8505cc7487c6b7d32f7b6c88d42c846f52b0965

SHA256
15a31ab484d5d4cfabd7714dfd72e3def7a796c9479b8e120424c1993bda5e30

SHA512
84762bb2611d4ebb73dbd3b2b40035b4a79d7ef9585c0f3ff57280c25a8a458d4d332b30ed788b9220e559d2883289f7fd84e8d9b8999a2c7fc988150907ea32

Download Submit
C:\Windows\System\krRDWTB.exe

Filesize
5.2MB

MD5
78c2d80686580fc997e9424bb1d8cd77

SHA1
6c6a469fb773a5ce5b9a28f024e4e12337f34d5f

SHA256
f981a06ea84b964df2dd28473bb0f89fb31ade318129c894e5ca35b61a11587d

SHA512
b295a33743b04b62ea3604266cbebc87c47c5079252ff8b0381b4c0a237ed4e92124fff7d131cbba4615a852bfbb785ffdd33e0ff00840d9648f5be813c3122f

Download Submit
C:\Windows\System\mKsPxie.exe

Filesize
5.2MB

MD5
ea5989d51e9986845c4183933e1bc8d4

SHA1
c9c14232799dae6093872855f470f4d001afa1cb

SHA256
1cde720d6befe218f1949ce1ef9ba3cf930093bcf98bd6dd13024df67526aa12

SHA512
e985d660f0302524345fea57228d8d62b386baca3c54db0e9a9734c63ffec38e652af918faaf427e04696047f21444cc6b8265f2b3e3032c632112b53a894d72

Download Submit
C:\Windows\System\mLIldte.exe

Filesize
5.2MB

MD5
11ea86d249535b80ba7715eb978e4774

SHA1
d05f431ca51bf2973c49686842a0e738287d61c4

SHA256
5b29e91fab583095fc68715f8c6572243800e37180af4b2f3a8f5cb3a99c5355

SHA512
aa0ad198a9a20a0a154d9d60d954beef8b746baf68be63b352d16427183111585ee68aa5a9a06e08efbced236284d14c8aa8533f70fd3c01689302fafdfb887c

Download Submit
C:\Windows\System\nVAetfV.exe

Filesize
5.2MB

MD5
7f5df7c8ed4d61b58fe57df64c22450b

SHA1
b0e3ca7c31dd7a67dc02b9ae62810342059e84f2

SHA256
289937a1dff9cefd1d5241fdd4065a6e841a22ba768950485e4c09a51f753032

SHA512
b04273506cbbd9c7777de54470cb1ced56bcd1f22a4b4142a621b5a13bd77f0be24fc40b4e063f62216883d5d00fcee79ad702d7a8dbc78ea83eb4dca749553f

Download Submit
C:\Windows\System\olqdCzS.exe

Filesize
5.2MB

MD5
586c2131ea84c0393a87a014758b1800

SHA1
8661c5fdc1f235433b2dc8c51fb87676eab861ae

SHA256
7898eda76ea46250eef04cdc0522b6e4c39379db4c7946fb7ef88dd3c8fefb70

SHA512
770b4438a51c7415ef84908f2a5e7555c918cfb68d1e8d753d8de90f11f0a534768ae23eb678db76340db0a629361e1865979a279e036cadfabfa2b3a981c338

Download Submit
C:\Windows\System\pVCmfym.exe

Filesize
5.2MB

MD5
26b748049c6f53c0e2eb27b6b74ac503

SHA1
115bdbafd003fd1b355c9a90a6d72791f51fead9

SHA256
a086c2f158198ee4b2f6e6407e8252b9cfa2a6ed6b31c896b5d8819f069f0c69

SHA512
cc3290ecc152cd720d1a6774ed54a2d180363c8f75ac9f9710dbd754c2dbe6ac19e374040eb1b7531999ef62c2552c5d9bcafb7d8d818b1c3ee955d85a32f311

Download Submit
C:\Windows\System\ylfnuYC.exe

Filesize
5.2MB

MD5
1c919d4a84be3ac2a32f436811cb62a3

SHA1
6ec1aaac8c08fb3cba220fa9d85f8383cc316e0e

SHA256
46c87f833bff5a236760c4ed80c195267ca426c36d8560aa7e12c2448d4c1ffd

SHA512
c0a3f267c382a8afcef5bfe04f827d5ec9b83a2b08ff4d43ca1f9b5e14e6e15d8c4f328a9c1555ee50c0d34fdb6555b43bae8e6138364bb49b69f57aba1cff06

Download Submit
C:\Windows\System\yvbvTYJ.exe

Filesize
5.2MB

MD5
637dca1fcfd23dcdaec5091c1478bd7c

SHA1
424952a893aca2428250d2886e37c159f5e38270

SHA256
5bfaffab0c2929442928ae0a650b8e306af306ada139914e4f0f864f494b3090

SHA512
b3ee916252eb9f84c0ff1041ac775e0863c6006252403fa8f1cd8b39663e42cc54fe4cbc856e1269c6d29f832da8e8d7d92da1d386ca3ebacce1ce0e98043695

Download Submit
memory/492-179-0x00007FF617430000-0x00007FF617781000-memory.dmp

Filesize
3.3MB

Download
memory/492-268-0x00007FF617430000-0x00007FF617781000-memory.dmp

Filesize
3.3MB

Download
memory/492-156-0x00007FF617430000-0x00007FF617781000-memory.dmp

Filesize
3.3MB

Download
memory/716-0-0x00007FF7EB6B0000-0x00007FF7EBA01000-memory.dmp

Filesize
3.3MB

Download
memory/716-60-0x00007FF7EB6B0000-0x00007FF7EBA01000-memory.dmp

Filesize
3.3MB

Download
memory/716-1-0x0000016271250000-0x0000016271260000-memory.dmp

Filesize
64KB

Download
memory/716-158-0x00007FF7EB6B0000-0x00007FF7EBA01000-memory.dmp

Filesize
3.3MB

Download
memory/2596-234-0x00007FF7EAB80000-0x00007FF7EAED1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-69-0x00007FF7EAB80000-0x00007FF7EAED1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-138-0x00007FF7EAB80000-0x00007FF7EAED1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-52-0x00007FF7414C0000-0x00007FF741811000-memory.dmp

Filesize
3.3MB

Download
memory/2628-230-0x00007FF7414C0000-0x00007FF741811000-memory.dmp

Filesize
3.3MB

Download
memory/2628-123-0x00007FF7414C0000-0x00007FF741811000-memory.dmp

Filesize
3.3MB

Download
memory/2788-7-0x00007FF7B71E0000-0x00007FF7B7531000-memory.dmp

Filesize
3.3MB

Download
memory/2788-65-0x00007FF7B71E0000-0x00007FF7B7531000-memory.dmp

Filesize
3.3MB

Download
memory/2788-206-0x00007FF7B71E0000-0x00007FF7B7531000-memory.dmp

Filesize
3.3MB

Download
memory/2844-42-0x00007FF6D93B0000-0x00007FF6D9701000-memory.dmp

Filesize
3.3MB

Download
memory/2844-111-0x00007FF6D93B0000-0x00007FF6D9701000-memory.dmp

Filesize
3.3MB

Download
memory/2844-228-0x00007FF6D93B0000-0x00007FF6D9701000-memory.dmp

Filesize
3.3MB

Download
memory/2892-256-0x00007FF619EB0000-0x00007FF61A201000-memory.dmp

Filesize
3.3MB

Download
memory/2892-146-0x00007FF619EB0000-0x00007FF61A201000-memory.dmp

Filesize
3.3MB

Download
memory/2892-107-0x00007FF619EB0000-0x00007FF61A201000-memory.dmp

Filesize
3.3MB

Download
memory/3144-91-0x00007FF707940000-0x00007FF707C91000-memory.dmp

Filesize
3.3MB

Download
memory/3144-250-0x00007FF707940000-0x00007FF707C91000-memory.dmp

Filesize
3.3MB

Download
memory/3144-144-0x00007FF707940000-0x00007FF707C91000-memory.dmp

Filesize
3.3MB

Download
memory/3360-157-0x00007FF6C0C20000-0x00007FF6C0F71000-memory.dmp

Filesize
3.3MB

Download
memory/3360-267-0x00007FF6C0C20000-0x00007FF6C0F71000-memory.dmp

Filesize
3.3MB

Download
memory/3544-149-0x00007FF6CEAB0000-0x00007FF6CEE01000-memory.dmp

Filesize
3.3MB

Download
memory/3544-124-0x00007FF6CEAB0000-0x00007FF6CEE01000-memory.dmp

Filesize
3.3MB

Download
memory/3544-261-0x00007FF6CEAB0000-0x00007FF6CEE01000-memory.dmp

Filesize
3.3MB

Download
memory/3560-74-0x00007FF7BB4A0000-0x00007FF7BB7F1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-244-0x00007FF7BB4A0000-0x00007FF7BB7F1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-139-0x00007FF7BB4A0000-0x00007FF7BB7F1000-memory.dmp

Filesize
3.3MB

Download
memory/3824-97-0x00007FF6A7DE0000-0x00007FF6A8131000-memory.dmp

Filesize
3.3MB

Download
memory/3824-30-0x00007FF6A7DE0000-0x00007FF6A8131000-memory.dmp

Filesize
3.3MB

Download
memory/3824-218-0x00007FF6A7DE0000-0x00007FF6A8131000-memory.dmp

Filesize
3.3MB

Download
memory/3908-88-0x00007FF720BD0000-0x00007FF720F21000-memory.dmp

Filesize
3.3MB

Download
memory/3908-216-0x00007FF720BD0000-0x00007FF720F21000-memory.dmp

Filesize
3.3MB

Download
memory/3908-24-0x00007FF720BD0000-0x00007FF720F21000-memory.dmp

Filesize
3.3MB

Download
memory/3972-253-0x00007FF6D1850000-0x00007FF6D1BA1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-145-0x00007FF6D1850000-0x00007FF6D1BA1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-101-0x00007FF6D1850000-0x00007FF6D1BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-140-0x00007FF7F28C0000-0x00007FF7F2C11000-memory.dmp

Filesize
3.3MB

Download
memory/4416-248-0x00007FF7F28C0000-0x00007FF7F2C11000-memory.dmp

Filesize
3.3MB

Download
memory/4416-84-0x00007FF7F28C0000-0x00007FF7F2C11000-memory.dmp

Filesize
3.3MB

Download
memory/4480-112-0x00007FF755EA0000-0x00007FF7561F1000-memory.dmp

Filesize
3.3MB

Download
memory/4480-232-0x00007FF755EA0000-0x00007FF7561F1000-memory.dmp

Filesize
3.3MB

Download
memory/4480-50-0x00007FF755EA0000-0x00007FF7561F1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-148-0x00007FF63D580000-0x00007FF63D8D1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-259-0x00007FF63D580000-0x00007FF63D8D1000-memory.dmp

Filesize
3.3MB

Download
memory/4548-117-0x00007FF63D580000-0x00007FF63D8D1000-memory.dmp

Filesize
3.3MB

Download
memory/4636-12-0x00007FF7D4E10000-0x00007FF7D5161000-memory.dmp

Filesize
3.3MB

Download
memory/4636-212-0x00007FF7D4E10000-0x00007FF7D5161000-memory.dmp

Filesize
3.3MB

Download
memory/4636-73-0x00007FF7D4E10000-0x00007FF7D5161000-memory.dmp

Filesize
3.3MB

Download
memory/4816-257-0x00007FF703B10000-0x00007FF703E61000-memory.dmp

Filesize
3.3MB

Download
memory/4816-116-0x00007FF703B10000-0x00007FF703E61000-memory.dmp

Filesize
3.3MB

Download
memory/4816-147-0x00007FF703B10000-0x00007FF703E61000-memory.dmp

Filesize
3.3MB

Download
memory/4968-246-0x00007FF6C8BF0000-0x00007FF6C8F41000-memory.dmp

Filesize
3.3MB

Download
memory/4968-137-0x00007FF6C8BF0000-0x00007FF6C8F41000-memory.dmp

Filesize
3.3MB

Download
memory/4968-61-0x00007FF6C8BF0000-0x00007FF6C8F41000-memory.dmp

Filesize
3.3MB

Download
memory/5004-102-0x00007FF650730000-0x00007FF650A81000-memory.dmp

Filesize
3.3MB

Download
memory/5004-36-0x00007FF650730000-0x00007FF650A81000-memory.dmp

Filesize
3.3MB

Download
memory/5004-226-0x00007FF650730000-0x00007FF650A81000-memory.dmp

Filesize
3.3MB

Download
memory/5012-81-0x00007FF67CA30000-0x00007FF67CD81000-memory.dmp

Filesize
3.3MB

Download
memory/5012-214-0x00007FF67CA30000-0x00007FF67CD81000-memory.dmp

Filesize
3.3MB

Download
memory/5012-18-0x00007FF67CA30000-0x00007FF67CD81000-memory.dmp

Filesize
3.3MB

Download