Malware Analysis Report

2024-10-23 18:48

Sample ID 240628-acantssdpk
Target 2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat
SHA256 c866fd74a259d82124228e798b2b359742482802064e606ac015187b32bc9546
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c866fd74a259d82124228e798b2b359742482802064e606ac015187b32bc9546

Threat Level: Known bad

The file 2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

XMRig Miner payload

Xmrig family

xmrig

Detects Reflective DLL injection artifacts

Cobaltstrike

Cobaltstrike family

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-28 00:03

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 00:03

Reported

2024-06-28 00:06

Platform

win10v2004-20240226-en

Max time kernel

157s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ydOCuGI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ElsHgtI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XRbSxuN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gbfwXKy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OpgNKXS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aMIuLwN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KRJHAJM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kXbduzy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lwPaLKK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IZQfjVr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mElHPpi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ENSEawX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VZbiPtN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kTCKACZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IUfEnMw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ibwPEaK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EuZdOnh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DdOtKnm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jIhfjMN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QxQxrBg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\akWthba.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4660 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mElHPpi.exe
PID 4660 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mElHPpi.exe
PID 4660 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aMIuLwN.exe
PID 4660 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aMIuLwN.exe
PID 4660 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\akWthba.exe
PID 4660 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\akWthba.exe
PID 4660 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ydOCuGI.exe
PID 4660 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ydOCuGI.exe
PID 4660 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KRJHAJM.exe
PID 4660 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KRJHAJM.exe
PID 4660 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jIhfjMN.exe
PID 4660 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jIhfjMN.exe
PID 4660 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ElsHgtI.exe
PID 4660 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ElsHgtI.exe
PID 4660 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kXbduzy.exe
PID 4660 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kXbduzy.exe
PID 4660 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DdOtKnm.exe
PID 4660 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DdOtKnm.exe
PID 4660 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ENSEawX.exe
PID 4660 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ENSEawX.exe
PID 4660 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VZbiPtN.exe
PID 4660 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VZbiPtN.exe
PID 4660 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XRbSxuN.exe
PID 4660 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XRbSxuN.exe
PID 4660 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kTCKACZ.exe
PID 4660 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kTCKACZ.exe
PID 4660 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gbfwXKy.exe
PID 4660 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gbfwXKy.exe
PID 4660 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IUfEnMw.exe
PID 4660 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IUfEnMw.exe
PID 4660 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OpgNKXS.exe
PID 4660 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OpgNKXS.exe
PID 4660 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QxQxrBg.exe
PID 4660 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QxQxrBg.exe
PID 4660 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibwPEaK.exe
PID 4660 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibwPEaK.exe
PID 4660 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lwPaLKK.exe
PID 4660 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lwPaLKK.exe
PID 4660 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IZQfjVr.exe
PID 4660 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IZQfjVr.exe
PID 4660 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EuZdOnh.exe
PID 4660 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EuZdOnh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\mElHPpi.exe

C:\Windows\System\mElHPpi.exe

C:\Windows\System\aMIuLwN.exe

C:\Windows\System\aMIuLwN.exe

C:\Windows\System\akWthba.exe

C:\Windows\System\akWthba.exe

C:\Windows\System\ydOCuGI.exe

C:\Windows\System\ydOCuGI.exe

C:\Windows\System\KRJHAJM.exe

C:\Windows\System\KRJHAJM.exe

C:\Windows\System\jIhfjMN.exe

C:\Windows\System\jIhfjMN.exe

C:\Windows\System\ElsHgtI.exe

C:\Windows\System\ElsHgtI.exe

C:\Windows\System\kXbduzy.exe

C:\Windows\System\kXbduzy.exe

C:\Windows\System\DdOtKnm.exe

C:\Windows\System\DdOtKnm.exe

C:\Windows\System\ENSEawX.exe

C:\Windows\System\ENSEawX.exe

C:\Windows\System\VZbiPtN.exe

C:\Windows\System\VZbiPtN.exe

C:\Windows\System\XRbSxuN.exe

C:\Windows\System\XRbSxuN.exe

C:\Windows\System\kTCKACZ.exe

C:\Windows\System\kTCKACZ.exe

C:\Windows\System\gbfwXKy.exe

C:\Windows\System\gbfwXKy.exe

C:\Windows\System\IUfEnMw.exe

C:\Windows\System\IUfEnMw.exe

C:\Windows\System\OpgNKXS.exe

C:\Windows\System\OpgNKXS.exe

C:\Windows\System\QxQxrBg.exe

C:\Windows\System\QxQxrBg.exe

C:\Windows\System\ibwPEaK.exe

C:\Windows\System\ibwPEaK.exe

C:\Windows\System\lwPaLKK.exe

C:\Windows\System\lwPaLKK.exe

C:\Windows\System\IZQfjVr.exe

C:\Windows\System\IZQfjVr.exe

C:\Windows\System\EuZdOnh.exe

C:\Windows\System\EuZdOnh.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 120.150.79.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files

memory/4660-0-0x00007FF76B200000-0x00007FF76B554000-memory.dmp

memory/4660-1-0x0000019E59BA0000-0x0000019E59BB0000-memory.dmp

C:\Windows\System\mElHPpi.exe

MD5 24431caeba60865396028200fbd3720a
SHA1 ed68acba72d9f8bc963f7f6b7e58fa1aa1036aa8
SHA256 923c96a3b5dc87b43af4265c73feba9af3579c12ec22a66fc2ce63ca8065084c
SHA512 eee61b5122c3b7da7ca761c03884781b97900b1d838a4e41661e2f5d44e0e5ef7bcdcc5b4ee90e6715c5f1b3e615cc4fcc1d4f3e1d6aa205ebbde8bfb3f1677e

memory/4384-8-0x00007FF6024D0000-0x00007FF602824000-memory.dmp

C:\Windows\System\aMIuLwN.exe

MD5 670d86bffc00e96da48a0aa7bd6f4642
SHA1 2395439546d5aadc32aadebc82ea80f59f9497d3
SHA256 d01f4e05b4c260b39a3b1449adc65de27337069fe071d73c41d05e46bda9161c
SHA512 5cfa538b611ce9e19b5c110b9a697ac9c82f93f5b1997cbd40ef5106cd4ab76333afd2df722265e8d6ba4fc0a0e31888cd03e497312a1c6807edccfc6a554c5c

memory/2320-14-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp

C:\Windows\System\akWthba.exe

MD5 9b4afd2bd671931379d01f20afe7bb06
SHA1 942463ed57e3a31ebae5fcdeac67c57ee8a5d8bb
SHA256 432c74aac08dfd0caea381590e07f55fc131d629f2bbd6806145b95fce558cdc
SHA512 f8f238bb1cb259a16d8003622c3ce0640ca9618a88c31222e361f931cad72bea7e8d799a3a06bc8c79d791cf6a4c6c57a2518a207f311ecbd4e04f26397bfc92

memory/1844-20-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp

C:\Windows\System\ydOCuGI.exe

MD5 8d9645a9e195ed1e82661a86fbccee31
SHA1 b6710ade85d0895e6dabe238d2c381d0fe6aa7bc
SHA256 1b974b8ec64200ad618ce300bfe4870fe86cc78b1842f9794f996aedd7d11085
SHA512 53afe635cbf31b63f8e3ecbfc7373d7eae380942f6f9f166e07a9cf0f95f99a598ff6f7ea9a7ee83f1feb91a084538d052e70495b7b7404a8ec19b1d5d98ff7a

memory/928-26-0x00007FF620570000-0x00007FF6208C4000-memory.dmp

C:\Windows\System\KRJHAJM.exe

MD5 5408772a47d89ed7a3c84a69438887c9
SHA1 54ac9cca64bb400925abc90ed82ebd3118afd7be
SHA256 75ba0a0adc9aa0734eb479cef523d66077ed7d2f22fe25f9d3180efaa5cab715
SHA512 d369ff6f6f330d5e5404979e6dec7ca70e245d1a8e4494eaef37df09763e2cb5ed87cfcd854da4ef5955382dcff0eda69481cd6254a1fd3dfc5323fc4cde1ffc

memory/1568-32-0x00007FF7851D0000-0x00007FF785524000-memory.dmp

C:\Windows\System\jIhfjMN.exe

MD5 3955cd0de42c1efe9b90a042345054ec
SHA1 b0b1e44d95aa651390e87de2b0025d114cf59ba3
SHA256 4a5f862f19b7ea5eb360e1fc405752ed2e3968bfb1b9be599f07a7b9d8412e2c
SHA512 dd6c2bf38b8fc417bdb6f690e9fd4530c76079acbbf75a32331fcbe7e3a2ef7f8dc3c2d8d159df1e1a8ba6ccdaea0880794f8b9d0bf8dd0ec34a1a7bde10c7ba

memory/3808-38-0x00007FF69E030000-0x00007FF69E384000-memory.dmp

C:\Windows\System\ElsHgtI.exe

MD5 308461950a8a0437affd703bc8db14f4
SHA1 86f4e094011b8a5e4a95422671a273250d155794
SHA256 e7dfd015ac5fcc7044297965bbcadcbb2861cde03b2d9240972b45547b0ea670
SHA512 7e794e7236404b4d12ee4692199d43bca32acadb78c7ca87b4490fbee1acf5472de2639989d1a4adfd35695e376bf61a13625c2d7ba7fcbda4bfca7e02f7d23f

memory/2304-43-0x00007FF710230000-0x00007FF710584000-memory.dmp

C:\Windows\System\kXbduzy.exe

MD5 3d2b915d14cbde7bab25beef9e941aa9
SHA1 ab879e6314254f86fa301c4c9d92c43cf55e1f6a
SHA256 ab6e461d864062085f4065b62b84dc3d8dd41c8f09def985cbe59badc7974171
SHA512 8fe18f84fe605b04bccfea202fda1485fc1da017f5f7e48ea2578ed51d6d78039d00c0e8d88cd5f5c4f47d50bc00e299d25d17f610b9a58c75c763c0a450c7d6

memory/2884-50-0x00007FF71B200000-0x00007FF71B554000-memory.dmp

C:\Windows\System\DdOtKnm.exe

MD5 9e19aa8cfcbcdc44d6c379ecaa6cca31
SHA1 0bd6f23b2a90fe3cf79cc0b02f48faaaa6367a14
SHA256 02122060e255938e33f25f7d0e98d6be6209ba7ffbc85ab6874a95eb4d9200b0
SHA512 a38ba9f1a4c7342465717affd168b30add520788f62a72f63959a7ed63524e1b7d7690c9ba5b7801cb09f84683263a70cf5ac5574753cad8f80ba433dac8901a

memory/448-56-0x00007FF702580000-0x00007FF7028D4000-memory.dmp

C:\Windows\System\ENSEawX.exe

MD5 f5143e3027e0939a7cd566b63adc6fa6
SHA1 431444e9256d564a862e7be670340e3cdc2a5585
SHA256 e915527ada344341cf413f1b222c2c3372ff838950abb4898d6fe24d3053855c
SHA512 221223b520fdc25505d3be7640e2909a667f883cb6f0a3463e4436fe78c04397e44ce21edaf9e7fc41ffd4083e4d2ce0ade15245518dbf0c5e5eb89cf04917e3

memory/4660-62-0x00007FF76B200000-0x00007FF76B554000-memory.dmp

memory/4676-63-0x00007FF73F5A0000-0x00007FF73F8F4000-memory.dmp

C:\Windows\System\VZbiPtN.exe

MD5 681297d9e62e2ece64a3006213c84e75
SHA1 01d3d16e879f39de3a4658fc6712af5cd87c22f4
SHA256 75f9d16168e63fea76215d633f073a48025673b6db3e009b0c6e378a67ce2770
SHA512 c2759e9a4f6799af07a814915cca1c735ea80f21b3f345705e7b75c0bdc16abf0c896725053f50c4b80d146e017a6c4b558817df20816747bab969096d270bf3

memory/4384-67-0x00007FF6024D0000-0x00007FF602824000-memory.dmp

memory/3756-70-0x00007FF77E110000-0x00007FF77E464000-memory.dmp

C:\Windows\System\XRbSxuN.exe

MD5 0027c5a1661375a61198060dbe9ec874
SHA1 768fb1aff5f4f11ea975e372446ad2c537dca9af
SHA256 0c204a98a3b8bc343d9b420eb3535390fd468d230730242ae4abf22eb61d611a
SHA512 c975c7161bb235234b2e1adbc42614dc73503a4523080f77afb6121f88d022c7dccf0def9e3b2bda062f2e800c524f14635528b42f502afcff134180affc987d

memory/2320-75-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp

memory/2696-77-0x00007FF706820000-0x00007FF706B74000-memory.dmp

C:\Windows\System\kTCKACZ.exe

MD5 8b20a082bc612a2a5a1776f3776d912f
SHA1 9e07642cc3f5dec7146f666df05e1dcccfe9fff2
SHA256 20a7163c5f552e24772287d9159cdef0a54d57677347187e790a870b3840d6e0
SHA512 ddbd943d7b0eaf390cdd258ec57768658158fe8f7a3afca95b8e6f35762a16937a10de7ef94233074983ac440515cd60537fe4ffedc788f19bdc2ab60f8b005c

memory/1216-84-0x00007FF7D4790000-0x00007FF7D4AE4000-memory.dmp

memory/1844-83-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp

C:\Windows\System\gbfwXKy.exe

MD5 5d74c32d4bbe2c8d9216173228567498
SHA1 cc85b93f1543294cde77d5a847d4368cc7183ec9
SHA256 739bc2cca7cf5bd9b5aa13fcbd92d220fa6a55b5f4854e920bd2893f118fd126
SHA512 4f063c9d5ff633821a2cc2736c3d42b669547f6763b1fd7d9f52cdbdad2f555a546bf1bca587116b85242a45dec0aec80dbc44ce01d07cb1bf4c895cacc5b0b5

memory/1792-89-0x00007FF724050000-0x00007FF7243A4000-memory.dmp

memory/928-88-0x00007FF620570000-0x00007FF6208C4000-memory.dmp

C:\Windows\System\IUfEnMw.exe

MD5 d9c47551abb1da741e331264e37482e3
SHA1 bdcb2273ad4279db53bc5ee460d901fd36b26891
SHA256 3c060e48ba5e312f44101bcfbb40361b7c4185a18ab0c4986314187a69f437c5
SHA512 01244f3d5796d24d412c3b159245baf1d9bda65e9b6d52a63a700f22d5e130d4926e391bc0fa18681fd37cb5d17b3b3937b4325421dfb6f3f09367a36cf81cdd

memory/1568-96-0x00007FF7851D0000-0x00007FF785524000-memory.dmp

memory/224-98-0x00007FF677FC0000-0x00007FF678314000-memory.dmp

C:\Windows\System\OpgNKXS.exe

MD5 bbb07ef29759ac2adb7b100a54b6df75
SHA1 9e1296c03f92deb6b70ff6a63b6a1bf25e0bb99e
SHA256 de533be185e47a10a46d410a480b1fcd9ad9a912bccaded6d28ff1f1de35880d
SHA512 f6f5f8a0499e20652358526040e30939e8f855a5677be546b5f34882b5ca113ced8813fe46d30870b0ceafd1d806778a44e28b95ff3aa7aab163c0fa1ce55bbb

memory/4084-106-0x00007FF602D80000-0x00007FF6030D4000-memory.dmp

C:\Windows\System\QxQxrBg.exe

MD5 d6d0fab8e3366af3fe71f10b45108d69
SHA1 656ff75b349ae9236a227874f699946f3525a9a2
SHA256 072ed5f3daf1330353e4b821b3d27cbc8c8fed66a4c494bb07d331391ce6f6f6
SHA512 8d41fc82137c516d6c0b2d135c088fc6ea224a379df10d8e13876ec4cb1e92369a7fc351ef77d60b08769c1fb922bfec2b084c3c27ad9e67274fb23d586e8357

memory/2304-110-0x00007FF710230000-0x00007FF710584000-memory.dmp

memory/1728-113-0x00007FF680B60000-0x00007FF680EB4000-memory.dmp

C:\Windows\System\lwPaLKK.exe

MD5 ae16963c08318d0535886a3a299f6fc8
SHA1 253bd00f44563d77da40cf717ef8ddc532c99bcf
SHA256 335e1409b03f8d18aa909ee9455a1716ad269d9fc06e907ca57ec3a0c31a5874
SHA512 6dd37f5496da0dd95d4827b82ea8207e7ad6b0219c7bbfb4ede6ac340fa8230f3409617bb987543d855895caa850a93ab0abd58e26ab66370eedccc0726a352e

C:\Windows\System\ibwPEaK.exe

MD5 afec3d42486cab33c1006f08b39c37df
SHA1 5607e20183b6ff673e8fcb537267098949e853da
SHA256 d0d26d69cba64f9c0ca292b13a4ab4ce06e41bffa782d7a4e119038e022a09cb
SHA512 c4c8b707e0bb43b1cab09a264b18c0925c273ec3f29fe958944e0e6f929d1dda743e61376b7d9b1812011c6e54a7d684468a92a5817f3778dd935d0960406da7

memory/2884-120-0x00007FF71B200000-0x00007FF71B554000-memory.dmp

C:\Windows\System\IZQfjVr.exe

MD5 09da4b4a77600120113d13b61a6890ad
SHA1 5e2f07d3bf577f22156026345773e1641525cc2a
SHA256 2a1d019d5502599a5ab7e658e25af27950f1f8a7e48b62ef17849a041433a28e
SHA512 6772217ddf42dde26787ff763ac165256c3d7c20a2689496cf1e531115c56ae26982d327a6425bba735be114eabac0f20953f18a5b8dabc97cd73495672df352

memory/3580-126-0x00007FF7BF0F0000-0x00007FF7BF444000-memory.dmp

memory/3276-128-0x00007FF7174E0000-0x00007FF717834000-memory.dmp

C:\Windows\System\EuZdOnh.exe

MD5 b318be8a8be73f74666abf604a161d94
SHA1 a574ad915c3cda7df439faede5a3459241a1a931
SHA256 0c4dd9cc572c8a479dd0e29081a13a72d3ab5ecd254d49a20acf4bcfd8684798
SHA512 230cc26c325ab5865fc001833ec4060ed2892986a2fddfefe41381ca5ec47400ae45affb3b244ce36f75216c8bac6f6b33a45fa29a0447780ce8d17773aafa4b

memory/2512-123-0x00007FF6C88F0000-0x00007FF6C8C44000-memory.dmp

memory/1520-135-0x00007FF7E9F50000-0x00007FF7EA2A4000-memory.dmp

memory/1792-136-0x00007FF724050000-0x00007FF7243A4000-memory.dmp

memory/2512-137-0x00007FF6C88F0000-0x00007FF6C8C44000-memory.dmp

memory/4384-138-0x00007FF6024D0000-0x00007FF602824000-memory.dmp

memory/3276-139-0x00007FF7174E0000-0x00007FF717834000-memory.dmp

memory/2320-140-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp

memory/1844-141-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp

memory/928-142-0x00007FF620570000-0x00007FF6208C4000-memory.dmp

memory/1568-143-0x00007FF7851D0000-0x00007FF785524000-memory.dmp

memory/3808-144-0x00007FF69E030000-0x00007FF69E384000-memory.dmp

memory/2304-145-0x00007FF710230000-0x00007FF710584000-memory.dmp

memory/2884-146-0x00007FF71B200000-0x00007FF71B554000-memory.dmp

memory/448-147-0x00007FF702580000-0x00007FF7028D4000-memory.dmp

memory/4676-148-0x00007FF73F5A0000-0x00007FF73F8F4000-memory.dmp

memory/3756-149-0x00007FF77E110000-0x00007FF77E464000-memory.dmp

memory/2696-150-0x00007FF706820000-0x00007FF706B74000-memory.dmp

memory/1216-151-0x00007FF7D4790000-0x00007FF7D4AE4000-memory.dmp

memory/1792-152-0x00007FF724050000-0x00007FF7243A4000-memory.dmp

memory/224-153-0x00007FF677FC0000-0x00007FF678314000-memory.dmp

memory/4084-154-0x00007FF602D80000-0x00007FF6030D4000-memory.dmp

memory/1728-155-0x00007FF680B60000-0x00007FF680EB4000-memory.dmp

memory/3580-156-0x00007FF7BF0F0000-0x00007FF7BF444000-memory.dmp

memory/3276-157-0x00007FF7174E0000-0x00007FF717834000-memory.dmp

memory/2512-158-0x00007FF6C88F0000-0x00007FF6C8C44000-memory.dmp

memory/1520-159-0x00007FF7E9F50000-0x00007FF7EA2A4000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 00:03

Reported

2024-06-28 00:06

Platform

win7-20240221-en

Max time kernel

142s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 hits, no per-hit detail recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (58 hits, no per-hit detail recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (59 hits, no per-hit detail recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 loads, all by this process; no indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (58 hits, no per-hit detail recorded)
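The two UPX signatures in this report are name-based: the packer leaves a first section called UPX0 with no file data (the stub decompresses into it), a second section UPX1 holding the stub and the compressed payload, and an entry point that lands in UPX1; the "UPX dump on OEP" signature records that the sandbox captured the in-memory image once execution reached the original entry point, after the stub had unpacked. Because the section names are the only thing the "UPX packed file" match needs, they are also the first thing an operator hex-edits away. The following script is an added example, not part of this report or of the sandbox's detection logic; it parses the PE section table without third-party libraries, reports UPX-style section names, and adds a structural check that survives renaming: an empty first section plus an entry point inside a writable and executable section whose file bytes have compression-level entropy. The PE images it analyses are constructed in memory for the demonstration and are not the analysed binary; the Windows section characteristic values and header offsets are from the PE/COFF specification.

```python
import math
import struct
from collections import namedtuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
Section = namedtuple("Section", "name vsize vaddr rsize rptr chars")


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [Section]) straight from the PE/COFF headers:
    e_lfanew at 0x3C, 'PE\\0\\0', 20-byte COFF header, optional header, 40-byte section entries."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name = pe[off:off + 8].split(b"\0", 1)[0].decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        chars, = struct.unpack_from("<I", pe, off + 36)
        sections.append(Section(name, vsize, vaddr, rsize, rptr, chars))
    return entry_rva, sections


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def upx_indicators(pe: bytes) -> dict:
    """Name check (what the 'UPX packed file' signature keys on) plus a structural check that
    survives renamed sections: an empty first section for the stub to unpack into and an entry
    point in a writable+executable section whose file data has compression-level entropy."""
    entry_rva, sections = parse_sections(pe)
    ep = next((s for s in sections if s.vaddr <= entry_rva < s.vaddr + max(s.vsize, s.rsize)), None)
    ep_data = pe[ep.rptr:ep.rptr + ep.rsize] if ep else b""
    ep_wx = bool(ep) and bool(ep.chars & IMAGE_SCN_MEM_EXECUTE) and bool(ep.chars & IMAGE_SCN_MEM_WRITE)
    result = {
        "sections": [s.name for s in sections],
        "upx_section_names": any(s.name.startswith("UPX") for s in sections),
        "empty_first_section": bool(sections) and sections[0].rsize == 0 and sections[0].vsize > 0,
        "entry_section": ep.name if ep else None,
        "entry_section_wx": ep_wx,
        "entry_section_entropy": round(shannon_entropy(ep_data), 2),
    }
    result["likely_packed"] = result["upx_section_names"] or (
        result["empty_first_section"] and ep_wx and result["entry_section_entropy"] > 7.0)
    return result


def build_pe(spec, entry_rva):
    """Construct a minimal PE32+ file for the demonstration (not a real binary).
    spec: list of (name, virtual_size, virtual_address, raw_bytes, characteristics)."""
    opt_size, align = 240, 0x200
    hdr_size = -(-(0x40 + 4 + 20 + opt_size + 40 * len(spec)) // align) * align
    dos, coff, opt = bytearray(0x40), bytearray(20), bytearray(opt_size)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    struct.pack_into("<HH", coff, 0, 0x8664, len(spec))  # Machine, NumberOfSections
    struct.pack_into("<H", coff, 16, opt_size)           # SizeOfOptionalHeader
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint
    table, body, ptr = bytearray(), bytearray(), hdr_size
    for name, vsize, vaddr, raw, chars in spec:
        rsize = -(-len(raw) // align) * align
        entry = bytearray(40)
        entry[:len(name)] = name.encode()
        struct.pack_into("<IIII", entry, 8, vsize, vaddr, rsize, ptr if rsize else 0)
        struct.pack_into("<I", entry, 36, chars)
        table += entry
        body += raw.ljust(rsize, b"\0")
        ptr += rsize
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(hdr_size, b"\0") + body)


# Constructed samples. Real UPX layout: UPX0 (uninitialised, RWX) receives the unpacked code,
# UPX1 (RWX) holds the stub plus compressed payload and owns the entry point, .rsrc follows.
HIGH_ENTROPY = bytes(range(256)) * 32                         # stand-in for compressed data
PLAIN_CODE = b"\x55\x48\x89\xe5" + b"\x90" * 0x1000 + b"\xc3"  # stand-in for ordinary code
PACKED = build_pe([("UPX0", 0x30000, 0x1000, b"", 0xE0000080),
                   ("UPX1", 0xF000, 0x31000, HIGH_ENTROPY, 0xE0000040),
                   (".rsrc", 0x1000, 0x40000, b"\0" * 16, 0xC0000040)], entry_rva=0x31500)
RENAMED = build_pe([(".text", 0x30000, 0x1000, b"", 0xE0000080),  # same layout, names hex-edited
                    (".data", 0xF000, 0x31000, HIGH_ENTROPY, 0xE0000040),
                    (".rsrc", 0x1000, 0x40000, b"\0" * 16, 0xC0000040)], entry_rva=0x31500)
CLEAN = build_pe([(".text", 0x2000, 0x1000, PLAIN_CODE, 0x60000020),
                  (".data", 0x1000, 0x3000, b"\0" * 64, 0xC0000040)], entry_rva=0x1000)
```

On a real file call upx_indicators(open(path, "rb").read()). PACKED trips the name check, RENAMED has the same layout with the names replaced and trips only the structural check, and CLEAN, whose entry point sits in a read-only executable .text section with low-entropy code, trips neither. The entropy threshold of 7.0 is a tuning value: compressed or encrypted data sits near 8.0, ordinary x86-64 code well below 7.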

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cLzyBsd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dyrzJeN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xJXMDhi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SClfJlR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UQlztaZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xfTtiKB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KMaoRBO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\izLMAzd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MYSnAfA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aOHWWUs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IOoheHg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FMVHQPu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TjtOXUO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BXQFHHt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wsEuehh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wNotxgj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iGuvvdH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zNieVyo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pSrZlUz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bHzQDnN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oCsLcjm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 2320 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pSrZlUz.exe
PID 1924 wrote to memory of 2484 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TjtOXUO.exe
PID 1924 wrote to memory of 2056 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KMaoRBO.exe
PID 1924 wrote to memory of 2612 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\izLMAzd.exe
PID 1924 wrote to memory of 2700 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MYSnAfA.exe
PID 1924 wrote to memory of 2816 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cLzyBsd.exe
PID 1924 wrote to memory of 2556 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bHzQDnN.exe
PID 1924 wrote to memory of 2408 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BXQFHHt.exe
PID 1924 wrote to memory of 2904 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wsEuehh.exe
PID 1924 wrote to memory of 2908 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dyrzJeN.exe
PID 1924 wrote to memory of 760 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aOHWWUs.exe
PID 1924 wrote to memory of 2668 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wNotxgj.exe
PID 1924 wrote to memory of 2568 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IOoheHg.exe
PID 1924 wrote to memory of 2720 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oCsLcjm.exe
PID 1924 wrote to memory of 1844 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xJXMDhi.exe
PID 1924 wrote to memory of 2268 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SClfJlR.exe
PID 1924 wrote to memory of 1544 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iGuvvdH.exe
PID 1924 wrote to memory of 1268 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zNieVyo.exe
PID 1924 wrote to memory of 1212 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UQlztaZ.exe
PID 1924 wrote to memory of 1016 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FMVHQPu.exe
PID 1924 wrote to memory of 2040 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xfTtiKB.exe
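Read together, the Drops file in Windows directory and Suspicious use of WriteProcessMemory tables describe one chain: the submitted executable creates 21 executables with randomised seven-letter names under C:\Windows\System, starts each one, and PID 1924 writes into every child exactly three times. Three writes per child is also what an ordinary CreateProcess produces, since the parent copies the new process's parameters into it, so the write count on its own is weak evidence; the fan-out (one process writing into 21 distinct children) and the drop pattern are what carry the verdict. The script below is an added example and not part of this report or the sandbox's own tooling: it parses rows in the report's "File created ..." and "PID ... wrote to memory of ..." format, rebuilds the parent-to-child graph, and applies the two hunting checks a responder would want, a randomised-name test for executables under C:\Windows\System and a fan-out threshold. The rows embedded inline are constructed copies of five of the report's 21 chains plus two constructed benign controls; the PIDs and file names are those in the tables above.

```python
import re
from collections import defaultdict

# Row formats as printed in the report's signature tables (columns: Description, Indicator,
# Process, Target). The report's paths contain no spaces, so splitting on whitespace is safe
# here; real EDR logs need a stricter field format.
FILE_CREATED = re.compile(r"^File created (?P<path>\S+) (?P<process>\S+) (?P<target>\S+)$")
WROTE_MEMORY = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<indicator>\S+) (?P<process>\S+) (?P<target>\S+)$")

WINDOWS_SYSTEM = "C:\\Windows\\System\\"  # trailing separator so System32\ does not match


def parse_rows(rows):
    """Split report rows into dropped files, a src->dst write-count graph and a PID->image map."""
    created = []
    writes = defaultdict(lambda: defaultdict(int))
    pid_image = {}
    for row in rows:
        if m := FILE_CREATED.match(row):
            created.append((m["path"], m["process"]))
        elif m := WROTE_MEMORY.match(row):
            src, dst = int(m["src"]), int(m["dst"])
            writes[src][dst] += 1
            pid_image[src], pid_image[dst] = m["process"], m["target"]
        else:
            raise ValueError(f"unrecognised row: {row!r}")
    return created, writes, pid_image


def looks_randomised(path):
    """Seven-letter alphabetic stem with mixed case and an upper-case letter after the first
    position, e.g. cLzyBsd.exe; svchost.exe and Setup.exe do not match."""
    stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
    if ext.lower() != "exe" or len(stem) != 7 or not stem.isalpha():
        return False
    return any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)


def suspicious_drops(created, directory=WINDOWS_SYSTEM):
    """Executables created under the Windows directory with randomised names."""
    return sorted(p for p, _ in created
                  if p.lower().startswith(directory.lower()) and looks_randomised(p))


def fan_out(writes, threshold=5):
    """Parents that wrote into at least `threshold` distinct child processes."""
    return {src: dict(dsts) for src, dsts in writes.items() if len(dsts) >= threshold}


def triage(rows, threshold=5):
    created, writes, pid_image = parse_rows(rows)
    drops = suspicious_drops(created)
    dropped = {d.lower() for d in drops}
    parents = fan_out(writes, threshold)
    # Children the same parent both dropped and wrote into: the execute-dropped-EXE chain.
    chain = {src: sorted(pid_image[d] for d in dsts if pid_image[d].lower() in dropped)
             for src, dsts in parents.items()}
    return {"dropped_randomised": drops, "writes": {s: dict(d) for s, d in writes.items()},
            "fan_out_parents": parents, "dropped_and_written": chain}


PARENT = r"C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe"
CHILDREN = {2320: "pSrZlUz.exe", 2484: "TjtOXUO.exe", 2056: "KMaoRBO.exe",
            2612: "izLMAzd.exe", 2700: "MYSnAfA.exe"}  # five of the report's 21 children


def sample_rows():
    """Constructed rows in the report's format: five of the 21 drop/write chains from the tables
    above, plus two constructed benign controls (a non-random name dropped into the same
    directory, and explorer.exe starting a single notepad.exe with the same three writes)."""
    rows = []
    for pid, name in CHILDREN.items():
        child = WINDOWS_SYSTEM + name
        rows.append(f"File created {child} {PARENT} N/A")
        rows += [f"PID 1924 wrote to memory of {pid} N/A {PARENT} {child}"] * 3
    rows.append(f"File created {WINDOWS_SYSTEM}Setup.exe {PARENT} N/A")
    rows += ["PID 4012 wrote to memory of 4020 N/A C:\\Windows\\explorer.exe "
             "C:\\Windows\\System32\\notepad.exe"] * 3
    return rows


if __name__ == "__main__":
    for key, value in triage(sample_rows()).items():
        print(f"{key}: {value}")
```

Feeding all 63 WriteProcessMemory rows and 21 File created rows from the tables above gives a single fan-out parent, 1924, with 21 children that are all randomised drops. The threshold of five is a tuning value; the constructed explorer.exe control shows that a normal parent with one child and the same three writes stays below it.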

Processes

PID Process Command line
1924 C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe"
2320 C:\Windows\System\pSrZlUz.exe C:\Windows\System\pSrZlUz.exe
2484 C:\Windows\System\TjtOXUO.exe C:\Windows\System\TjtOXUO.exe
2056 C:\Windows\System\KMaoRBO.exe C:\Windows\System\KMaoRBO.exe
2612 C:\Windows\System\izLMAzd.exe C:\Windows\System\izLMAzd.exe
2700 C:\Windows\System\MYSnAfA.exe C:\Windows\System\MYSnAfA.exe
2816 C:\Windows\System\cLzyBsd.exe C:\Windows\System\cLzyBsd.exe
2556 C:\Windows\System\bHzQDnN.exe C:\Windows\System\bHzQDnN.exe
2408 C:\Windows\System\BXQFHHt.exe C:\Windows\System\BXQFHHt.exe
2904 C:\Windows\System\wsEuehh.exe C:\Windows\System\wsEuehh.exe
2908 C:\Windows\System\dyrzJeN.exe C:\Windows\System\dyrzJeN.exe
760 C:\Windows\System\aOHWWUs.exe C:\Windows\System\aOHWWUs.exe
2668 C:\Windows\System\wNotxgj.exe C:\Windows\System\wNotxgj.exe
2568 C:\Windows\System\IOoheHg.exe C:\Windows\System\IOoheHg.exe
2720 C:\Windows\System\oCsLcjm.exe C:\Windows\System\oCsLcjm.exe
1844 C:\Windows\System\xJXMDhi.exe C:\Windows\System\xJXMDhi.exe
2268 C:\Windows\System\SClfJlR.exe C:\Windows\System\SClfJlR.exe
1544 C:\Windows\System\iGuvvdH.exe C:\Windows\System\iGuvvdH.exe
1268 C:\Windows\System\zNieVyo.exe C:\Windows\System\zNieVyo.exe
1212 C:\Windows\System\UQlztaZ.exe C:\Windows\System\UQlztaZ.exe
1016 C:\Windows\System\FMVHQPu.exe C:\Windows\System\FMVHQPu.exe
2040 C:\Windows\System\xfTtiKB.exe C:\Windows\System\xfTtiKB.exe

PIDs are taken from the Suspicious use of WriteProcessMemory events: 1924 is the writing process, and each dropped executable is the Target of the writes to the PID listed beside it. The children were started with their bare path as command line; only the submitted sample was launched with a quoted path.

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 connections)

Files

memory/1924-1-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/1924-0-0x00000000003F0000-0x0000000000400000-memory.dmp

\Windows\system\pSrZlUz.exe

MD5 e61b44209f6e62d2154753741d348cba
SHA1 78e621dc2bc859a991a3f18065129b5f2c58e325
SHA256 7425e4a18c2ed221fa9bee737619a96df1849f7f3541446d4e7d7aff3cd3c906
SHA512 eb8fa29b0bca450b66c56fe7a0b5602ba1592ef56f8620d78e54400f7539db5f855eb652ac207af25b79c6f836485c8e0935d37cadbdc73243a5f65ea6a4ce14

C:\Windows\system\TjtOXUO.exe

MD5 9584f88a916fb23c3cea499cdabe69b8
SHA1 0b4f777ea817a1e25586f609efc82f38085c5751
SHA256 83826d289145a66fce64cd1b143615d3e207e75ddc1756cefb684abab50318e1
SHA512 35c15603cf255a4b0e162429d636af846b4f1abdb207c054511aa0fef1523760208aa2bf4e441641e83b8a16f477f77f5a04a54c04b974a68f0e8c0be8710453

C:\Windows\system\KMaoRBO.exe

MD5 275abd2a2ba9a08ca4fb06e59702bad6
SHA1 026dc6fbfa5fa7de184137cc86a9386127f96881
SHA256 3a941edbae3289a08530df777e54e38beb2747cc486cd7f073ce560d187bac2f
SHA512 676b10140ec1510d3dce3bf93c96453137072a9f92d16134d5451a665ff588023654438a541b445daed5c49fbf685a66cfe44d3a2b6f7002eb8c83a52b50c4c0

memory/2484-18-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/1924-17-0x000000013FAB0000-0x000000013FE04000-memory.dmp

\Windows\system\izLMAzd.exe

MD5 96c205fb9080365f9dc670fbad2a0d35
SHA1 892021b9679716b32a365fb0735e31bb697ebe99
SHA256 e3666fcc913c1870feb241511c19f259585c157d0666d5fbfdf64987d6017728
SHA512 8eb97f54fcee91a3eff82ca519e67a58a9dd0e32d8dab09a912bfd52bcd4b61a99796e16f2c7b69824caf05b1927825fc3751d7ab339619f0d60f1ddb1bf7248

memory/2056-21-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/1924-25-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2612-27-0x000000013F530000-0x000000013F884000-memory.dmp

memory/1924-14-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/2320-13-0x000000013FF70000-0x00000001402C4000-memory.dmp

C:\Windows\system\MYSnAfA.exe

MD5 b4c0b74d744aee45ecf6714acef7cf3e
SHA1 37bf5130b8ff62078c484db54eb0c8dc278e5976
SHA256 02903a6213e4a86b06f235e0aa6f2c64cbc24888394d6655d23b5dff51ea962a
SHA512 a0854f0de8266315c0f4c2072018b36732e54d66cd3e342d0e0dc6a8c56b3a3aea17cf2a8c2bab3a3f562c54fe0a12f3d0413f38f6eb165dd41eacd0a31d111f

memory/2700-35-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/1924-37-0x0000000002300000-0x0000000002654000-memory.dmp

\Windows\system\cLzyBsd.exe

MD5 1bd343ba1307aa72e70a3afbe7b0f953
SHA1 f61cb2f76d66e0d631a763ed74563a7ce481c2e8
SHA256 b563137aeb9b9f9e3602dfbbca69c2e0d932d3eed70edd1680b7490cfb131acb
SHA512 95736db208d4bf97d3ed6756347fd1b3fcfe92387562d36f87fe61c6eb07454d168aeed7bb00149f69d0c6b9b619e61ee45b63170805700d118e662857e6208b

memory/1924-34-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/2816-42-0x000000013FD70000-0x00000001400C4000-memory.dmp

\Windows\system\bHzQDnN.exe

MD5 a156368ce4b825ece70516e64bdc2640
SHA1 9a2fcd83c007862f45e4f538e4b26effc8b474fe
SHA256 e7cbd62eb51c26a6beb94e764f20755570235edf6e223e1dc78fee714e92a2fc
SHA512 4105d4781343cd23ce4593707c7722b2ba62f5fe2dc1433096b9d82c6fd3743fdfec1508dd9c58777fbcb2e971e8d97ebea805c2387e5012976c803efc836a16

memory/2556-50-0x000000013F130000-0x000000013F484000-memory.dmp

memory/1924-49-0x000000013F130000-0x000000013F484000-memory.dmp

\Windows\system\BXQFHHt.exe

MD5 619ef588264cbc611358474177ce71bb
SHA1 65a704c38a23715fa6df967387bc2992a1027d77
SHA256 2abad0d6eb83c26d26290763e7d41d172dfa8919a29622c0485cca2930a9b656
SHA512 246f92d941d5b6b28712a869943d1147656d123a57bf7657dc565b100fe69fa2196c377a7e96731d0021d6f248660e405e4c2a55f15a2c8622ba497ca0926d25

memory/1924-65-0x0000000002300000-0x0000000002654000-memory.dmp

C:\Windows\system\wNotxgj.exe

MD5 6e5a23f03cea7513a99d3687dd2d85b5
SHA1 660b85df5cb563adba2955522ccaca574affe7ab
SHA256 1e383d18689a177d0d726253af317fa1d160e59d08c8e0f8f9b16b24d35dbbd3
SHA512 c2b893201e35ef587e7cd3ce93598b76158122677347ed67442c546fc455cc2b90ba1f430a929ed5374c486aee4a23a325a7b94c5db40970f1a8eed3c79a69d5

memory/1924-79-0x0000000002300000-0x0000000002654000-memory.dmp

\Windows\system\oCsLcjm.exe

MD5 3c78ad00044a8d7e0786878bb240616d
SHA1 306b63c18896d5165cde111473578bdd5d8236fa
SHA256 b2562d1e7ce5f973115e09df5d0f249d3028a420a0a1ef1bf7e3e7a1b21a08a2
SHA512 096aab5feaec1bf77e2ff4832eae917bc71e9bc6aca7a55cd15f4d27d967cc3a85b10d1cb305cd30aacc993d7724bc3b77b6d1136a8b215e28f7f6f2ebc6e01c

memory/1924-90-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2720-93-0x000000013F1D0000-0x000000013F524000-memory.dmp

C:\Windows\system\dyrzJeN.exe

MD5 f3fda021e270d30a4a2f80870dab009e
SHA1 93060ccb503bb04895b8dc883189314b5358c452
SHA256 8913961bc82a9902579bed14652250d96c82641509723b7a21a145f05229f814
SHA512 21291453efd4a27a4f3a1b0fffa91dd3e4461c686011cf4b53c20acc776b6c736a5a25182fa1d94aa12f891c119e23fbc3e763957db52275b174e0eea2239b29

C:\Windows\system\wsEuehh.exe

MD5 3797b3c55f66656bcabac038d779c1d3
SHA1 823206bc57bdb915e60d0166a0d239a0739837ea
SHA256 7b895c55cc09a18d9a911d827b89f1a14bbf2aaf0a70f875fd1b036aefedb6dd
SHA512 3c5c9717d383d91333dfcdbe46a9f87650125dcf33efb9756d105a6fb6f846a1a927d645fd02ed703f82c65e004194848eb1c50b57f8bec5f1ef5d076dd90daf

memory/2816-99-0x000000013FD70000-0x00000001400C4000-memory.dmp

C:\Windows\system\IOoheHg.exe

MD5 5cdc9d661741cb91da511921afccb4de
SHA1 ad293ef6f10bc9d166696bff46b05ffdf4a89b17
SHA256 26d9802b460a5d8bc6154aeca0abe69b40c95fd90b41e70a629a368eb0205805
SHA512 c2b14543eb897ac6dd994457fcb18f7d2b1b3986e3c7c0acb86e9ce040bb955a28e9e8d3ac51426bbfbc63a4371cde170cd5f9284b64a407f9c20fe06063fcf1

C:\Windows\system\SClfJlR.exe

MD5 0fa420bb399b170b0f6a7a3e48eb694b
SHA1 79044c9768bd38828cb9be870ad0734c483d2469
SHA256 d7662852b525e887594e51eab7dc8ac8c801781bec3f90024c36502e14ff1e85
SHA512 609e8fabaf92729667a613db004ca146fabe3dd9fa7e61b1afbf0e52c888a21d4ecda35b7ed4735ae48e17ad1f0a9bea920702ff4fab512ec243e92f047c4b29

C:\Windows\system\FMVHQPu.exe

MD5 d774656d0ec882caa834a17519594b52
SHA1 15fb3916ade5d4eeea0f5085b48800e59fa83606
SHA256 68b8eb2f537feadbdb44719d575bcef68b6d57fbc1021b3035973be19da9706e
SHA512 97e354f184cf2f77fd3471163a94f50534478d508e6a83e868285b4bb5029bfcfc8edeee67a77ec03b24801926551a96c1589033b927b6b44414b6e7d26b0608

\Windows\system\xfTtiKB.exe

MD5 7921d781d3e3185603de4d87a84c5198
SHA1 98465fbc90760d0e5966bde7f9cf75312d59ab41
SHA256 e7ded7ccdcb8eb4b1f7ee9c45ea2e14a9ea87f2515ea6b709af253275301eee6
SHA512 676f7508659eb27e7b306f76b59d853c1b86cf3a4a5302a2f0be593033cb12d32ce42812b18bbfd6b886ab4e5affa03b36f5393d3cd851a0d0d382e45e587409

C:\Windows\system\UQlztaZ.exe

MD5 af9cbb5552be0214215a33986a7b8337
SHA1 77eb0ae760be86ae493953bbacc7a27c4587b26e
SHA256 4e36595c44ac0c1cf47db926ad80319b169bc3a9d2c1da588853e2719195b85e
SHA512 0f75051f28e6678208d4d90b58935e5da742e84751df3daf6bd50953811c3e6a291e7530668250ba60c5cfa473414c33a51003d045bb2a33b0c3fc0c2f050836

C:\Windows\system\zNieVyo.exe

MD5 94dfba64e63ce76b89932cafa992d609
SHA1 dc12b246c5ebe0e5acff6fec2519bdb2756a961c
SHA256 a66f38c44d591c2a13975aaae345a7c79b4f098c9a2e330c134ba15f6304369c
SHA512 1f6f927eabad324af9c7faa49a77209c9bd58313c4f173ebfb59d1d878d5dd04b64f86c31757b00b59741c8f38b43ed45ee56bd24c50909158175c508ad30aea

C:\Windows\system\iGuvvdH.exe

MD5 5c30cf73ee59a5d14196cb5b48c4db24
SHA1 60d16a5537294566d3879c2896cf30cd2ba5d4fa
SHA256 9cbe8a9e82fd26aaaaf134159b584756d018fc658d2790bc9f011ff76f4cd4df
SHA512 0a08d876bf0d780cdf6cacdea4505a5181c3ce9c2e526ce14f9550f59af9e556e556c715a004bb10611081d8be84805fc8e008da19eb80c0b8d8184cd98cc69c

memory/2568-108-0x000000013FEA0000-0x00000001401F4000-memory.dmp

C:\Windows\system\xJXMDhi.exe

MD5 61e61418952bdc252c7ac41760cf06bc
SHA1 5286b0d19e90eb831eab91105307591a888f216b
SHA256 991962c51d697fbdb66d7082f934d99fee49fce86bd82f3e7a3d7dd8748831e3
SHA512 dd92e06c467c46f3dfbe95b4d066ddb9fad9020831958a4a66623517d1d16773c4822aaf6b3f6614f2e6ba7d1ec2588bc253bc90ccd1ff927656d7798d5e0b20

memory/2056-84-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/1924-70-0x000000013F230000-0x000000013F584000-memory.dmp

\Windows\system\aOHWWUs.exe

MD5 bf201f930e1a18625ca8816930391fc9
SHA1 8d5cfd9d932a20687d1cb7f8a61c6e477c3426a3
SHA256 c3aefc8ad7925624af6be6f95fb03b6a121f268bd7ca6e7fe959ff6ccf0edc10
SHA512 8e1d92210294349bb762c6744b7c9d8e76c323b922121effe4f4ecd7df990cecc0ab5593b292b34de209f5b6b1f21c231cb9f6589f6ede6d2a7c167dc65d9616

memory/760-100-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2904-97-0x000000013F230000-0x000000013F584000-memory.dmp

memory/1924-139-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2700-92-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/2612-91-0x000000013F530000-0x000000013F884000-memory.dmp

memory/1924-86-0x0000000002300000-0x0000000002654000-memory.dmp

memory/2668-80-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/1924-78-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2908-76-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/2408-63-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2320-57-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/1924-56-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/1924-140-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/1924-141-0x0000000002300000-0x0000000002654000-memory.dmp

memory/1924-142-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2720-143-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/760-144-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2320-145-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2484-146-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2056-147-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/2612-148-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2700-149-0x000000013F8D0000-0x000000013FC24000-memory.dmp

memory/2556-150-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2816-151-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2408-152-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2908-153-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/2668-154-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2720-155-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2904-156-0x000000013F230000-0x000000013F584000-memory.dmp

memory/760-157-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2568-158-0x000000013FEA0000-0x00000001401F4000-memory.dmp
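The dump names under Files encode the region they were taken from: memory/<PID>-<index>-<start>-<end>-memory.dmp. Subtracting start from end shows that the parent's image mapping (1924-1, 0x13FFC0000 to 0x140314000), the region the parent holds at 0x2300000, and the mapping of every child for which a dump is listed (14 of the 21) are all exactly 0x354000 bytes; the behavioral2 dumps at the top of this section have the same size. Several of the parent's other dumps also sit at the same base and size as a child's mapping (1924-17 and 2484-18 at 0x13FAB0000, 1924-14 and 2056-21 at 0x13F260000, 1924-25 and 2612-27 at 0x13F530000, 1924-34 and 2700-35 at 0x13F8D0000). One region size recurring across 15 processes, and the same base appearing in two address spaces, are the quickest signs in a report like this that a single image is present in every process; confirming it means diffing two of the dumps. The following script is an added example, not part of the report: it parses the dump names, groups processes by region size and finds regions that coincide across PIDs. The names embedded are a subset copied from the list above.

```python
import re
from collections import defaultdict

# memory/<PID>-<dump index>-0x<start>-0x<end>-memory.dmp, as listed under Files
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Return (pid, index, start, size) for one dump file name."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return int(m["pid"]), int(m["idx"]), start, end - start


def regions_by_size(names):
    """size -> {pid: sorted region starts} across all dumps."""
    by_size = defaultdict(lambda: defaultdict(set))
    for name in names:
        pid, _, start, size = parse_dump(name)
        by_size[size][pid].add(start)
    return {size: {pid: sorted(starts) for pid, starts in pids.items()}
            for size, pids in by_size.items()}


def shared_image_sizes(names, min_processes=3):
    """Region sizes that recur in at least `min_processes` distinct PIDs: candidates for one
    image present in every process."""
    return {size: sorted(pids) for size, pids in regions_by_size(names).items()
            if len(pids) >= min_processes}


def coincident_regions(names):
    """(start, size) pairs dumped from more than one PID: the same mapping at the same base in
    two address spaces, which is the first pair of dumps to diff."""
    seen = defaultdict(set)
    for name in names:
        pid, _, start, size = parse_dump(name)
        seen[(start, size)].add(pid)
    return {region: sorted(pids) for region, pids in seen.items() if len(pids) > 1}


# Copied from the Files list above (a subset of the behavioral1 dumps).
SAMPLE_DUMPS = [
    "memory/1924-1-0x000000013FFC0000-0x0000000140314000-memory.dmp",
    "memory/1924-0-0x00000000003F0000-0x0000000000400000-memory.dmp",
    "memory/2484-18-0x000000013FAB0000-0x000000013FE04000-memory.dmp",
    "memory/1924-17-0x000000013FAB0000-0x000000013FE04000-memory.dmp",
    "memory/2056-21-0x000000013F260000-0x000000013F5B4000-memory.dmp",
    "memory/1924-14-0x000000013F260000-0x000000013F5B4000-memory.dmp",
    "memory/2320-13-0x000000013FF70000-0x00000001402C4000-memory.dmp",
    "memory/2612-27-0x000000013F530000-0x000000013F884000-memory.dmp",
    "memory/1924-25-0x000000013F530000-0x000000013F884000-memory.dmp",
    "memory/2700-35-0x000000013F8D0000-0x000000013FC24000-memory.dmp",
    "memory/1924-37-0x0000000002300000-0x0000000002654000-memory.dmp",
    "memory/2816-42-0x000000013FD70000-0x00000001400C4000-memory.dmp",
    "memory/1924-34-0x000000013F8D0000-0x000000013FC24000-memory.dmp",
]

if __name__ == "__main__":
    for size, pids in shared_image_sizes(SAMPLE_DUMPS).items():
        print(f"size 0x{size:X} in {len(pids)} processes: {pids}")
    for (start, size), pids in sorted(coincident_regions(SAMPLE_DUMPS).items()):
        print(f"0x{start:X} (+0x{size:X}) present in PIDs {pids}")
```

On the subset above the only shared size is 0x354000, present in 1924 and six children, and four regions coincide between the parent and a child; the parent's 0x3F0000 region of 0x10000 bytes stands alone. Running it over the full list reproduces the pattern described in the lead-in.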