cobaltstrike | f59bdf91166adc7ab0bece3d0edfb4f7725b2bf6cda10de8022fd4eff066444f

Analysis

max time kernel
137s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

4fc025f4fabc9fd37315f7a23b08f429
SHA1

c5bd48ea66b8a0c761b06892df19b7075a1cb5ca
SHA256

f59bdf91166adc7ab0bece3d0edfb4f7725b2bf6cda10de8022fd4eff066444f
SHA512

6e1e4258bab652bf95f2b558c4ec22a2d46d04bdad8e332e6242789a1998d81268e604c086ce6a27b6ace8f72c592996fe98d5c4e86079c0e50e179e952ce02f
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUN:j+R56utgpPF8u/7N

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0008000000012102-5.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000173b2-7.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000173ee-14.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000173f6-21.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001746c-27.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000017474-33.dat	cobalt_reflective_dll
behavioral1/files/0x000a00000001749c-40.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019238-45.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019614-57.dat	cobalt_reflective_dll
behavioral1/files/0x0033000000016e73-52.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000196ac-81.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c53-119.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c38-114.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c3a-113.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c36-106.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001966c-90.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019618-87.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000196e8-84.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001997c-93.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001962a-72.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019616-63.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral1/memory/2708-0-0x000000013F640000-0x000000013F98D000-memory.dmp	xmrig
behavioral1/files/0x0008000000012102-5.dat	xmrig
behavioral1/files/0x00080000000173b2-7.dat	xmrig
behavioral1/memory/2716-19-0x000000013FCA0000-0x000000013FFED000-memory.dmp	xmrig
behavioral1/memory/2964-16-0x000000013FE10000-0x000000014015D000-memory.dmp	xmrig
behavioral1/memory/2868-15-0x000000013F240000-0x000000013F58D000-memory.dmp	xmrig
behavioral1/files/0x00070000000173ee-14.dat	xmrig
behavioral1/files/0x00070000000173f6-21.dat	xmrig
behavioral1/files/0x000700000001746c-27.dat	xmrig
behavioral1/memory/2816-25-0x000000013F0F0000-0x000000013F43D000-memory.dmp	xmrig
behavioral1/memory/2748-31-0x000000013F930000-0x000000013FC7D000-memory.dmp	xmrig
behavioral1/files/0x0007000000017474-33.dat	xmrig
behavioral1/memory/2812-42-0x000000013F300000-0x000000013F64D000-memory.dmp	xmrig
behavioral1/memory/2724-41-0x000000013FE30000-0x000000014017D000-memory.dmp	xmrig
behavioral1/files/0x000a00000001749c-40.dat	xmrig
behavioral1/files/0x0006000000019238-45.dat	xmrig
behavioral1/memory/3052-55-0x000000013F740000-0x000000013FA8D000-memory.dmp	xmrig
behavioral1/files/0x0005000000019614-57.dat	xmrig
behavioral1/memory/2632-50-0x000000013F9F0000-0x000000013FD3D000-memory.dmp	xmrig
behavioral1/files/0x0033000000016e73-52.dat	xmrig
behavioral1/memory/2376-75-0x000000013F680000-0x000000013F9CD000-memory.dmp	xmrig
behavioral1/files/0x00050000000196ac-81.dat	xmrig
behavioral1/memory/1252-96-0x000000013FD90000-0x00000001400DD000-memory.dmp	xmrig
behavioral1/files/0x0005000000019c53-119.dat	xmrig
behavioral1/memory/2792-108-0x000000013FC10000-0x000000013FF5D000-memory.dmp	xmrig
behavioral1/memory/2072-115-0x000000013F0B0000-0x000000013F3FD000-memory.dmp	xmrig
behavioral1/files/0x0005000000019c38-114.dat	xmrig
behavioral1/files/0x0005000000019c3a-113.dat	xmrig
behavioral1/files/0x0005000000019c36-106.dat	xmrig
behavioral1/memory/1920-102-0x000000013FBB0000-0x000000013FEFD000-memory.dmp	xmrig
behavioral1/memory/2104-125-0x000000013FB20000-0x000000013FE6D000-memory.dmp	xmrig
behavioral1/memory/944-100-0x000000013FDE0000-0x000000014012D000-memory.dmp	xmrig
behavioral1/memory/828-99-0x000000013F150000-0x000000013F49D000-memory.dmp	xmrig
behavioral1/memory/380-122-0x000000013F660000-0x000000013F9AD000-memory.dmp	xmrig
behavioral1/files/0x000500000001966c-90.dat	xmrig
behavioral1/files/0x0005000000019618-87.dat	xmrig
behavioral1/files/0x00050000000196e8-84.dat	xmrig
behavioral1/files/0x000500000001997c-93.dat	xmrig
behavioral1/memory/2196-73-0x000000013F020000-0x000000013F36D000-memory.dmp	xmrig
behavioral1/files/0x000500000001962a-72.dat	xmrig
behavioral1/memory/2096-65-0x000000013F770000-0x000000013FABD000-memory.dmp	xmrig
behavioral1/files/0x0005000000019616-63.dat	xmrig
behavioral1/memory/2144-88-0x000000013FDF0000-0x000000014013D000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2868	KXCBAIs.exe
2716	trdywgs.exe
2964	DERAAsD.exe
2816	mcYofLE.exe
2748	UzWgeOh.exe
2724	jToLPbj.exe
2812	qbndVoS.exe
2632	zUwTUWA.exe
3052	YIDNXQZ.exe
2376	netFkSG.exe
2096	IpIcqwj.exe
2196	KGWNBIP.exe
2144	QHIHPsN.exe
944	MCleApk.exe
1920	AgFqPyi.exe
1252	IhjEcax.exe
828	dfPvzmL.exe
2792	sldgZYy.exe
2072	fyEvCRV.exe
380	afkQoGt.exe
2104	RPjzQqO.exe

Loads dropped DLL 21 IoCs

pid	Process
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\IhjEcax.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\trdywgs.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UzWgeOh.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zUwTUWA.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\netFkSG.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KGWNBIP.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AgFqPyi.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dfPvzmL.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DERAAsD.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jToLPbj.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sldgZYy.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RPjzQqO.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mcYofLE.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qbndVoS.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YIDNXQZ.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QHIHPsN.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\afkQoGt.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KXCBAIs.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IpIcqwj.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MCleApk.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fyEvCRV.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2868	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2708 wrote to memory of 2868	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2708 wrote to memory of 2868	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2708 wrote to memory of 2716	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2708 wrote to memory of 2716	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2708 wrote to memory of 2716	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2708 wrote to memory of 2964	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2708 wrote to memory of 2964	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2708 wrote to memory of 2964	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2708 wrote to memory of 2816	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2708 wrote to memory of 2816	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2708 wrote to memory of 2816	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2708 wrote to memory of 2748	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2708 wrote to memory of 2748	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2708 wrote to memory of 2748	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2708 wrote to memory of 2724	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2708 wrote to memory of 2724	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2708 wrote to memory of 2724	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2708 wrote to memory of 2812	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2708 wrote to memory of 2812	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2708 wrote to memory of 2812	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2708 wrote to memory of 2632	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2708 wrote to memory of 2632	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2708 wrote to memory of 2632	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2708 wrote to memory of 3052	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2708 wrote to memory of 3052	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2708 wrote to memory of 3052	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2708 wrote to memory of 2096	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2708 wrote to memory of 2096	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2708 wrote to memory of 2096	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2708 wrote to memory of 2376	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2708 wrote to memory of 2376	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2708 wrote to memory of 2376	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2708 wrote to memory of 2144	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2708 wrote to memory of 2144	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2708 wrote to memory of 2144	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2708 wrote to memory of 2196	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2708 wrote to memory of 2196	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2708 wrote to memory of 2196	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2708 wrote to memory of 1920	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2708 wrote to memory of 1920	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2708 wrote to memory of 1920	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2708 wrote to memory of 944	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2708 wrote to memory of 944	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2708 wrote to memory of 944	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2708 wrote to memory of 828	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2708 wrote to memory of 828	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2708 wrote to memory of 828	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2708 wrote to memory of 1252	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2708 wrote to memory of 1252	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2708 wrote to memory of 1252	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2708 wrote to memory of 2792	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2708 wrote to memory of 2792	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2708 wrote to memory of 2792	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2708 wrote to memory of 2072	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2708 wrote to memory of 2072	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2708 wrote to memory of 2072	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2708 wrote to memory of 2104	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2708 wrote to memory of 2104	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2708 wrote to memory of 2104	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2708 wrote to memory of 380	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2708 wrote to memory of 380	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2708 wrote to memory of 380	2708	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\System\KXCBAIs.exe
  C:\Windows\System\KXCBAIs.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\trdywgs.exe
  C:\Windows\System\trdywgs.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\DERAAsD.exe
  C:\Windows\System\DERAAsD.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\mcYofLE.exe
  C:\Windows\System\mcYofLE.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\UzWgeOh.exe
  C:\Windows\System\UzWgeOh.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\jToLPbj.exe
  C:\Windows\System\jToLPbj.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\qbndVoS.exe
  C:\Windows\System\qbndVoS.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\zUwTUWA.exe
  C:\Windows\System\zUwTUWA.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\YIDNXQZ.exe
  C:\Windows\System\YIDNXQZ.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\IpIcqwj.exe
  C:\Windows\System\IpIcqwj.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\netFkSG.exe
  C:\Windows\System\netFkSG.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\QHIHPsN.exe
  C:\Windows\System\QHIHPsN.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\KGWNBIP.exe
  C:\Windows\System\KGWNBIP.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\AgFqPyi.exe
  C:\Windows\System\AgFqPyi.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\MCleApk.exe
  C:\Windows\System\MCleApk.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System\dfPvzmL.exe
  C:\Windows\System\dfPvzmL.exe
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\System\IhjEcax.exe
  C:\Windows\System\IhjEcax.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\sldgZYy.exe
  C:\Windows\System\sldgZYy.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\fyEvCRV.exe
  C:\Windows\System\fyEvCRV.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\RPjzQqO.exe
  C:\Windows\System\RPjzQqO.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\afkQoGt.exe
  C:\Windows\System\afkQoGt.exe
  2⤵
  - Executes dropped EXE
  PID:380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AgFqPyi.exe

Filesize
5.7MB

MD5
00cf5106e85b9e960d10741bb267e9b4

SHA1
ada4cc79293a43e8562a83bc6d9755a50ebaf4cb

SHA256
2615d49a3958ec135805bf57e64e59d69248adf0ccbf228e8341a258c40da132

SHA512
adc1043c04c06f7dffe0eeb4b6d3abb6ee4ff54992f69df6b8551c1f6c3a86dc1d928b311ac1bc9be278d0640868fbb003d45b0c2dd1117dcb49e1453152ec69

Download Submit
C:\Windows\system\DERAAsD.exe

Filesize
5.7MB

MD5
030378d4e4fc92efa606108d882f6696

SHA1
1be7968d746745d4f0225a01d4f22f29e87d13aa

SHA256
c34f6683fbe439c4e04584463db2fa298700b62180744782a94f872a8b4dfe6a

SHA512
401d7e22f72daa0b8d903c417e4240e5bb01ab739ff5c31e55c4ddfd68849cabd47ff87a2d17f936260ded8d9db77a33d6396031999b7254e03efc62c6f99962

Download Submit
C:\Windows\system\IhjEcax.exe

Filesize
5.7MB

MD5
1db6c8dcfa4a894d093e55df1b67dade

SHA1
f3ca470e99d1d8c79a90f4ebcda116a8ac247285

SHA256
6b6fd2b608814f93c93f9158ed6ee43468f8c31d926f37026d26b7b3a6b3f76b

SHA512
393668366de714d5f6b6c61a023bcc7c5872f340040d50bb9be73c846979c3c91f2bf1e96fb50474e8698281ff8cb50e9c3f1072d5de47c6b6da527a4475c902

Download Submit
C:\Windows\system\KGWNBIP.exe

Filesize
5.7MB

MD5
6fe9ca99c980a9c9f2ec87f9003b4250

SHA1
91444aaa8c523bc26918501cc3dac8ca34902141

SHA256
5db9d6ee9caf044b7b74367b8f03389b4577e0aa448e18a1a490160eefabe81a

SHA512
93f187389db125c6112b8df21bee93adf2a70bb1d4f45dab4a97def923469c7d3e609a7ac3a29e8a41e3d6c5408684596f4dc4702ac43f49046796d000e3fe67

Download Submit
C:\Windows\system\KXCBAIs.exe

Filesize
5.7MB

MD5
743337ae18c29a25dc5c8494008ee6fa

SHA1
e7ab2fb92de376cb92054acf040b6ed965f401d9

SHA256
4582cc3ed5f589c27eecfe9e1f6f9f864e47a14b2899d09e8463482e0e436136

SHA512
fe4615163f7aa75404367d30c48c6ee20da7e9c693d8987305d12a921a18733f90f80b3809bcbc8ff9a7b0e2042671e1d2f58527d4cb813f2b4f9364379b18ae

Download Submit
C:\Windows\system\QHIHPsN.exe

Filesize
5.7MB

MD5
3de5fcb41fe8e7d2b4c9bba55727ae7b

SHA1
9714f6300680e8dac79acee811e7c8a361fffa5b

SHA256
790a50f447061f95a5153e0bfebeb7c175018c3e7c9dff0bb145141309c4f898

SHA512
345490f43a02524a49110b788becb4e59f4a177814cf1f7cede6e0e96ca8f7c41e56dc8d5b42e47130e4e477ecb04c6c1b47d73a861128772372915111495e82

Download Submit
C:\Windows\system\YIDNXQZ.exe

Filesize
5.7MB

MD5
7435fdc6d6063625b9dbbca3c396f6e8

SHA1
662171b4a84d3f4695d077afb0f8dd41e9e291d3

SHA256
aee5522817a8f9cc4f97fda2e3f89aac99bdb2bad6c4a3cd1bc0aec1d8d037f4

SHA512
87b4259155ef268f064e856d1e37a0798c1faf642cc26c25b937959e107f923c7dc04c627411c287c64fae37ad0d331601761d517a30780b0fe82db47ff96469

Download Submit
C:\Windows\system\fyEvCRV.exe

Filesize
5.7MB

MD5
f47739dce120eee702565a079e15368f

SHA1
3eff64f7b70c37f116ec40935b6a5e505461de6c

SHA256
f0defb6586c31834826c59f30041a04ea2dbd5955a8f54f8a9092e21fb4e1f44

SHA512
1c25f68d6bdd0d93cd5eeaa61e23cd9a205934c225230a85d5386f7694fd64fb33f6cec06d379c9a05371f2507aef3e24ed052620e811298c3d877c84d014858

Download Submit
C:\Windows\system\netFkSG.exe

Filesize
5.7MB

MD5
6b8e28942822c520f0cc42e8a643cea4

SHA1
d53f2c5edbcd23aadc4c17b1f8fe3ad28fb43d66

SHA256
7d5a0969e7ce80864a61f5225e3c7ed3c3fd420a485997c338d98b7619c44664

SHA512
5fadb633b2635db6f309e3ccf13c1d93d01d941f674272005a27a5f3a18cac5270d98c512d68708233cfa81084b6460678d19321333aaae9115dab3c61c5336f

Download Submit
C:\Windows\system\qbndVoS.exe

Filesize
5.7MB

MD5
56278230b5d5eef373a466ca9596ee26

SHA1
44e3a516f2d8ef8bdf12623f9c4b9b000890aa81

SHA256
f0745702996892fe0b73032f7bf4e834bc9866b09253c797c569aa897efc25f1

SHA512
508dcad2dffba5e4bb0edfc840098e7ef5d412f335d01ddf16bac59be16eb07b3ec6f6db047010363abe92384bef2136d9215d4c502bd5428eb6a31c5c9a1f70

Download Submit
C:\Windows\system\sldgZYy.exe

Filesize
5.7MB

MD5
5ded865f70f03d0db2ba6a96f97c6344

SHA1
27820a57b6b36cef1e3c34de84827acdba9a5d93

SHA256
c1cdd668e4035f34b24d91af162cc990375fdacf141ca668833caeef8d33f90d

SHA512
2f3aa4460b9af587771b0350f2a34f8ce50dced74632dd7b06c4f224bf2c396086b2f64bc45be31aced8f3149d44196448a8f30e950dcf58204af31da0af5c85

Download Submit
\Windows\system\IpIcqwj.exe

Filesize
5.7MB

MD5
db1275d4a01e66b9b259149530f57a3d

SHA1
5b5d99c9e59c575b4c8999b066204231c71aa844

SHA256
3f96981e4c88c0992c0916f7ec9eb692116d8151f65723d81388fafb85e90264

SHA512
218ba799dfce270855525847ad3bd9f6f27c81d0e4d66fc2918d61129cd2bb036db768bcf76252758110ce453bf585fd900928b82dee0d94aa433557f5759d4d

Download Submit
\Windows\system\MCleApk.exe

Filesize
5.7MB

MD5
c42cc46097eb4c4ac45b49dfa70e64e5

SHA1
e4ee47864e9d0c4bb301eb9522c5946ba6ed3427

SHA256
09293356cc36c6cd411ca188a99876315c486643404d29c5a33002ff4df0ed7b

SHA512
5a9656fa5d9acef84c65028bdbb394bd41f5975d7f2c0e0736f376063158283407f1ce8a44234885980655b0e49d8377583fed316a91ff4621e364fb6848346c

Download Submit
\Windows\system\RPjzQqO.exe

Filesize
5.7MB

MD5
772cc1dd81cecc84533554f8c99431a6

SHA1
74a47ee554b655fdc4265eee8e66287bb3ce80b4

SHA256
d78918c9e88637abc08b28ba7b3863ee1111f70fa5763d0a24352588b73e8794

SHA512
ede36f13413af06c8f94cddacd22ce4cf4a8207fed7ebc653bc7a69b0895ed650b5d442a3450724b09d147f852e55e98dc21e215751c6d32451748e8ea59b139

Download Submit
\Windows\system\UzWgeOh.exe

Filesize
5.7MB

MD5
ffe2d097f7ef71df4d166c836fb3df7c

SHA1
797acc37d1620cf39549a771b0bea9ea008c9457

SHA256
7f1dead40b7db21f4bec1b76ac156dd4ba9e32c6b701bea137b1a2c70e510c6b

SHA512
ff9154355acc5d09579d7e5a68679e3494479d2577b5fb114cc29705ff09a71b5142de44d358a6bc8369c110fbf8b80a49cd4eebe3804dd77a6ed95273abf504

Download Submit
\Windows\system\afkQoGt.exe

Filesize
5.7MB

MD5
96ab2813a1c6c47b6deb539798ec2218

SHA1
9b6f2a58d862279864dcadb98a8a3060c3b793dd

SHA256
b1d1892f9ac1973e120f7d305a1fd13f1049bec1c9871e0f1777ad78f797c713

SHA512
b9ca2d1fc6c77330b724ed950e87dda501bb0a703b33ded1ba8f218c122502988f12648e7be515bc5433561b470ad7842d7060bad3b06cc920e9c8a3a88d4a46

Download Submit
\Windows\system\dfPvzmL.exe

Filesize
5.7MB

MD5
20987b953759cc443237d7e53bc1463a

SHA1
6de45f6397e5ef77c227bf5432b9e82b67993440

SHA256
27d8d17eeed28f411469c30fc32c6166f98b71989c8f02bda28bda207dbb011b

SHA512
b25bcea986752bcc2d94411cf93216463257c66e8fc73d5c4b4295072b370b34990e76fa44ae6e6576a6cb9afeaf45364344d3cc62deb5d83add7b235618a4cc

Download Submit
\Windows\system\jToLPbj.exe

Filesize
5.7MB

MD5
37cd0e6bb152bc3b412a01a4b6a2527d

SHA1
486938ed45181789065700037e7bd7c6d1d6b86d

SHA256
f9153acd4a970c7e5a1e18a34442b523e9760d1640a37654f12cd16ccea695a1

SHA512
6162137e6045df15680accebc91bbb80366deddf96fdc0b1b00e22010da33d6d8f660beb8724225f57c7d9c762792d7aee144e22e025b64c623b67e274daa345

Download Submit
\Windows\system\mcYofLE.exe

Filesize
5.7MB

MD5
561d6bb4a4b40ee6bee05537132995a3

SHA1
ef9b07b5221d4fe6bcec5f9f0df39bfd84672370

SHA256
4c8a835c99acce7a2a9c3e260f506e394370148bbc75616899120d4011561d96

SHA512
39f6beaea1a7d31bd0de0db458b7f48550c65b1428351ae41d1cd23c1340225f66cb4047fc031fa3f6f331485931221ca1b48995bf19eccf1e33ae1811ab0cda

Download Submit
\Windows\system\trdywgs.exe

Filesize
5.7MB

MD5
e6fe8e332ce1be3a4be8048586a69879

SHA1
439b37a5534bbcb426b1dbe837e6aa04b44f4f4a

SHA256
cdfef9ba05536d0f1052eca40c16a05e59138e892abc40a2d44d2211c2499487

SHA512
62ca8ea2bc499b905470fd5717b13e800a27338a42b92c603a7dde576c24e66406536e41922492172dbce38f9d4350c80822c309f51f9d9aaa702a4db671b312

Download Submit
\Windows\system\zUwTUWA.exe

Filesize
5.7MB

MD5
97bbe065954059704b479f4a5bd96b2c

SHA1
be474320f0e7d7cb3def9e29c936c151c44d8a07

SHA256
583e02d36e3ac5c288094911cbebbc45242d10936a928e8b3f649bbe56552541

SHA512
f48ca7c00d246d3c4602abd22acb775499e33c1718f09a7aca629f2dd6136c8a1b98d96d40aba4548b47cd755a9ef238c6f90d3cc36f69b6411e61533d4c81b2

Download Submit
memory/380-122-0x000000013F660000-0x000000013F9AD000-memory.dmp

Filesize
3.3MB

Download
memory/828-99-0x000000013F150000-0x000000013F49D000-memory.dmp

Filesize
3.3MB

Download
memory/944-100-0x000000013FDE0000-0x000000014012D000-memory.dmp

Filesize
3.3MB

Download
memory/1252-96-0x000000013FD90000-0x00000001400DD000-memory.dmp

Filesize
3.3MB

Download
memory/1920-102-0x000000013FBB0000-0x000000013FEFD000-memory.dmp

Filesize
3.3MB

Download
memory/2072-115-0x000000013F0B0000-0x000000013F3FD000-memory.dmp

Filesize
3.3MB

Download
memory/2096-65-0x000000013F770000-0x000000013FABD000-memory.dmp

Filesize
3.3MB

Download
memory/2104-125-0x000000013FB20000-0x000000013FE6D000-memory.dmp

Filesize
3.3MB

Download
memory/2144-88-0x000000013FDF0000-0x000000014013D000-memory.dmp

Filesize
3.3MB

Download
memory/2196-73-0x000000013F020000-0x000000013F36D000-memory.dmp

Filesize
3.3MB

Download
memory/2376-75-0x000000013F680000-0x000000013F9CD000-memory.dmp

Filesize
3.3MB

Download
memory/2632-50-0x000000013F9F0000-0x000000013FD3D000-memory.dmp

Filesize
3.3MB

Download
memory/2708-0-0x000000013F640000-0x000000013F98D000-memory.dmp

Filesize
3.3MB

Download
memory/2708-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2716-19-0x000000013FCA0000-0x000000013FFED000-memory.dmp

Filesize
3.3MB

Download
memory/2724-41-0x000000013FE30000-0x000000014017D000-memory.dmp

Filesize
3.3MB

Download
memory/2748-31-0x000000013F930000-0x000000013FC7D000-memory.dmp

Filesize
3.3MB

Download
memory/2792-108-0x000000013FC10000-0x000000013FF5D000-memory.dmp

Filesize
3.3MB

Download
memory/2812-42-0x000000013F300000-0x000000013F64D000-memory.dmp

Filesize
3.3MB

Download
memory/2816-25-0x000000013F0F0000-0x000000013F43D000-memory.dmp

Filesize
3.3MB

Download
memory/2868-15-0x000000013F240000-0x000000013F58D000-memory.dmp

Filesize
3.3MB

Download
memory/2964-16-0x000000013FE10000-0x000000014015D000-memory.dmp

Filesize
3.3MB

Download
memory/3052-55-0x000000013F740000-0x000000013FA8D000-memory.dmp

Filesize
3.3MB

Download