cobaltstrike | d0cfcee5c86b5f229e2e908e00c1937666def8d045e49f6243ed1fd1f511c0f9

Analysis

max time kernel
141s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

9f757061a1f63b3ec5a7b62afb90623f
SHA1

f7b9728eab3f767e5816b4beb503eeed2ec46bb0
SHA256

d0cfcee5c86b5f229e2e908e00c1937666def8d045e49f6243ed1fd1f511c0f9
SHA512

144cb6b738219a36e5bbac5917d18926a2efff27b9b61fc7fd3b303b5f66302ba399578b10c2c32080f05f7b8154aae5820065150f4cbf88b05d93d99f693895
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lU/:j+R56utgpPF8u/7/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c00000001227e-3.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000195c5-7.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000019609-9.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001960d-19.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000019461-35.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001960f-30.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019838-59.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c59-84.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a037-123.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019efb-119.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019deb-113.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019dc0-102.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019dc2-106.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019cb9-95.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c5b-89.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c57-77.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000199bf-71.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000198f0-65.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000197f8-53.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000019615-48.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019611-42.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

resource	yara_rule
behavioral1/memory/1632-0-0x000000013F240000-0x000000013F58D000-memory.dmp	xmrig
behavioral1/files/0x000c00000001227e-3.dat	xmrig
behavioral1/files/0x00070000000195c5-7.dat	xmrig
behavioral1/memory/1936-11-0x000000013FCF0000-0x000000014003D000-memory.dmp	xmrig
behavioral1/files/0x0007000000019609-9.dat	xmrig
behavioral1/files/0x000600000001960d-19.dat	xmrig
behavioral1/memory/2016-12-0x000000013FF80000-0x00000001402CD000-memory.dmp	xmrig
behavioral1/memory/2876-23-0x000000013F840000-0x000000013FB8D000-memory.dmp	xmrig
behavioral1/memory/2248-25-0x000000013F470000-0x000000013F7BD000-memory.dmp	xmrig
behavioral1/files/0x0008000000019461-35.dat	xmrig
behavioral1/memory/2820-31-0x000000013FD30000-0x000000014007D000-memory.dmp	xmrig
behavioral1/files/0x000600000001960f-30.dat	xmrig
behavioral1/memory/2808-37-0x000000013F520000-0x000000013F86D000-memory.dmp	xmrig
behavioral1/memory/2848-49-0x000000013F510000-0x000000013F85D000-memory.dmp	xmrig
behavioral1/memory/2660-61-0x000000013F8E0000-0x000000013FC2D000-memory.dmp	xmrig
behavioral1/files/0x0005000000019838-59.dat	xmrig
behavioral1/memory/2556-67-0x000000013F3B0000-0x000000013F6FD000-memory.dmp	xmrig
behavioral1/files/0x0005000000019c59-84.dat	xmrig
behavioral1/memory/1732-91-0x000000013F550000-0x000000013F89D000-memory.dmp	xmrig
behavioral1/memory/2888-97-0x000000013FE10000-0x000000014015D000-memory.dmp	xmrig
behavioral1/memory/2796-121-0x000000013FD70000-0x00000001400BD000-memory.dmp	xmrig
behavioral1/files/0x000500000001a037-123.dat	xmrig
behavioral1/memory/2108-126-0x000000013FF90000-0x00000001402DD000-memory.dmp	xmrig
behavioral1/files/0x0005000000019efb-119.dat	xmrig
behavioral1/memory/2636-115-0x000000013FB50000-0x000000013FE9D000-memory.dmp	xmrig
behavioral1/files/0x0005000000019deb-113.dat	xmrig
behavioral1/files/0x0005000000019dc0-102.dat	xmrig
behavioral1/memory/2900-108-0x000000013FCD0000-0x000000014001D000-memory.dmp	xmrig
behavioral1/files/0x0005000000019dc2-106.dat	xmrig
behavioral1/files/0x0005000000019cb9-95.dat	xmrig
behavioral1/files/0x0005000000019c5b-89.dat	xmrig
behavioral1/memory/1716-85-0x000000013FDF0000-0x000000014013D000-memory.dmp	xmrig
behavioral1/memory/2596-79-0x000000013F640000-0x000000013F98D000-memory.dmp	xmrig
behavioral1/files/0x0005000000019c57-77.dat	xmrig
behavioral1/memory/2620-73-0x000000013F940000-0x000000013FC8D000-memory.dmp	xmrig
behavioral1/files/0x00050000000199bf-71.dat	xmrig
behavioral1/files/0x00050000000198f0-65.dat	xmrig
behavioral1/memory/2568-55-0x000000013F900000-0x000000013FC4D000-memory.dmp	xmrig
behavioral1/files/0x00060000000197f8-53.dat	xmrig
behavioral1/files/0x0008000000019615-48.dat	xmrig
behavioral1/memory/2672-43-0x000000013FEB0000-0x00000001401FD000-memory.dmp	xmrig
behavioral1/files/0x0006000000019611-42.dat	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2016	dVCNJWr.exe
1936	pLPWqkM.exe
2248	zQyOULL.exe
2876	cPUByDd.exe
2820	hXEnftc.exe
2808	OduYzXR.exe
2672	oLtmcvw.exe
2848	SeBgOnw.exe
2568	ziHUScA.exe
2660	AbKalcD.exe
2556	wWzKrhu.exe
2620	cxGxSKA.exe
2596	DqOXCCr.exe
1716	FMQAwZu.exe
1732	VEhWwET.exe
2888	WsqidaE.exe
532	IGhohDN.exe
2900	eCepNCI.exe
2636	PjbCIIo.exe
2796	vmDqAZx.exe
2108	HhpXpKj.exe

Loads dropped DLL 21 IoCs

pid	Process
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\cPUByDd.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cxGxSKA.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IGhohDN.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eCepNCI.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vmDqAZx.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HhpXpKj.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pLPWqkM.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ziHUScA.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AbKalcD.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DqOXCCr.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WsqidaE.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oLtmcvw.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OduYzXR.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SeBgOnw.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wWzKrhu.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FMQAwZu.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PjbCIIo.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hXEnftc.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zQyOULL.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VEhWwET.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dVCNJWr.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2016	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1632 wrote to memory of 2016	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1632 wrote to memory of 2016	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1632 wrote to memory of 1936	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1632 wrote to memory of 1936	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1632 wrote to memory of 1936	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1632 wrote to memory of 2248	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1632 wrote to memory of 2248	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1632 wrote to memory of 2248	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1632 wrote to memory of 2876	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1632 wrote to memory of 2876	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1632 wrote to memory of 2876	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1632 wrote to memory of 2820	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1632 wrote to memory of 2820	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1632 wrote to memory of 2820	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1632 wrote to memory of 2808	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1632 wrote to memory of 2808	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1632 wrote to memory of 2808	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1632 wrote to memory of 2672	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1632 wrote to memory of 2672	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1632 wrote to memory of 2672	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1632 wrote to memory of 2848	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1632 wrote to memory of 2848	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1632 wrote to memory of 2848	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1632 wrote to memory of 2568	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1632 wrote to memory of 2568	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1632 wrote to memory of 2568	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1632 wrote to memory of 2660	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1632 wrote to memory of 2660	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1632 wrote to memory of 2660	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1632 wrote to memory of 2556	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1632 wrote to memory of 2556	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1632 wrote to memory of 2556	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1632 wrote to memory of 2620	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1632 wrote to memory of 2620	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1632 wrote to memory of 2620	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1632 wrote to memory of 2596	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1632 wrote to memory of 2596	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1632 wrote to memory of 2596	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1632 wrote to memory of 1716	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1632 wrote to memory of 1716	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1632 wrote to memory of 1716	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1632 wrote to memory of 1732	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1632 wrote to memory of 1732	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1632 wrote to memory of 1732	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1632 wrote to memory of 2888	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1632 wrote to memory of 2888	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1632 wrote to memory of 2888	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1632 wrote to memory of 532	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1632 wrote to memory of 532	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1632 wrote to memory of 532	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1632 wrote to memory of 2900	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1632 wrote to memory of 2900	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1632 wrote to memory of 2900	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1632 wrote to memory of 2636	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1632 wrote to memory of 2636	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1632 wrote to memory of 2636	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1632 wrote to memory of 2796	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1632 wrote to memory of 2796	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1632 wrote to memory of 2796	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1632 wrote to memory of 2108	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 1632 wrote to memory of 2108	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 1632 wrote to memory of 2108	1632	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\System\dVCNJWr.exe
  C:\Windows\System\dVCNJWr.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\pLPWqkM.exe
  C:\Windows\System\pLPWqkM.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\zQyOULL.exe
  C:\Windows\System\zQyOULL.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System\cPUByDd.exe
  C:\Windows\System\cPUByDd.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\hXEnftc.exe
  C:\Windows\System\hXEnftc.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\OduYzXR.exe
  C:\Windows\System\OduYzXR.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\oLtmcvw.exe
  C:\Windows\System\oLtmcvw.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\SeBgOnw.exe
  C:\Windows\System\SeBgOnw.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\ziHUScA.exe
  C:\Windows\System\ziHUScA.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\AbKalcD.exe
  C:\Windows\System\AbKalcD.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\wWzKrhu.exe
  C:\Windows\System\wWzKrhu.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\cxGxSKA.exe
  C:\Windows\System\cxGxSKA.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\DqOXCCr.exe
  C:\Windows\System\DqOXCCr.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\FMQAwZu.exe
  C:\Windows\System\FMQAwZu.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\VEhWwET.exe
  C:\Windows\System\VEhWwET.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\WsqidaE.exe
  C:\Windows\System\WsqidaE.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\IGhohDN.exe
  C:\Windows\System\IGhohDN.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\eCepNCI.exe
  C:\Windows\System\eCepNCI.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\PjbCIIo.exe
  C:\Windows\System\PjbCIIo.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\vmDqAZx.exe
  C:\Windows\System\vmDqAZx.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\HhpXpKj.exe
  C:\Windows\System\HhpXpKj.exe
  2⤵
  - Executes dropped EXE
  PID:2108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AbKalcD.exe

Filesize
5.7MB

MD5
9b8622e0645e86cf32d1405c50f5b1f2

SHA1
f47d31484f69c10856ef5d170a2699f9ce1e42df

SHA256
95b2fe84e768b1149a8a36f4aa495fa3122951c92455e14b659e36467334a740

SHA512
76505b908b949867a4c472c5af923bc4ec5045fc71581013d20cad29085e54dcfb1c43aab0facf48c9bc8b6956f4461b402552b7b52265991e5794e910dc3b80

Download Submit
C:\Windows\system\DqOXCCr.exe

Filesize
5.7MB

MD5
3fa0c1d01e49252ead4cdcc6da152b7e

SHA1
55bda4874d881d93d40d3ea0a4ea75d36fa31098

SHA256
47d5ff6e33a3ac3531c49e8f3a974f6d86820dac1ea845185365e4f9a7cbddc4

SHA512
b27b9c6b5526b4ff99d6192275d352b797f869afa46f1d9ca1fc92f3c431c65a28aab1f7938046fd8e14454f66058f97fbc8f784d52a80a109e16bcbb58b63f2

Download Submit
C:\Windows\system\FMQAwZu.exe

Filesize
5.7MB

MD5
3c1854e18fd769e31406d25495189da5

SHA1
955d420ee2c654ac7320cd708f6e1c3ed4c4cb56

SHA256
ef228aeef95a9d812ba4690df864aabc822a119c7ec33cccdb03829520861f92

SHA512
b59076b4f3d23395bc44bdc1e5f3fd8405d81a8fa335fbe0676f65b6c7aaf0bc52d902b291f4dd3dd19cee5744f05cc52a8b980635f88711256f1dbfcf521328

Download Submit
C:\Windows\system\IGhohDN.exe

Filesize
5.7MB

MD5
20e112fd450b95a23c699909139e3f92

SHA1
47c170e55a696ba1330f26442e6672c0b5b36e43

SHA256
71cf590015e3b4b64070191bb9776b9d8b8663255062e871b4675447bc91be19

SHA512
a196e671a79e87b827b1f61af3e80f6d9bca83960d1d95c44f133ae530b90719bf151da6d615acf11d62d6c0c35e2af37d7927a3d65c81e5640a3d83668fe952

Download Submit
C:\Windows\system\OduYzXR.exe

Filesize
5.7MB

MD5
bb628acef735cd8eab223b5205ba1de9

SHA1
d8f7bb0677f9c179b3b3aa476a7420a491cb3525

SHA256
c4eb002d8c5b638dd431b406712c5dcaa06ec3dc0b01c1cfc3a0574dda67c53b

SHA512
3c5de3fcd76e262d14a3c2d4d67d145f1341254d8683c9d2b2ac9a09d9eeeebd0ccae5ad8831b453ad66865d1bcb6f9de17eff6a355787be3e3b890f6d08ee1a

Download Submit
C:\Windows\system\PjbCIIo.exe

Filesize
5.7MB

MD5
80b62a409c1ba3141dc84dd6785bcd21

SHA1
8499afb6095b154a6db58bf82d3178892a8fa656

SHA256
9932221057895497a1b3c2f42b7646d86d84bb582f4aa57522b38e4ef2f2d797

SHA512
1140337f3327f4ca585c698863626a17531baa057ddbcfdc4cf21be8947dd87322706c87c397f5ee32b2b53244cca2692ab3c1c9285f6600c5872c22f1d2281c

Download Submit
C:\Windows\system\SeBgOnw.exe

Filesize
5.7MB

MD5
e42d50c4b560d4d5bd7296c7f033bd0d

SHA1
39712aae90c04c32d95e746549fe7fdb3a93e5c6

SHA256
fb7c4fe252bce5b44ae30aa5acf6b3732d1b8e58147afde937ec0afb552ec304

SHA512
a95273b484e91d708733abe33862805c152ba9258c482146cbd1b6465f7f7c7e79a5af8595d031446c232a053cb418978108dad26bc53c5f080c57efb7c57633

Download Submit
C:\Windows\system\VEhWwET.exe

Filesize
5.7MB

MD5
1d51d65b4b7fe08452814b25c445ea38

SHA1
827fe1e7e8ed7c431d04c01c51b52ebac518fe1b

SHA256
ee80e2ae32be64cd7595ba0c2458095c162e91233f36fb27185eef31dc8b50e2

SHA512
a0d8879f89628d2fcf23a39bdae5cbc3048df26629ab0b7b34fca8351072206b53970169bcc0cc161d2450302388630a7a52f12235a7e1f8a503d7a900edf788

Download Submit
C:\Windows\system\WsqidaE.exe

Filesize
5.7MB

MD5
f54834ac0548142737469f39a6edec6b

SHA1
1bbcb528b5aa889fc3d4af5c411e616c0c11fdd5

SHA256
c7712657593ccbca7d4c16284b0bab81fb4c4a4b63b4ba12e254c55b10e342f7

SHA512
815f0f23c02e968c62e65ea567b5de25acb09c7c6e73c2d263f99aebebe9bb629045a2d624b92efbe52eb2ea0ca4de4bd91f55ede74bb78d4cd9e533a2a02734

Download Submit
C:\Windows\system\cxGxSKA.exe

Filesize
5.7MB

MD5
34cf4f7f0da9ed9550eae1de07d40a90

SHA1
52250378770d008a586bfd090f048e045cc0e5af

SHA256
fe05bb3300c551bfc19bc45651ff362cdeb0e0c47475ba68ce35be3c89502d43

SHA512
a8f326e1c15850dc750f5658ae6e5e23723a426b1b9f02d332d822ad880507e845bfb2f92efd27cfbf9baac88ec3d43a760a5afda17d1c971abc171e2dd34135

Download Submit
C:\Windows\system\eCepNCI.exe

Filesize
5.7MB

MD5
9042ca8fe42a844e79a9685f7a855536

SHA1
5b760e334825d6a9d801013c38e4b9ed1962b06f

SHA256
6131b835f67247381f9767f5f23bfcb9ab839db8d73c18d0d47db0f540cbd81b

SHA512
69fb8a15b0428afe34a347811595d777e3428ae6032a925c673de2cd7d11887137743a305810dc3f9bd5cc5727ecd7d50630d91ecfc7fbec39039151b3816607

Download Submit
C:\Windows\system\hXEnftc.exe

Filesize
5.7MB

MD5
3319e0f49f28e2dbdebd811e592cf4f7

SHA1
43ac3e498423c050687d36ffa49ac9a745437ce0

SHA256
a4ea8a2ca6ba5082cc26f04c28ddc1e74086d701c241c5b6b8d879d9c5b24c2b

SHA512
a6d3d9f2b688f3a85e44c78eaa7c8404a8b1dc11198623ea91496cd988df9dfca963086b13de97089634ae5d310d1d0958ef250b227be7f88091d5a97849e5ee

Download Submit
C:\Windows\system\oLtmcvw.exe

Filesize
5.7MB

MD5
2b66d5052466b4753d4e2ede897721ce

SHA1
82aeea8bd9d821b0746cbf6e98f2b5f90b4c22bd

SHA256
a4f3196c48b9a8d32e72dbef89a225732cd55c3a6f07ae83ba62f0788ac332c3

SHA512
3a76abcd060175186550588c3ab3fd21dba80a3901b1314d017e6cbff23e72b8293bb246a5492ecb7685d98cecfefd550418b1423738850e45c459693ec38d3f

Download Submit
C:\Windows\system\vmDqAZx.exe

Filesize
5.7MB

MD5
331a2e6a2930c4f5e86e896bfb0d6c27

SHA1
25d4a5118052e3c09eb26185a5ccb52cf759c936

SHA256
18eabcd6c39f14868a206c9db798c571954eb44b7739c658e1aad7438e7cac86

SHA512
5b15a1e62cf40a0cc9e044ad7b7476664e4a95b576e1a8b562441d4ccd054fd69cd4ac87583666e03896e9ffea699c6261c1f0657b355fab6137dcbd4f79f457

Download Submit
C:\Windows\system\wWzKrhu.exe

Filesize
5.7MB

MD5
7725c2417800f50d5057f87cb76be982

SHA1
d8ec7b87b824b0f1949d08b349c75b5f20feb1cc

SHA256
41fcecca2f86b3bddfa42618b61085bbd24ad588bc0fb7787eb6748c07b43005

SHA512
9048576d90b7e59b7299265b02ac7290bdb9f58d716020a2613c72e5190a407b8e953640869a9de71dccba5c3614c941073fa4c05cf0ca4597b70bee4dddd2ca

Download Submit
C:\Windows\system\zQyOULL.exe

Filesize
5.7MB

MD5
e0f371bd43963cad036cb5e678fc235a

SHA1
eccbaa4dff01d192c6da55d2a1e29318f7a11b19

SHA256
81e046a282f53b6183481bfed90b89dc24cb3670e3340c2333e3af76eab39f2e

SHA512
ebef31a69465d510bd0128fd48a930536a26e5ddecda92a77e694de1026f7ce5c07abaf64f40c80ebc366abf9a67b146424942e4e33cdaf70be50b2092249463

Download Submit
C:\Windows\system\ziHUScA.exe

Filesize
5.7MB

MD5
9b7f564c79bd912e7b485d027d279be8

SHA1
4a2c4e0ef3f831347b59089a9d5c167dba2c2b25

SHA256
b02b1e4b74d76d8d4699032943debf93dc5447404cb901a6247ad766efaf4345

SHA512
c1219c119aaf90259e8481cc8d961bdaa542b0f794c1d3e7ae4ee41345712ce1bfa98129546263c47441c316a2fe90d55aca2a3091a04a87d2fbc0b14dcf6159

Download Submit
\Windows\system\HhpXpKj.exe

Filesize
5.7MB

MD5
983d2732bb4ceb28a6b55a4180cf8a27

SHA1
c97e4f065ec32d9050a81fb86625f4616dfc85b8

SHA256
75561c7306b1a969897454cb9c51c442bff311837f31ac01eb1bdb048eea9155

SHA512
fadd2f62a846ad7dbd4aad6809a96bd593115ad25cad23a6669b3f7f001822f4e1b77e2670f1240438cfa5e495bff9f70fc1032dbf4fc364becd24d33974a0a3

Download Submit
\Windows\system\cPUByDd.exe

Filesize
5.7MB

MD5
d7c15c07be201a7fdd7c2b67bb436931

SHA1
2fb1bc2e2ee59283fa488e67bc3481bd3e5b41c8

SHA256
22eb39b69a612bbae6b999b59ec6be13a260877e4bc7db9239a97ffbae957a47

SHA512
b9ed7613270b968f01e6de7be9c68090999425c698c7b2a05a77bb08e714e28a43486143ffb0f2dfcad4ab4deedfdbdb4e85e80b2fb9c6cd2439a87571d54f7e

Download Submit
\Windows\system\dVCNJWr.exe

Filesize
5.7MB

MD5
29ea93a4b262887d13e0051a5acdde2b

SHA1
ced59a968e3921539706432b97a2107bb3b9631d

SHA256
10a7b3b2eb85a380d20cd345a3e7a8195fc52338c64a0a2b12cae30d12f0a39d

SHA512
8c5d47e3033261e05485d375f1c49692a068f844597383d6eeb1a7edbb506fa7adc4dfecead92c012ac503fa2104d1878a3518aa6b130afbfd4c64981261b298

Download Submit
\Windows\system\pLPWqkM.exe

Filesize
5.7MB

MD5
1e540a62496fb202d37173f1c2811bba

SHA1
1539de620c1694cf5d027484285904df2ccee859

SHA256
3579cddd0f6c083df0cf38468bde757b90ef751428df3f8cac07c95eb68e7d43

SHA512
adf4487d0fe4ae9e467bce99d8c275c09ebf479ab84779b864827855b6bba525c6f892c5e81ddbb950e288fd13f2ee78d546b66c8b26edf1001e5e60b98c3929

Download Submit
memory/1632-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1632-0-0x000000013F240000-0x000000013F58D000-memory.dmp

Filesize
3.3MB

Download
memory/1716-85-0x000000013FDF0000-0x000000014013D000-memory.dmp

Filesize
3.3MB

Download
memory/1732-91-0x000000013F550000-0x000000013F89D000-memory.dmp

Filesize
3.3MB

Download
memory/1936-11-0x000000013FCF0000-0x000000014003D000-memory.dmp

Filesize
3.3MB

Download
memory/2016-12-0x000000013FF80000-0x00000001402CD000-memory.dmp

Filesize
3.3MB

Download
memory/2108-126-0x000000013FF90000-0x00000001402DD000-memory.dmp

Filesize
3.3MB

Download
memory/2248-25-0x000000013F470000-0x000000013F7BD000-memory.dmp

Filesize
3.3MB

Download
memory/2556-67-0x000000013F3B0000-0x000000013F6FD000-memory.dmp

Filesize
3.3MB

Download
memory/2568-55-0x000000013F900000-0x000000013FC4D000-memory.dmp

Filesize
3.3MB

Download
memory/2596-79-0x000000013F640000-0x000000013F98D000-memory.dmp

Filesize
3.3MB

Download
memory/2620-73-0x000000013F940000-0x000000013FC8D000-memory.dmp

Filesize
3.3MB

Download
memory/2636-115-0x000000013FB50000-0x000000013FE9D000-memory.dmp

Filesize
3.3MB

Download
memory/2660-61-0x000000013F8E0000-0x000000013FC2D000-memory.dmp

Filesize
3.3MB

Download
memory/2672-43-0x000000013FEB0000-0x00000001401FD000-memory.dmp

Filesize
3.3MB

Download
memory/2796-121-0x000000013FD70000-0x00000001400BD000-memory.dmp

Filesize
3.3MB

Download
memory/2808-37-0x000000013F520000-0x000000013F86D000-memory.dmp

Filesize
3.3MB

Download
memory/2820-31-0x000000013FD30000-0x000000014007D000-memory.dmp

Filesize
3.3MB

Download
memory/2848-49-0x000000013F510000-0x000000013F85D000-memory.dmp

Filesize
3.3MB

Download
memory/2876-23-0x000000013F840000-0x000000013FB8D000-memory.dmp

Filesize
3.3MB

Download
memory/2888-97-0x000000013FE10000-0x000000014015D000-memory.dmp

Filesize
3.3MB

Download
memory/2900-108-0x000000013FCD0000-0x000000014001D000-memory.dmp

Filesize
3.3MB

Download