cobaltstrike | 38579e96b9da1e8f344c3b79f20b8ba1a2d6b41aded8520b06654ca173c185e2

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0b864522fe966aad17b7a546890ea81d
SHA1

34927353ba74a395bd1abe4ea550ac5d657e7509
SHA256

38579e96b9da1e8f344c3b79f20b8ba1a2d6b41aded8520b06654ca173c185e2
SHA512

cff229573924ef93a7626bdc4450d6662a7c65d97120446913b36a9d49e61ed7c6796de4b9e4e0cf80b82a8e63a88f007891e72582ee760e5d676f274d39bf7a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lU:RWWBibf56utgpPFotBER/mQ32lU4

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\ThUxcOH.exe	cobalt_reflective_dll
C:\Windows\System\GqoBXZg.exe	cobalt_reflective_dll
C:\Windows\System\SssZztr.exe	cobalt_reflective_dll
C:\Windows\System\FhfjEKP.exe	cobalt_reflective_dll
C:\Windows\System\xNhCzCQ.exe	cobalt_reflective_dll
C:\Windows\System\htWdzcy.exe	cobalt_reflective_dll
C:\Windows\System\rRlcGaX.exe	cobalt_reflective_dll
C:\Windows\System\lRQyqWG.exe	cobalt_reflective_dll
C:\Windows\System\CYsTUop.exe	cobalt_reflective_dll
C:\Windows\System\OCGwnoC.exe	cobalt_reflective_dll
C:\Windows\System\EnnGgfx.exe	cobalt_reflective_dll
C:\Windows\System\nyyBAhC.exe	cobalt_reflective_dll
C:\Windows\System\wsFjkRt.exe	cobalt_reflective_dll
C:\Windows\System\YrOgeGh.exe	cobalt_reflective_dll
C:\Windows\System\puWwKLd.exe	cobalt_reflective_dll
C:\Windows\System\YbVaVAa.exe	cobalt_reflective_dll
C:\Windows\System\AYpLDVG.exe	cobalt_reflective_dll
C:\Windows\System\DetlbbJ.exe	cobalt_reflective_dll
C:\Windows\System\sMHlixC.exe	cobalt_reflective_dll
C:\Windows\System\nJJZmhX.exe	cobalt_reflective_dll
C:\Windows\System\cqxLcEE.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2276-73-0x00007FF7E7640000-0x00007FF7E7991000-memory.dmp	xmrig
behavioral2/memory/5012-93-0x00007FF7FAC30000-0x00007FF7FAF81000-memory.dmp	xmrig
behavioral2/memory/3272-103-0x00007FF664BF0000-0x00007FF664F41000-memory.dmp	xmrig
behavioral2/memory/1136-132-0x00007FF7A8290000-0x00007FF7A85E1000-memory.dmp	xmrig
behavioral2/memory/1168-127-0x00007FF746270000-0x00007FF7465C1000-memory.dmp	xmrig
behavioral2/memory/2908-121-0x00007FF794DB0000-0x00007FF795101000-memory.dmp	xmrig
behavioral2/memory/636-116-0x00007FF7B9CC0000-0x00007FF7BA011000-memory.dmp	xmrig
behavioral2/memory/4788-102-0x00007FF604A70000-0x00007FF604DC1000-memory.dmp	xmrig
behavioral2/memory/4904-84-0x00007FF64FB10000-0x00007FF64FE61000-memory.dmp	xmrig
behavioral2/memory/1028-61-0x00007FF646FF0000-0x00007FF647341000-memory.dmp	xmrig
behavioral2/memory/4968-60-0x00007FF6E76C0000-0x00007FF6E7A11000-memory.dmp	xmrig
behavioral2/memory/4968-140-0x00007FF6E76C0000-0x00007FF6E7A11000-memory.dmp	xmrig
behavioral2/memory/4980-153-0x00007FF724AF0000-0x00007FF724E41000-memory.dmp	xmrig
behavioral2/memory/5084-156-0x00007FF701060000-0x00007FF7013B1000-memory.dmp	xmrig
behavioral2/memory/4068-157-0x00007FF61BE40000-0x00007FF61C191000-memory.dmp	xmrig
behavioral2/memory/2748-161-0x00007FF7000D0000-0x00007FF700421000-memory.dmp	xmrig
behavioral2/memory/4720-160-0x00007FF6DD390000-0x00007FF6DD6E1000-memory.dmp	xmrig
behavioral2/memory/2068-159-0x00007FF79FA90000-0x00007FF79FDE1000-memory.dmp	xmrig
behavioral2/memory/4112-158-0x00007FF7366C0000-0x00007FF736A11000-memory.dmp	xmrig
behavioral2/memory/2456-155-0x00007FF640950000-0x00007FF640CA1000-memory.dmp	xmrig
behavioral2/memory/1488-154-0x00007FF6F2F90000-0x00007FF6F32E1000-memory.dmp	xmrig
behavioral2/memory/2596-152-0x00007FF67E760000-0x00007FF67EAB1000-memory.dmp	xmrig
behavioral2/memory/2292-151-0x00007FF704A00000-0x00007FF704D51000-memory.dmp	xmrig
behavioral2/memory/4968-162-0x00007FF6E76C0000-0x00007FF6E7A11000-memory.dmp	xmrig
behavioral2/memory/1028-212-0x00007FF646FF0000-0x00007FF647341000-memory.dmp	xmrig
behavioral2/memory/2276-214-0x00007FF7E7640000-0x00007FF7E7991000-memory.dmp	xmrig
behavioral2/memory/4904-219-0x00007FF64FB10000-0x00007FF64FE61000-memory.dmp	xmrig
behavioral2/memory/5012-221-0x00007FF7FAC30000-0x00007FF7FAF81000-memory.dmp	xmrig
behavioral2/memory/4788-230-0x00007FF604A70000-0x00007FF604DC1000-memory.dmp	xmrig
behavioral2/memory/636-232-0x00007FF7B9CC0000-0x00007FF7BA011000-memory.dmp	xmrig
behavioral2/memory/3272-234-0x00007FF664BF0000-0x00007FF664F41000-memory.dmp	xmrig
behavioral2/memory/2908-236-0x00007FF794DB0000-0x00007FF795101000-memory.dmp	xmrig
behavioral2/memory/1168-238-0x00007FF746270000-0x00007FF7465C1000-memory.dmp	xmrig
behavioral2/memory/1136-240-0x00007FF7A8290000-0x00007FF7A85E1000-memory.dmp	xmrig
behavioral2/memory/2596-249-0x00007FF67E760000-0x00007FF67EAB1000-memory.dmp	xmrig
behavioral2/memory/4980-251-0x00007FF724AF0000-0x00007FF724E41000-memory.dmp	xmrig
behavioral2/memory/1488-253-0x00007FF6F2F90000-0x00007FF6F32E1000-memory.dmp	xmrig
behavioral2/memory/2456-255-0x00007FF640950000-0x00007FF640CA1000-memory.dmp	xmrig
behavioral2/memory/5084-257-0x00007FF701060000-0x00007FF7013B1000-memory.dmp	xmrig
behavioral2/memory/4068-259-0x00007FF61BE40000-0x00007FF61C191000-memory.dmp	xmrig
behavioral2/memory/4112-261-0x00007FF7366C0000-0x00007FF736A11000-memory.dmp	xmrig
behavioral2/memory/2068-263-0x00007FF79FA90000-0x00007FF79FDE1000-memory.dmp	xmrig
behavioral2/memory/4720-265-0x00007FF6DD390000-0x00007FF6DD6E1000-memory.dmp	xmrig
behavioral2/memory/2748-267-0x00007FF7000D0000-0x00007FF700421000-memory.dmp	xmrig
behavioral2/memory/2292-271-0x00007FF704A00000-0x00007FF704D51000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

ThUxcOH.exeSssZztr.exeGqoBXZg.exeFhfjEKP.exexNhCzCQ.exehtWdzcy.exerRlcGaX.exelRQyqWG.exeCYsTUop.execqxLcEE.exeOCGwnoC.exenJJZmhX.exesMHlixC.exeDetlbbJ.exeAYpLDVG.exeYbVaVAa.exepuWwKLd.exeEnnGgfx.exenyyBAhC.exeYrOgeGh.exewsFjkRt.exe

pid	process
1028	ThUxcOH.exe
2276	SssZztr.exe
4904	GqoBXZg.exe
5012	FhfjEKP.exe
4788	xNhCzCQ.exe
3272	htWdzcy.exe
636	rRlcGaX.exe
2908	lRQyqWG.exe
1168	CYsTUop.exe
1136	cqxLcEE.exe
2292	OCGwnoC.exe
2596	nJJZmhX.exe
4980	sMHlixC.exe
1488	DetlbbJ.exe
2456	AYpLDVG.exe
5084	YbVaVAa.exe
4068	puWwKLd.exe
4112	EnnGgfx.exe
2068	nyyBAhC.exe
4720	YrOgeGh.exe
2748	wsFjkRt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4968-0-0x00007FF6E76C0000-0x00007FF6E7A11000-memory.dmp	upx
C:\Windows\System\ThUxcOH.exe	upx
C:\Windows\System\GqoBXZg.exe	upx
C:\Windows\System\SssZztr.exe	upx
behavioral2/memory/2276-17-0x00007FF7E7640000-0x00007FF7E7991000-memory.dmp	upx
behavioral2/memory/4904-18-0x00007FF64FB10000-0x00007FF64FE61000-memory.dmp	upx
behavioral2/memory/1028-12-0x00007FF646FF0000-0x00007FF647341000-memory.dmp	upx
C:\Windows\System\FhfjEKP.exe	upx
C:\Windows\System\xNhCzCQ.exe	upx
behavioral2/memory/4788-29-0x00007FF604A70000-0x00007FF604DC1000-memory.dmp	upx
C:\Windows\System\htWdzcy.exe	upx
C:\Windows\System\rRlcGaX.exe	upx
C:\Windows\System\lRQyqWG.exe	upx
C:\Windows\System\CYsTUop.exe	upx
behavioral2/memory/1168-54-0x00007FF746270000-0x00007FF7465C1000-memory.dmp	upx
C:\Windows\System\OCGwnoC.exe	upx
behavioral2/memory/2276-73-0x00007FF7E7640000-0x00007FF7E7991000-memory.dmp	upx
behavioral2/memory/2292-76-0x00007FF704A00000-0x00007FF704D51000-memory.dmp	upx
behavioral2/memory/5012-93-0x00007FF7FAC30000-0x00007FF7FAF81000-memory.dmp	upx
behavioral2/memory/3272-103-0x00007FF664BF0000-0x00007FF664F41000-memory.dmp	upx
C:\Windows\System\EnnGgfx.exe	upx
C:\Windows\System\nyyBAhC.exe	upx
C:\Windows\System\wsFjkRt.exe	upx
behavioral2/memory/2748-136-0x00007FF7000D0000-0x00007FF700421000-memory.dmp	upx
C:\Windows\System\YrOgeGh.exe	upx
behavioral2/memory/2292-133-0x00007FF704A00000-0x00007FF704D51000-memory.dmp	upx
behavioral2/memory/1136-132-0x00007FF7A8290000-0x00007FF7A85E1000-memory.dmp	upx
behavioral2/memory/4720-131-0x00007FF6DD390000-0x00007FF6DD6E1000-memory.dmp	upx
behavioral2/memory/1168-127-0x00007FF746270000-0x00007FF7465C1000-memory.dmp	upx
behavioral2/memory/2068-126-0x00007FF79FA90000-0x00007FF79FDE1000-memory.dmp	upx
behavioral2/memory/2908-121-0x00007FF794DB0000-0x00007FF795101000-memory.dmp	upx
behavioral2/memory/4112-117-0x00007FF7366C0000-0x00007FF736A11000-memory.dmp	upx
behavioral2/memory/636-116-0x00007FF7B9CC0000-0x00007FF7BA011000-memory.dmp	upx
C:\Windows\System\puWwKLd.exe	upx
C:\Windows\System\YbVaVAa.exe	upx
behavioral2/memory/4068-108-0x00007FF61BE40000-0x00007FF61C191000-memory.dmp	upx
behavioral2/memory/5084-107-0x00007FF701060000-0x00007FF7013B1000-memory.dmp	upx
behavioral2/memory/4788-102-0x00007FF604A70000-0x00007FF604DC1000-memory.dmp	upx
C:\Windows\System\AYpLDVG.exe	upx
behavioral2/memory/2456-96-0x00007FF640950000-0x00007FF640CA1000-memory.dmp	upx
C:\Windows\System\DetlbbJ.exe	upx
C:\Windows\System\sMHlixC.exe	upx
behavioral2/memory/1488-85-0x00007FF6F2F90000-0x00007FF6F32E1000-memory.dmp	upx
behavioral2/memory/4904-84-0x00007FF64FB10000-0x00007FF64FE61000-memory.dmp	upx
behavioral2/memory/4980-83-0x00007FF724AF0000-0x00007FF724E41000-memory.dmp	upx
C:\Windows\System\nJJZmhX.exe	upx
behavioral2/memory/2596-79-0x00007FF67E760000-0x00007FF67EAB1000-memory.dmp	upx
C:\Windows\System\cqxLcEE.exe	upx
behavioral2/memory/1136-64-0x00007FF7A8290000-0x00007FF7A85E1000-memory.dmp	upx
behavioral2/memory/1028-61-0x00007FF646FF0000-0x00007FF647341000-memory.dmp	upx
behavioral2/memory/4968-60-0x00007FF6E76C0000-0x00007FF6E7A11000-memory.dmp	upx
behavioral2/memory/2908-50-0x00007FF794DB0000-0x00007FF795101000-memory.dmp	upx
behavioral2/memory/636-44-0x00007FF7B9CC0000-0x00007FF7BA011000-memory.dmp	upx
behavioral2/memory/3272-38-0x00007FF664BF0000-0x00007FF664F41000-memory.dmp	upx
behavioral2/memory/5012-24-0x00007FF7FAC30000-0x00007FF7FAF81000-memory.dmp	upx
behavioral2/memory/4968-140-0x00007FF6E76C0000-0x00007FF6E7A11000-memory.dmp	upx
behavioral2/memory/4980-153-0x00007FF724AF0000-0x00007FF724E41000-memory.dmp	upx
behavioral2/memory/5084-156-0x00007FF701060000-0x00007FF7013B1000-memory.dmp	upx
behavioral2/memory/4068-157-0x00007FF61BE40000-0x00007FF61C191000-memory.dmp	upx
behavioral2/memory/2748-161-0x00007FF7000D0000-0x00007FF700421000-memory.dmp	upx
behavioral2/memory/4720-160-0x00007FF6DD390000-0x00007FF6DD6E1000-memory.dmp	upx
behavioral2/memory/2068-159-0x00007FF79FA90000-0x00007FF79FDE1000-memory.dmp	upx
behavioral2/memory/4112-158-0x00007FF7366C0000-0x00007FF736A11000-memory.dmp	upx
behavioral2/memory/2456-155-0x00007FF640950000-0x00007FF640CA1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\ThUxcOH.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cqxLcEE.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sMHlixC.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AYpLDVG.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YrOgeGh.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FhfjEKP.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\htWdzcy.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nJJZmhX.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DetlbbJ.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YbVaVAa.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\puWwKLd.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SssZztr.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xNhCzCQ.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rRlcGaX.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CYsTUop.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nyyBAhC.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wsFjkRt.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GqoBXZg.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lRQyqWG.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OCGwnoC.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EnnGgfx.exe	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4968 wrote to memory of 1028	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	ThUxcOH.exe
PID 4968 wrote to memory of 1028	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	ThUxcOH.exe
PID 4968 wrote to memory of 2276	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	SssZztr.exe
PID 4968 wrote to memory of 2276	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	SssZztr.exe
PID 4968 wrote to memory of 4904	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	GqoBXZg.exe
PID 4968 wrote to memory of 4904	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	GqoBXZg.exe
PID 4968 wrote to memory of 5012	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	FhfjEKP.exe
PID 4968 wrote to memory of 5012	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	FhfjEKP.exe
PID 4968 wrote to memory of 4788	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	xNhCzCQ.exe
PID 4968 wrote to memory of 4788	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	xNhCzCQ.exe
PID 4968 wrote to memory of 3272	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	htWdzcy.exe
PID 4968 wrote to memory of 3272	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	htWdzcy.exe
PID 4968 wrote to memory of 636	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	rRlcGaX.exe
PID 4968 wrote to memory of 636	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	rRlcGaX.exe
PID 4968 wrote to memory of 2908	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	lRQyqWG.exe
PID 4968 wrote to memory of 2908	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	lRQyqWG.exe
PID 4968 wrote to memory of 1168	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	CYsTUop.exe
PID 4968 wrote to memory of 1168	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	CYsTUop.exe
PID 4968 wrote to memory of 1136	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	cqxLcEE.exe
PID 4968 wrote to memory of 1136	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	cqxLcEE.exe
PID 4968 wrote to memory of 2292	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	OCGwnoC.exe
PID 4968 wrote to memory of 2292	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	OCGwnoC.exe
PID 4968 wrote to memory of 2596	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	nJJZmhX.exe
PID 4968 wrote to memory of 2596	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	nJJZmhX.exe
PID 4968 wrote to memory of 4980	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	sMHlixC.exe
PID 4968 wrote to memory of 4980	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	sMHlixC.exe
PID 4968 wrote to memory of 1488	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	DetlbbJ.exe
PID 4968 wrote to memory of 1488	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	DetlbbJ.exe
PID 4968 wrote to memory of 2456	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	AYpLDVG.exe
PID 4968 wrote to memory of 2456	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	AYpLDVG.exe
PID 4968 wrote to memory of 5084	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	YbVaVAa.exe
PID 4968 wrote to memory of 5084	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	YbVaVAa.exe
PID 4968 wrote to memory of 4068	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	puWwKLd.exe
PID 4968 wrote to memory of 4068	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	puWwKLd.exe
PID 4968 wrote to memory of 4112	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	EnnGgfx.exe
PID 4968 wrote to memory of 4112	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	EnnGgfx.exe
PID 4968 wrote to memory of 2068	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	nyyBAhC.exe
PID 4968 wrote to memory of 2068	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	nyyBAhC.exe
PID 4968 wrote to memory of 4720	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	YrOgeGh.exe
PID 4968 wrote to memory of 4720	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	YrOgeGh.exe
PID 4968 wrote to memory of 2748	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	wsFjkRt.exe
PID 4968 wrote to memory of 2748	4968	2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe	wsFjkRt.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_0b864522fe966aad17b7a546890ea81d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\System\ThUxcOH.exe
  C:\Windows\System\ThUxcOH.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\SssZztr.exe
  C:\Windows\System\SssZztr.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\GqoBXZg.exe
  C:\Windows\System\GqoBXZg.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\FhfjEKP.exe
  C:\Windows\System\FhfjEKP.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\xNhCzCQ.exe
  C:\Windows\System\xNhCzCQ.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\htWdzcy.exe
  C:\Windows\System\htWdzcy.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\rRlcGaX.exe
  C:\Windows\System\rRlcGaX.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System\lRQyqWG.exe
  C:\Windows\System\lRQyqWG.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System\CYsTUop.exe
  C:\Windows\System\CYsTUop.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System\cqxLcEE.exe
  C:\Windows\System\cqxLcEE.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System\OCGwnoC.exe
  C:\Windows\System\OCGwnoC.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\nJJZmhX.exe
  C:\Windows\System\nJJZmhX.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\sMHlixC.exe
  C:\Windows\System\sMHlixC.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\DetlbbJ.exe
  C:\Windows\System\DetlbbJ.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\AYpLDVG.exe
  C:\Windows\System\AYpLDVG.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\YbVaVAa.exe
  C:\Windows\System\YbVaVAa.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\puWwKLd.exe
  C:\Windows\System\puWwKLd.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\EnnGgfx.exe
  C:\Windows\System\EnnGgfx.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System\nyyBAhC.exe
  C:\Windows\System\nyyBAhC.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\YrOgeGh.exe
  C:\Windows\System\YrOgeGh.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\wsFjkRt.exe
  C:\Windows\System\wsFjkRt.exe
  2⤵
  - Executes dropped EXE
  PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AYpLDVG.exe

Filesize
5.2MB

MD5
604065ed7bc25dd7bae65ef313de9425

SHA1
c169712cf51c9cdcd4d350a1f6bc07c09fefb408

SHA256
3ccc1dff4dc7c485e201a0008c6ca3b891ae7df9e4d70f1600e9cdf499bc4fae

SHA512
f116fd1ee12d9632c2add4d55ae3fcba0bdf6b86e33b05b6c13fb518a72d4e4d00fe56038e71eb5eafbcd512902a21c902aec8e4c866292a69f571cd021dc4ec

Download Submit
C:\Windows\System\CYsTUop.exe

Filesize
5.2MB

MD5
fcc85c862bea3065548190ffa3c5fa2c

SHA1
6b26dc3ad5deb4945011e44383668b6195d337d4

SHA256
d438d99ff1af3077b9a8ef15e8b88203e1bf91e92d1699201916b602b3313a05

SHA512
41b266f136bbae697173cffe65dd736117a2b10badbcf98a938eca2db2e427738d8c360cc0aad8e254372ed33ce9ff70befcc9534041213b6f7345370a38a15f

Download Submit
C:\Windows\System\DetlbbJ.exe

Filesize
5.2MB

MD5
5fbebd985aabdc06a074e2b8f978404b

SHA1
83fa8cf3a91831216ab5e1b6fdc11630f73ef46f

SHA256
a8e3ed9633c0009cbddd0f377301ce86f7c44430ceb0dccf87cafa79ac46417b

SHA512
5b129727aaf2d18628f009163b9fb36600c747c711f24d5c71592f683b5477841b1d58935964030c2b3ef4257c00ddc62cde53907e4d632713af5c217ccf4158

Download Submit
C:\Windows\System\EnnGgfx.exe

Filesize
5.2MB

MD5
aaa46073810938e6c30787e3f54073d6

SHA1
56b6f94a5aebb484aa247d0e2ac618e2d88c553f

SHA256
f8d4430368ba12fa3347c2a5800138ac34cf82f084e6df72e7ce65698afe4cb8

SHA512
efc4e07edcfcef922745e56ef3d769641ef2a2c56d64d0bbdc34cd197a7364e7a7330adfabd08eb6c4b846182d4184548e4f49d0426b91ab3ebbf75345889a3a

Download Submit
C:\Windows\System\FhfjEKP.exe

Filesize
5.2MB

MD5
c26bedfd501b62c75fe4e0b54b0c0620

SHA1
3f8c49feb3d8c51614386cf245fb4fa95aabced8

SHA256
83b96957d64673756387804481f4160cf434a5e92b075736a94e25495404abb4

SHA512
9ec33ca0e051d41a0a4cd810cedb85bc58975df16e19de856d97fc94a1b044fb765732b9183a7b787b99931e32f18c0f6c3a8ed88c5e6150b26ac7f69dc03961

Download Submit
C:\Windows\System\GqoBXZg.exe

Filesize
5.2MB

MD5
d9d6222e481c057414bec6889486288f

SHA1
01ca40d196cbd4a660b4e493bb7ad92d23814a19

SHA256
62803884c4bac7f4041f9bc25d4568f57079d6c350275fb83b8ed2a7f24dbd3d

SHA512
231a7b9a81bfc8d5f17aa11b17718d53afe70696b824681b97e5c25ced56a4c8c426a5e71a020b95b31f48d13bf1fb960cda75c3119730ac09b03bf09e2f40e0

Download Submit
C:\Windows\System\OCGwnoC.exe

Filesize
5.2MB

MD5
f6d4391daf587851dceb2afea13e72b1

SHA1
7ca41b135c35d18333924eb1aa4ef04a71cdc459

SHA256
94c4b91eb6b4daba440b0ba21509cf5be4b4072b7dcd2d6ab23d91b38f4d92a9

SHA512
bb58e64d8121dbe1073b0d44eccccf9367599d40d24b1da22ad6f11fee7924c7e36462c16e7e8d6b8d6562c9e79613aad030db672e2ef55b9b7c204b33fff7d4

Download Submit
C:\Windows\System\SssZztr.exe

Filesize
5.2MB

MD5
1881f0e3e661e9cbda1d88445a0cee69

SHA1
908c09ec333e97a371c81428b2f3e747f16b575a

SHA256
16e474df9e7a7f62de464eb9c2362bc6f14c95aa079d7b73c2c23344f6e4172e

SHA512
ce1b8a9b8d3d46c5806761a4b2935668cfdb596cabc1b09ba255841f3f7f063a38c48a244f1f8b716029d1e1fdeb99b720db899ac964892fbbf88c5f50c74e0c

Download Submit
C:\Windows\System\ThUxcOH.exe

Filesize
5.2MB

MD5
28c03f7ea566b8612dc1ee77b330396a

SHA1
98ce3e6d90958652c8565ca11dd3aa72ffe1e2f8

SHA256
ff0da1650deefa79b5c85bebaf6c961e667f7018f0b21ebdcc2f9203687f712c

SHA512
49b2740c56dba6be78c03af2fcc83a0fc7509c2ba234df537aa13244a318a01b9b58f350b8ad3428cf50f7ff0075d6f090a01de12823b94af58f50b67c94b548

Download Submit
C:\Windows\System\YbVaVAa.exe

Filesize
5.2MB

MD5
84e55a975d9654c5ef5aa3326d5e3929

SHA1
0035f4785ead4bfae1fc949cfbde1782836a2c23

SHA256
4c128373aa1b0ef78809c40d1564fc4339e1049d0a1b152a93bf6c2fce6cd975

SHA512
d6aa45754bf9350d091e72e4d1f56fc01d6d64cef2a5caaedc54abbc5ec79c133fd009f59aeaa2eded4ec110ec2ceaa79c5fb8153dfd4b4aa0b90243bc6bac8f

Download Submit
C:\Windows\System\YrOgeGh.exe

Filesize
5.2MB

MD5
5b158fbd55e38852570a7728279c2265

SHA1
41c2a5d53bf935ea3ef660c9c33646483a3353c1

SHA256
62dda3fda01d145f268536c5e019a5feff2d203fed1a1e75034177e66ff102d1

SHA512
24684dc0bb05c3b503ac9b4c55e43dc795f130e32a971046cb3a4c28ad2a02be6927b768138873033e27eaa0e84caefcb5a28849d150f3df1a2778195f9264de

Download Submit
C:\Windows\System\cqxLcEE.exe

Filesize
5.2MB

MD5
f20719a7643e4c13ca2ba3b8ade00cc1

SHA1
488176e8a04596c67f914c2d2f61c2595563fa68

SHA256
54132a5fdcad0fbd8ec6b5a5d28075887ce06c0b4897bbe8b6b8be55435ef752

SHA512
95a6d07cc7632f5cb35e75baedd36ec1412d6121acebb9d49e740c60150e46f23927f879811d6a964f0a4e0dcf1215eade4489c7ace422e9d545860c317ecc93

Download Submit
C:\Windows\System\htWdzcy.exe

Filesize
5.2MB

MD5
57d9b05f24bc84ecb211176a342acf62

SHA1
3972b4195cf8de90c90bf889bf2389d0c22196f8

SHA256
2308d256ba186c3aa867f753bca322b8cc6dfa529f1f1a9ab2f3cdd9ae24b21d

SHA512
0a5622a6d6ac51d66b8fb83f4ca207fd398e29a75aea7aceee76f1e7e46a4bd086b1730d73364397ba8d01ef1f0cc9c452f3d2f2b8e24c48fa9ee5723a358f52

Download Submit
C:\Windows\System\lRQyqWG.exe

Filesize
5.2MB

MD5
46adc1fdfac4f75257593353714be2ea

SHA1
0fd912de095ac52239c35413d505bb8e0549c196

SHA256
2ecc401831fe13d3f001ab51b68ee24d66dfdb99b71178f95836ea43c510ad7d

SHA512
0be10bf8bc51261089b1895e314114ac9d17bec22f8973f8427d54c4ca3eb5b9e899c20df78da72d4b5ce3c09ce90b66e10c47702e2b28c9d6f6d302f484eea9

Download Submit
C:\Windows\System\nJJZmhX.exe

Filesize
5.2MB

MD5
a6275468b3e62624785d8329f74cb6e0

SHA1
767fd19bbb0ec0bed5acbac66baa4f70245c966d

SHA256
087de09b9d5d8049eedc3ace1e6c0536f3badba90d619875610d493c889558de

SHA512
83ff065f32c35cd9d1ef34247650980106b52fb301506dafeb6b1c0bc1d556bca2932f18d198caab8692f473c77d1373c8763aa83672d802a5c018a3b0936015

Download Submit
C:\Windows\System\nyyBAhC.exe

Filesize
5.2MB

MD5
7b12bfc624092ea4a52552b9a75a9d2c

SHA1
31275af78c96bf3efacbd6d53b5b1f7c2475de36

SHA256
1932e94d3030204576bc9105dc741e6fca1d1f58e638c7f8b41f3a8aea8db5ec

SHA512
5096fce8525adfacf7eeb98b5a71db98165be09122fc0f5ebb5fb69695263d0ba0f073a4e3b5d011dfec7d7bf6112fe17b07120c97db4845c99c12f29cb81b48

Download Submit
C:\Windows\System\puWwKLd.exe

Filesize
5.2MB

MD5
961a20ea55ce7f1528b3f14e1879a980

SHA1
9faa6674e695ca8c56801cc4179664b9fc6b5c39

SHA256
c8f8e06149915d8c564fc7b9c5da3815658a81969ccd50e44cd331ad4869b43a

SHA512
227fb19fc5abbcc0f5301e12061524230a8545fca775efd135ef482bf2fb943ec396f3c64adde44c7c3ba3818cb1799461626a1d0d631ca6f59518624a7657a5

Download Submit
C:\Windows\System\rRlcGaX.exe

Filesize
5.2MB

MD5
3a2208890e775bf55a53bedac71db02b

SHA1
310c8de3b2fa57e7ecd4bb2f774d0059d73a61f7

SHA256
26cbe95e1d438d9896ceb5eed2391341afeef1413230eb9f66e9d835348990f7

SHA512
03d067d3ef0c870042ff4617fd3e792719da562a52bd5da4f2fe8cf66c7996192c420931234be29ef81daa008a342f6d05b136ef6b86cd03c3d1bd5503e01f4a

Download Submit
C:\Windows\System\sMHlixC.exe

Filesize
5.2MB

MD5
0112daf19a4498dcf5b595dbb1dc5b05

SHA1
fe3600cac523b7383b97d89ddbd9610003d69ead

SHA256
ce3995af9e8c354ca86d0cb3fc43965e71c83a677d0582758c844209b2564558

SHA512
44fef1e952fbe21fe10b1c997f4777b2a400f0d09334d36e63bf63e74d4570e8c8920776adb2fd1035ff8ca57192d161beab6149bc77f9a517af54abd9523081

Download Submit
C:\Windows\System\wsFjkRt.exe

Filesize
5.2MB

MD5
a45e87551d0832388286bd283e0a2479

SHA1
f96baf11e6eab995b44405b2639ef26045040c82

SHA256
25f8346efb4c80483b3190650acb11c6fb831b022b51d6c3661616779e43cebd

SHA512
3f92903a93dc58a80d086b801180984239a3f7fc835c700d15a09723c1212426bc21ad74eff2fe2684d885e299bf2118f0f5c5fe4df800ed22309b8721a97e49

Download Submit
C:\Windows\System\xNhCzCQ.exe

Filesize
5.2MB

MD5
815e56ec86bd112e9fdd0902927f66c8

SHA1
dc26f79a48aa6cbac3857eace977f4182ec82688

SHA256
15d661050fb1b0d4029319e6409e2a6fc1bceedd17d21a5781c51645b2350aaf

SHA512
2ac54ba13c3a707e6f91621738f217fd421a5e726b30243fc5bfccb1334ed8384e899d67ba72f99ab5becdc7451a2fed3ecca86522de2d4c0a2159935027e370

Download Submit
memory/636-44-0x00007FF7B9CC0000-0x00007FF7BA011000-memory.dmp

Filesize
3.3MB

Download
memory/636-232-0x00007FF7B9CC0000-0x00007FF7BA011000-memory.dmp

Filesize
3.3MB

Download
memory/636-116-0x00007FF7B9CC0000-0x00007FF7BA011000-memory.dmp

Filesize
3.3MB

Download
memory/1028-61-0x00007FF646FF0000-0x00007FF647341000-memory.dmp

Filesize
3.3MB

Download
memory/1028-212-0x00007FF646FF0000-0x00007FF647341000-memory.dmp

Filesize
3.3MB

Download
memory/1028-12-0x00007FF646FF0000-0x00007FF647341000-memory.dmp

Filesize
3.3MB

Download
memory/1136-132-0x00007FF7A8290000-0x00007FF7A85E1000-memory.dmp

Filesize
3.3MB

Download
memory/1136-64-0x00007FF7A8290000-0x00007FF7A85E1000-memory.dmp

Filesize
3.3MB

Download
memory/1136-240-0x00007FF7A8290000-0x00007FF7A85E1000-memory.dmp

Filesize
3.3MB

Download
memory/1168-127-0x00007FF746270000-0x00007FF7465C1000-memory.dmp

Filesize
3.3MB

Download
memory/1168-238-0x00007FF746270000-0x00007FF7465C1000-memory.dmp

Filesize
3.3MB

Download
memory/1168-54-0x00007FF746270000-0x00007FF7465C1000-memory.dmp

Filesize
3.3MB

Download
memory/1488-154-0x00007FF6F2F90000-0x00007FF6F32E1000-memory.dmp

Filesize
3.3MB

Download
memory/1488-253-0x00007FF6F2F90000-0x00007FF6F32E1000-memory.dmp

Filesize
3.3MB

Download
memory/1488-85-0x00007FF6F2F90000-0x00007FF6F32E1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-126-0x00007FF79FA90000-0x00007FF79FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-159-0x00007FF79FA90000-0x00007FF79FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-263-0x00007FF79FA90000-0x00007FF79FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2276-214-0x00007FF7E7640000-0x00007FF7E7991000-memory.dmp

Filesize
3.3MB

Download
memory/2276-73-0x00007FF7E7640000-0x00007FF7E7991000-memory.dmp

Filesize
3.3MB

Download
memory/2276-17-0x00007FF7E7640000-0x00007FF7E7991000-memory.dmp

Filesize
3.3MB

Download
memory/2292-151-0x00007FF704A00000-0x00007FF704D51000-memory.dmp

Filesize
3.3MB

Download
memory/2292-271-0x00007FF704A00000-0x00007FF704D51000-memory.dmp

Filesize
3.3MB

Download
memory/2292-76-0x00007FF704A00000-0x00007FF704D51000-memory.dmp

Filesize
3.3MB

Download
memory/2292-133-0x00007FF704A00000-0x00007FF704D51000-memory.dmp

Filesize
3.3MB

Download
memory/2456-255-0x00007FF640950000-0x00007FF640CA1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-96-0x00007FF640950000-0x00007FF640CA1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-155-0x00007FF640950000-0x00007FF640CA1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-79-0x00007FF67E760000-0x00007FF67EAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-249-0x00007FF67E760000-0x00007FF67EAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-152-0x00007FF67E760000-0x00007FF67EAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-161-0x00007FF7000D0000-0x00007FF700421000-memory.dmp

Filesize
3.3MB

Download
memory/2748-267-0x00007FF7000D0000-0x00007FF700421000-memory.dmp

Filesize
3.3MB

Download
memory/2748-136-0x00007FF7000D0000-0x00007FF700421000-memory.dmp

Filesize
3.3MB

Download
memory/2908-236-0x00007FF794DB0000-0x00007FF795101000-memory.dmp

Filesize
3.3MB

Download
memory/2908-121-0x00007FF794DB0000-0x00007FF795101000-memory.dmp

Filesize
3.3MB

Download
memory/2908-50-0x00007FF794DB0000-0x00007FF795101000-memory.dmp

Filesize
3.3MB

Download
memory/3272-103-0x00007FF664BF0000-0x00007FF664F41000-memory.dmp

Filesize
3.3MB

Download
memory/3272-234-0x00007FF664BF0000-0x00007FF664F41000-memory.dmp

Filesize
3.3MB

Download
memory/3272-38-0x00007FF664BF0000-0x00007FF664F41000-memory.dmp

Filesize
3.3MB

Download
memory/4068-108-0x00007FF61BE40000-0x00007FF61C191000-memory.dmp

Filesize
3.3MB

Download
memory/4068-157-0x00007FF61BE40000-0x00007FF61C191000-memory.dmp

Filesize
3.3MB

Download
memory/4068-259-0x00007FF61BE40000-0x00007FF61C191000-memory.dmp

Filesize
3.3MB

Download
memory/4112-117-0x00007FF7366C0000-0x00007FF736A11000-memory.dmp

Filesize
3.3MB

Download
memory/4112-261-0x00007FF7366C0000-0x00007FF736A11000-memory.dmp

Filesize
3.3MB

Download
memory/4112-158-0x00007FF7366C0000-0x00007FF736A11000-memory.dmp

Filesize
3.3MB

Download
memory/4720-131-0x00007FF6DD390000-0x00007FF6DD6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-265-0x00007FF6DD390000-0x00007FF6DD6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-160-0x00007FF6DD390000-0x00007FF6DD6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4788-230-0x00007FF604A70000-0x00007FF604DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4788-102-0x00007FF604A70000-0x00007FF604DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4788-29-0x00007FF604A70000-0x00007FF604DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-219-0x00007FF64FB10000-0x00007FF64FE61000-memory.dmp

Filesize
3.3MB

Download
memory/4904-18-0x00007FF64FB10000-0x00007FF64FE61000-memory.dmp

Filesize
3.3MB

Download
memory/4904-84-0x00007FF64FB10000-0x00007FF64FE61000-memory.dmp

Filesize
3.3MB

Download
memory/4968-1-0x000001264E490000-0x000001264E4A0000-memory.dmp

Filesize
64KB

Download
memory/4968-162-0x00007FF6E76C0000-0x00007FF6E7A11000-memory.dmp

Filesize
3.3MB

Download
memory/4968-0-0x00007FF6E76C0000-0x00007FF6E7A11000-memory.dmp

Filesize
3.3MB

Download
memory/4968-60-0x00007FF6E76C0000-0x00007FF6E7A11000-memory.dmp

Filesize
3.3MB

Download
memory/4968-140-0x00007FF6E76C0000-0x00007FF6E7A11000-memory.dmp

Filesize
3.3MB

Download
memory/4980-251-0x00007FF724AF0000-0x00007FF724E41000-memory.dmp

Filesize
3.3MB

Download
memory/4980-83-0x00007FF724AF0000-0x00007FF724E41000-memory.dmp

Filesize
3.3MB

Download
memory/4980-153-0x00007FF724AF0000-0x00007FF724E41000-memory.dmp

Filesize
3.3MB

Download
memory/5012-93-0x00007FF7FAC30000-0x00007FF7FAF81000-memory.dmp

Filesize
3.3MB

Download
memory/5012-221-0x00007FF7FAC30000-0x00007FF7FAF81000-memory.dmp

Filesize
3.3MB

Download
memory/5012-24-0x00007FF7FAC30000-0x00007FF7FAF81000-memory.dmp

Filesize
3.3MB

Download
memory/5084-107-0x00007FF701060000-0x00007FF7013B1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-257-0x00007FF701060000-0x00007FF7013B1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-156-0x00007FF701060000-0x00007FF7013B1000-memory.dmp

Filesize
3.3MB

Download