Malware Analysis Report

2024-10-24 18:12

Sample ID 240628-kr3m9s1bka
Target 2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat
SHA256 a7cf964013e0b1cf2842ba8c2cc9edce7bb17e829c22ffda9fea8ef4c5764436
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a7cf964013e0b1cf2842ba8c2cc9edce7bb17e829c22ffda9fea8ef4c5764436

Threat Level: Known bad

The file 2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

XMRig Miner payload

Cobaltstrike

Xmrig family

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

xmrig

Cobaltstrike family

UPX dump on OEP (original entry point)

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-28 08:50

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 08:50

Reported

2024-06-28 08:53

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 rows, all N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 rows, all N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 rows, all N/A)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, all N/A)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, all N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\slGfwgI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dmMhXqw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dAaBUkt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\geUDvvt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XfytqnK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ygObmpj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kcWndlU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mxbbdCp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oqniZcK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dNknnRT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rpxAizt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AiKRwIF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KclfuBB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GLzeqTJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FhgEtsM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yMGPJYS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jgUvNft.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VdUqWIw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nLdPVdM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sEbxpxY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\piXvaGT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1860 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nLdPVdM.exe
PID 1860 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nLdPVdM.exe
PID 1860 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oqniZcK.exe
PID 1860 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oqniZcK.exe
PID 1860 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GLzeqTJ.exe
PID 1860 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GLzeqTJ.exe
PID 1860 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sEbxpxY.exe
PID 1860 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sEbxpxY.exe
PID 1860 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\piXvaGT.exe
PID 1860 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\piXvaGT.exe
PID 1860 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\slGfwgI.exe
PID 1860 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\slGfwgI.exe
PID 1860 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jgUvNft.exe
PID 1860 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jgUvNft.exe
PID 1860 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dNknnRT.exe
PID 1860 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dNknnRT.exe
PID 1860 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FhgEtsM.exe
PID 1860 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FhgEtsM.exe
PID 1860 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rpxAizt.exe
PID 1860 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rpxAizt.exe
PID 1860 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dmMhXqw.exe
PID 1860 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dmMhXqw.exe
PID 1860 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VdUqWIw.exe
PID 1860 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VdUqWIw.exe
PID 1860 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yMGPJYS.exe
PID 1860 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yMGPJYS.exe
PID 1860 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KclfuBB.exe
PID 1860 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KclfuBB.exe
PID 1860 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\geUDvvt.exe
PID 1860 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\geUDvvt.exe
PID 1860 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dAaBUkt.exe
PID 1860 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dAaBUkt.exe
PID 1860 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XfytqnK.exe
PID 1860 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XfytqnK.exe
PID 1860 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ygObmpj.exe
PID 1860 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ygObmpj.exe
PID 1860 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kcWndlU.exe
PID 1860 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kcWndlU.exe
PID 1860 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mxbbdCp.exe
PID 1860 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mxbbdCp.exe
PID 1860 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AiKRwIF.exe
PID 1860 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AiKRwIF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\nLdPVdM.exe

C:\Windows\System\nLdPVdM.exe

C:\Windows\System\oqniZcK.exe

C:\Windows\System\oqniZcK.exe

C:\Windows\System\GLzeqTJ.exe

C:\Windows\System\GLzeqTJ.exe

C:\Windows\System\sEbxpxY.exe

C:\Windows\System\sEbxpxY.exe

C:\Windows\System\piXvaGT.exe

C:\Windows\System\piXvaGT.exe

C:\Windows\System\slGfwgI.exe

C:\Windows\System\slGfwgI.exe

C:\Windows\System\jgUvNft.exe

C:\Windows\System\jgUvNft.exe

C:\Windows\System\dNknnRT.exe

C:\Windows\System\dNknnRT.exe

C:\Windows\System\FhgEtsM.exe

C:\Windows\System\FhgEtsM.exe

C:\Windows\System\rpxAizt.exe

C:\Windows\System\rpxAizt.exe

C:\Windows\System\dmMhXqw.exe

C:\Windows\System\dmMhXqw.exe

C:\Windows\System\VdUqWIw.exe

C:\Windows\System\VdUqWIw.exe

C:\Windows\System\yMGPJYS.exe

C:\Windows\System\yMGPJYS.exe

C:\Windows\System\KclfuBB.exe

C:\Windows\System\KclfuBB.exe

C:\Windows\System\geUDvvt.exe

C:\Windows\System\geUDvvt.exe

C:\Windows\System\dAaBUkt.exe

C:\Windows\System\dAaBUkt.exe

C:\Windows\System\XfytqnK.exe

C:\Windows\System\XfytqnK.exe

C:\Windows\System\ygObmpj.exe

C:\Windows\System\ygObmpj.exe

C:\Windows\System\kcWndlU.exe

C:\Windows\System\kcWndlU.exe

C:\Windows\System\mxbbdCp.exe

C:\Windows\System\mxbbdCp.exe

C:\Windows\System\AiKRwIF.exe

C:\Windows\System\AiKRwIF.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1860-0-0x00007FF6DDF70000-0x00007FF6DE2C4000-memory.dmp

memory/1860-1-0x0000016BEE4E0000-0x0000016BEE4F0000-memory.dmp

C:\Windows\System\nLdPVdM.exe

MD5 bea22b7c4cf20239a69e2bf663ef72ba
SHA1 f5afa0737144f5a32210ad065435e5b58d27f66b
SHA256 5a9727a0d743b61b98eccb24252d472071ff3134b9d66989caf96f180dc78c4f
SHA512 8c94da93aec2fea9fed1c4c805f0ba996663f119e1bdde82a70d45d73818100d5530489cd4abebfa92a8e225468b86a270ad1e937c20b81a652d3919360a7076

C:\Windows\System\oqniZcK.exe

MD5 9df48cb8d51dda757687ecc0e02b5541
SHA1 84e1193f737c747a0043297a97abbd09416e293e
SHA256 b8ca2a532ef8ccfb76f61d8bfdeebd7e2b6d9636f6932cb71a40992beeb0ae3d
SHA512 006af90d00d1f20e5bf971ce370112e68e2614d671799ea7aa4b841dcf40e859b19aea7e0008183aeb1ba408f78ac32b2d44b69b13454d13d7bd981ede95da9f

C:\Windows\System\GLzeqTJ.exe

MD5 cb6b8fb56c68cada5b1bd88e9268314e
SHA1 76d232403db163c936b50845632a727e0fd0d74e
SHA256 423184b7d9e40cc236407109a797a85505eb811a1c893da8b9b562d753ec857f
SHA512 31a690879720beedc5427aea8952019966e865f011458bb1688efbfa28e9c86fb19850c029d5418581c8cd085e73bfbf10e31dd7a4fd5edf43fb2845dc7aa111

memory/800-14-0x00007FF623B20000-0x00007FF623E74000-memory.dmp

memory/5028-7-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp

C:\Windows\System\sEbxpxY.exe

MD5 5ff91b6e457c738766b75c737b94008f
SHA1 5b00a3051492d6f050cdf40e7c5efd8eca6a512c
SHA256 ac7a7252eb3fae9c4b2bf58572ee8ed409b989c9683a07563ac6ee12aa2728c2
SHA512 534f24df7b02475b6481c67a3affb4c7eec30e5953c5890a6ad397a822ac602d937789df9f41fb3cddf032e93c54ba0c53d5df41462d443d22007dcf602ba0be

C:\Windows\System\piXvaGT.exe

MD5 e8ee17dd9e4b236660b4e90704046e2c
SHA1 b1c2a6347a6ae513861a6959e9351844074dc372
SHA256 648c03fbb1b2ac3c6c8a143766241f341dd09ac3f505310ae17a026883ed16d1
SHA512 50fbe101c1d3e69939173c55eee183840dbf881611a2d6b9ed764a3de5fd0726becedf0f79b573d3f8854590fde318f1dea06dada2498fabd5c052d9cc521afa

C:\Windows\System\jgUvNft.exe

MD5 46b8423ba9deb5d303aa2f2281a5a868
SHA1 29178bf20b9e985cc1893bf03f0c491bf227833f
SHA256 1a928e0584c009e49989d9bb564765ff2e69d7a5ef59b06e3a70c2638be74580
SHA512 2bbdf8352b05a246163b8eb1f3173f38e4f1e582afc5ef2d0138127e1f67a7469dc103db556c71d09564f640024786e035ea76d9f9de6e0c26d8fac2952c2388

C:\Windows\System\dNknnRT.exe

MD5 f166c61dd6aaa6d18c8a2121ed691221
SHA1 6118d1d0354d38cc2ea8e58f0e07fb0303794ecf
SHA256 646048e26a4eefb272e959199df7e26bace4b5768d72c33f4517ed5bf883392e
SHA512 1b13f8c3c056b53704fa8568d9744b6ea8b66a32d01d5185035d0f3bc1b7a6ee4123abf44fa55d5196d14d13116d817849c558b17e9079e6e74f427232ae2243

C:\Windows\System\FhgEtsM.exe

MD5 73057017cf80feb76485c167d48acc0b
SHA1 f5e0c4f9b61c915f1fc535f6c6eb24266e826fbb
SHA256 0f17cfb66431cca0ff26af0fd9344cd311c9fc52855ee75d8fbed69782de78b4
SHA512 8afb5e55bb05312c24cffd78b6bdb43cb61df1bd103e549453a1c900da136b392271235d712270e505ebee6fa5db53a004d516dc609f71e35a81136c39388fef

C:\Windows\System\rpxAizt.exe

MD5 e3e0058ce29cfb8dc01fd02daaa41ba3
SHA1 963a2796ee834562c7c600213b769ace508dfa6a
SHA256 68b6a3744d1ad3801267aca6fe7d761b76ff95b718faa059db820221d90c8304
SHA512 05937ced40aa715bffb33d6b35962bcc3b0fb5780006fc581e82a5878ba23f585e9ee1d2d35132ddc8eddd30557e97a704045c3e0e6ee064c3d5c08c7ad0b90f

C:\Windows\System\yMGPJYS.exe

MD5 91a2e3e94e7a61dcce50f299f3111cb4
SHA1 d9bae4e673f31943802c14b41d273841b76a5f29
SHA256 5a7cd367433e7ebd74269b7d6b3a0747c4ee2db0445c98fb27892d835b8cf229
SHA512 768a20d16915f50b8c859ec88021d98e4e336535d73c0fe3a976d5220a451372c5d5584392ec5dec0f33705bbeadda08d0852bd66c9c636833ed2208491aee28

C:\Windows\System\geUDvvt.exe

MD5 69e9c97de85b7a13a9019192f130dbf4
SHA1 64331d2386cf7574db825f7de16922b9f2ed2f4b
SHA256 bdf538b88aba6350af22945d348be0a26476cbb78ceebd62d94abda9e5ae5952
SHA512 852767feade48f612984e178f2bc9e3768f6c3ceddf569af3511e0d9200267b68f53e7424a1d91b53f91b10d1b71857a22fecd4e6400e2845f445d93b19cd983

C:\Windows\System\ygObmpj.exe

MD5 7188d820cdb47a8ae0b636e21b480d47
SHA1 99da54392aa102e9b5c3fb23bf0d6ff8f05a8d87
SHA256 0928c5410ef5ae638bbdeca844e96dcc9e88c7972ef91dba6bea955f996712a9
SHA512 d1c844cc727df612465c5758935ad8e639c7d3245610867d12655102f18e76613838ced728a5ed9acbd3c161e49dc82990277d99e98f81e76562c64cddbdb8a3

C:\Windows\System\AiKRwIF.exe

MD5 62fd12c617da0b288ae84747d91b261e
SHA1 5f3089affd2bc335774a5f3093cf167e8a8d20a9
SHA256 b13863431a74a46cc7b2ed9e72144b83e264df0d0646461ca2606ac2496c02fe
SHA512 38e2d70f465d22253e46f151b43381ecbc9ad67d785767e8d40859210719f751ea42da7974cb41dbd2aaaafddf625601c2733e89cddf4bec1e2d7ad8b4269fac

C:\Windows\System\mxbbdCp.exe

MD5 1b07e64b5103630a8f3baff84d521249
SHA1 2efc48c86941e718d91524d9f74a3333c26f67f3
SHA256 ba15cb26ec0df153eeb48a5d7fb5409778233de221ce292af91de363d9783655
SHA512 18ce792a1b39f4465918257c5af911e5cc49e23a4cbe2e961e4b6f50ab7d3d6104ca173ae890b45307778fd79865ceb76ef58c195ebb4a086f165f34adaac2be

C:\Windows\System\kcWndlU.exe

MD5 65cdd9efe8b11126820fc6807929499e
SHA1 3e57f0befe18ce16fe35675eb5a2c20dbe4dee53
SHA256 8182ba4b6384dcd0f315ff086fdeaa6cb2ada571292aa5699d0e7bb238457c96
SHA512 df0b2c37352d2891beaa055618aaf409250caf16e1a8aa408cab30af0b6ce39612e24015aa158e707f83cb7f3f385f1f9bb52a264bc03a4ef18269afce682f08

C:\Windows\System\XfytqnK.exe

MD5 95580cc6f3c35456180376e9eb0747d2
SHA1 8c4f942bc57a04b2b6b24aafd05ba2d5cc56ad6b
SHA256 09dba446902aba7acb2a1394534c3edfe8e829f6797f494620735066a0a0554a
SHA512 106cc4fac01bcc1bcab64864c13407b3ad4371b80faecb4dab15797020b8187ddaf0f90190d6f958a8043c526922aabeec5efe6fcd246a0765bec488cde39d72

C:\Windows\System\dAaBUkt.exe

MD5 7b1e2f9afb38ea01a0a381fb860a04c8
SHA1 0cc81b7228c632d5b2b1a822da413f8e81ba1430
SHA256 7ad404e177d1192076e057cce56c7a27d0e94d80bd58cddfe8f0420ce402a928
SHA512 89fb146eff811cd7ccaed7b58ee8ae6751110b648f7fb4cff04bd154521277c76f17c8325fd4bf5c0a75486abc6ac5ccdcdac7b25bf3967221242ec28241ddde

C:\Windows\System\KclfuBB.exe

MD5 6a38a1acc96f5111e4cd8c30f219a456
SHA1 10ceeee8ebe900715d0250a70abe4429cc242e06
SHA256 2f79984771d6a71a39e836553b11828ac1cdaf3917fc4beadbb536b2c6a66112
SHA512 10826103778e4662d5bfdd05814b36c442c0708f490a62a33ac7c1cb69511e987d23f31fab94f9fd1023b2910b848dc942b4954a3a7f9dfa263c2c780d514988

C:\Windows\System\VdUqWIw.exe

MD5 c940ed003cb92f0f1c8b8331e26d7842
SHA1 37cbf66609a226391a9824d519a25056410739c2
SHA256 1e73f08b911e63c3182c8d501da07c0fe10127a97361a78af30d9b205f7a30bc
SHA512 f216d257791612f719e533f2716287ef76ff518221d636b25d6e89ec9949f2c1c863639a3850b91e199cfa8b0e96615a52f0db20a9d8ad83a335edbf787c84d8

C:\Windows\System\dmMhXqw.exe

MD5 4f28a93703f408671dfb2601efe03f74
SHA1 e1f446aeb536c657258cce58d0c12fdedcc66260
SHA256 d377700b011fef58eb6c94c465f1b6902d43ff058891290bb37784fc0a261fb1
SHA512 5954220419b652b623ea7811d3dc69c3d2e89f8fdec4ec938a7fd29707014a6ef90b2f592b936ed96730e459008716397350029ff99b47dd0f29dbda664cf867

memory/4624-42-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp

memory/1756-40-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp

C:\Windows\System\slGfwgI.exe

MD5 d2594f38215751c3bf4fc52a6d6d060b
SHA1 ec573ff4255229d2f06617a521c54b2c1bbbf4c3
SHA256 e49d0cf90f71bd3beb7dfaf722623355ee7ca573d38b91aff66f965f837cd0db
SHA512 cae2ab542664676ffa2f02043efa6902bdabc46f334d6bb546b656f8b2e43a362d68fb89ef1801df5fa2e092f99d6abf0941fe5f042f674c217156bb4b7f7ab6

memory/1428-34-0x00007FF644690000-0x00007FF6449E4000-memory.dmp

memory/1836-27-0x00007FF6AE4F0000-0x00007FF6AE844000-memory.dmp

memory/3260-20-0x00007FF7BE140000-0x00007FF7BE494000-memory.dmp

memory/3188-114-0x00007FF7901C0000-0x00007FF790514000-memory.dmp

memory/2448-116-0x00007FF778250000-0x00007FF7785A4000-memory.dmp

memory/3180-118-0x00007FF75C660000-0x00007FF75C9B4000-memory.dmp

memory/1840-120-0x00007FF7809D0000-0x00007FF780D24000-memory.dmp

memory/4968-121-0x00007FF7530F0000-0x00007FF753444000-memory.dmp

memory/3948-122-0x00007FF60A3E0000-0x00007FF60A734000-memory.dmp

memory/2528-123-0x00007FF788B30000-0x00007FF788E84000-memory.dmp

memory/2396-124-0x00007FF74D890000-0x00007FF74DBE4000-memory.dmp

memory/3256-119-0x00007FF7F68B0000-0x00007FF7F6C04000-memory.dmp

memory/2184-117-0x00007FF6E55C0000-0x00007FF6E5914000-memory.dmp

memory/676-115-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp

memory/368-126-0x00007FF68C360000-0x00007FF68C6B4000-memory.dmp

memory/1384-127-0x00007FF6079A0000-0x00007FF607CF4000-memory.dmp

memory/3316-125-0x00007FF659E60000-0x00007FF65A1B4000-memory.dmp

memory/1860-128-0x00007FF6DDF70000-0x00007FF6DE2C4000-memory.dmp

memory/5028-129-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp

memory/1756-130-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp

memory/4624-131-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp

memory/5028-132-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp

memory/800-133-0x00007FF623B20000-0x00007FF623E74000-memory.dmp

memory/3260-134-0x00007FF7BE140000-0x00007FF7BE494000-memory.dmp

memory/1836-135-0x00007FF6AE4F0000-0x00007FF6AE844000-memory.dmp

memory/1428-136-0x00007FF644690000-0x00007FF6449E4000-memory.dmp

memory/1756-137-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp

memory/4624-138-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp

memory/3188-139-0x00007FF7901C0000-0x00007FF790514000-memory.dmp

memory/676-140-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp

memory/3180-143-0x00007FF75C660000-0x00007FF75C9B4000-memory.dmp

memory/2184-142-0x00007FF6E55C0000-0x00007FF6E5914000-memory.dmp

memory/2448-141-0x00007FF778250000-0x00007FF7785A4000-memory.dmp

memory/3256-144-0x00007FF7F68B0000-0x00007FF7F6C04000-memory.dmp

memory/1840-145-0x00007FF7809D0000-0x00007FF780D24000-memory.dmp

memory/2528-148-0x00007FF788B30000-0x00007FF788E84000-memory.dmp

memory/4968-147-0x00007FF7530F0000-0x00007FF753444000-memory.dmp

memory/3948-146-0x00007FF60A3E0000-0x00007FF60A734000-memory.dmp

memory/3316-149-0x00007FF659E60000-0x00007FF65A1B4000-memory.dmp

memory/2396-150-0x00007FF74D890000-0x00007FF74DBE4000-memory.dmp

memory/1384-152-0x00007FF6079A0000-0x00007FF607CF4000-memory.dmp

memory/368-151-0x00007FF68C360000-0x00007FF68C6B4000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 08:50

Reported

2024-06-28 08:53

Platform

win7-20240611-en

Max time kernel

139s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 rows, all N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 rows, all N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (61 rows, all N/A)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DwooMaS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HagIcvB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UclwFBq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eMtxoFk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kaJbDCU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SExfcVm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sEivhSY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zvWbnKD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ppDuoFo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\THtiXBV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZzaAFhZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KyrrqPq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XGorZvQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hGkFAgR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BjkceYV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XTQrhJG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hccrayw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZvWLdpk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dLZIiaG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iXgBgWm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HfsCUSe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kaJbDCU.exe
PID 2372 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\THtiXBV.exe
PID 2372 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XTQrhJG.exe
PID 2372 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SExfcVm.exe
PID 2372 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZzaAFhZ.exe
PID 2372 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hccrayw.exe
PID 2372 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZvWLdpk.exe
PID 2372 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KyrrqPq.exe
PID 2372 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DwooMaS.exe
PID 2372 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XGorZvQ.exe
PID 2372 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HagIcvB.exe
PID 2372 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dLZIiaG.exe
PID 2372 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sEivhSY.exe
PID 2372 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iXgBgWm.exe
PID 2372 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hGkFAgR.exe
PID 2372 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UclwFBq.exe
PID 2372 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HfsCUSe.exe
PID 2372 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BjkceYV.exe
PID 2372 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zvWbnKD.exe
PID 2372 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eMtxoFk.exe
PID 2372 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ppDuoFo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\kaJbDCU.exe

C:\Windows\System\kaJbDCU.exe

C:\Windows\System\THtiXBV.exe

C:\Windows\System\THtiXBV.exe

C:\Windows\System\XTQrhJG.exe

C:\Windows\System\XTQrhJG.exe

C:\Windows\System\SExfcVm.exe

C:\Windows\System\SExfcVm.exe

C:\Windows\System\ZzaAFhZ.exe

C:\Windows\System\ZzaAFhZ.exe

C:\Windows\System\hccrayw.exe

C:\Windows\System\hccrayw.exe

C:\Windows\System\ZvWLdpk.exe

C:\Windows\System\ZvWLdpk.exe

C:\Windows\System\KyrrqPq.exe

C:\Windows\System\KyrrqPq.exe

C:\Windows\System\DwooMaS.exe

C:\Windows\System\DwooMaS.exe

C:\Windows\System\XGorZvQ.exe

C:\Windows\System\XGorZvQ.exe

C:\Windows\System\HagIcvB.exe

C:\Windows\System\HagIcvB.exe

C:\Windows\System\dLZIiaG.exe

C:\Windows\System\dLZIiaG.exe

C:\Windows\System\sEivhSY.exe

C:\Windows\System\sEivhSY.exe

C:\Windows\System\iXgBgWm.exe

C:\Windows\System\iXgBgWm.exe

C:\Windows\System\hGkFAgR.exe

C:\Windows\System\hGkFAgR.exe

C:\Windows\System\UclwFBq.exe

C:\Windows\System\UclwFBq.exe

C:\Windows\System\HfsCUSe.exe

C:\Windows\System\HfsCUSe.exe

C:\Windows\System\BjkceYV.exe

C:\Windows\System\BjkceYV.exe

C:\Windows\System\zvWbnKD.exe

C:\Windows\System\zvWbnKD.exe

C:\Windows\System\eMtxoFk.exe

C:\Windows\System\eMtxoFk.exe

C:\Windows\System\ppDuoFo.exe

C:\Windows\System\ppDuoFo.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files
