cobaltstrike | bd49895f9b6bc3c2c3024915d989bd974f54e8e06c61d38d831c2e4aeb360f09

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

8c25628119774509ffcbf6bedbc7bd34
SHA1

0959b1d94cd15a7e8e427df4839a167d3aae020f
SHA256

bd49895f9b6bc3c2c3024915d989bd974f54e8e06c61d38d831c2e4aeb360f09
SHA512

2baad64370891799962521bbbbaec757a6b8e4e02eae791870227858a28703e8b165c867599d73868aac2a2a1168a0e0017b30eb2a255191f0e721ada4988962
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lv:RWWBibf56utgpPFotBER/mQ32lUz

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023c61-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c65-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c66-19.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c68-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6e-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6f-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c75-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c77-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c76-115.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c62-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c74-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c73-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c72-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c70-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c71-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6d-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6c-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c69-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6a-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6b-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c67-31.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2144-70-0x00007FF77ABA0000-0x00007FF77AEF1000-memory.dmp	xmrig
behavioral2/memory/2940-72-0x00007FF7EE7C0000-0x00007FF7EEB11000-memory.dmp	xmrig
behavioral2/memory/32-73-0x00007FF738990000-0x00007FF738CE1000-memory.dmp	xmrig
behavioral2/memory/4712-64-0x00007FF795630000-0x00007FF795981000-memory.dmp	xmrig
behavioral2/memory/1640-119-0x00007FF6FD490000-0x00007FF6FD7E1000-memory.dmp	xmrig
behavioral2/memory/544-121-0x00007FF69F640000-0x00007FF69F991000-memory.dmp	xmrig
behavioral2/memory/4164-122-0x00007FF7441D0000-0x00007FF744521000-memory.dmp	xmrig
behavioral2/memory/2888-123-0x00007FF703080000-0x00007FF7033D1000-memory.dmp	xmrig
behavioral2/memory/1296-120-0x00007FF7C66A0000-0x00007FF7C69F1000-memory.dmp	xmrig
behavioral2/memory/1896-127-0x00007FF6AE5A0000-0x00007FF6AE8F1000-memory.dmp	xmrig
behavioral2/memory/1000-128-0x00007FF699740000-0x00007FF699A91000-memory.dmp	xmrig
behavioral2/memory/4176-125-0x00007FF6B8990000-0x00007FF6B8CE1000-memory.dmp	xmrig
behavioral2/memory/3448-126-0x00007FF7C0A80000-0x00007FF7C0DD1000-memory.dmp	xmrig
behavioral2/memory/1500-124-0x00007FF7F7060000-0x00007FF7F73B1000-memory.dmp	xmrig
behavioral2/memory/736-130-0x00007FF640D00000-0x00007FF641051000-memory.dmp	xmrig
behavioral2/memory/872-140-0x00007FF62E040000-0x00007FF62E391000-memory.dmp	xmrig
behavioral2/memory/1288-139-0x00007FF76BFC0000-0x00007FF76C311000-memory.dmp	xmrig
behavioral2/memory/3492-137-0x00007FF7A09D0000-0x00007FF7A0D21000-memory.dmp	xmrig
behavioral2/memory/3384-135-0x00007FF626830000-0x00007FF626B81000-memory.dmp	xmrig
behavioral2/memory/2196-132-0x00007FF7F3AA0000-0x00007FF7F3DF1000-memory.dmp	xmrig
behavioral2/memory/380-129-0x00007FF744030000-0x00007FF744381000-memory.dmp	xmrig
behavioral2/memory/4476-133-0x00007FF6DBA70000-0x00007FF6DBDC1000-memory.dmp	xmrig
behavioral2/memory/3448-150-0x00007FF7C0A80000-0x00007FF7C0DD1000-memory.dmp	xmrig
behavioral2/memory/3448-151-0x00007FF7C0A80000-0x00007FF7C0DD1000-memory.dmp	xmrig
behavioral2/memory/380-202-0x00007FF744030000-0x00007FF744381000-memory.dmp	xmrig
behavioral2/memory/736-204-0x00007FF640D00000-0x00007FF641051000-memory.dmp	xmrig
behavioral2/memory/4712-218-0x00007FF795630000-0x00007FF795981000-memory.dmp	xmrig
behavioral2/memory/4476-220-0x00007FF6DBA70000-0x00007FF6DBDC1000-memory.dmp	xmrig
behavioral2/memory/2940-224-0x00007FF7EE7C0000-0x00007FF7EEB11000-memory.dmp	xmrig
behavioral2/memory/2196-223-0x00007FF7F3AA0000-0x00007FF7F3DF1000-memory.dmp	xmrig
behavioral2/memory/3492-227-0x00007FF7A09D0000-0x00007FF7A0D21000-memory.dmp	xmrig
behavioral2/memory/2144-230-0x00007FF77ABA0000-0x00007FF77AEF1000-memory.dmp	xmrig
behavioral2/memory/3384-229-0x00007FF626830000-0x00007FF626B81000-memory.dmp	xmrig
behavioral2/memory/32-232-0x00007FF738990000-0x00007FF738CE1000-memory.dmp	xmrig
behavioral2/memory/1296-242-0x00007FF7C66A0000-0x00007FF7C69F1000-memory.dmp	xmrig
behavioral2/memory/1640-240-0x00007FF6FD490000-0x00007FF6FD7E1000-memory.dmp	xmrig
behavioral2/memory/1288-239-0x00007FF76BFC0000-0x00007FF76C311000-memory.dmp	xmrig
behavioral2/memory/2888-245-0x00007FF703080000-0x00007FF7033D1000-memory.dmp	xmrig
behavioral2/memory/4176-256-0x00007FF6B8990000-0x00007FF6B8CE1000-memory.dmp	xmrig
behavioral2/memory/1896-258-0x00007FF6AE5A0000-0x00007FF6AE8F1000-memory.dmp	xmrig
behavioral2/memory/544-254-0x00007FF69F640000-0x00007FF69F991000-memory.dmp	xmrig
behavioral2/memory/4164-249-0x00007FF7441D0000-0x00007FF744521000-memory.dmp	xmrig
behavioral2/memory/872-252-0x00007FF62E040000-0x00007FF62E391000-memory.dmp	xmrig
behavioral2/memory/1000-251-0x00007FF699740000-0x00007FF699A91000-memory.dmp	xmrig
behavioral2/memory/1500-247-0x00007FF7F7060000-0x00007FF7F73B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

gxCSdtp.execENQJtF.exeztOrluK.exemMjRdax.exermmKTNu.exeuBUZcyK.exewyGVpvF.exevnzdvtk.exepQCQOlE.exeqkejtgF.exeTMjUOff.exedrRXrAJ.exelfIAWmM.exeTlqMzLs.exeStBDgNy.exeuKktsRK.exeiXjYmbC.exeiBxBXPF.exeEWVqKTy.exeIMZwNLJ.exeIAVMPHo.exe

pid	Process
380	gxCSdtp.exe
736	cENQJtF.exe
4712	ztOrluK.exe
2196	mMjRdax.exe
4476	rmmKTNu.exe
2144	uBUZcyK.exe
3384	wyGVpvF.exe
2940	vnzdvtk.exe
3492	pQCQOlE.exe
32	qkejtgF.exe
1288	TMjUOff.exe
872	drRXrAJ.exe
1640	lfIAWmM.exe
1296	TlqMzLs.exe
1000	StBDgNy.exe
544	uKktsRK.exe
4164	iXjYmbC.exe
2888	iBxBXPF.exe
1500	EWVqKTy.exe
4176	IMZwNLJ.exe
1896	IAVMPHo.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3448-0-0x00007FF7C0A80000-0x00007FF7C0DD1000-memory.dmp	upx
behavioral2/files/0x0008000000023c61-5.dat	upx
behavioral2/files/0x0007000000023c65-11.dat	upx
behavioral2/files/0x0007000000023c66-19.dat	upx
behavioral2/files/0x0007000000023c68-34.dat	upx
behavioral2/memory/3492-53-0x00007FF7A09D0000-0x00007FF7A0D21000-memory.dmp	upx
behavioral2/files/0x0007000000023c6e-71.dat	upx
behavioral2/memory/2144-70-0x00007FF77ABA0000-0x00007FF77AEF1000-memory.dmp	upx
behavioral2/memory/2940-72-0x00007FF7EE7C0000-0x00007FF7EEB11000-memory.dmp	upx
behavioral2/files/0x0007000000023c6f-80.dat	upx
behavioral2/files/0x0007000000023c75-108.dat	upx
behavioral2/files/0x0007000000023c77-117.dat	upx
behavioral2/files/0x0007000000023c76-115.dat	upx
behavioral2/files/0x0008000000023c62-106.dat	upx
behavioral2/files/0x0007000000023c74-104.dat	upx
behavioral2/files/0x0007000000023c73-102.dat	upx
behavioral2/files/0x0007000000023c72-100.dat	upx
behavioral2/files/0x0007000000023c70-88.dat	upx
behavioral2/files/0x0007000000023c71-86.dat	upx
behavioral2/memory/1288-75-0x00007FF76BFC0000-0x00007FF76C311000-memory.dmp	upx
behavioral2/memory/872-74-0x00007FF62E040000-0x00007FF62E391000-memory.dmp	upx
behavioral2/memory/32-73-0x00007FF738990000-0x00007FF738CE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c6d-66.dat	upx
behavioral2/memory/4712-64-0x00007FF795630000-0x00007FF795981000-memory.dmp	upx
behavioral2/files/0x0007000000023c6c-57.dat	upx
behavioral2/files/0x0007000000023c69-56.dat	upx
behavioral2/files/0x0007000000023c6a-49.dat	upx
behavioral2/memory/3384-46-0x00007FF626830000-0x00007FF626B81000-memory.dmp	upx
behavioral2/files/0x0007000000023c6b-44.dat	upx
behavioral2/memory/4476-39-0x00007FF6DBA70000-0x00007FF6DBDC1000-memory.dmp	upx
behavioral2/files/0x0007000000023c67-31.dat	upx
behavioral2/memory/2196-30-0x00007FF7F3AA0000-0x00007FF7F3DF1000-memory.dmp	upx
behavioral2/memory/736-24-0x00007FF640D00000-0x00007FF641051000-memory.dmp	upx
behavioral2/memory/380-14-0x00007FF744030000-0x00007FF744381000-memory.dmp	upx
behavioral2/memory/1640-119-0x00007FF6FD490000-0x00007FF6FD7E1000-memory.dmp	upx
behavioral2/memory/544-121-0x00007FF69F640000-0x00007FF69F991000-memory.dmp	upx
behavioral2/memory/4164-122-0x00007FF7441D0000-0x00007FF744521000-memory.dmp	upx
behavioral2/memory/2888-123-0x00007FF703080000-0x00007FF7033D1000-memory.dmp	upx
behavioral2/memory/1296-120-0x00007FF7C66A0000-0x00007FF7C69F1000-memory.dmp	upx
behavioral2/memory/1896-127-0x00007FF6AE5A0000-0x00007FF6AE8F1000-memory.dmp	upx
behavioral2/memory/1000-128-0x00007FF699740000-0x00007FF699A91000-memory.dmp	upx
behavioral2/memory/4176-125-0x00007FF6B8990000-0x00007FF6B8CE1000-memory.dmp	upx
behavioral2/memory/3448-126-0x00007FF7C0A80000-0x00007FF7C0DD1000-memory.dmp	upx
behavioral2/memory/1500-124-0x00007FF7F7060000-0x00007FF7F73B1000-memory.dmp	upx
behavioral2/memory/736-130-0x00007FF640D00000-0x00007FF641051000-memory.dmp	upx
behavioral2/memory/872-140-0x00007FF62E040000-0x00007FF62E391000-memory.dmp	upx
behavioral2/memory/1288-139-0x00007FF76BFC0000-0x00007FF76C311000-memory.dmp	upx
behavioral2/memory/3492-137-0x00007FF7A09D0000-0x00007FF7A0D21000-memory.dmp	upx
behavioral2/memory/3384-135-0x00007FF626830000-0x00007FF626B81000-memory.dmp	upx
behavioral2/memory/2196-132-0x00007FF7F3AA0000-0x00007FF7F3DF1000-memory.dmp	upx
behavioral2/memory/380-129-0x00007FF744030000-0x00007FF744381000-memory.dmp	upx
behavioral2/memory/4476-133-0x00007FF6DBA70000-0x00007FF6DBDC1000-memory.dmp	upx
behavioral2/memory/3448-150-0x00007FF7C0A80000-0x00007FF7C0DD1000-memory.dmp	upx
behavioral2/memory/3448-151-0x00007FF7C0A80000-0x00007FF7C0DD1000-memory.dmp	upx
behavioral2/memory/380-202-0x00007FF744030000-0x00007FF744381000-memory.dmp	upx
behavioral2/memory/736-204-0x00007FF640D00000-0x00007FF641051000-memory.dmp	upx
behavioral2/memory/4712-218-0x00007FF795630000-0x00007FF795981000-memory.dmp	upx
behavioral2/memory/4476-220-0x00007FF6DBA70000-0x00007FF6DBDC1000-memory.dmp	upx
behavioral2/memory/2940-224-0x00007FF7EE7C0000-0x00007FF7EEB11000-memory.dmp	upx
behavioral2/memory/2196-223-0x00007FF7F3AA0000-0x00007FF7F3DF1000-memory.dmp	upx
behavioral2/memory/3492-227-0x00007FF7A09D0000-0x00007FF7A0D21000-memory.dmp	upx
behavioral2/memory/2144-230-0x00007FF77ABA0000-0x00007FF77AEF1000-memory.dmp	upx
behavioral2/memory/3384-229-0x00007FF626830000-0x00007FF626B81000-memory.dmp	upx
behavioral2/memory/32-232-0x00007FF738990000-0x00007FF738CE1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\ztOrluK.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uBUZcyK.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pQCQOlE.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TMjUOff.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IMZwNLJ.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gxCSdtp.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iXjYmbC.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EWVqKTy.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vnzdvtk.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\drRXrAJ.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TlqMzLs.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iBxBXPF.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\StBDgNy.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IAVMPHo.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cENQJtF.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rmmKTNu.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wyGVpvF.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qkejtgF.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lfIAWmM.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uKktsRK.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mMjRdax.exe	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 3448 wrote to memory of 380	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3448 wrote to memory of 380	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3448 wrote to memory of 736	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3448 wrote to memory of 736	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3448 wrote to memory of 4712	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3448 wrote to memory of 4712	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3448 wrote to memory of 2196	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3448 wrote to memory of 2196	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3448 wrote to memory of 4476	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3448 wrote to memory of 4476	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3448 wrote to memory of 2144	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3448 wrote to memory of 2144	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3448 wrote to memory of 3384	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3448 wrote to memory of 3384	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3448 wrote to memory of 2940	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3448 wrote to memory of 2940	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3448 wrote to memory of 3492	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3448 wrote to memory of 3492	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3448 wrote to memory of 32	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3448 wrote to memory of 32	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3448 wrote to memory of 1288	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3448 wrote to memory of 1288	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3448 wrote to memory of 872	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3448 wrote to memory of 872	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3448 wrote to memory of 1296	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3448 wrote to memory of 1296	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3448 wrote to memory of 1640	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3448 wrote to memory of 1640	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3448 wrote to memory of 2888	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3448 wrote to memory of 2888	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3448 wrote to memory of 1000	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3448 wrote to memory of 1000	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3448 wrote to memory of 544	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3448 wrote to memory of 544	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3448 wrote to memory of 4164	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3448 wrote to memory of 4164	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3448 wrote to memory of 1500	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3448 wrote to memory of 1500	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3448 wrote to memory of 4176	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3448 wrote to memory of 4176	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3448 wrote to memory of 1896	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3448 wrote to memory of 1896	3448	2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-25_8c25628119774509ffcbf6bedbc7bd34_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\System\gxCSdtp.exe
  C:\Windows\System\gxCSdtp.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\cENQJtF.exe
  C:\Windows\System\cENQJtF.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System\ztOrluK.exe
  C:\Windows\System\ztOrluK.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System\mMjRdax.exe
  C:\Windows\System\mMjRdax.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\rmmKTNu.exe
  C:\Windows\System\rmmKTNu.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\uBUZcyK.exe
  C:\Windows\System\uBUZcyK.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\wyGVpvF.exe
  C:\Windows\System\wyGVpvF.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System\vnzdvtk.exe
  C:\Windows\System\vnzdvtk.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\pQCQOlE.exe
  C:\Windows\System\pQCQOlE.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\qkejtgF.exe
  C:\Windows\System\qkejtgF.exe
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Windows\System\TMjUOff.exe
  C:\Windows\System\TMjUOff.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System\drRXrAJ.exe
  C:\Windows\System\drRXrAJ.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\TlqMzLs.exe
  C:\Windows\System\TlqMzLs.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\lfIAWmM.exe
  C:\Windows\System\lfIAWmM.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\iBxBXPF.exe
  C:\Windows\System\iBxBXPF.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\StBDgNy.exe
  C:\Windows\System\StBDgNy.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System\uKktsRK.exe
  C:\Windows\System\uKktsRK.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System\iXjYmbC.exe
  C:\Windows\System\iXjYmbC.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System\EWVqKTy.exe
  C:\Windows\System\EWVqKTy.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System\IMZwNLJ.exe
  C:\Windows\System\IMZwNLJ.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\IAVMPHo.exe
  C:\Windows\System\IAVMPHo.exe
  2⤵
  - Executes dropped EXE
  PID:1896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EWVqKTy.exe

Filesize
5.2MB

MD5
7028b0b3b9545a72e30b266c4fa5f168

SHA1
657e077036d8bdf5624c4a6c55abb73c89796d0f

SHA256
a7c7d7c9ff735a8346e4d24ae34f21b118b20dba157d8809673b8a6509a2a8dd

SHA512
ffc8a25ffaf58ff4c58c137679535d72f74fe408467dec330d31e001a2b1d6f937314540e530668d6508555b7adb1794edc77cea207704cb7c2ae9d506f200b6

Download Submit
C:\Windows\System\IAVMPHo.exe

Filesize
5.2MB

MD5
b88ac8e579680d8f69730683f43bc147

SHA1
3a958f3f8da5223c98077d7a5f919070405032fe

SHA256
90a7a81b572bd3128346d7393c82019be9a62e11ea870473806d6c09567587f4

SHA512
310225633e9ab8a5607561fb05b8117926474faf97701d7cdc06a3a43378febbd554ad604fe337d18bebc332fb38b9fffccf9c193841829d01aada75f684bb4c

Download Submit
C:\Windows\System\IMZwNLJ.exe

Filesize
5.2MB

MD5
35d3881896837630eb9bb6079ceb3402

SHA1
e8a8096e8c41a03488436759453793a18554afcc

SHA256
1e185a276755689a8e1a2ba838f7f62c3c3de50562478cdb7ad00d934e383085

SHA512
f990f684d29d85500fd48c749f19f4eea3bcc49ef432e60451a717a188053e7744a5e78c50a71f7951c38a64aa4991cb17293c74537769736d4b45b241dcf503

Download Submit
C:\Windows\System\StBDgNy.exe

Filesize
5.2MB

MD5
c45b7f5a9e71858f7a569d88d97ff8e1

SHA1
fed54a4dfe604aef2e647dfba62f98775c751b1d

SHA256
07a44bf8b48a190984ddc0b58a0b458490fac689804050a4854663065f90602a

SHA512
4b8687f5ecd7847b1977e277096d4ad636d98b72f6cef26e57b4e8d5348f1cd233b086407f5946aabf996b8ed7a5e54fc805699fbca44847591e629fecd6c730

Download Submit
C:\Windows\System\TMjUOff.exe

Filesize
5.2MB

MD5
608ccd97691d09489565988e77e45034

SHA1
c9f32839192bee9402271cae9e118670ce589fce

SHA256
f0f559fd20c22e6d97036ed5d1a6c39b2d7b8aed06144e190be10959b9b3c4e3

SHA512
b6006d10a5bb769c82e2ea73bc5bd75aa69942977742bd082da832b5559459dde489d57355a0ba1c7e302d5fbeb8e198e03b3ba369df67e1b19f6cc668d89eba

Download Submit
C:\Windows\System\TlqMzLs.exe

Filesize
5.2MB

MD5
41b75c6af7bcac68289b03779c44a9b1

SHA1
84669ba50fea9698ea9d984268cf494466ef8944

SHA256
3b8153636d803ff7bd63723218d463e40ddd60bf1cb878068e48c9ec30500740

SHA512
554fbca826a58040cfab2254f8c01fcd84adc3a515b5daa45c82eb974a29b6e9c2a5adf3aa425b68fa67c71c1062a7d0f4575d0d4df6063f9df416cfa1db230e

Download Submit
C:\Windows\System\cENQJtF.exe

Filesize
5.2MB

MD5
9b53ea24cf305cc964297ce48210dd29

SHA1
c204a86657e79ac05d6a8a532f8037ada8c447df

SHA256
20c6e48b2cf509fef190df4772ee6a620584b9b66dbd79c35785f7d8f634cb71

SHA512
440464d45d8a4597b199acf1e0870667b6b35bfe6e6936c2de4372bf36e4985516b298b3baf4d8dcc4e197e49cab6df8c276f386c36d586ee3c1dc619a6b30f4

Download Submit
C:\Windows\System\drRXrAJ.exe

Filesize
5.2MB

MD5
ee6312f74a74c45151816c4b19233111

SHA1
30f52981e0e319ab319d25a5373df3a0b6112bc4

SHA256
49268fd2c2ae607c84c551e7ccd741537e9e8e91f6a0ffeb753e572106d3e662

SHA512
b45f0a149047d1fd62220ea5767132f1f3924903491b9a80672923bf40cf44e545b72979ea0df4d1c5c25c539ca301fa2102e6aab74aed48b8cdce1778591c17

Download Submit
C:\Windows\System\gxCSdtp.exe

Filesize
5.2MB

MD5
136274fd97a0785acf1b118face0e674

SHA1
452d2ff3fcac4d3f01477b1d6fdedc9369ef785e

SHA256
367e847cf0343bea7d56dbd3e6e210b62d915f93455d1d512dcf2aef713c0912

SHA512
d6ab85766227b4d91c361cb5b18caae6c7e9b337fdb7009fbfa1f01097f0ee189fcbb6043ca256a52d044339b63451650f4a17b25a6118cadd154d93bebd02e5

Download Submit
C:\Windows\System\iBxBXPF.exe

Filesize
5.2MB

MD5
cca7894b83edac914f2934de006e231d

SHA1
6c1b5f21be626aac8b865fee976a844af7b58500

SHA256
b025c6626c6ebbb9666398266d508e021fc3100cf12dd5f79731de6549270dbf

SHA512
d5f34808098fbfdf2e89676b5f0714b12f56eaecb3909d11be9e6b749ebba638f2a9922357758126d9e4f929cb911a30ad7ff447a831cd6307608f456f52e3b1

Download Submit
C:\Windows\System\iXjYmbC.exe

Filesize
5.2MB

MD5
12ce97e792ddcc37e65d8221dad5450c

SHA1
4b95fc0cecef1eac1837678b65cad7ba96bc5239

SHA256
da3e7c1c828f0607bb79b903c562cc6faa5bf71a54829e0d5d83a0500c8cae54

SHA512
eb814d8ec29572f4aab46032d2866c93037e2df1da4faa35e524fcde9952860182f5b995ecba8ba8ddbba5833b4f6234a95ab708a6f5813c5fec1a3f04d0a2b9

Download Submit
C:\Windows\System\lfIAWmM.exe

Filesize
5.2MB

MD5
a257e992c70f866247b8ddf87957bd45

SHA1
472cc09aac77e520f6273eae282e8d032b25ee7e

SHA256
087e7c3500d4b3b3c9fee909de6f68436d04c5e951e24ea99d3143eb63bf68d2

SHA512
d8c78efeabb640395ceb51e65d039be7aa7f0fa5763cdffba84d52d53782930659625009a02b9283d07a804a9a343d256bf8e373ffa4d877b4d5589c837dad2c

Download Submit
C:\Windows\System\mMjRdax.exe

Filesize
5.2MB

MD5
d2a27523ccc375bc62631e5be2af5ea7

SHA1
6d812605ac1397022e65f3337354570d1ab97201

SHA256
13b6f13377f0fe1d13e5742d5c515cb0b54e3967459f6f096752a4d7491b76ab

SHA512
64980e8b982f76c0001db4d13d4e8f2d545b15d04fb30711a62c50c77e7b49bc248664dc1b4b4dfb4083da254befc096752985d6b9cef6825f7db8480accbed3

Download Submit
C:\Windows\System\pQCQOlE.exe

Filesize
5.2MB

MD5
3b04eebcb313d866b270f01346115e06

SHA1
3d05a1581111a8ecfd28484f4822b3a060054b4d

SHA256
1ceeaf376cc39ffc6355a7d23aa068c2f233d62c3e3f69c93cbd18b634243144

SHA512
8bd41e1c8987dbf04103977f4e3222deb654aff49808c62cc7493fcc4e00670a67baaeff073857807e0c20f404c92de7ecf479363c2b4ccb50352141290d6267

Download Submit
C:\Windows\System\qkejtgF.exe

Filesize
5.2MB

MD5
f0e2caa19daa71bde9a8079ce82af179

SHA1
8cf0292a6af53744fb51ad55d5dbf84569ae0a2c

SHA256
88d3fd113880099d28299b0fe45de77852e3e4c420a1a6a02a5d0281c09cf421

SHA512
dafcb51946d72527166995c00fd95940ed96819ba9de5ae78b902088e557229bb10ba58ac8cd9af029c112ab5f1c64ac4e0461bb9767a50a0d5681f63e6a5706

Download Submit
C:\Windows\System\rmmKTNu.exe

Filesize
5.2MB

MD5
267639981865bc2e560e705a379b67df

SHA1
abd73880f093585402f115332ce2026e23754b05

SHA256
513ea9b75bd3070dbec66b745503701404e6102b6801620c2086a6cc386c08e9

SHA512
29915ae4cd7f730e361991e666dc45069446d210a76a8b8957276b34cd955e2476159997059fae84b9fa26c5c779fc712c871e4b441c8ccdd33b5e296ff40091

Download Submit
C:\Windows\System\uBUZcyK.exe

Filesize
5.2MB

MD5
bcc30ad17cf154aac45b1efa1972668e

SHA1
6184d5c8465e750b35a610ff4fee44e849fce452

SHA256
27a10c666ca6a3f2bcbdf3a7bb4995755c9bfab3fe3aa077bd6de728e7147d81

SHA512
4a9407cacd51d197e45d94edb2d92f9647dc13217655bb6f1f3a68ba97e013ff6656946f6d76ce361b8baee9fc748356a3b3cc7bcf972ad2e11c0796f8927eff

Download Submit
C:\Windows\System\uKktsRK.exe

Filesize
5.2MB

MD5
e8794fc7d892ddaa6d11452dba2ff1b0

SHA1
2958ec6c0ed97da150f9017287e5046d457dfc32

SHA256
1186c1853c213fc14852f512fc504a32050bc0e90d30cd97e72c11e7298f0ad4

SHA512
f2db6dc9cac43f2568d9e4bc19f1fab94dad7d06a50976c6bb51a36dcfeb2ba684aeaa84fe5ae2705d6fe2ad18362818f80a77f22253baf46a1b57054567779c

Download Submit
C:\Windows\System\vnzdvtk.exe

Filesize
5.2MB

MD5
d33b54f182162fed75dc03a9d40cf0ab

SHA1
d90398d468751b03884bc021ce801a4223fb81fa

SHA256
e0aa11f874ea0c9e1182f68ba44c4a8c4e841741879397782da47bf3a1d1163c

SHA512
6744a4dfdb941a3abd8583496eaaedd8c26736eb6ec3bdae3094e2d69157007f118af9c2f65e43334f2f4a429fd846006c4e2ccec1c91dc7f17f877bfe3873c5

Download Submit
C:\Windows\System\wyGVpvF.exe

Filesize
5.2MB

MD5
e5dcc005f04c90464dddf5ac0b897f68

SHA1
f61593882c1eb13d9ad647cacc97a7cfd1615635

SHA256
f9530e2a89dd29e4b7dde5452c6a17cde2f37bfa2eb49725a980f79531383f3e

SHA512
c4b21a68a3a8a4849ddd258669fbd94a049ac3e150274e02e2cdcb70dac70e06776bcc9e254bf8636d6a392c98ce66fab1f2d6552565859a1de566314b08d1d2

Download Submit
C:\Windows\System\ztOrluK.exe

Filesize
5.2MB

MD5
17f0b363a79c08e55837dea8b046cbf1

SHA1
3b61273eb9c7f47618663d84fff59bdc9ff4bc36

SHA256
4a8fcb9a919d95e7034805f043693f65f2e1da0f03acba417cac4d5e86916b23

SHA512
18ae16a83a11eeafa85111baf350fa42eadb348d2a5a0ebfb9e34cdf04875724965e9a55b7b60971771cd935bee2e6a8efa67c80d1be592f95e24922f94ac174

Download Submit
memory/32-232-0x00007FF738990000-0x00007FF738CE1000-memory.dmp

Filesize
3.3MB

Download
memory/32-73-0x00007FF738990000-0x00007FF738CE1000-memory.dmp

Filesize
3.3MB

Download
memory/380-129-0x00007FF744030000-0x00007FF744381000-memory.dmp

Filesize
3.3MB

Download
memory/380-14-0x00007FF744030000-0x00007FF744381000-memory.dmp

Filesize
3.3MB

Download
memory/380-202-0x00007FF744030000-0x00007FF744381000-memory.dmp

Filesize
3.3MB

Download
memory/544-121-0x00007FF69F640000-0x00007FF69F991000-memory.dmp

Filesize
3.3MB

Download
memory/544-254-0x00007FF69F640000-0x00007FF69F991000-memory.dmp

Filesize
3.3MB

Download
memory/736-24-0x00007FF640D00000-0x00007FF641051000-memory.dmp

Filesize
3.3MB

Download
memory/736-204-0x00007FF640D00000-0x00007FF641051000-memory.dmp

Filesize
3.3MB

Download
memory/736-130-0x00007FF640D00000-0x00007FF641051000-memory.dmp

Filesize
3.3MB

Download
memory/872-252-0x00007FF62E040000-0x00007FF62E391000-memory.dmp

Filesize
3.3MB

Download
memory/872-74-0x00007FF62E040000-0x00007FF62E391000-memory.dmp

Filesize
3.3MB

Download
memory/872-140-0x00007FF62E040000-0x00007FF62E391000-memory.dmp

Filesize
3.3MB

Download
memory/1000-128-0x00007FF699740000-0x00007FF699A91000-memory.dmp

Filesize
3.3MB

Download
memory/1000-251-0x00007FF699740000-0x00007FF699A91000-memory.dmp

Filesize
3.3MB

Download
memory/1288-239-0x00007FF76BFC0000-0x00007FF76C311000-memory.dmp

Filesize
3.3MB

Download
memory/1288-139-0x00007FF76BFC0000-0x00007FF76C311000-memory.dmp

Filesize
3.3MB

Download
memory/1288-75-0x00007FF76BFC0000-0x00007FF76C311000-memory.dmp

Filesize
3.3MB

Download
memory/1296-120-0x00007FF7C66A0000-0x00007FF7C69F1000-memory.dmp

Filesize
3.3MB

Download
memory/1296-242-0x00007FF7C66A0000-0x00007FF7C69F1000-memory.dmp

Filesize
3.3MB

Download
memory/1500-124-0x00007FF7F7060000-0x00007FF7F73B1000-memory.dmp

Filesize
3.3MB

Download
memory/1500-247-0x00007FF7F7060000-0x00007FF7F73B1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-240-0x00007FF6FD490000-0x00007FF6FD7E1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-119-0x00007FF6FD490000-0x00007FF6FD7E1000-memory.dmp

Filesize
3.3MB

Download
memory/1896-127-0x00007FF6AE5A0000-0x00007FF6AE8F1000-memory.dmp

Filesize
3.3MB

Download
memory/1896-258-0x00007FF6AE5A0000-0x00007FF6AE8F1000-memory.dmp

Filesize
3.3MB

Download
memory/2144-70-0x00007FF77ABA0000-0x00007FF77AEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2144-230-0x00007FF77ABA0000-0x00007FF77AEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2196-223-0x00007FF7F3AA0000-0x00007FF7F3DF1000-memory.dmp

Filesize
3.3MB

Download
memory/2196-30-0x00007FF7F3AA0000-0x00007FF7F3DF1000-memory.dmp

Filesize
3.3MB

Download
memory/2196-132-0x00007FF7F3AA0000-0x00007FF7F3DF1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-123-0x00007FF703080000-0x00007FF7033D1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-245-0x00007FF703080000-0x00007FF7033D1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-224-0x00007FF7EE7C0000-0x00007FF7EEB11000-memory.dmp

Filesize
3.3MB

Download
memory/2940-72-0x00007FF7EE7C0000-0x00007FF7EEB11000-memory.dmp

Filesize
3.3MB

Download
memory/3384-229-0x00007FF626830000-0x00007FF626B81000-memory.dmp

Filesize
3.3MB

Download
memory/3384-135-0x00007FF626830000-0x00007FF626B81000-memory.dmp

Filesize
3.3MB

Download
memory/3384-46-0x00007FF626830000-0x00007FF626B81000-memory.dmp

Filesize
3.3MB

Download
memory/3448-0-0x00007FF7C0A80000-0x00007FF7C0DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3448-1-0x000001BE49E00000-0x000001BE49E10000-memory.dmp

Filesize
64KB

Download
memory/3448-151-0x00007FF7C0A80000-0x00007FF7C0DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3448-126-0x00007FF7C0A80000-0x00007FF7C0DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3448-150-0x00007FF7C0A80000-0x00007FF7C0DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3492-227-0x00007FF7A09D0000-0x00007FF7A0D21000-memory.dmp

Filesize
3.3MB

Download
memory/3492-137-0x00007FF7A09D0000-0x00007FF7A0D21000-memory.dmp

Filesize
3.3MB

Download
memory/3492-53-0x00007FF7A09D0000-0x00007FF7A0D21000-memory.dmp

Filesize
3.3MB

Download
memory/4164-122-0x00007FF7441D0000-0x00007FF744521000-memory.dmp

Filesize
3.3MB

Download
memory/4164-249-0x00007FF7441D0000-0x00007FF744521000-memory.dmp

Filesize
3.3MB

Download
memory/4176-125-0x00007FF6B8990000-0x00007FF6B8CE1000-memory.dmp

Filesize
3.3MB

Download
memory/4176-256-0x00007FF6B8990000-0x00007FF6B8CE1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-39-0x00007FF6DBA70000-0x00007FF6DBDC1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-133-0x00007FF6DBA70000-0x00007FF6DBDC1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-220-0x00007FF6DBA70000-0x00007FF6DBDC1000-memory.dmp

Filesize
3.3MB

Download
memory/4712-218-0x00007FF795630000-0x00007FF795981000-memory.dmp

Filesize
3.3MB

Download
memory/4712-64-0x00007FF795630000-0x00007FF795981000-memory.dmp

Filesize
3.3MB

Download