cobaltstrike | 038cb944b6ea8603b4e4795b1f08c0c2ae08d4061f5bdf55a624e7bd036a327f

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

128edf3a01ef0dc158a59b2d4b121c9f
SHA1

1ebdf3d4ed4c56a41313e8f3febbb2dc3e1c7090
SHA256

038cb944b6ea8603b4e4795b1f08c0c2ae08d4061f5bdf55a624e7bd036a327f
SHA512

9aaafc28d91861e5ee608629c4afc866e547404c2743b92d3f81da0d477cf65ffea9a0a5c0926aa9c8f6fe8035e4e9b88a64091f824a469998a27af499b8386c
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lp:RWWBibf56utgpPFotBER/mQ32lUN

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000900000002361c-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023624-7.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023623-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023625-25.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002362c-61.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002362b-66.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002362d-73.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023620-83.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002362f-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023630-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023635-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023634-130.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023633-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023632-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023631-107.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002362e-79.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002362a-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023628-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023629-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023627-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023626-33.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3832-128-0x00007FF67ACB0000-0x00007FF67B001000-memory.dmp	xmrig
behavioral2/memory/4836-127-0x00007FF73CA60000-0x00007FF73CDB1000-memory.dmp	xmrig
behavioral2/memory/2420-124-0x00007FF78BDA0000-0x00007FF78C0F1000-memory.dmp	xmrig
behavioral2/memory/4480-110-0x00007FF74D6B0000-0x00007FF74DA01000-memory.dmp	xmrig
behavioral2/memory/4160-99-0x00007FF76DF00000-0x00007FF76E251000-memory.dmp	xmrig
behavioral2/memory/3160-98-0x00007FF77C3F0000-0x00007FF77C741000-memory.dmp	xmrig
behavioral2/memory/2016-60-0x00007FF7B3ED0000-0x00007FF7B4221000-memory.dmp	xmrig
behavioral2/memory/1636-147-0x00007FF608520000-0x00007FF608871000-memory.dmp	xmrig
behavioral2/memory/1440-152-0x00007FF736960000-0x00007FF736CB1000-memory.dmp	xmrig
behavioral2/memory/1116-155-0x00007FF6093A0000-0x00007FF6096F1000-memory.dmp	xmrig
behavioral2/memory/884-154-0x00007FF7BB2D0000-0x00007FF7BB621000-memory.dmp	xmrig
behavioral2/memory/3408-153-0x00007FF724A40000-0x00007FF724D91000-memory.dmp	xmrig
behavioral2/memory/1684-151-0x00007FF66E570000-0x00007FF66E8C1000-memory.dmp	xmrig
behavioral2/memory/2552-150-0x00007FF74F920000-0x00007FF74FC71000-memory.dmp	xmrig
behavioral2/memory/1432-149-0x00007FF7632A0000-0x00007FF7635F1000-memory.dmp	xmrig
behavioral2/memory/1568-148-0x00007FF603580000-0x00007FF6038D1000-memory.dmp	xmrig
behavioral2/memory/1392-146-0x00007FF6D6720000-0x00007FF6D6A71000-memory.dmp	xmrig
behavioral2/memory/2788-145-0x00007FF7AF230000-0x00007FF7AF581000-memory.dmp	xmrig
behavioral2/memory/3080-144-0x00007FF746EC0000-0x00007FF747211000-memory.dmp	xmrig
behavioral2/memory/3112-143-0x00007FF7A39C0000-0x00007FF7A3D11000-memory.dmp	xmrig
behavioral2/memory/2284-141-0x00007FF755470000-0x00007FF7557C1000-memory.dmp	xmrig
behavioral2/memory/3160-134-0x00007FF77C3F0000-0x00007FF77C741000-memory.dmp	xmrig
behavioral2/memory/5116-140-0x00007FF7FA7B0000-0x00007FF7FAB01000-memory.dmp	xmrig
behavioral2/memory/3160-156-0x00007FF77C3F0000-0x00007FF77C741000-memory.dmp	xmrig
behavioral2/memory/4160-215-0x00007FF76DF00000-0x00007FF76E251000-memory.dmp	xmrig
behavioral2/memory/2420-217-0x00007FF78BDA0000-0x00007FF78C0F1000-memory.dmp	xmrig
behavioral2/memory/4480-219-0x00007FF74D6B0000-0x00007FF74DA01000-memory.dmp	xmrig
behavioral2/memory/4836-225-0x00007FF73CA60000-0x00007FF73CDB1000-memory.dmp	xmrig
behavioral2/memory/3832-224-0x00007FF67ACB0000-0x00007FF67B001000-memory.dmp	xmrig
behavioral2/memory/2016-227-0x00007FF7B3ED0000-0x00007FF7B4221000-memory.dmp	xmrig
behavioral2/memory/5116-222-0x00007FF7FA7B0000-0x00007FF7FAB01000-memory.dmp	xmrig
behavioral2/memory/3112-243-0x00007FF7A39C0000-0x00007FF7A3D11000-memory.dmp	xmrig
behavioral2/memory/3080-245-0x00007FF746EC0000-0x00007FF747211000-memory.dmp	xmrig
behavioral2/memory/1568-249-0x00007FF603580000-0x00007FF6038D1000-memory.dmp	xmrig
behavioral2/memory/2284-248-0x00007FF755470000-0x00007FF7557C1000-memory.dmp	xmrig
behavioral2/memory/2788-242-0x00007FF7AF230000-0x00007FF7AF581000-memory.dmp	xmrig
behavioral2/memory/1636-238-0x00007FF608520000-0x00007FF608871000-memory.dmp	xmrig
behavioral2/memory/1392-240-0x00007FF6D6720000-0x00007FF6D6A71000-memory.dmp	xmrig
behavioral2/memory/1432-253-0x00007FF7632A0000-0x00007FF7635F1000-memory.dmp	xmrig
behavioral2/memory/1440-255-0x00007FF736960000-0x00007FF736CB1000-memory.dmp	xmrig
behavioral2/memory/1684-257-0x00007FF66E570000-0x00007FF66E8C1000-memory.dmp	xmrig
behavioral2/memory/2552-252-0x00007FF74F920000-0x00007FF74FC71000-memory.dmp	xmrig
behavioral2/memory/884-261-0x00007FF7BB2D0000-0x00007FF7BB621000-memory.dmp	xmrig
behavioral2/memory/3408-263-0x00007FF724A40000-0x00007FF724D91000-memory.dmp	xmrig
behavioral2/memory/1116-260-0x00007FF6093A0000-0x00007FF6096F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4160	vlYKHTZ.exe
4480	XHmgpQm.exe
2420	aYoWjys.exe
3832	sMahhxP.exe
4836	HreRtDv.exe
5116	ViwIDPv.exe
2284	gqhNmXE.exe
2016	KakEHSg.exe
3112	WgHJNot.exe
3080	kLqCFjs.exe
2788	ajOkqmf.exe
1392	ohDzAFQ.exe
1636	MttiMuB.exe
1568	mlpyLJT.exe
1432	HFwrAXn.exe
2552	pFZdcJQ.exe
1684	sNxDqLW.exe
1440	JTecTGh.exe
3408	SWjLWWG.exe
884	lcuSYDe.exe
1116	JccwHac.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3160-0-0x00007FF77C3F0000-0x00007FF77C741000-memory.dmp	upx
behavioral2/files/0x000900000002361c-5.dat	upx
behavioral2/files/0x0007000000023624-7.dat	upx
behavioral2/files/0x0007000000023623-15.dat	upx
behavioral2/files/0x0007000000023625-25.dat	upx
behavioral2/memory/2284-51-0x00007FF755470000-0x00007FF7557C1000-memory.dmp	upx
behavioral2/files/0x000700000002362c-61.dat	upx
behavioral2/files/0x000700000002362b-66.dat	upx
behavioral2/files/0x000700000002362d-73.dat	upx
behavioral2/files/0x0008000000023620-83.dat	upx
behavioral2/files/0x000700000002362f-91.dat	upx
behavioral2/files/0x0007000000023630-105.dat	upx
behavioral2/memory/1440-113-0x00007FF736960000-0x00007FF736CB1000-memory.dmp	upx
behavioral2/memory/1116-123-0x00007FF6093A0000-0x00007FF6096F1000-memory.dmp	upx
behavioral2/files/0x0007000000023635-131.dat	upx
behavioral2/files/0x0007000000023634-130.dat	upx
behavioral2/memory/884-129-0x00007FF7BB2D0000-0x00007FF7BB621000-memory.dmp	upx
behavioral2/memory/3832-128-0x00007FF67ACB0000-0x00007FF67B001000-memory.dmp	upx
behavioral2/memory/4836-127-0x00007FF73CA60000-0x00007FF73CDB1000-memory.dmp	upx
behavioral2/files/0x0007000000023633-125.dat	upx
behavioral2/memory/2420-124-0x00007FF78BDA0000-0x00007FF78C0F1000-memory.dmp	upx
behavioral2/memory/3408-120-0x00007FF724A40000-0x00007FF724D91000-memory.dmp	upx
behavioral2/files/0x0007000000023632-111.dat	upx
behavioral2/memory/4480-110-0x00007FF74D6B0000-0x00007FF74DA01000-memory.dmp	upx
behavioral2/memory/1684-109-0x00007FF66E570000-0x00007FF66E8C1000-memory.dmp	upx
behavioral2/files/0x0007000000023631-107.dat	upx
behavioral2/memory/2552-104-0x00007FF74F920000-0x00007FF74FC71000-memory.dmp	upx
behavioral2/memory/1432-100-0x00007FF7632A0000-0x00007FF7635F1000-memory.dmp	upx
behavioral2/memory/4160-99-0x00007FF76DF00000-0x00007FF76E251000-memory.dmp	upx
behavioral2/memory/3160-98-0x00007FF77C3F0000-0x00007FF77C741000-memory.dmp	upx
behavioral2/memory/1568-90-0x00007FF603580000-0x00007FF6038D1000-memory.dmp	upx
behavioral2/files/0x000700000002362e-79.dat	upx
behavioral2/memory/1636-78-0x00007FF608520000-0x00007FF608871000-memory.dmp	upx
behavioral2/files/0x000700000002362a-69.dat	upx
behavioral2/memory/2788-68-0x00007FF7AF230000-0x00007FF7AF581000-memory.dmp	upx
behavioral2/memory/1392-65-0x00007FF6D6720000-0x00007FF6D6A71000-memory.dmp	upx
behavioral2/memory/3080-64-0x00007FF746EC0000-0x00007FF747211000-memory.dmp	upx
behavioral2/memory/2016-60-0x00007FF7B3ED0000-0x00007FF7B4221000-memory.dmp	upx
behavioral2/memory/3112-57-0x00007FF7A39C0000-0x00007FF7A3D11000-memory.dmp	upx
behavioral2/files/0x0007000000023628-56.dat	upx
behavioral2/files/0x0007000000023629-49.dat	upx
behavioral2/files/0x0007000000023627-45.dat	upx
behavioral2/memory/5116-43-0x00007FF7FA7B0000-0x00007FF7FAB01000-memory.dmp	upx
behavioral2/memory/4836-42-0x00007FF73CA60000-0x00007FF73CDB1000-memory.dmp	upx
behavioral2/files/0x0007000000023626-33.dat	upx
behavioral2/memory/3832-32-0x00007FF67ACB0000-0x00007FF67B001000-memory.dmp	upx
behavioral2/memory/2420-21-0x00007FF78BDA0000-0x00007FF78C0F1000-memory.dmp	upx
behavioral2/memory/4480-18-0x00007FF74D6B0000-0x00007FF74DA01000-memory.dmp	upx
behavioral2/memory/4160-8-0x00007FF76DF00000-0x00007FF76E251000-memory.dmp	upx
behavioral2/memory/1636-147-0x00007FF608520000-0x00007FF608871000-memory.dmp	upx
behavioral2/memory/1440-152-0x00007FF736960000-0x00007FF736CB1000-memory.dmp	upx
behavioral2/memory/1116-155-0x00007FF6093A0000-0x00007FF6096F1000-memory.dmp	upx
behavioral2/memory/884-154-0x00007FF7BB2D0000-0x00007FF7BB621000-memory.dmp	upx
behavioral2/memory/3408-153-0x00007FF724A40000-0x00007FF724D91000-memory.dmp	upx
behavioral2/memory/1684-151-0x00007FF66E570000-0x00007FF66E8C1000-memory.dmp	upx
behavioral2/memory/2552-150-0x00007FF74F920000-0x00007FF74FC71000-memory.dmp	upx
behavioral2/memory/1432-149-0x00007FF7632A0000-0x00007FF7635F1000-memory.dmp	upx
behavioral2/memory/1568-148-0x00007FF603580000-0x00007FF6038D1000-memory.dmp	upx
behavioral2/memory/1392-146-0x00007FF6D6720000-0x00007FF6D6A71000-memory.dmp	upx
behavioral2/memory/2788-145-0x00007FF7AF230000-0x00007FF7AF581000-memory.dmp	upx
behavioral2/memory/3080-144-0x00007FF746EC0000-0x00007FF747211000-memory.dmp	upx
behavioral2/memory/3112-143-0x00007FF7A39C0000-0x00007FF7A3D11000-memory.dmp	upx
behavioral2/memory/2284-141-0x00007FF755470000-0x00007FF7557C1000-memory.dmp	upx
behavioral2/memory/3160-134-0x00007FF77C3F0000-0x00007FF77C741000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\gqhNmXE.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ohDzAFQ.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mlpyLJT.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sNxDqLW.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aYoWjys.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ajOkqmf.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SWjLWWG.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lcuSYDe.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kLqCFjs.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XHmgpQm.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ViwIDPv.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HFwrAXn.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pFZdcJQ.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JccwHac.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vlYKHTZ.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HreRtDv.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KakEHSg.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WgHJNot.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MttiMuB.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JTecTGh.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sMahhxP.exe	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 4160	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3160 wrote to memory of 4160	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3160 wrote to memory of 4480	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3160 wrote to memory of 4480	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3160 wrote to memory of 2420	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3160 wrote to memory of 2420	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3160 wrote to memory of 3832	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3160 wrote to memory of 3832	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3160 wrote to memory of 4836	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3160 wrote to memory of 4836	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3160 wrote to memory of 5116	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3160 wrote to memory of 5116	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3160 wrote to memory of 2284	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3160 wrote to memory of 2284	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3160 wrote to memory of 2016	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3160 wrote to memory of 2016	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3160 wrote to memory of 3112	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3160 wrote to memory of 3112	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3160 wrote to memory of 3080	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3160 wrote to memory of 3080	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3160 wrote to memory of 2788	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3160 wrote to memory of 2788	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3160 wrote to memory of 1392	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3160 wrote to memory of 1392	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3160 wrote to memory of 1636	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3160 wrote to memory of 1636	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3160 wrote to memory of 1568	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3160 wrote to memory of 1568	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3160 wrote to memory of 1432	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3160 wrote to memory of 1432	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3160 wrote to memory of 2552	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3160 wrote to memory of 2552	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3160 wrote to memory of 1684	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3160 wrote to memory of 1684	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3160 wrote to memory of 1440	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3160 wrote to memory of 1440	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3160 wrote to memory of 3408	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3160 wrote to memory of 3408	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3160 wrote to memory of 884	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 3160 wrote to memory of 884	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 3160 wrote to memory of 1116	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 3160 wrote to memory of 1116	3160	2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-17_128edf3a01ef0dc158a59b2d4b121c9f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\System\vlYKHTZ.exe
  C:\Windows\System\vlYKHTZ.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System\XHmgpQm.exe
  C:\Windows\System\XHmgpQm.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\aYoWjys.exe
  C:\Windows\System\aYoWjys.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\sMahhxP.exe
  C:\Windows\System\sMahhxP.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\HreRtDv.exe
  C:\Windows\System\HreRtDv.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\ViwIDPv.exe
  C:\Windows\System\ViwIDPv.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\gqhNmXE.exe
  C:\Windows\System\gqhNmXE.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\KakEHSg.exe
  C:\Windows\System\KakEHSg.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\WgHJNot.exe
  C:\Windows\System\WgHJNot.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\kLqCFjs.exe
  C:\Windows\System\kLqCFjs.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System\ajOkqmf.exe
  C:\Windows\System\ajOkqmf.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\ohDzAFQ.exe
  C:\Windows\System\ohDzAFQ.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\MttiMuB.exe
  C:\Windows\System\MttiMuB.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\mlpyLJT.exe
  C:\Windows\System\mlpyLJT.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\HFwrAXn.exe
  C:\Windows\System\HFwrAXn.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\pFZdcJQ.exe
  C:\Windows\System\pFZdcJQ.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\sNxDqLW.exe
  C:\Windows\System\sNxDqLW.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\JTecTGh.exe
  C:\Windows\System\JTecTGh.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\SWjLWWG.exe
  C:\Windows\System\SWjLWWG.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\lcuSYDe.exe
  C:\Windows\System\lcuSYDe.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System\JccwHac.exe
  C:\Windows\System\JccwHac.exe
  2⤵
  - Executes dropped EXE
  PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3836,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
1⤵
PID:1412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\HFwrAXn.exe

Filesize
5.2MB

MD5
0c38e82ff4f644f0f1ff3201a978ef60

SHA1
c01664fd8d403a6d86998fc1d8b48b525ee04208

SHA256
510c544548c8b0192658c6cc62fb39c57b67eedb1007f6e8aa44d9291003b8be

SHA512
2f027394a58bd19c84e2a313a1d2e2063b4b637e819ea6c96b27a082d39d7e2bfc5990f2fe04e78b4011fb01bf156c6c43b759889f29fa2e868ea98dfc7889e2

Download Submit
C:\Windows\System\HreRtDv.exe

Filesize
5.2MB

MD5
622fed30bc323fd262e24d40f0fcf9b3

SHA1
9b2f782fd7c6da4aea7c316ee1f9197015047fd2

SHA256
27ac69bff6456f14cd7a554151d298aab5e04854fe214cee57a3590f4951d9f5

SHA512
a0873bc9d6c513734e6e25a5b8bbd8990b878b9b35f9d3c44fe05bf8446716e52a4c2f5719f21f761b8ecd78f26a09696ccd673493ee286c61c975c1387a2a8b

Download Submit
C:\Windows\System\JTecTGh.exe

Filesize
5.2MB

MD5
74c76b98205001ae18ea88bbcffe10b0

SHA1
d87af5cbedbe5a731c1c3f891a89e559f23e5b5a

SHA256
b368d1eec89ef1f1f6c8bc040a9a48a5bde5fd4c3f14620fa30ceedabf90e564

SHA512
fa47720530670fe524e2c49c4e22ed7cd154a7b19afbb1b567d789556469099618ce7d921edb2a02408e28722457e9b0954b427670b4d87c370aae665b15c7f2

Download Submit
C:\Windows\System\JccwHac.exe

Filesize
5.2MB

MD5
71a4e0b2bd9b8a3a4991fb848512705b

SHA1
3ebdfb0a14daba0df08c8735e93a3acb4bf9f39b

SHA256
4c9067a1540e6b8cb4943a4e15e1a65243167f637f1e80edfbee2cd6519915a1

SHA512
4f57b96c9a6ec6b93820a82948d3533796bfeb0491ee8921d8bab8b6e89d0edae4433157420e17495e48a41e9ab4f39bc6fb46acddce279dcd4880c5b4b5951c

Download Submit
C:\Windows\System\KakEHSg.exe

Filesize
5.2MB

MD5
251f66b8babc67c421cc3b436c4bd304

SHA1
0f2ba50413a8712ad1c49c6741bd7309cb6f30a5

SHA256
038cb065bc569630450be09ec207a558a15a6b3b3da83a50c3aca64213155167

SHA512
8fa920dacf077a6d28517bc96dffce5f50431abf5c47c4fa35158edc46d10782ca52cd2491fbc660578627b2063f21a8a9e88d66c20b86d1c1af61306c935edb

Download Submit
C:\Windows\System\MttiMuB.exe

Filesize
5.2MB

MD5
c079f9b3e5098fa35e17b22c3a1e757c

SHA1
e4e9654f8a57bdbe070a62a47ac00af228cd2bdb

SHA256
f8dd79dea276000ad548a52e0d71ecc375a0a68d2bc8e3f06f04db2c96af69c0

SHA512
ba3450d519e3eed9efbee5a2d34b889be16003f64db252505302549f4c8e59d41381d4477a2c9e4df4a1176f5ee66502bb1eb76164781f7e9c54f7162577b659

Download Submit
C:\Windows\System\SWjLWWG.exe

Filesize
5.2MB

MD5
c9bf1892f2ac5c7cd749767a3c6b7136

SHA1
3f1884dad9bc1b6b8346a4f10f5a1f69048d3d5b

SHA256
a51b6a171faa3e87f53663a3d3b8700dbb1b5faa041596c43be0c394f11c4de1

SHA512
cafffb67378c6219118581ec36750ef8a6400ab43e208510f5804d6cc7bf370af7ec5965ba99066c507bf6a8e5d83285beceff45cf11d594dd5c436e6023375f

Download Submit
C:\Windows\System\ViwIDPv.exe

Filesize
5.2MB

MD5
49e7b7f50375a3b93a97890c16404197

SHA1
35dda0af6dadab9997678d23a16202a508a1bfac

SHA256
eacdca3ef40162fb9e6699a8a4b7985559ecbcbe8226e0da20f95c3fbf101ba3

SHA512
b11ec10ceb6464b7e117ca929e630f07b38e84786003787a04acfb47f8c23a7a898e828351d820c69b47a84c81821397bba386652b168e100cff2692d58b47b4

Download Submit
C:\Windows\System\WgHJNot.exe

Filesize
5.2MB

MD5
a7cc096afbd71e1559ac7cb8873e74c0

SHA1
99f2bd0a918ad67b040940bb0f689298ed7372fc

SHA256
40cb4dbc52f198d7a989ed52683a4b2c895bfce1c963cde9f8b36d4693b8928b

SHA512
e737a4a0fa4a74783cde22dd3d7d02044484d4a2c7f6873074b830865de0a5da6e325068a7d53f4e2d6f0b9dd51605b5ac067c4238cdb8164ac65a50de36a603

Download Submit
C:\Windows\System\XHmgpQm.exe

Filesize
5.2MB

MD5
e61764a3a21d570e42a9bac6887c550a

SHA1
50ca397b42baf702456d3b2da4303fba956766a1

SHA256
15a4539d951ed8dabd8ea13d804cd013671beda0037d740662b06728f3471cbb

SHA512
919fce482e8adb16eed5f67983b5d3058581b17c1a54694deac88835d195c82aaa11a1a05e78a851ba2337a940bb6e0c40504c2a10b88aa38998e9696600cddb

Download Submit
C:\Windows\System\aYoWjys.exe

Filesize
5.2MB

MD5
0bb82a829563ce63b16e628b4f08c23e

SHA1
fcc340dd88befc66533abfcc290a6bc18242cf64

SHA256
7083adc37bbe411aff00cf31b4c3167b0a82ec37fa0fb3425753c06cf989f3d8

SHA512
a9ed9f034b8596bd9569ae9a62ceeb5fe45194c36c53931716985d6849f2de09913b2d25b8ac73be3a11ae204956fade5a1b76e849b51f49aae6a673e8d97f40

Download Submit
C:\Windows\System\ajOkqmf.exe

Filesize
5.2MB

MD5
d4cd1f719115e408a78e8a317770158d

SHA1
9a62f605ad1e3148c3e8d988e9c44cf911b981c0

SHA256
af102e51071089b7d9f560175ddf08422f77c0575cd732f40d30abbbc2af4010

SHA512
7bcf4c44886efcd4f84c1604965259a84a51efa471edcb891ff9922bbae3c9cd9a85c6e14b3a90d07a8320f5052e8a275e74780101eec14bd7abb0b7844f5b1a

Download Submit
C:\Windows\System\gqhNmXE.exe

Filesize
5.2MB

MD5
dc2d6f12e750731d5be5dc2297227b63

SHA1
384226c38d45ee4918240e6964bddee6eaaf591a

SHA256
2704406e4122d46b7d214e7f76c727787f02cce668f6bd3d9d8db24d6f35c274

SHA512
3effb40e5ed1dcbf7b766c2144fe29d06ca4c92bb38d74d4ecd8da4b301fe63f201ff2f22b447d6bf9440da772766bb478b1a6a6ea9c6985ff71f5da93935c96

Download Submit
C:\Windows\System\kLqCFjs.exe

Filesize
5.2MB

MD5
f0a24bd5223f9a9248f2aef99a71fe33

SHA1
d3731754ce9079ba884322c21f041bc7b5717c4f

SHA256
a2c3a0179f800bdfe7c3e982f831ed1655302a105c9f9a6d689b2b074a4a6c13

SHA512
49866583ce549e3b00c58caebc2d3b0f8d3bb83bc06b91943b0835caea2a0e08c0c761ff59dc05c95c4d2072609c09eb9f1258258e6b3176b6b9694de6e17b4e

Download Submit
C:\Windows\System\lcuSYDe.exe

Filesize
5.2MB

MD5
fa9cb17c11d8150fcebe0731a42e9845

SHA1
a196e9ad4b346de023b898295a0c02c469017567

SHA256
73b35f42486b3c76c813e88e8e7c91becd2b242317d8e90359da72fe92e01dc5

SHA512
fb98cc1f4d0b671a99aa6169f6f12373665b2cb4a61087a833b2ded2e49a05420c9571cff95f19770699a6d3f53f29130a5479600555dabcaa341d632793d8d5

Download Submit
C:\Windows\System\mlpyLJT.exe

Filesize
5.2MB

MD5
9ada7a78fa42b64cc9eba3e7a77ed49a

SHA1
5d10a47e46e7191f25b7677fb6a2a708fcd20dee

SHA256
18b2e2af3fd99f430fe2102b7519d9cb285a0a4867a48bd49f5f599440be57bb

SHA512
9613cf9a6e9318510b37840c8f624fc5f6cd1940f707b61dc3c9ff77c84444afc60095cbb8c0de908ba3685392c628468c95d299b4edf47031b153e3e1433d24

Download Submit
C:\Windows\System\ohDzAFQ.exe

Filesize
5.2MB

MD5
1ca2b98eed20e38bdd4789653b904444

SHA1
9095c9b6059eb257a414ba988c1d7c24c0c96839

SHA256
2b70fd5a714508c4f1197b76b12075b5ae959dc7935b60cb1bedd13c16a76f6b

SHA512
a8fe93a3b718e29edd74cd052e2d826e9fcb4b5bad00366deffd2cdbf52ffe31a838e1d4d4cb3a456567849f1b9179761f35f5e1cf12c790f216076e3ee8851e

Download Submit
C:\Windows\System\pFZdcJQ.exe

Filesize
5.2MB

MD5
0c83aed861fb5e6e219b615d1b9fdf05

SHA1
0516254b1ef94fad564a49f9fbee6d53ec1b2ebf

SHA256
9421a716b25ba83eaf19f67b321dd711d48ea4218252a4d006d02dc5fc52fde0

SHA512
bd22b28f8a5e337e62ddfa60b861323b467fcacba39c5f1eea85d9b3fdf085fcdafaa438722071ea1e07c0aa051cdad69e987a56f7721f18cb20757b4cbefafd

Download Submit
C:\Windows\System\sMahhxP.exe

Filesize
5.2MB

MD5
9dac8b8625c8681f03be5f91a3a0cd70

SHA1
66c48d2ec92a78f7823013eaeb46c8f284932d05

SHA256
d18a52d76420e3323e58f4aa499fbf69ea1155510018d71ff18b8e9ad9ea5c95

SHA512
f4a80e2b16ebff42d80f57766e86b761bc572b59ebac0def7d4c64a8f612e56af3581ab60086085af0364ab21cf517f803c881dc34238bdb9a5959193bd5aa05

Download Submit
C:\Windows\System\sNxDqLW.exe

Filesize
5.2MB

MD5
412cd45fcb8151ae3c5ec24e7255420e

SHA1
cd05bb51f2499436a80604ac90d80bf2e9e5dd28

SHA256
676239e2f0befe4c78d701f3a7df964f621fd649509ed01ae69778a23f3d2299

SHA512
d799dd8c47ddb56f4453a24050f286619098413d895ffd35157deede72cacc3922a9067643b7c0dcf042d1b92afed8490118ce538dc57477304917bb85585084

Download Submit
C:\Windows\System\vlYKHTZ.exe

Filesize
5.2MB

MD5
06b23ffe929bfa7541fc58542eee4886

SHA1
717c1aebc3347cf399ca87e3324c352c4865aeca

SHA256
56c796bd12c9b55003b6e94a0f0fe4220e2481cc28dd3f06bacd6f8b70546744

SHA512
46f33240cbf574d9a2790c6bb16ce6155046677dc4cde7892fc53f88fbe1e287677c7b90bd011378d2b99b4402a37dba79b2b664f5bdf4d2f27e30fba57a2a15

Download Submit
memory/884-154-0x00007FF7BB2D0000-0x00007FF7BB621000-memory.dmp

Filesize
3.3MB

Download
memory/884-129-0x00007FF7BB2D0000-0x00007FF7BB621000-memory.dmp

Filesize
3.3MB

Download
memory/884-261-0x00007FF7BB2D0000-0x00007FF7BB621000-memory.dmp

Filesize
3.3MB

Download
memory/1116-155-0x00007FF6093A0000-0x00007FF6096F1000-memory.dmp

Filesize
3.3MB

Download
memory/1116-260-0x00007FF6093A0000-0x00007FF6096F1000-memory.dmp

Filesize
3.3MB

Download
memory/1116-123-0x00007FF6093A0000-0x00007FF6096F1000-memory.dmp

Filesize
3.3MB

Download
memory/1392-65-0x00007FF6D6720000-0x00007FF6D6A71000-memory.dmp

Filesize
3.3MB

Download
memory/1392-146-0x00007FF6D6720000-0x00007FF6D6A71000-memory.dmp

Filesize
3.3MB

Download
memory/1392-240-0x00007FF6D6720000-0x00007FF6D6A71000-memory.dmp

Filesize
3.3MB

Download
memory/1432-149-0x00007FF7632A0000-0x00007FF7635F1000-memory.dmp

Filesize
3.3MB

Download
memory/1432-100-0x00007FF7632A0000-0x00007FF7635F1000-memory.dmp

Filesize
3.3MB

Download
memory/1432-253-0x00007FF7632A0000-0x00007FF7635F1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-255-0x00007FF736960000-0x00007FF736CB1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-152-0x00007FF736960000-0x00007FF736CB1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-113-0x00007FF736960000-0x00007FF736CB1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-148-0x00007FF603580000-0x00007FF6038D1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-90-0x00007FF603580000-0x00007FF6038D1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-249-0x00007FF603580000-0x00007FF6038D1000-memory.dmp

Filesize
3.3MB

Download
memory/1636-238-0x00007FF608520000-0x00007FF608871000-memory.dmp

Filesize
3.3MB

Download
memory/1636-147-0x00007FF608520000-0x00007FF608871000-memory.dmp

Filesize
3.3MB

Download
memory/1636-78-0x00007FF608520000-0x00007FF608871000-memory.dmp

Filesize
3.3MB

Download
memory/1684-257-0x00007FF66E570000-0x00007FF66E8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1684-151-0x00007FF66E570000-0x00007FF66E8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1684-109-0x00007FF66E570000-0x00007FF66E8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2016-60-0x00007FF7B3ED0000-0x00007FF7B4221000-memory.dmp

Filesize
3.3MB

Download
memory/2016-227-0x00007FF7B3ED0000-0x00007FF7B4221000-memory.dmp

Filesize
3.3MB

Download
memory/2284-248-0x00007FF755470000-0x00007FF7557C1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-141-0x00007FF755470000-0x00007FF7557C1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-51-0x00007FF755470000-0x00007FF7557C1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-124-0x00007FF78BDA0000-0x00007FF78C0F1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-217-0x00007FF78BDA0000-0x00007FF78C0F1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-21-0x00007FF78BDA0000-0x00007FF78C0F1000-memory.dmp

Filesize
3.3MB

Download
memory/2552-150-0x00007FF74F920000-0x00007FF74FC71000-memory.dmp

Filesize
3.3MB

Download
memory/2552-104-0x00007FF74F920000-0x00007FF74FC71000-memory.dmp

Filesize
3.3MB

Download
memory/2552-252-0x00007FF74F920000-0x00007FF74FC71000-memory.dmp

Filesize
3.3MB

Download
memory/2788-145-0x00007FF7AF230000-0x00007FF7AF581000-memory.dmp

Filesize
3.3MB

Download
memory/2788-68-0x00007FF7AF230000-0x00007FF7AF581000-memory.dmp

Filesize
3.3MB

Download
memory/2788-242-0x00007FF7AF230000-0x00007FF7AF581000-memory.dmp

Filesize
3.3MB

Download
memory/3080-245-0x00007FF746EC0000-0x00007FF747211000-memory.dmp

Filesize
3.3MB

Download
memory/3080-144-0x00007FF746EC0000-0x00007FF747211000-memory.dmp

Filesize
3.3MB

Download
memory/3080-64-0x00007FF746EC0000-0x00007FF747211000-memory.dmp

Filesize
3.3MB

Download
memory/3112-57-0x00007FF7A39C0000-0x00007FF7A3D11000-memory.dmp

Filesize
3.3MB

Download
memory/3112-243-0x00007FF7A39C0000-0x00007FF7A3D11000-memory.dmp

Filesize
3.3MB

Download
memory/3112-143-0x00007FF7A39C0000-0x00007FF7A3D11000-memory.dmp

Filesize
3.3MB

Download
memory/3160-134-0x00007FF77C3F0000-0x00007FF77C741000-memory.dmp

Filesize
3.3MB

Download
memory/3160-156-0x00007FF77C3F0000-0x00007FF77C741000-memory.dmp

Filesize
3.3MB

Download
memory/3160-0-0x00007FF77C3F0000-0x00007FF77C741000-memory.dmp

Filesize
3.3MB

Download
memory/3160-1-0x00000207D1A90000-0x00000207D1AA0000-memory.dmp

Filesize
64KB

Download
memory/3160-98-0x00007FF77C3F0000-0x00007FF77C741000-memory.dmp

Filesize
3.3MB

Download
memory/3408-153-0x00007FF724A40000-0x00007FF724D91000-memory.dmp

Filesize
3.3MB

Download
memory/3408-120-0x00007FF724A40000-0x00007FF724D91000-memory.dmp

Filesize
3.3MB

Download
memory/3408-263-0x00007FF724A40000-0x00007FF724D91000-memory.dmp

Filesize
3.3MB

Download
memory/3832-128-0x00007FF67ACB0000-0x00007FF67B001000-memory.dmp

Filesize
3.3MB

Download
memory/3832-224-0x00007FF67ACB0000-0x00007FF67B001000-memory.dmp

Filesize
3.3MB

Download
memory/3832-32-0x00007FF67ACB0000-0x00007FF67B001000-memory.dmp

Filesize
3.3MB

Download
memory/4160-215-0x00007FF76DF00000-0x00007FF76E251000-memory.dmp

Filesize
3.3MB

Download
memory/4160-8-0x00007FF76DF00000-0x00007FF76E251000-memory.dmp

Filesize
3.3MB

Download
memory/4160-99-0x00007FF76DF00000-0x00007FF76E251000-memory.dmp

Filesize
3.3MB

Download
memory/4480-219-0x00007FF74D6B0000-0x00007FF74DA01000-memory.dmp

Filesize
3.3MB

Download
memory/4480-18-0x00007FF74D6B0000-0x00007FF74DA01000-memory.dmp

Filesize
3.3MB

Download
memory/4480-110-0x00007FF74D6B0000-0x00007FF74DA01000-memory.dmp

Filesize
3.3MB

Download
memory/4836-225-0x00007FF73CA60000-0x00007FF73CDB1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-42-0x00007FF73CA60000-0x00007FF73CDB1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-127-0x00007FF73CA60000-0x00007FF73CDB1000-memory.dmp

Filesize
3.3MB

Download
memory/5116-222-0x00007FF7FA7B0000-0x00007FF7FAB01000-memory.dmp

Filesize
3.3MB

Download
memory/5116-140-0x00007FF7FA7B0000-0x00007FF7FAB01000-memory.dmp

Filesize
3.3MB

Download
memory/5116-43-0x00007FF7FA7B0000-0x00007FF7FAB01000-memory.dmp

Filesize
3.3MB

Download