cobaltstrike | bd191079c6eb4dec87246fc227542e9d6a9748943bf3c8d3b67a093adfb41bd5

Analysis

max time kernel
140s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

659e76ce67314c68bf4a1831ddfea722
SHA1

337169fc0ec7483e2e4a3ad72b0cb075854aa8fb
SHA256

bd191079c6eb4dec87246fc227542e9d6a9748943bf3c8d3b67a093adfb41bd5
SHA512

c740cbf4c6cce1c073cde74dbcdb9e1a036e7fe47eda57cb2ff340d840889611c189b746f7c1d56a5640f693e57772206606a5438e0a1966f6c8709d29d94b20
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lu:RWWBibf56utgpPFotBER/mQ32lUy

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x000c000000023b94-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-37.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba4-50.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba3-53.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-26.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba5-60.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bb4-80.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bbd-86.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc3-91.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc2-96.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bad-71.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bc8-121.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bce-131.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcf-142.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcd-141.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bca-132.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc4-128.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3228-57-0x00007FF7A0020000-0x00007FF7A0371000-memory.dmp	xmrig
behavioral2/memory/1968-72-0x00007FF735690000-0x00007FF7359E1000-memory.dmp	xmrig
behavioral2/memory/532-78-0x00007FF7C6910000-0x00007FF7C6C61000-memory.dmp	xmrig
behavioral2/memory/5064-94-0x00007FF6BAB40000-0x00007FF6BAE91000-memory.dmp	xmrig
behavioral2/memory/2940-93-0x00007FF6F0770000-0x00007FF6F0AC1000-memory.dmp	xmrig
behavioral2/memory/4416-89-0x00007FF75B740000-0x00007FF75BA91000-memory.dmp	xmrig
behavioral2/memory/1920-70-0x00007FF768F90000-0x00007FF7692E1000-memory.dmp	xmrig
behavioral2/memory/5028-61-0x00007FF78DE50000-0x00007FF78E1A1000-memory.dmp	xmrig
behavioral2/memory/2212-111-0x00007FF7C6C60000-0x00007FF7C6FB1000-memory.dmp	xmrig
behavioral2/memory/4980-135-0x00007FF6DCE50000-0x00007FF6DD1A1000-memory.dmp	xmrig
behavioral2/memory/3484-134-0x00007FF603210000-0x00007FF603561000-memory.dmp	xmrig
behavioral2/memory/836-110-0x00007FF7F0DC0000-0x00007FF7F1111000-memory.dmp	xmrig
behavioral2/memory/832-108-0x00007FF6B9C50000-0x00007FF6B9FA1000-memory.dmp	xmrig
behavioral2/memory/1240-109-0x00007FF781EE0000-0x00007FF782231000-memory.dmp	xmrig
behavioral2/memory/1968-149-0x00007FF735690000-0x00007FF7359E1000-memory.dmp	xmrig
behavioral2/memory/2156-154-0x00007FF681E10000-0x00007FF682161000-memory.dmp	xmrig
behavioral2/memory/232-152-0x00007FF6A9E60000-0x00007FF6AA1B1000-memory.dmp	xmrig
behavioral2/memory/1980-150-0x00007FF6CC290000-0x00007FF6CC5E1000-memory.dmp	xmrig
behavioral2/memory/3228-146-0x00007FF7A0020000-0x00007FF7A0371000-memory.dmp	xmrig
behavioral2/memory/1636-153-0x00007FF6DB920000-0x00007FF6DBC71000-memory.dmp	xmrig
behavioral2/memory/1232-163-0x00007FF72DD10000-0x00007FF72E061000-memory.dmp	xmrig
behavioral2/memory/3432-168-0x00007FF65D360000-0x00007FF65D6B1000-memory.dmp	xmrig
behavioral2/memory/840-167-0x00007FF677D20000-0x00007FF678071000-memory.dmp	xmrig
behavioral2/memory/5004-166-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp	xmrig
behavioral2/memory/3228-174-0x00007FF7A0020000-0x00007FF7A0371000-memory.dmp	xmrig
behavioral2/memory/5028-204-0x00007FF78DE50000-0x00007FF78E1A1000-memory.dmp	xmrig
behavioral2/memory/1920-206-0x00007FF768F90000-0x00007FF7692E1000-memory.dmp	xmrig
behavioral2/memory/532-208-0x00007FF7C6910000-0x00007FF7C6C61000-memory.dmp	xmrig
behavioral2/memory/4416-215-0x00007FF75B740000-0x00007FF75BA91000-memory.dmp	xmrig
behavioral2/memory/2212-219-0x00007FF7C6C60000-0x00007FF7C6FB1000-memory.dmp	xmrig
behavioral2/memory/5064-220-0x00007FF6BAB40000-0x00007FF6BAE91000-memory.dmp	xmrig
behavioral2/memory/832-222-0x00007FF6B9C50000-0x00007FF6B9FA1000-memory.dmp	xmrig
behavioral2/memory/2940-217-0x00007FF6F0770000-0x00007FF6F0AC1000-memory.dmp	xmrig
behavioral2/memory/1240-224-0x00007FF781EE0000-0x00007FF782231000-memory.dmp	xmrig
behavioral2/memory/836-237-0x00007FF7F0DC0000-0x00007FF7F1111000-memory.dmp	xmrig
behavioral2/memory/1968-239-0x00007FF735690000-0x00007FF7359E1000-memory.dmp	xmrig
behavioral2/memory/1980-241-0x00007FF6CC290000-0x00007FF6CC5E1000-memory.dmp	xmrig
behavioral2/memory/232-243-0x00007FF6A9E60000-0x00007FF6AA1B1000-memory.dmp	xmrig
behavioral2/memory/1636-245-0x00007FF6DB920000-0x00007FF6DBC71000-memory.dmp	xmrig
behavioral2/memory/2156-248-0x00007FF681E10000-0x00007FF682161000-memory.dmp	xmrig
behavioral2/memory/3484-256-0x00007FF603210000-0x00007FF603561000-memory.dmp	xmrig
behavioral2/memory/4980-259-0x00007FF6DCE50000-0x00007FF6DD1A1000-memory.dmp	xmrig
behavioral2/memory/1232-260-0x00007FF72DD10000-0x00007FF72E061000-memory.dmp	xmrig
behavioral2/memory/840-262-0x00007FF677D20000-0x00007FF678071000-memory.dmp	xmrig
behavioral2/memory/5004-264-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp	xmrig
behavioral2/memory/3432-267-0x00007FF65D360000-0x00007FF65D6B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

oDQWTUJ.exeRUlmakT.exeBaXczjb.exeWUckJWf.exerOFhowF.exeuSewQAw.exetvKwHVj.exeKRxooND.exeKqaUzev.exeBKuyJAL.exeTQUchQA.exeGYmOcQn.exeFQtaWCI.exehMOPbze.exeeTDVpPM.exeESXhyfK.exejEhRobh.exekIbIcdp.exeQZxZGDK.exegRUEeJK.exevHAyAvh.exe

pid	Process
5028	oDQWTUJ.exe
1920	RUlmakT.exe
532	BaXczjb.exe
4416	WUckJWf.exe
2940	rOFhowF.exe
5064	uSewQAw.exe
2212	tvKwHVj.exe
832	KRxooND.exe
1240	KqaUzev.exe
836	BKuyJAL.exe
1968	TQUchQA.exe
1980	GYmOcQn.exe
232	FQtaWCI.exe
1636	hMOPbze.exe
2156	eTDVpPM.exe
1232	ESXhyfK.exe
3484	jEhRobh.exe
4980	kIbIcdp.exe
5004	QZxZGDK.exe
840	gRUEeJK.exe
3432	vHAyAvh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3228-0-0x00007FF7A0020000-0x00007FF7A0371000-memory.dmp	upx
behavioral2/files/0x000c000000023b94-4.dat	upx
behavioral2/files/0x000a000000023b9e-9.dat	upx
behavioral2/files/0x000a000000023b9d-11.dat	upx
behavioral2/memory/5028-10-0x00007FF78DE50000-0x00007FF78E1A1000-memory.dmp	upx
behavioral2/memory/532-18-0x00007FF7C6910000-0x00007FF7C6C61000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-33.dat	upx
behavioral2/files/0x000a000000023ba0-37.dat	upx
behavioral2/files/0x000b000000023ba4-50.dat	upx
behavioral2/files/0x000b000000023ba3-53.dat	upx
behavioral2/memory/1240-52-0x00007FF781EE0000-0x00007FF782231000-memory.dmp	upx
behavioral2/memory/832-51-0x00007FF6B9C50000-0x00007FF6B9FA1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba2-47.dat	upx
behavioral2/memory/2212-46-0x00007FF7C6C60000-0x00007FF7C6FB1000-memory.dmp	upx
behavioral2/memory/5064-39-0x00007FF6BAB40000-0x00007FF6BAE91000-memory.dmp	upx
behavioral2/memory/2940-32-0x00007FF6F0770000-0x00007FF6F0AC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9f-26.dat	upx
behavioral2/memory/4416-24-0x00007FF75B740000-0x00007FF75BA91000-memory.dmp	upx
behavioral2/memory/1920-12-0x00007FF768F90000-0x00007FF7692E1000-memory.dmp	upx
behavioral2/memory/3228-57-0x00007FF7A0020000-0x00007FF7A0371000-memory.dmp	upx
behavioral2/files/0x000b000000023ba5-60.dat	upx
behavioral2/memory/836-64-0x00007FF7F0DC0000-0x00007FF7F1111000-memory.dmp	upx
behavioral2/memory/1968-72-0x00007FF735690000-0x00007FF7359E1000-memory.dmp	upx
behavioral2/memory/532-78-0x00007FF7C6910000-0x00007FF7C6C61000-memory.dmp	upx
behavioral2/files/0x000e000000023bb4-80.dat	upx
behavioral2/files/0x0008000000023bbd-86.dat	upx
behavioral2/files/0x0009000000023bc3-91.dat	upx
behavioral2/memory/5064-94-0x00007FF6BAB40000-0x00007FF6BAE91000-memory.dmp	upx
behavioral2/files/0x0009000000023bc2-96.dat	upx
behavioral2/memory/2156-95-0x00007FF681E10000-0x00007FF682161000-memory.dmp	upx
behavioral2/memory/2940-93-0x00007FF6F0770000-0x00007FF6F0AC1000-memory.dmp	upx
behavioral2/memory/1636-92-0x00007FF6DB920000-0x00007FF6DBC71000-memory.dmp	upx
behavioral2/memory/4416-89-0x00007FF75B740000-0x00007FF75BA91000-memory.dmp	upx
behavioral2/memory/232-83-0x00007FF6A9E60000-0x00007FF6AA1B1000-memory.dmp	upx
behavioral2/memory/1980-79-0x00007FF6CC290000-0x00007FF6CC5E1000-memory.dmp	upx
behavioral2/files/0x000a000000023bad-71.dat	upx
behavioral2/memory/1920-70-0x00007FF768F90000-0x00007FF7692E1000-memory.dmp	upx
behavioral2/memory/5028-61-0x00007FF78DE50000-0x00007FF78E1A1000-memory.dmp	upx
behavioral2/memory/2212-111-0x00007FF7C6C60000-0x00007FF7C6FB1000-memory.dmp	upx
behavioral2/files/0x000e000000023bc8-121.dat	upx
behavioral2/files/0x0008000000023bce-131.dat	upx
behavioral2/memory/840-138-0x00007FF677D20000-0x00007FF678071000-memory.dmp	upx
behavioral2/memory/5004-139-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp	upx
behavioral2/files/0x0008000000023bcf-142.dat	upx
behavioral2/files/0x0008000000023bcd-141.dat	upx
behavioral2/memory/3432-140-0x00007FF65D360000-0x00007FF65D6B1000-memory.dmp	upx
behavioral2/memory/4980-135-0x00007FF6DCE50000-0x00007FF6DD1A1000-memory.dmp	upx
behavioral2/memory/3484-134-0x00007FF603210000-0x00007FF603561000-memory.dmp	upx
behavioral2/files/0x0008000000023bca-132.dat	upx
behavioral2/memory/1232-125-0x00007FF72DD10000-0x00007FF72E061000-memory.dmp	upx
behavioral2/files/0x0009000000023bc4-128.dat	upx
behavioral2/memory/836-110-0x00007FF7F0DC0000-0x00007FF7F1111000-memory.dmp	upx
behavioral2/memory/832-108-0x00007FF6B9C50000-0x00007FF6B9FA1000-memory.dmp	upx
behavioral2/memory/1240-109-0x00007FF781EE0000-0x00007FF782231000-memory.dmp	upx
behavioral2/memory/1968-149-0x00007FF735690000-0x00007FF7359E1000-memory.dmp	upx
behavioral2/memory/2156-154-0x00007FF681E10000-0x00007FF682161000-memory.dmp	upx
behavioral2/memory/232-152-0x00007FF6A9E60000-0x00007FF6AA1B1000-memory.dmp	upx
behavioral2/memory/1980-150-0x00007FF6CC290000-0x00007FF6CC5E1000-memory.dmp	upx
behavioral2/memory/3228-146-0x00007FF7A0020000-0x00007FF7A0371000-memory.dmp	upx
behavioral2/memory/1636-153-0x00007FF6DB920000-0x00007FF6DBC71000-memory.dmp	upx
behavioral2/memory/1232-163-0x00007FF72DD10000-0x00007FF72E061000-memory.dmp	upx
behavioral2/memory/3432-168-0x00007FF65D360000-0x00007FF65D6B1000-memory.dmp	upx
behavioral2/memory/840-167-0x00007FF677D20000-0x00007FF678071000-memory.dmp	upx
behavioral2/memory/5004-166-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\gRUEeJK.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vHAyAvh.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GYmOcQn.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FQtaWCI.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ESXhyfK.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jEhRobh.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QZxZGDK.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WUckJWf.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rOFhowF.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KRxooND.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kIbIcdp.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oDQWTUJ.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RUlmakT.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BaXczjb.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BKuyJAL.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eTDVpPM.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uSewQAw.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tvKwHVj.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KqaUzev.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TQUchQA.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hMOPbze.exe	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 3228 wrote to memory of 5028	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3228 wrote to memory of 5028	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3228 wrote to memory of 1920	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3228 wrote to memory of 1920	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3228 wrote to memory of 532	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3228 wrote to memory of 532	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3228 wrote to memory of 4416	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3228 wrote to memory of 4416	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3228 wrote to memory of 2940	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3228 wrote to memory of 2940	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3228 wrote to memory of 5064	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3228 wrote to memory of 5064	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3228 wrote to memory of 2212	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3228 wrote to memory of 2212	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3228 wrote to memory of 832	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3228 wrote to memory of 832	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3228 wrote to memory of 1240	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3228 wrote to memory of 1240	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3228 wrote to memory of 836	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3228 wrote to memory of 836	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3228 wrote to memory of 1968	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3228 wrote to memory of 1968	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3228 wrote to memory of 1980	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3228 wrote to memory of 1980	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3228 wrote to memory of 232	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3228 wrote to memory of 232	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3228 wrote to memory of 1636	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3228 wrote to memory of 1636	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3228 wrote to memory of 2156	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3228 wrote to memory of 2156	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3228 wrote to memory of 1232	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3228 wrote to memory of 1232	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3228 wrote to memory of 3484	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3228 wrote to memory of 3484	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3228 wrote to memory of 4980	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3228 wrote to memory of 4980	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3228 wrote to memory of 5004	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3228 wrote to memory of 5004	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3228 wrote to memory of 840	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3228 wrote to memory of 840	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3228 wrote to memory of 3432	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3228 wrote to memory of 3432	3228	2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_659e76ce67314c68bf4a1831ddfea722_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\System\oDQWTUJ.exe
  C:\Windows\System\oDQWTUJ.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\RUlmakT.exe
  C:\Windows\System\RUlmakT.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\BaXczjb.exe
  C:\Windows\System\BaXczjb.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\WUckJWf.exe
  C:\Windows\System\WUckJWf.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\rOFhowF.exe
  C:\Windows\System\rOFhowF.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\uSewQAw.exe
  C:\Windows\System\uSewQAw.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\tvKwHVj.exe
  C:\Windows\System\tvKwHVj.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\KRxooND.exe
  C:\Windows\System\KRxooND.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System\KqaUzev.exe
  C:\Windows\System\KqaUzev.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System\BKuyJAL.exe
  C:\Windows\System\BKuyJAL.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\TQUchQA.exe
  C:\Windows\System\TQUchQA.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\GYmOcQn.exe
  C:\Windows\System\GYmOcQn.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\FQtaWCI.exe
  C:\Windows\System\FQtaWCI.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\hMOPbze.exe
  C:\Windows\System\hMOPbze.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\eTDVpPM.exe
  C:\Windows\System\eTDVpPM.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\ESXhyfK.exe
  C:\Windows\System\ESXhyfK.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System\jEhRobh.exe
  C:\Windows\System\jEhRobh.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\kIbIcdp.exe
  C:\Windows\System\kIbIcdp.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\QZxZGDK.exe
  C:\Windows\System\QZxZGDK.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\gRUEeJK.exe
  C:\Windows\System\gRUEeJK.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System\vHAyAvh.exe
  C:\Windows\System\vHAyAvh.exe
  2⤵
  - Executes dropped EXE
  PID:3432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BKuyJAL.exe

Filesize
5.2MB

MD5
fef45fa72f240cfc2dbd079fbdd568ef

SHA1
0bc8ef2d78c576ff036592225c03a6c536d9d89d

SHA256
92b3352a347d84455a83913790f2ca672571c23627908b47ca410b54359cd938

SHA512
7ff7bd39897f088e3c8352b2e5dea89968a0118c7cafab3e1c96e567d3ec3ecc1a0b3c3664d1d57e7d723328ea21856876bd447c416f7e313ed4400f0dcdc763

Download Submit
C:\Windows\System\BaXczjb.exe

Filesize
5.2MB

MD5
5a2473fbb1b56e63d5322e21b8af7d61

SHA1
eda456cce663452a507be1d1657ffb1722b7c634

SHA256
fd624a6ea0ab979f5691273834853a78871d584612c61c8748f78c7acdf4593c

SHA512
48aed04acba120ac070bb588bef7e8572ced1248e218cce2cfec185f7b703b18ad0d3d14fa7846fbe4850817ba007dbe6ad2c3b9b49296bf7a442bd9bc318d6f

Download Submit
C:\Windows\System\ESXhyfK.exe

Filesize
5.2MB

MD5
689744a9aec66fd0752f3b3ff1162170

SHA1
4c0712318aba7c5a35f56a64af0bf0dedadcdcb3

SHA256
cd93e1717c259f763b575b4690a057ce6c63c3232b1a4d4f5c58f8a10e1d4699

SHA512
6529b51b0bee835f8abb888550ba193a3e4d7220eebc89c1b05fe2dd85e24afd046e37a1c738ad1dd7b2e4645933023457daf28eb998cbcb6e2f3438dc2005e8

Download Submit
C:\Windows\System\FQtaWCI.exe

Filesize
5.2MB

MD5
caba291a2de924d6a3db2164eaceb1b5

SHA1
668e09e3a43e73dcb0d7315c4cbaac135aa5904f

SHA256
0643081179d3103111088904684596201787c3468cfde9bb92843293c21d94d7

SHA512
d4bbf72f24122eb10ea52e733761e03e5cafa53f821a5ba26571f704e2e1dc6e7f6d7963a5b293535545a84950bdf4ab9d7bff1f2937bbbc90d3eec6dce38330

Download Submit
C:\Windows\System\GYmOcQn.exe

Filesize
5.2MB

MD5
048f15e668335220408ffde112c24201

SHA1
5ca6647f244ae9bb0c4f98b59fe3551bea25e55f

SHA256
89f84ef9d6d10fee1125ba2097ec0e3a4121e78e35a5f4b7f50d72860882fb41

SHA512
a78439e7faeaffb8c253dd10a36d4166cdb6d94806102561df57e06500df98c51737cf6b5cc1a3b3d5585cdacd0893277e468b6c9ce6a1492801639e154d8729

Download Submit
C:\Windows\System\KRxooND.exe

Filesize
5.2MB

MD5
a98d868ba8166b0e93b704fc07c642d5

SHA1
7629ff46a024cc1815a72622717e30416e56bcd0

SHA256
f0a0ba0c6d717310b520c2316ee17d5ab5c83e714f2b02c99deeb3f70343c091

SHA512
e10169aa4ce9a5fb612e997c545e8feb49b9707efe3cf0e3a94399faee8620eb44443744f1d7178fa5578f822b7dea53304be240f8de8275e9c4cacf1dfd3d0d

Download Submit
C:\Windows\System\KqaUzev.exe

Filesize
5.2MB

MD5
c05ff2f0fbb8efb35a1ea70c8543d6ac

SHA1
04395eba68ffba4a78fd2b58aa7e6ab148b0f488

SHA256
5480be0c7895680834dd1d8a903251114a1c9a0c6bc91ce688ce24261914a6e1

SHA512
717cd1830073f73539d8c8d38f6db88ee42f6b0d9ae0384a4bcf981651228a55734fd851bdba447a1f3d941446a42a0c4ffb7fb5dd7a621db685160b7309f0e0

Download Submit
C:\Windows\System\QZxZGDK.exe

Filesize
5.2MB

MD5
6e783bd5476e5d22a1c26a4498093fbb

SHA1
904ab02ebf4ab8d9ca4b344204f922cad8cf6a73

SHA256
4db821bb73606aa8b322791937bff182029b9592dc7ad9ccb6a607fa03a27bf1

SHA512
1f7ecadf28bdf48da48fc8c3e9b529231909d2165f71d5087373fe1add8bbf32e15a9a32b5afb055270ffe5f8995e172c406a30317fe765d14a183d1bc74905c

Download Submit
C:\Windows\System\RUlmakT.exe

Filesize
5.2MB

MD5
8b2a60f7cd9457c634c985bec6364ddb

SHA1
8ae977d95953d281602cf6d059a5d701d240f512

SHA256
e87d0b26bbd7ece7a1f969e50b675bfe41b85a5186ac978c5a7c62dba387f853

SHA512
09f1eefab301cbfa1b01bf4940593d372b2c39953308cf3adb44c09a121ed8166a63e1fe14b7929ec9f452bfa07d433af66eb942ae934e2376ce865149dfd2c8

Download Submit
C:\Windows\System\TQUchQA.exe

Filesize
5.2MB

MD5
bb8bc680166700bf8ecab27b8e1b7c14

SHA1
4865078445993d4c0c9c780c605af9a1fefc7dec

SHA256
579d18883e92d664abae42355aca9b1017fe5eb97025c0a883bf3750c3fa5601

SHA512
545c43a27e897c6a5278e3273dedd42686fe184bb200a0f093fc7e5205121efd599b456df8f6765a727e7abae101cabbc06ddc3b4bef47ef2d1e862deea3c81e

Download Submit
C:\Windows\System\WUckJWf.exe

Filesize
5.2MB

MD5
5c951ad5b3ec9e31f97062a29a3af322

SHA1
13385e2f6a9c1dd71e2e4e9c81f69cbfcffb3d38

SHA256
0de3ad6ab4b41a846b9fe2a803953e2baaa7ad5986a3c58061c08e2eb50eaf79

SHA512
957d6fcd6a6bcaf20d166d21b191d5418c815c8873c7fd483fbff7693fd98e882eef29c76ec8e0c7c83da3c9e7cead49e4900470a94e57a7781b5ca477c65ce9

Download Submit
C:\Windows\System\eTDVpPM.exe

Filesize
5.2MB

MD5
3a5f94481a1414b4d716246af1245c46

SHA1
fa3687686a5b76897fe0f53d62c58e643538338b

SHA256
cd960f603d1d4a83df87547ed0e652a28ab1df2c1fa3c6ed1df3e208d3adb27e

SHA512
d879dd5d3d8aef4c1d79e19f2c5583d7e51b3ede3f2c4245126abfdfba37fc2963cf3c75b2fbe601141a880f071ed1843d1be00fa99f531785d9a96ed11fb8a9

Download Submit
C:\Windows\System\gRUEeJK.exe

Filesize
5.2MB

MD5
334903a78658676b5cc4d11c888f555f

SHA1
439b67df03de18fd028abc3397f4a81d7f412df1

SHA256
fe013f7576e246f43f9b69391eaf0fc2dc5c2dcc3af91160e299c83aa2305afc

SHA512
ecae7b614a4cdf50cd778b4f1a425070c9eaa3e4a49694299713175c10841941d7a63022c8b06f78a6060af76b823dad1ae02ceb35018c82dc8de170eace9e3c

Download Submit
C:\Windows\System\hMOPbze.exe

Filesize
5.2MB

MD5
3021c6f5eaed688a85bb53d96bdf6e44

SHA1
555af5fdbb34c1904b1db926d9b36803e1ee0859

SHA256
18f07d962cbf96ac76dda91275cb7adc1aa2314412666f7824449dd73b2de686

SHA512
a15c7fca9ea8824847af476d45c60b294d4042ec03820e6b2f1e8e71826b4acac50a12db822471384dc5ea2d78adc0255d8804c84b20f8a3abfdd3a856ba48a1

Download Submit
C:\Windows\System\jEhRobh.exe

Filesize
5.2MB

MD5
c178c11e83a8c7ba0d7d7eb36c9e27d0

SHA1
19b15d1bd8e6bb7cd84411c18fccccfe81bb1aa5

SHA256
e5c19a52a5087c02a87a54c13edee6abbec337e699ef7d4a053f89ebb6178034

SHA512
b3c166cb06b4f55ab8d4e97781e685201f84a8838298e021b7d584d54b5bf30510b29dba8b977ba418a0950ede6e12ddd9639aaba8fbf8831cacfff7e4c49b1a

Download Submit
C:\Windows\System\kIbIcdp.exe

Filesize
5.2MB

MD5
f62a9dc94fce98b7061b65d84aa79fbf

SHA1
8ac74184ab0981c26f503a53e0b447cdd93c28f0

SHA256
57a08bcc6f08a4ef7756d6b6e0daee8621ff4f768734e9cf80b05ac917fe72f8

SHA512
a1cfc4e7c1e02a4c831c70eee923417212b6734c15282596b6dd2379716ab45e4a71fb9d1d2309952632de82c6efc18621d98b565350ade35a84cb3092b1826f

Download Submit
C:\Windows\System\oDQWTUJ.exe

Filesize
5.2MB

MD5
a085e42b175487877b8390643da20293

SHA1
89e0486447b1fa8c17a3be45cd9e5bf5ed3c7e87

SHA256
be4db40877d165626a66a9a31240a4b0f1ddae6f633de1339a32ea629b2f7ca9

SHA512
5978c85a9aa909969320429c9d652098c05ada778282cdbcc68e08f4825b4809968110d33d5181cc2b80199f13e0ff785bc5086da7002b688517a648ca3ba364

Download Submit
C:\Windows\System\rOFhowF.exe

Filesize
5.2MB

MD5
10e074a2d09eaaed2ea55936487362fb

SHA1
8831e15195d003b956a3017b7481757338b9b04a

SHA256
0e8fdd17feffc97368ea3020efd689087aa0387025b9f915a63365ca0b3edde7

SHA512
5b46460f187bd5d277d012adc2dc1461973d844022a86ad8ce79e246a2c3ac0d6a052b37ad071c51dd0cba6d401296b4ad738a15ef9a4b9c69d7b8bbf106a930

Download Submit
C:\Windows\System\tvKwHVj.exe

Filesize
5.2MB

MD5
e8210a1c9b2ae16826daf8883f1f0678

SHA1
4c0045d0013b1450d01de3d0abe526ed20c273ef

SHA256
c082ccb9b351e8504bdd05e5af8ad0997779870be7c72c9ada83e93bb7894b31

SHA512
7ef1090f6d0adc24fd64bdbe58f19e02e163ba24ffe1af95858fe79df6b107b5714c04442022ccf919b8127d01ce41390db97170450b365f1dc43e019fb77a83

Download Submit
C:\Windows\System\uSewQAw.exe

Filesize
5.2MB

MD5
2fbb94317378a7510ef53179efd0ce5b

SHA1
65a4536085b74a6e4ceea519738714dcf24079f5

SHA256
eb9116fcde062a709c9e3207c137afc60271488c08739b0a1d5605a11b2cc589

SHA512
b29a1cd28f4f00671dd46334031953c5f91f967907ec19901d338660bf681f24c6abe63fc3c8ac9cb60412e2694441cbe5764810d5a9aadb61868f8c1df64148

Download Submit
C:\Windows\System\vHAyAvh.exe

Filesize
5.2MB

MD5
265df767ed10d168fe2760f33728eab7

SHA1
bb599429259ec70ee425f44e4b971f0dd1057656

SHA256
0bbd3f4c7cbc4d8940e2b15ff82759a46455ea28b9b4f128d1f8a6cd5c446c23

SHA512
73c836886214e39c529ee34b64c69929d3710ab337a66a923ffaf5f36ba1ce97db2c922beb7777646d63d7e91a01c87423ae25e07fb6e80a58654f0cc630491a

Download Submit
memory/232-152-0x00007FF6A9E60000-0x00007FF6AA1B1000-memory.dmp

Filesize
3.3MB

Download
memory/232-83-0x00007FF6A9E60000-0x00007FF6AA1B1000-memory.dmp

Filesize
3.3MB

Download
memory/232-243-0x00007FF6A9E60000-0x00007FF6AA1B1000-memory.dmp

Filesize
3.3MB

Download
memory/532-78-0x00007FF7C6910000-0x00007FF7C6C61000-memory.dmp

Filesize
3.3MB

Download
memory/532-208-0x00007FF7C6910000-0x00007FF7C6C61000-memory.dmp

Filesize
3.3MB

Download
memory/532-18-0x00007FF7C6910000-0x00007FF7C6C61000-memory.dmp

Filesize
3.3MB

Download
memory/832-108-0x00007FF6B9C50000-0x00007FF6B9FA1000-memory.dmp

Filesize
3.3MB

Download
memory/832-51-0x00007FF6B9C50000-0x00007FF6B9FA1000-memory.dmp

Filesize
3.3MB

Download
memory/832-222-0x00007FF6B9C50000-0x00007FF6B9FA1000-memory.dmp

Filesize
3.3MB

Download
memory/836-64-0x00007FF7F0DC0000-0x00007FF7F1111000-memory.dmp

Filesize
3.3MB

Download
memory/836-110-0x00007FF7F0DC0000-0x00007FF7F1111000-memory.dmp

Filesize
3.3MB

Download
memory/836-237-0x00007FF7F0DC0000-0x00007FF7F1111000-memory.dmp

Filesize
3.3MB

Download
memory/840-138-0x00007FF677D20000-0x00007FF678071000-memory.dmp

Filesize
3.3MB

Download
memory/840-262-0x00007FF677D20000-0x00007FF678071000-memory.dmp

Filesize
3.3MB

Download
memory/840-167-0x00007FF677D20000-0x00007FF678071000-memory.dmp

Filesize
3.3MB

Download
memory/1232-125-0x00007FF72DD10000-0x00007FF72E061000-memory.dmp

Filesize
3.3MB

Download
memory/1232-260-0x00007FF72DD10000-0x00007FF72E061000-memory.dmp

Filesize
3.3MB

Download
memory/1232-163-0x00007FF72DD10000-0x00007FF72E061000-memory.dmp

Filesize
3.3MB

Download
memory/1240-224-0x00007FF781EE0000-0x00007FF782231000-memory.dmp

Filesize
3.3MB

Download
memory/1240-52-0x00007FF781EE0000-0x00007FF782231000-memory.dmp

Filesize
3.3MB

Download
memory/1240-109-0x00007FF781EE0000-0x00007FF782231000-memory.dmp

Filesize
3.3MB

Download
memory/1636-153-0x00007FF6DB920000-0x00007FF6DBC71000-memory.dmp

Filesize
3.3MB

Download
memory/1636-92-0x00007FF6DB920000-0x00007FF6DBC71000-memory.dmp

Filesize
3.3MB

Download
memory/1636-245-0x00007FF6DB920000-0x00007FF6DBC71000-memory.dmp

Filesize
3.3MB

Download
memory/1920-70-0x00007FF768F90000-0x00007FF7692E1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-12-0x00007FF768F90000-0x00007FF7692E1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-206-0x00007FF768F90000-0x00007FF7692E1000-memory.dmp

Filesize
3.3MB

Download
memory/1968-149-0x00007FF735690000-0x00007FF7359E1000-memory.dmp

Filesize
3.3MB

Download
memory/1968-72-0x00007FF735690000-0x00007FF7359E1000-memory.dmp

Filesize
3.3MB

Download
memory/1968-239-0x00007FF735690000-0x00007FF7359E1000-memory.dmp

Filesize
3.3MB

Download
memory/1980-79-0x00007FF6CC290000-0x00007FF6CC5E1000-memory.dmp

Filesize
3.3MB

Download
memory/1980-241-0x00007FF6CC290000-0x00007FF6CC5E1000-memory.dmp

Filesize
3.3MB

Download
memory/1980-150-0x00007FF6CC290000-0x00007FF6CC5E1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-95-0x00007FF681E10000-0x00007FF682161000-memory.dmp

Filesize
3.3MB

Download
memory/2156-154-0x00007FF681E10000-0x00007FF682161000-memory.dmp

Filesize
3.3MB

Download
memory/2156-248-0x00007FF681E10000-0x00007FF682161000-memory.dmp

Filesize
3.3MB

Download
memory/2212-111-0x00007FF7C6C60000-0x00007FF7C6FB1000-memory.dmp

Filesize
3.3MB

Download
memory/2212-219-0x00007FF7C6C60000-0x00007FF7C6FB1000-memory.dmp

Filesize
3.3MB

Download
memory/2212-46-0x00007FF7C6C60000-0x00007FF7C6FB1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-217-0x00007FF6F0770000-0x00007FF6F0AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-32-0x00007FF6F0770000-0x00007FF6F0AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-93-0x00007FF6F0770000-0x00007FF6F0AC1000-memory.dmp

Filesize
3.3MB

Download
memory/3228-174-0x00007FF7A0020000-0x00007FF7A0371000-memory.dmp

Filesize
3.3MB

Download
memory/3228-57-0x00007FF7A0020000-0x00007FF7A0371000-memory.dmp

Filesize
3.3MB

Download
memory/3228-146-0x00007FF7A0020000-0x00007FF7A0371000-memory.dmp

Filesize
3.3MB

Download
memory/3228-1-0x000001EEC3F90000-0x000001EEC3FA0000-memory.dmp

Filesize
64KB

Download
memory/3228-0-0x00007FF7A0020000-0x00007FF7A0371000-memory.dmp

Filesize
3.3MB

Download
memory/3432-140-0x00007FF65D360000-0x00007FF65D6B1000-memory.dmp

Filesize
3.3MB

Download
memory/3432-168-0x00007FF65D360000-0x00007FF65D6B1000-memory.dmp

Filesize
3.3MB

Download
memory/3432-267-0x00007FF65D360000-0x00007FF65D6B1000-memory.dmp

Filesize
3.3MB

Download
memory/3484-256-0x00007FF603210000-0x00007FF603561000-memory.dmp

Filesize
3.3MB

Download
memory/3484-134-0x00007FF603210000-0x00007FF603561000-memory.dmp

Filesize
3.3MB

Download
memory/4416-24-0x00007FF75B740000-0x00007FF75BA91000-memory.dmp

Filesize
3.3MB

Download
memory/4416-215-0x00007FF75B740000-0x00007FF75BA91000-memory.dmp

Filesize
3.3MB

Download
memory/4416-89-0x00007FF75B740000-0x00007FF75BA91000-memory.dmp

Filesize
3.3MB

Download
memory/4980-135-0x00007FF6DCE50000-0x00007FF6DD1A1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-259-0x00007FF6DCE50000-0x00007FF6DD1A1000-memory.dmp

Filesize
3.3MB

Download
memory/5004-139-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp

Filesize
3.3MB

Download
memory/5004-166-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp

Filesize
3.3MB

Download
memory/5004-264-0x00007FF6C3450000-0x00007FF6C37A1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-10-0x00007FF78DE50000-0x00007FF78E1A1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-61-0x00007FF78DE50000-0x00007FF78E1A1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-204-0x00007FF78DE50000-0x00007FF78E1A1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-220-0x00007FF6BAB40000-0x00007FF6BAE91000-memory.dmp

Filesize
3.3MB

Download
memory/5064-94-0x00007FF6BAB40000-0x00007FF6BAE91000-memory.dmp

Filesize
3.3MB

Download
memory/5064-39-0x00007FF6BAB40000-0x00007FF6BAE91000-memory.dmp

Filesize
3.3MB

Download