cobaltstrike | 563559bf4e24eee103b441a36a5be61d2dd9c0801e1e1988bdeda5801d7a98c6

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d238249522a5fa6b4297313a078094a2
SHA1

133a4657faf2b5840958476f2de01c5307d48991
SHA256

563559bf4e24eee103b441a36a5be61d2dd9c0801e1e1988bdeda5801d7a98c6
SHA512

e6cda3126c4cdd438a35065b3038d26e5c53b0300dee43c07827f35e029a299bdf8120009a8a0947effddc3f76ea573c88135fce6636646bb03cfb06ca245444
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lQ:RWWBibf56utgpPFotBER/mQ32lUc

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\zJYaECk.exe	cobalt_reflective_dll
C:\Windows\System\HAxrkwC.exe	cobalt_reflective_dll
C:\Windows\System\tFrisCG.exe	cobalt_reflective_dll
C:\Windows\System\yicYAuf.exe	cobalt_reflective_dll
C:\Windows\System\SklyZLq.exe	cobalt_reflective_dll
C:\Windows\System\nhdhukt.exe	cobalt_reflective_dll
C:\Windows\System\qUFPzTt.exe	cobalt_reflective_dll
C:\Windows\System\ZahRqbY.exe	cobalt_reflective_dll
C:\Windows\System\nzGxzYj.exe	cobalt_reflective_dll
C:\Windows\System\rKUdlXq.exe	cobalt_reflective_dll
C:\Windows\System\caTlRwI.exe	cobalt_reflective_dll
C:\Windows\System\sdcbfVJ.exe	cobalt_reflective_dll
C:\Windows\System\IWrisxc.exe	cobalt_reflective_dll
C:\Windows\System\QEbXvOr.exe	cobalt_reflective_dll
C:\Windows\System\KGjYrUF.exe	cobalt_reflective_dll
C:\Windows\System\HSCvhdc.exe	cobalt_reflective_dll
C:\Windows\System\UVRQnHb.exe	cobalt_reflective_dll
C:\Windows\System\SvKdeHl.exe	cobalt_reflective_dll
C:\Windows\System\RhaKbdp.exe	cobalt_reflective_dll
C:\Windows\System\reGQIto.exe	cobalt_reflective_dll
C:\Windows\System\MJnqxvF.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4876-47-0x00007FF799770000-0x00007FF799AC1000-memory.dmp	xmrig
behavioral2/memory/1556-86-0x00007FF635D90000-0x00007FF6360E1000-memory.dmp	xmrig
behavioral2/memory/2156-85-0x00007FF6BA700000-0x00007FF6BAA51000-memory.dmp	xmrig
behavioral2/memory/2476-80-0x00007FF63F5D0000-0x00007FF63F921000-memory.dmp	xmrig
behavioral2/memory/1384-99-0x00007FF6B4E90000-0x00007FF6B51E1000-memory.dmp	xmrig
behavioral2/memory/4496-97-0x00007FF766FE0000-0x00007FF767331000-memory.dmp	xmrig
behavioral2/memory/3900-90-0x00007FF76F880000-0x00007FF76FBD1000-memory.dmp	xmrig
behavioral2/memory/4244-91-0x00007FF6E91B0000-0x00007FF6E9501000-memory.dmp	xmrig
behavioral2/memory/4812-110-0x00007FF69DC20000-0x00007FF69DF71000-memory.dmp	xmrig
behavioral2/memory/540-118-0x00007FF7F2910000-0x00007FF7F2C61000-memory.dmp	xmrig
behavioral2/memory/3964-135-0x00007FF646680000-0x00007FF6469D1000-memory.dmp	xmrig
behavioral2/memory/2160-128-0x00007FF6AB810000-0x00007FF6ABB61000-memory.dmp	xmrig
behavioral2/memory/3160-117-0x00007FF7C87D0000-0x00007FF7C8B21000-memory.dmp	xmrig
behavioral2/memory/1456-106-0x00007FF770F50000-0x00007FF7712A1000-memory.dmp	xmrig
behavioral2/memory/2476-141-0x00007FF63F5D0000-0x00007FF63F921000-memory.dmp	xmrig
behavioral2/memory/2088-152-0x00007FF6D16D0000-0x00007FF6D1A21000-memory.dmp	xmrig
behavioral2/memory/4684-157-0x00007FF7D7EB0000-0x00007FF7D8201000-memory.dmp	xmrig
behavioral2/memory/432-158-0x00007FF6514F0000-0x00007FF651841000-memory.dmp	xmrig
behavioral2/memory/4836-161-0x00007FF6B80F0000-0x00007FF6B8441000-memory.dmp	xmrig
behavioral2/memory/4596-162-0x00007FF64AD50000-0x00007FF64B0A1000-memory.dmp	xmrig
behavioral2/memory/1132-163-0x00007FF7ED390000-0x00007FF7ED6E1000-memory.dmp	xmrig
behavioral2/memory/2464-165-0x00007FF65ECB0000-0x00007FF65F001000-memory.dmp	xmrig
behavioral2/memory/3400-168-0x00007FF6C1760000-0x00007FF6C1AB1000-memory.dmp	xmrig
behavioral2/memory/2476-169-0x00007FF63F5D0000-0x00007FF63F921000-memory.dmp	xmrig
behavioral2/memory/2476-187-0x00007FF63F5D0000-0x00007FF63F921000-memory.dmp	xmrig
behavioral2/memory/2156-225-0x00007FF6BA700000-0x00007FF6BAA51000-memory.dmp	xmrig
behavioral2/memory/1556-227-0x00007FF635D90000-0x00007FF6360E1000-memory.dmp	xmrig
behavioral2/memory/4244-229-0x00007FF6E91B0000-0x00007FF6E9501000-memory.dmp	xmrig
behavioral2/memory/3900-231-0x00007FF76F880000-0x00007FF76FBD1000-memory.dmp	xmrig
behavioral2/memory/4876-233-0x00007FF799770000-0x00007FF799AC1000-memory.dmp	xmrig
behavioral2/memory/1384-241-0x00007FF6B4E90000-0x00007FF6B51E1000-memory.dmp	xmrig
behavioral2/memory/4496-242-0x00007FF766FE0000-0x00007FF767331000-memory.dmp	xmrig
behavioral2/memory/1456-245-0x00007FF770F50000-0x00007FF7712A1000-memory.dmp	xmrig
behavioral2/memory/4812-246-0x00007FF69DC20000-0x00007FF69DF71000-memory.dmp	xmrig
behavioral2/memory/540-248-0x00007FF7F2910000-0x00007FF7F2C61000-memory.dmp	xmrig
behavioral2/memory/3964-254-0x00007FF646680000-0x00007FF6469D1000-memory.dmp	xmrig
behavioral2/memory/2160-253-0x00007FF6AB810000-0x00007FF6ABB61000-memory.dmp	xmrig
behavioral2/memory/3160-251-0x00007FF7C87D0000-0x00007FF7C8B21000-memory.dmp	xmrig
behavioral2/memory/2088-256-0x00007FF6D16D0000-0x00007FF6D1A21000-memory.dmp	xmrig
behavioral2/memory/4684-260-0x00007FF7D7EB0000-0x00007FF7D8201000-memory.dmp	xmrig
behavioral2/memory/432-262-0x00007FF6514F0000-0x00007FF651841000-memory.dmp	xmrig
behavioral2/memory/4836-266-0x00007FF6B80F0000-0x00007FF6B8441000-memory.dmp	xmrig
behavioral2/memory/4596-271-0x00007FF64AD50000-0x00007FF64B0A1000-memory.dmp	xmrig
behavioral2/memory/1132-273-0x00007FF7ED390000-0x00007FF7ED6E1000-memory.dmp	xmrig
behavioral2/memory/2464-275-0x00007FF65ECB0000-0x00007FF65F001000-memory.dmp	xmrig
behavioral2/memory/3400-277-0x00007FF6C1760000-0x00007FF6C1AB1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

zJYaECk.exeHAxrkwC.exetFrisCG.exeZahRqbY.exenhdhukt.exenzGxzYj.exeyicYAuf.exeqUFPzTt.exeSklyZLq.exeIWrisxc.exesdcbfVJ.exeQEbXvOr.execaTlRwI.exerKUdlXq.exeKGjYrUF.exeHSCvhdc.exeUVRQnHb.exeRhaKbdp.exeSvKdeHl.exereGQIto.exeMJnqxvF.exe

pid	process
2156	zJYaECk.exe
1556	HAxrkwC.exe
4244	tFrisCG.exe
3900	ZahRqbY.exe
1384	nhdhukt.exe
4496	nzGxzYj.exe
4876	yicYAuf.exe
1456	qUFPzTt.exe
4812	SklyZLq.exe
540	IWrisxc.exe
3160	sdcbfVJ.exe
2160	QEbXvOr.exe
3964	caTlRwI.exe
2088	rKUdlXq.exe
4684	KGjYrUF.exe
432	HSCvhdc.exe
4836	UVRQnHb.exe
4596	RhaKbdp.exe
1132	SvKdeHl.exe
2464	reGQIto.exe
3400	MJnqxvF.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2476-0-0x00007FF63F5D0000-0x00007FF63F921000-memory.dmp	upx
C:\Windows\System\zJYaECk.exe	upx
C:\Windows\System\HAxrkwC.exe	upx
C:\Windows\System\tFrisCG.exe	upx
C:\Windows\System\yicYAuf.exe	upx
behavioral2/memory/1384-43-0x00007FF6B4E90000-0x00007FF6B51E1000-memory.dmp	upx
behavioral2/memory/1456-48-0x00007FF770F50000-0x00007FF7712A1000-memory.dmp	upx
behavioral2/memory/4876-47-0x00007FF799770000-0x00007FF799AC1000-memory.dmp	upx
C:\Windows\System\SklyZLq.exe	upx
C:\Windows\System\nhdhukt.exe	upx
C:\Windows\System\qUFPzTt.exe	upx
behavioral2/memory/4496-36-0x00007FF766FE0000-0x00007FF767331000-memory.dmp	upx
C:\Windows\System\ZahRqbY.exe	upx
behavioral2/memory/4244-31-0x00007FF6E91B0000-0x00007FF6E9501000-memory.dmp	upx
C:\Windows\System\nzGxzYj.exe	upx
behavioral2/memory/3900-24-0x00007FF76F880000-0x00007FF76FBD1000-memory.dmp	upx
behavioral2/memory/1556-18-0x00007FF635D90000-0x00007FF6360E1000-memory.dmp	upx
behavioral2/memory/2156-8-0x00007FF6BA700000-0x00007FF6BAA51000-memory.dmp	upx
behavioral2/memory/4812-56-0x00007FF69DC20000-0x00007FF69DF71000-memory.dmp	upx
behavioral2/memory/3160-65-0x00007FF7C87D0000-0x00007FF7C8B21000-memory.dmp	upx
behavioral2/memory/540-71-0x00007FF7F2910000-0x00007FF7F2C61000-memory.dmp	upx
behavioral2/memory/2160-79-0x00007FF6AB810000-0x00007FF6ABB61000-memory.dmp	upx
behavioral2/memory/3964-84-0x00007FF646680000-0x00007FF6469D1000-memory.dmp	upx
C:\Windows\System\rKUdlXq.exe	upx
behavioral2/memory/2088-87-0x00007FF6D16D0000-0x00007FF6D1A21000-memory.dmp	upx
behavioral2/memory/1556-86-0x00007FF635D90000-0x00007FF6360E1000-memory.dmp	upx
behavioral2/memory/2156-85-0x00007FF6BA700000-0x00007FF6BAA51000-memory.dmp	upx
C:\Windows\System\caTlRwI.exe	upx
behavioral2/memory/2476-80-0x00007FF63F5D0000-0x00007FF63F921000-memory.dmp	upx
C:\Windows\System\sdcbfVJ.exe	upx
C:\Windows\System\IWrisxc.exe	upx
C:\Windows\System\QEbXvOr.exe	upx
C:\Windows\System\KGjYrUF.exe	upx
C:\Windows\System\HSCvhdc.exe	upx
behavioral2/memory/432-101-0x00007FF6514F0000-0x00007FF651841000-memory.dmp	upx
behavioral2/memory/1384-99-0x00007FF6B4E90000-0x00007FF6B51E1000-memory.dmp	upx
behavioral2/memory/4684-98-0x00007FF7D7EB0000-0x00007FF7D8201000-memory.dmp	upx
behavioral2/memory/4496-97-0x00007FF766FE0000-0x00007FF767331000-memory.dmp	upx
behavioral2/memory/3900-90-0x00007FF76F880000-0x00007FF76FBD1000-memory.dmp	upx
behavioral2/memory/4244-91-0x00007FF6E91B0000-0x00007FF6E9501000-memory.dmp	upx
behavioral2/memory/4812-110-0x00007FF69DC20000-0x00007FF69DF71000-memory.dmp	upx
C:\Windows\System\UVRQnHb.exe	upx
behavioral2/memory/540-118-0x00007FF7F2910000-0x00007FF7F2C61000-memory.dmp	upx
C:\Windows\System\SvKdeHl.exe	upx
C:\Windows\System\RhaKbdp.exe	upx
behavioral2/memory/3964-135-0x00007FF646680000-0x00007FF6469D1000-memory.dmp	upx
behavioral2/memory/2464-136-0x00007FF65ECB0000-0x00007FF65F001000-memory.dmp	upx
C:\Windows\System\reGQIto.exe	upx
C:\Windows\System\MJnqxvF.exe	upx
behavioral2/memory/3400-133-0x00007FF6C1760000-0x00007FF6C1AB1000-memory.dmp	upx
behavioral2/memory/1132-132-0x00007FF7ED390000-0x00007FF7ED6E1000-memory.dmp	upx
behavioral2/memory/2160-128-0x00007FF6AB810000-0x00007FF6ABB61000-memory.dmp	upx
behavioral2/memory/4596-121-0x00007FF64AD50000-0x00007FF64B0A1000-memory.dmp	upx
behavioral2/memory/3160-117-0x00007FF7C87D0000-0x00007FF7C8B21000-memory.dmp	upx
behavioral2/memory/4836-116-0x00007FF6B80F0000-0x00007FF6B8441000-memory.dmp	upx
behavioral2/memory/1456-106-0x00007FF770F50000-0x00007FF7712A1000-memory.dmp	upx
behavioral2/memory/2476-141-0x00007FF63F5D0000-0x00007FF63F921000-memory.dmp	upx
behavioral2/memory/2088-152-0x00007FF6D16D0000-0x00007FF6D1A21000-memory.dmp	upx
behavioral2/memory/4684-157-0x00007FF7D7EB0000-0x00007FF7D8201000-memory.dmp	upx
behavioral2/memory/432-158-0x00007FF6514F0000-0x00007FF651841000-memory.dmp	upx
behavioral2/memory/4836-161-0x00007FF6B80F0000-0x00007FF6B8441000-memory.dmp	upx
behavioral2/memory/4596-162-0x00007FF64AD50000-0x00007FF64B0A1000-memory.dmp	upx
behavioral2/memory/1132-163-0x00007FF7ED390000-0x00007FF7ED6E1000-memory.dmp	upx
behavioral2/memory/2464-165-0x00007FF65ECB0000-0x00007FF65F001000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\tFrisCG.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZahRqbY.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SklyZLq.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KGjYrUF.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\reGQIto.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HAxrkwC.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sdcbfVJ.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HSCvhdc.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RhaKbdp.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IWrisxc.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nzGxzYj.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qUFPzTt.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UVRQnHb.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MJnqxvF.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nhdhukt.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yicYAuf.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QEbXvOr.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\caTlRwI.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rKUdlXq.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SvKdeHl.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zJYaECk.exe	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2476 wrote to memory of 2156	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	zJYaECk.exe
PID 2476 wrote to memory of 2156	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	zJYaECk.exe
PID 2476 wrote to memory of 1556	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	HAxrkwC.exe
PID 2476 wrote to memory of 1556	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	HAxrkwC.exe
PID 2476 wrote to memory of 4244	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	tFrisCG.exe
PID 2476 wrote to memory of 4244	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	tFrisCG.exe
PID 2476 wrote to memory of 3900	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	ZahRqbY.exe
PID 2476 wrote to memory of 3900	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	ZahRqbY.exe
PID 2476 wrote to memory of 1384	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	nhdhukt.exe
PID 2476 wrote to memory of 1384	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	nhdhukt.exe
PID 2476 wrote to memory of 4496	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	nzGxzYj.exe
PID 2476 wrote to memory of 4496	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	nzGxzYj.exe
PID 2476 wrote to memory of 4876	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	yicYAuf.exe
PID 2476 wrote to memory of 4876	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	yicYAuf.exe
PID 2476 wrote to memory of 1456	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	qUFPzTt.exe
PID 2476 wrote to memory of 1456	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	qUFPzTt.exe
PID 2476 wrote to memory of 4812	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	SklyZLq.exe
PID 2476 wrote to memory of 4812	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	SklyZLq.exe
PID 2476 wrote to memory of 540	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	IWrisxc.exe
PID 2476 wrote to memory of 540	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	IWrisxc.exe
PID 2476 wrote to memory of 3160	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	sdcbfVJ.exe
PID 2476 wrote to memory of 3160	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	sdcbfVJ.exe
PID 2476 wrote to memory of 2160	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	QEbXvOr.exe
PID 2476 wrote to memory of 2160	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	QEbXvOr.exe
PID 2476 wrote to memory of 3964	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	caTlRwI.exe
PID 2476 wrote to memory of 3964	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	caTlRwI.exe
PID 2476 wrote to memory of 2088	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	rKUdlXq.exe
PID 2476 wrote to memory of 2088	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	rKUdlXq.exe
PID 2476 wrote to memory of 4684	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	KGjYrUF.exe
PID 2476 wrote to memory of 4684	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	KGjYrUF.exe
PID 2476 wrote to memory of 432	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	HSCvhdc.exe
PID 2476 wrote to memory of 432	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	HSCvhdc.exe
PID 2476 wrote to memory of 4836	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	UVRQnHb.exe
PID 2476 wrote to memory of 4836	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	UVRQnHb.exe
PID 2476 wrote to memory of 4596	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	RhaKbdp.exe
PID 2476 wrote to memory of 4596	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	RhaKbdp.exe
PID 2476 wrote to memory of 2464	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	reGQIto.exe
PID 2476 wrote to memory of 2464	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	reGQIto.exe
PID 2476 wrote to memory of 1132	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	SvKdeHl.exe
PID 2476 wrote to memory of 1132	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	SvKdeHl.exe
PID 2476 wrote to memory of 3400	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	MJnqxvF.exe
PID 2476 wrote to memory of 3400	2476	2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe	MJnqxvF.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_d238249522a5fa6b4297313a078094a2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\System\zJYaECk.exe
  C:\Windows\System\zJYaECk.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\HAxrkwC.exe
  C:\Windows\System\HAxrkwC.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System\tFrisCG.exe
  C:\Windows\System\tFrisCG.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System\ZahRqbY.exe
  C:\Windows\System\ZahRqbY.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System\nhdhukt.exe
  C:\Windows\System\nhdhukt.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\nzGxzYj.exe
  C:\Windows\System\nzGxzYj.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\yicYAuf.exe
  C:\Windows\System\yicYAuf.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\qUFPzTt.exe
  C:\Windows\System\qUFPzTt.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System\SklyZLq.exe
  C:\Windows\System\SklyZLq.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\IWrisxc.exe
  C:\Windows\System\IWrisxc.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System\sdcbfVJ.exe
  C:\Windows\System\sdcbfVJ.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System\QEbXvOr.exe
  C:\Windows\System\QEbXvOr.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\caTlRwI.exe
  C:\Windows\System\caTlRwI.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\rKUdlXq.exe
  C:\Windows\System\rKUdlXq.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\KGjYrUF.exe
  C:\Windows\System\KGjYrUF.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\HSCvhdc.exe
  C:\Windows\System\HSCvhdc.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\UVRQnHb.exe
  C:\Windows\System\UVRQnHb.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\RhaKbdp.exe
  C:\Windows\System\RhaKbdp.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\reGQIto.exe
  C:\Windows\System\reGQIto.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\SvKdeHl.exe
  C:\Windows\System\SvKdeHl.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System\MJnqxvF.exe
  C:\Windows\System\MJnqxvF.exe
  2⤵
  - Executes dropped EXE
  PID:3400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\HAxrkwC.exe

Filesize
5.2MB

MD5
ab8a5ce34501ef83598d2f96ce075bf5

SHA1
ff888c6a09f09bcd0db5a5aa35b90f05b009177e

SHA256
8be501e9fae14033c02c918c4e507b55af12c6f2c02fc644a5a79b395db88c20

SHA512
0743256a6a4dcb64657747eb69c42dd97b13232a7a30e75c4afc9fa18553b640ed0a886b3a4223557b1f0233982c74a3b3b1bb4e1636ca91a5ed2ebda5fb7d5b

Download Submit
C:\Windows\System\HSCvhdc.exe

Filesize
5.2MB

MD5
3251f34b7fc05fac669de8d9cb520fb9

SHA1
7c2fe53ae1e985d7214876302a7559851b3e3cf2

SHA256
01ee1019309dd2be35a0b445b20ddc21779b64a6620648082f26951bd2effd35

SHA512
ad6d2e0a380c2de7c01337911cd37017f0b9684164d79e7053fb6d483c24dc6e60a639945618abb74d6fa7df28b620049701d25c40ba0aba9d98e3f43ba37523

Download Submit
C:\Windows\System\IWrisxc.exe

Filesize
5.2MB

MD5
30851d010df9d22dbd37d8e1197c6419

SHA1
09511e072c66b51de6f16bb5fdf8b6eea160ab31

SHA256
d3d93b866d3225b2bd0dd4752d819392ff022f8476a19251411f58ab707811fe

SHA512
f3788425f43407d9bb5fec38baba03a8632378d23016f0477531a09f785fc1a3c21b0a1953a5a6905159abf4c3bfd2045dbdfcf10aefe25086b3bbc965e2be9e

Download Submit
C:\Windows\System\KGjYrUF.exe

Filesize
5.2MB

MD5
727e6af3269d35c649ec05fe3df82d12

SHA1
66088f09b599a525a9aefa3f12218137df8cc846

SHA256
573569565fc7322d1da7c63c565db44fe8dbb1f0be629477d020cd5093c27fa7

SHA512
dcebb8f224983f9862902096f7a535ac20f25aa4c9ce57f0ada6161919e0e435f5a991c1e8e63c212ba43e159486294f437df196713d43c6d12bb2b9e770503d

Download Submit
C:\Windows\System\MJnqxvF.exe

Filesize
5.2MB

MD5
88a7b8d2e33a3f7c4e78ec4df0f73757

SHA1
4a709b62334a370b1badefbcd7e6ec75b6c1cf42

SHA256
7fc9503ba8483ad35be38ecf983ead7efb88f1a3808cdd92c57c48461d830ddb

SHA512
64ed846c59e2aeb5042636bdc9e81aacc9c900049c42f7b96e5078c3d002bd3ed187d76a3df25ebf77fe84f2b62ecc78306f6cac401cea695e3f009ce3d3ba48

Download Submit
C:\Windows\System\QEbXvOr.exe

Filesize
5.2MB

MD5
752838181933a51daaa993f4dc68b087

SHA1
34dff3ccb227cbd87af8595ed3569b84e203a68e

SHA256
f2dab3f79c4154baec82afa909d2123ffe3b2ccd0fb4b5423ac66809d1bf8c78

SHA512
f501aaa201ea2fdede978068f628f70590266d0320965a5b64ad9a407a6a0f63d1d6c4e878733e5d0c7893c009e1c46e39c5c5caaa827da64d6f861ced14cfc1

Download Submit
C:\Windows\System\RhaKbdp.exe

Filesize
5.2MB

MD5
0526ac7798f11a8c1f42a1c95fe55e1c

SHA1
0ffafca14689d2c8df1b7e0e070533381d6d5126

SHA256
0fac710b0bd37442d2030ad5709a5de2dbf4caa023c01e195d844d09c49c263e

SHA512
c58ef5b20d861e1258ba37fd6a8dcdb5522835d59ff9e92dd96544900687529e367f9623bbae85e6c694cdc387aadd31894e457c3359e2993df34e7e04169833

Download Submit
C:\Windows\System\SklyZLq.exe

Filesize
5.2MB

MD5
9a178fc2697837f32d86b027bf1de846

SHA1
3a0bca1f7b1c855418a4e82e483fdcd7d729e187

SHA256
b02bbb44760d9a854f6892b7910614b952934a00a127a5b49a1343ffc92f9cc8

SHA512
a1b921d848bc1a2a90b3c04a04f52e30e74e57e8335ca656c902dc9f4a8e3f6658d0fc72d266caa9c09581cafa8c5e9e1898b48df341ea84c7ee437a6fff698e

Download Submit
C:\Windows\System\SvKdeHl.exe

Filesize
5.2MB

MD5
690a2b18129caebb8bcd6e390e5e8d36

SHA1
d2fa8f68a33a5256fb520cfcde7ac82107b58cec

SHA256
afd3cdec267453cc5ab7ba6b0de6e0349d222598428dffedeca694b4cf3ea06f

SHA512
499701fb1b2fdb87a4e99083a800b3571304acb739b8e64bd702fb05748a2175d5c4205dbd28c3e330d8fad87136b3daf722e976b9fe6c1e4fd57c614590ef5c

Download Submit
C:\Windows\System\UVRQnHb.exe

Filesize
5.2MB

MD5
db6d2f5c9363fc5abb4236fa64afdbdc

SHA1
060155408e282fd6f941af0a7e84fb7e2e428845

SHA256
501f1f88e3d2e056357e692b56189e840934ba2de9f4259cd96fca1f488e9184

SHA512
221f9724a3e5328277b1389fec872863d3e998cc815cce0c31533d3b18491fa207e3a9422b4239b13070f38389ef240cc6bbed26691a154b1bac048a6a58d461

Download Submit
C:\Windows\System\ZahRqbY.exe

Filesize
5.2MB

MD5
2f403ada28ef61aab2180c77e2eb7fd4

SHA1
7b49dc622b30768970050475b80906bdff83ad4e

SHA256
71089107d8f898acb8d4a4a28c35b70ef8b069c1aa0e5bb95a93b82e1b43d864

SHA512
b78579ff3961cc14e64c893dbe30d8c16f63cbcba6afc8120f533a7e24c41337badbcc1be57d49f52c53f6f69f7064f2aa06ee38252123d42b6e1bf877f9f582

Download Submit
C:\Windows\System\caTlRwI.exe

Filesize
5.2MB

MD5
8222676f6b0a3431211ed252b1d8aaa1

SHA1
b67bc89102711f4d81e35177de0bb826ab68ff46

SHA256
fc6ce50fd457241c9fe477a9bc43b9c93d018047303c45fc522c692735c95b11

SHA512
a531104aab4e28810e95f49f993410f436c3f4271aa3a66f35c8d8e73aceccc16a0a0ebfb6b149b807729aeeed2954fd549d939d855ca3de797d559ea8e90b00

Download Submit
C:\Windows\System\nhdhukt.exe

Filesize
5.2MB

MD5
ab92484750fbfb78f88dad4c702a7571

SHA1
1fd66829d48a96494febc12cf44083cdb54b96c2

SHA256
956a6f8c8041ea46a59774849de085e69f8907e8749d4bc396c1bd2242afcbe4

SHA512
05a8d473e1098a091edc704b06b2e52845a216e893d044b3ad3b3d9d82b3eb4676bd9c2f6a9858dfc9fd1b3dc3d7c38d53db60579a51fd44351205e0a7c20d24

Download Submit
C:\Windows\System\nzGxzYj.exe

Filesize
5.2MB

MD5
b14a586889296355a34527cf3d146b54

SHA1
3dcb234db9ea3d5566f6eee4a42c6b9fb58118bf

SHA256
0cc76f8ddb9c470c1e1e5a300122637a36270c996764d39769f6de099b8af6ee

SHA512
35901dfa6faa7c29d46829c3531e549f4e1fc7d3df1167fdd34a61a75ffd64ba061e9d76daced5a688ae8521a988d26786e36084501020ec3c5564eb7faa91b7

Download Submit
C:\Windows\System\qUFPzTt.exe

Filesize
5.2MB

MD5
72963017f75f26ee77ef220c9a6f4670

SHA1
f36894b92cb407ae71f4ace821b40628cb480291

SHA256
233134d90eb40394b078f5741cee6668206f4371188470813f66df8357e8b9ca

SHA512
70691bb7a115466b679d6a5eeb23e1531f855f819149356467571506dca577576bca4efbc15271e594d65eb4bd947d7b49ef1fefb7dbf066700311b9fe9b72a6

Download Submit
C:\Windows\System\rKUdlXq.exe

Filesize
5.2MB

MD5
6cb13e514a50289ec1cc3350c059adb3

SHA1
c0812df73aed0139ed9e7b84a6c53f38e6e76328

SHA256
9097b45a863de2592cbde30d623b34a9c96c4cc04d476f79e11a78d4a2ff98d0

SHA512
8edc89c44bd52bb11323f67783fe48ebeefeb1ddfa6df794930fec4ca389b139aae91c63d2bc44644f766635943248422612b344ec40a72edaaff8bd215f8d96

Download Submit
C:\Windows\System\reGQIto.exe

Filesize
5.2MB

MD5
0240cbc4247833c34deae33927a8f457

SHA1
0ee471362f05d2739dcfbdcdd911d6ef6559369d

SHA256
1bba529b80a691eac8f75c32f33f71110c39563583fa2f64ed604d95113f25bb

SHA512
cc4cbc099e52a5613c347e8c5fe2f058abbc4e824675bfb5b25374721413654d71fee02da0ff824828a77f55f446d79d9e19f20054315b9572412866e5c10568

Download Submit
C:\Windows\System\sdcbfVJ.exe

Filesize
5.2MB

MD5
23ef5cdc8c8680dca7c6fc20fff1ac23

SHA1
3c17aa50ed37b73b8c95d25b5b136ccf480957f3

SHA256
55fedc3f0ceeccd61518f673fb742d6fdea39b21f9a84696691294245a35eee0

SHA512
b1d8ba3b9f68e6460685082b655c3e07a47f2a1282294f6e7097e6607a68fc8a53c4f890ccaa419385b9a6167db5226510b1613b44f14f93ec216e87dca62566

Download Submit
C:\Windows\System\tFrisCG.exe

Filesize
5.2MB

MD5
b50653d51ca8c229b00b3b000645784d

SHA1
93280300804b0b519945cbb6d22fa481c82db4c8

SHA256
74f99962ae2273822c3838e7b6f69b4f75c3054e6bc6e30103599473f34c398e

SHA512
4433d9890d828cc5d8970097eeee401072f1b3bad5c36f5b8a47170c76b3aa61b04b21cab48cda4bb6ae0dccb44099fed4d07218635b9b80a6883771fe51593b

Download Submit
C:\Windows\System\yicYAuf.exe

Filesize
5.2MB

MD5
b3d57ca207d9f4d3546a09808fe27a6a

SHA1
c092e66764a500d2d8af9e26fff1c7b950c46c6d

SHA256
ff381ab668ed49a098adbb3aff19b8fce9bf63be1f3ebbb886f4949d6ad9223a

SHA512
10e797afcc8347c3568acf24c28a121d862866c153d6dd814fa52b7e38483940325c544b1a64d235e8f9a85984270737f09beaeed26d1613d47bb1b1a802ba0f

Download Submit
C:\Windows\System\zJYaECk.exe

Filesize
5.2MB

MD5
e11f2bcb50ca4587980fc13327856a87

SHA1
c157de16884c1af07bd0e2236714627a4ece280a

SHA256
d73ad13c57ec92192ec2dde0f33207254c75bac1573c904f77a4f7f6769cbaa7

SHA512
127d40aea143d71c95275806fe8113dbb5b2bb4627df78177b06a57f73dbfdf7783c64503fbec90dd8ed6567cd0b8fe19512a7302a83f1f3dc09ca4e1c9fe37c

Download Submit
memory/432-101-0x00007FF6514F0000-0x00007FF651841000-memory.dmp

Filesize
3.3MB

Download
memory/432-262-0x00007FF6514F0000-0x00007FF651841000-memory.dmp

Filesize
3.3MB

Download
memory/432-158-0x00007FF6514F0000-0x00007FF651841000-memory.dmp

Filesize
3.3MB

Download
memory/540-71-0x00007FF7F2910000-0x00007FF7F2C61000-memory.dmp

Filesize
3.3MB

Download
memory/540-118-0x00007FF7F2910000-0x00007FF7F2C61000-memory.dmp

Filesize
3.3MB

Download
memory/540-248-0x00007FF7F2910000-0x00007FF7F2C61000-memory.dmp

Filesize
3.3MB

Download
memory/1132-132-0x00007FF7ED390000-0x00007FF7ED6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1132-163-0x00007FF7ED390000-0x00007FF7ED6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1132-273-0x00007FF7ED390000-0x00007FF7ED6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-99-0x00007FF6B4E90000-0x00007FF6B51E1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-43-0x00007FF6B4E90000-0x00007FF6B51E1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-241-0x00007FF6B4E90000-0x00007FF6B51E1000-memory.dmp

Filesize
3.3MB

Download
memory/1456-48-0x00007FF770F50000-0x00007FF7712A1000-memory.dmp

Filesize
3.3MB

Download
memory/1456-245-0x00007FF770F50000-0x00007FF7712A1000-memory.dmp

Filesize
3.3MB

Download
memory/1456-106-0x00007FF770F50000-0x00007FF7712A1000-memory.dmp

Filesize
3.3MB

Download
memory/1556-227-0x00007FF635D90000-0x00007FF6360E1000-memory.dmp

Filesize
3.3MB

Download
memory/1556-86-0x00007FF635D90000-0x00007FF6360E1000-memory.dmp

Filesize
3.3MB

Download
memory/1556-18-0x00007FF635D90000-0x00007FF6360E1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-152-0x00007FF6D16D0000-0x00007FF6D1A21000-memory.dmp

Filesize
3.3MB

Download
memory/2088-256-0x00007FF6D16D0000-0x00007FF6D1A21000-memory.dmp

Filesize
3.3MB

Download
memory/2088-87-0x00007FF6D16D0000-0x00007FF6D1A21000-memory.dmp

Filesize
3.3MB

Download
memory/2156-225-0x00007FF6BA700000-0x00007FF6BAA51000-memory.dmp

Filesize
3.3MB

Download
memory/2156-8-0x00007FF6BA700000-0x00007FF6BAA51000-memory.dmp

Filesize
3.3MB

Download
memory/2156-85-0x00007FF6BA700000-0x00007FF6BAA51000-memory.dmp

Filesize
3.3MB

Download
memory/2160-79-0x00007FF6AB810000-0x00007FF6ABB61000-memory.dmp

Filesize
3.3MB

Download
memory/2160-128-0x00007FF6AB810000-0x00007FF6ABB61000-memory.dmp

Filesize
3.3MB

Download
memory/2160-253-0x00007FF6AB810000-0x00007FF6ABB61000-memory.dmp

Filesize
3.3MB

Download
memory/2464-165-0x00007FF65ECB0000-0x00007FF65F001000-memory.dmp

Filesize
3.3MB

Download
memory/2464-136-0x00007FF65ECB0000-0x00007FF65F001000-memory.dmp

Filesize
3.3MB

Download
memory/2464-275-0x00007FF65ECB0000-0x00007FF65F001000-memory.dmp

Filesize
3.3MB

Download
memory/2476-141-0x00007FF63F5D0000-0x00007FF63F921000-memory.dmp

Filesize
3.3MB

Download
memory/2476-0-0x00007FF63F5D0000-0x00007FF63F921000-memory.dmp

Filesize
3.3MB

Download
memory/2476-187-0x00007FF63F5D0000-0x00007FF63F921000-memory.dmp

Filesize
3.3MB

Download
memory/2476-169-0x00007FF63F5D0000-0x00007FF63F921000-memory.dmp

Filesize
3.3MB

Download
memory/2476-1-0x00000288EB890000-0x00000288EB8A0000-memory.dmp

Filesize
64KB

Download
memory/2476-80-0x00007FF63F5D0000-0x00007FF63F921000-memory.dmp

Filesize
3.3MB

Download
memory/3160-65-0x00007FF7C87D0000-0x00007FF7C8B21000-memory.dmp

Filesize
3.3MB

Download
memory/3160-251-0x00007FF7C87D0000-0x00007FF7C8B21000-memory.dmp

Filesize
3.3MB

Download
memory/3160-117-0x00007FF7C87D0000-0x00007FF7C8B21000-memory.dmp

Filesize
3.3MB

Download
memory/3400-168-0x00007FF6C1760000-0x00007FF6C1AB1000-memory.dmp

Filesize
3.3MB

Download
memory/3400-133-0x00007FF6C1760000-0x00007FF6C1AB1000-memory.dmp

Filesize
3.3MB

Download
memory/3400-277-0x00007FF6C1760000-0x00007FF6C1AB1000-memory.dmp

Filesize
3.3MB

Download
memory/3900-24-0x00007FF76F880000-0x00007FF76FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/3900-231-0x00007FF76F880000-0x00007FF76FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/3900-90-0x00007FF76F880000-0x00007FF76FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/3964-84-0x00007FF646680000-0x00007FF6469D1000-memory.dmp

Filesize
3.3MB

Download
memory/3964-135-0x00007FF646680000-0x00007FF6469D1000-memory.dmp

Filesize
3.3MB

Download
memory/3964-254-0x00007FF646680000-0x00007FF6469D1000-memory.dmp

Filesize
3.3MB

Download
memory/4244-31-0x00007FF6E91B0000-0x00007FF6E9501000-memory.dmp

Filesize
3.3MB

Download
memory/4244-229-0x00007FF6E91B0000-0x00007FF6E9501000-memory.dmp

Filesize
3.3MB

Download
memory/4244-91-0x00007FF6E91B0000-0x00007FF6E9501000-memory.dmp

Filesize
3.3MB

Download
memory/4496-97-0x00007FF766FE0000-0x00007FF767331000-memory.dmp

Filesize
3.3MB

Download
memory/4496-36-0x00007FF766FE0000-0x00007FF767331000-memory.dmp

Filesize
3.3MB

Download
memory/4496-242-0x00007FF766FE0000-0x00007FF767331000-memory.dmp

Filesize
3.3MB

Download
memory/4596-162-0x00007FF64AD50000-0x00007FF64B0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4596-271-0x00007FF64AD50000-0x00007FF64B0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4596-121-0x00007FF64AD50000-0x00007FF64B0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4684-157-0x00007FF7D7EB0000-0x00007FF7D8201000-memory.dmp

Filesize
3.3MB

Download
memory/4684-98-0x00007FF7D7EB0000-0x00007FF7D8201000-memory.dmp

Filesize
3.3MB

Download
memory/4684-260-0x00007FF7D7EB0000-0x00007FF7D8201000-memory.dmp

Filesize
3.3MB

Download
memory/4812-246-0x00007FF69DC20000-0x00007FF69DF71000-memory.dmp

Filesize
3.3MB

Download
memory/4812-56-0x00007FF69DC20000-0x00007FF69DF71000-memory.dmp

Filesize
3.3MB

Download
memory/4812-110-0x00007FF69DC20000-0x00007FF69DF71000-memory.dmp

Filesize
3.3MB

Download
memory/4836-266-0x00007FF6B80F0000-0x00007FF6B8441000-memory.dmp

Filesize
3.3MB

Download
memory/4836-161-0x00007FF6B80F0000-0x00007FF6B8441000-memory.dmp

Filesize
3.3MB

Download
memory/4836-116-0x00007FF6B80F0000-0x00007FF6B8441000-memory.dmp

Filesize
3.3MB

Download
memory/4876-233-0x00007FF799770000-0x00007FF799AC1000-memory.dmp

Filesize
3.3MB

Download
memory/4876-47-0x00007FF799770000-0x00007FF799AC1000-memory.dmp

Filesize
3.3MB

Download