Malware Analysis Report

2024-10-24 18:11

Sample ID 240628-kswlca1bmd
Target 2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat
SHA256 33f46ef55469f3ec834da05b32b19fbd2d6dde0cee007399470beae879ea3801
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 33f46ef55469f3ec834da05b32b19fbd2d6dde0cee007399470beae879ea3801

Threat Level: Known bad

The file 2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Tags: miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family (tag: xmrig)
Cobaltstrike
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobalt Strike reflective loader
XMRig Miner payload
Detects Reflective DLL injection artifacts
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-28 08:52

Signatures

For every signature in this static analysis the Description, Indicator, Process and Target columns are recorded as N/A.

Cobalt Strike reflective loader
Cobaltstrike family (tag: cobaltstrike)
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload (tag: miner)
Xmrig family (tag: xmrig)
UPX packed file (tag: upx)
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 08:52

Reported

2024-06-28 08:54

Platform

win7-20240220-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (59 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (61 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows)

Drops file in Windows directory

Description Indicator Process Target

All 21 rows have Description "File created", Process C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe and Target N/A. Indicator (file created) per row:

C:\Windows\System\QLmTKEM.exe
C:\Windows\System\AqBDFJO.exe
C:\Windows\System\oxwEPvy.exe
C:\Windows\System\BlANNKq.exe
C:\Windows\System\DVSMxEq.exe
C:\Windows\System\CXRPSyD.exe
C:\Windows\System\JTwMjCE.exe
C:\Windows\System\CdfWzuY.exe
C:\Windows\System\XXSnQgC.exe
C:\Windows\System\eJPtKCI.exe
C:\Windows\System\LJgomjl.exe
C:\Windows\System\wXLpifw.exe
C:\Windows\System\FlvqaMe.exe
C:\Windows\System\IRJKkrI.exe
C:\Windows\System\kyrsBks.exe
C:\Windows\System\XzukAXA.exe
C:\Windows\System\LCQbLOQ.exe
C:\Windows\System\MipylSz.exe
C:\Windows\System\qyXxwfE.exe
C:\Windows\System\oBxiNGR.exe
C:\Windows\System\PGYNcJM.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target

In every row the Process is C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2192) and the Indicator is N/A. Each target below appears in three consecutive identical rows (three writes per child process); Description and Target per child:

PID 2192 wrote to memory of 1788; Target C:\Windows\System\BlANNKq.exe
PID 2192 wrote to memory of 1036; Target C:\Windows\System\XXSnQgC.exe
PID 2192 wrote to memory of 2532; Target C:\Windows\System\MipylSz.exe
PID 2192 wrote to memory of 2644; Target C:\Windows\System\FlvqaMe.exe
PID 2192 wrote to memory of 2660; Target C:\Windows\System\qyXxwfE.exe
PID 2192 wrote to memory of 2420; Target C:\Windows\System\DVSMxEq.exe
PID 2192 wrote to memory of 2304; Target C:\Windows\System\eJPtKCI.exe
PID 2192 wrote to memory of 2396; Target C:\Windows\System\CXRPSyD.exe
PID 2192 wrote to memory of 2556; Target C:\Windows\System\oBxiNGR.exe
PID 2192 wrote to memory of 2084; Target C:\Windows\System\JTwMjCE.exe
PID 2192 wrote to memory of 776; Target C:\Windows\System\CdfWzuY.exe
PID 2192 wrote to memory of 2616; Target C:\Windows\System\IRJKkrI.exe
PID 2192 wrote to memory of 2700; Target C:\Windows\System\QLmTKEM.exe
PID 2192 wrote to memory of 2836; Target C:\Windows\System\AqBDFJO.exe
PID 2192 wrote to memory of 816; Target C:\Windows\System\oxwEPvy.exe
PID 2192 wrote to memory of 292; Target C:\Windows\System\kyrsBks.exe
PID 2192 wrote to memory of 2276; Target C:\Windows\System\XzukAXA.exe
PID 2192 wrote to memory of 328; Target C:\Windows\System\LJgomjl.exe
PID 2192 wrote to memory of 2176; Target C:\Windows\System\wXLpifw.exe
PID 2192 wrote to memory of 1260; Target C:\Windows\System\PGYNcJM.exe
PID 2192 wrote to memory of 2872; Target C:\Windows\System\LCQbLOQ.exe

Processes

Each entry gives the process image path followed by its command line.

C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe"

For each of the following child processes the command line is identical to the image path:

C:\Windows\System\BlANNKq.exe
C:\Windows\System\XXSnQgC.exe
C:\Windows\System\MipylSz.exe
C:\Windows\System\FlvqaMe.exe
C:\Windows\System\qyXxwfE.exe
C:\Windows\System\DVSMxEq.exe
C:\Windows\System\eJPtKCI.exe
C:\Windows\System\CXRPSyD.exe
C:\Windows\System\oBxiNGR.exe
C:\Windows\System\JTwMjCE.exe
C:\Windows\System\CdfWzuY.exe
C:\Windows\System\IRJKkrI.exe
C:\Windows\System\QLmTKEM.exe
C:\Windows\System\AqBDFJO.exe
C:\Windows\System\oxwEPvy.exe
C:\Windows\System\kyrsBks.exe
C:\Windows\System\XzukAXA.exe
C:\Windows\System\LJgomjl.exe
C:\Windows\System\wXLpifw.exe
C:\Windows\System\PGYNcJM.exe
C:\Windows\System\LCQbLOQ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp (6 identical rows)

Files


C:\Windows\system\wXLpifw.exe

MD5 b91741aa995e99e21eeb4ddbdaae38a2
SHA1 2c3737ebe414b30b8e4d5894860be5f3c9b1e2f4
SHA256 ff5820e6b0c7e505d69da86603c7bded5c78d766984c7eec74e8b75680f3a123
SHA512 0f0bdaf231de0815f329267c56543ad9d2b366dbfa14adaf7ba16775a392fd8f0f93ede6726491c9feccf8b8df4b56d75cc33aebddf4b7191d8b448b4c2d5dd7

C:\Windows\system\XzukAXA.exe

MD5 769823eafaa828bf4b00a83447c3ea10
SHA1 71841e5622cb78b30aa2928ea5eadd1f452081c0
SHA256 a68bbdad13fad18afb39b7fcf1e9378ab240e7ddadbbd16d2e605e7aa418b234
SHA512 cddeffddaf2b5702573b74fb19881f3ce68c3ba5de4940805ee4bc08c60afa2c4e3b218ae21302a418415ecd3ff48789187c980acccab26f3a14af2799818777

memory/2192-102-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2556-136-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2192-137-0x00000000021A0000-0x00000000024F4000-memory.dmp

memory/2084-138-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/2192-139-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/776-140-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/2192-141-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2192-142-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2700-143-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2836-144-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2192-145-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/1788-146-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/1036-147-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2532-148-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2644-149-0x000000013F890000-0x000000013FBE4000-memory.dmp

memory/2420-150-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/2660-151-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2304-152-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2396-153-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2556-154-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2084-155-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/776-156-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/2616-157-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2700-158-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2836-159-0x000000013F1C0000-0x000000013F514000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 08:52

Reported

2024-06-28 08:54

Platform

win10v2004-20240611-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HAHxnPc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ADolDPm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RVXkMXJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VJTtWjq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LDMbNjD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uifkavW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MhAMemt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dhvpRfu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LiYLJmT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZgyvXZV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ntpelzu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GBhLKUf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jlrCadd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZOarXqV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BTWzRya.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EJancyI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vjHhIUw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KFFbnBa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mygkGPX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AjwakiQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DyMvSyK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1020 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LiYLJmT.exe
PID 1020 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZgyvXZV.exe
PID 1020 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EJancyI.exe
PID 1020 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ntpelzu.exe
PID 1020 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vjHhIUw.exe
PID 1020 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KFFbnBa.exe
PID 1020 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HAHxnPc.exe
PID 1020 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GBhLKUf.exe
PID 1020 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mygkGPX.exe
PID 1020 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ADolDPm.exe
PID 1020 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RVXkMXJ.exe
PID 1020 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AjwakiQ.exe
PID 1020 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jlrCadd.exe
PID 1020 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZOarXqV.exe
PID 1020 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dhvpRfu.exe
PID 1020 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MhAMemt.exe
PID 1020 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VJTtWjq.exe
PID 1020 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DyMvSyK.exe
PID 1020 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LDMbNjD.exe
PID 1020 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BTWzRya.exe
PID 1020 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uifkavW.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\LiYLJmT.exe

C:\Windows\System\LiYLJmT.exe

C:\Windows\System\ZgyvXZV.exe

C:\Windows\System\ZgyvXZV.exe

C:\Windows\System\EJancyI.exe

C:\Windows\System\EJancyI.exe

C:\Windows\System\ntpelzu.exe

C:\Windows\System\ntpelzu.exe

C:\Windows\System\vjHhIUw.exe

C:\Windows\System\vjHhIUw.exe

C:\Windows\System\KFFbnBa.exe

C:\Windows\System\KFFbnBa.exe

C:\Windows\System\HAHxnPc.exe

C:\Windows\System\HAHxnPc.exe

C:\Windows\System\GBhLKUf.exe

C:\Windows\System\GBhLKUf.exe

C:\Windows\System\mygkGPX.exe

C:\Windows\System\mygkGPX.exe

C:\Windows\System\ADolDPm.exe

C:\Windows\System\ADolDPm.exe

C:\Windows\System\RVXkMXJ.exe

C:\Windows\System\RVXkMXJ.exe

C:\Windows\System\AjwakiQ.exe

C:\Windows\System\AjwakiQ.exe

C:\Windows\System\jlrCadd.exe

C:\Windows\System\jlrCadd.exe

C:\Windows\System\ZOarXqV.exe

C:\Windows\System\ZOarXqV.exe

C:\Windows\System\dhvpRfu.exe

C:\Windows\System\dhvpRfu.exe

C:\Windows\System\MhAMemt.exe

C:\Windows\System\MhAMemt.exe

C:\Windows\System\VJTtWjq.exe

C:\Windows\System\VJTtWjq.exe

C:\Windows\System\DyMvSyK.exe

C:\Windows\System\DyMvSyK.exe

C:\Windows\System\LDMbNjD.exe

C:\Windows\System\LDMbNjD.exe

C:\Windows\System\BTWzRya.exe

C:\Windows\System\BTWzRya.exe

C:\Windows\System\uifkavW.exe

C:\Windows\System\uifkavW.exe

Network

Files
