cobaltstrike | 7575b669140f2ded4a48aba683bd19b02f797625a9c31f6a20877aaa2a359d95

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a7f11c3995cb30b7d24dcb9d4c6d47fb
SHA1

a2d092207d27623541b4c0adc8df821cc1a47b6a
SHA256

7575b669140f2ded4a48aba683bd19b02f797625a9c31f6a20877aaa2a359d95
SHA512

f85a36da422d827f98b19e4096d93249e9129c7e8f25a3235789a8c9739eed8c2f67c866571c61bc26515f720ead8f411a2ded829be5535275a9782e97192aef
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l3:RWWBib+56utgpPFotBER/mQ32lUT

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c90-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-28.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c91-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3996-65-0x00007FF75E760000-0x00007FF75EAB1000-memory.dmp	xmrig
behavioral2/memory/2376-104-0x00007FF79F720000-0x00007FF79FA71000-memory.dmp	xmrig
behavioral2/memory/3220-100-0x00007FF7F3580000-0x00007FF7F38D1000-memory.dmp	xmrig
behavioral2/memory/3268-83-0x00007FF61E960000-0x00007FF61ECB1000-memory.dmp	xmrig
behavioral2/memory/116-62-0x00007FF780BD0000-0x00007FF780F21000-memory.dmp	xmrig
behavioral2/memory/3476-57-0x00007FF7CF870000-0x00007FF7CFBC1000-memory.dmp	xmrig
behavioral2/memory/4720-111-0x00007FF785320000-0x00007FF785671000-memory.dmp	xmrig
behavioral2/memory/1328-112-0x00007FF701490000-0x00007FF7017E1000-memory.dmp	xmrig
behavioral2/memory/2284-129-0x00007FF73BC10000-0x00007FF73BF61000-memory.dmp	xmrig
behavioral2/memory/3200-137-0x00007FF7A9A60000-0x00007FF7A9DB1000-memory.dmp	xmrig
behavioral2/memory/1440-136-0x00007FF6B4330000-0x00007FF6B4681000-memory.dmp	xmrig
behavioral2/memory/3724-116-0x00007FF7018C0000-0x00007FF701C11000-memory.dmp	xmrig
behavioral2/memory/1996-139-0x00007FF718C30000-0x00007FF718F81000-memory.dmp	xmrig
behavioral2/memory/3476-138-0x00007FF7CF870000-0x00007FF7CFBC1000-memory.dmp	xmrig
behavioral2/memory/976-146-0x00007FF75BF50000-0x00007FF75C2A1000-memory.dmp	xmrig
behavioral2/memory/3508-148-0x00007FF777EB0000-0x00007FF778201000-memory.dmp	xmrig
behavioral2/memory/3312-147-0x00007FF7E9050000-0x00007FF7E93A1000-memory.dmp	xmrig
behavioral2/memory/448-154-0x00007FF65C1E0000-0x00007FF65C531000-memory.dmp	xmrig
behavioral2/memory/316-153-0x00007FF6A2D80000-0x00007FF6A30D1000-memory.dmp	xmrig
behavioral2/memory/2992-161-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp	xmrig
behavioral2/memory/4692-162-0x00007FF7DFCF0000-0x00007FF7E0041000-memory.dmp	xmrig
behavioral2/memory/5024-163-0x00007FF7405B0000-0x00007FF740901000-memory.dmp	xmrig
behavioral2/memory/4888-164-0x00007FF73B840000-0x00007FF73BB91000-memory.dmp	xmrig
behavioral2/memory/1440-165-0x00007FF6B4330000-0x00007FF6B4681000-memory.dmp	xmrig
behavioral2/memory/3476-170-0x00007FF7CF870000-0x00007FF7CFBC1000-memory.dmp	xmrig
behavioral2/memory/116-219-0x00007FF780BD0000-0x00007FF780F21000-memory.dmp	xmrig
behavioral2/memory/3996-227-0x00007FF75E760000-0x00007FF75EAB1000-memory.dmp	xmrig
behavioral2/memory/3268-231-0x00007FF61E960000-0x00007FF61ECB1000-memory.dmp	xmrig
behavioral2/memory/3220-230-0x00007FF7F3580000-0x00007FF7F38D1000-memory.dmp	xmrig
behavioral2/memory/2376-233-0x00007FF79F720000-0x00007FF79FA71000-memory.dmp	xmrig
behavioral2/memory/4720-235-0x00007FF785320000-0x00007FF785671000-memory.dmp	xmrig
behavioral2/memory/3724-239-0x00007FF7018C0000-0x00007FF701C11000-memory.dmp	xmrig
behavioral2/memory/1328-240-0x00007FF701490000-0x00007FF7017E1000-memory.dmp	xmrig
behavioral2/memory/2284-242-0x00007FF73BC10000-0x00007FF73BF61000-memory.dmp	xmrig
behavioral2/memory/1996-251-0x00007FF718C30000-0x00007FF718F81000-memory.dmp	xmrig
behavioral2/memory/976-253-0x00007FF75BF50000-0x00007FF75C2A1000-memory.dmp	xmrig
behavioral2/memory/3312-255-0x00007FF7E9050000-0x00007FF7E93A1000-memory.dmp	xmrig
behavioral2/memory/316-257-0x00007FF6A2D80000-0x00007FF6A30D1000-memory.dmp	xmrig
behavioral2/memory/448-260-0x00007FF65C1E0000-0x00007FF65C531000-memory.dmp	xmrig
behavioral2/memory/3508-265-0x00007FF777EB0000-0x00007FF778201000-memory.dmp	xmrig
behavioral2/memory/4692-264-0x00007FF7DFCF0000-0x00007FF7E0041000-memory.dmp	xmrig
behavioral2/memory/2992-262-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp	xmrig
behavioral2/memory/5024-271-0x00007FF7405B0000-0x00007FF740901000-memory.dmp	xmrig
behavioral2/memory/4888-273-0x00007FF73B840000-0x00007FF73BB91000-memory.dmp	xmrig
behavioral2/memory/3200-276-0x00007FF7A9A60000-0x00007FF7A9DB1000-memory.dmp	xmrig
behavioral2/memory/1440-278-0x00007FF6B4330000-0x00007FF6B4681000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
116	IXRPIIs.exe
3996	BFQorhy.exe
3268	Kgjtlcw.exe
3220	YdAxYXy.exe
2376	qMfhtid.exe
4720	cRVBEMN.exe
1328	opVVNEY.exe
3724	BpStJIY.exe
2284	nokZOxv.exe
1996	tUVqeta.exe
976	lyEnslX.exe
3312	pTHPfSA.exe
3508	hVKOyXu.exe
316	PCmKVad.exe
4692	mojJpwb.exe
448	dNycQnT.exe
2992	ddqMlgh.exe
5024	qBxFKpm.exe
4888	DjEOved.exe
1440	sNUVJWL.exe
3200	RSfrNAl.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3476-0-0x00007FF7CF870000-0x00007FF7CFBC1000-memory.dmp	upx
behavioral2/files/0x0008000000023c90-6.dat	upx
behavioral2/memory/116-10-0x00007FF780BD0000-0x00007FF780F21000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-11.dat	upx
behavioral2/memory/3996-14-0x00007FF75E760000-0x00007FF75EAB1000-memory.dmp	upx
behavioral2/files/0x0007000000023c95-15.dat	upx
behavioral2/files/0x0007000000023c96-25.dat	upx
behavioral2/memory/3220-24-0x00007FF7F3580000-0x00007FF7F38D1000-memory.dmp	upx
behavioral2/memory/3268-16-0x00007FF61E960000-0x00007FF61ECB1000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-28.dat	upx
behavioral2/memory/2376-31-0x00007FF79F720000-0x00007FF79FA71000-memory.dmp	upx
behavioral2/files/0x0008000000023c91-35.dat	upx
behavioral2/memory/4720-36-0x00007FF785320000-0x00007FF785671000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-41.dat	upx
behavioral2/files/0x0007000000023c99-44.dat	upx
behavioral2/files/0x0007000000023c9a-50.dat	upx
behavioral2/memory/2284-51-0x00007FF73BC10000-0x00007FF73BF61000-memory.dmp	upx
behavioral2/memory/3724-48-0x00007FF7018C0000-0x00007FF701C11000-memory.dmp	upx
behavioral2/memory/1328-43-0x00007FF701490000-0x00007FF7017E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-60.dat	upx
behavioral2/memory/1996-66-0x00007FF718C30000-0x00007FF718F81000-memory.dmp	upx
behavioral2/memory/3996-65-0x00007FF75E760000-0x00007FF75EAB1000-memory.dmp	upx
behavioral2/memory/976-73-0x00007FF75BF50000-0x00007FF75C2A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-79.dat	upx
behavioral2/files/0x0007000000023ca0-86.dat	upx
behavioral2/files/0x0007000000023c9d-93.dat	upx
behavioral2/memory/4692-101-0x00007FF7DFCF0000-0x00007FF7E0041000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-109.dat	upx
behavioral2/files/0x0007000000023ca1-107.dat	upx
behavioral2/memory/2376-104-0x00007FF79F720000-0x00007FF79FA71000-memory.dmp	upx
behavioral2/memory/2992-102-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp	upx
behavioral2/memory/3220-100-0x00007FF7F3580000-0x00007FF7F38D1000-memory.dmp	upx
behavioral2/memory/448-95-0x00007FF65C1E0000-0x00007FF65C531000-memory.dmp	upx
behavioral2/memory/316-94-0x00007FF6A2D80000-0x00007FF6A30D1000-memory.dmp	upx
behavioral2/memory/3508-89-0x00007FF777EB0000-0x00007FF778201000-memory.dmp	upx
behavioral2/memory/3312-88-0x00007FF7E9050000-0x00007FF7E93A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-90.dat	upx
behavioral2/memory/3268-83-0x00007FF61E960000-0x00007FF61ECB1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-76.dat	upx
behavioral2/memory/116-62-0x00007FF780BD0000-0x00007FF780F21000-memory.dmp	upx
behavioral2/memory/3476-57-0x00007FF7CF870000-0x00007FF7CFBC1000-memory.dmp	upx
behavioral2/memory/4720-111-0x00007FF785320000-0x00007FF785671000-memory.dmp	upx
behavioral2/memory/1328-112-0x00007FF701490000-0x00007FF7017E1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-115.dat	upx
behavioral2/files/0x0007000000023ca5-121.dat	upx
behavioral2/files/0x0007000000023ca6-132.dat	upx
behavioral2/files/0x0007000000023ca7-134.dat	upx
behavioral2/memory/2284-129-0x00007FF73BC10000-0x00007FF73BF61000-memory.dmp	upx
behavioral2/memory/3200-137-0x00007FF7A9A60000-0x00007FF7A9DB1000-memory.dmp	upx
behavioral2/memory/1440-136-0x00007FF6B4330000-0x00007FF6B4681000-memory.dmp	upx
behavioral2/memory/4888-123-0x00007FF73B840000-0x00007FF73BB91000-memory.dmp	upx
behavioral2/memory/5024-117-0x00007FF7405B0000-0x00007FF740901000-memory.dmp	upx
behavioral2/memory/3724-116-0x00007FF7018C0000-0x00007FF701C11000-memory.dmp	upx
behavioral2/memory/1996-139-0x00007FF718C30000-0x00007FF718F81000-memory.dmp	upx
behavioral2/memory/3476-138-0x00007FF7CF870000-0x00007FF7CFBC1000-memory.dmp	upx
behavioral2/memory/976-146-0x00007FF75BF50000-0x00007FF75C2A1000-memory.dmp	upx
behavioral2/memory/3508-148-0x00007FF777EB0000-0x00007FF778201000-memory.dmp	upx
behavioral2/memory/3312-147-0x00007FF7E9050000-0x00007FF7E93A1000-memory.dmp	upx
behavioral2/memory/448-154-0x00007FF65C1E0000-0x00007FF65C531000-memory.dmp	upx
behavioral2/memory/316-153-0x00007FF6A2D80000-0x00007FF6A30D1000-memory.dmp	upx
behavioral2/memory/2992-161-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp	upx
behavioral2/memory/4692-162-0x00007FF7DFCF0000-0x00007FF7E0041000-memory.dmp	upx
behavioral2/memory/5024-163-0x00007FF7405B0000-0x00007FF740901000-memory.dmp	upx
behavioral2/memory/4888-164-0x00007FF73B840000-0x00007FF73BB91000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\nokZOxv.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tUVqeta.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hVKOyXu.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dNycQnT.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ddqMlgh.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YdAxYXy.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BpStJIY.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PCmKVad.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mojJpwb.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qMfhtid.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cRVBEMN.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\opVVNEY.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pTHPfSA.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qBxFKpm.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Kgjtlcw.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BFQorhy.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lyEnslX.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DjEOved.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sNUVJWL.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RSfrNAl.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IXRPIIs.exe	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 116	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3476 wrote to memory of 116	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3476 wrote to memory of 3996	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3476 wrote to memory of 3996	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3476 wrote to memory of 3268	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3476 wrote to memory of 3268	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3476 wrote to memory of 3220	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3476 wrote to memory of 3220	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3476 wrote to memory of 2376	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3476 wrote to memory of 2376	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3476 wrote to memory of 4720	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3476 wrote to memory of 4720	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3476 wrote to memory of 1328	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3476 wrote to memory of 1328	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3476 wrote to memory of 3724	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3476 wrote to memory of 3724	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3476 wrote to memory of 2284	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3476 wrote to memory of 2284	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3476 wrote to memory of 1996	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3476 wrote to memory of 1996	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3476 wrote to memory of 976	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3476 wrote to memory of 976	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3476 wrote to memory of 3508	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3476 wrote to memory of 3508	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3476 wrote to memory of 3312	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3476 wrote to memory of 3312	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3476 wrote to memory of 316	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3476 wrote to memory of 316	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3476 wrote to memory of 4692	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3476 wrote to memory of 4692	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3476 wrote to memory of 448	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3476 wrote to memory of 448	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3476 wrote to memory of 2992	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3476 wrote to memory of 2992	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3476 wrote to memory of 5024	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3476 wrote to memory of 5024	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3476 wrote to memory of 4888	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3476 wrote to memory of 4888	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3476 wrote to memory of 1440	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3476 wrote to memory of 1440	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3476 wrote to memory of 3200	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3476 wrote to memory of 3200	3476	2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-08_a7f11c3995cb30b7d24dcb9d4c6d47fb_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\System\IXRPIIs.exe
  C:\Windows\System\IXRPIIs.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\BFQorhy.exe
  C:\Windows\System\BFQorhy.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\Kgjtlcw.exe
  C:\Windows\System\Kgjtlcw.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System\YdAxYXy.exe
  C:\Windows\System\YdAxYXy.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System\qMfhtid.exe
  C:\Windows\System\qMfhtid.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\cRVBEMN.exe
  C:\Windows\System\cRVBEMN.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\opVVNEY.exe
  C:\Windows\System\opVVNEY.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System\BpStJIY.exe
  C:\Windows\System\BpStJIY.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Windows\System\nokZOxv.exe
  C:\Windows\System\nokZOxv.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\tUVqeta.exe
  C:\Windows\System\tUVqeta.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\lyEnslX.exe
  C:\Windows\System\lyEnslX.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System\hVKOyXu.exe
  C:\Windows\System\hVKOyXu.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\pTHPfSA.exe
  C:\Windows\System\pTHPfSA.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System\PCmKVad.exe
  C:\Windows\System\PCmKVad.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System\mojJpwb.exe
  C:\Windows\System\mojJpwb.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\dNycQnT.exe
  C:\Windows\System\dNycQnT.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System\ddqMlgh.exe
  C:\Windows\System\ddqMlgh.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\qBxFKpm.exe
  C:\Windows\System\qBxFKpm.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\DjEOved.exe
  C:\Windows\System\DjEOved.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\sNUVJWL.exe
  C:\Windows\System\sNUVJWL.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\RSfrNAl.exe
  C:\Windows\System\RSfrNAl.exe
  2⤵
  - Executes dropped EXE
  PID:3200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BFQorhy.exe

Filesize
5.2MB

MD5
e6f905db2c690d8d33038902710c638b

SHA1
3d8e6728b9b47d9a69a6f80e27fb95521b3da4b0

SHA256
5431e83be2e2bf8f13404b65408b12b5c65500e480746f641df6049724bbc4d9

SHA512
3973640c81c71057170f4419c2f8bf6afcbb6a2753290f1e1ba6b74750f1848afa84faa6aed458bf57f23d561f53bc3be801ecdff941f088764f0b81e25bb783

Download Submit
C:\Windows\System\BpStJIY.exe

Filesize
5.2MB

MD5
828e284ef47b33a35574da2b99237202

SHA1
fa2ccc449db3384afe5bca640119e39683c384ec

SHA256
dcd2f514704e43610a1c1f498b39fedf7ce627dee3bf67c10f61a4e847563027

SHA512
b1e5f66041b830b8d8215b8790fa502be0830817a22a38655807635f8b44b5618e2bac8fe308fef5bbe0d7659e61c88d5645a67fb85f03669d9bd173500aaf68

Download Submit
C:\Windows\System\DjEOved.exe

Filesize
5.2MB

MD5
c312cfda0a271ea7e06c31370a6675a2

SHA1
436dfee1600e243ae2543a7eb881c67811f8559c

SHA256
6626e0b65309291e0fcb5659504fb32f0fe74250f0f6dbf9904dab6175f0b8c8

SHA512
09f626bb51b97b595e0942ffaec8cbd98025b2ef55495550b72a35fa32157884b7272beab3a8981e71b30ef52113d3b249ac5ceda55ce03f52b8e6c2a113d960

Download Submit
C:\Windows\System\IXRPIIs.exe

Filesize
5.2MB

MD5
e07886a91e17bb98575f4688a87f306f

SHA1
cfe808162abc62e0e4753ed574af52347584d5a9

SHA256
7564f06541138346ff4b69c4c63ee9e573f86e974da19c36ec90d3b7d89c56e4

SHA512
8b3f7e5ec6ec7a604fb760b4c6c7393dedb34c2958bd52186d5ba4cac63ff69c5d9dcb486cb010c17197a7f4c9e482488cb224e5ef69c1b36e95bd1c052379fb

Download Submit
C:\Windows\System\Kgjtlcw.exe

Filesize
5.2MB

MD5
906d50536c8e81361e0efdf036b5a5e0

SHA1
5d35d50d90eb5272a013a026f50abdd6fb650177

SHA256
266a2e1def34d2857c577429676fb93246b94cb93479e7ef26c8fde9a19b4567

SHA512
951f25113e4e63e731fe6568a9ff1adba49c3994c2d2d62d049f36b124f770a19181fc30389bea1a5c0b04cc1f18eab0532dc348360459e90d57cf5c5364e88b

Download Submit
C:\Windows\System\PCmKVad.exe

Filesize
5.2MB

MD5
0a2a068ad4cb6ff7eec6835cca3f85d8

SHA1
4a022a2f36c4b85b98b3260ea0f92cf3b543e0ac

SHA256
09e348f19af4494c0a9f71fa3cb144da6b20286826321e37d57ec336d2e3c273

SHA512
cdf10107da5c67e29d14ed39f17d20b716e5379312f4835abcb4adc829cde001462b67b9f4e290c524452d9098137f305c5c17341fc7789dca7d22dffed9f2c9

Download Submit
C:\Windows\System\RSfrNAl.exe

Filesize
5.2MB

MD5
38f8fc6c3d073ed423411853570c1730

SHA1
5f41d3e5d5ae67c6bd20fd8aa81a6c06efd521cb

SHA256
82396abc762afd2cc00ea8b65aa631551df4ac418ad780760f626b6bb44a55cc

SHA512
0f513bf9eef00ad5e1293b6ca39fbb370d659f130ef3833373fc8681c0d17e31ae103f5f2b47214cb0e329b30ffc9d93933e0d2b70db338402f90724eb740139

Download Submit
C:\Windows\System\YdAxYXy.exe

Filesize
5.2MB

MD5
46561f5ef25dc97f4d0495e18cf2408c

SHA1
f52436bb03d939bd5c1a7bb0d47197871d5d2142

SHA256
b3a61335e76ff9b3bcd134fd4d1e1c9b449316934d00cf63ba3d6a5ca7ea7161

SHA512
7aeebf32852f6724b59563ad7032fbc1a3df8764eda7d3a258bae33e8f32098a97ba9033ab6439ad23f5e0cab6e21b9af13e3a37c93b09f01dc569c16de71f40

Download Submit
C:\Windows\System\cRVBEMN.exe

Filesize
5.2MB

MD5
15ee15927d4c1b8b8e6c10e87e8d20a4

SHA1
1fb69a98ad852ae45ff45b1df6040ede6917faeb

SHA256
ad0909bff15276788f25b41178abd641a06fb09d01d1a18806d620ae4077cd5e

SHA512
c58ca7f244054b7c83bf70fc86a751a1a9f5b0df2cc718c0755cb606bbdffdc1e1d06c05ee79e714ed3e08c75ca070e40bdb6571b45d0a51f79a3062a9e9822c

Download Submit
C:\Windows\System\dNycQnT.exe

Filesize
5.2MB

MD5
2025213afb78693c8693cb5db31dddb6

SHA1
9698d2d7b00cfcc810c3e658885b75e4502949f4

SHA256
12ff84709e510c9f8d1a74720df30cbf785d47b620c2e8dce183758cc8072549

SHA512
8740ea6feee4271dcb039d56ded1460be4ec0832dc5d368f71ff946484cb993a709f051939325e55562ef7fe72d1d6462781cc61cf58577eff96861af61e21eb

Download Submit
C:\Windows\System\ddqMlgh.exe

Filesize
5.2MB

MD5
4c99e2c393f525cf27089fc0ba9be7ae

SHA1
67feb5bcc4e611b36012705f784dea2701344c75

SHA256
48cfbf0e9e8cefbcdbc33135885e633a67b356186fa895b20d25f3327fbd414f

SHA512
e81dba5bb4c812339e5d33200044fd5653186d7b2db07aee14ebcbdaf94e7ff36cee100ed99dc37f79feb86d1016d0916a1fa139071a9da1be416b4e762a52e2

Download Submit
C:\Windows\System\hVKOyXu.exe

Filesize
5.2MB

MD5
0d4e596303c08a493d333ed2a4fd13e0

SHA1
7562e7617b57910ce4dd20bb86181de8a99f7d5f

SHA256
016a305d192a6734c834528e961254ec33ea163ea410a6a84f8df4c31008bdff

SHA512
f58f952c07c1acf094355a9b960f412f45479c0f4081ebb56e7db95583f71f84a66a7172cc0641dd50868dabe823c455722251fb71278f673750274bde79da31

Download Submit
C:\Windows\System\lyEnslX.exe

Filesize
5.2MB

MD5
7660cb2b8bdca5fae2f1a1513ecd7aeb

SHA1
aeee0d1f1f2cf4bbd3f79ab215bf3c2fccf89186

SHA256
095e6d5a3270a96d77f986286c5836a09a439a619bc542ec030a5de653c638af

SHA512
9c0b570d37d2b0ee82e7eadeb301bb277d72fcc569c4becad7ef80d9ed9e463c1c922bad1cea354305af32c9c81f3f88be415174ff13cf9e058fa33a54ca7564

Download Submit
C:\Windows\System\mojJpwb.exe

Filesize
5.2MB

MD5
1fa8b72d266dd9f8058657f6f868d631

SHA1
26e2df2061832e11bbd9ea3173704277cc6f2cb7

SHA256
422a1fc3bdd99b2df47ed4d360f59049ca56f027986d9c7fcb21c9063c0fc5c1

SHA512
395ceeb92aef18c8bbb6c599634362b4a37bd42aa2834a53175ca96f1386fb6950148e1ff2be71b7a7494a63bc73f3cbc549e5bfbc3bb43f0b29747d704a9a2b

Download Submit
C:\Windows\System\nokZOxv.exe

Filesize
5.2MB

MD5
57f28e57f89e081119f142224e3e7a60

SHA1
93b6bd94bf7b4bc1bacb64c40dda5eea997740c2

SHA256
0fb555a71feabab12e0fb997dc17167f09f853ce39a273edef4f320fee7dae61

SHA512
321332f8a26ec402a16bb83b249dbc0ea5a14b342841158d866f4eaa1782e7f6ea3e122237691cda7f80dc5e1de01c99e92515ce16ede3bba05ee0dc160fdd74

Download Submit
C:\Windows\System\opVVNEY.exe

Filesize
5.2MB

MD5
a3ed7afd4b96c7238c0934d7d0bd8bb1

SHA1
115afb64491ca20f7cff8083564b6db46beada1a

SHA256
e0e3d1c5ed0659b391c7129b618c6ef4ea6ce66c3fb0fe014eb8137363a09ed4

SHA512
acf57eb71461a29392efa2da6c14bd8c2a082f93dc43e9019500ba42f563914e42dba76c48626845b4a4929f84950ca87bac93ec5161fd4b39916ccfd56abc2e

Download Submit
C:\Windows\System\pTHPfSA.exe

Filesize
5.2MB

MD5
52e7f00e45497bbb549332ad6cce8da1

SHA1
4c3e8d8cff677706f592cdbfeb77bb93c5ea19ef

SHA256
c43091c5cc9fe5ab0efb4e8e7a17e05d41fbcd335967015c206145a92551b3d6

SHA512
b6863425e6dbe79dc93ccc07b940a904c2c5b8e6fc4bcf22ba74397a1d19912b7883dd71015e7493f5abb1e2665b5cc31054bdd6b096e767b524f475279a6077

Download Submit
C:\Windows\System\qBxFKpm.exe

Filesize
5.2MB

MD5
3672912884781521063853a975cd9c2d

SHA1
bffe3fa7822b459cc07bbd6522e3dc4ccf5d307b

SHA256
0a6c059f1227a1d353ad99f071e1743824fd9bda5c3eafd98de2d0fccda18e89

SHA512
ad9ab58aa6c275449f89d9ccaf13cd3b650d546b75d2a4c9ee6a41da316c63e735d62c2443e20435621c49f31708df930cb761cd1cf62710d7fe418c680572d4

Download Submit
C:\Windows\System\qMfhtid.exe

Filesize
5.2MB

MD5
e1fe7cd8a7b650eda9fc3372e377d70f

SHA1
b599615f55d03a9a299fec5f41faf9943775191d

SHA256
3b7b2b755f1b94951e4154ba3424e8d3fadc0bd5af75b4339637a803c58767f7

SHA512
e7e184eef9718b6cdd8359a4140ca9878cdcdcd839af5189fc473af097b281cfd035558d691e2de83c00f9c9aa8a433a9ba9ef0e5769b62fbd80ac4d44f359ae

Download Submit
C:\Windows\System\sNUVJWL.exe

Filesize
5.2MB

MD5
72071cf229e2d1f8d07c6d4530cd88f0

SHA1
97d6f581603dddca66fd7d31e24089ad0fbc48ea

SHA256
b692eb4fc19ccd0766cf8d35e60a59acd6e4fdb57e394f5e96273f11ecec9893

SHA512
409cc9b42f0888654b62922f9cbd1846dba7e2f5b105b02a04b6180d6b8780498b7be92c99ce6fe7408a2333c45e4ce4551d9fde7529056c4621675db176efbb

Download Submit
C:\Windows\System\tUVqeta.exe

Filesize
5.2MB

MD5
a0dcc2c9cce77331141cc73b200b30ad

SHA1
1138ef6cfa1d24179ef51bca998fff3d47019b9b

SHA256
8c12d5355710434f6a92489090f6045b03c68943bb54fc899ff2ea16b445d570

SHA512
e73889630c514cf5d9141968686082e400fb0615bbb639bcd3dbda865575e02d0c6099df88aea118ef386222eccf5bf4939987c7f647b9eca76b62b8e75fbe47

Download Submit
memory/116-62-0x00007FF780BD0000-0x00007FF780F21000-memory.dmp

Filesize
3.3MB

Download
memory/116-10-0x00007FF780BD0000-0x00007FF780F21000-memory.dmp

Filesize
3.3MB

Download
memory/116-219-0x00007FF780BD0000-0x00007FF780F21000-memory.dmp

Filesize
3.3MB

Download
memory/316-257-0x00007FF6A2D80000-0x00007FF6A30D1000-memory.dmp

Filesize
3.3MB

Download
memory/316-153-0x00007FF6A2D80000-0x00007FF6A30D1000-memory.dmp

Filesize
3.3MB

Download
memory/316-94-0x00007FF6A2D80000-0x00007FF6A30D1000-memory.dmp

Filesize
3.3MB

Download
memory/448-95-0x00007FF65C1E0000-0x00007FF65C531000-memory.dmp

Filesize
3.3MB

Download
memory/448-154-0x00007FF65C1E0000-0x00007FF65C531000-memory.dmp

Filesize
3.3MB

Download
memory/448-260-0x00007FF65C1E0000-0x00007FF65C531000-memory.dmp

Filesize
3.3MB

Download
memory/976-146-0x00007FF75BF50000-0x00007FF75C2A1000-memory.dmp

Filesize
3.3MB

Download
memory/976-73-0x00007FF75BF50000-0x00007FF75C2A1000-memory.dmp

Filesize
3.3MB

Download
memory/976-253-0x00007FF75BF50000-0x00007FF75C2A1000-memory.dmp

Filesize
3.3MB

Download
memory/1328-112-0x00007FF701490000-0x00007FF7017E1000-memory.dmp

Filesize
3.3MB

Download
memory/1328-43-0x00007FF701490000-0x00007FF7017E1000-memory.dmp

Filesize
3.3MB

Download
memory/1328-240-0x00007FF701490000-0x00007FF7017E1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-165-0x00007FF6B4330000-0x00007FF6B4681000-memory.dmp

Filesize
3.3MB

Download
memory/1440-136-0x00007FF6B4330000-0x00007FF6B4681000-memory.dmp

Filesize
3.3MB

Download
memory/1440-278-0x00007FF6B4330000-0x00007FF6B4681000-memory.dmp

Filesize
3.3MB

Download
memory/1996-139-0x00007FF718C30000-0x00007FF718F81000-memory.dmp

Filesize
3.3MB

Download
memory/1996-251-0x00007FF718C30000-0x00007FF718F81000-memory.dmp

Filesize
3.3MB

Download
memory/1996-66-0x00007FF718C30000-0x00007FF718F81000-memory.dmp

Filesize
3.3MB

Download
memory/2284-129-0x00007FF73BC10000-0x00007FF73BF61000-memory.dmp

Filesize
3.3MB

Download
memory/2284-242-0x00007FF73BC10000-0x00007FF73BF61000-memory.dmp

Filesize
3.3MB

Download
memory/2284-51-0x00007FF73BC10000-0x00007FF73BF61000-memory.dmp

Filesize
3.3MB

Download
memory/2376-233-0x00007FF79F720000-0x00007FF79FA71000-memory.dmp

Filesize
3.3MB

Download
memory/2376-31-0x00007FF79F720000-0x00007FF79FA71000-memory.dmp

Filesize
3.3MB

Download
memory/2376-104-0x00007FF79F720000-0x00007FF79FA71000-memory.dmp

Filesize
3.3MB

Download
memory/2992-102-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp

Filesize
3.3MB

Download
memory/2992-262-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp

Filesize
3.3MB

Download
memory/2992-161-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp

Filesize
3.3MB

Download
memory/3200-276-0x00007FF7A9A60000-0x00007FF7A9DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3200-137-0x00007FF7A9A60000-0x00007FF7A9DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3220-230-0x00007FF7F3580000-0x00007FF7F38D1000-memory.dmp

Filesize
3.3MB

Download
memory/3220-24-0x00007FF7F3580000-0x00007FF7F38D1000-memory.dmp

Filesize
3.3MB

Download
memory/3220-100-0x00007FF7F3580000-0x00007FF7F38D1000-memory.dmp

Filesize
3.3MB

Download
memory/3268-231-0x00007FF61E960000-0x00007FF61ECB1000-memory.dmp

Filesize
3.3MB

Download
memory/3268-16-0x00007FF61E960000-0x00007FF61ECB1000-memory.dmp

Filesize
3.3MB

Download
memory/3268-83-0x00007FF61E960000-0x00007FF61ECB1000-memory.dmp

Filesize
3.3MB

Download
memory/3312-88-0x00007FF7E9050000-0x00007FF7E93A1000-memory.dmp

Filesize
3.3MB

Download
memory/3312-147-0x00007FF7E9050000-0x00007FF7E93A1000-memory.dmp

Filesize
3.3MB

Download
memory/3312-255-0x00007FF7E9050000-0x00007FF7E93A1000-memory.dmp

Filesize
3.3MB

Download
memory/3476-170-0x00007FF7CF870000-0x00007FF7CFBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3476-1-0x000002958A440000-0x000002958A450000-memory.dmp

Filesize
64KB

Download
memory/3476-0-0x00007FF7CF870000-0x00007FF7CFBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3476-138-0x00007FF7CF870000-0x00007FF7CFBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3476-57-0x00007FF7CF870000-0x00007FF7CFBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3508-148-0x00007FF777EB0000-0x00007FF778201000-memory.dmp

Filesize
3.3MB

Download
memory/3508-265-0x00007FF777EB0000-0x00007FF778201000-memory.dmp

Filesize
3.3MB

Download
memory/3508-89-0x00007FF777EB0000-0x00007FF778201000-memory.dmp

Filesize
3.3MB

Download
memory/3724-239-0x00007FF7018C0000-0x00007FF701C11000-memory.dmp

Filesize
3.3MB

Download
memory/3724-48-0x00007FF7018C0000-0x00007FF701C11000-memory.dmp

Filesize
3.3MB

Download
memory/3724-116-0x00007FF7018C0000-0x00007FF701C11000-memory.dmp

Filesize
3.3MB

Download
memory/3996-65-0x00007FF75E760000-0x00007FF75EAB1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-14-0x00007FF75E760000-0x00007FF75EAB1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-227-0x00007FF75E760000-0x00007FF75EAB1000-memory.dmp

Filesize
3.3MB

Download
memory/4692-264-0x00007FF7DFCF0000-0x00007FF7E0041000-memory.dmp

Filesize
3.3MB

Download
memory/4692-162-0x00007FF7DFCF0000-0x00007FF7E0041000-memory.dmp

Filesize
3.3MB

Download
memory/4692-101-0x00007FF7DFCF0000-0x00007FF7E0041000-memory.dmp

Filesize
3.3MB

Download
memory/4720-36-0x00007FF785320000-0x00007FF785671000-memory.dmp

Filesize
3.3MB

Download
memory/4720-111-0x00007FF785320000-0x00007FF785671000-memory.dmp

Filesize
3.3MB

Download
memory/4720-235-0x00007FF785320000-0x00007FF785671000-memory.dmp

Filesize
3.3MB

Download
memory/4888-164-0x00007FF73B840000-0x00007FF73BB91000-memory.dmp

Filesize
3.3MB

Download
memory/4888-123-0x00007FF73B840000-0x00007FF73BB91000-memory.dmp

Filesize
3.3MB

Download
memory/4888-273-0x00007FF73B840000-0x00007FF73BB91000-memory.dmp

Filesize
3.3MB

Download
memory/5024-271-0x00007FF7405B0000-0x00007FF740901000-memory.dmp

Filesize
3.3MB

Download
memory/5024-117-0x00007FF7405B0000-0x00007FF740901000-memory.dmp

Filesize
3.3MB

Download
memory/5024-163-0x00007FF7405B0000-0x00007FF740901000-memory.dmp

Filesize
3.3MB

Download