cobaltstrike | 1744ba95c58ccac86f3239e50fb1b7f42b5cab656eba3f08ec83777fa57747f5

Analysis

max time kernel
142s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

eae85687ee7c925cc9573d97c5d14877
SHA1

2f6716ceaa3624d3ab4e56fedfaea0628e6cef9e
SHA256

1744ba95c58ccac86f3239e50fb1b7f42b5cab656eba3f08ec83777fa57747f5
SHA512

46ff68ba7c6975db0d40a0e7848b3301bc78b81c3fa9ac12e0fae9b79f2ef3095826374e2270910534d778c2178ce02b3f48bce274bbaefcc4c0efe02a56aa90
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lH:RWWBibd56utgpPFotBER/mQ32lU7

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\GoElTYe.exe	cobalt_reflective_dll
C:\Windows\System\SLVXFBz.exe	cobalt_reflective_dll
C:\Windows\System\FXqvmjA.exe	cobalt_reflective_dll
C:\Windows\System\rBjJvVu.exe	cobalt_reflective_dll
C:\Windows\System\ILgQyjJ.exe	cobalt_reflective_dll
C:\Windows\System\XKaAMlU.exe	cobalt_reflective_dll
C:\Windows\System\bFfxsIT.exe	cobalt_reflective_dll
C:\Windows\System\reYjmzz.exe	cobalt_reflective_dll
C:\Windows\System\dpWFexH.exe	cobalt_reflective_dll
C:\Windows\System\GnMfwXO.exe	cobalt_reflective_dll
C:\Windows\System\EaXWvCy.exe	cobalt_reflective_dll
C:\Windows\System\cViKPti.exe	cobalt_reflective_dll
C:\Windows\System\MUTWysv.exe	cobalt_reflective_dll
C:\Windows\System\gSgnMiK.exe	cobalt_reflective_dll
C:\Windows\System\VmnCNzU.exe	cobalt_reflective_dll
C:\Windows\System\TMJRiZx.exe	cobalt_reflective_dll
C:\Windows\System\cdUqnVv.exe	cobalt_reflective_dll
C:\Windows\System\zLGcyMh.exe	cobalt_reflective_dll
C:\Windows\System\mhPGrON.exe	cobalt_reflective_dll
C:\Windows\System\fpUyONm.exe	cobalt_reflective_dll
C:\Windows\System\ZtyRenC.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4568-9-0x00007FF605070000-0x00007FF6053C1000-memory.dmp	xmrig
behavioral2/memory/3620-23-0x00007FF7C0AE0000-0x00007FF7C0E31000-memory.dmp	xmrig
behavioral2/memory/2224-51-0x00007FF781B20000-0x00007FF781E71000-memory.dmp	xmrig
behavioral2/memory/3460-20-0x00007FF7DB740000-0x00007FF7DBA91000-memory.dmp	xmrig
behavioral2/memory/2956-84-0x00007FF7748B0000-0x00007FF774C01000-memory.dmp	xmrig
behavioral2/memory/3016-105-0x00007FF7B33A0000-0x00007FF7B36F1000-memory.dmp	xmrig
behavioral2/memory/4792-98-0x00007FF6B4330000-0x00007FF6B4681000-memory.dmp	xmrig
behavioral2/memory/552-73-0x00007FF7255E0000-0x00007FF725931000-memory.dmp	xmrig
behavioral2/memory/3080-134-0x00007FF7270F0000-0x00007FF727441000-memory.dmp	xmrig
behavioral2/memory/2004-137-0x00007FF646860000-0x00007FF646BB1000-memory.dmp	xmrig
behavioral2/memory/1984-139-0x00007FF72BF20000-0x00007FF72C271000-memory.dmp	xmrig
behavioral2/memory/4276-138-0x00007FF704F20000-0x00007FF705271000-memory.dmp	xmrig
behavioral2/memory/5092-140-0x00007FF7B54F0000-0x00007FF7B5841000-memory.dmp	xmrig
behavioral2/memory/4460-141-0x00007FF64D490000-0x00007FF64D7E1000-memory.dmp	xmrig
behavioral2/memory/1020-136-0x00007FF64CF40000-0x00007FF64D291000-memory.dmp	xmrig
behavioral2/memory/2828-135-0x00007FF6B0850000-0x00007FF6B0BA1000-memory.dmp	xmrig
behavioral2/memory/2108-143-0x00007FF6A3720000-0x00007FF6A3A71000-memory.dmp	xmrig
behavioral2/memory/3832-144-0x00007FF67C220000-0x00007FF67C571000-memory.dmp	xmrig
behavioral2/memory/5076-147-0x00007FF746010000-0x00007FF746361000-memory.dmp	xmrig
behavioral2/memory/1068-152-0x00007FF705E90000-0x00007FF7061E1000-memory.dmp	xmrig
behavioral2/memory/448-151-0x00007FF727BE0000-0x00007FF727F31000-memory.dmp	xmrig
behavioral2/memory/552-142-0x00007FF7255E0000-0x00007FF725931000-memory.dmp	xmrig
behavioral2/memory/968-146-0x00007FF747AA0000-0x00007FF747DF1000-memory.dmp	xmrig
behavioral2/memory/552-165-0x00007FF7255E0000-0x00007FF725931000-memory.dmp	xmrig
behavioral2/memory/4568-204-0x00007FF605070000-0x00007FF6053C1000-memory.dmp	xmrig
behavioral2/memory/3460-206-0x00007FF7DB740000-0x00007FF7DBA91000-memory.dmp	xmrig
behavioral2/memory/3620-208-0x00007FF7C0AE0000-0x00007FF7C0E31000-memory.dmp	xmrig
behavioral2/memory/4792-215-0x00007FF6B4330000-0x00007FF6B4681000-memory.dmp	xmrig
behavioral2/memory/3080-220-0x00007FF7270F0000-0x00007FF727441000-memory.dmp	xmrig
behavioral2/memory/2224-224-0x00007FF781B20000-0x00007FF781E71000-memory.dmp	xmrig
behavioral2/memory/2828-225-0x00007FF6B0850000-0x00007FF6B0BA1000-memory.dmp	xmrig
behavioral2/memory/3016-222-0x00007FF7B33A0000-0x00007FF7B36F1000-memory.dmp	xmrig
behavioral2/memory/1020-218-0x00007FF64CF40000-0x00007FF64D291000-memory.dmp	xmrig
behavioral2/memory/2004-230-0x00007FF646860000-0x00007FF646BB1000-memory.dmp	xmrig
behavioral2/memory/2108-241-0x00007FF6A3720000-0x00007FF6A3A71000-memory.dmp	xmrig
behavioral2/memory/3832-243-0x00007FF67C220000-0x00007FF67C571000-memory.dmp	xmrig
behavioral2/memory/2956-245-0x00007FF7748B0000-0x00007FF774C01000-memory.dmp	xmrig
behavioral2/memory/968-250-0x00007FF747AA0000-0x00007FF747DF1000-memory.dmp	xmrig
behavioral2/memory/4276-254-0x00007FF704F20000-0x00007FF705271000-memory.dmp	xmrig
behavioral2/memory/5076-257-0x00007FF746010000-0x00007FF746361000-memory.dmp	xmrig
behavioral2/memory/1068-260-0x00007FF705E90000-0x00007FF7061E1000-memory.dmp	xmrig
behavioral2/memory/1984-256-0x00007FF72BF20000-0x00007FF72C271000-memory.dmp	xmrig
behavioral2/memory/448-253-0x00007FF727BE0000-0x00007FF727F31000-memory.dmp	xmrig
behavioral2/memory/5092-248-0x00007FF7B54F0000-0x00007FF7B5841000-memory.dmp	xmrig
behavioral2/memory/4460-261-0x00007FF64D490000-0x00007FF64D7E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

FXqvmjA.exeSLVXFBz.exeGoElTYe.exerBjJvVu.exeILgQyjJ.exedpWFexH.exeXKaAMlU.exebFfxsIT.exereYjmzz.exeZtyRenC.exeGnMfwXO.exeEaXWvCy.execViKPti.exeMUTWysv.exefpUyONm.exegSgnMiK.exemhPGrON.exezLGcyMh.execdUqnVv.exeVmnCNzU.exeTMJRiZx.exe

pid	process
4568	FXqvmjA.exe
3460	SLVXFBz.exe
3620	GoElTYe.exe
4792	rBjJvVu.exe
3016	ILgQyjJ.exe
2224	dpWFexH.exe
3080	XKaAMlU.exe
2828	bFfxsIT.exe
1020	reYjmzz.exe
2004	ZtyRenC.exe
2108	GnMfwXO.exe
3832	EaXWvCy.exe
2956	cViKPti.exe
968	MUTWysv.exe
5076	fpUyONm.exe
4276	gSgnMiK.exe
1984	mhPGrON.exe
5092	zLGcyMh.exe
448	cdUqnVv.exe
1068	VmnCNzU.exe
4460	TMJRiZx.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/552-0-0x00007FF7255E0000-0x00007FF725931000-memory.dmp	upx
C:\Windows\System\GoElTYe.exe	upx
C:\Windows\System\SLVXFBz.exe	upx
behavioral2/memory/4568-9-0x00007FF605070000-0x00007FF6053C1000-memory.dmp	upx
C:\Windows\System\FXqvmjA.exe	upx
C:\Windows\System\rBjJvVu.exe	upx
behavioral2/memory/3620-23-0x00007FF7C0AE0000-0x00007FF7C0E31000-memory.dmp	upx
C:\Windows\System\ILgQyjJ.exe	upx
behavioral2/memory/3016-40-0x00007FF7B33A0000-0x00007FF7B36F1000-memory.dmp	upx
behavioral2/memory/3080-41-0x00007FF7270F0000-0x00007FF727441000-memory.dmp	upx
C:\Windows\System\XKaAMlU.exe	upx
C:\Windows\System\bFfxsIT.exe	upx
C:\Windows\System\reYjmzz.exe	upx
behavioral2/memory/1020-54-0x00007FF64CF40000-0x00007FF64D291000-memory.dmp	upx
behavioral2/memory/2224-51-0x00007FF781B20000-0x00007FF781E71000-memory.dmp	upx
behavioral2/memory/2828-47-0x00007FF6B0850000-0x00007FF6B0BA1000-memory.dmp	upx
C:\Windows\System\dpWFexH.exe	upx
behavioral2/memory/4792-27-0x00007FF6B4330000-0x00007FF6B4681000-memory.dmp	upx
behavioral2/memory/3460-20-0x00007FF7DB740000-0x00007FF7DBA91000-memory.dmp	upx
C:\Windows\System\GnMfwXO.exe	upx
C:\Windows\System\EaXWvCy.exe	upx
C:\Windows\System\cViKPti.exe	upx
C:\Windows\System\MUTWysv.exe	upx
behavioral2/memory/2956-84-0x00007FF7748B0000-0x00007FF774C01000-memory.dmp	upx
C:\Windows\System\gSgnMiK.exe	upx
C:\Windows\System\VmnCNzU.exe	upx
behavioral2/memory/448-114-0x00007FF727BE0000-0x00007FF727F31000-memory.dmp	upx
behavioral2/memory/1068-120-0x00007FF705E90000-0x00007FF7061E1000-memory.dmp	upx
C:\Windows\System\TMJRiZx.exe	upx
C:\Windows\System\cdUqnVv.exe	upx
C:\Windows\System\zLGcyMh.exe	upx
C:\Windows\System\mhPGrON.exe	upx
behavioral2/memory/5076-111-0x00007FF746010000-0x00007FF746361000-memory.dmp	upx
behavioral2/memory/3016-105-0x00007FF7B33A0000-0x00007FF7B36F1000-memory.dmp	upx
C:\Windows\System\fpUyONm.exe	upx
behavioral2/memory/4792-98-0x00007FF6B4330000-0x00007FF6B4681000-memory.dmp	upx
behavioral2/memory/968-85-0x00007FF747AA0000-0x00007FF747DF1000-memory.dmp	upx
behavioral2/memory/3832-80-0x00007FF67C220000-0x00007FF67C571000-memory.dmp	upx
behavioral2/memory/552-73-0x00007FF7255E0000-0x00007FF725931000-memory.dmp	upx
behavioral2/memory/2108-70-0x00007FF6A3720000-0x00007FF6A3A71000-memory.dmp	upx
behavioral2/memory/2004-64-0x00007FF646860000-0x00007FF646BB1000-memory.dmp	upx
C:\Windows\System\ZtyRenC.exe	upx
behavioral2/memory/3080-134-0x00007FF7270F0000-0x00007FF727441000-memory.dmp	upx
behavioral2/memory/2004-137-0x00007FF646860000-0x00007FF646BB1000-memory.dmp	upx
behavioral2/memory/1984-139-0x00007FF72BF20000-0x00007FF72C271000-memory.dmp	upx
behavioral2/memory/4276-138-0x00007FF704F20000-0x00007FF705271000-memory.dmp	upx
behavioral2/memory/5092-140-0x00007FF7B54F0000-0x00007FF7B5841000-memory.dmp	upx
behavioral2/memory/4460-141-0x00007FF64D490000-0x00007FF64D7E1000-memory.dmp	upx
behavioral2/memory/1020-136-0x00007FF64CF40000-0x00007FF64D291000-memory.dmp	upx
behavioral2/memory/2828-135-0x00007FF6B0850000-0x00007FF6B0BA1000-memory.dmp	upx
behavioral2/memory/2108-143-0x00007FF6A3720000-0x00007FF6A3A71000-memory.dmp	upx
behavioral2/memory/3832-144-0x00007FF67C220000-0x00007FF67C571000-memory.dmp	upx
behavioral2/memory/5076-147-0x00007FF746010000-0x00007FF746361000-memory.dmp	upx
behavioral2/memory/1068-152-0x00007FF705E90000-0x00007FF7061E1000-memory.dmp	upx
behavioral2/memory/448-151-0x00007FF727BE0000-0x00007FF727F31000-memory.dmp	upx
behavioral2/memory/552-142-0x00007FF7255E0000-0x00007FF725931000-memory.dmp	upx
behavioral2/memory/968-146-0x00007FF747AA0000-0x00007FF747DF1000-memory.dmp	upx
behavioral2/memory/552-165-0x00007FF7255E0000-0x00007FF725931000-memory.dmp	upx
behavioral2/memory/4568-204-0x00007FF605070000-0x00007FF6053C1000-memory.dmp	upx
behavioral2/memory/3460-206-0x00007FF7DB740000-0x00007FF7DBA91000-memory.dmp	upx
behavioral2/memory/3620-208-0x00007FF7C0AE0000-0x00007FF7C0E31000-memory.dmp	upx
behavioral2/memory/4792-215-0x00007FF6B4330000-0x00007FF6B4681000-memory.dmp	upx
behavioral2/memory/3080-220-0x00007FF7270F0000-0x00007FF727441000-memory.dmp	upx
behavioral2/memory/2224-224-0x00007FF781B20000-0x00007FF781E71000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\TMJRiZx.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SLVXFBz.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GoElTYe.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fpUyONm.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cdUqnVv.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bFfxsIT.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZtyRenC.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zLGcyMh.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mhPGrON.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\reYjmzz.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GnMfwXO.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MUTWysv.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ILgQyjJ.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XKaAMlU.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EaXWvCy.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cViKPti.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gSgnMiK.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FXqvmjA.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rBjJvVu.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dpWFexH.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VmnCNzU.exe	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 552 wrote to memory of 4568	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	FXqvmjA.exe
PID 552 wrote to memory of 4568	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	FXqvmjA.exe
PID 552 wrote to memory of 3460	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	SLVXFBz.exe
PID 552 wrote to memory of 3460	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	SLVXFBz.exe
PID 552 wrote to memory of 3620	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	GoElTYe.exe
PID 552 wrote to memory of 3620	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	GoElTYe.exe
PID 552 wrote to memory of 4792	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	rBjJvVu.exe
PID 552 wrote to memory of 4792	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	rBjJvVu.exe
PID 552 wrote to memory of 2224	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	dpWFexH.exe
PID 552 wrote to memory of 2224	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	dpWFexH.exe
PID 552 wrote to memory of 3016	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	ILgQyjJ.exe
PID 552 wrote to memory of 3016	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	ILgQyjJ.exe
PID 552 wrote to memory of 3080	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	XKaAMlU.exe
PID 552 wrote to memory of 3080	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	XKaAMlU.exe
PID 552 wrote to memory of 2828	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	bFfxsIT.exe
PID 552 wrote to memory of 2828	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	bFfxsIT.exe
PID 552 wrote to memory of 1020	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	reYjmzz.exe
PID 552 wrote to memory of 1020	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	reYjmzz.exe
PID 552 wrote to memory of 2004	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	ZtyRenC.exe
PID 552 wrote to memory of 2004	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	ZtyRenC.exe
PID 552 wrote to memory of 2108	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	GnMfwXO.exe
PID 552 wrote to memory of 2108	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	GnMfwXO.exe
PID 552 wrote to memory of 3832	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	EaXWvCy.exe
PID 552 wrote to memory of 3832	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	EaXWvCy.exe
PID 552 wrote to memory of 2956	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	cViKPti.exe
PID 552 wrote to memory of 2956	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	cViKPti.exe
PID 552 wrote to memory of 968	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	MUTWysv.exe
PID 552 wrote to memory of 968	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	MUTWysv.exe
PID 552 wrote to memory of 5076	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	fpUyONm.exe
PID 552 wrote to memory of 5076	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	fpUyONm.exe
PID 552 wrote to memory of 4276	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	gSgnMiK.exe
PID 552 wrote to memory of 4276	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	gSgnMiK.exe
PID 552 wrote to memory of 5092	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	zLGcyMh.exe
PID 552 wrote to memory of 5092	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	zLGcyMh.exe
PID 552 wrote to memory of 1984	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	mhPGrON.exe
PID 552 wrote to memory of 1984	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	mhPGrON.exe
PID 552 wrote to memory of 448	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	cdUqnVv.exe
PID 552 wrote to memory of 448	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	cdUqnVv.exe
PID 552 wrote to memory of 1068	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	VmnCNzU.exe
PID 552 wrote to memory of 1068	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	VmnCNzU.exe
PID 552 wrote to memory of 4460	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	TMJRiZx.exe
PID 552 wrote to memory of 4460	552	2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe	TMJRiZx.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_eae85687ee7c925cc9573d97c5d14877_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\System\FXqvmjA.exe
  C:\Windows\System\FXqvmjA.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\SLVXFBz.exe
  C:\Windows\System\SLVXFBz.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\GoElTYe.exe
  C:\Windows\System\GoElTYe.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\rBjJvVu.exe
  C:\Windows\System\rBjJvVu.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\dpWFexH.exe
  C:\Windows\System\dpWFexH.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\ILgQyjJ.exe
  C:\Windows\System\ILgQyjJ.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\XKaAMlU.exe
  C:\Windows\System\XKaAMlU.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System\bFfxsIT.exe
  C:\Windows\System\bFfxsIT.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\reYjmzz.exe
  C:\Windows\System\reYjmzz.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\ZtyRenC.exe
  C:\Windows\System\ZtyRenC.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\GnMfwXO.exe
  C:\Windows\System\GnMfwXO.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\EaXWvCy.exe
  C:\Windows\System\EaXWvCy.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\cViKPti.exe
  C:\Windows\System\cViKPti.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\MUTWysv.exe
  C:\Windows\System\MUTWysv.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\fpUyONm.exe
  C:\Windows\System\fpUyONm.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\gSgnMiK.exe
  C:\Windows\System\gSgnMiK.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\zLGcyMh.exe
  C:\Windows\System\zLGcyMh.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\mhPGrON.exe
  C:\Windows\System\mhPGrON.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\cdUqnVv.exe
  C:\Windows\System\cdUqnVv.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System\VmnCNzU.exe
  C:\Windows\System\VmnCNzU.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\TMJRiZx.exe
  C:\Windows\System\TMJRiZx.exe
  2⤵
  - Executes dropped EXE
  PID:4460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EaXWvCy.exe

Filesize
5.2MB

MD5
011686c4ab6a8d38e97c9c692c74e129

SHA1
d00cae01550b7f367061ac50f84ca12830944dc6

SHA256
81e1e59bd68ed3c57becf1d43ee6e1e8545444aa204a8e4449358583e0f43804

SHA512
927a76ab58ea2e66cf3dd411f54cc5db0ef6a77ea99d4d6c51385aa421c67d158d529f474f943d9eaf78286839e2801507ee238d848818ffe0f1f8428299212b

Download Submit
C:\Windows\System\FXqvmjA.exe

Filesize
5.2MB

MD5
0927accc906d76b7b4bc065e3ca4ec13

SHA1
6c4f3e82eebbcc0b90db23545c9c2544e6677cb8

SHA256
85e5e1cfb004fd96aa758549edd230c92028c450364f4d5cbbdc2881a60d5099

SHA512
ba3a728607b4cc751cdd90c67e0f916976d755ed6028ea64ff97cbb4a9739d536c909c92bf371edd65863957a9e700e58d96fcc76905b3148aac7945869a7f62

Download Submit
C:\Windows\System\GnMfwXO.exe

Filesize
5.2MB

MD5
b98e3297c3daa6fb41fe7eeec5add292

SHA1
c5596dcf872596b05a11a73fbbd9daf1f90cdbd5

SHA256
96cb3e1d7a6c91885326bbe1677793387272182cb1e5bbb16ec706b23791eda7

SHA512
efde678f12cddc0430652dd66bef4cb31cb559df95e3bd24c4973ef8fd493e46b45a536e774f3523ad0e8b9cefacbb34df9a14797dbcda84ada1464d98167e9c

Download Submit
C:\Windows\System\GoElTYe.exe

Filesize
5.2MB

MD5
7cf7e570320b7f37c75275c68c2a56e6

SHA1
c2067c8c2fc4b4f477c3b789d3fd973b10f3b6e0

SHA256
18a393fb32cfba31dba0943aa6be8378839ecd458c36fba468c29b79801d3367

SHA512
705ccbd52650424753e6d7ae23a1c384cf530658152e8edef04da0d33472195131d2d19f6c8d1299fdcdbd661b818a1b18f3abc619425ebfce2224d8f6d65f85

Download Submit
C:\Windows\System\ILgQyjJ.exe

Filesize
5.2MB

MD5
f26d343e608e213455e9cc636d185c8e

SHA1
bf87bead1c1c9f619fdf3717667fde483e6301fc

SHA256
a8c2677b662a248d8c95564f9c0df3ede608c40348e7dbd14f1f4f9c8dfba3ee

SHA512
15e146f3bc21a7a76d7611cf98775dc5bca3892256d95d83a2fbdbae7dd9ecad3fe53e8de29cf2e4ca84023a0c8939bbc8441f6b497fccdec98663b95ac63186

Download Submit
C:\Windows\System\MUTWysv.exe

Filesize
5.2MB

MD5
c5d909b4ce40c87cb792866b92734f9b

SHA1
e9fceac6ea9ec9a9629d644fec41e0b28343bc14

SHA256
4ed706d5d01888ac67fd100c13a36e86a87d24d5e7f849a962973ffe0dc66740

SHA512
d5fbba5ef8f9f92b34110b65f4635cc6f451b9c01f5725555202319e86d54647034ff6765300656d3b5e6e8acd1ba9aad2982d964da94259d2b0e3a81560ca19

Download Submit
C:\Windows\System\SLVXFBz.exe

Filesize
5.2MB

MD5
1d1e1eeadcb7bcdde54d301ff0a0a57f

SHA1
2d4cc42633a3bcf09b1913b37fc354f196afe7fe

SHA256
fa7443a5e68ce1dc21819bf7e3c8ca25ca3c7be1819bc5315a66718e44c487dc

SHA512
0869329b781a29273c1ed9250dcb8c77e007c3274a8979cce6417023dfa1d2a09dd180871e94efee877e1d7de190afd8d5995ab39eaa3f61a50127ae21369c97

Download Submit
C:\Windows\System\TMJRiZx.exe

Filesize
5.2MB

MD5
fd9fe621eb161f255446be911ac878d1

SHA1
1a9a2b998b10da618dc39102180fdad98aef571c

SHA256
6b28d2a187c53ffe99f31df910dee7004aa5003ed7df84589ae5d8481e312dd0

SHA512
2b6c6e7608f52e0f98c958960ec85b7c543e5cf3a29c5ffd19aa318b5fe71cd7a3029306c0630a8ffc7694b681d57d405be64da93b652fe785de056f9bfd214f

Download Submit
C:\Windows\System\VmnCNzU.exe

Filesize
5.2MB

MD5
711d0f587e680796aa28f93dfe77e6f4

SHA1
2f8bf61c9abafb9f0dffcd58b5e0a330c232921d

SHA256
ae9a083791f5e9aa870e1c4c77cade52ba45e283276070d31d755595578a5a77

SHA512
3672540a5c224dfc333708d437707e5e47705ff9b57b4cfb4940e04f0e9d217a5fc6741a7cb33470a819503dc33cce39057ee77f9d9ef813779f083525e207c5

Download Submit
C:\Windows\System\XKaAMlU.exe

Filesize
5.2MB

MD5
86058686d94bc711c510cd4e88879386

SHA1
f4bec867ff68f8dcc483adb124f63f536c37e6dd

SHA256
721896dec5f9dd637e056d535310fd824df15ff86d6587966ff690fe6dd9e97f

SHA512
b13e4a4722c8cd9410833e44871516acaf4d032b999b4cd1ff9cdad9d14107df3f0f66795206211ac4ce037f16fc71b6fff6a52a32907bcb794a458a8d973c5f

Download Submit
C:\Windows\System\ZtyRenC.exe

Filesize
5.2MB

MD5
a4ee0624d00e4aff2368df55b4e533a1

SHA1
a337ae549ea26e36efc7bad630090a529b52a0e7

SHA256
b77c42df0118edba5cc2b34f4ce100a9a3d70f9981a9a45381eb3b5a8a5b4beb

SHA512
3f57545745553f52af5a3cb955d0962171bebc8ae483a95ca200f4a839b0a041540fe447ecf8ce4a08e6dbc3572735320d524d8a0c487682917fd097a2f71e80

Download Submit
C:\Windows\System\bFfxsIT.exe

Filesize
5.2MB

MD5
cddf93b0e12d2b502f16bc237b5e6af2

SHA1
039d01df934523cf5967a29010543b70acbcf005

SHA256
3aa1a391111d00367a3878687c8bf238ff521e3dc52a5be9b8e4a0739ec30836

SHA512
13798bd7d9b9e13c29cf22ed660de49a9424a411dca2d1f9cac9d19c5175cf2b5f47333a8bf70f6d75cac2e37f825aaa7a8ce7bff2d6d52ee388019ee5ef9c3e

Download Submit
C:\Windows\System\cViKPti.exe

Filesize
5.2MB

MD5
db48e4e3a586d2d902297f410fa6e7ab

SHA1
0f9828e8eabc2b187d8e4794916a6f62871c1769

SHA256
622cd49b5474f3318108f575efd5d95b438c4c216b91e0f2325a55998c04159a

SHA512
73cc9f3f4cf3fe4e2c715e66e71e9b88067b8d29912883a0e34cfd23d9b1656dcb110cf84f2073fbad0eb8c87a15edd6085990b2ee0df84a6aac06c980db1933

Download Submit
C:\Windows\System\cdUqnVv.exe

Filesize
5.2MB

MD5
0124de49b125618fbd890be3fdeeea62

SHA1
f691584557e9366d56fd9f57e6f8b495bbe7e418

SHA256
e351f51163f4c3c392f75a0c563ff5b645d23df46bdb63d8658ec6ada6b198f5

SHA512
a00132f183ce2aefe7b88d5c16ac738c91d356f2d6a945b65edf340e0bcd4735b851bd26f01ad2d7f27c20abb9ac4548c3f3b4e7372f9316632493ef99f71e2d

Download Submit
C:\Windows\System\dpWFexH.exe

Filesize
5.2MB

MD5
9771ef08b224b14e902e22d2bcae69e4

SHA1
f15413d57788e83fe2cfa6b4443ab0da24338176

SHA256
0bb9cb19c6f1b659692afe5f050c7893fb97dfe38f0e752a083b43f118549f75

SHA512
3307e6d25c1c02f07d3d9a254cb13cfc5f8fa4e38aeb002f4279063947afd258ae1dd1819ddb31c911e84e2eb462107c39e44f96fdb1a916a8dc901dac5222cd

Download Submit
C:\Windows\System\fpUyONm.exe

Filesize
5.2MB

MD5
8ab6e2b907a1ba134ec7eb21fedce1c4

SHA1
c5acc88be27f99bea5b4c22ad0ffc61002895d95

SHA256
5ddbdb57861d53b1437d07efba344ed396718bae82ea3d1832b662a3a2cfeb4d

SHA512
24f3d637608454d5a1908443d48d4b95aa97914071d63dc62ac004840695eb69188e01d5e619c3ae181d941db4cce6810c456dadf42db0a79c575e349848574a

Download Submit
C:\Windows\System\gSgnMiK.exe

Filesize
5.2MB

MD5
ffa62a35400362816d9a97e6b937e4c2

SHA1
5c3608142cad8ca3c252ca660287ce8d645abfac

SHA256
5f5f5659631ed0cf3cee0b1154faee0c1d7f51a1873bed0a83ee2718e8eeacb6

SHA512
7af5e67a7ed869e08b899681fb98f2e7d13cd984fdf98bba230eb0ab80f45ae809cefa6dfb884cf08c199fe1793f44b0bd62b2df61e7b235b24e8c80a7b8370f

Download Submit
C:\Windows\System\mhPGrON.exe

Filesize
5.2MB

MD5
84e72d2ccfa809e0d79aec8478939c08

SHA1
ed047f5ba8d1be6188bc69d89d90a3963f81e41e

SHA256
9136567f91ddc34fbc2ceb87218d8812a2a44b5a2248af6b00976c7e97d21c3a

SHA512
281045ce7d475688aa6ec5a0cd4ef920fd240cf6bfa779e84e8a82f1a1a50ae57270a0b425feaa7f6d1a8de15797e4bd786dd8de9021538e874002230e23628b

Download Submit
C:\Windows\System\rBjJvVu.exe

Filesize
5.2MB

MD5
ce6541d9a58260ca36277f38d0b5a4eb

SHA1
258ebb0b73edc935034394586a69557e59afc8bb

SHA256
4c673665666d847f112edfee6e64b615ebc319bc6263eafa7da8d7038eddb961

SHA512
afe0164cccf57a744afaf69ad0e5b15d5ad95942bc978cd94c1175f74ad728fd450c3b5ca84d9fb22e1a1c95e68a6775230e1f32d1545af375b544f6d6987eb9

Download Submit
C:\Windows\System\reYjmzz.exe

Filesize
5.2MB

MD5
331865f75718a58211a46381890c6788

SHA1
514d15f1d1211494d414969530c67ea8f536f4a1

SHA256
5cda8edbc107bc983c84efbb0c249c6246666358b892e7613d087568d643ea34

SHA512
bc34efc5fb4c75334e522d682f692b62dc503a43bcff98c1999a64499c2343062061940194c3752c6c8234b9b27259199e0cf25372820a20099cb936706a613e

Download Submit
C:\Windows\System\zLGcyMh.exe

Filesize
5.2MB

MD5
d89508375fc3c7e9cfb19819e675f76f

SHA1
812f0774cbc121f4eb101afa4f02f299d95eef1c

SHA256
838eae399cc70e33c6d93b77c169244d917b3cff0b7907d5cda6adabac880c33

SHA512
e86b4b8f6d6e10c2b1b3e42b37c7f48f6be96b576222499128fec9b6c5b537bf82cabda5a35a0b64c5ff194d2d40eab083be25979a83a41bed34504bb7c1d7b2

Download Submit
memory/448-253-0x00007FF727BE0000-0x00007FF727F31000-memory.dmp

Filesize
3.3MB

Download
memory/448-151-0x00007FF727BE0000-0x00007FF727F31000-memory.dmp

Filesize
3.3MB

Download
memory/448-114-0x00007FF727BE0000-0x00007FF727F31000-memory.dmp

Filesize
3.3MB

Download
memory/552-165-0x00007FF7255E0000-0x00007FF725931000-memory.dmp

Filesize
3.3MB

Download
memory/552-73-0x00007FF7255E0000-0x00007FF725931000-memory.dmp

Filesize
3.3MB

Download
memory/552-1-0x0000025909010000-0x0000025909020000-memory.dmp

Filesize
64KB

Download
memory/552-142-0x00007FF7255E0000-0x00007FF725931000-memory.dmp

Filesize
3.3MB

Download
memory/552-0-0x00007FF7255E0000-0x00007FF725931000-memory.dmp

Filesize
3.3MB

Download
memory/968-146-0x00007FF747AA0000-0x00007FF747DF1000-memory.dmp

Filesize
3.3MB

Download
memory/968-85-0x00007FF747AA0000-0x00007FF747DF1000-memory.dmp

Filesize
3.3MB

Download
memory/968-250-0x00007FF747AA0000-0x00007FF747DF1000-memory.dmp

Filesize
3.3MB

Download
memory/1020-54-0x00007FF64CF40000-0x00007FF64D291000-memory.dmp

Filesize
3.3MB

Download
memory/1020-136-0x00007FF64CF40000-0x00007FF64D291000-memory.dmp

Filesize
3.3MB

Download
memory/1020-218-0x00007FF64CF40000-0x00007FF64D291000-memory.dmp

Filesize
3.3MB

Download
memory/1068-152-0x00007FF705E90000-0x00007FF7061E1000-memory.dmp

Filesize
3.3MB

Download
memory/1068-120-0x00007FF705E90000-0x00007FF7061E1000-memory.dmp

Filesize
3.3MB

Download
memory/1068-260-0x00007FF705E90000-0x00007FF7061E1000-memory.dmp

Filesize
3.3MB

Download
memory/1984-139-0x00007FF72BF20000-0x00007FF72C271000-memory.dmp

Filesize
3.3MB

Download
memory/1984-256-0x00007FF72BF20000-0x00007FF72C271000-memory.dmp

Filesize
3.3MB

Download
memory/2004-64-0x00007FF646860000-0x00007FF646BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2004-230-0x00007FF646860000-0x00007FF646BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2004-137-0x00007FF646860000-0x00007FF646BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-70-0x00007FF6A3720000-0x00007FF6A3A71000-memory.dmp

Filesize
3.3MB

Download
memory/2108-241-0x00007FF6A3720000-0x00007FF6A3A71000-memory.dmp

Filesize
3.3MB

Download
memory/2108-143-0x00007FF6A3720000-0x00007FF6A3A71000-memory.dmp

Filesize
3.3MB

Download
memory/2224-51-0x00007FF781B20000-0x00007FF781E71000-memory.dmp

Filesize
3.3MB

Download
memory/2224-224-0x00007FF781B20000-0x00007FF781E71000-memory.dmp

Filesize
3.3MB

Download
memory/2828-135-0x00007FF6B0850000-0x00007FF6B0BA1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-225-0x00007FF6B0850000-0x00007FF6B0BA1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-47-0x00007FF6B0850000-0x00007FF6B0BA1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-245-0x00007FF7748B0000-0x00007FF774C01000-memory.dmp

Filesize
3.3MB

Download
memory/2956-84-0x00007FF7748B0000-0x00007FF774C01000-memory.dmp

Filesize
3.3MB

Download
memory/3016-40-0x00007FF7B33A0000-0x00007FF7B36F1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-222-0x00007FF7B33A0000-0x00007FF7B36F1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-105-0x00007FF7B33A0000-0x00007FF7B36F1000-memory.dmp

Filesize
3.3MB

Download
memory/3080-220-0x00007FF7270F0000-0x00007FF727441000-memory.dmp

Filesize
3.3MB

Download
memory/3080-41-0x00007FF7270F0000-0x00007FF727441000-memory.dmp

Filesize
3.3MB

Download
memory/3080-134-0x00007FF7270F0000-0x00007FF727441000-memory.dmp

Filesize
3.3MB

Download
memory/3460-20-0x00007FF7DB740000-0x00007FF7DBA91000-memory.dmp

Filesize
3.3MB

Download
memory/3460-206-0x00007FF7DB740000-0x00007FF7DBA91000-memory.dmp

Filesize
3.3MB

Download
memory/3620-208-0x00007FF7C0AE0000-0x00007FF7C0E31000-memory.dmp

Filesize
3.3MB

Download
memory/3620-23-0x00007FF7C0AE0000-0x00007FF7C0E31000-memory.dmp

Filesize
3.3MB

Download
memory/3832-80-0x00007FF67C220000-0x00007FF67C571000-memory.dmp

Filesize
3.3MB

Download
memory/3832-144-0x00007FF67C220000-0x00007FF67C571000-memory.dmp

Filesize
3.3MB

Download
memory/3832-243-0x00007FF67C220000-0x00007FF67C571000-memory.dmp

Filesize
3.3MB

Download
memory/4276-138-0x00007FF704F20000-0x00007FF705271000-memory.dmp

Filesize
3.3MB

Download
memory/4276-254-0x00007FF704F20000-0x00007FF705271000-memory.dmp

Filesize
3.3MB

Download
memory/4460-141-0x00007FF64D490000-0x00007FF64D7E1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-261-0x00007FF64D490000-0x00007FF64D7E1000-memory.dmp

Filesize
3.3MB

Download
memory/4568-204-0x00007FF605070000-0x00007FF6053C1000-memory.dmp

Filesize
3.3MB

Download
memory/4568-9-0x00007FF605070000-0x00007FF6053C1000-memory.dmp

Filesize
3.3MB

Download
memory/4792-98-0x00007FF6B4330000-0x00007FF6B4681000-memory.dmp

Filesize
3.3MB

Download
memory/4792-27-0x00007FF6B4330000-0x00007FF6B4681000-memory.dmp

Filesize
3.3MB

Download
memory/4792-215-0x00007FF6B4330000-0x00007FF6B4681000-memory.dmp

Filesize
3.3MB

Download
memory/5076-147-0x00007FF746010000-0x00007FF746361000-memory.dmp

Filesize
3.3MB

Download
memory/5076-111-0x00007FF746010000-0x00007FF746361000-memory.dmp

Filesize
3.3MB

Download
memory/5076-257-0x00007FF746010000-0x00007FF746361000-memory.dmp

Filesize
3.3MB

Download
memory/5092-140-0x00007FF7B54F0000-0x00007FF7B5841000-memory.dmp

Filesize
3.3MB

Download
memory/5092-248-0x00007FF7B54F0000-0x00007FF7B5841000-memory.dmp

Filesize
3.3MB

Download