cobaltstrike | 77f5872bf8bec8776942b47f8d14bf4120731cae6b580525fc1f0836ec61682e

Analysis

max time kernel
133s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

ad36f9b84524a06fdacaeed214806c8a
SHA1

85ec3f874ac7380511c9a46b45d20e2718f6b686
SHA256

77f5872bf8bec8776942b47f8d14bf4120731cae6b580525fc1f0836ec61682e
SHA512

bfe5bb92d56f5bb6a666ce9f376418679ca65914e2067dc60efd5f4b2ac83a656258cd493180fcbf201f1a8c89721164b09da1430a539a00702675ada1ce5219
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUA:j+R56utgpPF8u/7A

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d000000012276-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000019227-8.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001922c-10.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019261-21.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001926a-29.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019279-35.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000019379-39.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019506-57.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019621-102.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019627-123.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019625-120.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019623-113.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019622-107.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001961d-90.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001961f-95.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195a7-77.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195e6-83.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001952f-64.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001957e-71.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194fc-54.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000194ad-46.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral1/memory/2348-0-0x000000013F020000-0x000000013F36D000-memory.dmp	xmrig
behavioral1/files/0x000d000000012276-3.dat	xmrig
behavioral1/files/0x0008000000019227-8.dat	xmrig
behavioral1/memory/2440-6-0x000000013F2E0000-0x000000013F62D000-memory.dmp	xmrig
behavioral1/memory/1268-13-0x000000013FFD0000-0x000000014031D000-memory.dmp	xmrig
behavioral1/files/0x000700000001922c-10.dat	xmrig
behavioral1/files/0x0006000000019261-21.dat	xmrig
behavioral1/memory/3052-22-0x000000013F8A0000-0x000000013FBED000-memory.dmp	xmrig
behavioral1/memory/2012-25-0x000000013F130000-0x000000013F47D000-memory.dmp	xmrig
behavioral1/files/0x000600000001926a-29.dat	xmrig
behavioral1/memory/2276-31-0x000000013F850000-0x000000013FB9D000-memory.dmp	xmrig
behavioral1/files/0x0006000000019279-35.dat	xmrig
behavioral1/memory/2724-36-0x000000013F7F0000-0x000000013FB3D000-memory.dmp	xmrig
behavioral1/files/0x0007000000019379-39.dat	xmrig
behavioral1/memory/2636-48-0x000000013F220000-0x000000013F56D000-memory.dmp	xmrig
behavioral1/files/0x0005000000019506-57.dat	xmrig
behavioral1/memory/2648-59-0x000000013F1B0000-0x000000013F4FD000-memory.dmp	xmrig
behavioral1/memory/2664-61-0x000000013F620000-0x000000013F96D000-memory.dmp	xmrig
behavioral1/files/0x0005000000019621-102.dat	xmrig
behavioral1/files/0x0005000000019627-123.dat	xmrig
behavioral1/memory/1152-126-0x000000013FF10000-0x000000014025D000-memory.dmp	xmrig
behavioral1/memory/2504-121-0x000000013F240000-0x000000013F58D000-memory.dmp	xmrig
behavioral1/memory/2052-115-0x000000013F570000-0x000000013F8BD000-memory.dmp	xmrig
behavioral1/files/0x0005000000019625-120.dat	xmrig
behavioral1/files/0x0005000000019623-113.dat	xmrig
behavioral1/memory/1252-103-0x000000013F1E0000-0x000000013F52D000-memory.dmp	xmrig
behavioral1/memory/2880-108-0x000000013FF70000-0x00000001402BD000-memory.dmp	xmrig
behavioral1/files/0x0005000000019622-107.dat	xmrig
behavioral1/files/0x000500000001961d-90.dat	xmrig
behavioral1/files/0x000500000001961f-95.dat	xmrig
behavioral1/memory/2604-85-0x000000013F260000-0x000000013F5AD000-memory.dmp	xmrig
behavioral1/memory/2832-79-0x000000013FA00000-0x000000013FD4D000-memory.dmp	xmrig
behavioral1/files/0x00050000000195a7-77.dat	xmrig
behavioral1/files/0x00050000000195e6-83.dat	xmrig
behavioral1/memory/2696-73-0x000000013F940000-0x000000013FC8D000-memory.dmp	xmrig
behavioral1/memory/2752-67-0x000000013F1A0000-0x000000013F4ED000-memory.dmp	xmrig
behavioral1/files/0x000500000001952f-64.dat	xmrig
behavioral1/files/0x000500000001957e-71.dat	xmrig
behavioral1/files/0x00050000000194fc-54.dat	xmrig
behavioral1/memory/2812-44-0x000000013FF40000-0x000000014028D000-memory.dmp	xmrig
behavioral1/files/0x00060000000194ad-46.dat	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2440	GRQKgYM.exe
1268	hGNkFWC.exe
3052	XKUcEFC.exe
2012	vGuNtHh.exe
2276	eNwqRpf.exe
2724	TiotJSv.exe
2812	Rdrrvll.exe
2636	rCKTQgy.exe
2664	oBghxFx.exe
2648	gcCnnug.exe
2752	fsUjbBu.exe
2696	lXQfjQp.exe
2832	hVJzylU.exe
2604	EauAjdd.exe
2584	rzUQNmg.exe
2184	EIYljgo.exe
1252	zvlCJLL.exe
2880	WlYFnGB.exe
2052	JORgnjA.exe
2504	UtwJDfm.exe
1152	lKdnWjP.exe

Loads dropped DLL 21 IoCs

pid	Process
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\hGNkFWC.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vGuNtHh.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rCKTQgy.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oBghxFx.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hVJzylU.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XKUcEFC.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JORgnjA.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lKdnWjP.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zvlCJLL.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GRQKgYM.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eNwqRpf.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gcCnnug.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fsUjbBu.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lXQfjQp.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rzUQNmg.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TiotJSv.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Rdrrvll.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EauAjdd.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EIYljgo.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WlYFnGB.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UtwJDfm.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2440	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2348 wrote to memory of 2440	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2348 wrote to memory of 2440	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2348 wrote to memory of 1268	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2348 wrote to memory of 1268	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2348 wrote to memory of 1268	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2348 wrote to memory of 3052	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2348 wrote to memory of 3052	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2348 wrote to memory of 3052	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2348 wrote to memory of 2012	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2348 wrote to memory of 2012	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2348 wrote to memory of 2012	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2348 wrote to memory of 2276	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2348 wrote to memory of 2276	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2348 wrote to memory of 2276	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2348 wrote to memory of 2724	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2348 wrote to memory of 2724	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2348 wrote to memory of 2724	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2348 wrote to memory of 2812	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2348 wrote to memory of 2812	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2348 wrote to memory of 2812	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2348 wrote to memory of 2636	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2348 wrote to memory of 2636	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2348 wrote to memory of 2636	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2348 wrote to memory of 2664	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2348 wrote to memory of 2664	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2348 wrote to memory of 2664	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2348 wrote to memory of 2648	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2348 wrote to memory of 2648	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2348 wrote to memory of 2648	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2348 wrote to memory of 2752	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2348 wrote to memory of 2752	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2348 wrote to memory of 2752	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2348 wrote to memory of 2696	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2348 wrote to memory of 2696	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2348 wrote to memory of 2696	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2348 wrote to memory of 2832	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2348 wrote to memory of 2832	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2348 wrote to memory of 2832	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2348 wrote to memory of 2604	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2348 wrote to memory of 2604	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2348 wrote to memory of 2604	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2348 wrote to memory of 2584	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2348 wrote to memory of 2584	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2348 wrote to memory of 2584	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2348 wrote to memory of 2184	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2348 wrote to memory of 2184	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2348 wrote to memory of 2184	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2348 wrote to memory of 1252	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2348 wrote to memory of 1252	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2348 wrote to memory of 1252	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2348 wrote to memory of 2880	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2348 wrote to memory of 2880	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2348 wrote to memory of 2880	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2348 wrote to memory of 2052	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2348 wrote to memory of 2052	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2348 wrote to memory of 2052	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2348 wrote to memory of 2504	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2348 wrote to memory of 2504	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2348 wrote to memory of 2504	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2348 wrote to memory of 1152	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2348 wrote to memory of 1152	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2348 wrote to memory of 1152	2348	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\System\GRQKgYM.exe
  C:\Windows\System\GRQKgYM.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\hGNkFWC.exe
  C:\Windows\System\hGNkFWC.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System\XKUcEFC.exe
  C:\Windows\System\XKUcEFC.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\vGuNtHh.exe
  C:\Windows\System\vGuNtHh.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\eNwqRpf.exe
  C:\Windows\System\eNwqRpf.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\TiotJSv.exe
  C:\Windows\System\TiotJSv.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\Rdrrvll.exe
  C:\Windows\System\Rdrrvll.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\rCKTQgy.exe
  C:\Windows\System\rCKTQgy.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\oBghxFx.exe
  C:\Windows\System\oBghxFx.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\gcCnnug.exe
  C:\Windows\System\gcCnnug.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\fsUjbBu.exe
  C:\Windows\System\fsUjbBu.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\lXQfjQp.exe
  C:\Windows\System\lXQfjQp.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\hVJzylU.exe
  C:\Windows\System\hVJzylU.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\EauAjdd.exe
  C:\Windows\System\EauAjdd.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\rzUQNmg.exe
  C:\Windows\System\rzUQNmg.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\EIYljgo.exe
  C:\Windows\System\EIYljgo.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\zvlCJLL.exe
  C:\Windows\System\zvlCJLL.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\WlYFnGB.exe
  C:\Windows\System\WlYFnGB.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\JORgnjA.exe
  C:\Windows\System\JORgnjA.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\UtwJDfm.exe
  C:\Windows\System\UtwJDfm.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\lKdnWjP.exe
  C:\Windows\System\lKdnWjP.exe
  2⤵
  - Executes dropped EXE
  PID:1152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\EIYljgo.exe

Filesize
5.7MB

MD5
aff13f86ab8c775899fcc7ae2ec0ead4

SHA1
8a873fda99d13e999604fbd236c78d474e7f56a3

SHA256
6c1faee2a7ff5be2b0343fd595c3af49737e4984ba2d6bbc3778edb7ba3bf892

SHA512
dbf59f551e8e5a3da3aa0360a6f73353ce11be9080a89959073e5f0432fdf74552171959cd710144945f9ec70eef2624288e1a98d220d79fda7074364fe35b3f

Download Submit
C:\Windows\system\EauAjdd.exe

Filesize
5.7MB

MD5
6e2f9b5a7a2cc5abe069de4e5ac58d34

SHA1
c116ab03abbe9b1c45bf28d375e84fd57ef562c6

SHA256
efbe496f2c2aa85f695b5b25ef8f0c7834e2b28ca84cd31ec1e0c06bbcc23264

SHA512
a8a13e292b720d1a4f2b8f287812dcc4a8aa0dc7123187252e9dcccc889d4c6789d1842b1dc78e215cd7641ec719c917b16b56a95fc3bf3a76d232c581dd97b8

Download Submit
C:\Windows\system\JORgnjA.exe

Filesize
5.7MB

MD5
da607abddc69bbfeb59326479997e3c9

SHA1
d612ec506b4a49949cac79a66ed6520bcd13195a

SHA256
e2d03db0afd38b94ec185c58beaf765b67557fe4b919e76c1ce1c050fc1b452a

SHA512
4ae601d7e8cc1403f35532ae04bc6fbd0985c087dbb1f93f55ebbd2d30125c069735143c3d5728392fb92870791541e84c7636a6a39211c66d6628f194306e53

Download Submit
C:\Windows\system\TiotJSv.exe

Filesize
5.7MB

MD5
ff9e663a28257311ec1a53edf02d2427

SHA1
17c0ea51cd9120b2ce1628387c397f1f4506478d

SHA256
fde3604abc550ae1b839fce9f663e92e82e55bc42de8383d2a72c0eb21f27802

SHA512
7e32222eaf2b3963fb3b42b2a577cf6895aed65d40f688f74ee9a8ee0a97a9f5194fc6660e70a9c918429fb3f9fc42597e28bac011f42d4aff59002b6cccac33

Download Submit
C:\Windows\system\UtwJDfm.exe

Filesize
5.7MB

MD5
babd33214b751d409629ba00609164c8

SHA1
ae26e00fcf570760875917387b62b66240155bda

SHA256
84d4e5f77a5d9d2e68ff78353d1d6fafa1255d5cf684e7222cb4f97bab3210ff

SHA512
b97191db6ee87a2ceaf6ab11aa634a92071af130d6daab304aa1c8132188b4fb822dfe22340f2e689f604ed7a9c365450c0cadf52d74d0f030559e2f907b3cf6

Download Submit
C:\Windows\system\WlYFnGB.exe

Filesize
5.7MB

MD5
1ce977e681d66701f6eeaf567c8e7f73

SHA1
90e6387c0a19e4cbad709216e4bd4b81a13b7afb

SHA256
180aa332b2a6fbafe33826b66a5d798c404136bfb4274183853b0b6bde400f06

SHA512
219351a09df8e538c690ad68dc1149f4e16e663b92c3205b5458618e5864f6b56d05b4697f67a2b36a73397063d969247db876e26c28a72df12386e327d92ccb

Download Submit
C:\Windows\system\XKUcEFC.exe

Filesize
5.7MB

MD5
76e8bfda44f0556c8930f3cbe8cbf2d0

SHA1
e42660c0c76677fadeafc8925cbe777b43ab985a

SHA256
31d7c34f8b3e27c154c23eec98f0713a211089a89be133d7e3eabca9eaff5d69

SHA512
13a6f2a7d3fde80da09b1bcee66fb37096a35c97190bc51c97cbeb43afcb23a20c48b27d12d385eb7b83ebbfc1d1bbf1d5b2fa0aaedba1fa0b2c822a356036e9

Download Submit
C:\Windows\system\eNwqRpf.exe

Filesize
5.7MB

MD5
024f6aa097a3c23c3f04cae767575cf7

SHA1
8bcdbaa47c79ac4e772b8319431529aec18efa30

SHA256
abab874275913c8565b260cd5acc97cfd795536461c3ead988ef65561f883efe

SHA512
227b9ba905cf2a4456003b5f89d2818eb1385fb0ffcfbba2ed5619f4104bdd50dab1cc008b33dc5fab73bacd8a2e17d4dbee6f2266284a3c266c28881aa38edf

Download Submit
C:\Windows\system\fsUjbBu.exe

Filesize
5.7MB

MD5
fbfca36d2035e1a19fe657b594642a86

SHA1
25894f862477087d9380d1ca10934800fc872a53

SHA256
ef7452cd43bdf50e7deec4263b0607d74648a1653e8698ac849b6eff18b622e5

SHA512
edaf3f48b5532161edde245e8d4b7e02607ca5273f5b00272d88c5b8cff6762bb3c9a7d553d11a9f5b5d3f13668226eef896298cf041a6027c2d33686c88cb9d

Download Submit
C:\Windows\system\gcCnnug.exe

Filesize
5.7MB

MD5
c8a66f06496885d83154f98a629a697f

SHA1
f2468087ae6cf81dbc8d66552073394a5d2c6da1

SHA256
c2f1fa3bb9509e9412c45cce0a3291fe8ee3edb55cd3367b9bf921941921b12b

SHA512
eeaed1bb8f3f2d9f23d0258a88d234ed1f2d724abb54f2f07d5c9708db34a2bdaafa3b22337c6c56c60e73002231e8e1af0282e61ed551947421a3f035bf9989

Download Submit
C:\Windows\system\hVJzylU.exe

Filesize
5.7MB

MD5
29aaeaaf896d5c688539a2fd0f170a0d

SHA1
d9e4e43b13f72ab8b219b98c48506dfcb408cd25

SHA256
3f0a049c793b55f9784995c1c1f16e1e3428301cead4cf959e0872565a567d66

SHA512
2013b4d63d1a069b6b23b3fc8e0e7f33a286fe57f79eaeb192b421114c05fc45bec1c8ef23d0dbcc71b39fea88be0b485319af0f2add7a8788225d4c5bd98e03

Download Submit
C:\Windows\system\lXQfjQp.exe

Filesize
5.7MB

MD5
c9d4e30ee095be2b07e13490ee35bd1d

SHA1
189ee69a08c0b522c4d29b9bf34b091cb20224bb

SHA256
ab284f5bbb8befc00c4292b124b09ce36dbedbd433393bb47816d2680b29af02

SHA512
5fe3ec7d306ded9e8476ec37fc22c0646314fee303ee8ba541203a59e1296eb8bd8743c3fc57a69f8e99f6955b4d053be68a9fd766d3d34c9ea416d99bcae941

Download Submit
C:\Windows\system\oBghxFx.exe

Filesize
5.7MB

MD5
4601011b0cd928662fe9522ca25e329d

SHA1
7a62c533549aa323c944724277f2650c2e4ef7e5

SHA256
a63f7a281ca2d42156ba57f463088c0d913aacef0f11cee1d388a2406dc662f4

SHA512
2b38b2340e98d8e0206d0084cfc17af4afcab9b4935b454f3730bdcbc3dbe91171c84be095a2c49ffedbe367f9281ed46f2631e89bec074fba77084ff7681075

Download Submit
C:\Windows\system\rCKTQgy.exe

Filesize
5.7MB

MD5
3149ab7710c51d3dc327c6f2c47518c7

SHA1
14a3a115c2581c9cb7f1330fc4ee44d930d71ad1

SHA256
de515a3e678e8a9474be089e4d68f3f5767711eaabebf2fbf4005ec5a529577d

SHA512
07ac165b0da098510dbec4e79158a2c3ac87a4b4f5165af609787bb374efc2a879cea08dc2718dcef155165386255300f752634315ffe5d4f84a31385b469abb

Download Submit
C:\Windows\system\rzUQNmg.exe

Filesize
5.7MB

MD5
dc3b3285e0029dcb8985c6286ecfb5f4

SHA1
9bc4f4a6567f98c97f82a4a99f3dc435f93c2c4b

SHA256
4aff3e23c0c10a347ba674f1b3c91893b1440628ce870600eae8edca268f5e66

SHA512
30793bb803298339d9f5584d5c618aed137588f10a6abe4418028e590353ed41548609bf312cc4444f6aeb27916e7dc024557efa2b797a23867851748380e292

Download Submit
C:\Windows\system\vGuNtHh.exe

Filesize
5.7MB

MD5
35a5cffe0b2f558003b9572ace4f3c73

SHA1
713dba14204b7b63384a49a0eb545c4f6bd0bc17

SHA256
48d3a2ab9eff51c18f506883ca8525137315ac9dcbfa180cbd2235c964259220

SHA512
f2c6bc408476abac1429ffaf26568fac9e12db7bb6b16eefcc0d5dc2096d46de358e8fa8dc4ce7855b878d48f274c7c4b5022b0d05d15c3b3ca7671182e3113a

Download Submit
C:\Windows\system\zvlCJLL.exe

Filesize
5.7MB

MD5
13269f88f947f6072d91155d8acc27e1

SHA1
5964f86236d65e46b1fa1ed5f6019607b01d9344

SHA256
663608c9f7a2af04f46c9677b773fb0f58b823ff2823570cacabf9044b773faa

SHA512
c31cdfd6599d5896f836c4d75d084777ab83606d00cd6671fefa1c9db34be9179afda95b13debb4163f742a1f718603966e077235a79a08796b857321eb75808

Download Submit
\Windows\system\GRQKgYM.exe

Filesize
5.7MB

MD5
51fb449cf1de2ddf6d892fb72b4ed168

SHA1
208e4f8f949aa164b8bc56b40f3c3928cfbefb3a

SHA256
aaa6ef9b40c3dba85a235f3dbe88711e09302c8f9d9131d80bd7bd7d832777c8

SHA512
6a6e48b87bae983bfbde17a6ed75b43c500caab7365cec19fac0a3b3d9d5ade2dad6264bea874ca38ddda90f338d1af8fae53b041a541c53e9b50bcd6d3f7706

Download Submit
\Windows\system\Rdrrvll.exe

Filesize
5.7MB

MD5
a71dbcaf4a5cd75749eb72314ddea308

SHA1
5b0aafa824b4905dae529831879d67e31428613a

SHA256
228396c952755673ae1f3ceeec08ff953491377855ccfbe6ffdd18561c35625e

SHA512
cdd4890b5420fccca0a4e0524e8a64d64012b18b7b9e689cbd615963905bffc8092f6b1dfa4e5e8169854a4846276d3be45a96944981aa4c3e6bc68e0da43f9e

Download Submit
\Windows\system\hGNkFWC.exe

Filesize
5.7MB

MD5
e0761045da3f068dcd560d58af10eb9e

SHA1
c25130162fa142d88b04f22268cbdfd4b60565d6

SHA256
51ae3c06f75819d92f5afb55bf081d24b06b0702489ce51d5c57f6001f19c2f8

SHA512
774af98f52980499e7ba859cbe26889963aea56f96966401e3f546c2ef03a576bf27e3afd1aae01d43269674dc686e873e61dd17f457807a32a3dc596c4b689e

Download Submit
\Windows\system\lKdnWjP.exe

Filesize
5.7MB

MD5
9eb46eb7f312c2f3a2b3a305cab83dff

SHA1
55422868db02f2e9a8e67c94de9b97d5f62f4d5c

SHA256
e099e5afd85dfe6dedd54f3823f7bb30c3f1596a4b1a75ebac005255e97256b8

SHA512
eafe16cacc3870c16656810b7707be83d315d7ff6147808d03f6d46fbfb0f17cfb2146052b1566441183d9bf0f0d39dee64134d2b96c69a383c60528a8d6f6d1

Download Submit
memory/1152-126-0x000000013FF10000-0x000000014025D000-memory.dmp

Filesize
3.3MB

Download
memory/1252-103-0x000000013F1E0000-0x000000013F52D000-memory.dmp

Filesize
3.3MB

Download
memory/1268-13-0x000000013FFD0000-0x000000014031D000-memory.dmp

Filesize
3.3MB

Download
memory/2012-25-0x000000013F130000-0x000000013F47D000-memory.dmp

Filesize
3.3MB

Download
memory/2052-115-0x000000013F570000-0x000000013F8BD000-memory.dmp

Filesize
3.3MB

Download
memory/2276-31-0x000000013F850000-0x000000013FB9D000-memory.dmp

Filesize
3.3MB

Download
memory/2348-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2348-0-0x000000013F020000-0x000000013F36D000-memory.dmp

Filesize
3.3MB

Download
memory/2440-6-0x000000013F2E0000-0x000000013F62D000-memory.dmp

Filesize
3.3MB

Download
memory/2504-121-0x000000013F240000-0x000000013F58D000-memory.dmp

Filesize
3.3MB

Download
memory/2604-85-0x000000013F260000-0x000000013F5AD000-memory.dmp

Filesize
3.3MB

Download
memory/2636-48-0x000000013F220000-0x000000013F56D000-memory.dmp

Filesize
3.3MB

Download
memory/2648-59-0x000000013F1B0000-0x000000013F4FD000-memory.dmp

Filesize
3.3MB

Download
memory/2664-61-0x000000013F620000-0x000000013F96D000-memory.dmp

Filesize
3.3MB

Download
memory/2696-73-0x000000013F940000-0x000000013FC8D000-memory.dmp

Filesize
3.3MB

Download
memory/2724-36-0x000000013F7F0000-0x000000013FB3D000-memory.dmp

Filesize
3.3MB

Download
memory/2752-67-0x000000013F1A0000-0x000000013F4ED000-memory.dmp

Filesize
3.3MB

Download
memory/2812-44-0x000000013FF40000-0x000000014028D000-memory.dmp

Filesize
3.3MB

Download
memory/2832-79-0x000000013FA00000-0x000000013FD4D000-memory.dmp

Filesize
3.3MB

Download
memory/2880-108-0x000000013FF70000-0x00000001402BD000-memory.dmp

Filesize
3.3MB

Download
memory/3052-22-0x000000013F8A0000-0x000000013FBED000-memory.dmp

Filesize
3.3MB

Download