cobaltstrike | dc76f09f3da7e0e011038ac2d9fd47a355e27376ef3d66228a56c6d0cb94cebf

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/12/2024, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2044a8bb0d43de0b69f371d1f27ffc5a
SHA1

e4e9d3db039df36b9ccc28c06d66b020891617ab
SHA256

dc76f09f3da7e0e011038ac2d9fd47a355e27376ef3d66228a56c6d0cb94cebf
SHA512

e567328c1ff141edb801a937595b87a12d0260d7d9efeb84ce06e3f47447364097c56f0d70915f0fc0ddc2ca5c22a951ececde2bea9f19adf377f2ec4ad7902a
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lp:RWWBibd56utgpPFotBER/mQ32lU9

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000e000000023b88-5.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b91-13.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-49.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-63.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b92-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-108.dat	cobalt_reflective_dll
behavioral2/files/0x0058000000023ba6-121.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba5-119.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023ba4-111.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba3-102.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-101.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-91.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-77.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-80.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-66.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-59.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-55.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-54.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-15.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/2016-124-0x00007FF797820000-0x00007FF797B71000-memory.dmp	xmrig
behavioral2/memory/1060-127-0x00007FF7814C0000-0x00007FF781811000-memory.dmp	xmrig
behavioral2/memory/3136-126-0x00007FF6E3C10000-0x00007FF6E3F61000-memory.dmp	xmrig
behavioral2/memory/3152-125-0x00007FF66BC80000-0x00007FF66BFD1000-memory.dmp	xmrig
behavioral2/memory/4412-123-0x00007FF6EF250000-0x00007FF6EF5A1000-memory.dmp	xmrig
behavioral2/memory/1540-116-0x00007FF6D4B10000-0x00007FF6D4E61000-memory.dmp	xmrig
behavioral2/memory/532-115-0x00007FF6B5620000-0x00007FF6B5971000-memory.dmp	xmrig
behavioral2/memory/3512-114-0x00007FF758A40000-0x00007FF758D91000-memory.dmp	xmrig
behavioral2/memory/936-104-0x00007FF7BC490000-0x00007FF7BC7E1000-memory.dmp	xmrig
behavioral2/memory/4716-73-0x00007FF792D70000-0x00007FF7930C1000-memory.dmp	xmrig
behavioral2/memory/2104-58-0x00007FF7B3480000-0x00007FF7B37D1000-memory.dmp	xmrig
behavioral2/memory/2652-24-0x00007FF7818F0000-0x00007FF781C41000-memory.dmp	xmrig
behavioral2/memory/2264-130-0x00007FF678C80000-0x00007FF678FD1000-memory.dmp	xmrig
behavioral2/memory/2884-143-0x00007FF731F80000-0x00007FF7322D1000-memory.dmp	xmrig
behavioral2/memory/3244-144-0x00007FF7AC6A0000-0x00007FF7AC9F1000-memory.dmp	xmrig
behavioral2/memory/1392-141-0x00007FF72AFE0000-0x00007FF72B331000-memory.dmp	xmrig
behavioral2/memory/4716-138-0x00007FF792D70000-0x00007FF7930C1000-memory.dmp	xmrig
behavioral2/memory/2104-136-0x00007FF7B3480000-0x00007FF7B37D1000-memory.dmp	xmrig
behavioral2/memory/952-135-0x00007FF61CA10000-0x00007FF61CD61000-memory.dmp	xmrig
behavioral2/memory/2204-133-0x00007FF61E5D0000-0x00007FF61E921000-memory.dmp	xmrig
behavioral2/memory/4272-129-0x00007FF656100000-0x00007FF656451000-memory.dmp	xmrig
behavioral2/memory/4764-128-0x00007FF7EEDC0000-0x00007FF7EF111000-memory.dmp	xmrig
behavioral2/memory/4436-139-0x00007FF724BF0000-0x00007FF724F41000-memory.dmp	xmrig
behavioral2/memory/3516-132-0x00007FF6F7D50000-0x00007FF6F80A1000-memory.dmp	xmrig
behavioral2/memory/4764-150-0x00007FF7EEDC0000-0x00007FF7EF111000-memory.dmp	xmrig
behavioral2/memory/4764-151-0x00007FF7EEDC0000-0x00007FF7EF111000-memory.dmp	xmrig
behavioral2/memory/4272-211-0x00007FF656100000-0x00007FF656451000-memory.dmp	xmrig
behavioral2/memory/2652-213-0x00007FF7818F0000-0x00007FF781C41000-memory.dmp	xmrig
behavioral2/memory/2264-215-0x00007FF678C80000-0x00007FF678FD1000-memory.dmp	xmrig
behavioral2/memory/3516-217-0x00007FF6F7D50000-0x00007FF6F80A1000-memory.dmp	xmrig
behavioral2/memory/2204-219-0x00007FF61E5D0000-0x00007FF61E921000-memory.dmp	xmrig
behavioral2/memory/936-228-0x00007FF7BC490000-0x00007FF7BC7E1000-memory.dmp	xmrig
behavioral2/memory/952-230-0x00007FF61CA10000-0x00007FF61CD61000-memory.dmp	xmrig
behavioral2/memory/2104-232-0x00007FF7B3480000-0x00007FF7B37D1000-memory.dmp	xmrig
behavioral2/memory/4716-234-0x00007FF792D70000-0x00007FF7930C1000-memory.dmp	xmrig
behavioral2/memory/4436-237-0x00007FF724BF0000-0x00007FF724F41000-memory.dmp	xmrig
behavioral2/memory/1540-242-0x00007FF6D4B10000-0x00007FF6D4E61000-memory.dmp	xmrig
behavioral2/memory/532-241-0x00007FF6B5620000-0x00007FF6B5971000-memory.dmp	xmrig
behavioral2/memory/3512-239-0x00007FF758A40000-0x00007FF758D91000-memory.dmp	xmrig
behavioral2/memory/3244-249-0x00007FF7AC6A0000-0x00007FF7AC9F1000-memory.dmp	xmrig
behavioral2/memory/4412-252-0x00007FF6EF250000-0x00007FF6EF5A1000-memory.dmp	xmrig
behavioral2/memory/2016-258-0x00007FF797820000-0x00007FF797B71000-memory.dmp	xmrig
behavioral2/memory/1060-257-0x00007FF7814C0000-0x00007FF781811000-memory.dmp	xmrig
behavioral2/memory/3152-254-0x00007FF66BC80000-0x00007FF66BFD1000-memory.dmp	xmrig
behavioral2/memory/2884-251-0x00007FF731F80000-0x00007FF7322D1000-memory.dmp	xmrig
behavioral2/memory/1392-247-0x00007FF72AFE0000-0x00007FF72B331000-memory.dmp	xmrig
behavioral2/memory/3136-245-0x00007FF6E3C10000-0x00007FF6E3F61000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4272	SXhBtSK.exe
2264	jEFvVJP.exe
2652	yyGTSRv.exe
3516	SiJnsVR.exe
2204	KVOdxSP.exe
936	UjdeMcE.exe
952	WBjnqhv.exe
2104	AmPknOP.exe
3512	CCiZuOO.exe
4716	AUIxigJ.exe
4436	lWKwoJs.exe
532	LHcAMoi.exe
1392	NAlJFex.exe
1540	DhUinFd.exe
2884	DoEhAcf.exe
3244	bKRUEoi.exe
4412	BwLpgIg.exe
2016	shTteQi.exe
1060	uxotyOt.exe
3152	mYYcWnv.exe
3136	LIaGOeI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4764-0-0x00007FF7EEDC0000-0x00007FF7EF111000-memory.dmp	upx
behavioral2/files/0x000e000000023b88-5.dat	upx
behavioral2/files/0x000b000000023b91-13.dat	upx
behavioral2/files/0x000a000000023b96-35.dat	upx
behavioral2/files/0x000a000000023b9b-49.dat	upx
behavioral2/files/0x000a000000023b9e-63.dat	upx
behavioral2/files/0x000b000000023b92-106.dat	upx
behavioral2/files/0x000a000000023ba1-108.dat	upx
behavioral2/memory/2016-124-0x00007FF797820000-0x00007FF797B71000-memory.dmp	upx
behavioral2/memory/1060-127-0x00007FF7814C0000-0x00007FF781811000-memory.dmp	upx
behavioral2/memory/3136-126-0x00007FF6E3C10000-0x00007FF6E3F61000-memory.dmp	upx
behavioral2/memory/3152-125-0x00007FF66BC80000-0x00007FF66BFD1000-memory.dmp	upx
behavioral2/memory/4412-123-0x00007FF6EF250000-0x00007FF6EF5A1000-memory.dmp	upx
behavioral2/files/0x0058000000023ba6-121.dat	upx
behavioral2/files/0x000a000000023ba5-119.dat	upx
behavioral2/memory/1540-116-0x00007FF6D4B10000-0x00007FF6D4E61000-memory.dmp	upx
behavioral2/memory/532-115-0x00007FF6B5620000-0x00007FF6B5971000-memory.dmp	upx
behavioral2/memory/3512-114-0x00007FF758A40000-0x00007FF758D91000-memory.dmp	upx
behavioral2/files/0x0031000000023ba4-111.dat	upx
behavioral2/memory/936-104-0x00007FF7BC490000-0x00007FF7BC7E1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba3-102.dat	upx
behavioral2/files/0x000a000000023ba2-101.dat	upx
behavioral2/memory/3244-95-0x00007FF7AC6A0000-0x00007FF7AC9F1000-memory.dmp	upx
behavioral2/memory/2884-94-0x00007FF731F80000-0x00007FF7322D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9f-91.dat	upx
behavioral2/memory/1392-84-0x00007FF72AFE0000-0x00007FF72B331000-memory.dmp	upx
behavioral2/memory/4436-83-0x00007FF724BF0000-0x00007FF724F41000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-77.dat	upx
behavioral2/memory/4716-73-0x00007FF792D70000-0x00007FF7930C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-80.dat	upx
behavioral2/files/0x000a000000023b99-66.dat	upx
behavioral2/files/0x000a000000023b98-59.dat	upx
behavioral2/files/0x000a000000023b9c-55.dat	upx
behavioral2/files/0x000a000000023b9a-54.dat	upx
behavioral2/memory/2104-58-0x00007FF7B3480000-0x00007FF7B37D1000-memory.dmp	upx
behavioral2/memory/952-47-0x00007FF61CA10000-0x00007FF61CD61000-memory.dmp	upx
behavioral2/memory/2204-45-0x00007FF61E5D0000-0x00007FF61E921000-memory.dmp	upx
behavioral2/files/0x000a000000023b97-41.dat	upx
behavioral2/memory/3516-31-0x00007FF6F7D50000-0x00007FF6F80A1000-memory.dmp	upx
behavioral2/memory/2652-24-0x00007FF7818F0000-0x00007FF781C41000-memory.dmp	upx
behavioral2/memory/2264-20-0x00007FF678C80000-0x00007FF678FD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-15.dat	upx
behavioral2/memory/4272-6-0x00007FF656100000-0x00007FF656451000-memory.dmp	upx
behavioral2/memory/2264-130-0x00007FF678C80000-0x00007FF678FD1000-memory.dmp	upx
behavioral2/memory/2884-143-0x00007FF731F80000-0x00007FF7322D1000-memory.dmp	upx
behavioral2/memory/3244-144-0x00007FF7AC6A0000-0x00007FF7AC9F1000-memory.dmp	upx
behavioral2/memory/1392-141-0x00007FF72AFE0000-0x00007FF72B331000-memory.dmp	upx
behavioral2/memory/4716-138-0x00007FF792D70000-0x00007FF7930C1000-memory.dmp	upx
behavioral2/memory/2104-136-0x00007FF7B3480000-0x00007FF7B37D1000-memory.dmp	upx
behavioral2/memory/952-135-0x00007FF61CA10000-0x00007FF61CD61000-memory.dmp	upx
behavioral2/memory/2204-133-0x00007FF61E5D0000-0x00007FF61E921000-memory.dmp	upx
behavioral2/memory/4272-129-0x00007FF656100000-0x00007FF656451000-memory.dmp	upx
behavioral2/memory/4764-128-0x00007FF7EEDC0000-0x00007FF7EF111000-memory.dmp	upx
behavioral2/memory/4436-139-0x00007FF724BF0000-0x00007FF724F41000-memory.dmp	upx
behavioral2/memory/3516-132-0x00007FF6F7D50000-0x00007FF6F80A1000-memory.dmp	upx
behavioral2/memory/4764-150-0x00007FF7EEDC0000-0x00007FF7EF111000-memory.dmp	upx
behavioral2/memory/4764-151-0x00007FF7EEDC0000-0x00007FF7EF111000-memory.dmp	upx
behavioral2/memory/4272-211-0x00007FF656100000-0x00007FF656451000-memory.dmp	upx
behavioral2/memory/2652-213-0x00007FF7818F0000-0x00007FF781C41000-memory.dmp	upx
behavioral2/memory/2264-215-0x00007FF678C80000-0x00007FF678FD1000-memory.dmp	upx
behavioral2/memory/3516-217-0x00007FF6F7D50000-0x00007FF6F80A1000-memory.dmp	upx
behavioral2/memory/2204-219-0x00007FF61E5D0000-0x00007FF61E921000-memory.dmp	upx
behavioral2/memory/936-228-0x00007FF7BC490000-0x00007FF7BC7E1000-memory.dmp	upx
behavioral2/memory/952-230-0x00007FF61CA10000-0x00007FF61CD61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\jEFvVJP.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DhUinFd.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\shTteQi.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AUIxigJ.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LHcAMoi.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BwLpgIg.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WBjnqhv.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AmPknOP.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CCiZuOO.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LIaGOeI.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yyGTSRv.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SiJnsVR.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KVOdxSP.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NAlJFex.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DoEhAcf.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bKRUEoi.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uxotyOt.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mYYcWnv.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SXhBtSK.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UjdeMcE.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lWKwoJs.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4272	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4764 wrote to memory of 4272	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4764 wrote to memory of 2264	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4764 wrote to memory of 2264	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4764 wrote to memory of 2652	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4764 wrote to memory of 2652	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4764 wrote to memory of 3516	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4764 wrote to memory of 3516	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4764 wrote to memory of 2204	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4764 wrote to memory of 2204	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4764 wrote to memory of 936	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4764 wrote to memory of 936	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4764 wrote to memory of 952	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4764 wrote to memory of 952	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4764 wrote to memory of 2104	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4764 wrote to memory of 2104	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4764 wrote to memory of 3512	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4764 wrote to memory of 3512	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4764 wrote to memory of 4716	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4764 wrote to memory of 4716	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4764 wrote to memory of 4436	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4764 wrote to memory of 4436	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4764 wrote to memory of 532	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4764 wrote to memory of 532	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4764 wrote to memory of 1392	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4764 wrote to memory of 1392	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4764 wrote to memory of 1540	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4764 wrote to memory of 1540	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4764 wrote to memory of 2884	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4764 wrote to memory of 2884	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4764 wrote to memory of 3244	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4764 wrote to memory of 3244	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4764 wrote to memory of 4412	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4764 wrote to memory of 4412	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4764 wrote to memory of 2016	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4764 wrote to memory of 2016	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4764 wrote to memory of 1060	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4764 wrote to memory of 1060	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4764 wrote to memory of 3152	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4764 wrote to memory of 3152	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4764 wrote to memory of 3136	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4764 wrote to memory of 3136	4764	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\System\SXhBtSK.exe
  C:\Windows\System\SXhBtSK.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System\jEFvVJP.exe
  C:\Windows\System\jEFvVJP.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\yyGTSRv.exe
  C:\Windows\System\yyGTSRv.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\SiJnsVR.exe
  C:\Windows\System\SiJnsVR.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\KVOdxSP.exe
  C:\Windows\System\KVOdxSP.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\UjdeMcE.exe
  C:\Windows\System\UjdeMcE.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\System\WBjnqhv.exe
  C:\Windows\System\WBjnqhv.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\System\AmPknOP.exe
  C:\Windows\System\AmPknOP.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\CCiZuOO.exe
  C:\Windows\System\CCiZuOO.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\AUIxigJ.exe
  C:\Windows\System\AUIxigJ.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\lWKwoJs.exe
  C:\Windows\System\lWKwoJs.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System\LHcAMoi.exe
  C:\Windows\System\LHcAMoi.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\NAlJFex.exe
  C:\Windows\System\NAlJFex.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\DhUinFd.exe
  C:\Windows\System\DhUinFd.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\DoEhAcf.exe
  C:\Windows\System\DoEhAcf.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\bKRUEoi.exe
  C:\Windows\System\bKRUEoi.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System\BwLpgIg.exe
  C:\Windows\System\BwLpgIg.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\shTteQi.exe
  C:\Windows\System\shTteQi.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\uxotyOt.exe
  C:\Windows\System\uxotyOt.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\mYYcWnv.exe
  C:\Windows\System\mYYcWnv.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\LIaGOeI.exe
  C:\Windows\System\LIaGOeI.exe
  2⤵
  - Executes dropped EXE
  PID:3136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AUIxigJ.exe

Filesize
5.2MB

MD5
728f26e685f4f1c00fb539112fe471bf

SHA1
7d0f3ebfc1ec439298954a572b3b645c2d29133a

SHA256
9283138371db71cbf33a1db4f2445f25eb5dad594e1b9d4317d45d9a8bc47ff1

SHA512
ec8b714b85958aa832686a89c56edf55f2353d23851de08e323a0c791e2091a04c555b658563a936dea22e8c801e6fe6b55ee7268dfc7d4b89fe772be4730d58

Download Submit
C:\Windows\System\AmPknOP.exe

Filesize
5.2MB

MD5
209a9786046dcdeec9934b8e1496059d

SHA1
71f87e03895efa8c6a88b51414c626f470fbdcbd

SHA256
0274e3a9b8e2aab802906a75e12f64749d93b885cab83d3c60f24692d806ec66

SHA512
bb4d5fdfb8f43f4351479d540db2d0296bf66f3d24203c4e7ded4b1ea687c0e60bd9fa8af2b6a861d16eaacf2760436aab3893e68c19a81082801c027f120fcf

Download Submit
C:\Windows\System\BwLpgIg.exe

Filesize
5.2MB

MD5
8fa1e18fe1e60e4ed063eeb320b75ba4

SHA1
f581fa0550ca73ce5f7672047de8148175983daa

SHA256
c58d3d88b4dc56add06ee3484872965e418b3c3e300d2e740416e5cafd3ce0dc

SHA512
92131fed693ba3b95ba60939fff4448355084cb251a8ae71e9c36d7d473a93645cf652629dd64343eb60f2d84f5873926bee401675ba9cca34465d3ad1e45f2b

Download Submit
C:\Windows\System\CCiZuOO.exe

Filesize
5.2MB

MD5
0f637a71060c65ac0ce279c16d280936

SHA1
3006a4d4159ca603675212f3c2aa307f8773d7b9

SHA256
57e212e473affcc2cf0b123bb0c0453872fa00dae6930e167681b0f88b9733d1

SHA512
21171afe39c23659ba2d5d51557f41ad98967b5a6672c5746503c2e01e72925e5cc480e8f4663d928e393eb80032a51be9844ca382cd5f194456c57ec59fd16f

Download Submit
C:\Windows\System\DhUinFd.exe

Filesize
5.2MB

MD5
ab7d577482ae9450127d8ce17edcc92a

SHA1
942a3047ca430b5c05d11b938a9e1480bb26d730

SHA256
aa000e36519f1493bad4e6bad729e1a51b2319e4431ee10f730c1e7e5bdb7fb4

SHA512
7be84a8cc0e912c6eba324c4a972dcb15c455146c9279d193d7ab6770eaa320b31cc98e0f1930b454775d277dca67bf91ee0fd77d479978b0c23b394a71726a4

Download Submit
C:\Windows\System\DoEhAcf.exe

Filesize
5.2MB

MD5
d0bfc1936094d7c2d990d18445bb478e

SHA1
d2988f9da3f5c378f9b9251745fb66c4122d3bf0

SHA256
2b421714b858535b0c0b3cec4d0baad21375923ec17d9923981665bd56ef0e5e

SHA512
7357bbc3375736777bbba13e7e3995f4fbf55c51c379a23a9eb2a3e46c365a9c0149ee2ae27580d12794c5a1dbd848905194cd7f726172b3093cfc081acffcd2

Download Submit
C:\Windows\System\KVOdxSP.exe

Filesize
5.2MB

MD5
dc8f4194bf00d1fea9b0fd3b223b39f3

SHA1
6012a1b01a9bdcbaa5d220c55d85d29d9defecb7

SHA256
b1549a498306a511c4ae832c9ce24e493065388dcddb047053b86231b1d4e380

SHA512
b10222c58a61e74780361a6a821a7f5bd7967d8fb7927e2fc55d598b30864d65758ea40e3341969ed653ccee1f40c753e16371bf0d854d9e1fd53833e5cb6f18

Download Submit
C:\Windows\System\LHcAMoi.exe

Filesize
5.2MB

MD5
e35f3fa6b3151d3c409d9c6b960915e6

SHA1
274bb3a479c07059d7dcb69cdb7af424875828f9

SHA256
7b41e8dc281b0efcc06436cecbcc981db2d397bd3a0b901faf17cfeff73ae395

SHA512
8721529157c13d097bd2a521aaea119fe57ed259f3c2f1cdcc07e63f1b074b9b4c90b90bf5ebba7a7f7b0d2b2ce82add067658347d1051810e7f8f3f509a3f21

Download Submit
C:\Windows\System\LIaGOeI.exe

Filesize
5.2MB

MD5
9d201e610a7d3fc8a7e08a7b62c939ec

SHA1
c49dde78a01210cf7887baa5c7c48c33c6e0829c

SHA256
f5bc96439d7fac7dd14c8f8ac8bfc8d2497dbb8307096ea76de34520579d39c0

SHA512
88f49fb198d36c38c4c52e497b15c9c15f58be53d7648e6b9086c1f041ba06c5358bae7eab09b04d6c998dc6c0034d7f7afe5add0b108458b7f20e1057ee85df

Download Submit
C:\Windows\System\NAlJFex.exe

Filesize
5.2MB

MD5
dfded37d24873c287b89af016e81e60f

SHA1
d8aaa927bd12f427db66de7a91ec39313ec71bef

SHA256
60f862ed5f0b9a9c9ff34edbfed050e9b22d860073c3c5ca248925f17d86baeb

SHA512
fa4021724dd1b8e264eac5728c9bd7d5e8522dfc0ad407feac329cef3b83bbb8ac0faab8554e6cefce0f011de50598854052b6640d61fc0cd39ed2e507119079

Download Submit
C:\Windows\System\SXhBtSK.exe

Filesize
5.2MB

MD5
6b69278b6f969aafa7775db8e7b15c66

SHA1
f97b86ade532e270972a370a4aeb9d21690f9009

SHA256
072b7364661ee4e8179153ee6935a8712bed276e106bf37d7d7ac3e9fa8321df

SHA512
6aa85787ab6f2a1c58369b012e2c1062b5c6652920cae4b998519a632fae120f750c646b8995bcce28173bbfb82e4f13a59916785a7b40d4dd033563135e3d09

Download Submit
C:\Windows\System\SiJnsVR.exe

Filesize
5.2MB

MD5
329fc667049e010856b6e5fe4e3bf066

SHA1
09d3e20cf244ca0f8beadeb142e95696d0ac97b7

SHA256
a410401c27c905b331053d0f599da48087afa9a8e555dba0884bc5129ae95ab7

SHA512
bcfc52bf1a0aeaf8a19a98b214e52f11c00efabdf652521fece23f36281799d6970d8d2f833c9a0d74ada50d41da4dd12e4c4160d8d11c8b683cd057babc7687

Download Submit
C:\Windows\System\UjdeMcE.exe

Filesize
5.2MB

MD5
c566c33b10c7baf411421ce13bea756a

SHA1
a89b3261e3ed332d4c47fccfe3980df6e47f4ca6

SHA256
fef695c75b70bb9e28a65a7dbe14018fc1d1092c9d6bd37f8d122a3624fb3017

SHA512
a4024e8da8a955c4c9de0b4d918a3e85f27d901696f22a634a8af2108562c37aaf01c205588e4a41014644c188279ab317be5bb908f3a831d2f27b3d952140e0

Download Submit
C:\Windows\System\WBjnqhv.exe

Filesize
5.2MB

MD5
57fd8566a30ef098edc56e162fe03ed4

SHA1
d5e40d15fb6bdd330197619ffc7a7b9b9b893371

SHA256
79dc42857cf33dd579ae400cf6b036cd6323b4e3e19b573bca37ce68fb43f72c

SHA512
b77992e7b1972a2b0dd8a8cfbac4571d9b42956385ca81154cffd83ff3380d836f3b80e32fa55b53155ab7da91ba6a3843d5c89e667072d693b1990ba43c1be3

Download Submit
C:\Windows\System\bKRUEoi.exe

Filesize
5.2MB

MD5
85da487b875eae4d0a85c73342180027

SHA1
18f63d3954314119808bfe8b0ce2c2141b565972

SHA256
6928cff7cd7b8208e5f9b8059deb0e62d052e606a8c40f47bc7b8319ac7c90aa

SHA512
734ac83415730b3fc15aef969bd823d96b9023de44e215a9499ad5ab07943b63a30bebf8c7b761786764c88b924d605f241250fdffa30a3142d3a5367340f3fd

Download Submit
C:\Windows\System\jEFvVJP.exe

Filesize
5.2MB

MD5
ca77421ad9ea77593edfa0eb5567e826

SHA1
f56d59c5cecbd7b69e184813be44768ab2eb3746

SHA256
d06d319ad2509a9cf9c7a94aa69b15ef43fbab1bb7de2b91cc123af6699a8efe

SHA512
d1f1c8cec4c02f3a3eee9eecb017efc5c4977e9faed4b630c44d7a4371fbbbe8fe4bc98a08d618beedaa5755931585c22aa1fcccba5c556f034d92fb68fc4bbf

Download Submit
C:\Windows\System\lWKwoJs.exe

Filesize
5.2MB

MD5
a792ddbc1027ae5718480a3fa4739699

SHA1
42ebf8515e1a7ac0384939e3983ce6b7884e9008

SHA256
6f8665a7cf4a4a85f06ac9bceb8a7dac176b2a7af23b500ec1b43f2e5701099a

SHA512
78ae7fe48a21d565edb56a0d428b7f9956b34e7cfc43a7112e2745e6e23530021fe934a0695a093081d1841a5ae26f5d016ab6d66f2ed43e743beda99d2fc1cc

Download Submit
C:\Windows\System\mYYcWnv.exe

Filesize
5.2MB

MD5
72b4b92c657f126cfaa27a072f34e0e0

SHA1
238cbf4ed43d4776bd1ae6e895e89dd1b533b31f

SHA256
5ef9ee44ed606b8274d2d10661e83af55fcef2110409da2ee18033495e7a35bf

SHA512
ea2146efff480b7c51cff0ececd29d37952c6c042d60da9fc7f5924648601df5931b497e997d9c4aa9c7d8167260c60c1f93ff201fc0bbf361768530159aa871

Download Submit
C:\Windows\System\shTteQi.exe

Filesize
5.2MB

MD5
ba44c28a92b70c6829ac9bcb2795ab44

SHA1
b7d9c422740b0341164ff83c75d62c0edfb343f8

SHA256
f89af73bf6b71253f96fccc9e3a3ab2544ab56a736b8cd0083bddbe23823de88

SHA512
c701348c79bb68b79a44af1fccd52b614137340e3f8b902703f907f35ae7d48da4e8456ed32752825d10a1d7597e67515b98f5545a4c97d8eb108f53d4a4f475

Download Submit
C:\Windows\System\uxotyOt.exe

Filesize
5.2MB

MD5
5750fa9ec5e46206cef61cea13a8f595

SHA1
3cb5b16a1dc4cc69187d8057677cbcae0c3f13ad

SHA256
b9e008c34df44b8f8d740378cf75026570ffdcd2f8c51b4627873772221012e7

SHA512
12832bc373d6a46b6ea76b38098a22ba58807c700a63aad209696a10a0ad5b0850ee5f993784ff5e2d09a1e031a6f5970fd19c560e4ceb30e5a88e4c9bb196c1

Download Submit
C:\Windows\System\yyGTSRv.exe

Filesize
5.2MB

MD5
6780acfe0a975a70ba94a6efe78b8242

SHA1
c53db59d32dff8e935623930f69427d718d56978

SHA256
cccdc2e80eff12f5067139925ddd6941a4ca57e76fba4b65bb12a06dd71a6321

SHA512
da4e13f6c443c13fa6474846c88c4d8955c00d426876caeafec9e95924d02d79f3838fb8d06017502a5e5d6b6577fc3effaa6f4440aef07721d2a72786006353

Download Submit
memory/532-241-0x00007FF6B5620000-0x00007FF6B5971000-memory.dmp

Filesize
3.3MB

Download
memory/532-115-0x00007FF6B5620000-0x00007FF6B5971000-memory.dmp

Filesize
3.3MB

Download
memory/936-104-0x00007FF7BC490000-0x00007FF7BC7E1000-memory.dmp

Filesize
3.3MB

Download
memory/936-228-0x00007FF7BC490000-0x00007FF7BC7E1000-memory.dmp

Filesize
3.3MB

Download
memory/952-135-0x00007FF61CA10000-0x00007FF61CD61000-memory.dmp

Filesize
3.3MB

Download
memory/952-47-0x00007FF61CA10000-0x00007FF61CD61000-memory.dmp

Filesize
3.3MB

Download
memory/952-230-0x00007FF61CA10000-0x00007FF61CD61000-memory.dmp

Filesize
3.3MB

Download
memory/1060-257-0x00007FF7814C0000-0x00007FF781811000-memory.dmp

Filesize
3.3MB

Download
memory/1060-127-0x00007FF7814C0000-0x00007FF781811000-memory.dmp

Filesize
3.3MB

Download
memory/1392-84-0x00007FF72AFE0000-0x00007FF72B331000-memory.dmp

Filesize
3.3MB

Download
memory/1392-247-0x00007FF72AFE0000-0x00007FF72B331000-memory.dmp

Filesize
3.3MB

Download
memory/1392-141-0x00007FF72AFE0000-0x00007FF72B331000-memory.dmp

Filesize
3.3MB

Download
memory/1540-242-0x00007FF6D4B10000-0x00007FF6D4E61000-memory.dmp

Filesize
3.3MB

Download
memory/1540-116-0x00007FF6D4B10000-0x00007FF6D4E61000-memory.dmp

Filesize
3.3MB

Download
memory/2016-258-0x00007FF797820000-0x00007FF797B71000-memory.dmp

Filesize
3.3MB

Download
memory/2016-124-0x00007FF797820000-0x00007FF797B71000-memory.dmp

Filesize
3.3MB

Download
memory/2104-58-0x00007FF7B3480000-0x00007FF7B37D1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-232-0x00007FF7B3480000-0x00007FF7B37D1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-136-0x00007FF7B3480000-0x00007FF7B37D1000-memory.dmp

Filesize
3.3MB

Download
memory/2204-45-0x00007FF61E5D0000-0x00007FF61E921000-memory.dmp

Filesize
3.3MB

Download
memory/2204-133-0x00007FF61E5D0000-0x00007FF61E921000-memory.dmp

Filesize
3.3MB

Download
memory/2204-219-0x00007FF61E5D0000-0x00007FF61E921000-memory.dmp

Filesize
3.3MB

Download
memory/2264-215-0x00007FF678C80000-0x00007FF678FD1000-memory.dmp

Filesize
3.3MB

Download
memory/2264-130-0x00007FF678C80000-0x00007FF678FD1000-memory.dmp

Filesize
3.3MB

Download
memory/2264-20-0x00007FF678C80000-0x00007FF678FD1000-memory.dmp

Filesize
3.3MB

Download
memory/2652-24-0x00007FF7818F0000-0x00007FF781C41000-memory.dmp

Filesize
3.3MB

Download
memory/2652-213-0x00007FF7818F0000-0x00007FF781C41000-memory.dmp

Filesize
3.3MB

Download
memory/2884-143-0x00007FF731F80000-0x00007FF7322D1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-251-0x00007FF731F80000-0x00007FF7322D1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-94-0x00007FF731F80000-0x00007FF7322D1000-memory.dmp

Filesize
3.3MB

Download
memory/3136-126-0x00007FF6E3C10000-0x00007FF6E3F61000-memory.dmp

Filesize
3.3MB

Download
memory/3136-245-0x00007FF6E3C10000-0x00007FF6E3F61000-memory.dmp

Filesize
3.3MB

Download
memory/3152-125-0x00007FF66BC80000-0x00007FF66BFD1000-memory.dmp

Filesize
3.3MB

Download
memory/3152-254-0x00007FF66BC80000-0x00007FF66BFD1000-memory.dmp

Filesize
3.3MB

Download
memory/3244-249-0x00007FF7AC6A0000-0x00007FF7AC9F1000-memory.dmp

Filesize
3.3MB

Download
memory/3244-95-0x00007FF7AC6A0000-0x00007FF7AC9F1000-memory.dmp

Filesize
3.3MB

Download
memory/3244-144-0x00007FF7AC6A0000-0x00007FF7AC9F1000-memory.dmp

Filesize
3.3MB

Download
memory/3512-114-0x00007FF758A40000-0x00007FF758D91000-memory.dmp

Filesize
3.3MB

Download
memory/3512-239-0x00007FF758A40000-0x00007FF758D91000-memory.dmp

Filesize
3.3MB

Download
memory/3516-217-0x00007FF6F7D50000-0x00007FF6F80A1000-memory.dmp

Filesize
3.3MB

Download
memory/3516-31-0x00007FF6F7D50000-0x00007FF6F80A1000-memory.dmp

Filesize
3.3MB

Download
memory/3516-132-0x00007FF6F7D50000-0x00007FF6F80A1000-memory.dmp

Filesize
3.3MB

Download
memory/4272-211-0x00007FF656100000-0x00007FF656451000-memory.dmp

Filesize
3.3MB

Download
memory/4272-6-0x00007FF656100000-0x00007FF656451000-memory.dmp

Filesize
3.3MB

Download
memory/4272-129-0x00007FF656100000-0x00007FF656451000-memory.dmp

Filesize
3.3MB

Download
memory/4412-123-0x00007FF6EF250000-0x00007FF6EF5A1000-memory.dmp

Filesize
3.3MB

Download
memory/4412-252-0x00007FF6EF250000-0x00007FF6EF5A1000-memory.dmp

Filesize
3.3MB

Download
memory/4436-237-0x00007FF724BF0000-0x00007FF724F41000-memory.dmp

Filesize
3.3MB

Download
memory/4436-139-0x00007FF724BF0000-0x00007FF724F41000-memory.dmp

Filesize
3.3MB

Download
memory/4436-83-0x00007FF724BF0000-0x00007FF724F41000-memory.dmp

Filesize
3.3MB

Download
memory/4716-234-0x00007FF792D70000-0x00007FF7930C1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-73-0x00007FF792D70000-0x00007FF7930C1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-138-0x00007FF792D70000-0x00007FF7930C1000-memory.dmp

Filesize
3.3MB

Download
memory/4764-128-0x00007FF7EEDC0000-0x00007FF7EF111000-memory.dmp

Filesize
3.3MB

Download
memory/4764-0-0x00007FF7EEDC0000-0x00007FF7EF111000-memory.dmp

Filesize
3.3MB

Download
memory/4764-150-0x00007FF7EEDC0000-0x00007FF7EF111000-memory.dmp

Filesize
3.3MB

Download
memory/4764-1-0x000001741C4B0000-0x000001741C4C0000-memory.dmp

Filesize
64KB

Download
memory/4764-151-0x00007FF7EEDC0000-0x00007FF7EF111000-memory.dmp

Filesize
3.3MB

Download