cobaltstrike | 428108c339ddcbd303ce85d6c9d0bb66acd45e07d19b3e8712a4c4ea85637353

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

9ce759427e025ea20d909992eb133d3a
SHA1

0f4114b928841aabf63b23a5b35113052b4dc625
SHA256

428108c339ddcbd303ce85d6c9d0bb66acd45e07d19b3e8712a4c4ea85637353
SHA512

51aa7b24741ddb6fad297a447e21e85cc747da96172068e2793a0e560e24f042341592512e8e178e58f04934a573f11e30f74f4b6303db43658118b750d4990c
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lg:RWWBibd56utgpPFotBER/mQ32lUc

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\uKPjbMO.exe	cobalt_reflective_dll
C:\Windows\System\HuoGeCD.exe	cobalt_reflective_dll
C:\Windows\System\owgGtvG.exe	cobalt_reflective_dll
C:\Windows\System\MNTusQm.exe	cobalt_reflective_dll
C:\Windows\System\hycUUeO.exe	cobalt_reflective_dll
C:\Windows\System\NcAWOIV.exe	cobalt_reflective_dll
C:\Windows\System\HdThURQ.exe	cobalt_reflective_dll
C:\Windows\System\lozshsy.exe	cobalt_reflective_dll
C:\Windows\System\LrUPurg.exe	cobalt_reflective_dll
C:\Windows\System\djsRjoV.exe	cobalt_reflective_dll
C:\Windows\System\hHOBraa.exe	cobalt_reflective_dll
C:\Windows\System\NBBWdnb.exe	cobalt_reflective_dll
C:\Windows\System\deCsluH.exe	cobalt_reflective_dll
C:\Windows\System\fyFyaXI.exe	cobalt_reflective_dll
C:\Windows\System\DtdPMnn.exe	cobalt_reflective_dll
C:\Windows\System\iduFGOv.exe	cobalt_reflective_dll
C:\Windows\System\XEcxOoq.exe	cobalt_reflective_dll
C:\Windows\System\rnIrTDe.exe	cobalt_reflective_dll
C:\Windows\System\RyykYZi.exe	cobalt_reflective_dll
C:\Windows\System\qZKRFWE.exe	cobalt_reflective_dll
C:\Windows\System\WDzCGmq.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3460-55-0x00007FF61C760000-0x00007FF61CAB1000-memory.dmp	xmrig
behavioral2/memory/1028-62-0x00007FF67A170000-0x00007FF67A4C1000-memory.dmp	xmrig
behavioral2/memory/4768-105-0x00007FF7F4DA0000-0x00007FF7F50F1000-memory.dmp	xmrig
behavioral2/memory/32-109-0x00007FF61D980000-0x00007FF61DCD1000-memory.dmp	xmrig
behavioral2/memory/3096-100-0x00007FF69F980000-0x00007FF69FCD1000-memory.dmp	xmrig
behavioral2/memory/2188-94-0x00007FF7BC1E0000-0x00007FF7BC531000-memory.dmp	xmrig
behavioral2/memory/1568-84-0x00007FF741DA0000-0x00007FF7420F1000-memory.dmp	xmrig
behavioral2/memory/2596-76-0x00007FF7F9A10000-0x00007FF7F9D61000-memory.dmp	xmrig
behavioral2/memory/400-73-0x00007FF784F00000-0x00007FF785251000-memory.dmp	xmrig
behavioral2/memory/4276-130-0x00007FF641BA0000-0x00007FF641EF1000-memory.dmp	xmrig
behavioral2/memory/4300-136-0x00007FF6F5980000-0x00007FF6F5CD1000-memory.dmp	xmrig
behavioral2/memory/4336-138-0x00007FF794C40000-0x00007FF794F91000-memory.dmp	xmrig
behavioral2/memory/3740-139-0x00007FF68F900000-0x00007FF68FC51000-memory.dmp	xmrig
behavioral2/memory/1252-137-0x00007FF696370000-0x00007FF6966C1000-memory.dmp	xmrig
behavioral2/memory/3516-135-0x00007FF6A0AF0000-0x00007FF6A0E41000-memory.dmp	xmrig
behavioral2/memory/3356-143-0x00007FF627E90000-0x00007FF6281E1000-memory.dmp	xmrig
behavioral2/memory/4364-140-0x00007FF740FD0000-0x00007FF741321000-memory.dmp	xmrig
behavioral2/memory/5084-146-0x00007FF62E020000-0x00007FF62E371000-memory.dmp	xmrig
behavioral2/memory/1456-151-0x00007FF6D2430000-0x00007FF6D2781000-memory.dmp	xmrig
behavioral2/memory/4220-149-0x00007FF7FA9A0000-0x00007FF7FACF1000-memory.dmp	xmrig
behavioral2/memory/2492-152-0x00007FF76A3A0000-0x00007FF76A6F1000-memory.dmp	xmrig
behavioral2/memory/3460-147-0x00007FF61C760000-0x00007FF61CAB1000-memory.dmp	xmrig
behavioral2/memory/2288-148-0x00007FF7EC520000-0x00007FF7EC871000-memory.dmp	xmrig
behavioral2/memory/3460-169-0x00007FF61C760000-0x00007FF61CAB1000-memory.dmp	xmrig
behavioral2/memory/1028-201-0x00007FF67A170000-0x00007FF67A4C1000-memory.dmp	xmrig
behavioral2/memory/400-210-0x00007FF784F00000-0x00007FF785251000-memory.dmp	xmrig
behavioral2/memory/1568-212-0x00007FF741DA0000-0x00007FF7420F1000-memory.dmp	xmrig
behavioral2/memory/4768-214-0x00007FF7F4DA0000-0x00007FF7F50F1000-memory.dmp	xmrig
behavioral2/memory/3516-216-0x00007FF6A0AF0000-0x00007FF6A0E41000-memory.dmp	xmrig
behavioral2/memory/4300-218-0x00007FF6F5980000-0x00007FF6F5CD1000-memory.dmp	xmrig
behavioral2/memory/1252-220-0x00007FF696370000-0x00007FF6966C1000-memory.dmp	xmrig
behavioral2/memory/4336-222-0x00007FF794C40000-0x00007FF794F91000-memory.dmp	xmrig
behavioral2/memory/3740-224-0x00007FF68F900000-0x00007FF68FC51000-memory.dmp	xmrig
behavioral2/memory/4364-236-0x00007FF740FD0000-0x00007FF741321000-memory.dmp	xmrig
behavioral2/memory/2596-238-0x00007FF7F9A10000-0x00007FF7F9D61000-memory.dmp	xmrig
behavioral2/memory/3356-240-0x00007FF627E90000-0x00007FF6281E1000-memory.dmp	xmrig
behavioral2/memory/2188-242-0x00007FF7BC1E0000-0x00007FF7BC531000-memory.dmp	xmrig
behavioral2/memory/3096-244-0x00007FF69F980000-0x00007FF69FCD1000-memory.dmp	xmrig
behavioral2/memory/32-250-0x00007FF61D980000-0x00007FF61DCD1000-memory.dmp	xmrig
behavioral2/memory/5084-259-0x00007FF62E020000-0x00007FF62E371000-memory.dmp	xmrig
behavioral2/memory/2288-256-0x00007FF7EC520000-0x00007FF7EC871000-memory.dmp	xmrig
behavioral2/memory/4276-254-0x00007FF641BA0000-0x00007FF641EF1000-memory.dmp	xmrig
behavioral2/memory/4220-258-0x00007FF7FA9A0000-0x00007FF7FACF1000-memory.dmp	xmrig
behavioral2/memory/1456-248-0x00007FF6D2430000-0x00007FF6D2781000-memory.dmp	xmrig
behavioral2/memory/2492-261-0x00007FF76A3A0000-0x00007FF76A6F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

uKPjbMO.exeHuoGeCD.exeowgGtvG.exeMNTusQm.exehycUUeO.exeLrUPurg.exeNcAWOIV.exeHdThURQ.exelozshsy.exeWDzCGmq.exedjsRjoV.exeqZKRFWE.exehHOBraa.exeRyykYZi.exeNBBWdnb.exeXEcxOoq.exeiduFGOv.exedeCsluH.exeDtdPMnn.exefyFyaXI.exernIrTDe.exe

pid	process
1028	uKPjbMO.exe
400	HuoGeCD.exe
1568	owgGtvG.exe
4768	MNTusQm.exe
3516	hycUUeO.exe
4300	LrUPurg.exe
1252	NcAWOIV.exe
4336	HdThURQ.exe
3740	lozshsy.exe
4364	WDzCGmq.exe
2596	djsRjoV.exe
2188	qZKRFWE.exe
3356	hHOBraa.exe
3096	RyykYZi.exe
32	NBBWdnb.exe
5084	XEcxOoq.exe
4220	iduFGOv.exe
4276	deCsluH.exe
2288	DtdPMnn.exe
1456	fyFyaXI.exe
2492	rnIrTDe.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3460-0-0x00007FF61C760000-0x00007FF61CAB1000-memory.dmp	upx
C:\Windows\System\uKPjbMO.exe	upx
behavioral2/memory/1028-8-0x00007FF67A170000-0x00007FF67A4C1000-memory.dmp	upx
C:\Windows\System\HuoGeCD.exe	upx
C:\Windows\System\owgGtvG.exe	upx
behavioral2/memory/400-14-0x00007FF784F00000-0x00007FF785251000-memory.dmp	upx
C:\Windows\System\MNTusQm.exe	upx
behavioral2/memory/1568-21-0x00007FF741DA0000-0x00007FF7420F1000-memory.dmp	upx
C:\Windows\System\hycUUeO.exe	upx
behavioral2/memory/4300-37-0x00007FF6F5980000-0x00007FF6F5CD1000-memory.dmp	upx
C:\Windows\System\NcAWOIV.exe	upx
behavioral2/memory/4336-49-0x00007FF794C40000-0x00007FF794F91000-memory.dmp	upx
behavioral2/memory/3740-50-0x00007FF68F900000-0x00007FF68FC51000-memory.dmp	upx
C:\Windows\System\HdThURQ.exe	upx
C:\Windows\System\lozshsy.exe	upx
behavioral2/memory/1252-47-0x00007FF696370000-0x00007FF6966C1000-memory.dmp	upx
C:\Windows\System\LrUPurg.exe	upx
behavioral2/memory/3516-30-0x00007FF6A0AF0000-0x00007FF6A0E41000-memory.dmp	upx
behavioral2/memory/4768-24-0x00007FF7F4DA0000-0x00007FF7F50F1000-memory.dmp	upx
behavioral2/memory/3460-55-0x00007FF61C760000-0x00007FF61CAB1000-memory.dmp	upx
C:\Windows\System\djsRjoV.exe	upx
behavioral2/memory/1028-62-0x00007FF67A170000-0x00007FF67A4C1000-memory.dmp	upx
C:\Windows\System\hHOBraa.exe	upx
C:\Windows\System\NBBWdnb.exe	upx
behavioral2/memory/4768-105-0x00007FF7F4DA0000-0x00007FF7F50F1000-memory.dmp	upx
behavioral2/memory/32-109-0x00007FF61D980000-0x00007FF61DCD1000-memory.dmp	upx
behavioral2/memory/5084-110-0x00007FF62E020000-0x00007FF62E371000-memory.dmp	upx
C:\Windows\System\deCsluH.exe	upx
C:\Windows\System\fyFyaXI.exe	upx
C:\Windows\System\DtdPMnn.exe	upx
behavioral2/memory/2288-120-0x00007FF7EC520000-0x00007FF7EC871000-memory.dmp	upx
C:\Windows\System\iduFGOv.exe	upx
C:\Windows\System\XEcxOoq.exe	upx
C:\Windows\System\rnIrTDe.exe	upx
behavioral2/memory/4220-106-0x00007FF7FA9A0000-0x00007FF7FACF1000-memory.dmp	upx
behavioral2/memory/3096-100-0x00007FF69F980000-0x00007FF69FCD1000-memory.dmp	upx
behavioral2/memory/2188-94-0x00007FF7BC1E0000-0x00007FF7BC531000-memory.dmp	upx
C:\Windows\System\RyykYZi.exe	upx
behavioral2/memory/1568-84-0x00007FF741DA0000-0x00007FF7420F1000-memory.dmp	upx
C:\Windows\System\qZKRFWE.exe	upx
behavioral2/memory/3356-79-0x00007FF627E90000-0x00007FF6281E1000-memory.dmp	upx
behavioral2/memory/2596-76-0x00007FF7F9A10000-0x00007FF7F9D61000-memory.dmp	upx
behavioral2/memory/400-73-0x00007FF784F00000-0x00007FF785251000-memory.dmp	upx
C:\Windows\System\WDzCGmq.exe	upx
behavioral2/memory/4364-63-0x00007FF740FD0000-0x00007FF741321000-memory.dmp	upx
behavioral2/memory/4276-130-0x00007FF641BA0000-0x00007FF641EF1000-memory.dmp	upx
behavioral2/memory/4300-136-0x00007FF6F5980000-0x00007FF6F5CD1000-memory.dmp	upx
behavioral2/memory/4336-138-0x00007FF794C40000-0x00007FF794F91000-memory.dmp	upx
behavioral2/memory/3740-139-0x00007FF68F900000-0x00007FF68FC51000-memory.dmp	upx
behavioral2/memory/1252-137-0x00007FF696370000-0x00007FF6966C1000-memory.dmp	upx
behavioral2/memory/3516-135-0x00007FF6A0AF0000-0x00007FF6A0E41000-memory.dmp	upx
behavioral2/memory/3356-143-0x00007FF627E90000-0x00007FF6281E1000-memory.dmp	upx
behavioral2/memory/4364-140-0x00007FF740FD0000-0x00007FF741321000-memory.dmp	upx
behavioral2/memory/5084-146-0x00007FF62E020000-0x00007FF62E371000-memory.dmp	upx
behavioral2/memory/1456-151-0x00007FF6D2430000-0x00007FF6D2781000-memory.dmp	upx
behavioral2/memory/4220-149-0x00007FF7FA9A0000-0x00007FF7FACF1000-memory.dmp	upx
behavioral2/memory/2492-152-0x00007FF76A3A0000-0x00007FF76A6F1000-memory.dmp	upx
behavioral2/memory/3460-147-0x00007FF61C760000-0x00007FF61CAB1000-memory.dmp	upx
behavioral2/memory/2288-148-0x00007FF7EC520000-0x00007FF7EC871000-memory.dmp	upx
behavioral2/memory/3460-169-0x00007FF61C760000-0x00007FF61CAB1000-memory.dmp	upx
behavioral2/memory/1028-201-0x00007FF67A170000-0x00007FF67A4C1000-memory.dmp	upx
behavioral2/memory/400-210-0x00007FF784F00000-0x00007FF785251000-memory.dmp	upx
behavioral2/memory/1568-212-0x00007FF741DA0000-0x00007FF7420F1000-memory.dmp	upx
behavioral2/memory/4768-214-0x00007FF7F4DA0000-0x00007FF7F50F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\WDzCGmq.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qZKRFWE.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fyFyaXI.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rnIrTDe.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uKPjbMO.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NcAWOIV.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HdThURQ.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lozshsy.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RyykYZi.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XEcxOoq.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\deCsluH.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MNTusQm.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\owgGtvG.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LrUPurg.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\djsRjoV.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hHOBraa.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NBBWdnb.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DtdPMnn.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HuoGeCD.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iduFGOv.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hycUUeO.exe	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 3460 wrote to memory of 1028	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	uKPjbMO.exe
PID 3460 wrote to memory of 1028	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	uKPjbMO.exe
PID 3460 wrote to memory of 400	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	HuoGeCD.exe
PID 3460 wrote to memory of 400	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	HuoGeCD.exe
PID 3460 wrote to memory of 1568	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	owgGtvG.exe
PID 3460 wrote to memory of 1568	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	owgGtvG.exe
PID 3460 wrote to memory of 4768	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	MNTusQm.exe
PID 3460 wrote to memory of 4768	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	MNTusQm.exe
PID 3460 wrote to memory of 3516	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	hycUUeO.exe
PID 3460 wrote to memory of 3516	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	hycUUeO.exe
PID 3460 wrote to memory of 4300	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	LrUPurg.exe
PID 3460 wrote to memory of 4300	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	LrUPurg.exe
PID 3460 wrote to memory of 1252	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	NcAWOIV.exe
PID 3460 wrote to memory of 1252	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	NcAWOIV.exe
PID 3460 wrote to memory of 4336	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	HdThURQ.exe
PID 3460 wrote to memory of 4336	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	HdThURQ.exe
PID 3460 wrote to memory of 3740	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	lozshsy.exe
PID 3460 wrote to memory of 3740	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	lozshsy.exe
PID 3460 wrote to memory of 4364	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	WDzCGmq.exe
PID 3460 wrote to memory of 4364	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	WDzCGmq.exe
PID 3460 wrote to memory of 2596	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	djsRjoV.exe
PID 3460 wrote to memory of 2596	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	djsRjoV.exe
PID 3460 wrote to memory of 2188	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	qZKRFWE.exe
PID 3460 wrote to memory of 2188	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	qZKRFWE.exe
PID 3460 wrote to memory of 3356	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	hHOBraa.exe
PID 3460 wrote to memory of 3356	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	hHOBraa.exe
PID 3460 wrote to memory of 3096	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	RyykYZi.exe
PID 3460 wrote to memory of 3096	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	RyykYZi.exe
PID 3460 wrote to memory of 32	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	NBBWdnb.exe
PID 3460 wrote to memory of 32	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	NBBWdnb.exe
PID 3460 wrote to memory of 5084	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	XEcxOoq.exe
PID 3460 wrote to memory of 5084	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	XEcxOoq.exe
PID 3460 wrote to memory of 2288	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	DtdPMnn.exe
PID 3460 wrote to memory of 2288	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	DtdPMnn.exe
PID 3460 wrote to memory of 4220	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	iduFGOv.exe
PID 3460 wrote to memory of 4220	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	iduFGOv.exe
PID 3460 wrote to memory of 4276	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	deCsluH.exe
PID 3460 wrote to memory of 4276	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	deCsluH.exe
PID 3460 wrote to memory of 1456	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	fyFyaXI.exe
PID 3460 wrote to memory of 1456	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	fyFyaXI.exe
PID 3460 wrote to memory of 2492	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	rnIrTDe.exe
PID 3460 wrote to memory of 2492	3460	2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe	rnIrTDe.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_9ce759427e025ea20d909992eb133d3a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\System\uKPjbMO.exe
  C:\Windows\System\uKPjbMO.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\HuoGeCD.exe
  C:\Windows\System\HuoGeCD.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\owgGtvG.exe
  C:\Windows\System\owgGtvG.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\MNTusQm.exe
  C:\Windows\System\MNTusQm.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System\hycUUeO.exe
  C:\Windows\System\hycUUeO.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\LrUPurg.exe
  C:\Windows\System\LrUPurg.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\NcAWOIV.exe
  C:\Windows\System\NcAWOIV.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\HdThURQ.exe
  C:\Windows\System\HdThURQ.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\lozshsy.exe
  C:\Windows\System\lozshsy.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System\WDzCGmq.exe
  C:\Windows\System\WDzCGmq.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\djsRjoV.exe
  C:\Windows\System\djsRjoV.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\qZKRFWE.exe
  C:\Windows\System\qZKRFWE.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\hHOBraa.exe
  C:\Windows\System\hHOBraa.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\RyykYZi.exe
  C:\Windows\System\RyykYZi.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System\NBBWdnb.exe
  C:\Windows\System\NBBWdnb.exe
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Windows\System\XEcxOoq.exe
  C:\Windows\System\XEcxOoq.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\DtdPMnn.exe
  C:\Windows\System\DtdPMnn.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\iduFGOv.exe
  C:\Windows\System\iduFGOv.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\deCsluH.exe
  C:\Windows\System\deCsluH.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\fyFyaXI.exe
  C:\Windows\System\fyFyaXI.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System\rnIrTDe.exe
  C:\Windows\System\rnIrTDe.exe
  2⤵
  - Executes dropped EXE
  PID:2492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DtdPMnn.exe

Filesize
5.2MB

MD5
e7653bba1b717e4ba9f8bb0c2fdae7cc

SHA1
686945943a6bc8b03e9dc7bd491f25ec78054338

SHA256
6e4263d99aa74c7df627d1e52cb400b78860de44ea3a91a00251cf8dc52a2f43

SHA512
08b5a05c2aca57cca8e23618adecff0c0f360a270f78bd55e065998c809b4369e7d12bf3dbb693eb0de06d77ac9f275799d2174d0509fec277c2686379b87538

Download Submit
C:\Windows\System\HdThURQ.exe

Filesize
5.2MB

MD5
d549585c4c81adb94ee39d546d82018b

SHA1
81f211b9ef8c810351705a6d8f2ac0af3c6d8565

SHA256
54bee47aabc1b52a63e6d1994b004c2e22d1a2bea8b45a493e17a05dab8be896

SHA512
7ffdbdb80ab4ec394474cfbeb0f74481e3de8822caf5f6e2f039915ecb0e1343da64f4544a03ad63fdb189be01a90c38ba1b49b08dedbe9d8b4bbaba44a86599

Download Submit
C:\Windows\System\HuoGeCD.exe

Filesize
5.2MB

MD5
a5238b7569252ed345f287197f6becc4

SHA1
88bce18d59482725273e7a68c8699b9fb74eb7aa

SHA256
ced0dc9515a6db037ae00a7e24d4d1da769a92fcd5de4067071f8a63fb8f8a04

SHA512
ff747b5af5e55ee79880bc09f9ab156533b14d8bec1ee453fe7031261af9ad8a0e60c1108afd266e27102c362f23c93700faa17f54f4fd6929ed49dd4ab81f22

Download Submit
C:\Windows\System\LrUPurg.exe

Filesize
5.2MB

MD5
c137f578d3111982edeb58f325987995

SHA1
5a043d6694ef9dedbc9bf1b77099e40bd2b6f126

SHA256
73d17a627a92b254bc441ba5adbdfa010e7945eaedba1e4e3837388ac7a3390c

SHA512
32a3de44195f8d3a2ab06a24e325667e2673d11837985d8599c6de0c82bb84bc7645fcf27bcff0f00f8234980ea79d3426c9747c7accbf903a049d7425fa046b

Download Submit
C:\Windows\System\MNTusQm.exe

Filesize
5.2MB

MD5
cb7efa52271f1ccafbc99e07a6109e8c

SHA1
5bc226848f87b2ddab7513e373b6b61517f6c7e1

SHA256
e549507d4ae5fbe0908d3a9d3a401ed161a9052a68b910f255b63c77400c1e45

SHA512
c62bc0a4db588267368542f048847dc4e7c9e34a6c9db43da8787dbd0827982175a15e2da737f09408d4c564490c8bdc5263685f9e4b80e240c2edd5d3d5f8bc

Download Submit
C:\Windows\System\NBBWdnb.exe

Filesize
5.2MB

MD5
26d84c7e1fa8dc97d81b98e4dbe40878

SHA1
45b9fb6bef2c3dd8facbe2231cd261242ae66b57

SHA256
746fb3dba81b8778a0af27d6b41353a08e0832d741daa1260a137ef1e6c0bd84

SHA512
d6beb0ca8ada3cba4b7ad3d1661d22729b23f7b6fe302132cf5e1625ebadb8a56d312d2f1da8c1e2711b56eb69bd150a58cae8069849a1e0937d694f429dcfa6

Download Submit
C:\Windows\System\NcAWOIV.exe

Filesize
5.2MB

MD5
9f6e6f43a11cc7656da8019768ec49ae

SHA1
21b69f65b7bd7ce0988933b7267729ef29f71032

SHA256
25c85c6b3f8cb68b9be583c1b887792ea0f8b34cf70ed5252c5f7c2c0254c220

SHA512
3f54fa2456f9447bb55f83672377db9fc9a965f6b69dde49a5ba02b40f507fef6d0fda19a93baac90ec2430035c2c754421ac597ff072696b0f7381faf2fe3c0

Download Submit
C:\Windows\System\RyykYZi.exe

Filesize
5.2MB

MD5
716b65c467feb03763f875e29ac04d20

SHA1
5e388d696c3341004e51d5b0800d87721dbabae6

SHA256
5b2fdbc466423da3e422060389cc31ff101af1efeac543527153ac95fcca2ea8

SHA512
4173a5e2b8c1c6c0a14460130be802e69c890e4b70d396879e86c202b58af5800b472f191fffbd7ea2b8d86dfa4271ecf6d6708b84ed93c906218f6923fc3324

Download Submit
C:\Windows\System\WDzCGmq.exe

Filesize
5.2MB

MD5
5ad5bd3f14100a5b79d257a0553fcc8d

SHA1
ef0378ee497968ad2dcd463c2d1d35af848d8ae9

SHA256
6028075b58664f161495b8f1f35d8b37cefbc959c0a00d572218e49eec62756e

SHA512
ac01d2a1bad6bddcedf970ac45928abc35c72e0bae3a71f8318d7f0aa6d5a60be5fb1f3bcc2a3e57d3262b7431025cc31a7abd11af3244c5c7ae531b26dc1c7e

Download Submit
C:\Windows\System\XEcxOoq.exe

Filesize
5.2MB

MD5
ff98c72e928854a4f221911ad8c6878c

SHA1
684b9880d9b98c8eb6f146e2104422bf2036a735

SHA256
f77f5265cdd58ab6a0f308d9d10ebd8f025dcfd5d77c68341617d4b6a08faef2

SHA512
479eb8492db91c80f4c125b5b725d191c936c0ad8790b21373c33d2954244e86227162cd4113a6bf6060f18709344629d670bf10355c44325ac51b581b794f65

Download Submit
C:\Windows\System\deCsluH.exe

Filesize
5.2MB

MD5
b577dde6d825e93b4e4a24a671c92701

SHA1
895fe2c404b6e481185143dcbdfc0034ab1bfbcf

SHA256
085e5e0cdda18745e9d2cd7a1a91b56d97eb966c3c9c555d6d5c3b6127e4c540

SHA512
e1958b0c561488754d60dafddc1f714e374a44f1abe3992d0e62af7296a9974f1cb512ae4317696e5aeb311ff254bb4ea3d70177a1844c2f2f6c90dca47675e6

Download Submit
C:\Windows\System\djsRjoV.exe

Filesize
5.2MB

MD5
c51f6fd045a0e00b612378b6d10411d8

SHA1
62a7864960fdf89654430f007967ba4fdda49ce4

SHA256
8c0a6bec61be513a270c24905b31e4ef0809b74199b7b7f15ccc7fbbd0aa2fe9

SHA512
6b198db13950515d4e79a5ce51794bde7eff96d0717b5f1fc75edf9c19ec3bd7f1265892fe48789bc4c3c4b18b41dbb73403bd145c3277dded5a985fe88f350f

Download Submit
C:\Windows\System\fyFyaXI.exe

Filesize
5.2MB

MD5
1c63504e48dcd8c6d577db16e278e6cb

SHA1
c7f187713f851ffaa638c949291965d10de8946c

SHA256
131466cf4e4f6c25fe2a79e0be31c50c3741dddc3e09ccf40991e7b711188028

SHA512
d86033d102ca6a539cd9cbeab9a9b6fceae2904c29928c6449aced0c50ae052272dc5275b81359dc7e8827af3395ba26452802513466b8a05a8b0be857a2cf3f

Download Submit
C:\Windows\System\hHOBraa.exe

Filesize
5.2MB

MD5
cef46b998c3e6474d7e27d0bd7f1aee4

SHA1
89a356d862197a67c99555c9563967366d84910a

SHA256
ef39fdfc6effb7e3e2bed0c2eb053951d245783ff37230e80a309d8222727b77

SHA512
45480d8db3c84fa0d44e4fcc78dd293a9969b0a5542289d83456b0ccf3237086c8df78f105070d933305e7ef2ea088a49d27ce0d0f68e3cf9740d02774dedcbb

Download Submit
C:\Windows\System\hycUUeO.exe

Filesize
5.2MB

MD5
6a5340ffce07d243b5537d00c54173ab

SHA1
8b3fc833ac34afe08af99fc7925298eccf17c3ad

SHA256
262e1aedc8b7202dfc1df6a71a1bea1dbfac489ae953fc77b0be72506df4f47c

SHA512
0d3056b05d1502274e1766ef7ca28b0ca40be8a10dea600ce377701eec89bff29a6726587ba09447174146b91ba1d041be8e55b9d739676cf1fc3e39bfe25419

Download Submit
C:\Windows\System\iduFGOv.exe

Filesize
5.2MB

MD5
e6639578a11d48e03043810389555488

SHA1
b067eb218f7341ec0feb8c9035c9cac58f331efe

SHA256
b8809dfb36826c2999a76429356272f58d253c2b620ce3c317d791d55e8bc192

SHA512
97e432d13c6593ea12a0567d5620561542b7580d1c5c1ab77326dc9849ba67d579edc42a35757e6705f61b5e764ddb2ecac697e14a3efd6e5bdb45b1a858c552

Download Submit
C:\Windows\System\lozshsy.exe

Filesize
5.2MB

MD5
5dd6a1cfd2aedb5d4cf7324ec7b2a7f7

SHA1
ade248d6e34d6f508ef6db5dc609bec319740829

SHA256
59ea5872d73c5cefca29cecd9b37253746d9cafdf57b2c2d44cb30d7eb8feaf7

SHA512
d63500303aa2410cb4b9e79af3c378864300b2e51926ae55f183041b517d43ab82e24b182307a3022e57f9cbc8e2a91582253f30a912401a112b55f5cba303bc

Download Submit
C:\Windows\System\owgGtvG.exe

Filesize
5.2MB

MD5
cdb8badbe445c66978979cbaaa977efd

SHA1
3d3ead348006f6c6c0a5ef49071ddf052063f900

SHA256
ced69bad7108c3184f5049b05be2aa94189cb0c9f3ac37f3a21322de0763e48c

SHA512
4a33841eb6e6013692a569e86abf0a48bd9e903e54341e6ee124d1ccad1286574318f0008e283c9cb72986f6a211bb7192dc4ba74638ea2cac36f6f0b36aff97

Download Submit
C:\Windows\System\qZKRFWE.exe

Filesize
5.2MB

MD5
4e792fd45c20db9c60a929ab8d107027

SHA1
e765f8dc382791b8aaedd544e028c0e4d0969e59

SHA256
86537a5df04617aa21f21503c891d32fda7907a2b03a5ae9bd97ee340c35dbe3

SHA512
338f54d43bdcda353bc2a29c7085d834e8f1ee868cd00cdf0a43fc6923a7f1d4096ca2d0930736f129861b42449ffa363a0de7d874423fdd2f47c2fe9a144cb6

Download Submit
C:\Windows\System\rnIrTDe.exe

Filesize
5.2MB

MD5
fac8f8f5b666d84ad19acd4dae60f328

SHA1
be2f545ce002848f1365e0c7ef341983f16af811

SHA256
15965c1cc86f08c0cd71d36c09394ad35217a3ae89b5491f594579b0ac384eb2

SHA512
43889aa9fabc934de6af12a4150274b92ab1cae07076ec7ced0d3d74aafc161a5e86c429c2fabf20ad9efcef756c969b0092fc461e31b78ce079b5ccd2c7c24a

Download Submit
C:\Windows\System\uKPjbMO.exe

Filesize
5.2MB

MD5
dee95baea3853057adc34fd32efffe37

SHA1
c56ac9f200e10e0ce7402f422b1daa44a4c0fd13

SHA256
96658dfdce590b4b8a5457097d7b3424578f18126713c95ed15ba34333cb25ea

SHA512
ea3c3df7d5a5b8f3c0e47f5a3fa5de57d5b2255ea22c616330deb8fd71e90a9ea81505a7c5c7e87ff59f069ab54f7ef3679ad7fe903e73d37ee8ecbec0e40f4a

Download Submit
memory/32-250-0x00007FF61D980000-0x00007FF61DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/32-109-0x00007FF61D980000-0x00007FF61DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/400-73-0x00007FF784F00000-0x00007FF785251000-memory.dmp

Filesize
3.3MB

Download
memory/400-210-0x00007FF784F00000-0x00007FF785251000-memory.dmp

Filesize
3.3MB

Download
memory/400-14-0x00007FF784F00000-0x00007FF785251000-memory.dmp

Filesize
3.3MB

Download
memory/1028-62-0x00007FF67A170000-0x00007FF67A4C1000-memory.dmp

Filesize
3.3MB

Download
memory/1028-201-0x00007FF67A170000-0x00007FF67A4C1000-memory.dmp

Filesize
3.3MB

Download
memory/1028-8-0x00007FF67A170000-0x00007FF67A4C1000-memory.dmp

Filesize
3.3MB

Download
memory/1252-137-0x00007FF696370000-0x00007FF6966C1000-memory.dmp

Filesize
3.3MB

Download
memory/1252-47-0x00007FF696370000-0x00007FF6966C1000-memory.dmp

Filesize
3.3MB

Download
memory/1252-220-0x00007FF696370000-0x00007FF6966C1000-memory.dmp

Filesize
3.3MB

Download
memory/1456-151-0x00007FF6D2430000-0x00007FF6D2781000-memory.dmp

Filesize
3.3MB

Download
memory/1456-248-0x00007FF6D2430000-0x00007FF6D2781000-memory.dmp

Filesize
3.3MB

Download
memory/1568-84-0x00007FF741DA0000-0x00007FF7420F1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-212-0x00007FF741DA0000-0x00007FF7420F1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-21-0x00007FF741DA0000-0x00007FF7420F1000-memory.dmp

Filesize
3.3MB

Download
memory/2188-242-0x00007FF7BC1E0000-0x00007FF7BC531000-memory.dmp

Filesize
3.3MB

Download
memory/2188-94-0x00007FF7BC1E0000-0x00007FF7BC531000-memory.dmp

Filesize
3.3MB

Download
memory/2288-148-0x00007FF7EC520000-0x00007FF7EC871000-memory.dmp

Filesize
3.3MB

Download
memory/2288-120-0x00007FF7EC520000-0x00007FF7EC871000-memory.dmp

Filesize
3.3MB

Download
memory/2288-256-0x00007FF7EC520000-0x00007FF7EC871000-memory.dmp

Filesize
3.3MB

Download
memory/2492-261-0x00007FF76A3A0000-0x00007FF76A6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2492-152-0x00007FF76A3A0000-0x00007FF76A6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-76-0x00007FF7F9A10000-0x00007FF7F9D61000-memory.dmp

Filesize
3.3MB

Download
memory/2596-238-0x00007FF7F9A10000-0x00007FF7F9D61000-memory.dmp

Filesize
3.3MB

Download
memory/3096-244-0x00007FF69F980000-0x00007FF69FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/3096-100-0x00007FF69F980000-0x00007FF69FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/3356-79-0x00007FF627E90000-0x00007FF6281E1000-memory.dmp

Filesize
3.3MB

Download
memory/3356-240-0x00007FF627E90000-0x00007FF6281E1000-memory.dmp

Filesize
3.3MB

Download
memory/3356-143-0x00007FF627E90000-0x00007FF6281E1000-memory.dmp

Filesize
3.3MB

Download
memory/3460-1-0x000001C580120000-0x000001C580130000-memory.dmp

Filesize
64KB

Download
memory/3460-147-0x00007FF61C760000-0x00007FF61CAB1000-memory.dmp

Filesize
3.3MB

Download
memory/3460-0-0x00007FF61C760000-0x00007FF61CAB1000-memory.dmp

Filesize
3.3MB

Download
memory/3460-169-0x00007FF61C760000-0x00007FF61CAB1000-memory.dmp

Filesize
3.3MB

Download
memory/3460-55-0x00007FF61C760000-0x00007FF61CAB1000-memory.dmp

Filesize
3.3MB

Download
memory/3516-135-0x00007FF6A0AF0000-0x00007FF6A0E41000-memory.dmp

Filesize
3.3MB

Download
memory/3516-216-0x00007FF6A0AF0000-0x00007FF6A0E41000-memory.dmp

Filesize
3.3MB

Download
memory/3516-30-0x00007FF6A0AF0000-0x00007FF6A0E41000-memory.dmp

Filesize
3.3MB

Download
memory/3740-50-0x00007FF68F900000-0x00007FF68FC51000-memory.dmp

Filesize
3.3MB

Download
memory/3740-139-0x00007FF68F900000-0x00007FF68FC51000-memory.dmp

Filesize
3.3MB

Download
memory/3740-224-0x00007FF68F900000-0x00007FF68FC51000-memory.dmp

Filesize
3.3MB

Download
memory/4220-149-0x00007FF7FA9A0000-0x00007FF7FACF1000-memory.dmp

Filesize
3.3MB

Download
memory/4220-258-0x00007FF7FA9A0000-0x00007FF7FACF1000-memory.dmp

Filesize
3.3MB

Download
memory/4220-106-0x00007FF7FA9A0000-0x00007FF7FACF1000-memory.dmp

Filesize
3.3MB

Download
memory/4276-254-0x00007FF641BA0000-0x00007FF641EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4276-130-0x00007FF641BA0000-0x00007FF641EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4300-37-0x00007FF6F5980000-0x00007FF6F5CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4300-218-0x00007FF6F5980000-0x00007FF6F5CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4300-136-0x00007FF6F5980000-0x00007FF6F5CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4336-49-0x00007FF794C40000-0x00007FF794F91000-memory.dmp

Filesize
3.3MB

Download
memory/4336-222-0x00007FF794C40000-0x00007FF794F91000-memory.dmp

Filesize
3.3MB

Download
memory/4336-138-0x00007FF794C40000-0x00007FF794F91000-memory.dmp

Filesize
3.3MB

Download
memory/4364-236-0x00007FF740FD0000-0x00007FF741321000-memory.dmp

Filesize
3.3MB

Download
memory/4364-140-0x00007FF740FD0000-0x00007FF741321000-memory.dmp

Filesize
3.3MB

Download
memory/4364-63-0x00007FF740FD0000-0x00007FF741321000-memory.dmp

Filesize
3.3MB

Download
memory/4768-214-0x00007FF7F4DA0000-0x00007FF7F50F1000-memory.dmp

Filesize
3.3MB

Download
memory/4768-24-0x00007FF7F4DA0000-0x00007FF7F50F1000-memory.dmp

Filesize
3.3MB

Download
memory/4768-105-0x00007FF7F4DA0000-0x00007FF7F50F1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-259-0x00007FF62E020000-0x00007FF62E371000-memory.dmp

Filesize
3.3MB

Download
memory/5084-146-0x00007FF62E020000-0x00007FF62E371000-memory.dmp

Filesize
3.3MB

Download
memory/5084-110-0x00007FF62E020000-0x00007FF62E371000-memory.dmp

Filesize
3.3MB

Download