Malware Analysis Report

2024-10-23 18:49

Sample ID 240628-aemfeazena
Target 2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat
SHA256 cb58fa51dcdd9a6b1bbe1d77aff502f1286b301ea0696e89bc0fd47c83383ffb
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cb58fa51dcdd9a6b1bbe1d77aff502f1286b301ea0696e89bc0fd47c83383ffb

Threat Level: Known bad

The file 2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

XMRig Miner payload

Cobaltstrike family

Xmrig family

xmrig

Cobaltstrike

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-28 00:07

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 00:07

Reported

2024-06-28 00:10

Platform

win7-20240221-en

Max time kernel

134s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ndGNHry.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xnGBQkb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kIGnYNy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vPTDxqD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MOZgeMm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KdcyjiW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BEwtrHQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\negbOLm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fmSfEGG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fHEOxOT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xaQaMnJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xYpnuop.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mgoMKQV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uncVOzC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lBrEbni.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pSVIhoE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XqmQwPV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FsSYzmb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uPmmWDA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BcePnrb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QNKQnzr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MOZgeMm.exe
PID 1724 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KdcyjiW.exe
PID 1724 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xaQaMnJ.exe
PID 1724 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xYpnuop.exe
PID 1724 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XqmQwPV.exe
PID 1724 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ndGNHry.exe
PID 1724 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FsSYzmb.exe
PID 1724 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BEwtrHQ.exe
PID 1724 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uPmmWDA.exe
PID 1724 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mgoMKQV.exe
PID 1724 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uncVOzC.exe
PID 1724 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BcePnrb.exe
PID 1724 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\negbOLm.exe
PID 1724 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xnGBQkb.exe
PID 1724 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kIGnYNy.exe
PID 1724 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fmSfEGG.exe
PID 1724 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lBrEbni.exe
PID 1724 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pSVIhoE.exe
PID 1724 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QNKQnzr.exe
PID 1724 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vPTDxqD.exe
PID 1724 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fHEOxOT.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\MOZgeMm.exe C:\Windows\System\MOZgeMm.exe
C:\Windows\System\KdcyjiW.exe C:\Windows\System\KdcyjiW.exe
C:\Windows\System\xaQaMnJ.exe C:\Windows\System\xaQaMnJ.exe
C:\Windows\System\xYpnuop.exe C:\Windows\System\xYpnuop.exe
C:\Windows\System\XqmQwPV.exe C:\Windows\System\XqmQwPV.exe
C:\Windows\System\ndGNHry.exe C:\Windows\System\ndGNHry.exe
C:\Windows\System\FsSYzmb.exe C:\Windows\System\FsSYzmb.exe
C:\Windows\System\BEwtrHQ.exe C:\Windows\System\BEwtrHQ.exe
C:\Windows\System\uPmmWDA.exe C:\Windows\System\uPmmWDA.exe
C:\Windows\System\mgoMKQV.exe C:\Windows\System\mgoMKQV.exe
C:\Windows\System\uncVOzC.exe C:\Windows\System\uncVOzC.exe
C:\Windows\System\BcePnrb.exe C:\Windows\System\BcePnrb.exe
C:\Windows\System\negbOLm.exe C:\Windows\System\negbOLm.exe
C:\Windows\System\xnGBQkb.exe C:\Windows\System\xnGBQkb.exe
C:\Windows\System\kIGnYNy.exe C:\Windows\System\kIGnYNy.exe
C:\Windows\System\fmSfEGG.exe C:\Windows\System\fmSfEGG.exe
C:\Windows\System\lBrEbni.exe C:\Windows\System\lBrEbni.exe
C:\Windows\System\pSVIhoE.exe C:\Windows\System\pSVIhoE.exe
C:\Windows\System\QNKQnzr.exe C:\Windows\System\QNKQnzr.exe
C:\Windows\System\vPTDxqD.exe C:\Windows\System\vPTDxqD.exe
C:\Windows\System\fHEOxOT.exe C:\Windows\System\fHEOxOT.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

SHA1 f6cf7286b606771ef439028f1b8b8ebec53e373b
SHA256 08e58f33d0aa6dee7e7a69df0d0c39dfc3efbc96ca73aabc91696e8aa38411cf
SHA512 c87f5d7ab9e1448568fcab5a9933bb046ec5084ee8af254a155141d7a50ba059d318fcdd00e7a42903cc955a0ec20ff1b5348a721839a8bec90f0e15e56adf3b

memory/2696-36-0x000000013F1D0000-0x000000013F524000-memory.dmp

C:\Windows\system\XqmQwPV.exe

MD5 7d6e0c6ecd521ce5b560b9920a372af2
SHA1 0b5421b52474c2315b4658ac75b71190f101cdff
SHA256 7d9fc5883ed85a3219987920bdcd90f7f960654a273504c38c459b3a6339bf42
SHA512 8777813ccc6e5ede18a580c7396917bca009bed371db3ad3a63f281f8ea839d6d481dac3f0cadbe1751fa5c58a3ff1f003d7cff858e4b7ce297e2f69019d9906

memory/2708-28-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/1760-13-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2708-137-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2696-138-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2624-139-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/1724-140-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/1760-141-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2916-142-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/1984-143-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2696-145-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2708-144-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2608-147-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/2624-146-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2492-149-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/2716-148-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2316-150-0x000000013F9F0000-0x000000013FD44000-memory.dmp

memory/2544-152-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2656-151-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2840-153-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2880-154-0x000000013FCD0000-0x0000000140024000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 00:07

Reported

2024-06-28 00:10

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\xnGBQkb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fHEOxOT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KdcyjiW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XqmQwPV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FsSYzmb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pSVIhoE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xaQaMnJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mgoMKQV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kIGnYNy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fmSfEGG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lBrEbni.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vPTDxqD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MOZgeMm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uPmmWDA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uncVOzC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BcePnrb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\negbOLm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QNKQnzr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xYpnuop.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ndGNHry.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BEwtrHQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4892 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MOZgeMm.exe
PID 4892 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MOZgeMm.exe
PID 4892 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KdcyjiW.exe
PID 4892 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KdcyjiW.exe
PID 4892 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xaQaMnJ.exe
PID 4892 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xaQaMnJ.exe
PID 4892 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xYpnuop.exe
PID 4892 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xYpnuop.exe
PID 4892 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XqmQwPV.exe
PID 4892 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XqmQwPV.exe
PID 4892 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ndGNHry.exe
PID 4892 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ndGNHry.exe
PID 4892 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FsSYzmb.exe
PID 4892 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FsSYzmb.exe
PID 4892 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BEwtrHQ.exe
PID 4892 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BEwtrHQ.exe
PID 4892 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uPmmWDA.exe
PID 4892 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uPmmWDA.exe
PID 4892 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mgoMKQV.exe
PID 4892 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mgoMKQV.exe
PID 4892 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uncVOzC.exe
PID 4892 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uncVOzC.exe
PID 4892 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BcePnrb.exe
PID 4892 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BcePnrb.exe
PID 4892 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\negbOLm.exe
PID 4892 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\negbOLm.exe
PID 4892 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xnGBQkb.exe
PID 4892 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xnGBQkb.exe
PID 4892 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kIGnYNy.exe
PID 4892 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kIGnYNy.exe
PID 4892 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fmSfEGG.exe
PID 4892 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fmSfEGG.exe
PID 4892 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lBrEbni.exe
PID 4892 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lBrEbni.exe
PID 4892 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pSVIhoE.exe
PID 4892 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pSVIhoE.exe
PID 4892 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QNKQnzr.exe
PID 4892 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QNKQnzr.exe
PID 4892 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vPTDxqD.exe
PID 4892 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vPTDxqD.exe
PID 4892 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fHEOxOT.exe
PID 4892 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fHEOxOT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\MOZgeMm.exe

C:\Windows\System\KdcyjiW.exe

C:\Windows\System\xaQaMnJ.exe

C:\Windows\System\xYpnuop.exe

C:\Windows\System\XqmQwPV.exe

C:\Windows\System\ndGNHry.exe

C:\Windows\System\FsSYzmb.exe

C:\Windows\System\BEwtrHQ.exe

C:\Windows\System\uPmmWDA.exe

C:\Windows\System\mgoMKQV.exe

C:\Windows\System\uncVOzC.exe

C:\Windows\System\BcePnrb.exe

C:\Windows\System\negbOLm.exe

C:\Windows\System\xnGBQkb.exe

C:\Windows\System\kIGnYNy.exe

C:\Windows\System\fmSfEGG.exe

C:\Windows\System\lBrEbni.exe

C:\Windows\System\pSVIhoE.exe

C:\Windows\System\QNKQnzr.exe

C:\Windows\System\vPTDxqD.exe

C:\Windows\System\fHEOxOT.exe

Network

Country Destination Domain Proto

Files
