cobaltstrike | 08ffc8dd51b293e058fa3d8cd826527fa986427825733e5cdc076c7f27181635

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

121f3c5fa940d9c374611253a147afc3
SHA1

a3f2a4d5c3521d10f2c96b153fc4c9f3b542d59c
SHA256

08ffc8dd51b293e058fa3d8cd826527fa986427825733e5cdc076c7f27181635
SHA512

5a8d5dfc3e10993754785367f3acff56a852c7e72b3d79f275ba2bfb5c081c90936030770b8c4d991180bcc510cba74bcad2de64f307de19a472ff3ced35d91c
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l/:RWWBibf56utgpPFotBER/mQ32lUj

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\GnLDAjg.exe	cobalt_reflective_dll
C:\Windows\System\gEixUMR.exe	cobalt_reflective_dll
C:\Windows\System\cDsGIoc.exe	cobalt_reflective_dll
C:\Windows\System\uKgMpZF.exe	cobalt_reflective_dll
C:\Windows\System\pYiIhIR.exe	cobalt_reflective_dll
C:\Windows\System\nbbCgWB.exe	cobalt_reflective_dll
C:\Windows\System\HqBTwrL.exe	cobalt_reflective_dll
C:\Windows\System\yiaWyuQ.exe	cobalt_reflective_dll
C:\Windows\System\wRzKOym.exe	cobalt_reflective_dll
C:\Windows\System\sWWUncb.exe	cobalt_reflective_dll
C:\Windows\System\fDJAncO.exe	cobalt_reflective_dll
C:\Windows\System\VQtXhqQ.exe	cobalt_reflective_dll
C:\Windows\System\JctuKOg.exe	cobalt_reflective_dll
C:\Windows\System\TDMsnSa.exe	cobalt_reflective_dll
C:\Windows\System\BXqIEqH.exe	cobalt_reflective_dll
C:\Windows\System\tUmwNxi.exe	cobalt_reflective_dll
C:\Windows\System\ULfRRqV.exe	cobalt_reflective_dll
C:\Windows\System\uObSebl.exe	cobalt_reflective_dll
C:\Windows\System\xOTBfGD.exe	cobalt_reflective_dll
C:\Windows\System\RdwdIiS.exe	cobalt_reflective_dll
C:\Windows\System\actUkTr.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3576-97-0x00007FF7274C0000-0x00007FF727811000-memory.dmp	xmrig
behavioral2/memory/3648-103-0x00007FF66AA00000-0x00007FF66AD51000-memory.dmp	xmrig
behavioral2/memory/3196-107-0x00007FF703A10000-0x00007FF703D61000-memory.dmp	xmrig
behavioral2/memory/2552-106-0x00007FF6D4010000-0x00007FF6D4361000-memory.dmp	xmrig
behavioral2/memory/216-98-0x00007FF6146D0000-0x00007FF614A21000-memory.dmp	xmrig
behavioral2/memory/1436-88-0x00007FF63AB40000-0x00007FF63AE91000-memory.dmp	xmrig
behavioral2/memory/4008-135-0x00007FF75FED0000-0x00007FF760221000-memory.dmp	xmrig
behavioral2/memory/2556-136-0x00007FF6E8830000-0x00007FF6E8B81000-memory.dmp	xmrig
behavioral2/memory/3020-144-0x00007FF7F3A20000-0x00007FF7F3D71000-memory.dmp	xmrig
behavioral2/memory/4488-149-0x00007FF691650000-0x00007FF6919A1000-memory.dmp	xmrig
behavioral2/memory/4432-148-0x00007FF6A5700000-0x00007FF6A5A51000-memory.dmp	xmrig
behavioral2/memory/992-147-0x00007FF6BFD80000-0x00007FF6C00D1000-memory.dmp	xmrig
behavioral2/memory/1568-146-0x00007FF7F8450000-0x00007FF7F87A1000-memory.dmp	xmrig
behavioral2/memory/324-145-0x00007FF7F5B50000-0x00007FF7F5EA1000-memory.dmp	xmrig
behavioral2/memory/1460-140-0x00007FF752D10000-0x00007FF753061000-memory.dmp	xmrig
behavioral2/memory/2696-138-0x00007FF704C50000-0x00007FF704FA1000-memory.dmp	xmrig
behavioral2/memory/3704-134-0x00007FF657810000-0x00007FF657B61000-memory.dmp	xmrig
behavioral2/memory/1952-132-0x00007FF74CF90000-0x00007FF74D2E1000-memory.dmp	xmrig
behavioral2/memory/1216-130-0x00007FF65E540000-0x00007FF65E891000-memory.dmp	xmrig
behavioral2/memory/5056-129-0x00007FF6F3580000-0x00007FF6F38D1000-memory.dmp	xmrig
behavioral2/memory/1868-128-0x00007FF657D30000-0x00007FF658081000-memory.dmp	xmrig
behavioral2/memory/4852-131-0x00007FF7D30C0000-0x00007FF7D3411000-memory.dmp	xmrig
behavioral2/memory/1868-150-0x00007FF657D30000-0x00007FF658081000-memory.dmp	xmrig
behavioral2/memory/5056-203-0x00007FF6F3580000-0x00007FF6F38D1000-memory.dmp	xmrig
behavioral2/memory/1216-205-0x00007FF65E540000-0x00007FF65E891000-memory.dmp	xmrig
behavioral2/memory/4852-220-0x00007FF7D30C0000-0x00007FF7D3411000-memory.dmp	xmrig
behavioral2/memory/1952-219-0x00007FF74CF90000-0x00007FF74D2E1000-memory.dmp	xmrig
behavioral2/memory/3704-224-0x00007FF657810000-0x00007FF657B61000-memory.dmp	xmrig
behavioral2/memory/3576-223-0x00007FF7274C0000-0x00007FF727811000-memory.dmp	xmrig
behavioral2/memory/2556-227-0x00007FF6E8830000-0x00007FF6E8B81000-memory.dmp	xmrig
behavioral2/memory/1436-228-0x00007FF63AB40000-0x00007FF63AE91000-memory.dmp	xmrig
behavioral2/memory/216-230-0x00007FF6146D0000-0x00007FF614A21000-memory.dmp	xmrig
behavioral2/memory/2696-232-0x00007FF704C50000-0x00007FF704FA1000-memory.dmp	xmrig
behavioral2/memory/1460-236-0x00007FF752D10000-0x00007FF753061000-memory.dmp	xmrig
behavioral2/memory/3648-234-0x00007FF66AA00000-0x00007FF66AD51000-memory.dmp	xmrig
behavioral2/memory/3020-249-0x00007FF7F3A20000-0x00007FF7F3D71000-memory.dmp	xmrig
behavioral2/memory/324-253-0x00007FF7F5B50000-0x00007FF7F5EA1000-memory.dmp	xmrig
behavioral2/memory/4432-255-0x00007FF6A5700000-0x00007FF6A5A51000-memory.dmp	xmrig
behavioral2/memory/4488-257-0x00007FF691650000-0x00007FF6919A1000-memory.dmp	xmrig
behavioral2/memory/2552-251-0x00007FF6D4010000-0x00007FF6D4361000-memory.dmp	xmrig
behavioral2/memory/1568-245-0x00007FF7F8450000-0x00007FF7F87A1000-memory.dmp	xmrig
behavioral2/memory/992-244-0x00007FF6BFD80000-0x00007FF6C00D1000-memory.dmp	xmrig
behavioral2/memory/3196-248-0x00007FF703A10000-0x00007FF703D61000-memory.dmp	xmrig
behavioral2/memory/4008-242-0x00007FF75FED0000-0x00007FF760221000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

GnLDAjg.exegEixUMR.exeactUkTr.execDsGIoc.exeRdwdIiS.exeuKgMpZF.exetUmwNxi.exepYiIhIR.exeuObSebl.exexOTBfGD.exeBXqIEqH.exenbbCgWB.exeHqBTwrL.exeULfRRqV.exeTDMsnSa.exeJctuKOg.exeVQtXhqQ.exeyiaWyuQ.exewRzKOym.exefDJAncO.exesWWUncb.exe

pid	process
5056	GnLDAjg.exe
1216	gEixUMR.exe
4852	actUkTr.exe
1952	cDsGIoc.exe
3576	RdwdIiS.exe
3704	uKgMpZF.exe
4008	tUmwNxi.exe
216	pYiIhIR.exe
2696	uObSebl.exe
2556	xOTBfGD.exe
3648	BXqIEqH.exe
1460	nbbCgWB.exe
2552	HqBTwrL.exe
1436	ULfRRqV.exe
3196	TDMsnSa.exe
3020	JctuKOg.exe
324	VQtXhqQ.exe
1568	yiaWyuQ.exe
992	wRzKOym.exe
4432	fDJAncO.exe
4488	sWWUncb.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1868-0-0x00007FF657D30000-0x00007FF658081000-memory.dmp	upx
C:\Windows\System\GnLDAjg.exe	upx
C:\Windows\System\gEixUMR.exe	upx
C:\Windows\System\cDsGIoc.exe	upx
C:\Windows\System\uKgMpZF.exe	upx
C:\Windows\System\pYiIhIR.exe	upx
C:\Windows\System\nbbCgWB.exe	upx
C:\Windows\System\HqBTwrL.exe	upx
behavioral2/memory/1460-87-0x00007FF752D10000-0x00007FF753061000-memory.dmp	upx
behavioral2/memory/3020-92-0x00007FF7F3A20000-0x00007FF7F3D71000-memory.dmp	upx
behavioral2/memory/3576-97-0x00007FF7274C0000-0x00007FF727811000-memory.dmp	upx
behavioral2/memory/3648-103-0x00007FF66AA00000-0x00007FF66AD51000-memory.dmp	upx
C:\Windows\System\yiaWyuQ.exe	upx
C:\Windows\System\wRzKOym.exe	upx
C:\Windows\System\sWWUncb.exe	upx
C:\Windows\System\fDJAncO.exe	upx
behavioral2/memory/4432-123-0x00007FF6A5700000-0x00007FF6A5A51000-memory.dmp	upx
behavioral2/memory/4488-120-0x00007FF691650000-0x00007FF6919A1000-memory.dmp	upx
behavioral2/memory/992-119-0x00007FF6BFD80000-0x00007FF6C00D1000-memory.dmp	upx
behavioral2/memory/1568-108-0x00007FF7F8450000-0x00007FF7F87A1000-memory.dmp	upx
behavioral2/memory/3196-107-0x00007FF703A10000-0x00007FF703D61000-memory.dmp	upx
behavioral2/memory/2552-106-0x00007FF6D4010000-0x00007FF6D4361000-memory.dmp	upx
C:\Windows\System\VQtXhqQ.exe	upx
behavioral2/memory/216-98-0x00007FF6146D0000-0x00007FF614A21000-memory.dmp	upx
C:\Windows\System\JctuKOg.exe	upx
C:\Windows\System\TDMsnSa.exe	upx
behavioral2/memory/324-93-0x00007FF7F5B50000-0x00007FF7F5EA1000-memory.dmp	upx
behavioral2/memory/1436-88-0x00007FF63AB40000-0x00007FF63AE91000-memory.dmp	upx
C:\Windows\System\BXqIEqH.exe	upx
C:\Windows\System\tUmwNxi.exe	upx
behavioral2/memory/2556-75-0x00007FF6E8830000-0x00007FF6E8B81000-memory.dmp	upx
C:\Windows\System\ULfRRqV.exe	upx
C:\Windows\System\uObSebl.exe	upx
behavioral2/memory/2696-60-0x00007FF704C50000-0x00007FF704FA1000-memory.dmp	upx
C:\Windows\System\xOTBfGD.exe	upx
behavioral2/memory/4008-53-0x00007FF75FED0000-0x00007FF760221000-memory.dmp	upx
behavioral2/memory/3704-51-0x00007FF657810000-0x00007FF657B61000-memory.dmp	upx
C:\Windows\System\RdwdIiS.exe	upx
behavioral2/memory/1952-39-0x00007FF74CF90000-0x00007FF74D2E1000-memory.dmp	upx
C:\Windows\System\actUkTr.exe	upx
behavioral2/memory/1216-18-0x00007FF65E540000-0x00007FF65E891000-memory.dmp	upx
behavioral2/memory/4852-24-0x00007FF7D30C0000-0x00007FF7D3411000-memory.dmp	upx
behavioral2/memory/5056-8-0x00007FF6F3580000-0x00007FF6F38D1000-memory.dmp	upx
behavioral2/memory/4008-135-0x00007FF75FED0000-0x00007FF760221000-memory.dmp	upx
behavioral2/memory/2556-136-0x00007FF6E8830000-0x00007FF6E8B81000-memory.dmp	upx
behavioral2/memory/3020-144-0x00007FF7F3A20000-0x00007FF7F3D71000-memory.dmp	upx
behavioral2/memory/4488-149-0x00007FF691650000-0x00007FF6919A1000-memory.dmp	upx
behavioral2/memory/4432-148-0x00007FF6A5700000-0x00007FF6A5A51000-memory.dmp	upx
behavioral2/memory/992-147-0x00007FF6BFD80000-0x00007FF6C00D1000-memory.dmp	upx
behavioral2/memory/1568-146-0x00007FF7F8450000-0x00007FF7F87A1000-memory.dmp	upx
behavioral2/memory/324-145-0x00007FF7F5B50000-0x00007FF7F5EA1000-memory.dmp	upx
behavioral2/memory/1460-140-0x00007FF752D10000-0x00007FF753061000-memory.dmp	upx
behavioral2/memory/2696-138-0x00007FF704C50000-0x00007FF704FA1000-memory.dmp	upx
behavioral2/memory/3704-134-0x00007FF657810000-0x00007FF657B61000-memory.dmp	upx
behavioral2/memory/1952-132-0x00007FF74CF90000-0x00007FF74D2E1000-memory.dmp	upx
behavioral2/memory/1216-130-0x00007FF65E540000-0x00007FF65E891000-memory.dmp	upx
behavioral2/memory/5056-129-0x00007FF6F3580000-0x00007FF6F38D1000-memory.dmp	upx
behavioral2/memory/1868-128-0x00007FF657D30000-0x00007FF658081000-memory.dmp	upx
behavioral2/memory/4852-131-0x00007FF7D30C0000-0x00007FF7D3411000-memory.dmp	upx
behavioral2/memory/1868-150-0x00007FF657D30000-0x00007FF658081000-memory.dmp	upx
behavioral2/memory/5056-203-0x00007FF6F3580000-0x00007FF6F38D1000-memory.dmp	upx
behavioral2/memory/1216-205-0x00007FF65E540000-0x00007FF65E891000-memory.dmp	upx
behavioral2/memory/4852-220-0x00007FF7D30C0000-0x00007FF7D3411000-memory.dmp	upx
behavioral2/memory/1952-219-0x00007FF74CF90000-0x00007FF74D2E1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\GnLDAjg.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RdwdIiS.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uKgMpZF.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xOTBfGD.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pYiIhIR.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BXqIEqH.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HqBTwrL.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sWWUncb.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\actUkTr.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nbbCgWB.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ULfRRqV.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JctuKOg.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VQtXhqQ.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wRzKOym.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gEixUMR.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cDsGIoc.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tUmwNxi.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fDJAncO.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uObSebl.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TDMsnSa.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yiaWyuQ.exe	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1868 wrote to memory of 5056	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	GnLDAjg.exe
PID 1868 wrote to memory of 5056	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	GnLDAjg.exe
PID 1868 wrote to memory of 1216	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	gEixUMR.exe
PID 1868 wrote to memory of 1216	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	gEixUMR.exe
PID 1868 wrote to memory of 4852	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	actUkTr.exe
PID 1868 wrote to memory of 4852	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	actUkTr.exe
PID 1868 wrote to memory of 1952	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	cDsGIoc.exe
PID 1868 wrote to memory of 1952	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	cDsGIoc.exe
PID 1868 wrote to memory of 3576	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	RdwdIiS.exe
PID 1868 wrote to memory of 3576	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	RdwdIiS.exe
PID 1868 wrote to memory of 3704	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	uKgMpZF.exe
PID 1868 wrote to memory of 3704	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	uKgMpZF.exe
PID 1868 wrote to memory of 4008	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	tUmwNxi.exe
PID 1868 wrote to memory of 4008	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	tUmwNxi.exe
PID 1868 wrote to memory of 2556	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	xOTBfGD.exe
PID 1868 wrote to memory of 2556	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	xOTBfGD.exe
PID 1868 wrote to memory of 216	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	pYiIhIR.exe
PID 1868 wrote to memory of 216	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	pYiIhIR.exe
PID 1868 wrote to memory of 2696	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	uObSebl.exe
PID 1868 wrote to memory of 2696	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	uObSebl.exe
PID 1868 wrote to memory of 3648	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	BXqIEqH.exe
PID 1868 wrote to memory of 3648	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	BXqIEqH.exe
PID 1868 wrote to memory of 1460	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	nbbCgWB.exe
PID 1868 wrote to memory of 1460	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	nbbCgWB.exe
PID 1868 wrote to memory of 2552	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	HqBTwrL.exe
PID 1868 wrote to memory of 2552	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	HqBTwrL.exe
PID 1868 wrote to memory of 1436	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	ULfRRqV.exe
PID 1868 wrote to memory of 1436	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	ULfRRqV.exe
PID 1868 wrote to memory of 3196	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	TDMsnSa.exe
PID 1868 wrote to memory of 3196	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	TDMsnSa.exe
PID 1868 wrote to memory of 3020	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	JctuKOg.exe
PID 1868 wrote to memory of 3020	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	JctuKOg.exe
PID 1868 wrote to memory of 324	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	VQtXhqQ.exe
PID 1868 wrote to memory of 324	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	VQtXhqQ.exe
PID 1868 wrote to memory of 1568	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	yiaWyuQ.exe
PID 1868 wrote to memory of 1568	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	yiaWyuQ.exe
PID 1868 wrote to memory of 992	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	wRzKOym.exe
PID 1868 wrote to memory of 992	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	wRzKOym.exe
PID 1868 wrote to memory of 4432	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	fDJAncO.exe
PID 1868 wrote to memory of 4432	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	fDJAncO.exe
PID 1868 wrote to memory of 4488	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	sWWUncb.exe
PID 1868 wrote to memory of 4488	1868	2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe	sWWUncb.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_121f3c5fa940d9c374611253a147afc3_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\System\GnLDAjg.exe
  C:\Windows\System\GnLDAjg.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\gEixUMR.exe
  C:\Windows\System\gEixUMR.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\actUkTr.exe
  C:\Windows\System\actUkTr.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\cDsGIoc.exe
  C:\Windows\System\cDsGIoc.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\RdwdIiS.exe
  C:\Windows\System\RdwdIiS.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\uKgMpZF.exe
  C:\Windows\System\uKgMpZF.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System\tUmwNxi.exe
  C:\Windows\System\tUmwNxi.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System\xOTBfGD.exe
  C:\Windows\System\xOTBfGD.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\pYiIhIR.exe
  C:\Windows\System\pYiIhIR.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\uObSebl.exe
  C:\Windows\System\uObSebl.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\BXqIEqH.exe
  C:\Windows\System\BXqIEqH.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\nbbCgWB.exe
  C:\Windows\System\nbbCgWB.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\HqBTwrL.exe
  C:\Windows\System\HqBTwrL.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\ULfRRqV.exe
  C:\Windows\System\ULfRRqV.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\TDMsnSa.exe
  C:\Windows\System\TDMsnSa.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\JctuKOg.exe
  C:\Windows\System\JctuKOg.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\VQtXhqQ.exe
  C:\Windows\System\VQtXhqQ.exe
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\System\yiaWyuQ.exe
  C:\Windows\System\yiaWyuQ.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\wRzKOym.exe
  C:\Windows\System\wRzKOym.exe
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\System\fDJAncO.exe
  C:\Windows\System\fDJAncO.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System\sWWUncb.exe
  C:\Windows\System\sWWUncb.exe
  2⤵
  - Executes dropped EXE
  PID:4488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BXqIEqH.exe

Filesize
5.2MB

MD5
6bf092e8c5c05254b6d4b21d6a2c80d1

SHA1
3919be41bb2fa196ec09294bfd872a2591d3a896

SHA256
e4c7b0bc744cae2113dddf651150de7f5d6b5e3e5eccd1a685551374c61477d0

SHA512
dae811f8ce4520aeb5e5811ed167fda59fe79f5b4a6d00d813c09f779cbd9c8f3d5db5e12b3b4d6690ecd4130db3a2f7e3b37d8586e419097aa19a08dca335cc

Download Submit
C:\Windows\System\GnLDAjg.exe

Filesize
5.2MB

MD5
934b7528fcc253a6355ae73602431494

SHA1
3909a9ad8f5a118ebcd5d116e43e616856955183

SHA256
82a75edf5d1e763bc9f014e7e659fe7fbc79740ec19f2616ed8bfa8ff045ee9b

SHA512
b57136a07e9277ea54480e603170da0c74f9ea7bc04ce680a3e0821f5dca1d875ff2a080cda489e0676d20a516e03bde43b436986049deb7d49e07fff92727d0

Download Submit
C:\Windows\System\HqBTwrL.exe

Filesize
5.2MB

MD5
ac0431fb7aeb736789c91d6458cbb39c

SHA1
c679fd1d9d7141f444318a2a5bc0ee8967035f0b

SHA256
e9203be73fec55ed5c8fdf98f3302fa8d44f4eb88bc82b5c230143c941cd21d6

SHA512
4e7ad71f1eb49d36fbde683e73ebe83b7fd95cb96e4d6dc4ed784fea987302b91d062290efde9a6262f96ceda2db66296e31d7c7c4ec2b608daeedbd5d83e737

Download Submit
C:\Windows\System\JctuKOg.exe

Filesize
5.2MB

MD5
963903a256cceba2741ca205063ad688

SHA1
4f0be88214475b449a3efa876a921354ef1a7618

SHA256
aee263ac8b8256c4e6665992cd6f48b1d0b67cad43821b8878daffb2030f8e8b

SHA512
2e2c8fdf2bafe3c2e736b1ed875976bb7cbb8c154ef516a556277ac66ca3c0d3a14af1adfe9482bf7b65005826e3dbbce0284d826f39eef0c8ebafdf05cc40e8

Download Submit
C:\Windows\System\RdwdIiS.exe

Filesize
5.2MB

MD5
5e59127ac7788abdc2ab3a632a627d55

SHA1
1e9222b99e8ece0fa74d5b7a7b05858e7c60a19e

SHA256
662fca7d5a8b9f66dccdb240865c41d80f741bdbdc8bca6f5907eef38c93a084

SHA512
21464082c07f2fac4ea8cd71ea959657035fecb0628f9c44660da8acf708355fc838dde2f21811df2aa967f0f6ff3973fd40332f4d32309c7120b2a11eaff0bc

Download Submit
C:\Windows\System\TDMsnSa.exe

Filesize
5.2MB

MD5
a4084aee3fba431e0d441e8ddc26ec7b

SHA1
8643d1214868cab4b8007527d3668398c1b5f350

SHA256
e308905aae85af8571b51aa516631042ce2a9a54fcfb877a005e9df64bb19988

SHA512
17adf1f4de4252ffa3ae3fa36dba9cc5eacb44205669cd70c42db15b3c9fa65f495a91cbd86b7178db95be8691dd87f98e75001255d7755e3a3541d64cc79459

Download Submit
C:\Windows\System\ULfRRqV.exe

Filesize
5.2MB

MD5
fc7680a1027056b9eb226a36d21d34cc

SHA1
4e178d54de05f9206d10276769de42910a3c76a3

SHA256
2b7092a9bb874db622b328e8fed8bb7edbeca1650c9f8ed995de50aea0394954

SHA512
feff19fc1152b41d9ae205d14fd27e9a9ef75b2472b51f5f1cb233b886537197a905339037a6bc5dccdfeead134c4efceb4473c61f048bb649de8f8229388d3d

Download Submit
C:\Windows\System\VQtXhqQ.exe

Filesize
5.2MB

MD5
c1532e45f808321786760bdd946afc08

SHA1
9011658349c75795bcddd82115341e83dcfac5e9

SHA256
72cc918cf9d0aa5517081d57626e1d7ce8dd6c39b11245f1e3cf00b10bba398a

SHA512
0412f31cd1bb6cecdf3cae91aac2f3b3bffbe6f0f7368154a169945f8936492e5a34bfd68873b14bdf8985cfe27c3d78cde55d350b56e2071828430715c384cd

Download Submit
C:\Windows\System\actUkTr.exe

Filesize
5.2MB

MD5
f0baca8a435a3bd7294371b1949c3b35

SHA1
6df6e4e82a2334c11dcde72d93023f06b5984fbb

SHA256
00c58cc198975851e1e63d647394468009e8e5be146dd4399de0746aa2e3b624

SHA512
4082f29855cdcc3319e6bd9ef9a382ccb2bca7d2778ac58cc85ffd466c33ca99609802b44e1f9fd8ca31ca4b56d7090ae4816899e3564aec39b7de13a6c4069a

Download Submit
C:\Windows\System\cDsGIoc.exe

Filesize
5.2MB

MD5
5aff669553397da6547a49f66eea299e

SHA1
4662bcaa052e8252b0ba2cd01908445e0bcf473b

SHA256
66f72ccd17a31cef859c44d292a87701b80e65cb73d4fc5994b03ea8b733d62a

SHA512
c085ca8f9182e756b4d736df65c0200e8add986e14673ae7eabd3a28f28254beccc5c4d2d91bf68ab71575856cd20862547a030f263dd4692647ef56d56780f1

Download Submit
C:\Windows\System\fDJAncO.exe

Filesize
5.2MB

MD5
963bde031d154b488ce9cd31a4e60635

SHA1
c3d05bb2517135569ee93c7f8d34bb7cf1879ef4

SHA256
b0176701ec9da0058f9a7bbece28d1e0f26d9f07892cd9556bbec62aaf19acba

SHA512
dc94ce5b8dd6c2f1e1925df8071a8e444538b16f61483d80411a867dbc92e081985b6f042b58489c16cadfe5574171b962e6229d46c8490cb84be9ab0fce8a8e

Download Submit
C:\Windows\System\gEixUMR.exe

Filesize
5.2MB

MD5
5fc48f42e36c6a7309158b2dc993a47c

SHA1
b0115f2f2a017cda656ffb5bb8840602747ea885

SHA256
c6981530d74ce097a2a0f68bf0c942ce2ed40b9cdee5ef4ac9d1feebc8773880

SHA512
e5d25ce859654f3a633bf10d451e458d60d03998142b8c06fa48d45e854cc124de1708b143a5591eb98aa08c34c89010e841560491984695737e71157fe9b5ef

Download Submit
C:\Windows\System\nbbCgWB.exe

Filesize
5.2MB

MD5
e421b617a39c7cedb15060c7fe226d12

SHA1
7a7a396b551f6f3b086e1690d93cf3cd2b5cdcb1

SHA256
6f9ba6445808b64282d08d618ff7dc9b6c8c624e9d97029d3648852c6b4ab9bf

SHA512
348017e58e9919f41de52f95a61cd113b6f458ebb9405f604bccee92f3873266451c28bd4975a7192a2a362747141ad145ea28e473c25af69a267e573c99e893

Download Submit
C:\Windows\System\pYiIhIR.exe

Filesize
5.2MB

MD5
947205867017800d85806549ffd78246

SHA1
4ddb7cc30f3b040d013a3c859e1ddd64b3ca2cb5

SHA256
c2d143b6fc295fb37b6350ffa0805d817a155c2a9969eb16e46552d055886684

SHA512
ea49b2681fbf45853c0bced0b3874a21c2ca53975fd50fcfb62c98d8071b53b4377077545cb7ede1688f9aa2772c736562f4ab8f93ee36d8c3c987f4426f8319

Download Submit
C:\Windows\System\sWWUncb.exe

Filesize
5.2MB

MD5
5f178c815c613e3dfbdf664dd0d476b0

SHA1
d743fefdfbe53e8dc958964f1aca6e3bec4ade31

SHA256
e6c5097eab2f81e4b787705bebfb20666595862f1ee54c1a7b0d46dcb886798a

SHA512
e93a78c26b00d57c7e510d34c91dd81d1447ee4b3ceb93dff247c594ad99c35859b219a694fe7226c10f2b3ec2b9025609956d6262f296909c2b681fbed0df5f

Download Submit
C:\Windows\System\tUmwNxi.exe

Filesize
5.2MB

MD5
be8b168b606fcd2f22aa377e9eaadf60

SHA1
24df2f206b8ad5a9e219a755c71a20599dc8440b

SHA256
b9fda28e51d1ab948ce5dcbf991bef751e2d617d9479d9e64f5f7af1474a83aa

SHA512
66825a40477a8363781f333354ba457e96ae38816e718f298a84c989d727f04ab35ca38358da674f3a383e3771853a71ebe5a63e1fa7c3f0bb6b0b5acc7de0e3

Download Submit
C:\Windows\System\uKgMpZF.exe

Filesize
5.2MB

MD5
6db68034db5cc15309db93fc67c6722a

SHA1
33588d342c6504640b5d019a45c994748b127418

SHA256
31745cde42b74c5e40621c2e97148d6a9e5f993c4cda327e495e4563e1098266

SHA512
fba0f5e05b5fdda810d30e1f217776eb6fb629adc25d6b44e6aa7adc8155a02fa88d46d461660d90a997b20ab9df0451349f55c1bcfddd8c9d93527fd7c221b1

Download Submit
C:\Windows\System\uObSebl.exe

Filesize
5.2MB

MD5
b4ca2702d4736a5eca7c88a1f2b18cbe

SHA1
021f2431b3a63311722b9e72d7ec24eeaa9b2682

SHA256
ec85992457ff9f398b7d66416f86560a0d65ace2541b42f4a7dbdc79159b3d4f

SHA512
efef07c60b53801a97047a25e40a4350e96bf8bd7db2fd81530eb905801a710ce79c288fbf79b2014ad8f1b94fe5f064c5f536fc099110c55a05f07c12e22e8b

Download Submit
C:\Windows\System\wRzKOym.exe

Filesize
5.2MB

MD5
67d34f83a586d59def2a274dd36a0247

SHA1
79f5509584bb044519588508c5cfbb5b0dbd890f

SHA256
9329f773207ebfa59cd406145be5498f7260c89b2beecb77b4ce9480f56d4fa8

SHA512
3d2d6cc1fa5a207f63d52eb3b5dee2dee38c21786fb209a1b9551172c8a914fe02ca5afb5e8fa3710282db254353d1b41ebf3572b85b9afdfc89026eb6899904

Download Submit
C:\Windows\System\xOTBfGD.exe

Filesize
5.2MB

MD5
9498e122f160a09aea9f137caae2426c

SHA1
8fcd17a1b9fb23579ce13897d2d926b09dd29814

SHA256
665780b7056b53912316f9d34a620451b7ccb55ee325b10c212bbd7d66171f64

SHA512
9d25ea4025bd9bf73733c8eeadca6bf072a90f7220be23e9b23b46b508448bdf142432b03e0c31bf1709011ec13e67907e66526938f15cdeaafa621aa9b86350

Download Submit
C:\Windows\System\yiaWyuQ.exe

Filesize
5.2MB

MD5
3e8b6cf37e03f573edfa24f3c594c7d1

SHA1
9adf95e7cd5f8aeea0c6c2d0ad57d001d633ddea

SHA256
1f8fbe2d6a450ef39ecda07b02ac3ce74fbab583a6e5c9102b5a0c2e7c2f59d2

SHA512
8e44810d5abccbc559401a068cbe8cb3397a01438f016dac78aff4decb577dedeecd8d975f695fd754d5f7f9b5ea83128a039e8dc34c2a7dc55deae79cfd6bc7

Download Submit
memory/216-230-0x00007FF6146D0000-0x00007FF614A21000-memory.dmp

Filesize
3.3MB

Download
memory/216-98-0x00007FF6146D0000-0x00007FF614A21000-memory.dmp

Filesize
3.3MB

Download
memory/324-145-0x00007FF7F5B50000-0x00007FF7F5EA1000-memory.dmp

Filesize
3.3MB

Download
memory/324-253-0x00007FF7F5B50000-0x00007FF7F5EA1000-memory.dmp

Filesize
3.3MB

Download
memory/324-93-0x00007FF7F5B50000-0x00007FF7F5EA1000-memory.dmp

Filesize
3.3MB

Download
memory/992-119-0x00007FF6BFD80000-0x00007FF6C00D1000-memory.dmp

Filesize
3.3MB

Download
memory/992-147-0x00007FF6BFD80000-0x00007FF6C00D1000-memory.dmp

Filesize
3.3MB

Download
memory/992-244-0x00007FF6BFD80000-0x00007FF6C00D1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-205-0x00007FF65E540000-0x00007FF65E891000-memory.dmp

Filesize
3.3MB

Download
memory/1216-130-0x00007FF65E540000-0x00007FF65E891000-memory.dmp

Filesize
3.3MB

Download
memory/1216-18-0x00007FF65E540000-0x00007FF65E891000-memory.dmp

Filesize
3.3MB

Download
memory/1436-88-0x00007FF63AB40000-0x00007FF63AE91000-memory.dmp

Filesize
3.3MB

Download
memory/1436-228-0x00007FF63AB40000-0x00007FF63AE91000-memory.dmp

Filesize
3.3MB

Download
memory/1460-140-0x00007FF752D10000-0x00007FF753061000-memory.dmp

Filesize
3.3MB

Download
memory/1460-236-0x00007FF752D10000-0x00007FF753061000-memory.dmp

Filesize
3.3MB

Download
memory/1460-87-0x00007FF752D10000-0x00007FF753061000-memory.dmp

Filesize
3.3MB

Download
memory/1568-108-0x00007FF7F8450000-0x00007FF7F87A1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-146-0x00007FF7F8450000-0x00007FF7F87A1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-245-0x00007FF7F8450000-0x00007FF7F87A1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-1-0x00000201DEB60000-0x00000201DEB70000-memory.dmp

Filesize
64KB

Download
memory/1868-150-0x00007FF657D30000-0x00007FF658081000-memory.dmp

Filesize
3.3MB

Download
memory/1868-128-0x00007FF657D30000-0x00007FF658081000-memory.dmp

Filesize
3.3MB

Download
memory/1868-0-0x00007FF657D30000-0x00007FF658081000-memory.dmp

Filesize
3.3MB

Download
memory/1952-39-0x00007FF74CF90000-0x00007FF74D2E1000-memory.dmp

Filesize
3.3MB

Download
memory/1952-219-0x00007FF74CF90000-0x00007FF74D2E1000-memory.dmp

Filesize
3.3MB

Download
memory/1952-132-0x00007FF74CF90000-0x00007FF74D2E1000-memory.dmp

Filesize
3.3MB

Download
memory/2552-251-0x00007FF6D4010000-0x00007FF6D4361000-memory.dmp

Filesize
3.3MB

Download
memory/2552-106-0x00007FF6D4010000-0x00007FF6D4361000-memory.dmp

Filesize
3.3MB

Download
memory/2556-75-0x00007FF6E8830000-0x00007FF6E8B81000-memory.dmp

Filesize
3.3MB

Download
memory/2556-136-0x00007FF6E8830000-0x00007FF6E8B81000-memory.dmp

Filesize
3.3MB

Download
memory/2556-227-0x00007FF6E8830000-0x00007FF6E8B81000-memory.dmp

Filesize
3.3MB

Download
memory/2696-60-0x00007FF704C50000-0x00007FF704FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-232-0x00007FF704C50000-0x00007FF704FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-138-0x00007FF704C50000-0x00007FF704FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3020-92-0x00007FF7F3A20000-0x00007FF7F3D71000-memory.dmp

Filesize
3.3MB

Download
memory/3020-144-0x00007FF7F3A20000-0x00007FF7F3D71000-memory.dmp

Filesize
3.3MB

Download
memory/3020-249-0x00007FF7F3A20000-0x00007FF7F3D71000-memory.dmp

Filesize
3.3MB

Download
memory/3196-248-0x00007FF703A10000-0x00007FF703D61000-memory.dmp

Filesize
3.3MB

Download
memory/3196-107-0x00007FF703A10000-0x00007FF703D61000-memory.dmp

Filesize
3.3MB

Download
memory/3576-97-0x00007FF7274C0000-0x00007FF727811000-memory.dmp

Filesize
3.3MB

Download
memory/3576-223-0x00007FF7274C0000-0x00007FF727811000-memory.dmp

Filesize
3.3MB

Download
memory/3648-103-0x00007FF66AA00000-0x00007FF66AD51000-memory.dmp

Filesize
3.3MB

Download
memory/3648-234-0x00007FF66AA00000-0x00007FF66AD51000-memory.dmp

Filesize
3.3MB

Download
memory/3704-224-0x00007FF657810000-0x00007FF657B61000-memory.dmp

Filesize
3.3MB

Download
memory/3704-51-0x00007FF657810000-0x00007FF657B61000-memory.dmp

Filesize
3.3MB

Download
memory/3704-134-0x00007FF657810000-0x00007FF657B61000-memory.dmp

Filesize
3.3MB

Download
memory/4008-135-0x00007FF75FED0000-0x00007FF760221000-memory.dmp

Filesize
3.3MB

Download
memory/4008-53-0x00007FF75FED0000-0x00007FF760221000-memory.dmp

Filesize
3.3MB

Download
memory/4008-242-0x00007FF75FED0000-0x00007FF760221000-memory.dmp

Filesize
3.3MB

Download
memory/4432-123-0x00007FF6A5700000-0x00007FF6A5A51000-memory.dmp

Filesize
3.3MB

Download
memory/4432-255-0x00007FF6A5700000-0x00007FF6A5A51000-memory.dmp

Filesize
3.3MB

Download
memory/4432-148-0x00007FF6A5700000-0x00007FF6A5A51000-memory.dmp

Filesize
3.3MB

Download
memory/4488-120-0x00007FF691650000-0x00007FF6919A1000-memory.dmp

Filesize
3.3MB

Download
memory/4488-257-0x00007FF691650000-0x00007FF6919A1000-memory.dmp

Filesize
3.3MB

Download
memory/4488-149-0x00007FF691650000-0x00007FF6919A1000-memory.dmp

Filesize
3.3MB

Download
memory/4852-220-0x00007FF7D30C0000-0x00007FF7D3411000-memory.dmp

Filesize
3.3MB

Download
memory/4852-24-0x00007FF7D30C0000-0x00007FF7D3411000-memory.dmp

Filesize
3.3MB

Download
memory/4852-131-0x00007FF7D30C0000-0x00007FF7D3411000-memory.dmp

Filesize
3.3MB

Download
memory/5056-8-0x00007FF6F3580000-0x00007FF6F38D1000-memory.dmp

Filesize
3.3MB

Download
memory/5056-203-0x00007FF6F3580000-0x00007FF6F38D1000-memory.dmp

Filesize
3.3MB

Download
memory/5056-129-0x00007FF6F3580000-0x00007FF6F38D1000-memory.dmp

Filesize
3.3MB

Download