cobaltstrike | 04be6853f2229c542f5ed2efe5ccc0e432c8e399c2db2e82b3bd5915a713004d

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2024, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

394faed61a340c2d3b8dc44c6b24e0fc
SHA1

4366def9a3008aea8f7826323a9167ab5523602e
SHA256

04be6853f2229c542f5ed2efe5ccc0e432c8e399c2db2e82b3bd5915a713004d
SHA512

2446509caac32d76360ac1d9060b62b4c042d3227f08390260bf62306a22a8345c93a83f26be8be25d20e729b33b46c665a47d0d4188d28da00d4ab39764a866
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lE:RWWBibd56utgpPFotBER/mQ32lUQ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023cdd-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce4-13.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ce1-16.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce5-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce6-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce8-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce9-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cea-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ceb-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cee-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cef-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ced-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cec-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf0-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf1-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf2-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf3-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf4-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf5-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf6-143.dat	cobalt_reflective_dll
behavioral2/files/0x000300000001e748-145.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/4684-62-0x00007FF7EBA20000-0x00007FF7EBD71000-memory.dmp	xmrig
behavioral2/memory/1808-81-0x00007FF7047B0000-0x00007FF704B01000-memory.dmp	xmrig
behavioral2/memory/2956-73-0x00007FF7EA5A0000-0x00007FF7EA8F1000-memory.dmp	xmrig
behavioral2/memory/3036-70-0x00007FF6F46D0000-0x00007FF6F4A21000-memory.dmp	xmrig
behavioral2/memory/3656-54-0x00007FF734E70000-0x00007FF7351C1000-memory.dmp	xmrig
behavioral2/memory/2824-88-0x00007FF662A00000-0x00007FF662D51000-memory.dmp	xmrig
behavioral2/memory/1428-110-0x00007FF78DB40000-0x00007FF78DE91000-memory.dmp	xmrig
behavioral2/memory/4620-109-0x00007FF72ED80000-0x00007FF72F0D1000-memory.dmp	xmrig
behavioral2/memory/5008-103-0x00007FF76DC90000-0x00007FF76DFE1000-memory.dmp	xmrig
behavioral2/memory/4912-96-0x00007FF78A810000-0x00007FF78AB61000-memory.dmp	xmrig
behavioral2/memory/4708-92-0x00007FF77E1F0000-0x00007FF77E541000-memory.dmp	xmrig
behavioral2/memory/1760-115-0x00007FF72B5D0000-0x00007FF72B921000-memory.dmp	xmrig
behavioral2/memory/3228-129-0x00007FF6FE050000-0x00007FF6FE3A1000-memory.dmp	xmrig
behavioral2/memory/1140-130-0x00007FF7C2450000-0x00007FF7C27A1000-memory.dmp	xmrig
behavioral2/memory/3640-138-0x00007FF7810C0000-0x00007FF781411000-memory.dmp	xmrig
behavioral2/memory/2060-141-0x00007FF75EF00000-0x00007FF75F251000-memory.dmp	xmrig
behavioral2/memory/4628-148-0x00007FF793370000-0x00007FF7936C1000-memory.dmp	xmrig
behavioral2/memory/3632-147-0x00007FF74E5E0000-0x00007FF74E931000-memory.dmp	xmrig
behavioral2/memory/1708-150-0x00007FF6FA5B0000-0x00007FF6FA901000-memory.dmp	xmrig
behavioral2/memory/1952-152-0x00007FF715190000-0x00007FF7154E1000-memory.dmp	xmrig
behavioral2/memory/4816-159-0x00007FF6DEB00000-0x00007FF6DEE51000-memory.dmp	xmrig
behavioral2/memory/3164-164-0x00007FF7876E0000-0x00007FF787A31000-memory.dmp	xmrig
behavioral2/memory/1140-165-0x00007FF7C2450000-0x00007FF7C27A1000-memory.dmp	xmrig
behavioral2/memory/3656-166-0x00007FF734E70000-0x00007FF7351C1000-memory.dmp	xmrig
behavioral2/memory/3632-170-0x00007FF74E5E0000-0x00007FF74E931000-memory.dmp	xmrig
behavioral2/memory/3656-188-0x00007FF734E70000-0x00007FF7351C1000-memory.dmp	xmrig
behavioral2/memory/4684-216-0x00007FF7EBA20000-0x00007FF7EBD71000-memory.dmp	xmrig
behavioral2/memory/3036-223-0x00007FF6F46D0000-0x00007FF6F4A21000-memory.dmp	xmrig
behavioral2/memory/2956-225-0x00007FF7EA5A0000-0x00007FF7EA8F1000-memory.dmp	xmrig
behavioral2/memory/1808-227-0x00007FF7047B0000-0x00007FF704B01000-memory.dmp	xmrig
behavioral2/memory/2824-229-0x00007FF662A00000-0x00007FF662D51000-memory.dmp	xmrig
behavioral2/memory/4912-232-0x00007FF78A810000-0x00007FF78AB61000-memory.dmp	xmrig
behavioral2/memory/5008-235-0x00007FF76DC90000-0x00007FF76DFE1000-memory.dmp	xmrig
behavioral2/memory/4620-237-0x00007FF72ED80000-0x00007FF72F0D1000-memory.dmp	xmrig
behavioral2/memory/1760-245-0x00007FF72B5D0000-0x00007FF72B921000-memory.dmp	xmrig
behavioral2/memory/1428-247-0x00007FF78DB40000-0x00007FF78DE91000-memory.dmp	xmrig
behavioral2/memory/3640-252-0x00007FF7810C0000-0x00007FF781411000-memory.dmp	xmrig
behavioral2/memory/3228-253-0x00007FF6FE050000-0x00007FF6FE3A1000-memory.dmp	xmrig
behavioral2/memory/2060-250-0x00007FF75EF00000-0x00007FF75F251000-memory.dmp	xmrig
behavioral2/memory/4708-259-0x00007FF77E1F0000-0x00007FF77E541000-memory.dmp	xmrig
behavioral2/memory/1708-261-0x00007FF6FA5B0000-0x00007FF6FA901000-memory.dmp	xmrig
behavioral2/memory/1952-264-0x00007FF715190000-0x00007FF7154E1000-memory.dmp	xmrig
behavioral2/memory/4816-265-0x00007FF6DEB00000-0x00007FF6DEE51000-memory.dmp	xmrig
behavioral2/memory/3164-270-0x00007FF7876E0000-0x00007FF787A31000-memory.dmp	xmrig
behavioral2/memory/1140-272-0x00007FF7C2450000-0x00007FF7C27A1000-memory.dmp	xmrig
behavioral2/memory/3632-275-0x00007FF74E5E0000-0x00007FF74E931000-memory.dmp	xmrig
behavioral2/memory/4628-277-0x00007FF793370000-0x00007FF7936C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4684	NqkhuOh.exe
3036	YRwkLqR.exe
2956	jRPdGql.exe
1808	JTKBzAu.exe
2824	SAAQqlW.exe
4912	QDASOto.exe
5008	uNvlyDh.exe
4620	QGqjMQX.exe
1760	ywTFwAX.exe
1428	CmASavJ.exe
3228	BUIXNFQ.exe
3640	hCZiKiW.exe
2060	YRyxrrB.exe
4708	CVylgrz.exe
1708	jbWlZET.exe
1952	wiqBCwZ.exe
4816	vCqakcm.exe
3164	jVumDPE.exe
1140	cQpifuq.exe
3632	WEUyITB.exe
4628	yQbFUgN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3656-0-0x00007FF734E70000-0x00007FF7351C1000-memory.dmp	upx
behavioral2/files/0x0008000000023cdd-5.dat	upx
behavioral2/memory/4684-8-0x00007FF7EBA20000-0x00007FF7EBD71000-memory.dmp	upx
behavioral2/memory/3036-12-0x00007FF6F46D0000-0x00007FF6F4A21000-memory.dmp	upx
behavioral2/files/0x0007000000023ce4-13.dat	upx
behavioral2/files/0x0008000000023ce1-16.dat	upx
behavioral2/memory/2956-18-0x00007FF7EA5A0000-0x00007FF7EA8F1000-memory.dmp	upx
behavioral2/files/0x0007000000023ce5-23.dat	upx
behavioral2/memory/1808-24-0x00007FF7047B0000-0x00007FF704B01000-memory.dmp	upx
behavioral2/files/0x0007000000023ce6-28.dat	upx
behavioral2/memory/2824-30-0x00007FF662A00000-0x00007FF662D51000-memory.dmp	upx
behavioral2/files/0x0007000000023ce8-36.dat	upx
behavioral2/memory/4912-37-0x00007FF78A810000-0x00007FF78AB61000-memory.dmp	upx
behavioral2/files/0x0007000000023ce9-42.dat	upx
behavioral2/memory/5008-44-0x00007FF76DC90000-0x00007FF76DFE1000-memory.dmp	upx
behavioral2/files/0x0007000000023cea-46.dat	upx
behavioral2/memory/4620-48-0x00007FF72ED80000-0x00007FF72F0D1000-memory.dmp	upx
behavioral2/files/0x0007000000023ceb-52.dat	upx
behavioral2/memory/1760-55-0x00007FF72B5D0000-0x00007FF72B921000-memory.dmp	upx
behavioral2/memory/4684-62-0x00007FF7EBA20000-0x00007FF7EBD71000-memory.dmp	upx
behavioral2/files/0x0007000000023cee-72.dat	upx
behavioral2/memory/3640-74-0x00007FF7810C0000-0x00007FF781411000-memory.dmp	upx
behavioral2/files/0x0007000000023cef-78.dat	upx
behavioral2/memory/2060-82-0x00007FF75EF00000-0x00007FF75F251000-memory.dmp	upx
behavioral2/memory/1808-81-0x00007FF7047B0000-0x00007FF704B01000-memory.dmp	upx
behavioral2/files/0x0007000000023ced-76.dat	upx
behavioral2/memory/2956-73-0x00007FF7EA5A0000-0x00007FF7EA8F1000-memory.dmp	upx
behavioral2/memory/3228-71-0x00007FF6FE050000-0x00007FF6FE3A1000-memory.dmp	upx
behavioral2/memory/3036-70-0x00007FF6F46D0000-0x00007FF6F4A21000-memory.dmp	upx
behavioral2/memory/1428-69-0x00007FF78DB40000-0x00007FF78DE91000-memory.dmp	upx
behavioral2/files/0x0007000000023cec-64.dat	upx
behavioral2/memory/3656-54-0x00007FF734E70000-0x00007FF7351C1000-memory.dmp	upx
behavioral2/files/0x0007000000023cf0-89.dat	upx
behavioral2/memory/2824-88-0x00007FF662A00000-0x00007FF662D51000-memory.dmp	upx
behavioral2/files/0x0007000000023cf1-97.dat	upx
behavioral2/files/0x0007000000023cf2-102.dat	upx
behavioral2/files/0x0007000000023cf3-108.dat	upx
behavioral2/memory/4816-111-0x00007FF6DEB00000-0x00007FF6DEE51000-memory.dmp	upx
behavioral2/memory/1428-110-0x00007FF78DB40000-0x00007FF78DE91000-memory.dmp	upx
behavioral2/memory/4620-109-0x00007FF72ED80000-0x00007FF72F0D1000-memory.dmp	upx
behavioral2/memory/1952-104-0x00007FF715190000-0x00007FF7154E1000-memory.dmp	upx
behavioral2/memory/5008-103-0x00007FF76DC90000-0x00007FF76DFE1000-memory.dmp	upx
behavioral2/memory/1708-99-0x00007FF6FA5B0000-0x00007FF6FA901000-memory.dmp	upx
behavioral2/memory/4912-96-0x00007FF78A810000-0x00007FF78AB61000-memory.dmp	upx
behavioral2/memory/4708-92-0x00007FF77E1F0000-0x00007FF77E541000-memory.dmp	upx
behavioral2/memory/3164-119-0x00007FF7876E0000-0x00007FF787A31000-memory.dmp	upx
behavioral2/files/0x0007000000023cf4-120.dat	upx
behavioral2/memory/1760-115-0x00007FF72B5D0000-0x00007FF72B921000-memory.dmp	upx
behavioral2/memory/3228-129-0x00007FF6FE050000-0x00007FF6FE3A1000-memory.dmp	upx
behavioral2/memory/1140-130-0x00007FF7C2450000-0x00007FF7C27A1000-memory.dmp	upx
behavioral2/files/0x0007000000023cf5-127.dat	upx
behavioral2/memory/3640-138-0x00007FF7810C0000-0x00007FF781411000-memory.dmp	upx
behavioral2/files/0x0007000000023cf6-143.dat	upx
behavioral2/files/0x000300000001e748-145.dat	upx
behavioral2/memory/2060-141-0x00007FF75EF00000-0x00007FF75F251000-memory.dmp	upx
behavioral2/memory/4628-148-0x00007FF793370000-0x00007FF7936C1000-memory.dmp	upx
behavioral2/memory/3632-147-0x00007FF74E5E0000-0x00007FF74E931000-memory.dmp	upx
behavioral2/memory/1708-150-0x00007FF6FA5B0000-0x00007FF6FA901000-memory.dmp	upx
behavioral2/memory/1952-152-0x00007FF715190000-0x00007FF7154E1000-memory.dmp	upx
behavioral2/memory/4816-159-0x00007FF6DEB00000-0x00007FF6DEE51000-memory.dmp	upx
behavioral2/memory/3164-164-0x00007FF7876E0000-0x00007FF787A31000-memory.dmp	upx
behavioral2/memory/1140-165-0x00007FF7C2450000-0x00007FF7C27A1000-memory.dmp	upx
behavioral2/memory/3656-166-0x00007FF734E70000-0x00007FF7351C1000-memory.dmp	upx
behavioral2/memory/3632-170-0x00007FF74E5E0000-0x00007FF74E931000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\YRwkLqR.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uNvlyDh.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hCZiKiW.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jVumDPE.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yQbFUgN.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NqkhuOh.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jRPdGql.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JTKBzAu.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CmASavJ.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BUIXNFQ.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YRyxrrB.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WEUyITB.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QDASOto.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QGqjMQX.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ywTFwAX.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jbWlZET.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wiqBCwZ.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cQpifuq.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SAAQqlW.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CVylgrz.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vCqakcm.exe	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 4684	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3656 wrote to memory of 4684	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3656 wrote to memory of 3036	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3656 wrote to memory of 3036	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3656 wrote to memory of 2956	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3656 wrote to memory of 2956	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3656 wrote to memory of 1808	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3656 wrote to memory of 1808	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3656 wrote to memory of 2824	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3656 wrote to memory of 2824	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3656 wrote to memory of 4912	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3656 wrote to memory of 4912	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3656 wrote to memory of 5008	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3656 wrote to memory of 5008	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3656 wrote to memory of 4620	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3656 wrote to memory of 4620	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3656 wrote to memory of 1760	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3656 wrote to memory of 1760	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3656 wrote to memory of 1428	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3656 wrote to memory of 1428	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3656 wrote to memory of 3228	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3656 wrote to memory of 3228	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3656 wrote to memory of 3640	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3656 wrote to memory of 3640	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3656 wrote to memory of 2060	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3656 wrote to memory of 2060	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3656 wrote to memory of 4708	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3656 wrote to memory of 4708	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3656 wrote to memory of 1708	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3656 wrote to memory of 1708	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3656 wrote to memory of 1952	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3656 wrote to memory of 1952	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3656 wrote to memory of 4816	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3656 wrote to memory of 4816	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3656 wrote to memory of 3164	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3656 wrote to memory of 3164	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3656 wrote to memory of 1140	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3656 wrote to memory of 1140	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3656 wrote to memory of 3632	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3656 wrote to memory of 3632	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3656 wrote to memory of 4628	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3656 wrote to memory of 4628	3656	2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-11_394faed61a340c2d3b8dc44c6b24e0fc_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Windows\System\NqkhuOh.exe
  C:\Windows\System\NqkhuOh.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\YRwkLqR.exe
  C:\Windows\System\YRwkLqR.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\jRPdGql.exe
  C:\Windows\System\jRPdGql.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\JTKBzAu.exe
  C:\Windows\System\JTKBzAu.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System\SAAQqlW.exe
  C:\Windows\System\SAAQqlW.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\QDASOto.exe
  C:\Windows\System\QDASOto.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\uNvlyDh.exe
  C:\Windows\System\uNvlyDh.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\QGqjMQX.exe
  C:\Windows\System\QGqjMQX.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\ywTFwAX.exe
  C:\Windows\System\ywTFwAX.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System\CmASavJ.exe
  C:\Windows\System\CmASavJ.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\BUIXNFQ.exe
  C:\Windows\System\BUIXNFQ.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\hCZiKiW.exe
  C:\Windows\System\hCZiKiW.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\YRyxrrB.exe
  C:\Windows\System\YRyxrrB.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\CVylgrz.exe
  C:\Windows\System\CVylgrz.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\jbWlZET.exe
  C:\Windows\System\jbWlZET.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\wiqBCwZ.exe
  C:\Windows\System\wiqBCwZ.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\vCqakcm.exe
  C:\Windows\System\vCqakcm.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\jVumDPE.exe
  C:\Windows\System\jVumDPE.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\cQpifuq.exe
  C:\Windows\System\cQpifuq.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\WEUyITB.exe
  C:\Windows\System\WEUyITB.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System\yQbFUgN.exe
  C:\Windows\System\yQbFUgN.exe
  2⤵
  - Executes dropped EXE
  PID:4628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BUIXNFQ.exe

Filesize
5.2MB

MD5
d7ba58c16293e212d4c04b591fb9472b

SHA1
c7ba3153d2dc032d69e9b6e8e9149cec2d3b6cfd

SHA256
bc594f133dcd6290b0e9b75cadb6117936ed4eb336f0c651663c9dd694eb17a1

SHA512
4eb199877dd1255717348e25350bd07863bfb29757b95352d4424e1530c7070b02fe27d0c130719bdef1b5abfc2e35c20fd0ebe005fd3fa92e3412b7a61b543f

Download Submit
C:\Windows\System\CVylgrz.exe

Filesize
5.2MB

MD5
f4191afef03372a5a47509c095ec83d3

SHA1
ae920ec4e7375da27a6811581b8625ae4a617b22

SHA256
22e4bb75f6a40a81d8634fc2f914d8586e823f1df7445b8a0aac0c395a616e96

SHA512
c89bd02d2c7233d8da0eb6eda62735fee36a87b9135bebe2e404743363764bce29fcb8ed22b64646c579abb17e0f19f7c05954c24d36d15d2b83b050bc347b15

Download Submit
C:\Windows\System\CmASavJ.exe

Filesize
5.2MB

MD5
27e551e3510f66567757bf496db4180a

SHA1
364310a73319964e944016505ad63ada1ca9d6d8

SHA256
84ef6778194cf727b3dfdd168eadb30c256f335996f650427a43a174f0bd1935

SHA512
6ac19f545afb4108cc3e3bdaa2536c4cd2663912cb3b97ff116f4298d66db5568af78c9ffc9da35acb54e0196b2783f229046d0638fbb0f2f5b794be23b968ae

Download Submit
C:\Windows\System\JTKBzAu.exe

Filesize
5.2MB

MD5
3f084a551a692f969a642df19452ed71

SHA1
8223c44a4d41feb717277d476c4461d3fc7d9178

SHA256
4b23d43dfe8df1eb12c80b82739c07c0972ab25e820c4fba770c402a15ba6e01

SHA512
39ed9184fab51d3699961600f234268bab6b9592510dbf53e39f33dcc7ecc7942c6f52e591a493db0227cc72f9ec0d3f4a1bb556909af9ddaefccb6c25ef8a5a

Download Submit
C:\Windows\System\NqkhuOh.exe

Filesize
5.2MB

MD5
09d3eea13ec371f2f27760503e8c64f1

SHA1
fa3f60aecaae549572616ad49af7240802d8cea9

SHA256
ea69abb1d59ac050aaa82e8104053f24583c99ed83c84e58687f5f43cf695eb6

SHA512
50560d3d3caf1c661376c49ca284f9674bffe57541ebe09030dc9d0f5a39a99f1b352b583e21710e8df43e9df898ce13d7d5abd1984ae64687949184aaa87e6d

Download Submit
C:\Windows\System\QDASOto.exe

Filesize
5.2MB

MD5
ad2cc7ef8462df49894afab9b17ba22e

SHA1
332c9f1b5bbdd224c2ad87f5f6026e991e80ffed

SHA256
b3205b10fbb67ffaa29b5612e9a4a37e57c4f0280ee4d93a9384ce461bd5eac7

SHA512
d4b0c125b0c490411951be28eb90c79582f7c05534689471c459d125c15cea0b9e3eeb71b10d6555c1a1d5bf9cbe9c0757a114b918b03eddd33099ec66500b20

Download Submit
C:\Windows\System\QGqjMQX.exe

Filesize
5.2MB

MD5
471fd9949604ff0950bff6ce932ef0df

SHA1
d4c4676027617d65d90ce7da690a93b1f782f5ba

SHA256
d50c2926405e4a1d653d27ca3f5b1d1f7403c48052ae247ce18d6a7e23633f0f

SHA512
9aee143ac09f1c2cad7d8bd2f6b0db8f4c425ad178d2dec2d776852e174cae3c56a6cbfa52d5e22af3f197078c33bd661c65d9a1d1956d0e73226cea02c701f8

Download Submit
C:\Windows\System\SAAQqlW.exe

Filesize
5.2MB

MD5
42d78f0232b32b78b119c173f457bc3e

SHA1
5c042b1bf3a0f238c31ab83007846506aedd7408

SHA256
5d17bde4580a2a0a33b1b7777aa884b5f70a2a5822e9e1145a89e5fe490e0bde

SHA512
40546314691c16cbdc7dfe536857457f3ba1b8de63f3fa8a0fc248cdb509492f0991b228f7cbdffc91975d169f6cfed1c989e724bd20651d792a6fc662f7637c

Download Submit
C:\Windows\System\WEUyITB.exe

Filesize
5.2MB

MD5
f6971955d2d33bcfa89e60cc7dc82aad

SHA1
624131032b6a81c2beb834f8e809ba088cbdff9c

SHA256
cc5eef9e3705d2b5797a1d6c6e9bf9404733bd00be49b67980c850cdc99f4af3

SHA512
c6f75387da41e2448d7aef82359a3a08db565c32424d63062b7bda793ec57aa42d3ccdfde8881036a3bbe0a8eaaeb77767cb5d059e6ddf4fc2b52e265a7f61da

Download Submit
C:\Windows\System\YRwkLqR.exe

Filesize
5.2MB

MD5
cb784c69b8da5f48ce8d1ad1e1cece0d

SHA1
2b0d495c764e36b555319ccff829d8ddc50d4268

SHA256
95dc949527c88319489b947b6ef531f7f1d5d52847a78b779208ebb411706d13

SHA512
105713d4925962c174b77388e0472e4af3e242f679985b34d81cdce3a082fee3fca0b4baf76b38fc4808957fe789caf24ffd3d896bc3681ab206d77c4dfb4d79

Download Submit
C:\Windows\System\YRyxrrB.exe

Filesize
5.2MB

MD5
d1aefe741fa667f54f91abb228b377e8

SHA1
75836b4c645f2c219df02e4fcd868d6144469a54

SHA256
1dd5cc2e3f97197c75ed14e7db0a4b6203e4ae9214dbc724466ed36d96e4c977

SHA512
2a83a69961d6fa3a5b6abd6f7d968f63c4e7ee5e0c9a21783f810bd38711b14f588cfd036978cb2a2de275668a44f01fe8828fa7e69e1a53cf67524e51cd9eb3

Download Submit
C:\Windows\System\cQpifuq.exe

Filesize
5.2MB

MD5
5a577b4e7ab3fedcdaa914364a979a37

SHA1
160a66ceb70c6b1a6c48a3cd85a5c049c1203902

SHA256
736d908771790d071e3727e4f7b66b19b26308014b0133a6f51e68813807c0c3

SHA512
a1b2240f81c5dc2e4f8efc4a4a59b6f8982a8580848904062503e313c9eaaab909327e1b66620ae6070f5549e3f297757e9d0e8631557a2439d76d3b817b9c16

Download Submit
C:\Windows\System\hCZiKiW.exe

Filesize
5.2MB

MD5
c8685f866da65a5d4d97b4ecd245552d

SHA1
19b8ec219b195cd8425b2d9f679f21e75c806279

SHA256
c70a8ed5a2feef860adede17dc83619502a723cdf9e39d4bb3f7b1627102343c

SHA512
069a3fc981cd5fc5e91f9f3adff25b9a266441422ceea03dd7079256dae98af2793f307bf04b37bf2c22d184487b24b007bc87005da97bd4a664bff793ffbd88

Download Submit
C:\Windows\System\jRPdGql.exe

Filesize
5.2MB

MD5
9642a8cc426ab61bd3f020bc0546e8dd

SHA1
cec7da678d721e80244e48795273a78a1f21748a

SHA256
d0cda2ababc2801c6bcf8da0a9a170a76a80ac4a341f3b3c99c9eb650e0fae4b

SHA512
48a45a1d1918c85916e0afcc1b36ebd293a91ff2d678a88e3bba888492793a5bbdacf2151fb37c01aa6194ef57f0a69f88dfbcfb9158e5a683d781f11421f1ac

Download Submit
C:\Windows\System\jVumDPE.exe

Filesize
5.2MB

MD5
0159df7748ceee1553496af8c3be875f

SHA1
21206e2b23a2a03118277517939c777b45c2eb1e

SHA256
0bb520a4b2f0ac8352ab26d7336da94a8950efb9c0548f90a5326548bd285310

SHA512
e3230e7de54033ca57d091666376e17a54a7d5866fcf5597825df7c73babc25d5d38930e6361663ee82879fa7e2327ba2c071199ed8e4450dbbcfc5b8761286b

Download Submit
C:\Windows\System\jbWlZET.exe

Filesize
5.2MB

MD5
74baf1e04f7fefaa16e1c32e81c744dd

SHA1
d46774e9c227f17b314cf91c501e4806b997fae6

SHA256
d5b523d1c0b65d4ec90c5dd94041104707fdb52bfbe55c046fa0bcd610534b5f

SHA512
030ba806dfb93c4d388dd0fd6cea152be9befe9f8c1fa2246db6071ad85fc47d59cad27bf7786bf5f72e5c8fe9d0c92c65b5afb5d1e462c3cc5f5626913abdc0

Download Submit
C:\Windows\System\uNvlyDh.exe

Filesize
5.2MB

MD5
736ba5fc1bd416b145ab97c121625d34

SHA1
7bcb67c4a2b92a9cc7acf582fb59f5256a239ea3

SHA256
16c822af5a921f986c60f082dec11bf8d35376f78dc85e8e7b1c312867dbbccf

SHA512
23338370706c25ad97edac9de8f30f6d924f41961aa90848f817b50a4cc920ed98f4943e44e386425ac4a5233d5d1b9973c25dfd94cc9ac591a59f51919d673d

Download Submit
C:\Windows\System\vCqakcm.exe

Filesize
5.2MB

MD5
52919b5a6aa36942c29820a2888685a6

SHA1
47e394a584a58a997b8d05914d8bf8b7161e9bdb

SHA256
7d461a2bcfee6d092d7b338f219914ccf769b9533e2f23e4710e992b177454e0

SHA512
ee321bc3176d7e922c7e383d02d3f77ec403ebacd111acf3e3897bb909dd49fa606aba2a0b230f0631e1369453215cc3190bcea08ce576819d43af9b12a7a4d4

Download Submit
C:\Windows\System\wiqBCwZ.exe

Filesize
5.2MB

MD5
4f13b9f8bff51371dac41da42f5cc1df

SHA1
20c369f1db69661cfc0b7bdb4c0308d8c3c05cc5

SHA256
d60df611889a5785b01f6c45dece36d94042449e81e1f51ce36b728fe55427f5

SHA512
3dcd884c2d2e0f4b026579196dc8bfe04246a5d7d36a221113ac8cc7fcbe1bbe050aa5b3f01ede4e5d16f88fe8290fed9489ea76156af35639563199e2a6d042

Download Submit
C:\Windows\System\yQbFUgN.exe

Filesize
5.2MB

MD5
05174525a877df754ae3444aae7fd91c

SHA1
5f0340438a4132699d1b7b7694d1c0d11361aa25

SHA256
7468e9a6ab23f3d898b238e713e12e64a6f31bbb90d52ea96ca3990bbc3d2296

SHA512
5206f328dc93d77b969e1e095bc36d7ecc422e5f7809ce337ab133eae9ebb9a8a013fad5ffac245b09761590209a2d4eaef91bd13ade9fb1b02c8900f0af6d39

Download Submit
C:\Windows\System\ywTFwAX.exe

Filesize
5.2MB

MD5
99ac0cf76f47a599cf53afcbcc3ef2a4

SHA1
4dd8c65f5eeb55cede7665ee33f1d3791cc7832d

SHA256
ae089a44059ecafe3adb0ee09d19596c42e9415b59c02d6acc1c4e7ff4933b27

SHA512
c61555acfbb84cf2453335d41be0b5bda89433bef632868893ef0ef480ef8d0e279917970a4d9bbb0beb6b966bbe8a5d401c5e4b3a70328666bded32034afe1c

Download Submit
memory/1140-165-0x00007FF7C2450000-0x00007FF7C27A1000-memory.dmp

Filesize
3.3MB

Download
memory/1140-130-0x00007FF7C2450000-0x00007FF7C27A1000-memory.dmp

Filesize
3.3MB

Download
memory/1140-272-0x00007FF7C2450000-0x00007FF7C27A1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-247-0x00007FF78DB40000-0x00007FF78DE91000-memory.dmp

Filesize
3.3MB

Download
memory/1428-69-0x00007FF78DB40000-0x00007FF78DE91000-memory.dmp

Filesize
3.3MB

Download
memory/1428-110-0x00007FF78DB40000-0x00007FF78DE91000-memory.dmp

Filesize
3.3MB

Download
memory/1708-150-0x00007FF6FA5B0000-0x00007FF6FA901000-memory.dmp

Filesize
3.3MB

Download
memory/1708-99-0x00007FF6FA5B0000-0x00007FF6FA901000-memory.dmp

Filesize
3.3MB

Download
memory/1708-261-0x00007FF6FA5B0000-0x00007FF6FA901000-memory.dmp

Filesize
3.3MB

Download
memory/1760-55-0x00007FF72B5D0000-0x00007FF72B921000-memory.dmp

Filesize
3.3MB

Download
memory/1760-245-0x00007FF72B5D0000-0x00007FF72B921000-memory.dmp

Filesize
3.3MB

Download
memory/1760-115-0x00007FF72B5D0000-0x00007FF72B921000-memory.dmp

Filesize
3.3MB

Download
memory/1808-227-0x00007FF7047B0000-0x00007FF704B01000-memory.dmp

Filesize
3.3MB

Download
memory/1808-81-0x00007FF7047B0000-0x00007FF704B01000-memory.dmp

Filesize
3.3MB

Download
memory/1808-24-0x00007FF7047B0000-0x00007FF704B01000-memory.dmp

Filesize
3.3MB

Download
memory/1952-104-0x00007FF715190000-0x00007FF7154E1000-memory.dmp

Filesize
3.3MB

Download
memory/1952-152-0x00007FF715190000-0x00007FF7154E1000-memory.dmp

Filesize
3.3MB

Download
memory/1952-264-0x00007FF715190000-0x00007FF7154E1000-memory.dmp

Filesize
3.3MB

Download
memory/2060-250-0x00007FF75EF00000-0x00007FF75F251000-memory.dmp

Filesize
3.3MB

Download
memory/2060-141-0x00007FF75EF00000-0x00007FF75F251000-memory.dmp

Filesize
3.3MB

Download
memory/2060-82-0x00007FF75EF00000-0x00007FF75F251000-memory.dmp

Filesize
3.3MB

Download
memory/2824-229-0x00007FF662A00000-0x00007FF662D51000-memory.dmp

Filesize
3.3MB

Download
memory/2824-30-0x00007FF662A00000-0x00007FF662D51000-memory.dmp

Filesize
3.3MB

Download
memory/2824-88-0x00007FF662A00000-0x00007FF662D51000-memory.dmp

Filesize
3.3MB

Download
memory/2956-225-0x00007FF7EA5A0000-0x00007FF7EA8F1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-73-0x00007FF7EA5A0000-0x00007FF7EA8F1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-18-0x00007FF7EA5A0000-0x00007FF7EA8F1000-memory.dmp

Filesize
3.3MB

Download
memory/3036-223-0x00007FF6F46D0000-0x00007FF6F4A21000-memory.dmp

Filesize
3.3MB

Download
memory/3036-12-0x00007FF6F46D0000-0x00007FF6F4A21000-memory.dmp

Filesize
3.3MB

Download
memory/3036-70-0x00007FF6F46D0000-0x00007FF6F4A21000-memory.dmp

Filesize
3.3MB

Download
memory/3164-119-0x00007FF7876E0000-0x00007FF787A31000-memory.dmp

Filesize
3.3MB

Download
memory/3164-164-0x00007FF7876E0000-0x00007FF787A31000-memory.dmp

Filesize
3.3MB

Download
memory/3164-270-0x00007FF7876E0000-0x00007FF787A31000-memory.dmp

Filesize
3.3MB

Download
memory/3228-253-0x00007FF6FE050000-0x00007FF6FE3A1000-memory.dmp

Filesize
3.3MB

Download
memory/3228-129-0x00007FF6FE050000-0x00007FF6FE3A1000-memory.dmp

Filesize
3.3MB

Download
memory/3228-71-0x00007FF6FE050000-0x00007FF6FE3A1000-memory.dmp

Filesize
3.3MB

Download
memory/3632-170-0x00007FF74E5E0000-0x00007FF74E931000-memory.dmp

Filesize
3.3MB

Download
memory/3632-147-0x00007FF74E5E0000-0x00007FF74E931000-memory.dmp

Filesize
3.3MB

Download
memory/3632-275-0x00007FF74E5E0000-0x00007FF74E931000-memory.dmp

Filesize
3.3MB

Download
memory/3640-74-0x00007FF7810C0000-0x00007FF781411000-memory.dmp

Filesize
3.3MB

Download
memory/3640-138-0x00007FF7810C0000-0x00007FF781411000-memory.dmp

Filesize
3.3MB

Download
memory/3640-252-0x00007FF7810C0000-0x00007FF781411000-memory.dmp

Filesize
3.3MB

Download
memory/3656-166-0x00007FF734E70000-0x00007FF7351C1000-memory.dmp

Filesize
3.3MB

Download
memory/3656-0-0x00007FF734E70000-0x00007FF7351C1000-memory.dmp

Filesize
3.3MB

Download
memory/3656-188-0x00007FF734E70000-0x00007FF7351C1000-memory.dmp

Filesize
3.3MB

Download
memory/3656-1-0x00000218029D0000-0x00000218029E0000-memory.dmp

Filesize
64KB

Download
memory/3656-54-0x00007FF734E70000-0x00007FF7351C1000-memory.dmp

Filesize
3.3MB

Download
memory/4620-237-0x00007FF72ED80000-0x00007FF72F0D1000-memory.dmp

Filesize
3.3MB

Download
memory/4620-109-0x00007FF72ED80000-0x00007FF72F0D1000-memory.dmp

Filesize
3.3MB

Download
memory/4620-48-0x00007FF72ED80000-0x00007FF72F0D1000-memory.dmp

Filesize
3.3MB

Download
memory/4628-277-0x00007FF793370000-0x00007FF7936C1000-memory.dmp

Filesize
3.3MB

Download
memory/4628-148-0x00007FF793370000-0x00007FF7936C1000-memory.dmp

Filesize
3.3MB

Download
memory/4684-8-0x00007FF7EBA20000-0x00007FF7EBD71000-memory.dmp

Filesize
3.3MB

Download
memory/4684-62-0x00007FF7EBA20000-0x00007FF7EBD71000-memory.dmp

Filesize
3.3MB

Download
memory/4684-216-0x00007FF7EBA20000-0x00007FF7EBD71000-memory.dmp

Filesize
3.3MB

Download
memory/4708-259-0x00007FF77E1F0000-0x00007FF77E541000-memory.dmp

Filesize
3.3MB

Download
memory/4708-92-0x00007FF77E1F0000-0x00007FF77E541000-memory.dmp

Filesize
3.3MB

Download
memory/4816-111-0x00007FF6DEB00000-0x00007FF6DEE51000-memory.dmp

Filesize
3.3MB

Download
memory/4816-265-0x00007FF6DEB00000-0x00007FF6DEE51000-memory.dmp

Filesize
3.3MB

Download
memory/4816-159-0x00007FF6DEB00000-0x00007FF6DEE51000-memory.dmp

Filesize
3.3MB

Download
memory/4912-232-0x00007FF78A810000-0x00007FF78AB61000-memory.dmp

Filesize
3.3MB

Download
memory/4912-37-0x00007FF78A810000-0x00007FF78AB61000-memory.dmp

Filesize
3.3MB

Download
memory/4912-96-0x00007FF78A810000-0x00007FF78AB61000-memory.dmp

Filesize
3.3MB

Download
memory/5008-235-0x00007FF76DC90000-0x00007FF76DFE1000-memory.dmp

Filesize
3.3MB

Download
memory/5008-44-0x00007FF76DC90000-0x00007FF76DFE1000-memory.dmp

Filesize
3.3MB

Download
memory/5008-103-0x00007FF76DC90000-0x00007FF76DFE1000-memory.dmp

Filesize
3.3MB

Download