Malware Analysis Report

2024-10-23 18:48

Sample ID 240628-agbfxssfnq
Target 2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat
SHA256 5e950ef4a9d97474734858be635001e4bbf87d895c2c1df1519ba9a0823b33c2
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e950ef4a9d97474734858be635001e4bbf87d895c2c1df1519ba9a0823b33c2

Threat Level: Known bad

The file 2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Xmrig family

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

xmrig

Cobaltstrike family

UPX dump on OEP (original entry point)

XMRig Miner payload

Cobaltstrike

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-28 00:10

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 00:10

Reported

2024-06-28 00:13

Platform

win7-20240508-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (58 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (59 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\CFlOswV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FRXIIDn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QbfasNE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aIWNosM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wvbKalt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WhoTtuV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OHfHQdG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KuZZchi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WqACcaO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ushYuyS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EKgFJHc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ChPgvIM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xrQTSoA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MahYcQZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hQhKKJV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\egzYhee.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ReNPdbO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jgFjCke.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZPGtEfO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wLdxPVQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aOxNwMt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WqACcaO.exe (3 identical rows)
PID 2084 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ushYuyS.exe (3 identical rows)
PID 2084 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WhoTtuV.exe (3 identical rows)
PID 2084 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EKgFJHc.exe (3 identical rows)
PID 2084 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CFlOswV.exe (3 identical rows)
PID 2084 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FRXIIDn.exe (3 identical rows)
PID 2084 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hQhKKJV.exe (3 identical rows)
PID 2084 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\egzYhee.exe (3 identical rows)
PID 2084 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ReNPdbO.exe (3 identical rows)
PID 2084 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QbfasNE.exe (3 identical rows)
PID 2084 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OHfHQdG.exe (3 identical rows)
PID 2084 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChPgvIM.exe (3 identical rows)
PID 2084 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aIWNosM.exe (3 identical rows)
PID 2084 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jgFjCke.exe (3 identical rows)
PID 2084 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZPGtEfO.exe (3 identical rows)
PID 2084 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xrQTSoA.exe (3 identical rows)
PID 2084 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wLdxPVQ.exe (3 identical rows)
PID 2084 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wvbKalt.exe (3 identical rows)
PID 2084 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KuZZchi.exe (3 identical rows)
PID 2084 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aOxNwMt.exe (3 identical rows)
PID 2084 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MahYcQZ.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\WqACcaO.exe

C:\Windows\System\WqACcaO.exe

C:\Windows\System\ushYuyS.exe

C:\Windows\System\ushYuyS.exe

C:\Windows\System\WhoTtuV.exe

C:\Windows\System\WhoTtuV.exe

C:\Windows\System\EKgFJHc.exe

C:\Windows\System\EKgFJHc.exe

C:\Windows\System\CFlOswV.exe

C:\Windows\System\CFlOswV.exe

C:\Windows\System\FRXIIDn.exe

C:\Windows\System\FRXIIDn.exe

C:\Windows\System\hQhKKJV.exe

C:\Windows\System\hQhKKJV.exe

C:\Windows\System\egzYhee.exe

C:\Windows\System\egzYhee.exe

C:\Windows\System\ReNPdbO.exe

C:\Windows\System\ReNPdbO.exe

C:\Windows\System\QbfasNE.exe

C:\Windows\System\QbfasNE.exe

C:\Windows\System\OHfHQdG.exe

C:\Windows\System\OHfHQdG.exe

C:\Windows\System\ChPgvIM.exe

C:\Windows\System\ChPgvIM.exe

C:\Windows\System\aIWNosM.exe

C:\Windows\System\aIWNosM.exe

C:\Windows\System\jgFjCke.exe

C:\Windows\System\jgFjCke.exe

C:\Windows\System\ZPGtEfO.exe

C:\Windows\System\ZPGtEfO.exe

C:\Windows\System\xrQTSoA.exe

C:\Windows\System\xrQTSoA.exe

C:\Windows\System\wLdxPVQ.exe

C:\Windows\System\wLdxPVQ.exe

C:\Windows\System\wvbKalt.exe

C:\Windows\System\wvbKalt.exe

C:\Windows\System\KuZZchi.exe

C:\Windows\System\KuZZchi.exe

C:\Windows\System\aOxNwMt.exe

C:\Windows\System\aOxNwMt.exe

C:\Windows\System\MahYcQZ.exe

C:\Windows\System\MahYcQZ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical rows; no domain recorded)

Files

memory/2084-0-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2084-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\WqACcaO.exe

MD5 8b96c595c1dae64314892bc4fdf35487
SHA1 8d14ffe2374f836edce80c3b4e1552eed0f32c11
SHA256 7b383c5eeba71bbfd156b1d431cdb4d23d2df84ff1f32938a5a0078e013d86b0
SHA512 e0b687e07fb1e83819a038129467be5de71c4b63cb292eb0f7eb80906a3a7c25131bb125301ba0e8dfd882bee46670d4236615417a726211e92ab1f3d1a3b603

\Windows\system\WhoTtuV.exe

MD5 b23b6c2b803a9a42909247ef7727e250
SHA1 becbe66505e7e67734524d2a19700bdb151d20ad
SHA256 519ae91e68a12973dda338cc593e421dced7875f6bcde31539786a2a52e91643
SHA512 42d0bf19f31fb516cac11cf87ed75cc7f346eb57688c91a65db11b64dad2c52dd22a7a174c894c908fdbec3aeaae17bf5d5f3b32cf5220ab0994a503cf23855c

memory/2084-12-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2648-25-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2888-30-0x000000013F9C0000-0x000000013FD14000-memory.dmp

memory/2240-21-0x000000013F340000-0x000000013F694000-memory.dmp

memory/1336-19-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2084-17-0x0000000002420000-0x0000000002774000-memory.dmp

C:\Windows\system\ushYuyS.exe

MD5 ebea477ca9eaf038b389b28b5a6eeb25
SHA1 50bda73ec4f69c3252d2f2bfbb913bfd1f65027d
SHA256 f84497ce3340369cd837f350919b06afb351fab2b62c4d0b78c3241011946f96
SHA512 1de9aa441079553cf36e80f0786ae7abd4f80fa21b6a3a5f92e2019d56d893b219988da1ecba39d7be8d8266d05db8c0bc9b55a8c0e7b49b37e84d412276efe7

memory/2084-28-0x000000013F9C0000-0x000000013FD14000-memory.dmp

C:\Windows\system\EKgFJHc.exe

MD5 660ed8b15812fb92ee3e08432107c291
SHA1 f8b904709b37f30df67d76f22607c828658765a2
SHA256 ea382f7f86598247c64d0c224ebbf9ec470611de891d03dae2458409eac3e1e0
SHA512 9b1837a9b586b968476e831823faa56b7c3b0b0442d493f0e11b47f7042aba68bcc4ffebae9a0e120e6588fbcda95cf0bc2a9c27b84c09dd2e9e27cdbe49c9b1

memory/2084-6-0x0000000002420000-0x0000000002774000-memory.dmp

\Windows\system\FRXIIDn.exe

MD5 0c00286b484e1015a3af70fcd20fac6b
SHA1 34a6462cd3eb145c4ae67c19af0f3fa206d474f6
SHA256 28028adbe0569f12f6782ed963537a50d3eaae4fe7243aaa9c53041109c09735
SHA512 0b53a505836660962d325b1d28ab3f5df21b62401b521c2827801ce12c4a38211e9f441e97b4769656aa0b4401b030f712534177243be9af56b3b767d557ba42

memory/2740-40-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/2576-42-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2084-41-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2084-38-0x000000013F9D0000-0x000000013FD24000-memory.dmp

C:\Windows\system\CFlOswV.exe

MD5 4c2700265a477514ae869b928004b222
SHA1 487b9e44140b5de743d73c35e5358deb55b75adf
SHA256 3549d964391710c9a7bba11604775bcb06fab93d5cfa9c5d6a26c4964bc43c5a
SHA512 f4d170692823b74b42c3cd354ad3b348658f4ead4c62f4201eb4de5fad099ed515f056b499d0c2c64fcde7b1449c09e9534122e0035f9d338db6b49f18eebea3

memory/2084-49-0x000000013F170000-0x000000013F4C4000-memory.dmp

C:\Windows\system\hQhKKJV.exe

MD5 e0483791709f07396a89b81baafe2a5f
SHA1 6ba9128db7ed7d30ce6e49fa655bdddc13da3b2d
SHA256 4eb09f8a1b17c24817d2d244f3d9fbad1a1009c12d17c97d557707797ae1688f
SHA512 03a8eb3629be98091c5eedbffc8dc4332a62a9c5ff212b0997c4ec4e54df4a604beb06dd3f5d4227e80ee72cc46dc8b9215e7af7bef56af74c94c6a6677791ab

memory/2536-51-0x000000013F170000-0x000000013F4C4000-memory.dmp

C:\Windows\system\egzYhee.exe

MD5 421952eba9ae773cca0c5e47367a7984
SHA1 2744cb3b7e5fb9eaf378323fc4549efafe7936ee
SHA256 a28308ff574f7c95d2c2aea421938ad22f5aed932342f356624a8adf404c0869
SHA512 c410926238faa4fae2b30667e8d081b25953200dbfcd8cc8036d33b785bcf824aa3dcc2ac0e90de6535c2af16835a53869fe9fdaec37b6824209c3233c664515

memory/2084-56-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2992-59-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2084-57-0x000000013F850000-0x000000013FBA4000-memory.dmp

\Windows\system\ReNPdbO.exe

MD5 1a63f03d3fcc47a945a2ce9b35869b49
SHA1 7d4abdbd3ac139d1deea0f8b68d4acced3fc60d7
SHA256 4d01c0b6d463b7dbaa4b0b06b4a49da8d2b46b43aa10d23c65895cfe6f6c05c7
SHA512 80bb2d98e2bdc3f55597c6a91a579597ee8b8d50cae12410e1adb7086eb8790511d42a00c7ef1122acdc9d8e5f414e7bb3a92b3c6909676f44cb5aadfe79949e

memory/2084-65-0x000000013FDE0000-0x0000000140134000-memory.dmp

memory/1584-66-0x000000013FDE0000-0x0000000140134000-memory.dmp

memory/2588-78-0x000000013FC90000-0x000000013FFE4000-memory.dmp

C:\Windows\system\QbfasNE.exe

MD5 6618ca68d1fbda48657357e707660294
SHA1 c1a2fae97f457f313d995f595dca7b05a792f50c
SHA256 72ac63c051370672a376bacaed3b6a08ec22d52ba8dd240b6af3b76228c8182a
SHA512 bf58202f2fd311be41c175ca1ca2fd4632d0d0ecdba6068c77898449f8ed45644f809d1f6b18d8226aefd1ab680567169bb97a5367c62d5a22cd739459aa877c

memory/2888-96-0x000000013F9C0000-0x000000013FD14000-memory.dmp

memory/808-101-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/2084-100-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2844-97-0x000000013FC10000-0x000000013FF64000-memory.dmp

C:\Windows\system\aIWNosM.exe

MD5 c85977f95230e125ab8b12a5f2556a6a
SHA1 affc4b48cb49fb1cccf2f7f7d487c0cbe8d6c9fd
SHA256 27128ad88d077d2ad4edde2fca3a082155d69f59710643b57b58c3b5530c72d1
SHA512 168dcf782ec5d48e0978d2e5b4a6504ea5c90b4e01fd095bd263fd98bd9d17e64640efb2b778f2455e32749529b08191bbf38814eda40e52e5a6ecc894c138c1

C:\Windows\system\ZPGtEfO.exe

MD5 0d84652e9ad70d950880f1cc836187d0
SHA1 b453a900b60f870c1b75636eb6f5dcaf59f76bba
SHA256 aeb4f615a9b6469fa28f74853875d89640e3198b3fadfa4180026367c599cb39
SHA512 7d6f585526a820a23f4d9e3b01845a25ed6e309c7a80cf43db6c779bf45125c0a7f8f64e40744255bc50d4a19a17538041d4716c187c1d9922b751d9ef671f61

\Windows\system\MahYcQZ.exe

MD5 eec06933508c1ade25bed401dc66e446
SHA1 c9bdf5bc6083f4cd7a0cb503e04dcfd553d9f6fa
SHA256 8883724078a7053d4d1f41576bc8ee44a89399b4f5928fbf1ff97b2d4a474821
SHA512 21cbd09947f6433a2d6b284cab306de9d2c8151c1c470a5ce1b723f04fc4d0dc49ec414b048f5a38ac64085e74eb63399a4c0a00120d4e0fd26704a0417800d7

C:\Windows\system\aOxNwMt.exe

MD5 8c3024f86303362435c96d7de765be5e
SHA1 7b77dda01a4a03cb3b9968ef810c506acb423396
SHA256 198ba9c4ef29194aa9e4adbea9dd13d1a069e720cc61a1e9b389fe87ae02f087
SHA512 705a88a6b90c3e1ad2f916247dc470c424f69b2a9c2c1aa8134f4ceac9cf63125716900ef7de60b44606f13c92a2452a9565d96c5ee17adc916a419d47a48c14

C:\Windows\system\KuZZchi.exe

MD5 56b2d82381019dda9e83bfa53cd63566
SHA1 489e1abd1bb6c9362cb7ed8b64140c156d8221c1
SHA256 31d68223a7fec7e58d8ca14817f5915b727dc57b12684a8732113340c06b9418
SHA512 ae406e51571608fdf5b30e81306eb5a368d4b49137910d6da018eaa2daa7f68471a101d3ae9de505af0b37bbb5e0462ad06f2845a383bb4d45b92ac2d64b2fee

C:\Windows\system\wvbKalt.exe

MD5 de1133e02163229a539f3451ddada152
SHA1 d0e026f51d46781903f90d649cdbde1cc366ef56
SHA256 a5165d5819a188b664da232c09174fece6f3fab1ff98020b5007fafd49b42a6a
SHA512 eb056a7cf35a61c80aef7a41ec88bb0bf02a67009142b00e1670ac6d4e71d89ad5b3bd852e1f64429b14897941f9ed38647855ca2f7f459e9612c1b61e50bb54

C:\Windows\system\wLdxPVQ.exe

MD5 c91fdbc000d57cf428d1a6cfc9e214c1
SHA1 7080b7dd6187a432645a3c1e727bf89786c47eeb
SHA256 7f9ce5e4c87f25011517827b326d4c131279f33159a4982e689378bc72fc5ebd
SHA512 17366b931353865aa1bb630a819eff85d43a491286a1cc58100bc565cce528ca355aeb76f3b1a17688719d228e809bd3e023cfa492f5c23909c435e9b7ebc162

memory/2084-108-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2576-107-0x000000013F640000-0x000000013F994000-memory.dmp

C:\Windows\system\xrQTSoA.exe

MD5 0d3fb20c3db1ae04e271510e002fa2cb
SHA1 b46f1795b03fb84c2591cb3fdff92f0584c65a2a
SHA256 8b6de5bf8d8e29651e090dc7dbe17ee3b5a7c21a41c8020ec2a52c3a7f537292
SHA512 ef87ca9a4b9ce32d00593a3b7473556a18bd466d17975dd416e96ba0a87e07fc161e4dcb76834a38522b502a77376a40c004e4a5f9b4cb4ce7593fe98cba0c70

memory/2804-90-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2828-89-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2084-88-0x000000013FC10000-0x000000013FF64000-memory.dmp

memory/2084-87-0x0000000002420000-0x0000000002774000-memory.dmp

C:\Windows\system\OHfHQdG.exe

MD5 ea31510d93f3d1764cb3fa210c7050dd
SHA1 3bcd0ae6f50b1696dc657e3fb76b0c76872ff1bb
SHA256 49004d3532cd0fe44acf071aa526ee95d263d69b16c75b2a3474ae5a53601cf5
SHA512 b2f872a5a131a282fbb9c0269b586fc73300811322b02924318289e758ebac55be2cf6729629b644fcfb9c3a9908cf160c1d283918e876945b898bb05bc334ef

C:\Windows\system\ChPgvIM.exe

MD5 107ce33af51165d9d8e39381a0cb3f33
SHA1 5a8d57c4a3dc77b299219b5572e51ba132c3475b
SHA256 f40e726410ff595ee4ec48315a654b5491435f7c69d1303c316aeed2d41cbffd
SHA512 f70671c8decdbe250bc6aea490df75a40f9561a0843d8492fa920d78c392ea08b42d12ad58fdebe03fbfd8cc36dddfb861c6755bc110552dee636de6a94cfad1

C:\Windows\system\jgFjCke.exe

MD5 8a83d5c75f9a25ddd6ac868ef457fb89
SHA1 ece777369aa1878fe91be83cce01da455b1e35b8
SHA256 d6fed4710d31e81dbea5cecd1a48be1e5e63c40346c0ad6f6a28a5b8af7b249b
SHA512 6cbcb3903b9b377267cfb5a49cec25dd05d4733fc8e29ef1b50a225d2ccc039ab993a7b8002742686f0bc87626236932bc27baabed0208b0a2653cffc5afcb4e

memory/2648-70-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2992-139-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2084-138-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2084-140-0x000000013FDE0000-0x0000000140134000-memory.dmp

memory/2084-141-0x000000013FC90000-0x000000013FFE4000-memory.dmp

memory/2084-143-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2588-142-0x000000013FC90000-0x000000013FFE4000-memory.dmp

memory/2084-144-0x0000000002420000-0x0000000002774000-memory.dmp

memory/2844-145-0x000000013FC10000-0x000000013FF64000-memory.dmp

memory/2084-146-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/1336-147-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2240-148-0x000000013F340000-0x000000013F694000-memory.dmp

memory/2648-149-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2888-150-0x000000013F9C0000-0x000000013FD14000-memory.dmp

memory/2740-151-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/2576-152-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2536-153-0x000000013F170000-0x000000013F4C4000-memory.dmp

memory/2992-154-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/1584-155-0x000000013FDE0000-0x0000000140134000-memory.dmp

memory/2588-156-0x000000013FC90000-0x000000013FFE4000-memory.dmp

memory/2828-157-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2804-158-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2844-160-0x000000013FC10000-0x000000013FF64000-memory.dmp

memory/808-159-0x000000013F4C0000-0x000000013F814000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 00:10

Reported

2024-06-28 00:13

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FRXIIDn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hQhKKJV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ReNPdbO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jgFjCke.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wLdxPVQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KuZZchi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aOxNwMt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WhoTtuV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EKgFJHc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QbfasNE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ChPgvIM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZPGtEfO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wvbKalt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MahYcQZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WqACcaO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CFlOswV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aIWNosM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xrQTSoA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ushYuyS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\egzYhee.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OHfHQdG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4124 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WqACcaO.exe
PID 4124 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WqACcaO.exe
PID 4124 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ushYuyS.exe
PID 4124 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ushYuyS.exe
PID 4124 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WhoTtuV.exe
PID 4124 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WhoTtuV.exe
PID 4124 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EKgFJHc.exe
PID 4124 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EKgFJHc.exe
PID 4124 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CFlOswV.exe
PID 4124 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CFlOswV.exe
PID 4124 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FRXIIDn.exe
PID 4124 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FRXIIDn.exe
PID 4124 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hQhKKJV.exe
PID 4124 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hQhKKJV.exe
PID 4124 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\egzYhee.exe
PID 4124 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\egzYhee.exe
PID 4124 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ReNPdbO.exe
PID 4124 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ReNPdbO.exe
PID 4124 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QbfasNE.exe
PID 4124 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QbfasNE.exe
PID 4124 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OHfHQdG.exe
PID 4124 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OHfHQdG.exe
PID 4124 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChPgvIM.exe
PID 4124 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChPgvIM.exe
PID 4124 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aIWNosM.exe
PID 4124 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aIWNosM.exe
PID 4124 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jgFjCke.exe
PID 4124 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jgFjCke.exe
PID 4124 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZPGtEfO.exe
PID 4124 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZPGtEfO.exe
PID 4124 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xrQTSoA.exe
PID 4124 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xrQTSoA.exe
PID 4124 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wLdxPVQ.exe
PID 4124 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wLdxPVQ.exe
PID 4124 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wvbKalt.exe
PID 4124 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wvbKalt.exe
PID 4124 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KuZZchi.exe
PID 4124 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KuZZchi.exe
PID 4124 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aOxNwMt.exe
PID 4124 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aOxNwMt.exe
PID 4124 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MahYcQZ.exe
PID 4124 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MahYcQZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_c2fe27522f4005d647fdc1b4e3a4b9fa_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\WqACcaO.exe

C:\Windows\System\WqACcaO.exe

C:\Windows\System\ushYuyS.exe

C:\Windows\System\ushYuyS.exe

C:\Windows\System\WhoTtuV.exe

C:\Windows\System\WhoTtuV.exe

C:\Windows\System\EKgFJHc.exe

C:\Windows\System\EKgFJHc.exe

C:\Windows\System\CFlOswV.exe

C:\Windows\System\CFlOswV.exe

C:\Windows\System\FRXIIDn.exe

C:\Windows\System\FRXIIDn.exe

C:\Windows\System\hQhKKJV.exe

C:\Windows\System\hQhKKJV.exe

C:\Windows\System\egzYhee.exe

C:\Windows\System\egzYhee.exe

C:\Windows\System\ReNPdbO.exe

C:\Windows\System\ReNPdbO.exe

C:\Windows\System\QbfasNE.exe

C:\Windows\System\QbfasNE.exe

C:\Windows\System\OHfHQdG.exe

C:\Windows\System\OHfHQdG.exe

C:\Windows\System\ChPgvIM.exe

C:\Windows\System\ChPgvIM.exe

C:\Windows\System\aIWNosM.exe

C:\Windows\System\aIWNosM.exe

C:\Windows\System\jgFjCke.exe

C:\Windows\System\jgFjCke.exe

C:\Windows\System\ZPGtEfO.exe

C:\Windows\System\ZPGtEfO.exe

C:\Windows\System\xrQTSoA.exe

C:\Windows\System\xrQTSoA.exe

C:\Windows\System\wLdxPVQ.exe

C:\Windows\System\wLdxPVQ.exe

C:\Windows\System\wvbKalt.exe

C:\Windows\System\wvbKalt.exe

C:\Windows\System\KuZZchi.exe

C:\Windows\System\KuZZchi.exe

C:\Windows\System\aOxNwMt.exe

C:\Windows\System\aOxNwMt.exe

C:\Windows\System\MahYcQZ.exe

C:\Windows\System\MahYcQZ.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4124-0-0x00007FF6A2B00000-0x00007FF6A2E54000-memory.dmp

memory/4124-1-0x0000022C63540000-0x0000022C63550000-memory.dmp

C:\Windows\System\WqACcaO.exe

MD5 8b96c595c1dae64314892bc4fdf35487
SHA1 8d14ffe2374f836edce80c3b4e1552eed0f32c11
SHA256 7b383c5eeba71bbfd156b1d431cdb4d23d2df84ff1f32938a5a0078e013d86b0
SHA512 e0b687e07fb1e83819a038129467be5de71c4b63cb292eb0f7eb80906a3a7c25131bb125301ba0e8dfd882bee46670d4236615417a726211e92ab1f3d1a3b603

memory/4220-8-0x00007FF7E2140000-0x00007FF7E2494000-memory.dmp

C:\Windows\System\ushYuyS.exe

MD5 ebea477ca9eaf038b389b28b5a6eeb25
SHA1 50bda73ec4f69c3252d2f2bfbb913bfd1f65027d
SHA256 f84497ce3340369cd837f350919b06afb351fab2b62c4d0b78c3241011946f96
SHA512 1de9aa441079553cf36e80f0786ae7abd4f80fa21b6a3a5f92e2019d56d893b219988da1ecba39d7be8d8266d05db8c0bc9b55a8c0e7b49b37e84d412276efe7

C:\Windows\System\WhoTtuV.exe

MD5 b23b6c2b803a9a42909247ef7727e250
SHA1 becbe66505e7e67734524d2a19700bdb151d20ad
SHA256 519ae91e68a12973dda338cc593e421dced7875f6bcde31539786a2a52e91643
SHA512 42d0bf19f31fb516cac11cf87ed75cc7f346eb57688c91a65db11b64dad2c52dd22a7a174c894c908fdbec3aeaae17bf5d5f3b32cf5220ab0994a503cf23855c

memory/800-14-0x00007FF6B3F70000-0x00007FF6B42C4000-memory.dmp

C:\Windows\System\EKgFJHc.exe

MD5 660ed8b15812fb92ee3e08432107c291
SHA1 f8b904709b37f30df67d76f22607c828658765a2
SHA256 ea382f7f86598247c64d0c224ebbf9ec470611de891d03dae2458409eac3e1e0
SHA512 9b1837a9b586b968476e831823faa56b7c3b0b0442d493f0e11b47f7042aba68bcc4ffebae9a0e120e6588fbcda95cf0bc2a9c27b84c09dd2e9e27cdbe49c9b1

memory/116-24-0x00007FF676610000-0x00007FF676964000-memory.dmp

C:\Windows\System\CFlOswV.exe

MD5 4c2700265a477514ae869b928004b222
SHA1 487b9e44140b5de743d73c35e5358deb55b75adf
SHA256 3549d964391710c9a7bba11604775bcb06fab93d5cfa9c5d6a26c4964bc43c5a
SHA512 f4d170692823b74b42c3cd354ad3b348658f4ead4c62f4201eb4de5fad099ed515f056b499d0c2c64fcde7b1449c09e9534122e0035f9d338db6b49f18eebea3

memory/4532-32-0x00007FF63D560000-0x00007FF63D8B4000-memory.dmp

C:\Windows\System\FRXIIDn.exe

MD5 0c00286b484e1015a3af70fcd20fac6b
SHA1 34a6462cd3eb145c4ae67c19af0f3fa206d474f6
SHA256 28028adbe0569f12f6782ed963537a50d3eaae4fe7243aaa9c53041109c09735
SHA512 0b53a505836660962d325b1d28ab3f5df21b62401b521c2827801ce12c4a38211e9f441e97b4769656aa0b4401b030f712534177243be9af56b3b767d557ba42

memory/5064-20-0x00007FF7E3E50000-0x00007FF7E41A4000-memory.dmp

memory/4492-40-0x00007FF799AC0000-0x00007FF799E14000-memory.dmp

C:\Windows\System\hQhKKJV.exe

MD5 e0483791709f07396a89b81baafe2a5f
SHA1 6ba9128db7ed7d30ce6e49fa655bdddc13da3b2d
SHA256 4eb09f8a1b17c24817d2d244f3d9fbad1a1009c12d17c97d557707797ae1688f
SHA512 03a8eb3629be98091c5eedbffc8dc4332a62a9c5ff212b0997c4ec4e54df4a604beb06dd3f5d4227e80ee72cc46dc8b9215e7af7bef56af74c94c6a6677791ab

C:\Windows\System\egzYhee.exe

MD5 421952eba9ae773cca0c5e47367a7984
SHA1 2744cb3b7e5fb9eaf378323fc4549efafe7936ee
SHA256 a28308ff574f7c95d2c2aea421938ad22f5aed932342f356624a8adf404c0869
SHA512 c410926238faa4fae2b30667e8d081b25953200dbfcd8cc8036d33b785bcf824aa3dcc2ac0e90de6535c2af16835a53869fe9fdaec37b6824209c3233c664515

memory/3584-46-0x00007FF729F20000-0x00007FF72A274000-memory.dmp

memory/1756-44-0x00007FF72AD60000-0x00007FF72B0B4000-memory.dmp

C:\Windows\System\ReNPdbO.exe

MD5 1a63f03d3fcc47a945a2ce9b35869b49
SHA1 7d4abdbd3ac139d1deea0f8b68d4acced3fc60d7
SHA256 4d01c0b6d463b7dbaa4b0b06b4a49da8d2b46b43aa10d23c65895cfe6f6c05c7
SHA512 80bb2d98e2bdc3f55597c6a91a579597ee8b8d50cae12410e1adb7086eb8790511d42a00c7ef1122acdc9d8e5f414e7bb3a92b3c6909676f44cb5aadfe79949e

memory/620-55-0x00007FF6B6310000-0x00007FF6B6664000-memory.dmp

C:\Windows\System\QbfasNE.exe

MD5 6618ca68d1fbda48657357e707660294
SHA1 c1a2fae97f457f313d995f595dca7b05a792f50c
SHA256 72ac63c051370672a376bacaed3b6a08ec22d52ba8dd240b6af3b76228c8182a
SHA512 bf58202f2fd311be41c175ca1ca2fd4632d0d0ecdba6068c77898449f8ed45644f809d1f6b18d8226aefd1ab680567169bb97a5367c62d5a22cd739459aa877c

memory/4124-62-0x00007FF6A2B00000-0x00007FF6A2E54000-memory.dmp

memory/2388-64-0x00007FF7708C0000-0x00007FF770C14000-memory.dmp

C:\Windows\System\OHfHQdG.exe

MD5 ea31510d93f3d1764cb3fa210c7050dd
SHA1 3bcd0ae6f50b1696dc657e3fb76b0c76872ff1bb
SHA256 49004d3532cd0fe44acf071aa526ee95d263d69b16c75b2a3474ae5a53601cf5
SHA512 b2f872a5a131a282fbb9c0269b586fc73300811322b02924318289e758ebac55be2cf6729629b644fcfb9c3a9908cf160c1d283918e876945b898bb05bc334ef

memory/2184-70-0x00007FF673DD0000-0x00007FF674124000-memory.dmp

C:\Windows\System\ChPgvIM.exe

MD5 107ce33af51165d9d8e39381a0cb3f33
SHA1 5a8d57c4a3dc77b299219b5572e51ba132c3475b
SHA256 f40e726410ff595ee4ec48315a654b5491435f7c69d1303c316aeed2d41cbffd
SHA512 f70671c8decdbe250bc6aea490df75a40f9561a0843d8492fa920d78c392ea08b42d12ad58fdebe03fbfd8cc36dddfb861c6755bc110552dee636de6a94cfad1

memory/4220-69-0x00007FF7E2140000-0x00007FF7E2494000-memory.dmp

C:\Windows\System\aIWNosM.exe

MD5 c85977f95230e125ab8b12a5f2556a6a
SHA1 affc4b48cb49fb1cccf2f7f7d487c0cbe8d6c9fd
SHA256 27128ad88d077d2ad4edde2fca3a082155d69f59710643b57b58c3b5530c72d1
SHA512 168dcf782ec5d48e0978d2e5b4a6504ea5c90b4e01fd095bd263fd98bd9d17e64640efb2b778f2455e32749529b08191bbf38814eda40e52e5a6ecc894c138c1

memory/1520-77-0x00007FF781BB0000-0x00007FF781F04000-memory.dmp

memory/3532-83-0x00007FF742980000-0x00007FF742CD4000-memory.dmp

memory/116-88-0x00007FF676610000-0x00007FF676964000-memory.dmp

C:\Windows\System\jgFjCke.exe

MD5 8a83d5c75f9a25ddd6ac868ef457fb89
SHA1 ece777369aa1878fe91be83cce01da455b1e35b8
SHA256 d6fed4710d31e81dbea5cecd1a48be1e5e63c40346c0ad6f6a28a5b8af7b249b
SHA512 6cbcb3903b9b377267cfb5a49cec25dd05d4733fc8e29ef1b50a225d2ccc039ab993a7b8002742686f0bc87626236932bc27baabed0208b0a2653cffc5afcb4e

C:\Windows\System\ZPGtEfO.exe

MD5 0d84652e9ad70d950880f1cc836187d0
SHA1 b453a900b60f870c1b75636eb6f5dcaf59f76bba
SHA256 aeb4f615a9b6469fa28f74853875d89640e3198b3fadfa4180026367c599cb39
SHA512 7d6f585526a820a23f4d9e3b01845a25ed6e309c7a80cf43db6c779bf45125c0a7f8f64e40744255bc50d4a19a17538041d4716c187c1d9922b751d9ef671f61

memory/1840-94-0x00007FF649B40000-0x00007FF649E94000-memory.dmp

memory/4532-95-0x00007FF63D560000-0x00007FF63D8B4000-memory.dmp

memory/1004-96-0x00007FF688C30000-0x00007FF688F84000-memory.dmp

C:\Windows\System\wLdxPVQ.exe

MD5 c91fdbc000d57cf428d1a6cfc9e214c1
SHA1 7080b7dd6187a432645a3c1e727bf89786c47eeb
SHA256 7f9ce5e4c87f25011517827b326d4c131279f33159a4982e689378bc72fc5ebd
SHA512 17366b931353865aa1bb630a819eff85d43a491286a1cc58100bc565cce528ca355aeb76f3b1a17688719d228e809bd3e023cfa492f5c23909c435e9b7ebc162

memory/1756-108-0x00007FF72AD60000-0x00007FF72B0B4000-memory.dmp

memory/3584-113-0x00007FF729F20000-0x00007FF72A274000-memory.dmp

memory/620-119-0x00007FF6B6310000-0x00007FF6B6664000-memory.dmp

C:\Windows\System\KuZZchi.exe

MD5 56b2d82381019dda9e83bfa53cd63566
SHA1 489e1abd1bb6c9362cb7ed8b64140c156d8221c1
SHA256 31d68223a7fec7e58d8ca14817f5915b727dc57b12684a8732113340c06b9418
SHA512 ae406e51571608fdf5b30e81306eb5a368d4b49137910d6da018eaa2daa7f68471a101d3ae9de505af0b37bbb5e0462ad06f2845a383bb4d45b92ac2d64b2fee

memory/3176-121-0x00007FF7415A0000-0x00007FF7418F4000-memory.dmp

C:\Windows\System\wvbKalt.exe

MD5 de1133e02163229a539f3451ddada152
SHA1 d0e026f51d46781903f90d649cdbde1cc366ef56
SHA256 a5165d5819a188b664da232c09174fece6f3fab1ff98020b5007fafd49b42a6a
SHA512 eb056a7cf35a61c80aef7a41ec88bb0bf02a67009142b00e1670ac6d4e71d89ad5b3bd852e1f64429b14897941f9ed38647855ca2f7f459e9612c1b61e50bb54

memory/4928-116-0x00007FF7027B0000-0x00007FF702B04000-memory.dmp

memory/3316-112-0x00007FF738760000-0x00007FF738AB4000-memory.dmp

memory/948-107-0x00007FF7169D0000-0x00007FF716D24000-memory.dmp

C:\Windows\System\xrQTSoA.exe

MD5 0d3fb20c3db1ae04e271510e002fa2cb
SHA1 b46f1795b03fb84c2591cb3fdff92f0584c65a2a
SHA256 8b6de5bf8d8e29651e090dc7dbe17ee3b5a7c21a41c8020ec2a52c3a7f537292
SHA512 ef87ca9a4b9ce32d00593a3b7473556a18bd466d17975dd416e96ba0a87e07fc161e4dcb76834a38522b502a77376a40c004e4a5f9b4cb4ce7593fe98cba0c70

C:\Windows\System\aOxNwMt.exe

MD5 8c3024f86303362435c96d7de765be5e
SHA1 7b77dda01a4a03cb3b9968ef810c506acb423396
SHA256 198ba9c4ef29194aa9e4adbea9dd13d1a069e720cc61a1e9b389fe87ae02f087
SHA512 705a88a6b90c3e1ad2f916247dc470c424f69b2a9c2c1aa8134f4ceac9cf63125716900ef7de60b44606f13c92a2452a9565d96c5ee17adc916a419d47a48c14

C:\Windows\System\MahYcQZ.exe

MD5 eec06933508c1ade25bed401dc66e446
SHA1 c9bdf5bc6083f4cd7a0cb503e04dcfd553d9f6fa
SHA256 8883724078a7053d4d1f41576bc8ee44a89399b4f5928fbf1ff97b2d4a474821
SHA512 21cbd09947f6433a2d6b284cab306de9d2c8151c1c470a5ce1b723f04fc4d0dc49ec414b048f5a38ac64085e74eb63399a4c0a00120d4e0fd26704a0417800d7

memory/1520-134-0x00007FF781BB0000-0x00007FF781F04000-memory.dmp

memory/4580-135-0x00007FF7C9A50000-0x00007FF7C9DA4000-memory.dmp

memory/4568-128-0x00007FF652040000-0x00007FF652394000-memory.dmp

memory/4928-136-0x00007FF7027B0000-0x00007FF702B04000-memory.dmp

memory/3176-137-0x00007FF7415A0000-0x00007FF7418F4000-memory.dmp

memory/4568-138-0x00007FF652040000-0x00007FF652394000-memory.dmp

memory/4220-139-0x00007FF7E2140000-0x00007FF7E2494000-memory.dmp

memory/800-140-0x00007FF6B3F70000-0x00007FF6B42C4000-memory.dmp

memory/5064-141-0x00007FF7E3E50000-0x00007FF7E41A4000-memory.dmp

memory/116-142-0x00007FF676610000-0x00007FF676964000-memory.dmp

memory/4532-143-0x00007FF63D560000-0x00007FF63D8B4000-memory.dmp

memory/4492-144-0x00007FF799AC0000-0x00007FF799E14000-memory.dmp

memory/3584-146-0x00007FF729F20000-0x00007FF72A274000-memory.dmp

memory/1756-145-0x00007FF72AD60000-0x00007FF72B0B4000-memory.dmp

memory/620-147-0x00007FF6B6310000-0x00007FF6B6664000-memory.dmp

memory/2388-148-0x00007FF7708C0000-0x00007FF770C14000-memory.dmp

memory/2184-149-0x00007FF673DD0000-0x00007FF674124000-memory.dmp

memory/1520-150-0x00007FF781BB0000-0x00007FF781F04000-memory.dmp

memory/3532-151-0x00007FF742980000-0x00007FF742CD4000-memory.dmp

memory/1004-152-0x00007FF688C30000-0x00007FF688F84000-memory.dmp

memory/1840-153-0x00007FF649B40000-0x00007FF649E94000-memory.dmp

memory/948-154-0x00007FF7169D0000-0x00007FF716D24000-memory.dmp

memory/3316-155-0x00007FF738760000-0x00007FF738AB4000-memory.dmp

memory/4928-156-0x00007FF7027B0000-0x00007FF702B04000-memory.dmp

memory/3176-157-0x00007FF7415A0000-0x00007FF7418F4000-memory.dmp

memory/4568-158-0x00007FF652040000-0x00007FF652394000-memory.dmp

memory/4580-159-0x00007FF7C9A50000-0x00007FF7C9DA4000-memory.dmp