cobaltstrike | d32c66a38a60e023d5a936c41cf5ed8b04fe27de2c3abbd5eb48bc299621d818

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

1b7deb1a82a7af372458458b5e2f4688
SHA1

e223fa9257989911d6ab247c53f55013c0e60428
SHA256

d32c66a38a60e023d5a936c41cf5ed8b04fe27de2c3abbd5eb48bc299621d818
SHA512

2a8294e3263b82cb0669a9ddcac64dbb3557b12166205f55caacb5f196c8edbbcc1c5e4c48a02aba206732f399861f2199a56ed2106f0b19463f442244530b54
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUb:j+R56utgpPF8u/7b

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012119-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d6e-9.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d7e-18.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d87-21.dat	cobalt_reflective_dll
behavioral1/files/0x0033000000015d1f-24.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3e-70.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c84-98.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dd1-91.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d96-85.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d25-83.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d9a-81.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d46-73.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cd1-69.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d36-64.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015e18-59.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cfc-56.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015da7-38.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dd7-96.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dbe-89.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d8f-54.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d9a-35.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

resource	yara_rule
behavioral1/memory/3032-0-0x000000013F610000-0x000000013F95D000-memory.dmp	xmrig
behavioral1/files/0x0007000000012119-3.dat	xmrig
behavioral1/memory/2752-7-0x000000013FEC0000-0x000000014020D000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d6e-9.dat	xmrig
behavioral1/memory/2652-13-0x000000013FD60000-0x00000001400AD000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d7e-18.dat	xmrig
behavioral1/memory/2532-19-0x000000013FA30000-0x000000013FD7D000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d87-21.dat	xmrig
behavioral1/files/0x0033000000015d1f-24.dat	xmrig
behavioral1/files/0x0006000000016d3e-70.dat	xmrig
behavioral1/files/0x0006000000016c84-98.dat	xmrig
behavioral1/files/0x0006000000016dd1-91.dat	xmrig
behavioral1/files/0x0006000000016d96-85.dat	xmrig
behavioral1/files/0x0006000000016d25-83.dat	xmrig
behavioral1/files/0x0006000000016d9a-81.dat	xmrig
behavioral1/memory/692-74-0x000000013F0E0000-0x000000013F42D000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d46-73.dat	xmrig
behavioral1/files/0x0006000000016cd1-69.dat	xmrig
behavioral1/memory/2768-63-0x000000013F530000-0x000000013F87D000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d36-64.dat	xmrig
behavioral1/files/0x0009000000015e18-59.dat	xmrig
behavioral1/memory/2636-55-0x000000013F4A0000-0x000000013F7ED000-memory.dmp	xmrig
behavioral1/files/0x0006000000016cfc-56.dat	xmrig
behavioral1/files/0x0007000000015da7-38.dat	xmrig
behavioral1/files/0x0006000000016dd7-96.dat	xmrig
behavioral1/files/0x0006000000016dbe-89.dat	xmrig
behavioral1/files/0x0007000000015d8f-54.dat	xmrig
behavioral1/memory/2688-42-0x000000013F7F0000-0x000000013FB3D000-memory.dmp	xmrig
behavioral1/memory/2792-41-0x000000013F4E0000-0x000000013F82D000-memory.dmp	xmrig
behavioral1/memory/2544-36-0x000000013F130000-0x000000013F47D000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d9a-35.dat	xmrig
behavioral1/memory/2436-119-0x000000013F020000-0x000000013F36D000-memory.dmp	xmrig
behavioral1/memory/1948-120-0x000000013FF50000-0x000000014029D000-memory.dmp	xmrig
behavioral1/memory/2704-118-0x000000013F560000-0x000000013F8AD000-memory.dmp	xmrig
behavioral1/memory/2284-117-0x000000013F170000-0x000000013F4BD000-memory.dmp	xmrig
behavioral1/memory/772-116-0x000000013FBC0000-0x000000013FF0D000-memory.dmp	xmrig
behavioral1/memory/1428-115-0x000000013FFE0000-0x000000014032D000-memory.dmp	xmrig
behavioral1/memory/2336-114-0x000000013FFC0000-0x000000014030D000-memory.dmp	xmrig
behavioral1/memory/2012-107-0x000000013F6B0000-0x000000013F9FD000-memory.dmp	xmrig
behavioral1/memory/2564-106-0x000000013FF20000-0x000000014026D000-memory.dmp	xmrig
behavioral1/memory/2624-105-0x000000013F090000-0x000000013F3DD000-memory.dmp	xmrig
behavioral1/memory/756-104-0x000000013F050000-0x000000013F39D000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2752	AcDwdAb.exe
2652	SfaKysN.exe
2532	SjRFnpK.exe
2688	BDxSlGI.exe
2792	AJTMemm.exe
2544	NlBTWap.exe
2636	HiMyVhw.exe
2768	rsBAQXq.exe
692	oNSqUVN.exe
756	aiSFlPb.exe
2624	GzfSQLO.exe
2564	dYlIhuT.exe
2012	OYTyifK.exe
1724	bjMwUfT.exe
2336	rSMequb.exe
1428	RYImKEY.exe
772	BqYywjP.exe
2284	zRmawWb.exe
2704	IelPboD.exe
2436	ezdZvta.exe
1948	DAQVydD.exe

Loads dropped DLL 21 IoCs

pid	Process
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rsBAQXq.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DAQVydD.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bjMwUfT.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SfaKysN.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BDxSlGI.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oNSqUVN.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OYTyifK.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HiMyVhw.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BqYywjP.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aiSFlPb.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dYlIhuT.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rSMequb.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RYImKEY.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zRmawWb.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GzfSQLO.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AcDwdAb.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SjRFnpK.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AJTMemm.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NlBTWap.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IelPboD.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ezdZvta.exe	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2752	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 3032 wrote to memory of 2752	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 3032 wrote to memory of 2752	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 3032 wrote to memory of 2652	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 3032 wrote to memory of 2652	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 3032 wrote to memory of 2652	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 3032 wrote to memory of 2532	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 3032 wrote to memory of 2532	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 3032 wrote to memory of 2532	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 3032 wrote to memory of 2792	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 3032 wrote to memory of 2792	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 3032 wrote to memory of 2792	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 3032 wrote to memory of 2688	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 3032 wrote to memory of 2688	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 3032 wrote to memory of 2688	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 3032 wrote to memory of 2636	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 3032 wrote to memory of 2636	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 3032 wrote to memory of 2636	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 3032 wrote to memory of 2544	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 3032 wrote to memory of 2544	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 3032 wrote to memory of 2544	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 3032 wrote to memory of 2336	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 3032 wrote to memory of 2336	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 3032 wrote to memory of 2336	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 3032 wrote to memory of 2768	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 3032 wrote to memory of 2768	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 3032 wrote to memory of 2768	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 3032 wrote to memory of 1428	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 3032 wrote to memory of 1428	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 3032 wrote to memory of 1428	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 3032 wrote to memory of 692	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 3032 wrote to memory of 692	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 3032 wrote to memory of 692	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 3032 wrote to memory of 772	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 3032 wrote to memory of 772	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 3032 wrote to memory of 772	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 3032 wrote to memory of 756	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 3032 wrote to memory of 756	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 3032 wrote to memory of 756	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 3032 wrote to memory of 2284	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 3032 wrote to memory of 2284	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 3032 wrote to memory of 2284	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 3032 wrote to memory of 2624	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 3032 wrote to memory of 2624	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 3032 wrote to memory of 2624	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 3032 wrote to memory of 2704	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 3032 wrote to memory of 2704	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 3032 wrote to memory of 2704	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 3032 wrote to memory of 2564	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 3032 wrote to memory of 2564	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 3032 wrote to memory of 2564	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 3032 wrote to memory of 2436	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 3032 wrote to memory of 2436	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 3032 wrote to memory of 2436	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 3032 wrote to memory of 2012	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 3032 wrote to memory of 2012	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 3032 wrote to memory of 2012	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 3032 wrote to memory of 1948	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 3032 wrote to memory of 1948	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 3032 wrote to memory of 1948	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 3032 wrote to memory of 1724	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 3032 wrote to memory of 1724	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 3032 wrote to memory of 1724	3032	2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_1b7deb1a82a7af372458458b5e2f4688_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\System\AcDwdAb.exe
  C:\Windows\System\AcDwdAb.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\SfaKysN.exe
  C:\Windows\System\SfaKysN.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\SjRFnpK.exe
  C:\Windows\System\SjRFnpK.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\AJTMemm.exe
  C:\Windows\System\AJTMemm.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\BDxSlGI.exe
  C:\Windows\System\BDxSlGI.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\HiMyVhw.exe
  C:\Windows\System\HiMyVhw.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\NlBTWap.exe
  C:\Windows\System\NlBTWap.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\rSMequb.exe
  C:\Windows\System\rSMequb.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\rsBAQXq.exe
  C:\Windows\System\rsBAQXq.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\RYImKEY.exe
  C:\Windows\System\RYImKEY.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\oNSqUVN.exe
  C:\Windows\System\oNSqUVN.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System\BqYywjP.exe
  C:\Windows\System\BqYywjP.exe
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\System\aiSFlPb.exe
  C:\Windows\System\aiSFlPb.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\zRmawWb.exe
  C:\Windows\System\zRmawWb.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\GzfSQLO.exe
  C:\Windows\System\GzfSQLO.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\IelPboD.exe
  C:\Windows\System\IelPboD.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\dYlIhuT.exe
  C:\Windows\System\dYlIhuT.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\ezdZvta.exe
  C:\Windows\System\ezdZvta.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\OYTyifK.exe
  C:\Windows\System\OYTyifK.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\DAQVydD.exe
  C:\Windows\System\DAQVydD.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\bjMwUfT.exe
  C:\Windows\System\bjMwUfT.exe
  2⤵
  - Executes dropped EXE
  PID:1724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\HiMyVhw.exe

Filesize
5.7MB

MD5
53a9e6d21d0d3cc6f28f9653ea4b37fe

SHA1
265af3cba11d8f9d8cf6fa1a76f9c6888f5426ba

SHA256
6bcd04a95cb0d27fc5b52b01a4cc116fe456017eb975329e6eff6c1b36bb39a2

SHA512
93df3d7eeef0ca6a14928ee262f965ad847e5985cbe87fbd1e7a54ec4807fcddec13a44b92c96ca18705c9d5684c6d5a846927309c9e55888223b60af3630d88

Download Submit
C:\Windows\system\NlBTWap.exe

Filesize
5.7MB

MD5
b26b5c5cba5900206a0cea79513ca0d0

SHA1
b902f5a81ea3afebc4b7cb477cdef91fff2eadbb

SHA256
ea2c851d4cf3c5b18a5973ae9bc9ee2571f9393adbf262da68cc2041d2c6a350

SHA512
8c7049abe40d11239afa9de12824bf6a9174e3879e03f6119c853b837443e0bb4ff753b94c5967f8576722af071104d2c356f951cdf667af6315611e257395f5

Download Submit
C:\Windows\system\OYTyifK.exe

Filesize
5.7MB

MD5
666a3d6c7105199b2fe50fda65ae288e

SHA1
acaa06795d2ebc1c272975a293ef8e76b0b1a2b0

SHA256
5d6326a467c949d4811e6b52b7fa67a478f034b997fdb5c9d25c45c5124b9b41

SHA512
d15729c99bc4e7d2c375e88e39886c7b25f0f6f6c19dca9a16bf8d20297845075fb18553ca24736465e3c726cca2c984791610c04eb6daac23d1f829a4a00ae9

Download Submit
C:\Windows\system\RYImKEY.exe

Filesize
5.7MB

MD5
4e78aad9ba74f086fa216f165d24f137

SHA1
23e73ad018684a7c5b2fd74ec21db2a7df1652e5

SHA256
bb094e7607e31bd97b3c8670d6a984436532e2ad8f5f8575c539fc1c2d753881

SHA512
802339d0a4ecc05eeac1ccf37f72a69ecea0063af473b8f8cd488a79caf0bdd281735df98e7330ac92d11769921977d62e16fbab6f59d82c4ea14b6f0e5d69b6

Download Submit
C:\Windows\system\SjRFnpK.exe

Filesize
5.7MB

MD5
af534ff7779adf75f4d769021b409dfe

SHA1
5adbb13983bdf71f42dcdc7b86034df6dca3d520

SHA256
a6ff12ec9958bf3a151626e41db1edd2b11dee62727897ceee639382b0c35498

SHA512
56fedd025e686c2d3678cc4d9049724dbebff788c68dad667047931a915ce0b31aab3eaf10ae88f435f041ab32fbfc9cacc8ab93497e04ea7bf3275263658496

Download Submit
C:\Windows\system\aiSFlPb.exe

Filesize
5.7MB

MD5
8e4fbf1fab3ba5124888b02022a4fd13

SHA1
a9fa61fb05903b13ac482224f1fd564794bb0b5b

SHA256
24f93926dca6a3adc3b2e63fec11f0b651000425aa6b5cdc8a406a54bcb71839

SHA512
22ae26f5c3caab5d63920d45f12df3fe4561e090cd878f59d3a0bdbb874fd61ec0afebc72feb92f3f91db18ed5d5c487f5fd7363716a79fa8b8416be3d3478b1

Download Submit
C:\Windows\system\bjMwUfT.exe

Filesize
5.7MB

MD5
7c24cdabc6986d1c181b1c902e972363

SHA1
b6df07aab46398a56d2d47b24bbfd0f19ea0c3c1

SHA256
1334002489a3a5bf6e0f8279270d7de83e9e617c1893bd7cb08be094202ac789

SHA512
8b1fef949fa05e8e460055cf11c85f96f6bf61207f23a3d622905b91a79a2e89793c41bc5e108f8900212dedd3d09f1db5a43d1022ed61eec0e9b910e05e6c2b

Download Submit
C:\Windows\system\dYlIhuT.exe

Filesize
5.7MB

MD5
1db421bf972b63c40d271b9571aebb1f

SHA1
6a6b790e1a112d281bb89ffc9c475fbd03cfe643

SHA256
fbcc597a9789eda6bc5d9b27721da6976d019b5263be01ab086590b746a6dd42

SHA512
d139ea5957c99eeb9a1cd0ce2d23d88e9c76782fe758391929908e2cf644cf9b28c69473f5781a134ea636363b60c099bec7c84b5e5461eb70c0d0c3b6a73b2a

Download Submit
C:\Windows\system\oNSqUVN.exe

Filesize
5.7MB

MD5
fda6ce7fef27d3cb88ead58b0df03bc6

SHA1
b14ede90278331ad8c46f4c542dd0cee1a9658f5

SHA256
404950b1155a9414fc7801bc316b8c18b9ea9a64acbed06a1448ef2b0aed5da0

SHA512
b25c8b49bb6c63973546f1d66c5bda7655ca8dbc9d14fc34e6824834355d7e7148ea82cd5538d03d93d2166d67c0939887d1f130018ad0bf00662f3233fbdb2a

Download Submit
C:\Windows\system\rsBAQXq.exe

Filesize
5.7MB

MD5
c3f3e4cbd922c090b2ec375124b04029

SHA1
01cfbad8e8f648361f2c222651815026beca8344

SHA256
be825260ee1cffb3382427ec0920268d4b3da76f3cc2616e6160c89bf9df9f34

SHA512
31ee1b3fad55e46f5faac05e62a3bf918b8ccf024fa95b1ab08354c00e26fba8a83609ac955d806da04eddeb30b93b54f3f389c6925d915d72320d3ce42d60be

Download Submit
\Windows\system\AJTMemm.exe

Filesize
5.7MB

MD5
0ad14bac5db6120f4e3bb61b8bb8b471

SHA1
12845f093c749a7b3f1210e8cd15ffa4ddc03dc3

SHA256
234e4486c71fe37d51f63b6ef29ed3055b0da72e4f73027270ae28ea8377070d

SHA512
cd7aef01612d38d4e3200d0e8bdd8d92a89f63b97ec53d51e9cf33767420647f204243ff4984db2a2b2e70e47a7ba1511fc809e110f38b6a78fb205df3a547ee

Download Submit
\Windows\system\AcDwdAb.exe

Filesize
5.7MB

MD5
26f73a945b97705bbee77acb29c10571

SHA1
731a4a7acad104fe28412f0431757e6e19075325

SHA256
303e9a5ba51647f316b5799d5373021dc06ecf75663da5aaa06f66f79c0705a0

SHA512
b0224bb44e6e8ed54d99deb577b5ed74dfdeb9abf61657c5e9a6f0482e3997b17fc5ff3658d2e9b5e40f538dbf265811f63df08eff064974eb64c8f5ce42b715

Download Submit
\Windows\system\BDxSlGI.exe

Filesize
5.7MB

MD5
f185e20e768d7f5d4dafb4190b538c38

SHA1
2d7c66abbdba6fee0464a45a0e4014f3f924fff3

SHA256
6b95cec388f0c0a67d0ba97bc25bac642598e77014a75eb4309e1a0f7ffdc075

SHA512
0bed3e191d8b6496a49aca682f4cccccbc2dba02433159754125281c0c3e466aabfb839267f602dc304b42e2e6721d84f8ab32d6d161de7632ac90dc14291a6a

Download Submit
\Windows\system\BqYywjP.exe

Filesize
5.7MB

MD5
ad09f88f8d9eac7655f0cd9a1d5b980c

SHA1
fa685117ddb7c6cbf1b4e1f683173c0719a26983

SHA256
fd3b9f4686d3549a4b0021619120fcc1a45068f6e92a1c07ea606ee757cea4e5

SHA512
b116a82c1f648aee5529b3d4ab5311418d91fbeb29ac2ab80208b17e007b3bc18d77b615a30276269151bde966b0a719f0e74b67fa4e939e47690cf2351a5ff5

Download Submit
\Windows\system\DAQVydD.exe

Filesize
5.7MB

MD5
04b8f4f25698a6a38217042c492e3b56

SHA1
5f0e628d6af36f4d68e832407be392e4fb8058f0

SHA256
4ab6673eb73038d94c87bf6c2345b7e72471427dc366f916f39dff35f15f4a3b

SHA512
f3d3309f4731a343d8b7d172b810727afb6fb424a363b976445e55bc23a07f3ed9217b92253d63c7fb5ef18868aa164103da1754aed1e0fef020c2b4393ead88

Download Submit
\Windows\system\GzfSQLO.exe

Filesize
5.7MB

MD5
fb4d9f3464c792f31a0ad8e124a1bad7

SHA1
f9207866e65e06361bdd906cb4bfffebbfbdeeaf

SHA256
792f0a8d065b2cd7ec6ec2453d0e5377873601b16f100befec8fbdbde8176448

SHA512
fecb41551d39013780edb8dcdeeb53beea33c504ed3e5aed8dac8262a8ced7250416e6cec85416f915a1a354adc81e71493adfb5bacbf56a084077c19f5dfac2

Download Submit
\Windows\system\IelPboD.exe

Filesize
5.7MB

MD5
83cf17b01e26c509e9c647726144e66b

SHA1
8362a8fe44df4efc208fb43543ccebb9fd541d88

SHA256
77014f64ceb067c5dfcf67c98ef98e58ceeb96aff7b37ac519ec4d6961a66f82

SHA512
b631a84b4dd9e01fbe513b1c030c3985ff8bc5975efd048bbedb8c48ff227c5122158bc686d8d4b088f94aac10076f2ea66c0ac8067b4220b3c0efb21406529d

Download Submit
\Windows\system\SfaKysN.exe

Filesize
5.7MB

MD5
75660f290c85bf687119d7e69feab3a5

SHA1
67300b2f822a58b66243850ecf00613977ece9c9

SHA256
aff0d5da963ea27fd9a1f59c0c9fa390f100a60f719ac82ff33c59945967a919

SHA512
14cc86ea40ffdf8767f4228e01af4cd5e6f2f4f3bffbfbfb2673a5669bfcc440d2a6582c8162dca7a87664bae925aa1f33ce78f53478ec757aee017bbffcfe37

Download Submit
\Windows\system\ezdZvta.exe

Filesize
5.7MB

MD5
7f21ab6dadb907e8958920b81980a853

SHA1
82638e24c56b8118287cb5d1579204a6444aa2c4

SHA256
3ae161c77060453b0c95f1732b2737d6faed89371d5f0d044cd605747b22b9e0

SHA512
974e6a80087ad77c07274bc50dfef2aeb52653c265a4a4314b8d68536812b7bfab713d9c42bd164de0f14de0ddf7a9f57f649db51fe3adc246e569a051c70dff

Download Submit
\Windows\system\rSMequb.exe

Filesize
5.7MB

MD5
bd7e1581a3477943a3ad23f3a5dae27f

SHA1
8cddf8ab4f86e55a7899acc46a48957dd86652d9

SHA256
22292dc313f0783dab3ffefec5419643c6d245c6d4ad3d6f66e340480227a17a

SHA512
a27e305d42891686557ffff9135f7e23ca8cd342de597d01512e4c8cbe836d9df00e6bae1f54441c015ecd6ef45dcb2ee12da40d795ee59bf9db2abb0c123060

Download Submit
\Windows\system\zRmawWb.exe

Filesize
5.7MB

MD5
2ece4e7949add9af9a35cf26aed008b9

SHA1
a4192c88e950fc8e8a8a8ce2a51b47de9bd30303

SHA256
a446a4d3d605b378bf6173a02627eeb7caa2930beee6204de00e0bf0a3e0c8ca

SHA512
da37006e987857ecc37dedca1ff3bd83dba0f7c05976294b39a21880e984f80ebb7567ac4d67c92ecc22db44ad5d2587e75b24f0c76e6c9ddcc0af2cd6972c6a

Download Submit
memory/692-74-0x000000013F0E0000-0x000000013F42D000-memory.dmp

Filesize
3.3MB

Download
memory/756-104-0x000000013F050000-0x000000013F39D000-memory.dmp

Filesize
3.3MB

Download
memory/772-116-0x000000013FBC0000-0x000000013FF0D000-memory.dmp

Filesize
3.3MB

Download
memory/1428-115-0x000000013FFE0000-0x000000014032D000-memory.dmp

Filesize
3.3MB

Download
memory/1948-120-0x000000013FF50000-0x000000014029D000-memory.dmp

Filesize
3.3MB

Download
memory/2012-107-0x000000013F6B0000-0x000000013F9FD000-memory.dmp

Filesize
3.3MB

Download
memory/2284-117-0x000000013F170000-0x000000013F4BD000-memory.dmp

Filesize
3.3MB

Download
memory/2336-114-0x000000013FFC0000-0x000000014030D000-memory.dmp

Filesize
3.3MB

Download
memory/2436-119-0x000000013F020000-0x000000013F36D000-memory.dmp

Filesize
3.3MB

Download
memory/2532-19-0x000000013FA30000-0x000000013FD7D000-memory.dmp

Filesize
3.3MB

Download
memory/2544-36-0x000000013F130000-0x000000013F47D000-memory.dmp

Filesize
3.3MB

Download
memory/2564-106-0x000000013FF20000-0x000000014026D000-memory.dmp

Filesize
3.3MB

Download
memory/2624-105-0x000000013F090000-0x000000013F3DD000-memory.dmp

Filesize
3.3MB

Download
memory/2636-55-0x000000013F4A0000-0x000000013F7ED000-memory.dmp

Filesize
3.3MB

Download
memory/2652-13-0x000000013FD60000-0x00000001400AD000-memory.dmp

Filesize
3.3MB

Download
memory/2688-42-0x000000013F7F0000-0x000000013FB3D000-memory.dmp

Filesize
3.3MB

Download
memory/2704-118-0x000000013F560000-0x000000013F8AD000-memory.dmp

Filesize
3.3MB

Download
memory/2752-7-0x000000013FEC0000-0x000000014020D000-memory.dmp

Filesize
3.3MB

Download
memory/2768-63-0x000000013F530000-0x000000013F87D000-memory.dmp

Filesize
3.3MB

Download
memory/2792-41-0x000000013F4E0000-0x000000013F82D000-memory.dmp

Filesize
3.3MB

Download
memory/3032-1-0x0000000001B20000-0x0000000001B30000-memory.dmp

Filesize
64KB

Download
memory/3032-0-0x000000013F610000-0x000000013F95D000-memory.dmp

Filesize
3.3MB

Download