cobaltstrike | 05386e91ae5dc3b13b7c5e82183bc7c7f829b627eaf6f8cf1eaa5d3a2f9031a2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0f5d8fe67d8a3ac31d04a6246b4c79c2
SHA1

71f963ca01ec9845d54713ac4370bc902fcedc5a
SHA256

05386e91ae5dc3b13b7c5e82183bc7c7f829b627eaf6f8cf1eaa5d3a2f9031a2
SHA512

9c7281091bb6b8d57faf7014cbd86b6d3ad592bd97bef6910ec39a720b96bfcacbbc71b3952bfe5a153067cbc8adb97e6734ac745eb765aa7e2abf95e84b6086
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6la:RWWBibf56utgpPFotBER/mQ32lUW

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023b6d-6.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b76-11.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b75-12.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b72-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b77-29.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-38.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-44.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-65.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-71.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-79.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-101.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-85.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-114.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-126.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-135.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-125.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-109.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/5080-98-0x00007FF78F680000-0x00007FF78F9D1000-memory.dmp	xmrig
behavioral2/memory/1008-100-0x00007FF617870000-0x00007FF617BC1000-memory.dmp	xmrig
behavioral2/memory/2772-87-0x00007FF624C90000-0x00007FF624FE1000-memory.dmp	xmrig
behavioral2/memory/3744-83-0x00007FF7C0110000-0x00007FF7C0461000-memory.dmp	xmrig
behavioral2/memory/4244-76-0x00007FF621980000-0x00007FF621CD1000-memory.dmp	xmrig
behavioral2/memory/1748-75-0x00007FF650F60000-0x00007FF6512B1000-memory.dmp	xmrig
behavioral2/memory/3992-70-0x00007FF7E2100000-0x00007FF7E2451000-memory.dmp	xmrig
behavioral2/memory/2276-103-0x00007FF64B230000-0x00007FF64B581000-memory.dmp	xmrig
behavioral2/memory/4296-129-0x00007FF7C8E90000-0x00007FF7C91E1000-memory.dmp	xmrig
behavioral2/memory/4808-128-0x00007FF7003C0000-0x00007FF700711000-memory.dmp	xmrig
behavioral2/memory/4700-121-0x00007FF643F70000-0x00007FF6442C1000-memory.dmp	xmrig
behavioral2/memory/4368-115-0x00007FF7489C0000-0x00007FF748D11000-memory.dmp	xmrig
behavioral2/memory/3964-108-0x00007FF74D940000-0x00007FF74DC91000-memory.dmp	xmrig
behavioral2/memory/3300-107-0x00007FF7AD1F0000-0x00007FF7AD541000-memory.dmp	xmrig
behavioral2/memory/3992-139-0x00007FF7E2100000-0x00007FF7E2451000-memory.dmp	xmrig
behavioral2/memory/2432-145-0x00007FF749410000-0x00007FF749761000-memory.dmp	xmrig
behavioral2/memory/4992-144-0x00007FF725380000-0x00007FF7256D1000-memory.dmp	xmrig
behavioral2/memory/3164-152-0x00007FF7F89F0000-0x00007FF7F8D41000-memory.dmp	xmrig
behavioral2/memory/968-159-0x00007FF6019B0000-0x00007FF601D01000-memory.dmp	xmrig
behavioral2/memory/5020-160-0x00007FF7D5A70000-0x00007FF7D5DC1000-memory.dmp	xmrig
behavioral2/memory/212-161-0x00007FF6E7E40000-0x00007FF6E8191000-memory.dmp	xmrig
behavioral2/memory/2384-165-0x00007FF7222D0000-0x00007FF722621000-memory.dmp	xmrig
behavioral2/memory/4468-166-0x00007FF662F50000-0x00007FF6632A1000-memory.dmp	xmrig
behavioral2/memory/3992-167-0x00007FF7E2100000-0x00007FF7E2451000-memory.dmp	xmrig
behavioral2/memory/4244-216-0x00007FF621980000-0x00007FF621CD1000-memory.dmp	xmrig
behavioral2/memory/2772-218-0x00007FF624C90000-0x00007FF624FE1000-memory.dmp	xmrig
behavioral2/memory/1008-221-0x00007FF617870000-0x00007FF617BC1000-memory.dmp	xmrig
behavioral2/memory/2276-229-0x00007FF64B230000-0x00007FF64B581000-memory.dmp	xmrig
behavioral2/memory/3300-231-0x00007FF7AD1F0000-0x00007FF7AD541000-memory.dmp	xmrig
behavioral2/memory/3964-235-0x00007FF74D940000-0x00007FF74DC91000-memory.dmp	xmrig
behavioral2/memory/4368-234-0x00007FF7489C0000-0x00007FF748D11000-memory.dmp	xmrig
behavioral2/memory/4700-237-0x00007FF643F70000-0x00007FF6442C1000-memory.dmp	xmrig
behavioral2/memory/4808-239-0x00007FF7003C0000-0x00007FF700711000-memory.dmp	xmrig
behavioral2/memory/4296-241-0x00007FF7C8E90000-0x00007FF7C91E1000-memory.dmp	xmrig
behavioral2/memory/1748-248-0x00007FF650F60000-0x00007FF6512B1000-memory.dmp	xmrig
behavioral2/memory/3744-252-0x00007FF7C0110000-0x00007FF7C0461000-memory.dmp	xmrig
behavioral2/memory/5080-254-0x00007FF78F680000-0x00007FF78F9D1000-memory.dmp	xmrig
behavioral2/memory/2432-257-0x00007FF749410000-0x00007FF749761000-memory.dmp	xmrig
behavioral2/memory/4992-258-0x00007FF725380000-0x00007FF7256D1000-memory.dmp	xmrig
behavioral2/memory/3164-260-0x00007FF7F89F0000-0x00007FF7F8D41000-memory.dmp	xmrig
behavioral2/memory/968-266-0x00007FF6019B0000-0x00007FF601D01000-memory.dmp	xmrig
behavioral2/memory/5020-268-0x00007FF7D5A70000-0x00007FF7D5DC1000-memory.dmp	xmrig
behavioral2/memory/212-270-0x00007FF6E7E40000-0x00007FF6E8191000-memory.dmp	xmrig
behavioral2/memory/4468-272-0x00007FF662F50000-0x00007FF6632A1000-memory.dmp	xmrig
behavioral2/memory/2384-274-0x00007FF7222D0000-0x00007FF722621000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4244	hWNOawq.exe
2772	EKVDRpQ.exe
1008	WpcRMLt.exe
2276	XrniUrf.exe
3300	WqNblBf.exe
4368	ZPrbIEh.exe
3964	xXyfWGv.exe
4700	OWFotwo.exe
4808	cCpUBzv.exe
4296	GfTpeej.exe
1748	xkgZvMs.exe
3744	QomPZfI.exe
2432	BkWFEdu.exe
5080	NkQObOO.exe
4992	whvxFqP.exe
3164	WnUAmZZ.exe
968	rfFKUuL.exe
5020	zEUMsPF.exe
212	vKeNvVh.exe
4468	SxNHxAH.exe
2384	elAmxfJ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3992-0-0x00007FF7E2100000-0x00007FF7E2451000-memory.dmp	upx
behavioral2/files/0x000d000000023b6d-6.dat	upx
behavioral2/memory/4244-7-0x00007FF621980000-0x00007FF621CD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b76-11.dat	upx
behavioral2/memory/2772-14-0x00007FF624C90000-0x00007FF624FE1000-memory.dmp	upx
behavioral2/files/0x0031000000023b75-12.dat	upx
behavioral2/memory/1008-20-0x00007FF617870000-0x00007FF617BC1000-memory.dmp	upx
behavioral2/files/0x000c000000023b72-23.dat	upx
behavioral2/memory/2276-25-0x00007FF64B230000-0x00007FF64B581000-memory.dmp	upx
behavioral2/files/0x000a000000023b77-29.dat	upx
behavioral2/files/0x000a000000023b7a-38.dat	upx
behavioral2/memory/4700-45-0x00007FF643F70000-0x00007FF6442C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-50.dat	upx
behavioral2/memory/4808-51-0x00007FF7003C0000-0x00007FF700711000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-61.dat	upx
behavioral2/memory/4296-60-0x00007FF7C8E90000-0x00007FF7C91E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-41.dat	upx
behavioral2/files/0x000a000000023b79-44.dat	upx
behavioral2/memory/3964-42-0x00007FF74D940000-0x00007FF74DC91000-memory.dmp	upx
behavioral2/memory/4368-39-0x00007FF7489C0000-0x00007FF748D11000-memory.dmp	upx
behavioral2/memory/3300-36-0x00007FF7AD1F0000-0x00007FF7AD541000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-65.dat	upx
behavioral2/files/0x000a000000023b7f-71.dat	upx
behavioral2/files/0x000a000000023b80-79.dat	upx
behavioral2/memory/4992-89-0x00007FF725380000-0x00007FF7256D1000-memory.dmp	upx
behavioral2/memory/2432-94-0x00007FF749410000-0x00007FF749761000-memory.dmp	upx
behavioral2/memory/5080-98-0x00007FF78F680000-0x00007FF78F9D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-101.dat	upx
behavioral2/memory/1008-100-0x00007FF617870000-0x00007FF617BC1000-memory.dmp	upx
behavioral2/memory/3164-99-0x00007FF7F89F0000-0x00007FF7F8D41000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-95.dat	upx
behavioral2/memory/2772-87-0x00007FF624C90000-0x00007FF624FE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b81-85.dat	upx
behavioral2/memory/3744-83-0x00007FF7C0110000-0x00007FF7C0461000-memory.dmp	upx
behavioral2/memory/4244-76-0x00007FF621980000-0x00007FF621CD1000-memory.dmp	upx
behavioral2/memory/1748-75-0x00007FF650F60000-0x00007FF6512B1000-memory.dmp	upx
behavioral2/memory/3992-70-0x00007FF7E2100000-0x00007FF7E2451000-memory.dmp	upx
behavioral2/memory/2276-103-0x00007FF64B230000-0x00007FF64B581000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-114.dat	upx
behavioral2/memory/5020-118-0x00007FF7D5A70000-0x00007FF7D5DC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-126.dat	upx
behavioral2/files/0x000a000000023b88-135.dat	upx
behavioral2/memory/2384-136-0x00007FF7222D0000-0x00007FF722621000-memory.dmp	upx
behavioral2/memory/4468-133-0x00007FF662F50000-0x00007FF6632A1000-memory.dmp	upx
behavioral2/memory/4296-129-0x00007FF7C8E90000-0x00007FF7C91E1000-memory.dmp	upx
behavioral2/memory/4808-128-0x00007FF7003C0000-0x00007FF700711000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-125.dat	upx
behavioral2/memory/212-123-0x00007FF6E7E40000-0x00007FF6E8191000-memory.dmp	upx
behavioral2/memory/4700-121-0x00007FF643F70000-0x00007FF6442C1000-memory.dmp	upx
behavioral2/memory/4368-115-0x00007FF7489C0000-0x00007FF748D11000-memory.dmp	upx
behavioral2/memory/968-110-0x00007FF6019B0000-0x00007FF601D01000-memory.dmp	upx
behavioral2/memory/3964-108-0x00007FF74D940000-0x00007FF74DC91000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-109.dat	upx
behavioral2/memory/3300-107-0x00007FF7AD1F0000-0x00007FF7AD541000-memory.dmp	upx
behavioral2/memory/3992-139-0x00007FF7E2100000-0x00007FF7E2451000-memory.dmp	upx
behavioral2/memory/2432-145-0x00007FF749410000-0x00007FF749761000-memory.dmp	upx
behavioral2/memory/4992-144-0x00007FF725380000-0x00007FF7256D1000-memory.dmp	upx
behavioral2/memory/3164-152-0x00007FF7F89F0000-0x00007FF7F8D41000-memory.dmp	upx
behavioral2/memory/968-159-0x00007FF6019B0000-0x00007FF601D01000-memory.dmp	upx
behavioral2/memory/5020-160-0x00007FF7D5A70000-0x00007FF7D5DC1000-memory.dmp	upx
behavioral2/memory/212-161-0x00007FF6E7E40000-0x00007FF6E8191000-memory.dmp	upx
behavioral2/memory/2384-165-0x00007FF7222D0000-0x00007FF722621000-memory.dmp	upx
behavioral2/memory/4468-166-0x00007FF662F50000-0x00007FF6632A1000-memory.dmp	upx
behavioral2/memory/3992-167-0x00007FF7E2100000-0x00007FF7E2451000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\xkgZvMs.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NkQObOO.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zEUMsPF.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SxNHxAH.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hWNOawq.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EKVDRpQ.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WpcRMLt.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XrniUrf.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WqNblBf.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xXyfWGv.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GfTpeej.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BkWFEdu.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZPrbIEh.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OWFotwo.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cCpUBzv.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QomPZfI.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\whvxFqP.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WnUAmZZ.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rfFKUuL.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vKeNvVh.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\elAmxfJ.exe	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 4244	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3992 wrote to memory of 4244	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3992 wrote to memory of 2772	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3992 wrote to memory of 2772	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3992 wrote to memory of 1008	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3992 wrote to memory of 1008	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3992 wrote to memory of 2276	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3992 wrote to memory of 2276	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3992 wrote to memory of 3300	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3992 wrote to memory of 3300	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3992 wrote to memory of 4368	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3992 wrote to memory of 4368	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3992 wrote to memory of 3964	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3992 wrote to memory of 3964	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3992 wrote to memory of 4700	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3992 wrote to memory of 4700	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3992 wrote to memory of 4808	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3992 wrote to memory of 4808	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3992 wrote to memory of 4296	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3992 wrote to memory of 4296	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3992 wrote to memory of 1748	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3992 wrote to memory of 1748	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3992 wrote to memory of 3744	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3992 wrote to memory of 3744	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3992 wrote to memory of 2432	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3992 wrote to memory of 2432	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3992 wrote to memory of 5080	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3992 wrote to memory of 5080	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3992 wrote to memory of 4992	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3992 wrote to memory of 4992	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3992 wrote to memory of 3164	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3992 wrote to memory of 3164	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3992 wrote to memory of 968	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3992 wrote to memory of 968	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3992 wrote to memory of 5020	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3992 wrote to memory of 5020	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3992 wrote to memory of 212	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3992 wrote to memory of 212	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3992 wrote to memory of 4468	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3992 wrote to memory of 4468	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3992 wrote to memory of 2384	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3992 wrote to memory of 2384	3992	2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_0f5d8fe67d8a3ac31d04a6246b4c79c2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\System\hWNOawq.exe
  C:\Windows\System\hWNOawq.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System\EKVDRpQ.exe
  C:\Windows\System\EKVDRpQ.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\WpcRMLt.exe
  C:\Windows\System\WpcRMLt.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\XrniUrf.exe
  C:\Windows\System\XrniUrf.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\WqNblBf.exe
  C:\Windows\System\WqNblBf.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System\ZPrbIEh.exe
  C:\Windows\System\ZPrbIEh.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\xXyfWGv.exe
  C:\Windows\System\xXyfWGv.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\OWFotwo.exe
  C:\Windows\System\OWFotwo.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System\cCpUBzv.exe
  C:\Windows\System\cCpUBzv.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\GfTpeej.exe
  C:\Windows\System\GfTpeej.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System\xkgZvMs.exe
  C:\Windows\System\xkgZvMs.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\QomPZfI.exe
  C:\Windows\System\QomPZfI.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\BkWFEdu.exe
  C:\Windows\System\BkWFEdu.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\NkQObOO.exe
  C:\Windows\System\NkQObOO.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\whvxFqP.exe
  C:\Windows\System\whvxFqP.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\WnUAmZZ.exe
  C:\Windows\System\WnUAmZZ.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\rfFKUuL.exe
  C:\Windows\System\rfFKUuL.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\zEUMsPF.exe
  C:\Windows\System\zEUMsPF.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\vKeNvVh.exe
  C:\Windows\System\vKeNvVh.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\SxNHxAH.exe
  C:\Windows\System\SxNHxAH.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\elAmxfJ.exe
  C:\Windows\System\elAmxfJ.exe
  2⤵
  - Executes dropped EXE
  PID:2384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BkWFEdu.exe

Filesize
5.2MB

MD5
ea5f6268bac3e7b46c71ccaf844b75c2

SHA1
c3a3ed93552ba56a5d9d11d7ebb2dcdfca911c1d

SHA256
e3acb1b8047524c33e5c9e38ae73636f5c93d0d808d2ad7e59d20d4cad9d3c3c

SHA512
c570564fb6214dc8b8b2ed143f632d33c031afcb4044e67d166fff1178ea707d13fff5d015ce7d4402026b3956b3265e551ffe9b378acd3802a890ffa6e0793e

Download Submit
C:\Windows\System\EKVDRpQ.exe

Filesize
5.2MB

MD5
666955e4048a2abce5f8865e3dac1b16

SHA1
ce83a08f97ce88f381f456a8bcfe58d5b733fb5f

SHA256
9964498fe3f8809faad9e6ae06ee09ac81dcae1ff80982269d2ab33b4e728c43

SHA512
01e037f8122f3fb6413ad03890297921b7a6200b1be4dfedcabe86b5aec701c8447d46a4a87aa60a56b9b07341e4a0aea57bda703bc6a5b3849de9afb20e0e13

Download Submit
C:\Windows\System\GfTpeej.exe

Filesize
5.2MB

MD5
8eb73d1bf081c706765918143ae2c8bb

SHA1
48cbc8dd201c9af3e0ac0c4b42179634ad3bebce

SHA256
8816439dd092ea6fe8d86364a57fa676834f6ed9451a9f756d624d3f9db78379

SHA512
0272d072ed4044c7f83c9cdc6b16854dcf8beba88b8b1824f88592635c658e1b69348594498090f19567c6ca4d4046c3fb5029e107dfde7b039ac63f659e0e5c

Download Submit
C:\Windows\System\NkQObOO.exe

Filesize
5.2MB

MD5
231bcd691be971e4fe5b7e6c77d5d258

SHA1
d4fd2871e5e81d940ed57aeb1a5bab7ed1947b4b

SHA256
4c5492bf7e8c275124db317ced0617c6ed6250a1d78c422c8872bdbd6796c526

SHA512
36ac24da02364ed3a830942eb4e98c7b85032c68b8706415253a3c89d7b3bf08efae096509b925697dd2d6087d3e382038bf2964031b34ea0be1002a621f0863

Download Submit
C:\Windows\System\OWFotwo.exe

Filesize
5.2MB

MD5
8c3c219be8c8691aba3ac2c67a6cb535

SHA1
5a32ea33b944a22dcdc0e0ddc860e54b5dcf52e2

SHA256
352f8f248a8048b3efa3b24283aa4e784e1e1f39b0db730e6dd48de153143b40

SHA512
c93a826225e04b9507d3a908f7859bf552110452dd7d0fb63d8a94ef5bb48c7fb9c7d2218faa21cde6d0069d4871a22e7f2ceac6cc124ca8b454114886e6f3c5

Download Submit
C:\Windows\System\QomPZfI.exe

Filesize
5.2MB

MD5
6467bd17bfef48d460d23d7cd03250b7

SHA1
07ed10c67c40ea9a16b78265afe165893f3dd474

SHA256
1a92376b5b0057334bde673803da7d4c3c63232d2cbfa46973d9bebd160ee7ea

SHA512
449ba174998b5e68d249a1c2a76e99d079fb02995e468a6b92da1014fc6c25f6eebdf0366016aecf1534a2b1bb6bfcc4468f87a38de38b87e7283c3eca10f5fb

Download Submit
C:\Windows\System\SxNHxAH.exe

Filesize
5.2MB

MD5
4822faf63c1d551e0458990162fa86d9

SHA1
2b44775aba3c957e90c311e0e84e28d7c85fd1d0

SHA256
b10e8e0b6241a12f808505155b54e7bd06fb030bd28980856dbb2480c94bb01b

SHA512
a245f2b32e39cae54fb66973c524760148dece1bef3ee4ce35fa1fff15efadf45f69c98197451ac00b6e3b22da864d10309063559be29a0c37e43c9d1b0e74e5

Download Submit
C:\Windows\System\WnUAmZZ.exe

Filesize
5.2MB

MD5
b8a61845b00df357a4a4e07b5c6339de

SHA1
64aabfaee679ad9d683f845f8e0595f67d61e7da

SHA256
ea097792382ea808da2e131505e1df22dcfb7e7414ff6c2b3ec57e2d574d31fe

SHA512
b97212fd735a45577f5aba16a4bebf880671635c8a24fc8f7ec7c17567cbf69126f4fb9cbbaf4359aa2d807c191bc5e23a5aaae2718bd95fcdb35ea33477c190

Download Submit
C:\Windows\System\WpcRMLt.exe

Filesize
5.2MB

MD5
f6eff63927c9853bee72fe5637039ec2

SHA1
c2904a2d97d3426bf9e39ed80a8cd6adb32c3917

SHA256
41a4f13bbf8302f645f70bd06bfc54fe0091aa94db8efa11b6e295d428ea0e31

SHA512
98e3ee0a0121a586aaf284d6c96818818b6662f790e686fb4a509591bd15a475ed23695bb1adc911dc4f0662d4457fb20e45db3b3a29d1a86f6f4ff3b57203cb

Download Submit
C:\Windows\System\WqNblBf.exe

Filesize
5.2MB

MD5
7d65c010ca3eb93e31862f97024973d2

SHA1
91222355b677ceb4b753e328a018bd563882a92c

SHA256
62c2db85b098c4c745434ac2e101eed3ff816183937b2088fd37ffa82dcad05c

SHA512
7653b4a788460ae2a6061b5e51a66723820056581eb3512d2091ee265994723d770b59f4c467fd0710798433810ca0d87851a0fb7165906c4df7797e085b3201

Download Submit
C:\Windows\System\XrniUrf.exe

Filesize
5.2MB

MD5
63208c68097d36ad36acf07366003bc4

SHA1
e4f2fcf85fa5c7eb6856105035a9f275604957d5

SHA256
0cc47ed6fa73c5e42fca64975eb8f75bf99ae2814489f02ba98dc99b73d058f6

SHA512
be6e0ebd2855e82d2249f2fcf744679e92a9159d80c5c6222987ef5b812de99238e93e52b70f2f1557e7d715121a6517becc038d63a0db43ae430c43c2a2adb9

Download Submit
C:\Windows\System\ZPrbIEh.exe

Filesize
5.2MB

MD5
bee2e3f3cb33a2c4a541a632aa360fe5

SHA1
b55384018f59398e618301c4befa413b7bbec1d7

SHA256
a00d8055f7951ed327917cef9032c908a2e9ffcafd1d4fe3b30970b7c570ed4e

SHA512
8ab9bd00528123dbc2e5f351dd4efcc07ca1b53fce07e22cd7f9bfefe271b2539fe22e17c72c0bde6d837ad875efb184678147ffaf146d0c5a1fbb914836fc59

Download Submit
C:\Windows\System\cCpUBzv.exe

Filesize
5.2MB

MD5
d091339cca0962a31d8a3c5a1377aae7

SHA1
a52db271cadca1c92bcf0d41fe8f143a68b0dd9e

SHA256
215436347783628163438f845726166b2664ac0a8ba32c9593433eba22a98ba6

SHA512
436d828f6a2749d244f97640bc51f4a333e4af341242c65d15e2397df4627f34948b04e5a41435b57066a32b6ce8f6437413b9b2b06ccffd488c780d104d2286

Download Submit
C:\Windows\System\elAmxfJ.exe

Filesize
5.2MB

MD5
3a535b6af3edc1bc949270e50f8bf389

SHA1
5f0621b847e06d5a3867c545b0774f6823a6960c

SHA256
c43ae54368b95591df46667810e0c3e95c9829f0fb1eda7cc6898460807a9722

SHA512
b5759838fdc8c8a9aef4bc52d24400c22578db500a8b3715d321d70f17a3ff4b26b4496b03f165bd74a25141e94a481677c2f804823506212ba714f345f993d5

Download Submit
C:\Windows\System\hWNOawq.exe

Filesize
5.2MB

MD5
d9ab7dbfd1cca66d3b2acab579e4ba1a

SHA1
7135c3f7c6a307d2d6be7b605e0c4b5dedaeb714

SHA256
93dcbf32cd96e4a47fba6d698db46fb26bbbc84467b34b46d70fc149fc798bc7

SHA512
42a8b010a2d1c55549a2d55e7cf6ab27462c05615e76ef62c94a8a3f302b9c0f4668a76865c061e34620ca2e80b8e274255c7e5c0bbc96902cc3d37f2d2d5195

Download Submit
C:\Windows\System\rfFKUuL.exe

Filesize
5.2MB

MD5
1b91950b3dd9a96e0515f6e41f72e60f

SHA1
ce62b5526de58cf3fbac129e825a987a60283493

SHA256
8368685f58896f1a3fcff2566f73ec824002d4413c268a74b0f1ae4cfc7a6198

SHA512
5e2174169844319bc081f43f27f9ddf70228b5b6114b5fd8b8a5d5e2e20987d15d2d53ac9795450e1cedc4d91d7a4160ef3a25586109f767b78646aeaceabd01

Download Submit
C:\Windows\System\vKeNvVh.exe

Filesize
5.2MB

MD5
760e446e953035f31e2026e6bfe8bc9c

SHA1
10eb51bd05aa430c4f1759525071744a3d52b1f3

SHA256
85364e157e16f32d988845e4940ede85694f7cd348223fef67eb691866554bd6

SHA512
b94b8d786bd614c3e89d49578ac9b8925e9b6357bfe678b960c6113216221cd95a7097d6751704dd8491a5210b21bee9baf4b817ea0655f2f4846dc317093241

Download Submit
C:\Windows\System\whvxFqP.exe

Filesize
5.2MB

MD5
ea188bf03b995cb61849b3613afd99eb

SHA1
87051462398a05e43015eab9c6ca53f1d5937029

SHA256
5da5cff0ae2c1d5a9669f6620cf3d377f0141978f8580be29bb7ced2e093b13c

SHA512
5710e78859f425b6eb86d07d3ac4a00062138d7b3dfc25139dfe0c53264c5bdb8b4fdd20f4ecc9c266cb14f9a2812af9f6f48ae3e91dd906ca94a18bd4c3fb95

Download Submit
C:\Windows\System\xXyfWGv.exe

Filesize
5.2MB

MD5
abae4c973cdd1a5206766aa2b20c85a7

SHA1
dea29a13a2af8a8413d7d9116fb9f15e12da5d13

SHA256
38f8945df26bc73a42f3efd6477dbb272f257eb2e150c81f9d6aa6e8a0048996

SHA512
f9504a0c0c2c56770a7142cdd08564ad34edb1f95722410f217a9ac4aff730deacefe9eb7100fbeebea8c4b8d623129378da2e88e1a64589cb639784c765d47c

Download Submit
C:\Windows\System\xkgZvMs.exe

Filesize
5.2MB

MD5
901c088083bdf7392ce124271c91d2fd

SHA1
a10bf262fb327dcc286091fa6ffb0032f64e31d0

SHA256
a14f70b3eab5a2066fbb7b50df9810363eefc56a6d9f4fdc794899b0283b0081

SHA512
aff14d34a4f902b963b7c95d6912a9823888e61ca1e79ef8252dc121fde8a3161c43dce1e90f330d9894f211a9f27e2bacca1c86ca8ce6bd9b7e28f291f5b2a2

Download Submit
C:\Windows\System\zEUMsPF.exe

Filesize
5.2MB

MD5
0814d2e87a7cd61802e4e9e2ee5e8bdb

SHA1
70b3068b590da0daf3d7b42d219b0202ca095155

SHA256
bb24f2a7556968bac1038c792c38c31ea561e452262f377f01bbf135c7af4271

SHA512
a4a0ac661cb9a9a9cd55adafbdb73e15ea76454f70b6a8f92e3de06647a76b4548e29a617fa736ebde70d62870808375c0fb7151c3bef23879d2b907942fe803

Download Submit
memory/212-270-0x00007FF6E7E40000-0x00007FF6E8191000-memory.dmp

Filesize
3.3MB

Download
memory/212-161-0x00007FF6E7E40000-0x00007FF6E8191000-memory.dmp

Filesize
3.3MB

Download
memory/212-123-0x00007FF6E7E40000-0x00007FF6E8191000-memory.dmp

Filesize
3.3MB

Download
memory/968-266-0x00007FF6019B0000-0x00007FF601D01000-memory.dmp

Filesize
3.3MB

Download
memory/968-159-0x00007FF6019B0000-0x00007FF601D01000-memory.dmp

Filesize
3.3MB

Download
memory/968-110-0x00007FF6019B0000-0x00007FF601D01000-memory.dmp

Filesize
3.3MB

Download
memory/1008-100-0x00007FF617870000-0x00007FF617BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1008-221-0x00007FF617870000-0x00007FF617BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1008-20-0x00007FF617870000-0x00007FF617BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1748-75-0x00007FF650F60000-0x00007FF6512B1000-memory.dmp

Filesize
3.3MB

Download
memory/1748-248-0x00007FF650F60000-0x00007FF6512B1000-memory.dmp

Filesize
3.3MB

Download
memory/2276-25-0x00007FF64B230000-0x00007FF64B581000-memory.dmp

Filesize
3.3MB

Download
memory/2276-103-0x00007FF64B230000-0x00007FF64B581000-memory.dmp

Filesize
3.3MB

Download
memory/2276-229-0x00007FF64B230000-0x00007FF64B581000-memory.dmp

Filesize
3.3MB

Download
memory/2384-136-0x00007FF7222D0000-0x00007FF722621000-memory.dmp

Filesize
3.3MB

Download
memory/2384-165-0x00007FF7222D0000-0x00007FF722621000-memory.dmp

Filesize
3.3MB

Download
memory/2384-274-0x00007FF7222D0000-0x00007FF722621000-memory.dmp

Filesize
3.3MB

Download
memory/2432-94-0x00007FF749410000-0x00007FF749761000-memory.dmp

Filesize
3.3MB

Download
memory/2432-145-0x00007FF749410000-0x00007FF749761000-memory.dmp

Filesize
3.3MB

Download
memory/2432-257-0x00007FF749410000-0x00007FF749761000-memory.dmp

Filesize
3.3MB

Download
memory/2772-14-0x00007FF624C90000-0x00007FF624FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-87-0x00007FF624C90000-0x00007FF624FE1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-218-0x00007FF624C90000-0x00007FF624FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3164-152-0x00007FF7F89F0000-0x00007FF7F8D41000-memory.dmp

Filesize
3.3MB

Download
memory/3164-99-0x00007FF7F89F0000-0x00007FF7F8D41000-memory.dmp

Filesize
3.3MB

Download
memory/3164-260-0x00007FF7F89F0000-0x00007FF7F8D41000-memory.dmp

Filesize
3.3MB

Download
memory/3300-36-0x00007FF7AD1F0000-0x00007FF7AD541000-memory.dmp

Filesize
3.3MB

Download
memory/3300-231-0x00007FF7AD1F0000-0x00007FF7AD541000-memory.dmp

Filesize
3.3MB

Download
memory/3300-107-0x00007FF7AD1F0000-0x00007FF7AD541000-memory.dmp

Filesize
3.3MB

Download
memory/3744-83-0x00007FF7C0110000-0x00007FF7C0461000-memory.dmp

Filesize
3.3MB

Download
memory/3744-252-0x00007FF7C0110000-0x00007FF7C0461000-memory.dmp

Filesize
3.3MB

Download
memory/3964-42-0x00007FF74D940000-0x00007FF74DC91000-memory.dmp

Filesize
3.3MB

Download
memory/3964-235-0x00007FF74D940000-0x00007FF74DC91000-memory.dmp

Filesize
3.3MB

Download
memory/3964-108-0x00007FF74D940000-0x00007FF74DC91000-memory.dmp

Filesize
3.3MB

Download
memory/3992-139-0x00007FF7E2100000-0x00007FF7E2451000-memory.dmp

Filesize
3.3MB

Download
memory/3992-0-0x00007FF7E2100000-0x00007FF7E2451000-memory.dmp

Filesize
3.3MB

Download
memory/3992-70-0x00007FF7E2100000-0x00007FF7E2451000-memory.dmp

Filesize
3.3MB

Download
memory/3992-1-0x0000022DBB9B0000-0x0000022DBB9C0000-memory.dmp

Filesize
64KB

Download
memory/3992-167-0x00007FF7E2100000-0x00007FF7E2451000-memory.dmp

Filesize
3.3MB

Download
memory/4244-76-0x00007FF621980000-0x00007FF621CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4244-7-0x00007FF621980000-0x00007FF621CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4244-216-0x00007FF621980000-0x00007FF621CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4296-241-0x00007FF7C8E90000-0x00007FF7C91E1000-memory.dmp

Filesize
3.3MB

Download
memory/4296-60-0x00007FF7C8E90000-0x00007FF7C91E1000-memory.dmp

Filesize
3.3MB

Download
memory/4296-129-0x00007FF7C8E90000-0x00007FF7C91E1000-memory.dmp

Filesize
3.3MB

Download
memory/4368-234-0x00007FF7489C0000-0x00007FF748D11000-memory.dmp

Filesize
3.3MB

Download
memory/4368-39-0x00007FF7489C0000-0x00007FF748D11000-memory.dmp

Filesize
3.3MB

Download
memory/4368-115-0x00007FF7489C0000-0x00007FF748D11000-memory.dmp

Filesize
3.3MB

Download
memory/4468-133-0x00007FF662F50000-0x00007FF6632A1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-166-0x00007FF662F50000-0x00007FF6632A1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-272-0x00007FF662F50000-0x00007FF6632A1000-memory.dmp

Filesize
3.3MB

Download
memory/4700-45-0x00007FF643F70000-0x00007FF6442C1000-memory.dmp

Filesize
3.3MB

Download
memory/4700-237-0x00007FF643F70000-0x00007FF6442C1000-memory.dmp

Filesize
3.3MB

Download
memory/4700-121-0x00007FF643F70000-0x00007FF6442C1000-memory.dmp

Filesize
3.3MB

Download
memory/4808-239-0x00007FF7003C0000-0x00007FF700711000-memory.dmp

Filesize
3.3MB

Download
memory/4808-128-0x00007FF7003C0000-0x00007FF700711000-memory.dmp

Filesize
3.3MB

Download
memory/4808-51-0x00007FF7003C0000-0x00007FF700711000-memory.dmp

Filesize
3.3MB

Download
memory/4992-144-0x00007FF725380000-0x00007FF7256D1000-memory.dmp

Filesize
3.3MB

Download
memory/4992-258-0x00007FF725380000-0x00007FF7256D1000-memory.dmp

Filesize
3.3MB

Download
memory/4992-89-0x00007FF725380000-0x00007FF7256D1000-memory.dmp

Filesize
3.3MB

Download
memory/5020-268-0x00007FF7D5A70000-0x00007FF7D5DC1000-memory.dmp

Filesize
3.3MB

Download
memory/5020-160-0x00007FF7D5A70000-0x00007FF7D5DC1000-memory.dmp

Filesize
3.3MB

Download
memory/5020-118-0x00007FF7D5A70000-0x00007FF7D5DC1000-memory.dmp

Filesize
3.3MB

Download
memory/5080-254-0x00007FF78F680000-0x00007FF78F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/5080-98-0x00007FF78F680000-0x00007FF78F9D1000-memory.dmp

Filesize
3.3MB

Download