Malware Analysis Report

2024-10-23 18:50

Sample ID 240628-ac794asejr
Target 2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat
SHA256 f05388cdf43a0d1a2c044028bae15f37daf248f56f0c90b935a0a1c54531b578
Tags miner upx 0 xmrig cobaltstrike backdoor trojan
Score 10/10


Analysis Overview

Score: 10/10

SHA256

f05388cdf43a0d1a2c044028bae15f37daf248f56f0c90b935a0a1c54531b578

Threat Level: Known bad

The file 2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

xmrig

Cobaltstrike family

Cobalt Strike reflective loader

Xmrig family

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-28 00:05

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 00:05

Reported

2024-06-28 00:07

Platform

win7-20240611-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QQUoClO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\djOZiUV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AmIFHXM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TZCJWiw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yOwFeQX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WnxErXS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oqETHEn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QFeoVts.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KtnzCzO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VzJIbAi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CFQeLdh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OgDTiSL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RnHFHMt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vENbMVM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CTiOIiT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ozMNUaQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LLiCfdG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uktMksu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ChIESgi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mxfYWBr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tPuXsFw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AmIFHXM.exe
PID 2312 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AmIFHXM.exe
PID 2312 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AmIFHXM.exe
PID 2312 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KtnzCzO.exe
PID 2312 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KtnzCzO.exe
PID 2312 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KtnzCzO.exe
PID 2312 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ozMNUaQ.exe
PID 2312 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ozMNUaQ.exe
PID 2312 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ozMNUaQ.exe
PID 2312 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LLiCfdG.exe
PID 2312 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LLiCfdG.exe
PID 2312 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LLiCfdG.exe
PID 2312 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZCJWiw.exe
PID 2312 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZCJWiw.exe
PID 2312 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZCJWiw.exe
PID 2312 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uktMksu.exe
PID 2312 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uktMksu.exe
PID 2312 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uktMksu.exe
PID 2312 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yOwFeQX.exe
PID 2312 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yOwFeQX.exe
PID 2312 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yOwFeQX.exe
PID 2312 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChIESgi.exe
PID 2312 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChIESgi.exe
PID 2312 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChIESgi.exe
PID 2312 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mxfYWBr.exe
PID 2312 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mxfYWBr.exe
PID 2312 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mxfYWBr.exe
PID 2312 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VzJIbAi.exe
PID 2312 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VzJIbAi.exe
PID 2312 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VzJIbAi.exe
PID 2312 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tPuXsFw.exe
PID 2312 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tPuXsFw.exe
PID 2312 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tPuXsFw.exe
PID 2312 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CFQeLdh.exe
PID 2312 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CFQeLdh.exe
PID 2312 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CFQeLdh.exe
PID 2312 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CTiOIiT.exe
PID 2312 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CTiOIiT.exe
PID 2312 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CTiOIiT.exe
PID 2312 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OgDTiSL.exe
PID 2312 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OgDTiSL.exe
PID 2312 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OgDTiSL.exe
PID 2312 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RnHFHMt.exe
PID 2312 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RnHFHMt.exe
PID 2312 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RnHFHMt.exe
PID 2312 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WnxErXS.exe
PID 2312 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WnxErXS.exe
PID 2312 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WnxErXS.exe
PID 2312 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QQUoClO.exe
PID 2312 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QQUoClO.exe
PID 2312 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QQUoClO.exe
PID 2312 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vENbMVM.exe
PID 2312 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vENbMVM.exe
PID 2312 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vENbMVM.exe
PID 2312 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oqETHEn.exe
PID 2312 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oqETHEn.exe
PID 2312 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oqETHEn.exe
PID 2312 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\djOZiUV.exe
PID 2312 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\djOZiUV.exe
PID 2312 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\djOZiUV.exe
PID 2312 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QFeoVts.exe
PID 2312 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QFeoVts.exe
PID 2312 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QFeoVts.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\AmIFHXM.exe

C:\Windows\System\AmIFHXM.exe

C:\Windows\System\KtnzCzO.exe

C:\Windows\System\KtnzCzO.exe

C:\Windows\System\ozMNUaQ.exe

C:\Windows\System\ozMNUaQ.exe

C:\Windows\System\LLiCfdG.exe

C:\Windows\System\LLiCfdG.exe

C:\Windows\System\TZCJWiw.exe

C:\Windows\System\TZCJWiw.exe

C:\Windows\System\uktMksu.exe

C:\Windows\System\uktMksu.exe

C:\Windows\System\yOwFeQX.exe

C:\Windows\System\yOwFeQX.exe

C:\Windows\System\ChIESgi.exe

C:\Windows\System\ChIESgi.exe

C:\Windows\System\mxfYWBr.exe

C:\Windows\System\mxfYWBr.exe

C:\Windows\System\VzJIbAi.exe

C:\Windows\System\VzJIbAi.exe

C:\Windows\System\tPuXsFw.exe

C:\Windows\System\tPuXsFw.exe

C:\Windows\System\CFQeLdh.exe

C:\Windows\System\CFQeLdh.exe

C:\Windows\System\CTiOIiT.exe

C:\Windows\System\CTiOIiT.exe

C:\Windows\System\OgDTiSL.exe

C:\Windows\System\OgDTiSL.exe

C:\Windows\System\RnHFHMt.exe

C:\Windows\System\RnHFHMt.exe

C:\Windows\System\WnxErXS.exe

C:\Windows\System\WnxErXS.exe

C:\Windows\System\QQUoClO.exe

C:\Windows\System\QQUoClO.exe

C:\Windows\System\vENbMVM.exe

C:\Windows\System\vENbMVM.exe

C:\Windows\System\oqETHEn.exe

C:\Windows\System\oqETHEn.exe

C:\Windows\System\djOZiUV.exe

C:\Windows\System\djOZiUV.exe

C:\Windows\System\QFeoVts.exe

C:\Windows\System\QFeoVts.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2312-0-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2312-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\AmIFHXM.exe

MD5 dd7a5bc3f6731f507532219539a3023b
SHA1 7ada8ed66fe65949dd31e4131c176c63b034a88f
SHA256 6e59326f057ed34ec83a49a3a46c5cd04d55405846bddf4270318824ef398fa5
SHA512 97fe9b0ed5f6d69319c291405ea209baa918b95bc9f03f5a2bdec7253a255b5c920860796c5ade225c066b297cec8f4fa4422a240ddd6150eeaf78c46dd2f6bb

C:\Windows\system\KtnzCzO.exe

MD5 ef096a231130c1303f78de3b727c6a9b
SHA1 e11fe955dd2d103dca264119ad919ba843c2f745
SHA256 168b302617a60abe4bb1b85972c1c43fc49b4127f8aa17977ddcf1d4bdd540b2
SHA512 35a592a0e35f278f1682d1e73bd102d3dc445c8bce917ff288471632f1a9c2081ba578e4ee499b7d153881b0ddd5e4671eab93b1fdc63b04412dcaaa5a9e57af

\Windows\system\ozMNUaQ.exe

MD5 2e0c0c7b8c75282633391d679087c90f
SHA1 f2f62a53d06f51ad616394b70ca063d5968b1d82
SHA256 b394922c926a1bb5f57164e75ee8c72c9c8899ce7b0c5bcd62ae91957021c797
SHA512 c8f242c496d308e2048afcd74489bbd43530502ee3498809c3253bc7f5d6da5cab8300a891c6a86fa8dfa37d41e9ffb0f74590ef55f3035f52efd87bb1858f79

memory/2312-25-0x000000013F3B0000-0x000000013F704000-memory.dmp

\Windows\system\TZCJWiw.exe

MD5 55bcb11d35054c88ffe8687d03000ac0
SHA1 7d65072a3b2e40032ccf1bdc86b611ca65c0ea9c
SHA256 665aab2b9daf77f7fa17470d319a78c7994625ee44808066619074c0f9def981
SHA512 9fb8e01535b22063f395bbf12593c804f9c9a9d5916fc699f1755af8367b2e825bec2ee79ebc7b11ee10e7f5d5fca3b11533c0e511c2bd6b2e76643bd498743b

memory/2312-21-0x0000000002430000-0x0000000002784000-memory.dmp

memory/1688-36-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2008-34-0x000000013FD10000-0x0000000140064000-memory.dmp

C:\Windows\system\uktMksu.exe

MD5 c3d1c73bd82842b6f8b6a0beff25d9fb
SHA1 2038da6baa81a33a00732abbbd7a3c4d7e036f2b
SHA256 5398c4a918106ae6402997d04b1e335d6f631d3a49d2686bbc8905fab7b2b958
SHA512 9a0e390ea8375fba67a1b53f30eb01ae03fb7263e21dab6c9736a732b149caf49561ad5bd176d209433ff4327906e0e830438fa2e52a340c9883517ab4e7dee9

memory/2312-41-0x0000000002430000-0x0000000002784000-memory.dmp

memory/2636-42-0x000000013FC50000-0x000000013FFA4000-memory.dmp

C:\Windows\system\ChIESgi.exe

MD5 3fdac4f9b57b8f85dfc80a6f756cc7c0
SHA1 217d6aa70ce5bd349ef86b0c35f3106a6eb2a061
SHA256 c0b7acbb7b52fdd54af9343167c651e858f37e284a65a8291251166ff9d21af9
SHA512 d1a0ac8cc5b6b7f9d93bca60f0a430198daa08a8ce2353896fdbc5c7ddfb0528a2c8540a845b53e906ea50d3190e5d156f6e1720d4fc85aabb48940aaf026b52

memory/2632-57-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2312-52-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2212-69-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2744-70-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/2312-85-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2584-94-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2344-101-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2312-100-0x0000000002430000-0x0000000002784000-memory.dmp

C:\Windows\system\oqETHEn.exe

MD5 bf577045d5b9dc534f0aae6999c3191c
SHA1 a264f1210abb387f0215518234786e3a56a35cf1
SHA256 c4136518f5d809dd11a070e415aa1d46a6d61f6c36797334b720e512ec364475
SHA512 ac4f5c15ad78c8a2ad6600b86572397ba0a7374d2f163200993f7172f0f5a291b050ce0d6ea4accfb0f2b9c0f68c8be458f56055394da46427408168f1eadac0

\Windows\system\QFeoVts.exe

MD5 f4318d14c24c63aee7e7d0317755ed5d
SHA1 6674e72e9e506cf5f8311a7176473d811c8bec4c
SHA256 c213dc2ac3ac9e3abefd7cf2126149612b5bf2f090a1ea7ee606c371bdd937df
SHA512 2874d542735e8528849ce968bb6c308407603bcde6e10caeaed6bd6a7eaf5d3030189e32181eb818d4005d0f8fd150b00885330524edc625dd6a0e051ea792c1

C:\Windows\system\djOZiUV.exe

MD5 90a9fcc86a3aa0e9066d39a940202313
SHA1 66e2544f20ace57d9c0449ee39be1e3dff8b3ad7
SHA256 0907b145ccd902177cde951903ba36add005d6d982ff63f33611eac0c8c73253
SHA512 da50a8230c8f242d53cb4146803245806dcad93d1b6c36c5c0dfb574ccb59b3f217664e69dbda5e86586f67c64e8feac32c04e78c70a335ae99e8944b7238ba5

C:\Windows\system\QQUoClO.exe

MD5 3568c4e5a878a52dca7bb05867efbca1
SHA1 7a9204b70cfd41c4e28c9b0ac9f8da78317a769e
SHA256 fbaee43a0397033ff03ae813f1688a65d2d2234952f33b2d47e6abcb01bb969a
SHA512 026aca1e8af077f3237c0fc7aa1aa4e0eba00067351dcef5402109a60438d5818ecca56132a9aa634c46247a3261b0c302f8baf3331b03f8f18aacc2dbd12f1e

C:\Windows\system\RnHFHMt.exe

MD5 d83d341bbf3c5e277ab600efd29b244c
SHA1 38fa9c3ccbd6d18d83048aef1c645de3805bfea6
SHA256 1004d81b8108529f682a216777210daac2811ffd42efabfa73de381f8893eea9
SHA512 8c9c6a6b9d7f3a3be6225a4d29c2497e1dcaa5b2b68c8e1ee5a6d9f9c731b8e15cdce8cf0e136be2c6d0f46e12aaba030a6ea3e8a660265eec39db2289aba5c3

memory/2312-107-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2636-106-0x000000013FC50000-0x000000013FFA4000-memory.dmp

C:\Windows\system\vENbMVM.exe

MD5 6118f8fe1063767319d994a20d92ebd6
SHA1 ca4ebde8c16319452f2af385ba9b9184c6affcb3
SHA256 32f6133b994eb6c8d89ba7cb1f64793f2ded0d03fd63f1e5b0fc1ffdc965c2ea
SHA512 19598bcab5778056a343c58407b87c012b2b1a8f5e64c0c2aefa7dfd697561ba2fa0c6a20756186c9c7d15e91241f533d0b231fbfc9ae5ad077ccd3a2b8516dd

C:\Windows\system\WnxErXS.exe

MD5 67dc7e9ea6031deabb56f15061e8e8d5
SHA1 cf496b65cd87de7da990ab3942790c9f084da754
SHA256 84ebfa50b2f0b214970bbaad4151266a441075cb6657df9a97c4216cc7caef0b
SHA512 b9ed72bc829c9b44ffa7d66239b41f6f4549c94f6edd33e48f2a4c0824b18ff64f5d168237f87973d2de74cfa4ad875c3bd1671d281357b28f5a228216f79eb1

memory/1688-99-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2312-93-0x0000000002430000-0x0000000002784000-memory.dmp

C:\Windows\system\OgDTiSL.exe

MD5 462c54b01918502a5ed1b474afe48907
SHA1 967b5da5e3ccbe1129455f9588022f44cd7b3e80
SHA256 eba33156debd0b6fd06925bda27a1fbece5a36d2fb8d2bfa9978c19b74cb3559
SHA512 b9fc3600c7d1e4882714103433e82398d532da70d6266f59a9e989d96026aab20d12c35cfe9620ac5cc65f54d712db0fb88070d64f89c898be5754616f07e30e

C:\Windows\system\CTiOIiT.exe

MD5 87b3dd1516dba00f2977f84553583d0c
SHA1 a7188940c6e9e4742095522bb754c6af6dd9f429
SHA256 1ed5669a3a1aa0636d3b53fd70cdbc08f2710548786b23b85081ca1f4c08deb2
SHA512 7119ab66f20a6f29656f4e82000098025b9806b56eb94901c3df285d7372f1dfcc28627ebc81b4732abd50c1aef6b0b3d32d0a7be5b0daf762e961222192dbd7

memory/2512-86-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2676-78-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2312-77-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2312-76-0x000000013F3B0000-0x000000013F704000-memory.dmp

C:\Windows\system\tPuXsFw.exe

MD5 4c4ccfc04e6ea5a043fc46df3255d35b
SHA1 8f2b15dc0ba881dcdc7f216d8da00df5ee702a8e
SHA256 a832c8ff37aedb34fd407faec1f344411a91749d63e9419f71ce20d33da62a48
SHA512 ed798b5870e51feab14082ad61a699a7dadb118895a7703ba5c9fd729f9a4f3805e31a4523eb89cd737215b84679648bbb91262ad37e0594277403f5f77e4e03

C:\Windows\system\CFQeLdh.exe

MD5 7a7c5839632f94e25d84c8f0bd27631d
SHA1 ddf9edac1181f686904c5551bd87a0fc049c2cea
SHA256 584ad761d5cd6391cb01a81fe01c29c6928a6ab5e09eee574ead7781d17fd604
SHA512 6f4f245f157507877d9df39599a12882da8b1523aa14292ba880c932b1798507ecdcac5d901447d7befabfd0f0523245c73a9f10805813a8ecc2dd04a250e6cb

memory/1424-64-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2312-63-0x000000013FB50000-0x000000013FEA4000-memory.dmp

C:\Windows\system\mxfYWBr.exe

MD5 8552d4493ec0356276df99b5694747dd
SHA1 129ea6198f076f6213e025392010241f0540244d
SHA256 c2c4a901cb1b38e523d7eea1692a47067c8a87f73c2b450b9a858425b0c78402
SHA512 ba51f81506abe2747b8483ecfb8a140e2c07eea73eb154d2f879f4438acdb8f67d669772bab1a3f30e6b7c6add39430b8503b36bda2ae8616e9b23af94fb69bf

memory/2220-68-0x000000013F8D0000-0x000000013FC24000-memory.dmp

C:\Windows\system\VzJIbAi.exe

MD5 221eb3ba97534a15321b657e44f0409f
SHA1 647e3c6fbcc59fe9ff0cc89dbeacad512802a48a
SHA256 2d3c0570c6c50968bcabd0e1665b2757485fbef3ee80fb8872957262396d6eee
SHA512 178ba13488b316b3ba9f67a2f59040c91ae2bc52c2465176c75948d61f0e2c5be6ef0cb2e30f586cfef85139fd76e8ad4ecaf7b3d64d5cd5fe6e4d0f5b5dd086

memory/2796-50-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/2312-49-0x000000013F5D0000-0x000000013F924000-memory.dmp

C:\Windows\system\yOwFeQX.exe

MD5 7a2fb44900e5550f9026ae7f5559ad76
SHA1 8e972f77fe73391cd8eb1c760f716c1ac0cf70a0
SHA256 c9a96e25e63c93d3a4131e83f1c2eba5067a061302009aaa4b4b31e7a9190b6e
SHA512 68f52b6d6babd93030182fb9dc5d167f71d2022b2890db9ce3230aa1707c9ae3a75414952f41fc49f381fd8267ed7c24d1c96bb838701f82dd734ac5724adf01

memory/1700-32-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2312-31-0x000000013F1B0000-0x000000013F504000-memory.dmp

C:\Windows\system\LLiCfdG.exe

MD5 dba357c746d6ba431431c054d4d67aa3
SHA1 7eccefe4248a59c1cced2c07700f2fe4d5d7b44e
SHA256 ac7cc97ceccf92bfc3308c4e3df96ca741b63f33a228d8e497b8b40d7de6761f
SHA512 f30858b6ed36da54ef6dff84b1e127bc8657bed6cbe05ed0b87a6cfb14d502e898715515e3f16d1bf8bcb14ed2356010c45b39a308043cfc443c4c3734c08cbb

memory/2312-26-0x0000000002430000-0x0000000002784000-memory.dmp

memory/2212-20-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2220-12-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/2312-139-0x0000000002430000-0x0000000002784000-memory.dmp

memory/2744-140-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/2312-141-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2676-142-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2312-143-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2512-144-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2344-145-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2312-146-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2220-147-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/2212-148-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2008-149-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/1700-150-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/1688-151-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2636-152-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2796-153-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/2632-154-0x000000013F100000-0x000000013F454000-memory.dmp

memory/1424-155-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2744-156-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/2676-157-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2512-158-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2584-159-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2344-160-0x000000013FD40000-0x0000000140094000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 00:05

Reported

2024-06-28 00:07

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uktMksu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tPuXsFw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QFeoVts.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TZCJWiw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LLiCfdG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VzJIbAi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CTiOIiT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RnHFHMt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QQUoClO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oqETHEn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KtnzCzO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ozMNUaQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yOwFeQX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\djOZiUV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AmIFHXM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mxfYWBr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CFQeLdh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OgDTiSL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WnxErXS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vENbMVM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ChIESgi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AmIFHXM.exe
PID 2328 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AmIFHXM.exe
PID 2328 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KtnzCzO.exe
PID 2328 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KtnzCzO.exe
PID 2328 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ozMNUaQ.exe
PID 2328 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ozMNUaQ.exe
PID 2328 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LLiCfdG.exe
PID 2328 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LLiCfdG.exe
PID 2328 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZCJWiw.exe
PID 2328 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZCJWiw.exe
PID 2328 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uktMksu.exe
PID 2328 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uktMksu.exe
PID 2328 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yOwFeQX.exe
PID 2328 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yOwFeQX.exe
PID 2328 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChIESgi.exe
PID 2328 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChIESgi.exe
PID 2328 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mxfYWBr.exe
PID 2328 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mxfYWBr.exe
PID 2328 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VzJIbAi.exe
PID 2328 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VzJIbAi.exe
PID 2328 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tPuXsFw.exe
PID 2328 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tPuXsFw.exe
PID 2328 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CFQeLdh.exe
PID 2328 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CFQeLdh.exe
PID 2328 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CTiOIiT.exe
PID 2328 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CTiOIiT.exe
PID 2328 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OgDTiSL.exe
PID 2328 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OgDTiSL.exe
PID 2328 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RnHFHMt.exe
PID 2328 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RnHFHMt.exe
PID 2328 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WnxErXS.exe
PID 2328 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WnxErXS.exe
PID 2328 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QQUoClO.exe
PID 2328 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QQUoClO.exe
PID 2328 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vENbMVM.exe
PID 2328 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vENbMVM.exe
PID 2328 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oqETHEn.exe
PID 2328 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oqETHEn.exe
PID 2328 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\djOZiUV.exe
PID 2328 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\djOZiUV.exe
PID 2328 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QFeoVts.exe
PID 2328 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QFeoVts.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\AmIFHXM.exe

C:\Windows\System\AmIFHXM.exe

C:\Windows\System\KtnzCzO.exe

C:\Windows\System\KtnzCzO.exe

C:\Windows\System\ozMNUaQ.exe

C:\Windows\System\ozMNUaQ.exe

C:\Windows\System\LLiCfdG.exe

C:\Windows\System\LLiCfdG.exe

C:\Windows\System\TZCJWiw.exe

C:\Windows\System\TZCJWiw.exe

C:\Windows\System\uktMksu.exe

C:\Windows\System\uktMksu.exe

C:\Windows\System\yOwFeQX.exe

C:\Windows\System\yOwFeQX.exe

C:\Windows\System\ChIESgi.exe

C:\Windows\System\ChIESgi.exe

C:\Windows\System\mxfYWBr.exe

C:\Windows\System\mxfYWBr.exe

C:\Windows\System\VzJIbAi.exe

C:\Windows\System\VzJIbAi.exe

C:\Windows\System\tPuXsFw.exe

C:\Windows\System\tPuXsFw.exe

C:\Windows\System\CFQeLdh.exe

C:\Windows\System\CFQeLdh.exe

C:\Windows\System\CTiOIiT.exe

C:\Windows\System\CTiOIiT.exe

C:\Windows\System\OgDTiSL.exe

C:\Windows\System\OgDTiSL.exe

C:\Windows\System\RnHFHMt.exe

C:\Windows\System\RnHFHMt.exe

C:\Windows\System\WnxErXS.exe

C:\Windows\System\WnxErXS.exe

C:\Windows\System\QQUoClO.exe

C:\Windows\System\QQUoClO.exe

C:\Windows\System\vENbMVM.exe

C:\Windows\System\vENbMVM.exe

C:\Windows\System\oqETHEn.exe

C:\Windows\System\oqETHEn.exe

C:\Windows\System\djOZiUV.exe

C:\Windows\System\djOZiUV.exe

C:\Windows\System\QFeoVts.exe

C:\Windows\System\QFeoVts.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
IE 52.111.236.23:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2328-0-0x00007FF6A5E70000-0x00007FF6A61C4000-memory.dmp

memory/2328-1-0x00000247D72D0000-0x00000247D72E0000-memory.dmp

C:\Windows\System\AmIFHXM.exe

MD5 dd7a5bc3f6731f507532219539a3023b
SHA1 7ada8ed66fe65949dd31e4131c176c63b034a88f
SHA256 6e59326f057ed34ec83a49a3a46c5cd04d55405846bddf4270318824ef398fa5
SHA512 97fe9b0ed5f6d69319c291405ea209baa918b95bc9f03f5a2bdec7253a255b5c920860796c5ade225c066b297cec8f4fa4422a240ddd6150eeaf78c46dd2f6bb

C:\Windows\System\KtnzCzO.exe

MD5 ef096a231130c1303f78de3b727c6a9b
SHA1 e11fe955dd2d103dca264119ad919ba843c2f745
SHA256 168b302617a60abe4bb1b85972c1c43fc49b4127f8aa17977ddcf1d4bdd540b2
SHA512 35a592a0e35f278f1682d1e73bd102d3dc445c8bce917ff288471632f1a9c2081ba578e4ee499b7d153881b0ddd5e4671eab93b1fdc63b04412dcaaa5a9e57af

memory/1596-13-0x00007FF600510000-0x00007FF600864000-memory.dmp

C:\Windows\System\ozMNUaQ.exe

MD5 2e0c0c7b8c75282633391d679087c90f
SHA1 f2f62a53d06f51ad616394b70ca063d5968b1d82
SHA256 b394922c926a1bb5f57164e75ee8c72c9c8899ce7b0c5bcd62ae91957021c797
SHA512 c8f242c496d308e2048afcd74489bbd43530502ee3498809c3253bc7f5d6da5cab8300a891c6a86fa8dfa37d41e9ffb0f74590ef55f3035f52efd87bb1858f79

memory/1660-7-0x00007FF76A690000-0x00007FF76A9E4000-memory.dmp

memory/4524-20-0x00007FF760EE0000-0x00007FF761234000-memory.dmp

C:\Windows\System\LLiCfdG.exe

MD5 dba357c746d6ba431431c054d4d67aa3
SHA1 7eccefe4248a59c1cced2c07700f2fe4d5d7b44e
SHA256 ac7cc97ceccf92bfc3308c4e3df96ca741b63f33a228d8e497b8b40d7de6761f
SHA512 f30858b6ed36da54ef6dff84b1e127bc8657bed6cbe05ed0b87a6cfb14d502e898715515e3f16d1bf8bcb14ed2356010c45b39a308043cfc443c4c3734c08cbb

C:\Windows\System\TZCJWiw.exe

MD5 55bcb11d35054c88ffe8687d03000ac0
SHA1 7d65072a3b2e40032ccf1bdc86b611ca65c0ea9c
SHA256 665aab2b9daf77f7fa17470d319a78c7994625ee44808066619074c0f9def981
SHA512 9fb8e01535b22063f395bbf12593c804f9c9a9d5916fc699f1755af8367b2e825bec2ee79ebc7b11ee10e7f5d5fca3b11533c0e511c2bd6b2e76643bd498743b

memory/464-29-0x00007FF74F040000-0x00007FF74F394000-memory.dmp

C:\Windows\System\uktMksu.exe

MD5 c3d1c73bd82842b6f8b6a0beff25d9fb
SHA1 2038da6baa81a33a00732abbbd7a3c4d7e036f2b
SHA256 5398c4a918106ae6402997d04b1e335d6f631d3a49d2686bbc8905fab7b2b958
SHA512 9a0e390ea8375fba67a1b53f30eb01ae03fb7263e21dab6c9736a732b149caf49561ad5bd176d209433ff4327906e0e830438fa2e52a340c9883517ab4e7dee9

C:\Windows\System\yOwFeQX.exe

MD5 7a2fb44900e5550f9026ae7f5559ad76
SHA1 8e972f77fe73391cd8eb1c760f716c1ac0cf70a0
SHA256 c9a96e25e63c93d3a4131e83f1c2eba5067a061302009aaa4b4b31e7a9190b6e
SHA512 68f52b6d6babd93030182fb9dc5d167f71d2022b2890db9ce3230aa1707c9ae3a75414952f41fc49f381fd8267ed7c24d1c96bb838701f82dd734ac5724adf01

memory/3896-48-0x00007FF788AF0000-0x00007FF788E44000-memory.dmp

C:\Windows\System\VzJIbAi.exe

MD5 221eb3ba97534a15321b657e44f0409f
SHA1 647e3c6fbcc59fe9ff0cc89dbeacad512802a48a
SHA256 2d3c0570c6c50968bcabd0e1665b2757485fbef3ee80fb8872957262396d6eee
SHA512 178ba13488b316b3ba9f67a2f59040c91ae2bc52c2465176c75948d61f0e2c5be6ef0cb2e30f586cfef85139fd76e8ad4ecaf7b3d64d5cd5fe6e4d0f5b5dd086

C:\Windows\System\ChIESgi.exe

MD5 3fdac4f9b57b8f85dfc80a6f756cc7c0
SHA1 217d6aa70ce5bd349ef86b0c35f3106a6eb2a061
SHA256 c0b7acbb7b52fdd54af9343167c651e858f37e284a65a8291251166ff9d21af9
SHA512 d1a0ac8cc5b6b7f9d93bca60f0a430198daa08a8ce2353896fdbc5c7ddfb0528a2c8540a845b53e906ea50d3190e5d156f6e1720d4fc85aabb48940aaf026b52

C:\Windows\System\tPuXsFw.exe

MD5 4c4ccfc04e6ea5a043fc46df3255d35b
SHA1 8f2b15dc0ba881dcdc7f216d8da00df5ee702a8e
SHA256 a832c8ff37aedb34fd407faec1f344411a91749d63e9419f71ce20d33da62a48
SHA512 ed798b5870e51feab14082ad61a699a7dadb118895a7703ba5c9fd729f9a4f3805e31a4523eb89cd737215b84679648bbb91262ad37e0594277403f5f77e4e03

C:\Windows\System\mxfYWBr.exe

MD5 8552d4493ec0356276df99b5694747dd
SHA1 129ea6198f076f6213e025392010241f0540244d
SHA256 c2c4a901cb1b38e523d7eea1692a47067c8a87f73c2b450b9a858425b0c78402
SHA512 ba51f81506abe2747b8483ecfb8a140e2c07eea73eb154d2f879f4438acdb8f67d669772bab1a3f30e6b7c6add39430b8503b36bda2ae8616e9b23af94fb69bf

C:\Windows\System\CFQeLdh.exe

MD5 7a7c5839632f94e25d84c8f0bd27631d
SHA1 ddf9edac1181f686904c5551bd87a0fc049c2cea
SHA256 584ad761d5cd6391cb01a81fe01c29c6928a6ab5e09eee574ead7781d17fd604
SHA512 6f4f245f157507877d9df39599a12882da8b1523aa14292ba880c932b1798507ecdcac5d901447d7befabfd0f0523245c73a9f10805813a8ecc2dd04a250e6cb

memory/3480-70-0x00007FF7B6ED0000-0x00007FF7B7224000-memory.dmp

C:\Windows\System\CTiOIiT.exe

MD5 87b3dd1516dba00f2977f84553583d0c
SHA1 a7188940c6e9e4742095522bb754c6af6dd9f429
SHA256 1ed5669a3a1aa0636d3b53fd70cdbc08f2710548786b23b85081ca1f4c08deb2
SHA512 7119ab66f20a6f29656f4e82000098025b9806b56eb94901c3df285d7372f1dfcc28627ebc81b4732abd50c1aef6b0b3d32d0a7be5b0daf762e961222192dbd7

C:\Windows\System\RnHFHMt.exe

MD5 d83d341bbf3c5e277ab600efd29b244c
SHA1 38fa9c3ccbd6d18d83048aef1c645de3805bfea6
SHA256 1004d81b8108529f682a216777210daac2811ffd42efabfa73de381f8893eea9
SHA512 8c9c6a6b9d7f3a3be6225a4d29c2497e1dcaa5b2b68c8e1ee5a6d9f9c731b8e15cdce8cf0e136be2c6d0f46e12aaba030a6ea3e8a660265eec39db2289aba5c3

C:\Windows\System\WnxErXS.exe

MD5 67dc7e9ea6031deabb56f15061e8e8d5
SHA1 cf496b65cd87de7da990ab3942790c9f084da754
SHA256 84ebfa50b2f0b214970bbaad4151266a441075cb6657df9a97c4216cc7caef0b
SHA512 b9ed72bc829c9b44ffa7d66239b41f6f4549c94f6edd33e48f2a4c0824b18ff64f5d168237f87973d2de74cfa4ad875c3bd1671d281357b28f5a228216f79eb1

memory/2084-90-0x00007FF608C80000-0x00007FF608FD4000-memory.dmp

memory/4828-95-0x00007FF6A0660000-0x00007FF6A09B4000-memory.dmp

C:\Windows\System\QQUoClO.exe

MD5 3568c4e5a878a52dca7bb05867efbca1
SHA1 7a9204b70cfd41c4e28c9b0ac9f8da78317a769e
SHA256 fbaee43a0397033ff03ae813f1688a65d2d2234952f33b2d47e6abcb01bb969a
SHA512 026aca1e8af077f3237c0fc7aa1aa4e0eba00067351dcef5402109a60438d5818ecca56132a9aa634c46247a3261b0c302f8baf3331b03f8f18aacc2dbd12f1e

memory/1436-98-0x00007FF64D3B0000-0x00007FF64D704000-memory.dmp

memory/1704-92-0x00007FF799B40000-0x00007FF799E94000-memory.dmp

memory/3060-89-0x00007FF70A110000-0x00007FF70A464000-memory.dmp

C:\Windows\System\OgDTiSL.exe

MD5 462c54b01918502a5ed1b474afe48907
SHA1 967b5da5e3ccbe1129455f9588022f44cd7b3e80
SHA256 eba33156debd0b6fd06925bda27a1fbece5a36d2fb8d2bfa9978c19b74cb3559
SHA512 b9fc3600c7d1e4882714103433e82398d532da70d6266f59a9e989d96026aab20d12c35cfe9620ac5cc65f54d712db0fb88070d64f89c898be5754616f07e30e

memory/1768-82-0x00007FF6A7380000-0x00007FF6A76D4000-memory.dmp

memory/4856-73-0x00007FF6CF210000-0x00007FF6CF564000-memory.dmp

memory/3208-71-0x00007FF693150000-0x00007FF6934A4000-memory.dmp

memory/4420-39-0x00007FF6097C0000-0x00007FF609B14000-memory.dmp

memory/2812-30-0x00007FF703570000-0x00007FF7038C4000-memory.dmp

memory/2328-104-0x00007FF6A5E70000-0x00007FF6A61C4000-memory.dmp

memory/4648-105-0x00007FF7321B0000-0x00007FF732504000-memory.dmp

memory/1596-121-0x00007FF600510000-0x00007FF600864000-memory.dmp

memory/3764-125-0x00007FF673650000-0x00007FF6739A4000-memory.dmp

C:\Windows\System\QFeoVts.exe

MD5 f4318d14c24c63aee7e7d0317755ed5d
SHA1 6674e72e9e506cf5f8311a7176473d811c8bec4c
SHA256 c213dc2ac3ac9e3abefd7cf2126149612b5bf2f090a1ea7ee606c371bdd937df
SHA512 2874d542735e8528849ce968bb6c308407603bcde6e10caeaed6bd6a7eaf5d3030189e32181eb818d4005d0f8fd150b00885330524edc625dd6a0e051ea792c1

C:\Windows\System\djOZiUV.exe

MD5 90a9fcc86a3aa0e9066d39a940202313
SHA1 66e2544f20ace57d9c0449ee39be1e3dff8b3ad7
SHA256 0907b145ccd902177cde951903ba36add005d6d982ff63f33611eac0c8c73253
SHA512 da50a8230c8f242d53cb4146803245806dcad93d1b6c36c5c0dfb574ccb59b3f217664e69dbda5e86586f67c64e8feac32c04e78c70a335ae99e8944b7238ba5

memory/4796-126-0x00007FF7BC1C0000-0x00007FF7BC514000-memory.dmp

memory/3628-124-0x00007FF626860000-0x00007FF626BB4000-memory.dmp

C:\Windows\System\oqETHEn.exe

MD5 bf577045d5b9dc534f0aae6999c3191c
SHA1 a264f1210abb387f0215518234786e3a56a35cf1
SHA256 c4136518f5d809dd11a070e415aa1d46a6d61f6c36797334b720e512ec364475
SHA512 ac4f5c15ad78c8a2ad6600b86572397ba0a7374d2f163200993f7172f0f5a291b050ce0d6ea4accfb0f2b9c0f68c8be458f56055394da46427408168f1eadac0

memory/3800-113-0x00007FF72A590000-0x00007FF72A8E4000-memory.dmp

memory/1660-111-0x00007FF76A690000-0x00007FF76A9E4000-memory.dmp

C:\Windows\System\vENbMVM.exe

MD5 6118f8fe1063767319d994a20d92ebd6
SHA1 ca4ebde8c16319452f2af385ba9b9184c6affcb3
SHA256 32f6133b994eb6c8d89ba7cb1f64793f2ded0d03fd63f1e5b0fc1ffdc965c2ea
SHA512 19598bcab5778056a343c58407b87c012b2b1a8f5e64c0c2aefa7dfd697561ba2fa0c6a20756186c9c7d15e91241f533d0b231fbfc9ae5ad077ccd3a2b8516dd

memory/2812-131-0x00007FF703570000-0x00007FF7038C4000-memory.dmp

memory/3480-132-0x00007FF7B6ED0000-0x00007FF7B7224000-memory.dmp

memory/1768-133-0x00007FF6A7380000-0x00007FF6A76D4000-memory.dmp

memory/2084-134-0x00007FF608C80000-0x00007FF608FD4000-memory.dmp

memory/1436-135-0x00007FF64D3B0000-0x00007FF64D704000-memory.dmp

memory/3764-136-0x00007FF673650000-0x00007FF6739A4000-memory.dmp

memory/4796-137-0x00007FF7BC1C0000-0x00007FF7BC514000-memory.dmp

memory/1660-138-0x00007FF76A690000-0x00007FF76A9E4000-memory.dmp

memory/1596-139-0x00007FF600510000-0x00007FF600864000-memory.dmp

memory/4524-140-0x00007FF760EE0000-0x00007FF761234000-memory.dmp

memory/464-141-0x00007FF74F040000-0x00007FF74F394000-memory.dmp

memory/4420-142-0x00007FF6097C0000-0x00007FF609B14000-memory.dmp

memory/2812-143-0x00007FF703570000-0x00007FF7038C4000-memory.dmp

memory/3896-144-0x00007FF788AF0000-0x00007FF788E44000-memory.dmp

memory/3480-148-0x00007FF7B6ED0000-0x00007FF7B7224000-memory.dmp

memory/1704-147-0x00007FF799B40000-0x00007FF799E94000-memory.dmp

memory/4856-146-0x00007FF6CF210000-0x00007FF6CF564000-memory.dmp

memory/3208-145-0x00007FF693150000-0x00007FF6934A4000-memory.dmp

memory/3060-149-0x00007FF70A110000-0x00007FF70A464000-memory.dmp

memory/4828-150-0x00007FF6A0660000-0x00007FF6A09B4000-memory.dmp

memory/1768-151-0x00007FF6A7380000-0x00007FF6A76D4000-memory.dmp

memory/2084-152-0x00007FF608C80000-0x00007FF608FD4000-memory.dmp

memory/1436-153-0x00007FF64D3B0000-0x00007FF64D704000-memory.dmp

memory/4648-154-0x00007FF7321B0000-0x00007FF732504000-memory.dmp

memory/3800-155-0x00007FF72A590000-0x00007FF72A8E4000-memory.dmp

memory/3628-156-0x00007FF626860000-0x00007FF626BB4000-memory.dmp

memory/3764-158-0x00007FF673650000-0x00007FF6739A4000-memory.dmp

memory/4796-157-0x00007FF7BC1C0000-0x00007FF7BC514000-memory.dmp