cobaltstrike | 00ad4c05113c91181511e676c2779a74c1b83ab02b37241dd1022f5714a64ec7

Analysis

max time kernel
135s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

df98cb3e1d8ee0d90bce51b6bf2748c0
SHA1

db4eb0af961d30388f61094a2bf1bf952c6dcbea
SHA256

00ad4c05113c91181511e676c2779a74c1b83ab02b37241dd1022f5714a64ec7
SHA512

27f9b4e332320a8c2dda3c40433e8df806f5e75a8a4d070166adfe2596a5ed6176fccfecaa01ec30ff7ccc887fcfbc5b70393a5d4ddc19da8b7603dc45362289
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUo:j+R56utgpPF8u/7o

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0005000000018696-99.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001757f-91.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000174a6-80.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001746a-72.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016ac1-66.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017400-62.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c8c-52.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018697-105.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015f96-42.dat	cobalt_reflective_dll
behavioral1/files/0x0015000000018676-104.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000174c3-88.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017488-79.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017403-69.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001686c-35.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173f3-58.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016c73-50.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000164db-24.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016645-28.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016334-16.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016210-11.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000012117-5.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral1/memory/628-121-0x000000013F190000-0x000000013F4DD000-memory.dmp	xmrig
behavioral1/memory/2532-120-0x000000013F880000-0x000000013FBCD000-memory.dmp	xmrig
behavioral1/memory/2652-119-0x000000013FE50000-0x000000014019D000-memory.dmp	xmrig
behavioral1/memory/2696-118-0x000000013FF60000-0x00000001402AD000-memory.dmp	xmrig
behavioral1/memory/2700-117-0x000000013F370000-0x000000013F6BD000-memory.dmp	xmrig
behavioral1/memory/2720-116-0x000000013F240000-0x000000013F58D000-memory.dmp	xmrig
behavioral1/memory/1852-113-0x000000013FA30000-0x000000013FD7D000-memory.dmp	xmrig
behavioral1/memory/2964-112-0x000000013F460000-0x000000013F7AD000-memory.dmp	xmrig
behavioral1/files/0x0005000000018696-99.dat	xmrig
behavioral1/files/0x000600000001757f-91.dat	xmrig
behavioral1/memory/2828-83-0x000000013F040000-0x000000013F38D000-memory.dmp	xmrig
behavioral1/files/0x00060000000174a6-80.dat	xmrig
behavioral1/memory/2168-74-0x000000013F9C0000-0x000000013FD0D000-memory.dmp	xmrig
behavioral1/files/0x000600000001746a-72.dat	xmrig
behavioral1/files/0x0007000000016ac1-66.dat	xmrig
behavioral1/files/0x0006000000017400-62.dat	xmrig
behavioral1/files/0x0008000000016c8c-52.dat	xmrig
behavioral1/files/0x0005000000018697-105.dat	xmrig
behavioral1/files/0x0009000000015f96-42.dat	xmrig
behavioral1/memory/3040-40-0x000000013F8B0000-0x000000013FBFD000-memory.dmp	xmrig
behavioral1/files/0x0015000000018676-104.dat	xmrig
behavioral1/memory/2484-90-0x000000013F790000-0x000000013FADD000-memory.dmp	xmrig
behavioral1/files/0x00060000000174c3-88.dat	xmrig
behavioral1/files/0x0006000000017488-79.dat	xmrig
behavioral1/memory/2856-71-0x000000013F690000-0x000000013F9DD000-memory.dmp	xmrig
behavioral1/files/0x0006000000017403-69.dat	xmrig
behavioral1/files/0x000700000001686c-35.dat	xmrig
behavioral1/memory/2744-59-0x000000013FBA0000-0x000000013FEED000-memory.dmp	xmrig
behavioral1/files/0x00060000000173f3-58.dat	xmrig
behavioral1/memory/3060-51-0x000000013FCD0000-0x000000014001D000-memory.dmp	xmrig
behavioral1/files/0x0009000000016c73-50.dat	xmrig
behavioral1/memory/2940-45-0x000000013F020000-0x000000013F36D000-memory.dmp	xmrig
behavioral1/files/0x00080000000164db-24.dat	xmrig
behavioral1/memory/2400-31-0x000000013F420000-0x000000013F76D000-memory.dmp	xmrig
behavioral1/memory/2912-29-0x000000013FA70000-0x000000013FDBD000-memory.dmp	xmrig
behavioral1/files/0x0007000000016645-28.dat	xmrig
behavioral1/memory/1728-18-0x000000013FD20000-0x000000014006D000-memory.dmp	xmrig
behavioral1/memory/1612-17-0x000000013F200000-0x000000013F54D000-memory.dmp	xmrig
behavioral1/files/0x0008000000016334-16.dat	xmrig
behavioral1/files/0x0008000000016210-11.dat	xmrig
behavioral1/memory/2452-7-0x000000013F8E0000-0x000000013FC2D000-memory.dmp	xmrig
behavioral1/files/0x0008000000012117-5.dat	xmrig
behavioral1/memory/1016-0-0x000000013FDB0000-0x00000001400FD000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2452	RngyYvK.exe
1612	EXNnZRS.exe
1728	XWVfCDm.exe
2400	GjpbcbM.exe
2912	qQAJiqf.exe
3040	EDYAhrF.exe
2940	NVljFso.exe
3060	EcxWgHB.exe
2744	XEcWiqM.exe
2856	YnrgbIu.exe
2168	rnizKoE.exe
2828	FheeTUa.exe
2484	uhfKGEn.exe
2964	uoaBGuo.exe
1852	GISTZsN.exe
2720	oEullQt.exe
2700	kvMWIUM.exe
2696	qWLKVpu.exe
2652	MBeSKeX.exe
2532	ObIyzqi.exe
628	cXvDTIj.exe

Loads dropped DLL 21 IoCs

pid	Process
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\NVljFso.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YnrgbIu.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rnizKoE.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ObIyzqi.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uoaBGuo.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GjpbcbM.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qQAJiqf.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XEcWiqM.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kvMWIUM.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MBeSKeX.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uhfKGEn.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GISTZsN.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EXNnZRS.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XWVfCDm.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EDYAhrF.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oEullQt.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RngyYvK.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EcxWgHB.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qWLKVpu.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FheeTUa.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cXvDTIj.exe	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2452	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	29
PID 1016 wrote to memory of 2452	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	29
PID 1016 wrote to memory of 2452	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	29
PID 1016 wrote to memory of 1612	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 1016 wrote to memory of 1612	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 1016 wrote to memory of 1612	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 1016 wrote to memory of 1728	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1016 wrote to memory of 1728	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1016 wrote to memory of 1728	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1016 wrote to memory of 2400	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1016 wrote to memory of 2400	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1016 wrote to memory of 2400	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1016 wrote to memory of 2912	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1016 wrote to memory of 2912	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1016 wrote to memory of 2912	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1016 wrote to memory of 3040	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1016 wrote to memory of 3040	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1016 wrote to memory of 3040	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1016 wrote to memory of 2940	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1016 wrote to memory of 2940	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1016 wrote to memory of 2940	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1016 wrote to memory of 2856	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1016 wrote to memory of 2856	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1016 wrote to memory of 2856	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1016 wrote to memory of 3060	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1016 wrote to memory of 3060	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1016 wrote to memory of 3060	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1016 wrote to memory of 2720	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1016 wrote to memory of 2720	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1016 wrote to memory of 2720	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1016 wrote to memory of 2744	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1016 wrote to memory of 2744	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1016 wrote to memory of 2744	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1016 wrote to memory of 2700	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1016 wrote to memory of 2700	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1016 wrote to memory of 2700	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1016 wrote to memory of 2168	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1016 wrote to memory of 2168	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1016 wrote to memory of 2168	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1016 wrote to memory of 2696	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1016 wrote to memory of 2696	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1016 wrote to memory of 2696	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1016 wrote to memory of 2828	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1016 wrote to memory of 2828	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1016 wrote to memory of 2828	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1016 wrote to memory of 2652	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1016 wrote to memory of 2652	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1016 wrote to memory of 2652	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1016 wrote to memory of 2484	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1016 wrote to memory of 2484	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1016 wrote to memory of 2484	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1016 wrote to memory of 2532	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1016 wrote to memory of 2532	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1016 wrote to memory of 2532	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1016 wrote to memory of 2964	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1016 wrote to memory of 2964	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1016 wrote to memory of 2964	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1016 wrote to memory of 628	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1016 wrote to memory of 628	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1016 wrote to memory of 628	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1016 wrote to memory of 1852	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1016 wrote to memory of 1852	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1016 wrote to memory of 1852	1016	2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe	49

C:\Users\Admin\AppData\Local\Temp\2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-25_df98cb3e1d8ee0d90bce51b6bf2748c0_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\System\RngyYvK.exe
  C:\Windows\System\RngyYvK.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\EXNnZRS.exe
  C:\Windows\System\EXNnZRS.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\XWVfCDm.exe
  C:\Windows\System\XWVfCDm.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\GjpbcbM.exe
  C:\Windows\System\GjpbcbM.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\qQAJiqf.exe
  C:\Windows\System\qQAJiqf.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\EDYAhrF.exe
  C:\Windows\System\EDYAhrF.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\NVljFso.exe
  C:\Windows\System\NVljFso.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\YnrgbIu.exe
  C:\Windows\System\YnrgbIu.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\EcxWgHB.exe
  C:\Windows\System\EcxWgHB.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\oEullQt.exe
  C:\Windows\System\oEullQt.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\XEcWiqM.exe
  C:\Windows\System\XEcWiqM.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\kvMWIUM.exe
  C:\Windows\System\kvMWIUM.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\rnizKoE.exe
  C:\Windows\System\rnizKoE.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\qWLKVpu.exe
  C:\Windows\System\qWLKVpu.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\FheeTUa.exe
  C:\Windows\System\FheeTUa.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\MBeSKeX.exe
  C:\Windows\System\MBeSKeX.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\uhfKGEn.exe
  C:\Windows\System\uhfKGEn.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\ObIyzqi.exe
  C:\Windows\System\ObIyzqi.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\uoaBGuo.exe
  C:\Windows\System\uoaBGuo.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\cXvDTIj.exe
  C:\Windows\System\cXvDTIj.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\GISTZsN.exe
  C:\Windows\System\GISTZsN.exe
  2⤵
  - Executes dropped EXE
  PID:1852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\EDYAhrF.exe

Filesize
5.7MB

MD5
2d017250d41c868211b0d2c922331f1b

SHA1
a4045deaaaceacd0ef907fcef9c510e147ab40a0

SHA256
6e9bef060e42f4bad10a8bc67c95e1f13e9149a98b1a1a270e82c1bfb16f50dc

SHA512
82ead2b11e024e1e59f7d6b898e48e91b983168a159f3aa17b91dbeb631c3652cce93b6f4adc201d5bae438646d1cfa9e9623eeb9994a6668ccaae4aff5d4789

Download Submit
C:\Windows\system\EXNnZRS.exe

Filesize
5.7MB

MD5
cc36e122a5d799d2c52dc1896ecdb819

SHA1
32079d2e872ff6eacd9cf48a5865bedc40630a89

SHA256
def70b59f434aca2df61cea80718e5853b683600c171e9518b1114d4875146e6

SHA512
8424ddfde48acce706f03d17f8ef541063d4d94336599ae080a2e7ba79ce5798662c9f0a2029d9f91ecb1ff8f1723e548a90cf55ef86cbcc7ecf0c14be3c5b16

Download Submit
C:\Windows\system\EcxWgHB.exe

Filesize
5.7MB

MD5
0200632efe3b74198cbd10971db0b25e

SHA1
9f6cfb052294a98b9d19f30e1e4029ab35a653f4

SHA256
5c4dd9b0c0c98d362ac5df55ea1c5ce202116bda1706aaf9d271a662a8052921

SHA512
7adfa28a764c2ca1d79673ffc1c94cf5ae3e369f0086c2c44e67b122b18028fb223429a63bd0ecd0a3214f9001b4c5d6df885d7d7a250458ff2adefa306a9c73

Download Submit
C:\Windows\system\FheeTUa.exe

Filesize
5.7MB

MD5
8ee1fa1abb86fb1244769cfd30648b1a

SHA1
86656f59b0a39c26925c406d81878e344af95e6e

SHA256
6cb42caa35e2276a1ec6e643cc3ee1f2b106403fa55520840b7e1858b1712c2f

SHA512
8bb02391d189de6d10ee27a924ce5e31331a3e3a2e6e28eec97248b7d02a959bf70c164a70246e83a9786a35fa8e3bf352671c9d7fd4205e57a41953c9bd077f

Download Submit
C:\Windows\system\GISTZsN.exe

Filesize
5.7MB

MD5
9b1f610e5a479f18651d5bbf0819c4f9

SHA1
71be2aadb94a09d1b9303339b8dc1a3a53b5cf41

SHA256
65e8f1bbd46928710bb2904829ca023aad762f7f2c229227686668dd593f49c5

SHA512
2132752cde567d493854d039039b3d956aee9c388fe42c88c17711e1e7dd134d252c9d3a9109fc3f00476e80f70fb6f7f4db7c394336184106bd7e85bf308610

Download Submit
C:\Windows\system\GjpbcbM.exe

Filesize
5.7MB

MD5
60ff8bbaa7195e5e978b7a764db3f92f

SHA1
6ec26201523e294360da9cec21d3e99ad9f70f06

SHA256
c7ee54b07b6c220ccb9edde166295cee14cee261bac9b85a869d19d32a3db03f

SHA512
5e2f4db11324c4884194c372e13e691a19a581b44f357c36e427a96de9ab780d8cf395fedbcdedf77b65c748d03ec3749aa3cdd3597957d822941d053538a0b0

Download Submit
C:\Windows\system\NVljFso.exe

Filesize
5.7MB

MD5
a1a6d555f7f07e907abff6484615b962

SHA1
b48ac650ecf91b1377f0b488f44e8108b0de9802

SHA256
f62bff1f18dd8a7334aa92ed152964be55b658b961e99c37f32e73c2aabde499

SHA512
bd994118ca13850077e2590a32b9336ccc4d437b5be334141ab4bf1e0e89686b8c31118385d96fa47c9296f7792528f32d257cf6da9662767ac629c3d19eda87

Download Submit
C:\Windows\system\RngyYvK.exe

Filesize
5.7MB

MD5
a1b72c8cd82c9f9ef728e81031713697

SHA1
8755dda1defa1535e64e018c43811e097c62bb48

SHA256
4a8506167992e1b1c78430aa5c6a79305a50e53bf998ff0bfae990132f5f4f82

SHA512
e0a24fa0a83d7cf92ce7d63e99aa92435c97b997286bcaa6c86ea46ed7b1b3c72bef3b54819336d44cb26b63239dff9bb6a51ec9d18d97aa4252a8784c7a51e6

Download Submit
C:\Windows\system\XEcWiqM.exe

Filesize
5.7MB

MD5
a197f1dd54d7f543686ec82d610720f5

SHA1
9ac7f41753c24d4e2334f1c313a0832f4161767a

SHA256
6f4ac005113754046896d4d70e4f45f987edf28865f04f8bf99e4be6717f78d3

SHA512
c59c705e25a330e8534f81eeb213fdc9c0d5e4550638622a22ab2ec7114f2fa27b6d4d72abc8ccbc9d1a461731165700c05c40016e730f6323d97b7240b22a84

Download Submit
C:\Windows\system\XWVfCDm.exe

Filesize
5.7MB

MD5
cbe37ebdfdcefa760edfa402d9e552a7

SHA1
c4d892a5fe4edbfba134966f1e71796597e02ccc

SHA256
200eb8f042827940101575742f02560d84593a457efa1ce4061063a76293fb44

SHA512
0d83299b9c7e96406494066d2a1ad9b15c42f4039f0faf455ea09d757b71e0e3b80a4f8c3572d11a3d98e8c49802cf010e4418c9c2e7db4890b8ce75761ce864

Download Submit
C:\Windows\system\YnrgbIu.exe

Filesize
5.7MB

MD5
513c46181d6ab827df113017434e52c3

SHA1
5d2869fc2a84d0e02e1b5561d60dd1e66981d5bf

SHA256
5a04e7872a1afd402545b91ab4d7edb4b640590ccfdccdd9a65d999d9b94c9aa

SHA512
aa97959551564fb626a5b4763a455110c238a6386c66efac24cb63c522de0f8a6eafd5cb698de0c76d3e7e9251a59db57ce2cd41bcdcf9e0be0d5d8c7d912c55

Download Submit
C:\Windows\system\qQAJiqf.exe

Filesize
5.7MB

MD5
89992e1957a61ffa694ad3bfb8a96520

SHA1
eaedd904c0814918589609a6f3929dff54fdd2e7

SHA256
dd0349fe8d9d4e6cb928faabbc8492b275ac6ae789d04a83bcb8bf9d4cfea290

SHA512
2e2b0fae07397c620aefca81fd2940a59bd4b8b25e136a42e4aa2b5b5e0060fc48a5ba3250b7db5bd82b005688914e8efe01a1ee9ba72099315473c0bfd941f7

Download Submit
C:\Windows\system\rnizKoE.exe

Filesize
5.7MB

MD5
5d93b7b56ce1670fff115e4468e413b3

SHA1
17ce2c17e33bf40d92a1713bf0c137841cb50f23

SHA256
d8cded2adf64c9094d40c4945260ce45cadf6d485c590bdad38484072c39c0ba

SHA512
bd3baba2309d8f33e50b5088c176af9203ffd4435e5fcb9d323cb0eb38d05b0e973fad34e144395624c046bcc9091ecbd8b3eccf0d7959ba374bb1ab93eb3d9d

Download Submit
C:\Windows\system\uhfKGEn.exe

Filesize
5.7MB

MD5
cd1827f61d683949c6abdf194a77e429

SHA1
deb516fca6291907ae6c7d9c115b680a543d7770

SHA256
e26a2e4273c7339fb1d2a76770764c7193087c1709600c15a23c446f4793b6f0

SHA512
64b4a4b7efb736774f8244d8c4f711d1f5a8cff834f13bd0b0b2975fc77c7cc3bfbdaad61ec9f067752b560d56a81e306bcd14c1d02665b12017a6910f7ceb13

Download Submit
C:\Windows\system\uoaBGuo.exe

Filesize
5.7MB

MD5
ab0e18fc1cbe85192d8eb618186db43c

SHA1
d26fa0f20231952895c7074496e63a109c397b4f

SHA256
bdd763804b3d294583e4af974659bf7ae5712cdaf9b178cd99d29661163aaa29

SHA512
9eb6c685d1cf6e8d817380687cb70f598384e54b70ade0b1b0a2bf4495f8e54c3de2d38389d4084d5ec20225c32042717776b0e789faf91c6af24c4001fd4d79

Download Submit
\Windows\system\MBeSKeX.exe

Filesize
5.7MB

MD5
0d04b00cce17ef0c2afbc22e211d6623

SHA1
db57fb4c0d304b80022a21436274e40c82b7d18d

SHA256
ccda02543fd2cfed2781ab46a7ea6f9b7d4d2b0ce114369be9d6f54e076a3549

SHA512
3cf2f511caca564c296d1eb57313fead01538fd82ea74be7cb5ac7c0091c150ace4af6a3e5ee069cc83fd7c6e6abd4b32de6befc3c3a404543eb2fc4245fc720

Download Submit
\Windows\system\ObIyzqi.exe

Filesize
5.7MB

MD5
dd3023b3eba01fb8a75ea262efa89c0f

SHA1
b9ab7f5506edacbf0c005d30fbc00b797be62798

SHA256
9aaee551789ac0be95424932aeaed8c08ecbd0c46614f3a70ee2d3ef88f898e8

SHA512
9208dc1048e8495d9770c79ae5e589301527d08bf5a592a08bf2061d9e0a76d294485c34da85f971713cd011e24f81b3b9be678d44e95af409304bf1b56249c6

Download Submit
\Windows\system\cXvDTIj.exe

Filesize
5.7MB

MD5
c70ac0493a31240cd1f20d63a10ab746

SHA1
ba693719d816dbbb231644392c5bec41ba2518c8

SHA256
0c2828a6873e44d2cc2679a43cc58da4b7ca8b8801e6661be525119f4aca38d4

SHA512
10a7935fffb2caf8cda9d29b79aeb766f4b9101632c8ae8336b5acfbd1ecb8b626ab0865ff0d841d61a482681528aeb9eb97b8144df63c5be8f858406424cd27

Download Submit
\Windows\system\kvMWIUM.exe

Filesize
5.7MB

MD5
de7fe16f38a7cb57d9ced01d2f7eedb8

SHA1
f49a077aeff91dde908c339b71abda78de34715c

SHA256
5b8b419b276ae094577d037aa25075d5ba81781b7ce9ed7b8a6baa5a111a1f8d

SHA512
c6fad0279b5d11550e120b77de8cbe8ac815a514c763326fd29fc40c91a1fd15c3529fe27ee5bc4dc568c82ad394e8b2f1ab05c51f4940566b908784f1a5a86d

Download Submit
\Windows\system\oEullQt.exe

Filesize
5.7MB

MD5
8666287f99371ebc2f09c167c27090e5

SHA1
2a218a3dd0c19f0efa0dea87040184bc67b2f75f

SHA256
a46088244aca460bcbb9f9498bb9cc814d214f3484bf4c00e515b280a616075b

SHA512
8ec4a49b46d5f7633221fa578bee396c65a56b2bb8ea76e34d2bc8a965ab4b1baa39b604bd20ce5c16c9c2e4ca723d84afb6f5da01c974581918a52b17a74809

Download Submit
\Windows\system\qWLKVpu.exe

Filesize
5.7MB

MD5
ad533d52325b8713b94646de03635b19

SHA1
14ab8fbcb7a00e67a547eb57aef7425bd22d45e8

SHA256
5ded4074bbadfc505ab7f8d19e955d6ecbabbde6d883a107140c26f6dab1fc52

SHA512
1f291a6688810048dc378e16ec3783c8fa4d0d78c6e12f5eb46303c67412a444b5a5c59cb171d049c70c20e197fcb025ffb3fd241f3c2eb313f45d2470bdac13

Download Submit
memory/628-121-0x000000013F190000-0x000000013F4DD000-memory.dmp

Filesize
3.3MB

Download
memory/1016-0-0x000000013FDB0000-0x00000001400FD000-memory.dmp

Filesize
3.3MB

Download
memory/1016-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1612-17-0x000000013F200000-0x000000013F54D000-memory.dmp

Filesize
3.3MB

Download
memory/1728-18-0x000000013FD20000-0x000000014006D000-memory.dmp

Filesize
3.3MB

Download
memory/1852-113-0x000000013FA30000-0x000000013FD7D000-memory.dmp

Filesize
3.3MB

Download
memory/2168-74-0x000000013F9C0000-0x000000013FD0D000-memory.dmp

Filesize
3.3MB

Download
memory/2400-31-0x000000013F420000-0x000000013F76D000-memory.dmp

Filesize
3.3MB

Download
memory/2452-7-0x000000013F8E0000-0x000000013FC2D000-memory.dmp

Filesize
3.3MB

Download
memory/2484-90-0x000000013F790000-0x000000013FADD000-memory.dmp

Filesize
3.3MB

Download
memory/2532-120-0x000000013F880000-0x000000013FBCD000-memory.dmp

Filesize
3.3MB

Download
memory/2652-119-0x000000013FE50000-0x000000014019D000-memory.dmp

Filesize
3.3MB

Download
memory/2696-118-0x000000013FF60000-0x00000001402AD000-memory.dmp

Filesize
3.3MB

Download
memory/2700-117-0x000000013F370000-0x000000013F6BD000-memory.dmp

Filesize
3.3MB

Download
memory/2720-116-0x000000013F240000-0x000000013F58D000-memory.dmp

Filesize
3.3MB

Download
memory/2744-59-0x000000013FBA0000-0x000000013FEED000-memory.dmp

Filesize
3.3MB

Download
memory/2828-83-0x000000013F040000-0x000000013F38D000-memory.dmp

Filesize
3.3MB

Download
memory/2856-71-0x000000013F690000-0x000000013F9DD000-memory.dmp

Filesize
3.3MB

Download
memory/2912-29-0x000000013FA70000-0x000000013FDBD000-memory.dmp

Filesize
3.3MB

Download
memory/2940-45-0x000000013F020000-0x000000013F36D000-memory.dmp

Filesize
3.3MB

Download
memory/2964-112-0x000000013F460000-0x000000013F7AD000-memory.dmp

Filesize
3.3MB

Download
memory/3040-40-0x000000013F8B0000-0x000000013FBFD000-memory.dmp

Filesize
3.3MB

Download
memory/3060-51-0x000000013FCD0000-0x000000014001D000-memory.dmp

Filesize
3.3MB

Download