cobaltstrike | af13467ceb0e2c5443e4bf279eb8778f31729b5b2f252c94256bbb7d19ccaf43

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

443eba04f8d72c279fcd832286d2328f
SHA1

a3fd3ef189a4bdab648dde344ea5aa1ec17c8e86
SHA256

af13467ceb0e2c5443e4bf279eb8778f31729b5b2f252c94256bbb7d19ccaf43
SHA512

571f52eec047dc489e1d12b6d9f8679f722070872cbfa3da6fa51b37dcad2cac59be6f612b3625ddc039605339af58f792e0391665bedccf81e99e438ba30f5d
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUy:T+856utgpPF8u/7y

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023ca4-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-29.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca5-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-133.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2340-0-0x00007FF686590000-0x00007FF6868E4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023ca4-4.dat	xmrig
behavioral2/memory/1028-7-0x00007FF60D240000-0x00007FF60D594000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca9-10.dat	xmrig
behavioral2/files/0x0007000000023ca8-11.dat	xmrig
behavioral2/files/0x0007000000023caa-23.dat	xmrig
behavioral2/memory/4560-24-0x00007FF7C02F0000-0x00007FF7C0644000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cab-29.dat	xmrig
behavioral2/memory/2160-30-0x00007FF6F8180000-0x00007FF6F84D4000-memory.dmp	xmrig
behavioral2/memory/2056-22-0x00007FF68E520000-0x00007FF68E874000-memory.dmp	xmrig
behavioral2/memory/400-15-0x00007FF729390000-0x00007FF7296E4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023ca5-34.dat	xmrig
behavioral2/files/0x0007000000023cac-40.dat	xmrig
behavioral2/files/0x0007000000023cad-44.dat	xmrig
behavioral2/memory/4336-45-0x00007FF7D4CF0000-0x00007FF7D5044000-memory.dmp	xmrig
behavioral2/memory/3476-42-0x00007FF699D20000-0x00007FF69A074000-memory.dmp	xmrig
behavioral2/memory/4300-36-0x00007FF6F6AA0000-0x00007FF6F6DF4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cae-52.dat	xmrig
behavioral2/memory/2340-56-0x00007FF686590000-0x00007FF6868E4000-memory.dmp	xmrig
behavioral2/memory/1796-61-0x00007FF7D7850000-0x00007FF7D7BA4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb0-59.dat	xmrig
behavioral2/memory/1028-64-0x00007FF60D240000-0x00007FF60D594000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb1-67.dat	xmrig
behavioral2/memory/4664-69-0x00007FF79C950000-0x00007FF79CCA4000-memory.dmp	xmrig
behavioral2/memory/2164-71-0x00007FF798830000-0x00007FF798B84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb2-74.dat	xmrig
behavioral2/memory/2056-75-0x00007FF68E520000-0x00007FF68E874000-memory.dmp	xmrig
behavioral2/memory/4560-81-0x00007FF7C02F0000-0x00007FF7C0644000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb3-84.dat	xmrig
behavioral2/memory/212-83-0x00007FF64AAF0000-0x00007FF64AE44000-memory.dmp	xmrig
behavioral2/memory/4980-76-0x00007FF6FDFA0000-0x00007FF6FE2F4000-memory.dmp	xmrig
behavioral2/memory/400-70-0x00007FF729390000-0x00007FF7296E4000-memory.dmp	xmrig
behavioral2/memory/2160-86-0x00007FF6F8180000-0x00007FF6F84D4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb4-89.dat	xmrig
behavioral2/files/0x0007000000023cb5-94.dat	xmrig
behavioral2/files/0x0007000000023cb6-107.dat	xmrig
behavioral2/memory/4336-105-0x00007FF7D4CF0000-0x00007FF7D5044000-memory.dmp	xmrig
behavioral2/memory/4288-112-0x00007FF6F4330000-0x00007FF6F4684000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb8-116.dat	xmrig
behavioral2/memory/4524-117-0x00007FF7E2390000-0x00007FF7E26E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb7-111.dat	xmrig
behavioral2/memory/1164-110-0x00007FF7A4990000-0x00007FF7A4CE4000-memory.dmp	xmrig
behavioral2/memory/2852-102-0x00007FF6886F0000-0x00007FF688A44000-memory.dmp	xmrig
behavioral2/memory/3476-98-0x00007FF699D20000-0x00007FF69A074000-memory.dmp	xmrig
behavioral2/memory/4660-93-0x00007FF6152B0000-0x00007FF615604000-memory.dmp	xmrig
behavioral2/memory/4300-92-0x00007FF6F6AA0000-0x00007FF6F6DF4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb9-122.dat	xmrig
behavioral2/memory/3288-123-0x00007FF7FD3C0000-0x00007FF7FD714000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cba-129.dat	xmrig
behavioral2/memory/4392-132-0x00007FF646190000-0x00007FF6464E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbb-133.dat	xmrig
behavioral2/memory/4980-134-0x00007FF6FDFA0000-0x00007FF6FE2F4000-memory.dmp	xmrig
behavioral2/memory/3364-137-0x00007FF6BF3E0000-0x00007FF6BF734000-memory.dmp	xmrig
behavioral2/memory/212-138-0x00007FF64AAF0000-0x00007FF64AE44000-memory.dmp	xmrig
behavioral2/memory/4660-139-0x00007FF6152B0000-0x00007FF615604000-memory.dmp	xmrig
behavioral2/memory/1164-140-0x00007FF7A4990000-0x00007FF7A4CE4000-memory.dmp	xmrig
behavioral2/memory/4288-141-0x00007FF6F4330000-0x00007FF6F4684000-memory.dmp	xmrig
behavioral2/memory/4524-142-0x00007FF7E2390000-0x00007FF7E26E4000-memory.dmp	xmrig
behavioral2/memory/3288-143-0x00007FF7FD3C0000-0x00007FF7FD714000-memory.dmp	xmrig
behavioral2/memory/4392-144-0x00007FF646190000-0x00007FF6464E4000-memory.dmp	xmrig
behavioral2/memory/3364-145-0x00007FF6BF3E0000-0x00007FF6BF734000-memory.dmp	xmrig
behavioral2/memory/1028-146-0x00007FF60D240000-0x00007FF60D594000-memory.dmp	xmrig
behavioral2/memory/400-147-0x00007FF729390000-0x00007FF7296E4000-memory.dmp	xmrig
behavioral2/memory/2056-148-0x00007FF68E520000-0x00007FF68E874000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1028	SBTMewQ.exe
400	JWymGza.exe
2056	ncKmWSx.exe
4560	vGFCywk.exe
2160	nECtItD.exe
4300	MvcBKDF.exe
3476	zXOJbdA.exe
4336	cwMoEcm.exe
1796	cGnTabG.exe
4664	yVNtzEJ.exe
2164	rhvhFsL.exe
4980	DVwbbcR.exe
212	yCnMBEw.exe
4660	xnlcdkz.exe
2852	yVwHQFu.exe
1164	jqwyDpZ.exe
4288	dDvgadL.exe
4524	oSdQZzx.exe
3288	wDtHPYi.exe
4392	jRyCRVc.exe
3364	ODXYMQU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2340-0-0x00007FF686590000-0x00007FF6868E4000-memory.dmp	upx
behavioral2/files/0x0008000000023ca4-4.dat	upx
behavioral2/memory/1028-7-0x00007FF60D240000-0x00007FF60D594000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-10.dat	upx
behavioral2/files/0x0007000000023ca8-11.dat	upx
behavioral2/files/0x0007000000023caa-23.dat	upx
behavioral2/memory/4560-24-0x00007FF7C02F0000-0x00007FF7C0644000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-29.dat	upx
behavioral2/memory/2160-30-0x00007FF6F8180000-0x00007FF6F84D4000-memory.dmp	upx
behavioral2/memory/2056-22-0x00007FF68E520000-0x00007FF68E874000-memory.dmp	upx
behavioral2/memory/400-15-0x00007FF729390000-0x00007FF7296E4000-memory.dmp	upx
behavioral2/files/0x0008000000023ca5-34.dat	upx
behavioral2/files/0x0007000000023cac-40.dat	upx
behavioral2/files/0x0007000000023cad-44.dat	upx
behavioral2/memory/4336-45-0x00007FF7D4CF0000-0x00007FF7D5044000-memory.dmp	upx
behavioral2/memory/3476-42-0x00007FF699D20000-0x00007FF69A074000-memory.dmp	upx
behavioral2/memory/4300-36-0x00007FF6F6AA0000-0x00007FF6F6DF4000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-52.dat	upx
behavioral2/memory/2340-56-0x00007FF686590000-0x00007FF6868E4000-memory.dmp	upx
behavioral2/memory/1796-61-0x00007FF7D7850000-0x00007FF7D7BA4000-memory.dmp	upx
behavioral2/files/0x0007000000023cb0-59.dat	upx
behavioral2/memory/1028-64-0x00007FF60D240000-0x00007FF60D594000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-67.dat	upx
behavioral2/memory/4664-69-0x00007FF79C950000-0x00007FF79CCA4000-memory.dmp	upx
behavioral2/memory/2164-71-0x00007FF798830000-0x00007FF798B84000-memory.dmp	upx
behavioral2/files/0x0007000000023cb2-74.dat	upx
behavioral2/memory/2056-75-0x00007FF68E520000-0x00007FF68E874000-memory.dmp	upx
behavioral2/memory/4560-81-0x00007FF7C02F0000-0x00007FF7C0644000-memory.dmp	upx
behavioral2/files/0x0007000000023cb3-84.dat	upx
behavioral2/memory/212-83-0x00007FF64AAF0000-0x00007FF64AE44000-memory.dmp	upx
behavioral2/memory/4980-76-0x00007FF6FDFA0000-0x00007FF6FE2F4000-memory.dmp	upx
behavioral2/memory/400-70-0x00007FF729390000-0x00007FF7296E4000-memory.dmp	upx
behavioral2/memory/2160-86-0x00007FF6F8180000-0x00007FF6F84D4000-memory.dmp	upx
behavioral2/files/0x0007000000023cb4-89.dat	upx
behavioral2/files/0x0007000000023cb5-94.dat	upx
behavioral2/files/0x0007000000023cb6-107.dat	upx
behavioral2/memory/4336-105-0x00007FF7D4CF0000-0x00007FF7D5044000-memory.dmp	upx
behavioral2/memory/4288-112-0x00007FF6F4330000-0x00007FF6F4684000-memory.dmp	upx
behavioral2/files/0x0007000000023cb8-116.dat	upx
behavioral2/memory/4524-117-0x00007FF7E2390000-0x00007FF7E26E4000-memory.dmp	upx
behavioral2/files/0x0007000000023cb7-111.dat	upx
behavioral2/memory/1164-110-0x00007FF7A4990000-0x00007FF7A4CE4000-memory.dmp	upx
behavioral2/memory/2852-102-0x00007FF6886F0000-0x00007FF688A44000-memory.dmp	upx
behavioral2/memory/3476-98-0x00007FF699D20000-0x00007FF69A074000-memory.dmp	upx
behavioral2/memory/4660-93-0x00007FF6152B0000-0x00007FF615604000-memory.dmp	upx
behavioral2/memory/4300-92-0x00007FF6F6AA0000-0x00007FF6F6DF4000-memory.dmp	upx
behavioral2/files/0x0007000000023cb9-122.dat	upx
behavioral2/memory/3288-123-0x00007FF7FD3C0000-0x00007FF7FD714000-memory.dmp	upx
behavioral2/files/0x0007000000023cba-129.dat	upx
behavioral2/memory/4392-132-0x00007FF646190000-0x00007FF6464E4000-memory.dmp	upx
behavioral2/files/0x0007000000023cbb-133.dat	upx
behavioral2/memory/4980-134-0x00007FF6FDFA0000-0x00007FF6FE2F4000-memory.dmp	upx
behavioral2/memory/3364-137-0x00007FF6BF3E0000-0x00007FF6BF734000-memory.dmp	upx
behavioral2/memory/212-138-0x00007FF64AAF0000-0x00007FF64AE44000-memory.dmp	upx
behavioral2/memory/4660-139-0x00007FF6152B0000-0x00007FF615604000-memory.dmp	upx
behavioral2/memory/1164-140-0x00007FF7A4990000-0x00007FF7A4CE4000-memory.dmp	upx
behavioral2/memory/4288-141-0x00007FF6F4330000-0x00007FF6F4684000-memory.dmp	upx
behavioral2/memory/4524-142-0x00007FF7E2390000-0x00007FF7E26E4000-memory.dmp	upx
behavioral2/memory/3288-143-0x00007FF7FD3C0000-0x00007FF7FD714000-memory.dmp	upx
behavioral2/memory/4392-144-0x00007FF646190000-0x00007FF6464E4000-memory.dmp	upx
behavioral2/memory/3364-145-0x00007FF6BF3E0000-0x00007FF6BF734000-memory.dmp	upx
behavioral2/memory/1028-146-0x00007FF60D240000-0x00007FF60D594000-memory.dmp	upx
behavioral2/memory/400-147-0x00007FF729390000-0x00007FF7296E4000-memory.dmp	upx
behavioral2/memory/2056-148-0x00007FF68E520000-0x00007FF68E874000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\vGFCywk.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nECtItD.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zXOJbdA.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cGnTabG.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DVwbbcR.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xnlcdkz.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ODXYMQU.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ncKmWSx.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dDvgadL.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oSdQZzx.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wDtHPYi.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jRyCRVc.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jqwyDpZ.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JWymGza.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MvcBKDF.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cwMoEcm.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yVNtzEJ.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rhvhFsL.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SBTMewQ.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yVwHQFu.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yCnMBEw.exe	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 1028	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2340 wrote to memory of 1028	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2340 wrote to memory of 400	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2340 wrote to memory of 400	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2340 wrote to memory of 2056	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2340 wrote to memory of 2056	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2340 wrote to memory of 4560	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2340 wrote to memory of 4560	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2340 wrote to memory of 2160	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2340 wrote to memory of 2160	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2340 wrote to memory of 4300	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2340 wrote to memory of 4300	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2340 wrote to memory of 3476	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2340 wrote to memory of 3476	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2340 wrote to memory of 4336	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2340 wrote to memory of 4336	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2340 wrote to memory of 1796	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2340 wrote to memory of 1796	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2340 wrote to memory of 4664	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2340 wrote to memory of 4664	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2340 wrote to memory of 2164	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2340 wrote to memory of 2164	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2340 wrote to memory of 4980	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2340 wrote to memory of 4980	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2340 wrote to memory of 212	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2340 wrote to memory of 212	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2340 wrote to memory of 4660	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2340 wrote to memory of 4660	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2340 wrote to memory of 2852	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2340 wrote to memory of 2852	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2340 wrote to memory of 1164	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2340 wrote to memory of 1164	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2340 wrote to memory of 4288	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2340 wrote to memory of 4288	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2340 wrote to memory of 4524	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2340 wrote to memory of 4524	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2340 wrote to memory of 3288	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2340 wrote to memory of 3288	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2340 wrote to memory of 4392	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2340 wrote to memory of 4392	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2340 wrote to memory of 3364	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2340 wrote to memory of 3364	2340	2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-11_443eba04f8d72c279fcd832286d2328f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\System\SBTMewQ.exe
  C:\Windows\System\SBTMewQ.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\JWymGza.exe
  C:\Windows\System\JWymGza.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\ncKmWSx.exe
  C:\Windows\System\ncKmWSx.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\vGFCywk.exe
  C:\Windows\System\vGFCywk.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System\nECtItD.exe
  C:\Windows\System\nECtItD.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\MvcBKDF.exe
  C:\Windows\System\MvcBKDF.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\zXOJbdA.exe
  C:\Windows\System\zXOJbdA.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System\cwMoEcm.exe
  C:\Windows\System\cwMoEcm.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\cGnTabG.exe
  C:\Windows\System\cGnTabG.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\yVNtzEJ.exe
  C:\Windows\System\yVNtzEJ.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\rhvhFsL.exe
  C:\Windows\System\rhvhFsL.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\DVwbbcR.exe
  C:\Windows\System\DVwbbcR.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\yCnMBEw.exe
  C:\Windows\System\yCnMBEw.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\xnlcdkz.exe
  C:\Windows\System\xnlcdkz.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System\yVwHQFu.exe
  C:\Windows\System\yVwHQFu.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\jqwyDpZ.exe
  C:\Windows\System\jqwyDpZ.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System\dDvgadL.exe
  C:\Windows\System\dDvgadL.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System\oSdQZzx.exe
  C:\Windows\System\oSdQZzx.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\wDtHPYi.exe
  C:\Windows\System\wDtHPYi.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System\jRyCRVc.exe
  C:\Windows\System\jRyCRVc.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\ODXYMQU.exe
  C:\Windows\System\ODXYMQU.exe
  2⤵
  - Executes dropped EXE
  PID:3364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DVwbbcR.exe

Filesize
5.9MB

MD5
e99252e87a1fa41b5fbfa04a9c8ddcec

SHA1
5eae561a36e9d5c290329318837f40afa666b3dc

SHA256
c5c1627a4455771b88c5229a5bcce3a6c282c2389705e7310db973228e917a22

SHA512
a0844a8d28f28847230daa3833e9541b182a24636e6586764ef68cc35dbd0cd1dc977f3cdfea670a01b88c95aaa039ed8461f8d4075592a1f738b430811f7fb6

Download Submit
C:\Windows\System\JWymGza.exe

Filesize
5.9MB

MD5
653341bcb8f81d2dccc74ee1405b57ee

SHA1
6a8e07b381d06c3ccf289a91072aea3f9adc0e31

SHA256
e5fddbca2b1c53b53f575d727389a5a49e32c715b51d9e1e208020c162f5a665

SHA512
32863192c9764727ef513bd239caeda6fed6abe213cbf2eca7268daa02d4f047a22fc7dd2a8e71af5aa0e4905c1eba641be8976fbb4365e0a6e5fc3001f0cf22

Download Submit
C:\Windows\System\MvcBKDF.exe

Filesize
5.9MB

MD5
dc7c5f3fa9f0605dfcba4de8b9a7d31a

SHA1
86f51bc0b3bade80cc3eda83f9d42370565d0d62

SHA256
35e49454042b56cedc74992734d6a2b9139410e01662bb9694dad5564f26a66b

SHA512
1ef2d26fb1da6bd2557c646db5044be031c97ec9d1596f8235a8351def8f7d704be45095f4df4b6afb1c3a48564ed0d656a16825673e1acccdf2211ada820771

Download Submit
C:\Windows\System\ODXYMQU.exe

Filesize
5.9MB

MD5
77caeaa01724689b2c861533804bf057

SHA1
bb442c52ad34bf50335bcc65df39951a6fdf5c64

SHA256
4f08b58571388b84e6f0675134a919e5df1e2718ee7f7696501043b073e71a3e

SHA512
8f714e5bd8fc0271ac84df0e767338af67921321ab2d65406d7582ff61fa65c63d50122617bf667462ac8bcb0a5f1b0c5751de342adb746f659db6235ee1b7c2

Download Submit
C:\Windows\System\SBTMewQ.exe

Filesize
5.9MB

MD5
d5dd3c6587b9d5715bb06e9880ceeae9

SHA1
60ac7fedcde6e069b1be898b9bf71196f904bb5f

SHA256
a39e55d6a5927367fa7098bd23b5d8ba46a2f44977818d2adb0f6622ca8fe35f

SHA512
49a56724bbe8382600958c5bfa8acd5c22d1d3993bfa935f78401e8a57ae2a17e50e7d69585adb62d6df86b72bb530822b62de1e5b232297633111fa358f67bb

Download Submit
C:\Windows\System\cGnTabG.exe

Filesize
5.9MB

MD5
9a19ae7ad9aff8d5078a62877571986f

SHA1
83acca357504febf85c38681c46b2821e9a61a5d

SHA256
4e2bc048fd1d33b82a039ee7a77b3d661f164b8ac1972930a4b62a286ff28e05

SHA512
e5e7d0e45f9e6743b52c1d532b7b645fae0bd4a8ebf3727942ebbd76eb7e370fca3b80a85db1094b2ea4959ebb56c65b2746a2c3d8f3b0f21824d4e43c63add5

Download Submit
C:\Windows\System\cwMoEcm.exe

Filesize
5.9MB

MD5
6e2bd556c6b429e1aba77457b62bf9d9

SHA1
3a2d25e573db03064853da05922181ad309e14b1

SHA256
316d2ea49d7f0e5acb51e71fbf4a84da5565a3c42e4a1310096230265db62e14

SHA512
e229582ca70f02791ca93ac9a87d22af3ad24e3685f006066e6ae87258f09d851bce00cded4aff7613f3ceacb0161326bd158b0ee61fa4ad1dcfe4e7f6c89821

Download Submit
C:\Windows\System\dDvgadL.exe

Filesize
5.9MB

MD5
778e0f946f7be46797a10b6fb101c325

SHA1
a4755284bcf42e7f0e4387da8e6ffb3d11c2ba88

SHA256
fb9b3ebc8d6492e0e1912eea4c873d31a2acb715bbecac51baf2d53c0491fd8e

SHA512
f5c2d4ef86ab3b7119eaf386033cda3b921578beca341be04a07d80404a4a0caff426587758b995fd4b29c8500342c570b580c8395cb2ce584e422fda4496146

Download Submit
C:\Windows\System\jRyCRVc.exe

Filesize
5.9MB

MD5
79517ab181fb39a05c1f3558934db531

SHA1
0143b595d446337d0223334f4780f41dd2687d20

SHA256
2c15a927b19c4e5fa6bd33ce3182e9b5c214fae02b76dc70b96c751fb6fc84fc

SHA512
c39bbb0dc5ce95666fa78db9dd3c8ba8957f2ab1efcfa925365626078ec5824882e4b05e9372da9c163bf608c8e33c840fd1541c39047390537e9a183c423959

Download Submit
C:\Windows\System\jqwyDpZ.exe

Filesize
5.9MB

MD5
fb095ead5ab4dda08fe475a1e0f01ed7

SHA1
f0c369cddbd5d2c05eb8277313d65599b850ae72

SHA256
3d4056f680f2cb19bda5999c77fac94fbe50eb45cff691924fb7260eaa0dad49

SHA512
67a9aac967251379b5aa51ba13c475a6caf99f9d01b1e917c4bdf6001ba51cdf901c63aa05532ebc0563bc6c97a86b8f6df89bc4c63699773181f999c13e5682

Download Submit
C:\Windows\System\nECtItD.exe

Filesize
5.9MB

MD5
088e464c91c903ca08dd9940924e4821

SHA1
7adbd84f1b7d1590078787428b8988f3442cccfa

SHA256
f848724fec00f73521b44dafcbbbc1a101f891b819c93a2292fa4753a5a766af

SHA512
752aafad2453011185173d5dd9aca9d7528ab733a7442f27356cc48aa5cf86f6dcdfc3640b5769caf24c861b7cccf4be6e360b92859a6db40e0b0f67e4f84127

Download Submit
C:\Windows\System\ncKmWSx.exe

Filesize
5.9MB

MD5
72ca7926ee3877911e2b88cee0e184ca

SHA1
a95764cb2077ae028abbda3a65d505bf213c2b77

SHA256
03e5f9baf520cf7715e734a6c04dcb1ab686dc7da05c32c689fb1ebf5f4f4848

SHA512
5a18ccfc0d801ca037ee06fa9a205b4aeb39a42bec55cf2fee87fc7c8a74e2f54246a979c27b63a599c37294bbc3897075dfa437124de301cca2e01bb8744475

Download Submit
C:\Windows\System\oSdQZzx.exe

Filesize
5.9MB

MD5
ddd8d1952f44c45a4b30ce7022d5c52b

SHA1
301000e02857ccf9768b40359d090f7f6e85f3da

SHA256
fd221442f14d7b80bcbf0c9f9257fe849d56f1cead66bfa6ede6cc90c0cb9b54

SHA512
12f300cfa2ecf62a5a5693884fd3db914db7e6c251ef29d6f766e31b774fcbd4f0a4f8be2a31d12c8568772b286a2299d83a97e6732de88b6a885ccb90bd6032

Download Submit
C:\Windows\System\rhvhFsL.exe

Filesize
5.9MB

MD5
3c29dd8333ca015a1eb8a9ceaff381c0

SHA1
025797f57088179981ac0304b3b421e1e72a2266

SHA256
b375df0fda39983a2240a0b5739d0fe50aafd57011ade34f06e67dd73305cd49

SHA512
f032cfb3891224660ec931032ebcaef91c6fc50b83dac5c17226bab1e79e3cce24e566e0b65c0d467e9fc9cc6626e7283ec73c2a88e3015c4aaedd4e415dcb92

Download Submit
C:\Windows\System\vGFCywk.exe

Filesize
5.9MB

MD5
4d8e6e60136b8753af8a5d41ea1f26f7

SHA1
0d6c6f6a34675a6a100c871f3a1c42c1558e3daf

SHA256
0c80affb8939827ead64d606491bb1696bf75841940e44b31e2c65c051300907

SHA512
e2eb8ba91d53621577416075ad5530ccbfdb1f866eb5b71992ae5619fab3450da01eb092480c1687a44f0cff64643c46597eae43952142bed15fb7b5cb8be273

Download Submit
C:\Windows\System\wDtHPYi.exe

Filesize
5.9MB

MD5
73039bf07cd65e3193e90f109638d0d4

SHA1
fc9a3bef8f965a01a018496f66718c9567dd5101

SHA256
9d0e7cf0293e94c7229189450e9c1adb938266b17abf6b6226d72e86fe62c360

SHA512
71b92a88613955e78d17dff583c555a2912e3664394ec0d257990e8d8174757e99a24e95be993dca748bed93a1ba82364b4a0779a13229b35e50098567bb45f8

Download Submit
C:\Windows\System\xnlcdkz.exe

Filesize
5.9MB

MD5
ba4de429dcda073d912d0278cd4c4a12

SHA1
34c758f2914c129f045ff0c855d381f1aabac1c8

SHA256
37bb8a775d0bb7200346eba5dd144011c30030afc3046b4ca9131f33325279d4

SHA512
9eaefa8d96883fd5b81c3ca3aafa52a71008dc8b62ecc6e81d01d6b6df96d4f36c0f72d0d85206437ebea944de9cfc45ddec75eedfe85fa1c517f174a0c70ebb

Download Submit
C:\Windows\System\yCnMBEw.exe

Filesize
5.9MB

MD5
b959d027843e44f40b89efefc4f49fae

SHA1
39ff5df96aac41a6a2e1be3e72fb8f7a13033385

SHA256
21e066b85bac77c63410d8cc9bf93c5380a28a18b1b47b09edd3f08fd20a3834

SHA512
111546c29bd3cd08867368a3154172a55f0979b9875f3bd4d25dc2cb41d110edf04cec49114fdcc6c02fea03e731b650d7b816cb482e913aa1b80ce5139c4bb0

Download Submit
C:\Windows\System\yVNtzEJ.exe

Filesize
5.9MB

MD5
f06f5561f4b3b86f46a4e62318a57fc5

SHA1
236269f65f980820ae47270c5d88df20ae9e816c

SHA256
1831d266d2ce04862c53dff8fb1e0ff231c931c10ef06ff86fd859d5410eec21

SHA512
81e2fd8d775a1dad1ae3320ceb2440d51c50ecc41acac7f3ad65cddcbfb231a36e59a75f1bb8026246c8a202a894b9663968f200ac7e5c5b0750c73f94636ed1

Download Submit
C:\Windows\System\yVwHQFu.exe

Filesize
5.9MB

MD5
d7118084605b601fa2e0fa497003dd01

SHA1
7eeae127860c51f810df64fbe2a2b995f5bb6473

SHA256
4a109e1cad4144ee4d13a65646aad8fe082d02204d1750f10e9686d036e0fb69

SHA512
0ee66fbafa26b753c872928d3a61297b8bfde2a97d6315c34bc5ad713a93ac92c2aebb08897595e39bb89fb9435889079988f5be0b7af1f4da1cf0ee935c18ea

Download Submit
C:\Windows\System\zXOJbdA.exe

Filesize
5.9MB

MD5
de40c1cfaf594cde864f1765154e9f37

SHA1
f29ee8c8365521916b210354719be618405f47a9

SHA256
b8ff26eab99b65cecc97ff317cd72e3147ba9af242649f86c4c3f041509e4728

SHA512
40543bb813aa7a297c0eb0fd8b96bdcab5242acce5393c6b463c7f3bf06098ff7ccdfe108bdd5f30eaed484358cb0e34bfdc68b0b65c429348dbb014a6fcb997

Download Submit
memory/212-138-0x00007FF64AAF0000-0x00007FF64AE44000-memory.dmp

Filesize
3.3MB

Download
memory/212-158-0x00007FF64AAF0000-0x00007FF64AE44000-memory.dmp

Filesize
3.3MB

Download
memory/212-83-0x00007FF64AAF0000-0x00007FF64AE44000-memory.dmp

Filesize
3.3MB

Download
memory/400-15-0x00007FF729390000-0x00007FF7296E4000-memory.dmp

Filesize
3.3MB

Download
memory/400-147-0x00007FF729390000-0x00007FF7296E4000-memory.dmp

Filesize
3.3MB

Download
memory/400-70-0x00007FF729390000-0x00007FF7296E4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-64-0x00007FF60D240000-0x00007FF60D594000-memory.dmp

Filesize
3.3MB

Download
memory/1028-146-0x00007FF60D240000-0x00007FF60D594000-memory.dmp

Filesize
3.3MB

Download
memory/1028-7-0x00007FF60D240000-0x00007FF60D594000-memory.dmp

Filesize
3.3MB

Download
memory/1164-140-0x00007FF7A4990000-0x00007FF7A4CE4000-memory.dmp

Filesize
3.3MB

Download
memory/1164-110-0x00007FF7A4990000-0x00007FF7A4CE4000-memory.dmp

Filesize
3.3MB

Download
memory/1164-163-0x00007FF7A4990000-0x00007FF7A4CE4000-memory.dmp

Filesize
3.3MB

Download
memory/1796-61-0x00007FF7D7850000-0x00007FF7D7BA4000-memory.dmp

Filesize
3.3MB

Download
memory/1796-154-0x00007FF7D7850000-0x00007FF7D7BA4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-75-0x00007FF68E520000-0x00007FF68E874000-memory.dmp

Filesize
3.3MB

Download
memory/2056-22-0x00007FF68E520000-0x00007FF68E874000-memory.dmp

Filesize
3.3MB

Download
memory/2056-148-0x00007FF68E520000-0x00007FF68E874000-memory.dmp

Filesize
3.3MB

Download
memory/2160-150-0x00007FF6F8180000-0x00007FF6F84D4000-memory.dmp

Filesize
3.3MB

Download
memory/2160-86-0x00007FF6F8180000-0x00007FF6F84D4000-memory.dmp

Filesize
3.3MB

Download
memory/2160-30-0x00007FF6F8180000-0x00007FF6F84D4000-memory.dmp

Filesize
3.3MB

Download
memory/2164-71-0x00007FF798830000-0x00007FF798B84000-memory.dmp

Filesize
3.3MB

Download
memory/2164-156-0x00007FF798830000-0x00007FF798B84000-memory.dmp

Filesize
3.3MB

Download
memory/2340-1-0x0000012C16EB0000-0x0000012C16EC0000-memory.dmp

Filesize
64KB

Download
memory/2340-56-0x00007FF686590000-0x00007FF6868E4000-memory.dmp

Filesize
3.3MB

Download
memory/2340-0-0x00007FF686590000-0x00007FF6868E4000-memory.dmp

Filesize
3.3MB

Download
memory/2852-160-0x00007FF6886F0000-0x00007FF688A44000-memory.dmp

Filesize
3.3MB

Download
memory/2852-102-0x00007FF6886F0000-0x00007FF688A44000-memory.dmp

Filesize
3.3MB

Download
memory/3288-123-0x00007FF7FD3C0000-0x00007FF7FD714000-memory.dmp

Filesize
3.3MB

Download
memory/3288-164-0x00007FF7FD3C0000-0x00007FF7FD714000-memory.dmp

Filesize
3.3MB

Download
memory/3288-143-0x00007FF7FD3C0000-0x00007FF7FD714000-memory.dmp

Filesize
3.3MB

Download
memory/3364-166-0x00007FF6BF3E0000-0x00007FF6BF734000-memory.dmp

Filesize
3.3MB

Download
memory/3364-145-0x00007FF6BF3E0000-0x00007FF6BF734000-memory.dmp

Filesize
3.3MB

Download
memory/3364-137-0x00007FF6BF3E0000-0x00007FF6BF734000-memory.dmp

Filesize
3.3MB

Download
memory/3476-98-0x00007FF699D20000-0x00007FF69A074000-memory.dmp

Filesize
3.3MB

Download
memory/3476-42-0x00007FF699D20000-0x00007FF69A074000-memory.dmp

Filesize
3.3MB

Download
memory/3476-153-0x00007FF699D20000-0x00007FF69A074000-memory.dmp

Filesize
3.3MB

Download
memory/4288-141-0x00007FF6F4330000-0x00007FF6F4684000-memory.dmp

Filesize
3.3MB

Download
memory/4288-112-0x00007FF6F4330000-0x00007FF6F4684000-memory.dmp

Filesize
3.3MB

Download
memory/4288-161-0x00007FF6F4330000-0x00007FF6F4684000-memory.dmp

Filesize
3.3MB

Download
memory/4300-92-0x00007FF6F6AA0000-0x00007FF6F6DF4000-memory.dmp

Filesize
3.3MB

Download
memory/4300-151-0x00007FF6F6AA0000-0x00007FF6F6DF4000-memory.dmp

Filesize
3.3MB

Download
memory/4300-36-0x00007FF6F6AA0000-0x00007FF6F6DF4000-memory.dmp

Filesize
3.3MB

Download
memory/4336-105-0x00007FF7D4CF0000-0x00007FF7D5044000-memory.dmp

Filesize
3.3MB

Download
memory/4336-45-0x00007FF7D4CF0000-0x00007FF7D5044000-memory.dmp

Filesize
3.3MB

Download
memory/4336-152-0x00007FF7D4CF0000-0x00007FF7D5044000-memory.dmp

Filesize
3.3MB

Download
memory/4392-132-0x00007FF646190000-0x00007FF6464E4000-memory.dmp

Filesize
3.3MB

Download
memory/4392-165-0x00007FF646190000-0x00007FF6464E4000-memory.dmp

Filesize
3.3MB

Download
memory/4392-144-0x00007FF646190000-0x00007FF6464E4000-memory.dmp

Filesize
3.3MB

Download
memory/4524-142-0x00007FF7E2390000-0x00007FF7E26E4000-memory.dmp

Filesize
3.3MB

Download
memory/4524-117-0x00007FF7E2390000-0x00007FF7E26E4000-memory.dmp

Filesize
3.3MB

Download
memory/4524-162-0x00007FF7E2390000-0x00007FF7E26E4000-memory.dmp

Filesize
3.3MB

Download
memory/4560-149-0x00007FF7C02F0000-0x00007FF7C0644000-memory.dmp

Filesize
3.3MB

Download
memory/4560-81-0x00007FF7C02F0000-0x00007FF7C0644000-memory.dmp

Filesize
3.3MB

Download
memory/4560-24-0x00007FF7C02F0000-0x00007FF7C0644000-memory.dmp

Filesize
3.3MB

Download
memory/4660-139-0x00007FF6152B0000-0x00007FF615604000-memory.dmp

Filesize
3.3MB

Download
memory/4660-93-0x00007FF6152B0000-0x00007FF615604000-memory.dmp

Filesize
3.3MB

Download
memory/4660-159-0x00007FF6152B0000-0x00007FF615604000-memory.dmp

Filesize
3.3MB

Download
memory/4664-69-0x00007FF79C950000-0x00007FF79CCA4000-memory.dmp

Filesize
3.3MB

Download
memory/4664-155-0x00007FF79C950000-0x00007FF79CCA4000-memory.dmp

Filesize
3.3MB

Download
memory/4980-157-0x00007FF6FDFA0000-0x00007FF6FE2F4000-memory.dmp

Filesize
3.3MB

Download
memory/4980-134-0x00007FF6FDFA0000-0x00007FF6FE2F4000-memory.dmp

Filesize
3.3MB

Download
memory/4980-76-0x00007FF6FDFA0000-0x00007FF6FE2F4000-memory.dmp

Filesize
3.3MB

Download