cobaltstrike | 0dd9b62ece79eb25fd02d73d49b8e657fa37ca7fa834bf41d9b15eb284eef06a

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

bfb5e6e2de5e6b0c4dea88ac5de97e43
SHA1

6a5b1590ddb323018e89cec1e29b4c88a5f8ce29
SHA256

0dd9b62ece79eb25fd02d73d49b8e657fa37ca7fa834bf41d9b15eb284eef06a
SHA512

c304ccbad984fc658b3577c1585596da8664402db4c6836595867bc8681a6ec33b106be769fdd4e5ee90d27c812cb5e567d7fa1f7f98299f5ef125284bb9d257
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6le:RWWBib+56utgpPFotBER/mQ32lUq

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c93-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-87.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c94-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-81.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c9f-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-40.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4068-75-0x00007FF697790000-0x00007FF697AE1000-memory.dmp	xmrig
behavioral2/memory/4844-123-0x00007FF67FD60000-0x00007FF6800B1000-memory.dmp	xmrig
behavioral2/memory/4064-122-0x00007FF7A94D0000-0x00007FF7A9821000-memory.dmp	xmrig
behavioral2/memory/3784-60-0x00007FF6B3550000-0x00007FF6B38A1000-memory.dmp	xmrig
behavioral2/memory/3496-58-0x00007FF7C8370000-0x00007FF7C86C1000-memory.dmp	xmrig
behavioral2/memory/4032-128-0x00007FF7E40D0000-0x00007FF7E4421000-memory.dmp	xmrig
behavioral2/memory/2776-131-0x00007FF7F0860000-0x00007FF7F0BB1000-memory.dmp	xmrig
behavioral2/memory/212-129-0x00007FF6FDC90000-0x00007FF6FDFE1000-memory.dmp	xmrig
behavioral2/memory/3400-130-0x00007FF720580000-0x00007FF7208D1000-memory.dmp	xmrig
behavioral2/memory/4704-132-0x00007FF62A240000-0x00007FF62A591000-memory.dmp	xmrig
behavioral2/memory/5108-139-0x00007FF6756C0000-0x00007FF675A11000-memory.dmp	xmrig
behavioral2/memory/224-148-0x00007FF650820000-0x00007FF650B71000-memory.dmp	xmrig
behavioral2/memory/1780-146-0x00007FF7E7140000-0x00007FF7E7491000-memory.dmp	xmrig
behavioral2/memory/1140-142-0x00007FF6EFC40000-0x00007FF6EFF91000-memory.dmp	xmrig
behavioral2/memory/4448-137-0x00007FF7A4C10000-0x00007FF7A4F61000-memory.dmp	xmrig
behavioral2/memory/460-135-0x00007FF6FFF30000-0x00007FF700281000-memory.dmp	xmrig
behavioral2/memory/856-147-0x00007FF68A340000-0x00007FF68A691000-memory.dmp	xmrig
behavioral2/memory/4720-145-0x00007FF728C80000-0x00007FF728FD1000-memory.dmp	xmrig
behavioral2/memory/2696-143-0x00007FF6CB740000-0x00007FF6CBA91000-memory.dmp	xmrig
behavioral2/memory/1396-140-0x00007FF61A480000-0x00007FF61A7D1000-memory.dmp	xmrig
behavioral2/memory/3740-136-0x00007FF758C60000-0x00007FF758FB1000-memory.dmp	xmrig
behavioral2/memory/4032-150-0x00007FF7E40D0000-0x00007FF7E4421000-memory.dmp	xmrig
behavioral2/memory/3232-149-0x00007FF6E89F0000-0x00007FF6E8D41000-memory.dmp	xmrig
behavioral2/memory/4032-151-0x00007FF7E40D0000-0x00007FF7E4421000-memory.dmp	xmrig
behavioral2/memory/212-209-0x00007FF6FDC90000-0x00007FF6FDFE1000-memory.dmp	xmrig
behavioral2/memory/3400-211-0x00007FF720580000-0x00007FF7208D1000-memory.dmp	xmrig
behavioral2/memory/2776-213-0x00007FF7F0860000-0x00007FF7F0BB1000-memory.dmp	xmrig
behavioral2/memory/3496-216-0x00007FF7C8370000-0x00007FF7C86C1000-memory.dmp	xmrig
behavioral2/memory/4704-217-0x00007FF62A240000-0x00007FF62A591000-memory.dmp	xmrig
behavioral2/memory/3784-220-0x00007FF6B3550000-0x00007FF6B38A1000-memory.dmp	xmrig
behavioral2/memory/460-223-0x00007FF6FFF30000-0x00007FF700281000-memory.dmp	xmrig
behavioral2/memory/1396-232-0x00007FF61A480000-0x00007FF61A7D1000-memory.dmp	xmrig
behavioral2/memory/4448-240-0x00007FF7A4C10000-0x00007FF7A4F61000-memory.dmp	xmrig
behavioral2/memory/3740-239-0x00007FF758C60000-0x00007FF758FB1000-memory.dmp	xmrig
behavioral2/memory/4068-236-0x00007FF697790000-0x00007FF697AE1000-memory.dmp	xmrig
behavioral2/memory/5108-235-0x00007FF6756C0000-0x00007FF675A11000-memory.dmp	xmrig
behavioral2/memory/4844-253-0x00007FF67FD60000-0x00007FF6800B1000-memory.dmp	xmrig
behavioral2/memory/1780-249-0x00007FF7E7140000-0x00007FF7E7491000-memory.dmp	xmrig
behavioral2/memory/224-245-0x00007FF650820000-0x00007FF650B71000-memory.dmp	xmrig
behavioral2/memory/1140-257-0x00007FF6EFC40000-0x00007FF6EFF91000-memory.dmp	xmrig
behavioral2/memory/4064-258-0x00007FF7A94D0000-0x00007FF7A9821000-memory.dmp	xmrig
behavioral2/memory/2696-255-0x00007FF6CB740000-0x00007FF6CBA91000-memory.dmp	xmrig
behavioral2/memory/4720-251-0x00007FF728C80000-0x00007FF728FD1000-memory.dmp	xmrig
behavioral2/memory/856-247-0x00007FF68A340000-0x00007FF68A691000-memory.dmp	xmrig
behavioral2/memory/3232-242-0x00007FF6E89F0000-0x00007FF6E8D41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
212	rdfUQZR.exe
3400	YFSyjTy.exe
2776	DLUPKtR.exe
4704	cKQaNsV.exe
3496	rpHjhAt.exe
3784	xTEpWIm.exe
460	NRsvaXX.exe
3740	cPZRXcz.exe
4448	jgidwCM.exe
4068	OYflkII.exe
5108	qUGvEsH.exe
1396	yQmjbrz.exe
4064	WvyNVud.exe
1140	Urqezte.exe
2696	jNrrPfW.exe
4844	HYYVdde.exe
4720	dszWtbZ.exe
1780	VacodBa.exe
856	lChbaiX.exe
224	lFmxDDQ.exe
3232	jpiKCfY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4032-0-0x00007FF7E40D0000-0x00007FF7E4421000-memory.dmp	upx
behavioral2/files/0x0008000000023c93-5.dat	upx
behavioral2/memory/212-8-0x00007FF6FDC90000-0x00007FF6FDFE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-11.dat	upx
behavioral2/files/0x0007000000023c97-10.dat	upx
behavioral2/files/0x0007000000023c9b-28.dat	upx
behavioral2/files/0x0007000000023ca0-57.dat	upx
behavioral2/memory/4068-75-0x00007FF697790000-0x00007FF697AE1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-87.dat	upx
behavioral2/files/0x0008000000023c94-102.dat	upx
behavioral2/files/0x0007000000023ca7-114.dat	upx
behavioral2/memory/3232-124-0x00007FF6E89F0000-0x00007FF6E8D41000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-125.dat	upx
behavioral2/memory/4844-123-0x00007FF67FD60000-0x00007FF6800B1000-memory.dmp	upx
behavioral2/memory/4064-122-0x00007FF7A94D0000-0x00007FF7A9821000-memory.dmp	upx
behavioral2/memory/224-120-0x00007FF650820000-0x00007FF650B71000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-119.dat	upx
behavioral2/files/0x0007000000023ca8-116.dat	upx
behavioral2/files/0x0007000000023ca6-112.dat	upx
behavioral2/files/0x0007000000023ca5-110.dat	upx
behavioral2/memory/856-109-0x00007FF68A340000-0x00007FF68A691000-memory.dmp	upx
behavioral2/memory/1780-108-0x00007FF7E7140000-0x00007FF7E7491000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-104.dat	upx
behavioral2/memory/4720-101-0x00007FF728C80000-0x00007FF728FD1000-memory.dmp	upx
behavioral2/memory/2696-100-0x00007FF6CB740000-0x00007FF6CBA91000-memory.dmp	upx
behavioral2/memory/1140-94-0x00007FF6EFC40000-0x00007FF6EFF91000-memory.dmp	upx
behavioral2/memory/1396-91-0x00007FF61A480000-0x00007FF61A7D1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-81.dat	upx
behavioral2/files/0x0008000000023c9f-67.dat	upx
behavioral2/memory/5108-66-0x00007FF6756C0000-0x00007FF675A11000-memory.dmp	upx
behavioral2/memory/3740-65-0x00007FF758C60000-0x00007FF758FB1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-62.dat	upx
behavioral2/memory/3784-60-0x00007FF6B3550000-0x00007FF6B38A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-59.dat	upx
behavioral2/memory/3496-58-0x00007FF7C8370000-0x00007FF7C86C1000-memory.dmp	upx
behavioral2/memory/4448-49-0x00007FF7A4C10000-0x00007FF7A4F61000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-52.dat	upx
behavioral2/memory/460-39-0x00007FF6FFF30000-0x00007FF700281000-memory.dmp	upx
behavioral2/memory/4704-36-0x00007FF62A240000-0x00007FF62A591000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-33.dat	upx
behavioral2/files/0x0007000000023c9a-40.dat	upx
behavioral2/memory/2776-26-0x00007FF7F0860000-0x00007FF7F0BB1000-memory.dmp	upx
behavioral2/memory/3400-12-0x00007FF720580000-0x00007FF7208D1000-memory.dmp	upx
behavioral2/memory/4032-128-0x00007FF7E40D0000-0x00007FF7E4421000-memory.dmp	upx
behavioral2/memory/2776-131-0x00007FF7F0860000-0x00007FF7F0BB1000-memory.dmp	upx
behavioral2/memory/212-129-0x00007FF6FDC90000-0x00007FF6FDFE1000-memory.dmp	upx
behavioral2/memory/3400-130-0x00007FF720580000-0x00007FF7208D1000-memory.dmp	upx
behavioral2/memory/4704-132-0x00007FF62A240000-0x00007FF62A591000-memory.dmp	upx
behavioral2/memory/5108-139-0x00007FF6756C0000-0x00007FF675A11000-memory.dmp	upx
behavioral2/memory/224-148-0x00007FF650820000-0x00007FF650B71000-memory.dmp	upx
behavioral2/memory/1780-146-0x00007FF7E7140000-0x00007FF7E7491000-memory.dmp	upx
behavioral2/memory/1140-142-0x00007FF6EFC40000-0x00007FF6EFF91000-memory.dmp	upx
behavioral2/memory/4448-137-0x00007FF7A4C10000-0x00007FF7A4F61000-memory.dmp	upx
behavioral2/memory/460-135-0x00007FF6FFF30000-0x00007FF700281000-memory.dmp	upx
behavioral2/memory/856-147-0x00007FF68A340000-0x00007FF68A691000-memory.dmp	upx
behavioral2/memory/4720-145-0x00007FF728C80000-0x00007FF728FD1000-memory.dmp	upx
behavioral2/memory/2696-143-0x00007FF6CB740000-0x00007FF6CBA91000-memory.dmp	upx
behavioral2/memory/1396-140-0x00007FF61A480000-0x00007FF61A7D1000-memory.dmp	upx
behavioral2/memory/3740-136-0x00007FF758C60000-0x00007FF758FB1000-memory.dmp	upx
behavioral2/memory/4032-150-0x00007FF7E40D0000-0x00007FF7E4421000-memory.dmp	upx
behavioral2/memory/3232-149-0x00007FF6E89F0000-0x00007FF6E8D41000-memory.dmp	upx
behavioral2/memory/4032-151-0x00007FF7E40D0000-0x00007FF7E4421000-memory.dmp	upx
behavioral2/memory/212-209-0x00007FF6FDC90000-0x00007FF6FDFE1000-memory.dmp	upx
behavioral2/memory/3400-211-0x00007FF720580000-0x00007FF7208D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\NRsvaXX.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dszWtbZ.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cKQaNsV.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HYYVdde.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lChbaiX.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jgidwCM.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DLUPKtR.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cPZRXcz.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Urqezte.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lFmxDDQ.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jpiKCfY.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rdfUQZR.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rpHjhAt.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xTEpWIm.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OYflkII.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qUGvEsH.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yQmjbrz.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WvyNVud.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jNrrPfW.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YFSyjTy.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VacodBa.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 212	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4032 wrote to memory of 212	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4032 wrote to memory of 3400	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4032 wrote to memory of 3400	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4032 wrote to memory of 2776	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4032 wrote to memory of 2776	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4032 wrote to memory of 4704	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4032 wrote to memory of 4704	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4032 wrote to memory of 3496	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4032 wrote to memory of 3496	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4032 wrote to memory of 3784	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4032 wrote to memory of 3784	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4032 wrote to memory of 460	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4032 wrote to memory of 460	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4032 wrote to memory of 3740	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4032 wrote to memory of 3740	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4032 wrote to memory of 4448	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4032 wrote to memory of 4448	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4032 wrote to memory of 4068	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4032 wrote to memory of 4068	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4032 wrote to memory of 5108	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4032 wrote to memory of 5108	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4032 wrote to memory of 1396	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4032 wrote to memory of 1396	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4032 wrote to memory of 4064	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4032 wrote to memory of 4064	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4032 wrote to memory of 1140	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4032 wrote to memory of 1140	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4032 wrote to memory of 2696	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4032 wrote to memory of 2696	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4032 wrote to memory of 4844	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4032 wrote to memory of 4844	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4032 wrote to memory of 4720	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4032 wrote to memory of 4720	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4032 wrote to memory of 1780	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4032 wrote to memory of 1780	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4032 wrote to memory of 856	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4032 wrote to memory of 856	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4032 wrote to memory of 224	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4032 wrote to memory of 224	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4032 wrote to memory of 3232	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4032 wrote to memory of 3232	4032	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Windows\System\rdfUQZR.exe
  C:\Windows\System\rdfUQZR.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\YFSyjTy.exe
  C:\Windows\System\YFSyjTy.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\DLUPKtR.exe
  C:\Windows\System\DLUPKtR.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\cKQaNsV.exe
  C:\Windows\System\cKQaNsV.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\rpHjhAt.exe
  C:\Windows\System\rpHjhAt.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\xTEpWIm.exe
  C:\Windows\System\xTEpWIm.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\NRsvaXX.exe
  C:\Windows\System\NRsvaXX.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System\cPZRXcz.exe
  C:\Windows\System\cPZRXcz.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System\jgidwCM.exe
  C:\Windows\System\jgidwCM.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System\OYflkII.exe
  C:\Windows\System\OYflkII.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\qUGvEsH.exe
  C:\Windows\System\qUGvEsH.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\yQmjbrz.exe
  C:\Windows\System\yQmjbrz.exe
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\System\WvyNVud.exe
  C:\Windows\System\WvyNVud.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\Urqezte.exe
  C:\Windows\System\Urqezte.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\jNrrPfW.exe
  C:\Windows\System\jNrrPfW.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\HYYVdde.exe
  C:\Windows\System\HYYVdde.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\dszWtbZ.exe
  C:\Windows\System\dszWtbZ.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\VacodBa.exe
  C:\Windows\System\VacodBa.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\lChbaiX.exe
  C:\Windows\System\lChbaiX.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\lFmxDDQ.exe
  C:\Windows\System\lFmxDDQ.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\jpiKCfY.exe
  C:\Windows\System\jpiKCfY.exe
  2⤵
  - Executes dropped EXE
  PID:3232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DLUPKtR.exe

Filesize
5.2MB

MD5
d593ea5ffef17c5d28d2723405b45f13

SHA1
7911bfb5546bc5e7f89c10ade3df5420791efb83

SHA256
13e86f9fb530e67c20f5f5dd004fde8b8fbeaaf9de8a961ea2c869747d66fca0

SHA512
318524ac87210c57bb6af07ef6d1f03fd49ee51ada861723cc07cf5847117c902f7fce823651e3a2510c4b79960d45ff6b7d87e943663c35e8efc59ddab3bd16

Download Submit
C:\Windows\System\HYYVdde.exe

Filesize
5.2MB

MD5
31f7936da074d77327497f233ff955b6

SHA1
8e857d1878a5048a036c5835d0c58b82e8512086

SHA256
e51e243f0e748a11b9363b3a581afbee73a9ab715f8a3230be3996b1003d4df5

SHA512
fc5978af9e98d5c1ea5a9753deaa838225816b3db6f1b273d0017f822e7bf337403dcb662548d5e9d9323e7bfcea0cf4ea917afd86067b33d7155645d5e0eacf

Download Submit
C:\Windows\System\NRsvaXX.exe

Filesize
5.2MB

MD5
7bf3a689fcf3cd628e526037756ad125

SHA1
18125b3075c8ed2150329c240576103d1b2d0b49

SHA256
f690db104818ebb9f3cb74da5c3ea84fd6084ec3682bd9f6ee531ffa1e96bd5e

SHA512
4d6967f9e2cc8e7ebb17e4a2a0f628d3a2c90e9a7de75561da6a5078be4476bea13b5a4ebed1c4bc2e8e0f3e23dd73ac5cee47774a50eb21710a7c849ae2c394

Download Submit
C:\Windows\System\OYflkII.exe

Filesize
5.2MB

MD5
5fbe8034914a1f9f52b99a2356b0664e

SHA1
d16c992c192bf28ace9a4e9a4ad916844bd54fcb

SHA256
fd50d521145ed0a194ef2113b14418bb28753010d9e30ffeb6396d68782c1093

SHA512
55b56bd7b85f4b811fe04d9de69fde40bb8ddf9643c7aa78c3f0f4fdbeb700b39d1f0642767eace6572031bc6c1dd8a094219648bda5fcf21c2e18768bc7990b

Download Submit
C:\Windows\System\Urqezte.exe

Filesize
5.2MB

MD5
af5ea118ff241baf2c9c7d0da246c143

SHA1
0ff6db318323f35fb100f6d0dd38db76415d5a2c

SHA256
bba859b33a27b64ce5739b1ba3eaf3eefd5dcfdac10f6553d18c6f9cf3a78a84

SHA512
3543628de04001d924da3679a5745854601aa548d55400a454fe95c0533c06d32925495e7bdbd72a8d0b48779bcc38ece6f0403b76f3cd3f7ad6579ddc0d3caa

Download Submit
C:\Windows\System\VacodBa.exe

Filesize
5.2MB

MD5
e4638409cc4bc80f19262ac1dd56bf1c

SHA1
e1b250b804fa7bedd729db49b3e459a5cafd96fb

SHA256
734789b377f020ec14528a8e0cb7fc07322b7542e749179dd187b744831959c3

SHA512
fb144a444fe5a447a69760571672cd83d72f7f696c84fb017751cc55038139b237025148f026a080f7a3327bd68e1874750b4a21b6532e33ef2a635d2d83c3b4

Download Submit
C:\Windows\System\WvyNVud.exe

Filesize
5.2MB

MD5
746e0b3de2bd065bfc72a9724da8b3aa

SHA1
f8c3a9e66fc9a3360a258295863f19309058390e

SHA256
3eb915360656e2a94294ed5110c235c260742dba6d23a546a2dfb1beb649c3c8

SHA512
e21084d2d98d74a1f711109349145a5762ef2692d0ba79d424f46c582b523d5fe9e353cb6b326ec0fcd6e4a3e2da2bb8eca5c2bcf0e32ac0d14a63ad3d871acd

Download Submit
C:\Windows\System\YFSyjTy.exe

Filesize
5.2MB

MD5
562630263d9da65051758c92b3b74103

SHA1
cbc2c537e9525cc396e72c31c06ed6a02c5e8476

SHA256
9b0d85b5f2faa2ef21d4809e2f0a17166f0b51c5f29f229c358c215c6afdb983

SHA512
c68095b7a4e3246e569444e15b5c208dd7c5d799c461d9932e6981091bb6f46790b05810028122343403bef4d1094a004befe8d5b573ba0920c1f12ed80e7afb

Download Submit
C:\Windows\System\cKQaNsV.exe

Filesize
5.2MB

MD5
68107aebf70cc137412aa1df50ad09d6

SHA1
d2f14480891031e78ec63c7ce824d95120f42d74

SHA256
4dd6d4decdb62a8ee2d387cd05cd699a3f1b6d6258c916a8b2fd41d8c56e7199

SHA512
6d5eec16e576ed7abf300358881bc8bbcf49ada727d23eec8bfc011696a6156981578228043aed510f1bb32051a90b7cef3ff13ebe4a5b8cd5f7d222e3db857c

Download Submit
C:\Windows\System\cPZRXcz.exe

Filesize
5.2MB

MD5
c406e5f2e60c36a0b24e5a5d54fe5645

SHA1
59b5c6879a48dce3ad1d5824d5d34b24bae68e1d

SHA256
f3e56c81b2cf8424fcab5c428dbd27bb6e034e71250b53f5f89b39951bc51b87

SHA512
2621f3e97120eb5567ee1a9bb69b92630305aff6e3ef1f96de9247aae0478bddfc5e940eab5df6f79f91c4ffb2b9d416817e35c7094f856da7ca17133697e764

Download Submit
C:\Windows\System\dszWtbZ.exe

Filesize
5.2MB

MD5
e66f2e5d0fab1849b2eec29a901ee035

SHA1
bad15e7aa588224ce9d559e06319285ea635ddf3

SHA256
5d326b18e002e88e1c94d21171edc9228f5980361faa659867983009d89eb239

SHA512
08eb4700e3814d5b4041e10956a6de711abc6b0a61f25f1d54710e5d6f0912f4740e73fdbc8bf1343f8f5aeef674d0ebd29255f61f77d967da622c8de3174206

Download Submit
C:\Windows\System\jNrrPfW.exe

Filesize
5.2MB

MD5
d8bc6a1c431091b5feade9dd3e75dfa2

SHA1
e7d54a06926b8fb4cf5caf38d2de14d8bdc5f840

SHA256
5817b21ff9a05a52cc2b342993c9987c3083e39860bbd8d8020840f50fc96582

SHA512
62012411198bfffae07b228c3b1df4636e896922467112cf2f7572795ca8cf3a8bc18f0ce08b64aba02bb49e3059f2e1ecfba12e8c40e71f136542f53458c31a

Download Submit
C:\Windows\System\jgidwCM.exe

Filesize
5.2MB

MD5
61483884fc4b3ce9fe9872590acccf28

SHA1
73b81825de13f02fa9ca65055189198c7608cd33

SHA256
85fecca813a50af69a164c7c17ab067bdf5fa8e5372f536132a9a73082992bae

SHA512
9fb95dd3242f7a4129465714ca17332fb2772a82ff13ce0f9a96178364d7a760393cd9a5c7780887d2b771d96d7b67adc460173599689348f60bfb9c0e3d45d1

Download Submit
C:\Windows\System\jpiKCfY.exe

Filesize
5.2MB

MD5
b64c0382810b2c943cd707e21158d05d

SHA1
98557cb2f9f0c3c4f6580d4d15c94222af57b60c

SHA256
b921e48b96d01739342ff121edcdc2124ae116ab216330739c89088afb62b61c

SHA512
91f94626482362503968f9a3650c1c292a4b13dd4e4ca5de831232cd035a6938bb61179de0a12f1e54930c9cb6b0398a94c79c619a9189d15ee4991146a653ed

Download Submit
C:\Windows\System\lChbaiX.exe

Filesize
5.2MB

MD5
07e4996af1fe3d2568406d623e9b4614

SHA1
f2eea89ab470a8bf5597f3652ef2f11ac0ac9f02

SHA256
92d3f0899c58301e851f4e70c8c085feabafdbef5d168a8f1f71bc72d8602779

SHA512
ccea6ef12a1648e6dc9e33aacb7866770c4f6e103a5295cbae9f8074a8d21af978729dbedfd812fb4859b00d82a473de162808e1e492a7cba6251c7c8645f153

Download Submit
C:\Windows\System\lFmxDDQ.exe

Filesize
5.2MB

MD5
bf624cc323a95b7da9502030b70a58bb

SHA1
87b199fe72359d08a8d1d5469a81ae8abf88ffa8

SHA256
bdb151e18acd4a91df7bcffe0eab698c0791b9a6ffad41de35275d095232c02d

SHA512
ea55539779f8c22bc5d5505edb5fb3c0dbe235462a3ac27d7c62b53549eed61fe207b31afd907c8e9bd878307b2d5ca808f4a1c201619f48822d1d532ecd37a7

Download Submit
C:\Windows\System\qUGvEsH.exe

Filesize
5.2MB

MD5
424f36fdebd28529c788d1b044d656b1

SHA1
f8407ac08431f30b8e9a10d922942530b133d0ba

SHA256
740216d8f567b374b2c1edd83394b9d4cfdf459d93c2b94501874b260c8a07ce

SHA512
02786e314b84dcd9c37a5ad331c1f34d27fe74eb187de66d4e2824aa1f5faa1b080190ebab3c2e93b30fd26158f1eb4093eca33496ae470e5daaca2516488eb1

Download Submit
C:\Windows\System\rdfUQZR.exe

Filesize
5.2MB

MD5
96a9fddfe31b5ec9cf8a7318b31d2d11

SHA1
f918f79a95f47ea0c36e250bbfaeddefaea64943

SHA256
84bcdecc9055dcd73638d724a9c7b26866a1872907399296d6231e5809477e7b

SHA512
5a07d3c38e6cb52bddb022e3c19fbafd24ab1a02d52c1c7566bf729b20a2b27d57572f3a189808a46c098f2ee5528d0703510dbc34ee4722874785e329090d0a

Download Submit
C:\Windows\System\rpHjhAt.exe

Filesize
5.2MB

MD5
3669f48b24da662012c665d178164b3d

SHA1
f344071ea186f5de7e9b81143f2377ce30bfff68

SHA256
a0e48c0ff153dbae6cc4f263818d96f7cf004b1c70a0009821b7c90164f20d77

SHA512
92ab5cd29fd44963e140af6991847b4cf9f3598a17ffc825ac556062e428dd8d733b9865793ae5a0e5765f8c887994eb0af20b933b99d7a5f20a9f58504dcba3

Download Submit
C:\Windows\System\xTEpWIm.exe

Filesize
5.2MB

MD5
e01162a9b85062ccbdc834ba6182534b

SHA1
81fd57e8cb3f3ca068932652df169a6c8edaa373

SHA256
c1e5f93149e34c1fa72ab4e3892204b040fc51671c688e1330bd3659789ed619

SHA512
a3ded5286a4bdf456d7f9b42b7750c6d15c80dad5c276982ef44f99f2a5ff710512b6329677532a702198500046ce28c3e0e5f9da51c184d17569d08f5b406a7

Download Submit
C:\Windows\System\yQmjbrz.exe

Filesize
5.2MB

MD5
cd79b6176f148e1da316ff8b7004e857

SHA1
6f4fcde3fecd94ff9d08de0de23ebe8d6949e256

SHA256
80f785055da4282e9eab37c073f19094db6fba361dc87750345dfaffc3ea8b9c

SHA512
7c55fce5d0ca338f0d6ae73e1a31f613c5c475b6079a27db581f76fc9f4ba34f4baf1b2c9cccd48b526b927a11fc41bd07cfd065cbc772d7979f9314901e635c

Download Submit
memory/212-129-0x00007FF6FDC90000-0x00007FF6FDFE1000-memory.dmp

Filesize
3.3MB

Download
memory/212-8-0x00007FF6FDC90000-0x00007FF6FDFE1000-memory.dmp

Filesize
3.3MB

Download
memory/212-209-0x00007FF6FDC90000-0x00007FF6FDFE1000-memory.dmp

Filesize
3.3MB

Download
memory/224-120-0x00007FF650820000-0x00007FF650B71000-memory.dmp

Filesize
3.3MB

Download
memory/224-245-0x00007FF650820000-0x00007FF650B71000-memory.dmp

Filesize
3.3MB

Download
memory/224-148-0x00007FF650820000-0x00007FF650B71000-memory.dmp

Filesize
3.3MB

Download
memory/460-223-0x00007FF6FFF30000-0x00007FF700281000-memory.dmp

Filesize
3.3MB

Download
memory/460-39-0x00007FF6FFF30000-0x00007FF700281000-memory.dmp

Filesize
3.3MB

Download
memory/460-135-0x00007FF6FFF30000-0x00007FF700281000-memory.dmp

Filesize
3.3MB

Download
memory/856-109-0x00007FF68A340000-0x00007FF68A691000-memory.dmp

Filesize
3.3MB

Download
memory/856-147-0x00007FF68A340000-0x00007FF68A691000-memory.dmp

Filesize
3.3MB

Download
memory/856-247-0x00007FF68A340000-0x00007FF68A691000-memory.dmp

Filesize
3.3MB

Download
memory/1140-94-0x00007FF6EFC40000-0x00007FF6EFF91000-memory.dmp

Filesize
3.3MB

Download
memory/1140-142-0x00007FF6EFC40000-0x00007FF6EFF91000-memory.dmp

Filesize
3.3MB

Download
memory/1140-257-0x00007FF6EFC40000-0x00007FF6EFF91000-memory.dmp

Filesize
3.3MB

Download
memory/1396-140-0x00007FF61A480000-0x00007FF61A7D1000-memory.dmp

Filesize
3.3MB

Download
memory/1396-91-0x00007FF61A480000-0x00007FF61A7D1000-memory.dmp

Filesize
3.3MB

Download
memory/1396-232-0x00007FF61A480000-0x00007FF61A7D1000-memory.dmp

Filesize
3.3MB

Download
memory/1780-108-0x00007FF7E7140000-0x00007FF7E7491000-memory.dmp

Filesize
3.3MB

Download
memory/1780-249-0x00007FF7E7140000-0x00007FF7E7491000-memory.dmp

Filesize
3.3MB

Download
memory/1780-146-0x00007FF7E7140000-0x00007FF7E7491000-memory.dmp

Filesize
3.3MB

Download
memory/2696-143-0x00007FF6CB740000-0x00007FF6CBA91000-memory.dmp

Filesize
3.3MB

Download
memory/2696-100-0x00007FF6CB740000-0x00007FF6CBA91000-memory.dmp

Filesize
3.3MB

Download
memory/2696-255-0x00007FF6CB740000-0x00007FF6CBA91000-memory.dmp

Filesize
3.3MB

Download
memory/2776-26-0x00007FF7F0860000-0x00007FF7F0BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2776-131-0x00007FF7F0860000-0x00007FF7F0BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2776-213-0x00007FF7F0860000-0x00007FF7F0BB1000-memory.dmp

Filesize
3.3MB

Download
memory/3232-149-0x00007FF6E89F0000-0x00007FF6E8D41000-memory.dmp

Filesize
3.3MB

Download
memory/3232-124-0x00007FF6E89F0000-0x00007FF6E8D41000-memory.dmp

Filesize
3.3MB

Download
memory/3232-242-0x00007FF6E89F0000-0x00007FF6E8D41000-memory.dmp

Filesize
3.3MB

Download
memory/3400-12-0x00007FF720580000-0x00007FF7208D1000-memory.dmp

Filesize
3.3MB

Download
memory/3400-130-0x00007FF720580000-0x00007FF7208D1000-memory.dmp

Filesize
3.3MB

Download
memory/3400-211-0x00007FF720580000-0x00007FF7208D1000-memory.dmp

Filesize
3.3MB

Download
memory/3496-216-0x00007FF7C8370000-0x00007FF7C86C1000-memory.dmp

Filesize
3.3MB

Download
memory/3496-58-0x00007FF7C8370000-0x00007FF7C86C1000-memory.dmp

Filesize
3.3MB

Download
memory/3740-136-0x00007FF758C60000-0x00007FF758FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3740-239-0x00007FF758C60000-0x00007FF758FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3740-65-0x00007FF758C60000-0x00007FF758FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3784-220-0x00007FF6B3550000-0x00007FF6B38A1000-memory.dmp

Filesize
3.3MB

Download
memory/3784-60-0x00007FF6B3550000-0x00007FF6B38A1000-memory.dmp

Filesize
3.3MB

Download
memory/4032-150-0x00007FF7E40D0000-0x00007FF7E4421000-memory.dmp

Filesize
3.3MB

Download
memory/4032-1-0x0000029174E70000-0x0000029174E80000-memory.dmp

Filesize
64KB

Download
memory/4032-151-0x00007FF7E40D0000-0x00007FF7E4421000-memory.dmp

Filesize
3.3MB

Download
memory/4032-0-0x00007FF7E40D0000-0x00007FF7E4421000-memory.dmp

Filesize
3.3MB

Download
memory/4032-128-0x00007FF7E40D0000-0x00007FF7E4421000-memory.dmp

Filesize
3.3MB

Download
memory/4064-122-0x00007FF7A94D0000-0x00007FF7A9821000-memory.dmp

Filesize
3.3MB

Download
memory/4064-258-0x00007FF7A94D0000-0x00007FF7A9821000-memory.dmp

Filesize
3.3MB

Download
memory/4068-236-0x00007FF697790000-0x00007FF697AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4068-75-0x00007FF697790000-0x00007FF697AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4448-49-0x00007FF7A4C10000-0x00007FF7A4F61000-memory.dmp

Filesize
3.3MB

Download
memory/4448-240-0x00007FF7A4C10000-0x00007FF7A4F61000-memory.dmp

Filesize
3.3MB

Download
memory/4448-137-0x00007FF7A4C10000-0x00007FF7A4F61000-memory.dmp

Filesize
3.3MB

Download
memory/4704-36-0x00007FF62A240000-0x00007FF62A591000-memory.dmp

Filesize
3.3MB

Download
memory/4704-217-0x00007FF62A240000-0x00007FF62A591000-memory.dmp

Filesize
3.3MB

Download
memory/4704-132-0x00007FF62A240000-0x00007FF62A591000-memory.dmp

Filesize
3.3MB

Download
memory/4720-145-0x00007FF728C80000-0x00007FF728FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-101-0x00007FF728C80000-0x00007FF728FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-251-0x00007FF728C80000-0x00007FF728FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4844-253-0x00007FF67FD60000-0x00007FF6800B1000-memory.dmp

Filesize
3.3MB

Download
memory/4844-123-0x00007FF67FD60000-0x00007FF6800B1000-memory.dmp

Filesize
3.3MB

Download
memory/5108-235-0x00007FF6756C0000-0x00007FF675A11000-memory.dmp

Filesize
3.3MB

Download
memory/5108-66-0x00007FF6756C0000-0x00007FF675A11000-memory.dmp

Filesize
3.3MB

Download
memory/5108-139-0x00007FF6756C0000-0x00007FF675A11000-memory.dmp

Filesize
3.3MB

Download