cobaltstrike | 120169afc5a05029ce89f44c5f8fb1779fcfca66e2a9273c563b71148d5d9107

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

e0931a2189b2f9e05fb3f0a0ed4fb9e7
SHA1

e6bad048ea57532cf2ab7299d802c4d8fae1ca5a
SHA256

120169afc5a05029ce89f44c5f8fb1779fcfca66e2a9273c563b71148d5d9107
SHA512

db3f7e8609cdd4754312a56d3962ae3dab14d48785b8aebc5fa24d8a1bc18eb7711e2a6109043f899e92843be5f4d472421d82eabc84d0dbd5ecbd27cebc89ff
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lS:RWWBib+56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c55-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c59-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c5a-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c5b-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c5c-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c5d-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c5e-44.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c5f-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c61-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c62-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c65-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6a-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6b-130.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c66-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c67-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c69-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c68-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c63-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c64-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c60-64.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c56-50.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4648-114-0x00007FF7F0A10000-0x00007FF7F0D61000-memory.dmp	xmrig
behavioral2/memory/376-133-0x00007FF6A5D40000-0x00007FF6A6091000-memory.dmp	xmrig
behavioral2/memory/1668-132-0x00007FF692E40000-0x00007FF693191000-memory.dmp	xmrig
behavioral2/memory/208-129-0x00007FF70E6D0000-0x00007FF70EA21000-memory.dmp	xmrig
behavioral2/memory/1520-104-0x00007FF7958B0000-0x00007FF795C01000-memory.dmp	xmrig
behavioral2/memory/2976-86-0x00007FF656210000-0x00007FF656561000-memory.dmp	xmrig
behavioral2/memory/2776-72-0x00007FF731EB0000-0x00007FF732201000-memory.dmp	xmrig
behavioral2/memory/2504-66-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp	xmrig
behavioral2/memory/740-134-0x00007FF6102E0000-0x00007FF610631000-memory.dmp	xmrig
behavioral2/memory/5108-135-0x00007FF6A9280000-0x00007FF6A95D1000-memory.dmp	xmrig
behavioral2/memory/940-136-0x00007FF7FB6B0000-0x00007FF7FBA01000-memory.dmp	xmrig
behavioral2/memory/2504-137-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp	xmrig
behavioral2/memory/1104-148-0x00007FF7377A0000-0x00007FF737AF1000-memory.dmp	xmrig
behavioral2/memory/5088-147-0x00007FF7FE200000-0x00007FF7FE551000-memory.dmp	xmrig
behavioral2/memory/1224-154-0x00007FF70C7B0000-0x00007FF70CB01000-memory.dmp	xmrig
behavioral2/memory/4688-160-0x00007FF6BE8E0000-0x00007FF6BEC31000-memory.dmp	xmrig
behavioral2/memory/1484-162-0x00007FF679DF0000-0x00007FF67A141000-memory.dmp	xmrig
behavioral2/memory/4808-161-0x00007FF664CF0000-0x00007FF665041000-memory.dmp	xmrig
behavioral2/memory/3096-158-0x00007FF698690000-0x00007FF6989E1000-memory.dmp	xmrig
behavioral2/memory/3464-156-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp	xmrig
behavioral2/memory/4044-155-0x00007FF7703A0000-0x00007FF7706F1000-memory.dmp	xmrig
behavioral2/memory/1964-152-0x00007FF7E2870000-0x00007FF7E2BC1000-memory.dmp	xmrig
behavioral2/memory/3924-150-0x00007FF6D3660000-0x00007FF6D39B1000-memory.dmp	xmrig
behavioral2/memory/2504-163-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp	xmrig
behavioral2/memory/2776-214-0x00007FF731EB0000-0x00007FF732201000-memory.dmp	xmrig
behavioral2/memory/2976-216-0x00007FF656210000-0x00007FF656561000-memory.dmp	xmrig
behavioral2/memory/1520-218-0x00007FF7958B0000-0x00007FF795C01000-memory.dmp	xmrig
behavioral2/memory/4648-220-0x00007FF7F0A10000-0x00007FF7F0D61000-memory.dmp	xmrig
behavioral2/memory/1668-232-0x00007FF692E40000-0x00007FF693191000-memory.dmp	xmrig
behavioral2/memory/740-234-0x00007FF6102E0000-0x00007FF610631000-memory.dmp	xmrig
behavioral2/memory/5108-236-0x00007FF6A9280000-0x00007FF6A95D1000-memory.dmp	xmrig
behavioral2/memory/940-238-0x00007FF7FB6B0000-0x00007FF7FBA01000-memory.dmp	xmrig
behavioral2/memory/5088-240-0x00007FF7FE200000-0x00007FF7FE551000-memory.dmp	xmrig
behavioral2/memory/4808-248-0x00007FF664CF0000-0x00007FF665041000-memory.dmp	xmrig
behavioral2/memory/1104-250-0x00007FF7377A0000-0x00007FF737AF1000-memory.dmp	xmrig
behavioral2/memory/1964-253-0x00007FF7E2870000-0x00007FF7E2BC1000-memory.dmp	xmrig
behavioral2/memory/1484-254-0x00007FF679DF0000-0x00007FF67A141000-memory.dmp	xmrig
behavioral2/memory/3924-256-0x00007FF6D3660000-0x00007FF6D39B1000-memory.dmp	xmrig
behavioral2/memory/1224-260-0x00007FF70C7B0000-0x00007FF70CB01000-memory.dmp	xmrig
behavioral2/memory/3096-262-0x00007FF698690000-0x00007FF6989E1000-memory.dmp	xmrig
behavioral2/memory/3464-264-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp	xmrig
behavioral2/memory/208-259-0x00007FF70E6D0000-0x00007FF70EA21000-memory.dmp	xmrig
behavioral2/memory/4688-268-0x00007FF6BE8E0000-0x00007FF6BEC31000-memory.dmp	xmrig
behavioral2/memory/376-270-0x00007FF6A5D40000-0x00007FF6A6091000-memory.dmp	xmrig
behavioral2/memory/4044-266-0x00007FF7703A0000-0x00007FF7706F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2776	yoVrCSd.exe
2976	NryZLmc.exe
1520	luuOYRC.exe
4648	zTxoixH.exe
1668	ZPdoLYX.exe
740	cqJWQmt.exe
5108	HANAIQk.exe
940	uaNmGgU.exe
5088	qYPSooK.exe
1104	gzxQTQH.exe
3924	Dqeaoeo.exe
4808	FCqKCWg.exe
1964	sMmTQHH.exe
1484	SfWDZxT.exe
1224	mgqoDvg.exe
3464	CsMwQae.exe
4044	qcngXbH.exe
208	fmmmpbR.exe
3096	xyvwPaD.exe
376	rxhgJEc.exe
4688	VKUqagu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2504-0-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp	upx
behavioral2/files/0x0008000000023c55-6.dat	upx
behavioral2/memory/2776-8-0x00007FF731EB0000-0x00007FF732201000-memory.dmp	upx
behavioral2/files/0x0007000000023c59-10.dat	upx
behavioral2/memory/2976-13-0x00007FF656210000-0x00007FF656561000-memory.dmp	upx
behavioral2/files/0x0007000000023c5a-11.dat	upx
behavioral2/memory/1520-18-0x00007FF7958B0000-0x00007FF795C01000-memory.dmp	upx
behavioral2/files/0x0007000000023c5b-23.dat	upx
behavioral2/memory/4648-26-0x00007FF7F0A10000-0x00007FF7F0D61000-memory.dmp	upx
behavioral2/files/0x0007000000023c5c-28.dat	upx
behavioral2/files/0x0007000000023c5d-35.dat	upx
behavioral2/memory/740-36-0x00007FF6102E0000-0x00007FF610631000-memory.dmp	upx
behavioral2/files/0x0007000000023c5e-44.dat	upx
behavioral2/files/0x0008000000023c5f-55.dat	upx
behavioral2/files/0x0007000000023c61-63.dat	upx
behavioral2/files/0x0007000000023c62-68.dat	upx
behavioral2/files/0x0007000000023c65-83.dat	upx
behavioral2/memory/3464-105-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp	upx
behavioral2/memory/4648-114-0x00007FF7F0A10000-0x00007FF7F0D61000-memory.dmp	upx
behavioral2/files/0x0007000000023c6a-125.dat	upx
behavioral2/memory/376-133-0x00007FF6A5D40000-0x00007FF6A6091000-memory.dmp	upx
behavioral2/memory/1668-132-0x00007FF692E40000-0x00007FF693191000-memory.dmp	upx
behavioral2/files/0x0007000000023c6b-130.dat	upx
behavioral2/memory/208-129-0x00007FF70E6D0000-0x00007FF70EA21000-memory.dmp	upx
behavioral2/memory/4688-128-0x00007FF6BE8E0000-0x00007FF6BEC31000-memory.dmp	upx
behavioral2/memory/3096-127-0x00007FF698690000-0x00007FF6989E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c66-123.dat	upx
behavioral2/files/0x0007000000023c67-121.dat	upx
behavioral2/files/0x0007000000023c69-119.dat	upx
behavioral2/files/0x0007000000023c68-109.dat	upx
behavioral2/memory/4044-106-0x00007FF7703A0000-0x00007FF7706F1000-memory.dmp	upx
behavioral2/memory/1520-104-0x00007FF7958B0000-0x00007FF795C01000-memory.dmp	upx
behavioral2/memory/1224-94-0x00007FF70C7B0000-0x00007FF70CB01000-memory.dmp	upx
behavioral2/memory/1964-93-0x00007FF7E2870000-0x00007FF7E2BC1000-memory.dmp	upx
behavioral2/files/0x0007000000023c63-87.dat	upx
behavioral2/memory/2976-86-0x00007FF656210000-0x00007FF656561000-memory.dmp	upx
behavioral2/memory/1484-85-0x00007FF679DF0000-0x00007FF67A141000-memory.dmp	upx
behavioral2/files/0x0007000000023c64-90.dat	upx
behavioral2/memory/4808-81-0x00007FF664CF0000-0x00007FF665041000-memory.dmp	upx
behavioral2/memory/2776-72-0x00007FF731EB0000-0x00007FF732201000-memory.dmp	upx
behavioral2/memory/3924-70-0x00007FF6D3660000-0x00007FF6D39B1000-memory.dmp	upx
behavioral2/files/0x0007000000023c60-64.dat	upx
behavioral2/memory/2504-66-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp	upx
behavioral2/memory/1104-61-0x00007FF7377A0000-0x00007FF737AF1000-memory.dmp	upx
behavioral2/memory/5088-57-0x00007FF7FE200000-0x00007FF7FE551000-memory.dmp	upx
behavioral2/memory/940-51-0x00007FF7FB6B0000-0x00007FF7FBA01000-memory.dmp	upx
behavioral2/files/0x0008000000023c56-50.dat	upx
behavioral2/memory/5108-42-0x00007FF6A9280000-0x00007FF6A95D1000-memory.dmp	upx
behavioral2/memory/1668-30-0x00007FF692E40000-0x00007FF693191000-memory.dmp	upx
behavioral2/memory/740-134-0x00007FF6102E0000-0x00007FF610631000-memory.dmp	upx
behavioral2/memory/5108-135-0x00007FF6A9280000-0x00007FF6A95D1000-memory.dmp	upx
behavioral2/memory/940-136-0x00007FF7FB6B0000-0x00007FF7FBA01000-memory.dmp	upx
behavioral2/memory/2504-137-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp	upx
behavioral2/memory/1104-148-0x00007FF7377A0000-0x00007FF737AF1000-memory.dmp	upx
behavioral2/memory/5088-147-0x00007FF7FE200000-0x00007FF7FE551000-memory.dmp	upx
behavioral2/memory/1224-154-0x00007FF70C7B0000-0x00007FF70CB01000-memory.dmp	upx
behavioral2/memory/4688-160-0x00007FF6BE8E0000-0x00007FF6BEC31000-memory.dmp	upx
behavioral2/memory/1484-162-0x00007FF679DF0000-0x00007FF67A141000-memory.dmp	upx
behavioral2/memory/4808-161-0x00007FF664CF0000-0x00007FF665041000-memory.dmp	upx
behavioral2/memory/3096-158-0x00007FF698690000-0x00007FF6989E1000-memory.dmp	upx
behavioral2/memory/3464-156-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp	upx
behavioral2/memory/4044-155-0x00007FF7703A0000-0x00007FF7706F1000-memory.dmp	upx
behavioral2/memory/1964-152-0x00007FF7E2870000-0x00007FF7E2BC1000-memory.dmp	upx
behavioral2/memory/3924-150-0x00007FF6D3660000-0x00007FF6D39B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\HANAIQk.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FCqKCWg.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qcngXbH.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fmmmpbR.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VKUqagu.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yoVrCSd.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\luuOYRC.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZPdoLYX.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Dqeaoeo.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NryZLmc.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cqJWQmt.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uaNmGgU.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sMmTQHH.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CsMwQae.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rxhgJEc.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zTxoixH.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qYPSooK.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gzxQTQH.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SfWDZxT.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mgqoDvg.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xyvwPaD.exe	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2776	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2504 wrote to memory of 2776	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2504 wrote to memory of 2976	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2504 wrote to memory of 2976	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2504 wrote to memory of 1520	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2504 wrote to memory of 1520	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2504 wrote to memory of 4648	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2504 wrote to memory of 4648	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2504 wrote to memory of 1668	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2504 wrote to memory of 1668	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2504 wrote to memory of 740	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2504 wrote to memory of 740	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2504 wrote to memory of 5108	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2504 wrote to memory of 5108	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2504 wrote to memory of 940	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2504 wrote to memory of 940	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2504 wrote to memory of 5088	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2504 wrote to memory of 5088	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2504 wrote to memory of 1104	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2504 wrote to memory of 1104	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2504 wrote to memory of 3924	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2504 wrote to memory of 3924	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2504 wrote to memory of 4808	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2504 wrote to memory of 4808	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2504 wrote to memory of 1964	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2504 wrote to memory of 1964	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2504 wrote to memory of 1484	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2504 wrote to memory of 1484	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2504 wrote to memory of 1224	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2504 wrote to memory of 1224	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2504 wrote to memory of 4044	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2504 wrote to memory of 4044	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2504 wrote to memory of 3464	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2504 wrote to memory of 3464	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2504 wrote to memory of 208	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2504 wrote to memory of 208	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2504 wrote to memory of 3096	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2504 wrote to memory of 3096	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2504 wrote to memory of 376	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2504 wrote to memory of 376	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2504 wrote to memory of 4688	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2504 wrote to memory of 4688	2504	2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_e0931a2189b2f9e05fb3f0a0ed4fb9e7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\System\yoVrCSd.exe
  C:\Windows\System\yoVrCSd.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\NryZLmc.exe
  C:\Windows\System\NryZLmc.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\luuOYRC.exe
  C:\Windows\System\luuOYRC.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\zTxoixH.exe
  C:\Windows\System\zTxoixH.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\ZPdoLYX.exe
  C:\Windows\System\ZPdoLYX.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\cqJWQmt.exe
  C:\Windows\System\cqJWQmt.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System\HANAIQk.exe
  C:\Windows\System\HANAIQk.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\uaNmGgU.exe
  C:\Windows\System\uaNmGgU.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\qYPSooK.exe
  C:\Windows\System\qYPSooK.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\gzxQTQH.exe
  C:\Windows\System\gzxQTQH.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System\Dqeaoeo.exe
  C:\Windows\System\Dqeaoeo.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\FCqKCWg.exe
  C:\Windows\System\FCqKCWg.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\sMmTQHH.exe
  C:\Windows\System\sMmTQHH.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\SfWDZxT.exe
  C:\Windows\System\SfWDZxT.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\mgqoDvg.exe
  C:\Windows\System\mgqoDvg.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\qcngXbH.exe
  C:\Windows\System\qcngXbH.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System\CsMwQae.exe
  C:\Windows\System\CsMwQae.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\fmmmpbR.exe
  C:\Windows\System\fmmmpbR.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\xyvwPaD.exe
  C:\Windows\System\xyvwPaD.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System\rxhgJEc.exe
  C:\Windows\System\rxhgJEc.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System\VKUqagu.exe
  C:\Windows\System\VKUqagu.exe
  2⤵
  - Executes dropped EXE
  PID:4688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CsMwQae.exe

Filesize
5.2MB

MD5
66103c8b768fb4354785d5f65befdf2e

SHA1
611fd8eda45349f2cda5761069ab706ac0501187

SHA256
f7d519c3cec9127d487524606a5531f4e1aa0c509e46bcd083b5214f071260f8

SHA512
62582b11ac5bd75d14e312d23921828015e92088bfc37c1a37d2153cd1848bec443377befa5cbb156ba4d5d66335050046bf2d2baea0506f2945d1d714a827fe

Download Submit
C:\Windows\System\Dqeaoeo.exe

Filesize
5.2MB

MD5
cde5909d1d231dea92c35b2322767c14

SHA1
5824097aed1f10d9686cb0a954df07053d4647f2

SHA256
767dc86a45df90521660c34d837b74a89c62189e84a5388a9511294c769496c1

SHA512
9226c80a74bdefc4de7e86e962a35b969f26defdcf1d6031a0984640fdec2857197348e96cd15161735509af64ff713ec19a2d3457b7d16716cd5dac254e9ec1

Download Submit
C:\Windows\System\FCqKCWg.exe

Filesize
5.2MB

MD5
857b33f6713db3917694416e848c7545

SHA1
5d076c3b7ed0b0781a6e1296ad540a79a8439eae

SHA256
e51c8dfbc1beb9abadb674c611d6d276e987fd0622b1f71e95c9512bbefd8442

SHA512
a296868257d32b6a7737dc47c3e463c5bd63d0f16506511e83a61a1d22e50e4f24d2f6a74a6431bceb117dbfa4b0426aaa62718832529907e3d53c258907bcaf

Download Submit
C:\Windows\System\HANAIQk.exe

Filesize
5.2MB

MD5
1a1b92047282c2d9f50e765471f32b26

SHA1
df5c7527a6fd57a113820143b6ca2c8a32a5b5a7

SHA256
c0e0201f4f9c3ba65ae3554c5ef07109b7345aa1abebd518c06665bab73e31e8

SHA512
e09af19dd194ce18c45e176df559ad841425f0dd81175b590770a2d69d1fc98da7cc6c876bf3635c3346172db944fca97ec6b9dc178d4a0dafe9044f7272cafd

Download Submit
C:\Windows\System\NryZLmc.exe

Filesize
5.2MB

MD5
1948cbd93d63054f6f2f576a19b03596

SHA1
93212a3388cd45fbed2e3edfbbd7bfcfdf94fdfb

SHA256
adcf842edfb57d3fe3a553b5989a7104d6b9cfe940bdfcecd78e62d5ae2098e0

SHA512
f6420249d8de4da89bcba6d8459c1e1d9a12a65d8190831d7b0226bc2a779370f0ec3ca1974ba5fca9c2b07f82872d3d9bf5f5853690f81df594fad9d50a9bbd

Download Submit
C:\Windows\System\SfWDZxT.exe

Filesize
5.2MB

MD5
31122c3a014abf50df591b9f72ade2ca

SHA1
79594fd3c32cdbb06e4aa1a0a871b8a926fb076d

SHA256
e5381eceb21e47c0837fe79915de2e6c8acf2274e5eed79598314665c2489507

SHA512
9969d6d669ebaf0c935262fb7d61b0e2c491c99fc4a4e506e4d31baee89c336af50ac5e8c86971ba7f3b82254659bbed9a5691a07de744c2e4ef1184316a0b58

Download Submit
C:\Windows\System\VKUqagu.exe

Filesize
5.2MB

MD5
9ad9aba9533a06325247e9aea976390a

SHA1
1c261a6470b70b4605d781b9343a00ebb5b5dc38

SHA256
27dac970ef18c03d187c9ff16b1e69e528be4f380fda1696440408729a2f3e30

SHA512
a2c2154d1b89d5e7a02e2f25c28e7c060c7731120998efec196107164ca7106480578cab73f801278e572bab9aee397339ac77622036b0a748e920830d3262c0

Download Submit
C:\Windows\System\ZPdoLYX.exe

Filesize
5.2MB

MD5
18440d737de8fa12d5b6a37bbd9a38fd

SHA1
022774e5397b1a0beecbacb9a5d4d82066d7bc2f

SHA256
ba6ebdc87edd326228d6524c31474f3cbf56b211f935a8acb3d68aaaf468b7c4

SHA512
2dcf2053262a5b51f51d7a299ba1c2b1c3dfa0477857bb34f959af99a6efad86aea376854f97ca942fee957a807890b428b9e4521f7219d13d027d1275ddd27c

Download Submit
C:\Windows\System\cqJWQmt.exe

Filesize
5.2MB

MD5
329764cbbe9d8d94467caca5ed0cd2f4

SHA1
58aaef9c6fb6405b513c8f162dedc6c6eea048ba

SHA256
70303d3691a452ef6c22e57cdcae1127aaac0f2e484d6ea699d4d5600249793a

SHA512
9a7352551a8a88d9d46e08355f82a9e68bbe987024c1acdf8a8a38bc17b9928e590dd18caa053ed97ec534bbfda5ed5ad0a7d2179df136a4425634791407333a

Download Submit
C:\Windows\System\fmmmpbR.exe

Filesize
5.2MB

MD5
f2c55991826ca6f6001daddede0f41dc

SHA1
e5b8b49ffd4cbd4e8076fab0035c133fc89ec720

SHA256
3218caf873d4e6fbc99110d895826baa89c4fd5f51a40303be0e5dd2fcc65223

SHA512
f1e44f9b4be0336bfefc092ee26060adc232720aad22a5a59db7ad1020fd627e8a2697461d1ba55ae267b6d8be44e9cb1671e1fd2d461b538a0252dc9b36a370

Download Submit
C:\Windows\System\gzxQTQH.exe

Filesize
5.2MB

MD5
303c1e883fb573d78a531a2ee18b65cf

SHA1
b6909fbf44046d2cb191da72158360c5a711d819

SHA256
8bc3c93980faeedc0c8eea0808c98d6a18be0e9775cb97691c8b4f301a071459

SHA512
25310bf0480418e0889f038546909baec17f1583d9f5df17ebe5806e1dde8b02b2caa226165e918ed0461d1b058211ea293b7bdabd7592ebe6f00260614e4259

Download Submit
C:\Windows\System\luuOYRC.exe

Filesize
5.2MB

MD5
419fe04cdcc0c936fa7d06cbbba1de84

SHA1
c55bb6b4f432dba7f0a91b1ad6b9439ee4b12c46

SHA256
d0fe684fa1767c912582622418eb80890468a22db9b6f3298b5a95a9025fdd86

SHA512
c63a05e409c1a49c507d236c9e0dea04ef2a63e2f043dfb913d75686cea0f141e91ea2932d9e9902d8780af6822fed09f1a9edb3e0f2d0fb14ca62a0623b4fb0

Download Submit
C:\Windows\System\mgqoDvg.exe

Filesize
5.2MB

MD5
90463adfa08f61fae3474cbf99d2fec8

SHA1
be09ec178b9e3efa39f7704fac685c0acdf49135

SHA256
82f5eed16a5eed850053bec6439355bf3c0e2f402a08bbd02de39f36d235c477

SHA512
4cd8a4963972bce483eb66c07236195ef74ec3a9e7879a7ca90eab82e41a302c1f751771b8c3a517a287c76cba5331b61eecc1eaaab4e139b1166bfbf44aaa5b

Download Submit
C:\Windows\System\qYPSooK.exe

Filesize
5.2MB

MD5
799b9786f5fea822093231289b2ea748

SHA1
1bcf338b26de15f6a6fbd218eb5e654fbe72b410

SHA256
19f55cf6925760117a8df1e003f507ac8a04dbd4057707c41f0e1fa360b090ee

SHA512
55e77999bbe9d7c117ddb69e9273712c7e820f5c971b93b620b1061841f9ef0f944bf4b2a0ac8b33fa2b8c9614d87f6a9995af23b36ce97456e4ccba8c7102f1

Download Submit
C:\Windows\System\qcngXbH.exe

Filesize
5.2MB

MD5
fb9a4c6daa7bd3917106a71a34b2a9c3

SHA1
0dfcc2969884614f4eccbb1ab60147ba92e5934b

SHA256
f1e18adb7ca81992177e4fddeef0c215464068fc481fb081c8af201b1b190e23

SHA512
f91affbb0dabf8386da73e49b227af0b1dc170004665f72ca1b8f00b2b0d89563465b7ea787b936a0b6aa536eb95318a8b8abe3ff60732cab1b520c3c1044e84

Download Submit
C:\Windows\System\rxhgJEc.exe

Filesize
5.2MB

MD5
98adb278d34700b61c7799d98f1f44f3

SHA1
94ccf564bfb08646f26d20241457aaeb7008a556

SHA256
3bb105e999b0310603dd2812b2dec408811ad49b28c70bcbebbba3c8e08200e9

SHA512
0469d2d8505652df1532bf068f62830ee7202d164300a016a8a08e4af221a27ef86e4cd3478e2e5c30e12690c102b8f13f7a48205d6a8850c115eb12b35c8fcb

Download Submit
C:\Windows\System\sMmTQHH.exe

Filesize
5.2MB

MD5
ecf7c4bed8da65ce4622c7bed295fa51

SHA1
dd0470fa907ddf6bf65f1bf8d01d9d0da0304326

SHA256
7a1275ea19113cebaece303606838adbae8c3782b2c66d3c41a022c9c8b19487

SHA512
580e0ea93c3b06eb430013283710e71848315dd9f8b1e9070684a41c8ea4e137d28ae42007cac3cbf8520ba0d88892a52d918657a9abb42eb5468a5493a70a55

Download Submit
C:\Windows\System\uaNmGgU.exe

Filesize
5.2MB

MD5
73bf383761222b00a63ca32dc55dbcd9

SHA1
65ab616353f94eb136a6623690d5be5cadcd956e

SHA256
81fbd11cb955e89ebe89ee17dfb837aaa9b0b02bcf0fefd292eeeb244d88ef54

SHA512
c37c69885a90972b6a8ba078a494c5f80556b2482f2dd1d296733c38ca24dff9d1962bc9fe17d4de66f584ea01155958202019dc8298c78725bab9d08506e3ab

Download Submit
C:\Windows\System\xyvwPaD.exe

Filesize
5.2MB

MD5
949467fed0e16aa5d6328293280d5203

SHA1
86931011b812eca1a82a45b6822e9bc255c2564f

SHA256
37ce661c81783e137aaab6845424ef57a2b254e03ff2ee00062818f428d9cc38

SHA512
0960f88190c2063eb8d274e896b5316985ca6dee31697025067e152b2dbeeabecab83f9d45922eff477c08648a3233b86f376a10cd84d4cfa9e71e0e1e43bef3

Download Submit
C:\Windows\System\yoVrCSd.exe

Filesize
5.2MB

MD5
5b708d59a29712e6c1d143d1b0f3dfde

SHA1
8f51b0c047eb6e971121946c8935d89bb0f1647d

SHA256
69de5663296bb20577238c35e84992ce31ed3f37a31e087eb53f09ef56c6ead3

SHA512
5aa9e9394678a9dd993e118132eca676782911638af247d980c5d8e38f4895abe14d2a541cef595904ff746c1b8e26afb30d98689796ff552c2bbb50dd75cc2e

Download Submit
C:\Windows\System\zTxoixH.exe

Filesize
5.2MB

MD5
eec24e6ec84404fe93a319ee4ade29de

SHA1
fe1ec08b67364ecf07148678f4a43deb869769e8

SHA256
43fbad9ddcebe2de6be229b2f65d223a44860e89ba4929f1f19d668ef3d4ecbb

SHA512
3559a6822ea34794fa64f0f8d0c43452aee5da20e949cff80f310c7cfdbb20988796bcdad2fff2dea7966f9b171fab216c88b766132b742f65536a9c36113916

Download Submit
memory/208-259-0x00007FF70E6D0000-0x00007FF70EA21000-memory.dmp

Filesize
3.3MB

Download
memory/208-129-0x00007FF70E6D0000-0x00007FF70EA21000-memory.dmp

Filesize
3.3MB

Download
memory/376-133-0x00007FF6A5D40000-0x00007FF6A6091000-memory.dmp

Filesize
3.3MB

Download
memory/376-270-0x00007FF6A5D40000-0x00007FF6A6091000-memory.dmp

Filesize
3.3MB

Download
memory/740-36-0x00007FF6102E0000-0x00007FF610631000-memory.dmp

Filesize
3.3MB

Download
memory/740-134-0x00007FF6102E0000-0x00007FF610631000-memory.dmp

Filesize
3.3MB

Download
memory/740-234-0x00007FF6102E0000-0x00007FF610631000-memory.dmp

Filesize
3.3MB

Download
memory/940-51-0x00007FF7FB6B0000-0x00007FF7FBA01000-memory.dmp

Filesize
3.3MB

Download
memory/940-238-0x00007FF7FB6B0000-0x00007FF7FBA01000-memory.dmp

Filesize
3.3MB

Download
memory/940-136-0x00007FF7FB6B0000-0x00007FF7FBA01000-memory.dmp

Filesize
3.3MB

Download
memory/1104-250-0x00007FF7377A0000-0x00007FF737AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1104-61-0x00007FF7377A0000-0x00007FF737AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1104-148-0x00007FF7377A0000-0x00007FF737AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-260-0x00007FF70C7B0000-0x00007FF70CB01000-memory.dmp

Filesize
3.3MB

Download
memory/1224-94-0x00007FF70C7B0000-0x00007FF70CB01000-memory.dmp

Filesize
3.3MB

Download
memory/1224-154-0x00007FF70C7B0000-0x00007FF70CB01000-memory.dmp

Filesize
3.3MB

Download
memory/1484-162-0x00007FF679DF0000-0x00007FF67A141000-memory.dmp

Filesize
3.3MB

Download
memory/1484-85-0x00007FF679DF0000-0x00007FF67A141000-memory.dmp

Filesize
3.3MB

Download
memory/1484-254-0x00007FF679DF0000-0x00007FF67A141000-memory.dmp

Filesize
3.3MB

Download
memory/1520-218-0x00007FF7958B0000-0x00007FF795C01000-memory.dmp

Filesize
3.3MB

Download
memory/1520-18-0x00007FF7958B0000-0x00007FF795C01000-memory.dmp

Filesize
3.3MB

Download
memory/1520-104-0x00007FF7958B0000-0x00007FF795C01000-memory.dmp

Filesize
3.3MB

Download
memory/1668-30-0x00007FF692E40000-0x00007FF693191000-memory.dmp

Filesize
3.3MB

Download
memory/1668-232-0x00007FF692E40000-0x00007FF693191000-memory.dmp

Filesize
3.3MB

Download
memory/1668-132-0x00007FF692E40000-0x00007FF693191000-memory.dmp

Filesize
3.3MB

Download
memory/1964-152-0x00007FF7E2870000-0x00007FF7E2BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1964-93-0x00007FF7E2870000-0x00007FF7E2BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1964-253-0x00007FF7E2870000-0x00007FF7E2BC1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-66-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-1-0x0000016EED100000-0x0000016EED110000-memory.dmp

Filesize
64KB

Download
memory/2504-137-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-0-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-163-0x00007FF65DD50000-0x00007FF65E0A1000-memory.dmp

Filesize
3.3MB

Download
memory/2776-72-0x00007FF731EB0000-0x00007FF732201000-memory.dmp

Filesize
3.3MB

Download
memory/2776-8-0x00007FF731EB0000-0x00007FF732201000-memory.dmp

Filesize
3.3MB

Download
memory/2776-214-0x00007FF731EB0000-0x00007FF732201000-memory.dmp

Filesize
3.3MB

Download
memory/2976-13-0x00007FF656210000-0x00007FF656561000-memory.dmp

Filesize
3.3MB

Download
memory/2976-86-0x00007FF656210000-0x00007FF656561000-memory.dmp

Filesize
3.3MB

Download
memory/2976-216-0x00007FF656210000-0x00007FF656561000-memory.dmp

Filesize
3.3MB

Download
memory/3096-127-0x00007FF698690000-0x00007FF6989E1000-memory.dmp

Filesize
3.3MB

Download
memory/3096-158-0x00007FF698690000-0x00007FF6989E1000-memory.dmp

Filesize
3.3MB

Download
memory/3096-262-0x00007FF698690000-0x00007FF6989E1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-105-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-156-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-264-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3924-256-0x00007FF6D3660000-0x00007FF6D39B1000-memory.dmp

Filesize
3.3MB

Download
memory/3924-150-0x00007FF6D3660000-0x00007FF6D39B1000-memory.dmp

Filesize
3.3MB

Download
memory/3924-70-0x00007FF6D3660000-0x00007FF6D39B1000-memory.dmp

Filesize
3.3MB

Download
memory/4044-266-0x00007FF7703A0000-0x00007FF7706F1000-memory.dmp

Filesize
3.3MB

Download
memory/4044-155-0x00007FF7703A0000-0x00007FF7706F1000-memory.dmp

Filesize
3.3MB

Download
memory/4044-106-0x00007FF7703A0000-0x00007FF7706F1000-memory.dmp

Filesize
3.3MB

Download
memory/4648-220-0x00007FF7F0A10000-0x00007FF7F0D61000-memory.dmp

Filesize
3.3MB

Download
memory/4648-26-0x00007FF7F0A10000-0x00007FF7F0D61000-memory.dmp

Filesize
3.3MB

Download
memory/4648-114-0x00007FF7F0A10000-0x00007FF7F0D61000-memory.dmp

Filesize
3.3MB

Download
memory/4688-268-0x00007FF6BE8E0000-0x00007FF6BEC31000-memory.dmp

Filesize
3.3MB

Download
memory/4688-128-0x00007FF6BE8E0000-0x00007FF6BEC31000-memory.dmp

Filesize
3.3MB

Download
memory/4688-160-0x00007FF6BE8E0000-0x00007FF6BEC31000-memory.dmp

Filesize
3.3MB

Download
memory/4808-161-0x00007FF664CF0000-0x00007FF665041000-memory.dmp

Filesize
3.3MB

Download
memory/4808-248-0x00007FF664CF0000-0x00007FF665041000-memory.dmp

Filesize
3.3MB

Download
memory/4808-81-0x00007FF664CF0000-0x00007FF665041000-memory.dmp

Filesize
3.3MB

Download
memory/5088-147-0x00007FF7FE200000-0x00007FF7FE551000-memory.dmp

Filesize
3.3MB

Download
memory/5088-57-0x00007FF7FE200000-0x00007FF7FE551000-memory.dmp

Filesize
3.3MB

Download
memory/5088-240-0x00007FF7FE200000-0x00007FF7FE551000-memory.dmp

Filesize
3.3MB

Download
memory/5108-236-0x00007FF6A9280000-0x00007FF6A95D1000-memory.dmp

Filesize
3.3MB

Download
memory/5108-42-0x00007FF6A9280000-0x00007FF6A95D1000-memory.dmp

Filesize
3.3MB

Download
memory/5108-135-0x00007FF6A9280000-0x00007FF6A95D1000-memory.dmp

Filesize
3.3MB

Download