cobaltstrike | aea94fe149b68f4f3f80957fe06945ded169db114a3a917d434381d3630bae2d

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

714a5c92b117a7d4ef7bb250a759fe5b
SHA1

834ecc8000d9928c6357eff7f4211949678f8da6
SHA256

aea94fe149b68f4f3f80957fe06945ded169db114a3a917d434381d3630bae2d
SHA512

a27bf26df3648bbd0c9fa9a013b37a11ec03d05d1d803c6feef1642261da07a203bcfc819b7f433fe69a5066a56bdd5def061c4ba2d30423c62095a5b68e2117
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lR:RWWBibd56utgpPFotBER/mQ32lUN

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0010000000023ba3-7.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-9.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c85-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-34.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c86-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-138.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-126.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/1172-60-0x00007FF61CB10000-0x00007FF61CE61000-memory.dmp	xmrig
behavioral2/memory/1700-67-0x00007FF63B5C0000-0x00007FF63B911000-memory.dmp	xmrig
behavioral2/memory/4756-81-0x00007FF7D02A0000-0x00007FF7D05F1000-memory.dmp	xmrig
behavioral2/memory/5092-74-0x00007FF6D09D0000-0x00007FF6D0D21000-memory.dmp	xmrig
behavioral2/memory/4536-87-0x00007FF7DC6D0000-0x00007FF7DCA21000-memory.dmp	xmrig
behavioral2/memory/4268-96-0x00007FF7A9F50000-0x00007FF7AA2A1000-memory.dmp	xmrig
behavioral2/memory/5052-110-0x00007FF7ABF20000-0x00007FF7AC271000-memory.dmp	xmrig
behavioral2/memory/3164-106-0x00007FF62A620000-0x00007FF62A971000-memory.dmp	xmrig
behavioral2/memory/4528-104-0x00007FF783760000-0x00007FF783AB1000-memory.dmp	xmrig
behavioral2/memory/4444-99-0x00007FF65C8E0000-0x00007FF65CC31000-memory.dmp	xmrig
behavioral2/memory/1412-89-0x00007FF730270000-0x00007FF7305C1000-memory.dmp	xmrig
behavioral2/memory/4980-133-0x00007FF62E8B0000-0x00007FF62EC01000-memory.dmp	xmrig
behavioral2/memory/4864-132-0x00007FF7D7980000-0x00007FF7D7CD1000-memory.dmp	xmrig
behavioral2/memory/1764-125-0x00007FF6D7C80000-0x00007FF6D7FD1000-memory.dmp	xmrig
behavioral2/memory/1940-122-0x00007FF748620000-0x00007FF748971000-memory.dmp	xmrig
behavioral2/memory/4520-120-0x00007FF7F3F10000-0x00007FF7F4261000-memory.dmp	xmrig
behavioral2/memory/2224-114-0x00007FF7FAB20000-0x00007FF7FAE71000-memory.dmp	xmrig
behavioral2/memory/1820-142-0x00007FF79EEC0000-0x00007FF79F211000-memory.dmp	xmrig
behavioral2/memory/4444-143-0x00007FF65C8E0000-0x00007FF65CC31000-memory.dmp	xmrig
behavioral2/memory/3164-144-0x00007FF62A620000-0x00007FF62A971000-memory.dmp	xmrig
behavioral2/memory/1172-145-0x00007FF61CB10000-0x00007FF61CE61000-memory.dmp	xmrig
behavioral2/memory/3960-152-0x00007FF6BE360000-0x00007FF6BE6B1000-memory.dmp	xmrig
behavioral2/memory/2780-165-0x00007FF622B30000-0x00007FF622E81000-memory.dmp	xmrig
behavioral2/memory/1848-166-0x00007FF7F2DB0000-0x00007FF7F3101000-memory.dmp	xmrig
behavioral2/memory/3308-170-0x00007FF7D6710000-0x00007FF7D6A61000-memory.dmp	xmrig
behavioral2/memory/1172-171-0x00007FF61CB10000-0x00007FF61CE61000-memory.dmp	xmrig
behavioral2/memory/1700-223-0x00007FF63B5C0000-0x00007FF63B911000-memory.dmp	xmrig
behavioral2/memory/5092-225-0x00007FF6D09D0000-0x00007FF6D0D21000-memory.dmp	xmrig
behavioral2/memory/4756-227-0x00007FF7D02A0000-0x00007FF7D05F1000-memory.dmp	xmrig
behavioral2/memory/4536-229-0x00007FF7DC6D0000-0x00007FF7DCA21000-memory.dmp	xmrig
behavioral2/memory/1412-231-0x00007FF730270000-0x00007FF7305C1000-memory.dmp	xmrig
behavioral2/memory/4268-233-0x00007FF7A9F50000-0x00007FF7AA2A1000-memory.dmp	xmrig
behavioral2/memory/4528-242-0x00007FF783760000-0x00007FF783AB1000-memory.dmp	xmrig
behavioral2/memory/5052-244-0x00007FF7ABF20000-0x00007FF7AC271000-memory.dmp	xmrig
behavioral2/memory/2224-246-0x00007FF7FAB20000-0x00007FF7FAE71000-memory.dmp	xmrig
behavioral2/memory/4520-248-0x00007FF7F3F10000-0x00007FF7F4261000-memory.dmp	xmrig
behavioral2/memory/1764-250-0x00007FF6D7C80000-0x00007FF6D7FD1000-memory.dmp	xmrig
behavioral2/memory/4864-253-0x00007FF7D7980000-0x00007FF7D7CD1000-memory.dmp	xmrig
behavioral2/memory/4980-255-0x00007FF62E8B0000-0x00007FF62EC01000-memory.dmp	xmrig
behavioral2/memory/1820-261-0x00007FF79EEC0000-0x00007FF79F211000-memory.dmp	xmrig
behavioral2/memory/4444-263-0x00007FF65C8E0000-0x00007FF65CC31000-memory.dmp	xmrig
behavioral2/memory/3164-265-0x00007FF62A620000-0x00007FF62A971000-memory.dmp	xmrig
behavioral2/memory/3960-267-0x00007FF6BE360000-0x00007FF6BE6B1000-memory.dmp	xmrig
behavioral2/memory/1940-272-0x00007FF748620000-0x00007FF748971000-memory.dmp	xmrig
behavioral2/memory/2780-274-0x00007FF622B30000-0x00007FF622E81000-memory.dmp	xmrig
behavioral2/memory/1848-276-0x00007FF7F2DB0000-0x00007FF7F3101000-memory.dmp	xmrig
behavioral2/memory/3308-278-0x00007FF7D6710000-0x00007FF7D6A61000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1700	uXvGgwO.exe
5092	wWyIqtx.exe
4756	gOOcIKk.exe
4536	XbrCIPn.exe
1412	VLiFNcY.exe
4268	fgFLYBL.exe
4528	ZhruxUR.exe
5052	huXekBr.exe
2224	pcTuvxT.exe
4520	ZqCAMJb.exe
1764	PzbJANQ.exe
4864	SFoemxT.exe
4980	pNpucPc.exe
1820	DpJDEcA.exe
4444	UwJgFoc.exe
3164	zOJbMuF.exe
3960	MKDnont.exe
1940	NxXGUPj.exe
2780	VhkRRqf.exe
1848	JIKqaGP.exe
3308	zLvyPEo.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1172-0-0x00007FF61CB10000-0x00007FF61CE61000-memory.dmp	upx
behavioral2/files/0x0010000000023ba3-7.dat	upx
behavioral2/memory/1700-6-0x00007FF63B5C0000-0x00007FF63B911000-memory.dmp	upx
behavioral2/files/0x0007000000023c89-9.dat	upx
behavioral2/files/0x0008000000023c85-12.dat	upx
behavioral2/memory/5092-14-0x00007FF6D09D0000-0x00007FF6D0D21000-memory.dmp	upx
behavioral2/memory/4756-20-0x00007FF7D02A0000-0x00007FF7D05F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8a-23.dat	upx
behavioral2/memory/4536-24-0x00007FF7DC6D0000-0x00007FF7DCA21000-memory.dmp	upx
behavioral2/files/0x0007000000023c8b-30.dat	upx
behavioral2/files/0x0007000000023c8c-34.dat	upx
behavioral2/memory/4268-35-0x00007FF7A9F50000-0x00007FF7AA2A1000-memory.dmp	upx
behavioral2/memory/1412-33-0x00007FF730270000-0x00007FF7305C1000-memory.dmp	upx
behavioral2/files/0x0008000000023c86-48.dat	upx
behavioral2/memory/5052-49-0x00007FF7ABF20000-0x00007FF7AC271000-memory.dmp	upx
behavioral2/memory/4528-43-0x00007FF783760000-0x00007FF783AB1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8d-42.dat	upx
behavioral2/files/0x0007000000023c8f-54.dat	upx
behavioral2/memory/1172-60-0x00007FF61CB10000-0x00007FF61CE61000-memory.dmp	upx
behavioral2/memory/1700-67-0x00007FF63B5C0000-0x00007FF63B911000-memory.dmp	upx
behavioral2/files/0x0007000000023c91-68.dat	upx
behavioral2/files/0x0007000000023c92-73.dat	upx
behavioral2/files/0x0007000000023c93-80.dat	upx
behavioral2/memory/4980-82-0x00007FF62E8B0000-0x00007FF62EC01000-memory.dmp	upx
behavioral2/memory/4756-81-0x00007FF7D02A0000-0x00007FF7D05F1000-memory.dmp	upx
behavioral2/memory/4864-76-0x00007FF7D7980000-0x00007FF7D7CD1000-memory.dmp	upx
behavioral2/memory/1764-72-0x00007FF6D7C80000-0x00007FF6D7FD1000-memory.dmp	upx
behavioral2/memory/5092-74-0x00007FF6D09D0000-0x00007FF6D0D21000-memory.dmp	upx
behavioral2/files/0x0007000000023c90-62.dat	upx
behavioral2/memory/4520-61-0x00007FF7F3F10000-0x00007FF7F4261000-memory.dmp	upx
behavioral2/memory/2224-56-0x00007FF7FAB20000-0x00007FF7FAE71000-memory.dmp	upx
behavioral2/memory/4536-87-0x00007FF7DC6D0000-0x00007FF7DCA21000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-91.dat	upx
behavioral2/memory/4268-96-0x00007FF7A9F50000-0x00007FF7AA2A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c95-97.dat	upx
behavioral2/files/0x0007000000023c96-103.dat	upx
behavioral2/files/0x0007000000023c97-108.dat	upx
behavioral2/memory/3960-111-0x00007FF6BE360000-0x00007FF6BE6B1000-memory.dmp	upx
behavioral2/memory/5052-110-0x00007FF7ABF20000-0x00007FF7AC271000-memory.dmp	upx
behavioral2/memory/3164-106-0x00007FF62A620000-0x00007FF62A971000-memory.dmp	upx
behavioral2/memory/4528-104-0x00007FF783760000-0x00007FF783AB1000-memory.dmp	upx
behavioral2/memory/4444-99-0x00007FF65C8E0000-0x00007FF65CC31000-memory.dmp	upx
behavioral2/memory/1820-90-0x00007FF79EEC0000-0x00007FF79F211000-memory.dmp	upx
behavioral2/memory/1412-89-0x00007FF730270000-0x00007FF7305C1000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-118.dat	upx
behavioral2/files/0x0007000000023c9a-135.dat	upx
behavioral2/memory/1848-134-0x00007FF7F2DB0000-0x00007FF7F3101000-memory.dmp	upx
behavioral2/memory/4980-133-0x00007FF62E8B0000-0x00007FF62EC01000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-138.dat	upx
behavioral2/memory/3308-139-0x00007FF7D6710000-0x00007FF7D6A61000-memory.dmp	upx
behavioral2/memory/4864-132-0x00007FF7D7980000-0x00007FF7D7CD1000-memory.dmp	upx
behavioral2/memory/2780-129-0x00007FF622B30000-0x00007FF622E81000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-126.dat	upx
behavioral2/memory/1764-125-0x00007FF6D7C80000-0x00007FF6D7FD1000-memory.dmp	upx
behavioral2/memory/1940-122-0x00007FF748620000-0x00007FF748971000-memory.dmp	upx
behavioral2/memory/4520-120-0x00007FF7F3F10000-0x00007FF7F4261000-memory.dmp	upx
behavioral2/memory/2224-114-0x00007FF7FAB20000-0x00007FF7FAE71000-memory.dmp	upx
behavioral2/memory/1820-142-0x00007FF79EEC0000-0x00007FF79F211000-memory.dmp	upx
behavioral2/memory/4444-143-0x00007FF65C8E0000-0x00007FF65CC31000-memory.dmp	upx
behavioral2/memory/3164-144-0x00007FF62A620000-0x00007FF62A971000-memory.dmp	upx
behavioral2/memory/1172-145-0x00007FF61CB10000-0x00007FF61CE61000-memory.dmp	upx
behavioral2/memory/3960-152-0x00007FF6BE360000-0x00007FF6BE6B1000-memory.dmp	upx
behavioral2/memory/2780-165-0x00007FF622B30000-0x00007FF622E81000-memory.dmp	upx
behavioral2/memory/1848-166-0x00007FF7F2DB0000-0x00007FF7F3101000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\VhkRRqf.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zLvyPEo.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wWyIqtx.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VLiFNcY.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\huXekBr.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DpJDEcA.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UwJgFoc.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MKDnont.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XbrCIPn.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZhruxUR.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pcTuvxT.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZqCAMJb.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PzbJANQ.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uXvGgwO.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SFoemxT.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pNpucPc.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NxXGUPj.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gOOcIKk.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fgFLYBL.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zOJbMuF.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JIKqaGP.exe	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 1700	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1172 wrote to memory of 1700	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1172 wrote to memory of 5092	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1172 wrote to memory of 5092	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1172 wrote to memory of 4756	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1172 wrote to memory of 4756	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1172 wrote to memory of 4536	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1172 wrote to memory of 4536	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1172 wrote to memory of 1412	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1172 wrote to memory of 1412	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1172 wrote to memory of 4268	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1172 wrote to memory of 4268	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1172 wrote to memory of 4528	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1172 wrote to memory of 4528	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1172 wrote to memory of 5052	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1172 wrote to memory of 5052	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1172 wrote to memory of 2224	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1172 wrote to memory of 2224	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1172 wrote to memory of 4520	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1172 wrote to memory of 4520	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1172 wrote to memory of 1764	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1172 wrote to memory of 1764	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1172 wrote to memory of 4864	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1172 wrote to memory of 4864	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1172 wrote to memory of 4980	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1172 wrote to memory of 4980	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1172 wrote to memory of 1820	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1172 wrote to memory of 1820	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1172 wrote to memory of 4444	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1172 wrote to memory of 4444	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1172 wrote to memory of 3164	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1172 wrote to memory of 3164	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1172 wrote to memory of 3960	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1172 wrote to memory of 3960	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1172 wrote to memory of 1940	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1172 wrote to memory of 1940	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1172 wrote to memory of 2780	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1172 wrote to memory of 2780	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1172 wrote to memory of 1848	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1172 wrote to memory of 1848	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1172 wrote to memory of 3308	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1172 wrote to memory of 3308	1172	2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_714a5c92b117a7d4ef7bb250a759fe5b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\System\uXvGgwO.exe
  C:\Windows\System\uXvGgwO.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\wWyIqtx.exe
  C:\Windows\System\wWyIqtx.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\gOOcIKk.exe
  C:\Windows\System\gOOcIKk.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\XbrCIPn.exe
  C:\Windows\System\XbrCIPn.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\VLiFNcY.exe
  C:\Windows\System\VLiFNcY.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\fgFLYBL.exe
  C:\Windows\System\fgFLYBL.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\ZhruxUR.exe
  C:\Windows\System\ZhruxUR.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System\huXekBr.exe
  C:\Windows\System\huXekBr.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\pcTuvxT.exe
  C:\Windows\System\pcTuvxT.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\ZqCAMJb.exe
  C:\Windows\System\ZqCAMJb.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\PzbJANQ.exe
  C:\Windows\System\PzbJANQ.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System\SFoemxT.exe
  C:\Windows\System\SFoemxT.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\pNpucPc.exe
  C:\Windows\System\pNpucPc.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\DpJDEcA.exe
  C:\Windows\System\DpJDEcA.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\UwJgFoc.exe
  C:\Windows\System\UwJgFoc.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System\zOJbMuF.exe
  C:\Windows\System\zOJbMuF.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\MKDnont.exe
  C:\Windows\System\MKDnont.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System\NxXGUPj.exe
  C:\Windows\System\NxXGUPj.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\VhkRRqf.exe
  C:\Windows\System\VhkRRqf.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\JIKqaGP.exe
  C:\Windows\System\JIKqaGP.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\zLvyPEo.exe
  C:\Windows\System\zLvyPEo.exe
  2⤵
  - Executes dropped EXE
  PID:3308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DpJDEcA.exe

Filesize
5.2MB

MD5
fb4c9c299fd6fe4bc4b474cafdd1582f

SHA1
01d60de19b5582923755e38eec09ffdbdd596e48

SHA256
f9c4a06fcd48a01f6fefd59340b1c762c82b24cf7c2ecc8bc2c652e683fb1eee

SHA512
41bea747052ae877c66e5fd5d753ea1e580deef72ab98819c94bba4612cbdb294c39ce7d7f7b9ebfb5c221ad49d73da46e680a9423e97d14aaeb95b703afd7a6

Download Submit
C:\Windows\System\JIKqaGP.exe

Filesize
5.2MB

MD5
ef66d4737b39168c28004b1019040d4c

SHA1
f0a54a53b15c5c4ff2cddb4128e3455200152b32

SHA256
86059777edf4f31db72b2d844058beb0352cdb9aa416abb9919990f0e5dc7b1b

SHA512
c20f1c463edd60e12560050b4641b3268b58d57b68928eb1495745801e1e928c98cda1d2c962abb8b49ef77547b84c27130cdb6a83137bbfb482534579ae0f37

Download Submit
C:\Windows\System\MKDnont.exe

Filesize
5.2MB

MD5
d57020017ccefce24d04d010f18b927d

SHA1
d214507a5034d4b446257ce732716b3901518831

SHA256
696d5fe1c8de39f27cb21360b29a9fdeb9f712be7503fd6cbd1fcad803760489

SHA512
307aef3f4b8816194305509bf963f46bf40464663be2ef874e3660ab80073bee405343708a5e7700b825df3ce83cd3bd218d19c45729de41c73c3d698bc91bdb

Download Submit
C:\Windows\System\NxXGUPj.exe

Filesize
5.2MB

MD5
361ac028c74b5932fb0f089ea4c343a4

SHA1
b0e1b8a33f27dfc8f7829e32b97f37d9062b1fb0

SHA256
e7ff1d8a6248db355ccb4fc0c2208446ca8192a89f4de667e0c1d9f991ae8311

SHA512
fa3a8aaf0968784972b9b18bf1d042f1762d4e16213997aee67b6ec74ff8d5d18b984d8834cea6867dd93df47724b8d44302cea24eb4c7a5f11587e50b0c1596

Download Submit
C:\Windows\System\PzbJANQ.exe

Filesize
5.2MB

MD5
15203a323f7e83696174e0abccd637bd

SHA1
74763cc0d852cae76d9cce53a5b6e06361f62e67

SHA256
8f52190486102144b8aab4675c1d9bab0a24488c9f19968de2479b9aa9838a83

SHA512
1f663374ad9c4f57b15ce49d0b4ca675e6e7b041e7ec4aba3f0f4014e5239aca051f898d370681f42b4dcbcfa9606a3fc97485bcb67f0420c5a646ef084105c5

Download Submit
C:\Windows\System\SFoemxT.exe

Filesize
5.2MB

MD5
98f3ee9d72c21c51b525ced60bf052fa

SHA1
13b99b637da3f110c69f4fe8e94e0279d0c4c17a

SHA256
9f8e4af876cf5deac186e462e073ef8cd80233649c6a659b58e32edb4db9a137

SHA512
295946daa32a71dbe9508cf9a6e2c65e0ca1e7965981c8e4f0269cfa19035d73c9e2e3d63970da458f2f46748ea1d35d600a4def3957d64fab199b78274ea2f3

Download Submit
C:\Windows\System\UwJgFoc.exe

Filesize
5.2MB

MD5
f4d052c70115f6fd7de614bd657741c3

SHA1
8364bd8a51af055d6848053eb2afb4b2354d85d3

SHA256
8826336a5c06975be6a01b20ebe4532db3f6e8c53ae2376cb5d9f65ce51c9b41

SHA512
e47df1acab1a39dbfb35f40c4e1ee9766b05b84a61d64fdcd53a791ba8326d5dba45b0a8aeaa03e4c148e0a0ea2580c125e26a6267fcb373a45124714582b277

Download Submit
C:\Windows\System\VLiFNcY.exe

Filesize
5.2MB

MD5
5166ddc220fbcb9d99904086557ac557

SHA1
f6058d432ea7b6e0a17e3842dd2b2ba8b3c8569a

SHA256
e1b2e7bd74b4aeb8ff477ed187534543d771f8f79c598a9e3260edadd609b2fb

SHA512
6216fbe844cf68d537a69cd19bac174e29a143d30570785c2fee22d4fe27fb2dcd7788c5fb6fcc1c069a4fa4012f41afdfdf721ca2240a2edc692b0df822c18e

Download Submit
C:\Windows\System\VhkRRqf.exe

Filesize
5.2MB

MD5
364b48aabd826b3e5c6c6113b2fc260a

SHA1
4d68c63b6190d1deb2cfda3e2f24bfd2161944d9

SHA256
bbc1f57cb71f9dcf7b61f52474155e5dd8a2fb1ccad1852189a6854e5bb2f76c

SHA512
12ad4af7914934006bd8441b4369b5d7191171270fd9d9697fd71def93820ac7ecd577abef2af74907a43fc5756ef7960733a3d7fa412ea727f13f2ba109245f

Download Submit
C:\Windows\System\XbrCIPn.exe

Filesize
5.2MB

MD5
c7f38300650c3fdde2dc60b7566fbdb3

SHA1
e42dbdc35b4041e4bddb139082316621697c0b55

SHA256
915a07b116098c4df19797bb830b23b0cb92de815c0ac9964d0739c9b3bb695f

SHA512
a86079c81fd8a16959491004a88fb193d740cb96a4c317b487a00a2493c75a51eb6cf03dcb2932441176642a6aa308df4a4c6a73fee2448d6a2e540815062571

Download Submit
C:\Windows\System\ZhruxUR.exe

Filesize
5.2MB

MD5
a02ee018cc83a32accba7da1f3a3a2d0

SHA1
cddfdbde13dbc4de57fca187a02253319da58324

SHA256
4225da52b66a10eaa7f37db453559eb1b09101e747cd1f9f8aad97f7c20cb1da

SHA512
6ef91139c5c5c80283721ce4efb7443180a1413e757405c46ab280737e8744b971987f5854643bedfdb1eb682d1a73b510b5e24598fda14498835bffaac66762

Download Submit
C:\Windows\System\ZqCAMJb.exe

Filesize
5.2MB

MD5
ea06ea502333e3d9aa5b2c1dc8d73ad0

SHA1
7c999f060de9de40d6b614c9b759b64c565bb90c

SHA256
b42c7bca2450386982631ab7bfeae024419c434f29e02b5d1293d58fb3ce4604

SHA512
714ecb7ac96a473f25202f0c822329a8f4865f039d6653b20b478ae8e76b1f20d72598af4c4e708eada2744e7f98160503c9d760d5defa8bd4798d63a5c914c9

Download Submit
C:\Windows\System\fgFLYBL.exe

Filesize
5.2MB

MD5
9ace4d0140e5abcc0edf45406a86fc8e

SHA1
53725c7e182e122634666ce1d3328b05b9a2afcb

SHA256
647124816106554874cc7cca124c563c1c2483586bde0feeaa45d93c56f9d82c

SHA512
bed40e741218a32f2eb3c4fc36fd6abf2c3e6f7aceba745a3aa0fd3f69ec75f9a5f78a0ed26ac783b95d91b3bff9166b29cb634fe26dd88fd916e6f7ed26323a

Download Submit
C:\Windows\System\gOOcIKk.exe

Filesize
5.2MB

MD5
210f15d54af8e9a390e517169f39a440

SHA1
862bd7b2df334ee8896ac0a1b3df16e8818067b0

SHA256
926c24d5370e3033a8a9a5e388d27d28aa514f75afe3cb6ac4bad02d1b0ae819

SHA512
660beb6804fb70483fb2a8f956f18c88c307145566e900ac0f30a53555a04e1405622ff13fdceed33c6546183e9b8fbaa3feed78bb8a739d724cf3ea9e9e113d

Download Submit
C:\Windows\System\huXekBr.exe

Filesize
5.2MB

MD5
bceab4c034c6cdec954403fc88f0c3ea

SHA1
120c1bc92f88bf18a5129cb9343e0c99f6766d72

SHA256
d20b9a037191bd05eb34d6b60296721dd2e1ddac8d59708141ebfb3d41f13538

SHA512
df910d3ab1936e4f9bd3b64f12a5cdd6dcd2c501d43ef7155fe3d781edb2bb604bf637c08e663fc2d1759515fb9bdad551cff378aebc46b6c611221dec928004

Download Submit
C:\Windows\System\pNpucPc.exe

Filesize
5.2MB

MD5
5a304e367bd9bda18dac990c88066080

SHA1
a17b86fac811e39cde97af4e9843adc866778748

SHA256
950af3e2aa5d16f04971375c24660df0242d1829e81229ceec606c6dbbf3f48e

SHA512
07bce1c93d8017bf8ac09f2d892e0a8f55cb04101975027e6eb6800dabd620aa009831734cd1b32f9730572955279aab99feae912c4490ac0c6392ca5707ca4f

Download Submit
C:\Windows\System\pcTuvxT.exe

Filesize
5.2MB

MD5
ffa9aadd5c34f41db3c18e581a549ec2

SHA1
33997c410a587c9dc90c171cf88cc9f0105c4397

SHA256
3709d1d7079b181df1eb6a01209b430cd622b99962d0aae670c5c055591fef58

SHA512
24b56fc1c84e174842d81e68eed05f104bca97e1771fbd22e37d614310d8f81d75ed4f0b8b1c416c942856bb1e5c5fb62a29d4b887a65be6094b6606c6493bf7

Download Submit
C:\Windows\System\uXvGgwO.exe

Filesize
5.2MB

MD5
22880e9ae964243da6c1e6362c19b5f3

SHA1
f944d82de02d5c8c727150a27740700c74cf35b6

SHA256
bcc641cecaf0ddaaefa56a997e5d3442d8f839067654b0bf3d23bb7c2e5012fa

SHA512
f210459d7343ae487b9b3b67510d7a282fbbca9d9c8ab491454bd4e049a6fc69e1d3812c5b2f1ba19e1a162ad6144d5349864d3e76b82879ffaf2cdb7ec47e69

Download Submit
C:\Windows\System\wWyIqtx.exe

Filesize
5.2MB

MD5
a06383e203ae1fa990776b6b7bb78f35

SHA1
d863ca547cee6027174d9e956ac2f19dd0995c3e

SHA256
5588985986bd00f8bd360b5031c4abb92b474bb5040c677b44bf2c49b62e7b85

SHA512
ab749e8bafb93719801b59f7c98c9189c652d11c30627004ba17865adbf22080383c7415bc3d4413f990fa1feb3182a8f250d055a483213f346bbe95e4259dbb

Download Submit
C:\Windows\System\zLvyPEo.exe

Filesize
5.2MB

MD5
f1cda4b29619bee0850c185e7a71e49e

SHA1
8065de393441baa3e37d9a441031bd8b570a911b

SHA256
29abe180dc4451d05094fdb36db9dab53184fd0eddbf6fcaa9868f1f6d801529

SHA512
a3d42e6c914bded0b103373db17acc55c5ed9b939c6749a9b1e08001db0f2a7b724d1c3cf132d26f532209af7b84006108dcd4b9059f838f6604af4ea7ae09fc

Download Submit
C:\Windows\System\zOJbMuF.exe

Filesize
5.2MB

MD5
6c7aaa715cf2bc6d5f2758a77b7853a8

SHA1
a9d29d04d14ccbcc36b62e693ce3add17d412464

SHA256
73be8da2c811354d08234b054d7b4f44af0b3b7d4bd5b58442aaef9237b1ce35

SHA512
4ecc496fbb59021b200958abff5077d06f48c2a0eac4d63fb8938fd5a4255aa759e47a81bab88d4072d01e198955946c3de309b64897e0d812e5cbb361175875

Download Submit
memory/1172-0-0x00007FF61CB10000-0x00007FF61CE61000-memory.dmp

Filesize
3.3MB

Download
memory/1172-60-0x00007FF61CB10000-0x00007FF61CE61000-memory.dmp

Filesize
3.3MB

Download
memory/1172-145-0x00007FF61CB10000-0x00007FF61CE61000-memory.dmp

Filesize
3.3MB

Download
memory/1172-171-0x00007FF61CB10000-0x00007FF61CE61000-memory.dmp

Filesize
3.3MB

Download
memory/1172-1-0x000001F2793E0000-0x000001F2793F0000-memory.dmp

Filesize
64KB

Download
memory/1412-89-0x00007FF730270000-0x00007FF7305C1000-memory.dmp

Filesize
3.3MB

Download
memory/1412-33-0x00007FF730270000-0x00007FF7305C1000-memory.dmp

Filesize
3.3MB

Download
memory/1412-231-0x00007FF730270000-0x00007FF7305C1000-memory.dmp

Filesize
3.3MB

Download
memory/1700-67-0x00007FF63B5C0000-0x00007FF63B911000-memory.dmp

Filesize
3.3MB

Download
memory/1700-6-0x00007FF63B5C0000-0x00007FF63B911000-memory.dmp

Filesize
3.3MB

Download
memory/1700-223-0x00007FF63B5C0000-0x00007FF63B911000-memory.dmp

Filesize
3.3MB

Download
memory/1764-250-0x00007FF6D7C80000-0x00007FF6D7FD1000-memory.dmp

Filesize
3.3MB

Download
memory/1764-125-0x00007FF6D7C80000-0x00007FF6D7FD1000-memory.dmp

Filesize
3.3MB

Download
memory/1764-72-0x00007FF6D7C80000-0x00007FF6D7FD1000-memory.dmp

Filesize
3.3MB

Download
memory/1820-142-0x00007FF79EEC0000-0x00007FF79F211000-memory.dmp

Filesize
3.3MB

Download
memory/1820-261-0x00007FF79EEC0000-0x00007FF79F211000-memory.dmp

Filesize
3.3MB

Download
memory/1820-90-0x00007FF79EEC0000-0x00007FF79F211000-memory.dmp

Filesize
3.3MB

Download
memory/1848-166-0x00007FF7F2DB0000-0x00007FF7F3101000-memory.dmp

Filesize
3.3MB

Download
memory/1848-276-0x00007FF7F2DB0000-0x00007FF7F3101000-memory.dmp

Filesize
3.3MB

Download
memory/1848-134-0x00007FF7F2DB0000-0x00007FF7F3101000-memory.dmp

Filesize
3.3MB

Download
memory/1940-122-0x00007FF748620000-0x00007FF748971000-memory.dmp

Filesize
3.3MB

Download
memory/1940-272-0x00007FF748620000-0x00007FF748971000-memory.dmp

Filesize
3.3MB

Download
memory/2224-246-0x00007FF7FAB20000-0x00007FF7FAE71000-memory.dmp

Filesize
3.3MB

Download
memory/2224-56-0x00007FF7FAB20000-0x00007FF7FAE71000-memory.dmp

Filesize
3.3MB

Download
memory/2224-114-0x00007FF7FAB20000-0x00007FF7FAE71000-memory.dmp

Filesize
3.3MB

Download
memory/2780-129-0x00007FF622B30000-0x00007FF622E81000-memory.dmp

Filesize
3.3MB

Download
memory/2780-274-0x00007FF622B30000-0x00007FF622E81000-memory.dmp

Filesize
3.3MB

Download
memory/2780-165-0x00007FF622B30000-0x00007FF622E81000-memory.dmp

Filesize
3.3MB

Download
memory/3164-265-0x00007FF62A620000-0x00007FF62A971000-memory.dmp

Filesize
3.3MB

Download
memory/3164-106-0x00007FF62A620000-0x00007FF62A971000-memory.dmp

Filesize
3.3MB

Download
memory/3164-144-0x00007FF62A620000-0x00007FF62A971000-memory.dmp

Filesize
3.3MB

Download
memory/3308-139-0x00007FF7D6710000-0x00007FF7D6A61000-memory.dmp

Filesize
3.3MB

Download
memory/3308-170-0x00007FF7D6710000-0x00007FF7D6A61000-memory.dmp

Filesize
3.3MB

Download
memory/3308-278-0x00007FF7D6710000-0x00007FF7D6A61000-memory.dmp

Filesize
3.3MB

Download
memory/3960-152-0x00007FF6BE360000-0x00007FF6BE6B1000-memory.dmp

Filesize
3.3MB

Download
memory/3960-111-0x00007FF6BE360000-0x00007FF6BE6B1000-memory.dmp

Filesize
3.3MB

Download
memory/3960-267-0x00007FF6BE360000-0x00007FF6BE6B1000-memory.dmp

Filesize
3.3MB

Download
memory/4268-233-0x00007FF7A9F50000-0x00007FF7AA2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4268-96-0x00007FF7A9F50000-0x00007FF7AA2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4268-35-0x00007FF7A9F50000-0x00007FF7AA2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4444-99-0x00007FF65C8E0000-0x00007FF65CC31000-memory.dmp

Filesize
3.3MB

Download
memory/4444-263-0x00007FF65C8E0000-0x00007FF65CC31000-memory.dmp

Filesize
3.3MB

Download
memory/4444-143-0x00007FF65C8E0000-0x00007FF65CC31000-memory.dmp

Filesize
3.3MB

Download
memory/4520-120-0x00007FF7F3F10000-0x00007FF7F4261000-memory.dmp

Filesize
3.3MB

Download
memory/4520-61-0x00007FF7F3F10000-0x00007FF7F4261000-memory.dmp

Filesize
3.3MB

Download
memory/4520-248-0x00007FF7F3F10000-0x00007FF7F4261000-memory.dmp

Filesize
3.3MB

Download
memory/4528-242-0x00007FF783760000-0x00007FF783AB1000-memory.dmp

Filesize
3.3MB

Download
memory/4528-104-0x00007FF783760000-0x00007FF783AB1000-memory.dmp

Filesize
3.3MB

Download
memory/4528-43-0x00007FF783760000-0x00007FF783AB1000-memory.dmp

Filesize
3.3MB

Download
memory/4536-24-0x00007FF7DC6D0000-0x00007FF7DCA21000-memory.dmp

Filesize
3.3MB

Download
memory/4536-229-0x00007FF7DC6D0000-0x00007FF7DCA21000-memory.dmp

Filesize
3.3MB

Download
memory/4536-87-0x00007FF7DC6D0000-0x00007FF7DCA21000-memory.dmp

Filesize
3.3MB

Download
memory/4756-227-0x00007FF7D02A0000-0x00007FF7D05F1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-81-0x00007FF7D02A0000-0x00007FF7D05F1000-memory.dmp

Filesize
3.3MB

Download
memory/4756-20-0x00007FF7D02A0000-0x00007FF7D05F1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-253-0x00007FF7D7980000-0x00007FF7D7CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-132-0x00007FF7D7980000-0x00007FF7D7CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-76-0x00007FF7D7980000-0x00007FF7D7CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-255-0x00007FF62E8B0000-0x00007FF62EC01000-memory.dmp

Filesize
3.3MB

Download
memory/4980-82-0x00007FF62E8B0000-0x00007FF62EC01000-memory.dmp

Filesize
3.3MB

Download
memory/4980-133-0x00007FF62E8B0000-0x00007FF62EC01000-memory.dmp

Filesize
3.3MB

Download
memory/5052-110-0x00007FF7ABF20000-0x00007FF7AC271000-memory.dmp

Filesize
3.3MB

Download
memory/5052-244-0x00007FF7ABF20000-0x00007FF7AC271000-memory.dmp

Filesize
3.3MB

Download
memory/5052-49-0x00007FF7ABF20000-0x00007FF7AC271000-memory.dmp

Filesize
3.3MB

Download
memory/5092-225-0x00007FF6D09D0000-0x00007FF6D0D21000-memory.dmp

Filesize
3.3MB

Download
memory/5092-14-0x00007FF6D09D0000-0x00007FF6D0D21000-memory.dmp

Filesize
3.3MB

Download
memory/5092-74-0x00007FF6D09D0000-0x00007FF6D0D21000-memory.dmp

Filesize
3.3MB

Download