Malware Analysis Report

2024-10-24 18:11

Sample ID 240628-kwnd5stfjl
Target 2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat
SHA256 b6e7b8e1d526534e6fea86caa155154b8377c5caee9f4588ae50af87d87842ef
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b6e7b8e1d526534e6fea86caa155154b8377c5caee9f4588ae50af87d87842ef

Threat Level: Known bad

The file 2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

Cobaltstrike family

xmrig

Cobaltstrike

Detects Reflective DLL injection artifacts

Xmrig family

XMRig Miner payload

Cobalt Strike reflective loader

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-28 08:57

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 08:57

Reported

2024-06-28 08:59

Platform

win7-20240221-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 rows, all N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 rows, all N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(58 rows, all N/A)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(61 rows, all N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(58 rows, all N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\Cxazprn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wCjDfSj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GSKTtCF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VAFquol.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AKushRZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yDXbGqn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rVLFcGY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MHpmsuV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RzeecdL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LQdDLvJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uxEvXnP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hwKSfWz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IJQHAuw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NFDMZUu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WnsIFbV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aceeiQL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wXlnsUD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YWxWZZT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vfLtssc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UpjWaYb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uqdBvir.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MHpmsuV.exe
PID 2060 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RzeecdL.exe
PID 2060 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LQdDLvJ.exe
PID 2060 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NFDMZUu.exe
PID 2060 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uxEvXnP.exe
PID 2060 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hwKSfWz.exe
PID 2060 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Cxazprn.exe
PID 2060 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WnsIFbV.exe
PID 2060 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wCjDfSj.exe
PID 2060 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YWxWZZT.exe
PID 2060 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aceeiQL.exe
PID 2060 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GSKTtCF.exe
PID 2060 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VAFquol.exe
PID 2060 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AKushRZ.exe
PID 2060 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vfLtssc.exe
PID 2060 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UpjWaYb.exe
PID 2060 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IJQHAuw.exe
PID 2060 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uqdBvir.exe
PID 2060 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yDXbGqn.exe
PID 2060 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rVLFcGY.exe
PID 2060 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wXlnsUD.exe
(each of the 21 rows was recorded three times)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\MHpmsuV.exe

C:\Windows\System\MHpmsuV.exe

C:\Windows\System\RzeecdL.exe

C:\Windows\System\RzeecdL.exe

C:\Windows\System\LQdDLvJ.exe

C:\Windows\System\LQdDLvJ.exe

C:\Windows\System\NFDMZUu.exe

C:\Windows\System\NFDMZUu.exe

C:\Windows\System\uxEvXnP.exe

C:\Windows\System\uxEvXnP.exe

C:\Windows\System\hwKSfWz.exe

C:\Windows\System\hwKSfWz.exe

C:\Windows\System\Cxazprn.exe

C:\Windows\System\Cxazprn.exe

C:\Windows\System\WnsIFbV.exe

C:\Windows\System\WnsIFbV.exe

C:\Windows\System\wCjDfSj.exe

C:\Windows\System\wCjDfSj.exe

C:\Windows\System\YWxWZZT.exe

C:\Windows\System\YWxWZZT.exe

C:\Windows\System\aceeiQL.exe

C:\Windows\System\aceeiQL.exe

C:\Windows\System\GSKTtCF.exe

C:\Windows\System\GSKTtCF.exe

C:\Windows\System\VAFquol.exe

C:\Windows\System\VAFquol.exe

C:\Windows\System\AKushRZ.exe

C:\Windows\System\AKushRZ.exe

C:\Windows\System\vfLtssc.exe

C:\Windows\System\vfLtssc.exe

C:\Windows\System\UpjWaYb.exe

C:\Windows\System\UpjWaYb.exe

C:\Windows\System\IJQHAuw.exe

C:\Windows\System\IJQHAuw.exe

C:\Windows\System\uqdBvir.exe

C:\Windows\System\uqdBvir.exe

C:\Windows\System\yDXbGqn.exe

C:\Windows\System\yDXbGqn.exe

C:\Windows\System\rVLFcGY.exe

C:\Windows\System\rVLFcGY.exe

C:\Windows\System\wXlnsUD.exe

C:\Windows\System\wXlnsUD.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(6 identical connections)

Files

memory/2060-0-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2060-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\MHpmsuV.exe

MD5 50bf4460f112953c94fe2c9f917e8c00
SHA1 7ff5ce5db6e55c9367e569c9e1dcb07a426efdda
SHA256 dabf4815de2d3bcc2f0a5751a45bd728747810e4911795fc5b2e031b6a170067
SHA512 0ddf8b1f4e08dee982ba831042cb1b92bcce8914cfad99279876e6c88f0c121e7b7602fd772a2b1b12faa8149fd7e6d9b81424623992444f39698587349e0ac3

memory/2060-7-0x0000000002230000-0x0000000002584000-memory.dmp

memory/1708-9-0x000000013FFB0000-0x0000000140304000-memory.dmp

\Windows\system\RzeecdL.exe

MD5 8cbb926f903dd9a3dacc74c077cc11b9
SHA1 5bb3b62d7379694709c295e5ff2b60996babbf47
SHA256 b387131428a13c9b293dcfabeacb260c70b4464d76e40e28e301a50cc5fb1efd
SHA512 3bee3c229185cf4a70217bffbcc6918a0a11073aa91629f800a28a1807b3b69991951a545e6b600b87fbfbe4cb9097a23db7f09342c498bff32c1b94067d9269

memory/2540-23-0x000000013F210000-0x000000013F564000-memory.dmp

memory/2060-31-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/2664-29-0x000000013F580000-0x000000013F8D4000-memory.dmp

\Windows\system\uxEvXnP.exe

MD5 184849a10085de62283f3eb5319ce23c
SHA1 689ab107d24cf34af57396d7340f9ac899ab94f0
SHA256 5198b98270a7e18cf8a36aa1fb3bb6ecfa0906a7bb4679f11627c6e1193df45d
SHA512 a06e3d987af141c91cee3a53f37de89390a5f6107bc06d2749053472776085d880089539421c8e5be6184f231b189c79c564dcc60a334d85ce951e6b736026b7

memory/2060-28-0x000000013F580000-0x000000013F8D4000-memory.dmp

C:\Windows\system\NFDMZUu.exe

MD5 ebfc7e93ef375529b9b01368dbbe7b0b
SHA1 96983fe23be02c77eab2e2b83a17d1bb53bba6c8
SHA256 e8bb40c1cb52a75dad4aa9b549f156a55391311021a924f4b978a54e37aa53fd
SHA512 3038d038298667dffc516edbd10b3e630834c8ca302dcf4f1ebe8b605bc1c0329b533b709578bede6b176222481cb41e41acd6ba7236b400708f1ac1a31e0821

memory/2060-21-0x000000013F210000-0x000000013F564000-memory.dmp

memory/2620-15-0x000000013FC60000-0x000000013FFB4000-memory.dmp

C:\Windows\system\LQdDLvJ.exe

MD5 0adcc2c8acad3131146e03f671b92bab
SHA1 5fc109f374331768cc41ae343194848f40d22ecf
SHA256 2357d140c484e7b47e6f78e0ef162d9572a74f1bf847bef186ecd19a51bd35ac
SHA512 4b514f3f1bbae0153d720731121411db2f8f56302e5ebd56a965638024371d4c49da875f289a11e5cbcdbc78b848374487f543aac02c90e93fd6b147ea5e9607

memory/2060-14-0x0000000002230000-0x0000000002584000-memory.dmp

memory/2836-36-0x000000013F660000-0x000000013F9B4000-memory.dmp

C:\Windows\system\Cxazprn.exe

MD5 08e114764500a943daebaee780ebc3d9
SHA1 11c64a8d706769f03fca90507932ea381e36c787
SHA256 c644810fd8b813fe7e629c4f9f0ab1de5f57fdf0372b7e6010bc631a7f901db1
SHA512 4e3c0ae4b65120356a91885308c24541dbc2b4ca89192766476559558248590a1b42f071352bd373184f02cbf3aada2a20e7eb2ccd630945f46b09e2a0b6e982

memory/2960-51-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2060-57-0x0000000002230000-0x0000000002584000-memory.dmp

C:\Windows\system\YWxWZZT.exe

MD5 acf8e1daf304d380e4e719d735b7f4f7
SHA1 e8965176828973938c0c59147e642bdf25b2893f
SHA256 dbbdfbc6d58a6a5cbc537a6aaca5c5cbef837860591243942956927a85149cca
SHA512 735acd26b5372ab96461c53e202298d3b9b3726aeeeb9a42ce7a3e8054664dd6922a5cfa49eb60eb88d69652b3a098e4a89fb96f8d62df28a94ec99dc6ee365b

memory/2964-73-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/1800-81-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2540-87-0x000000013F210000-0x000000013F564000-memory.dmp

memory/2772-97-0x000000013F190000-0x000000013F4E4000-memory.dmp

C:\Windows\system\IJQHAuw.exe

MD5 6cb37ee073cca003df738c6f7061643a
SHA1 039389a3cef0d8b647254bc9b3162027614cf910
SHA256 96a49d9fd3cfd04d63c48be25ed2f1a2c0b0e9e1608f136941406674dbee5231
SHA512 235c91a34b209bd41a6675a7b824a5f676126328bd4a6e6c8622bdd418040f41386b43e0307f5a9b73d2f7271ce6bf28b98ec24300ebd32746fdcac467924642

C:\Windows\system\wXlnsUD.exe

MD5 08b6e98468a63768175e751d1de0fdee
SHA1 f3adec2a3e5ba96eb85a72d789784db1ffec5b7d
SHA256 42ce6e2938cefdbaa70f0d02d4a3d0229dadb791e2dd846b356a349003be6308

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 08:57

Reported

2024-06-28 08:59

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\trYiPPs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OThCdDh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ylpHNBe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hUfZsFj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yMBjtUl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nUJqVEE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ogTQsvj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jzYmbnd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DUEdZLp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WAhNSjE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MfewGKo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AQHJNjI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HKhzDpo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vPYVTuH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qAiidTl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\thyFzYj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mBdpTIJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VTNyalh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cRKvRXj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AaxlnpQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sBMQtcZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4056 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cRKvRXj.exe
PID 4056 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cRKvRXj.exe
PID 4056 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AaxlnpQ.exe
PID 4056 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AaxlnpQ.exe
PID 4056 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OThCdDh.exe
PID 4056 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OThCdDh.exe
PID 4056 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DUEdZLp.exe
PID 4056 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DUEdZLp.exe
PID 4056 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WAhNSjE.exe
PID 4056 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WAhNSjE.exe
PID 4056 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AQHJNjI.exe
PID 4056 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AQHJNjI.exe
PID 4056 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sBMQtcZ.exe
PID 4056 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sBMQtcZ.exe
PID 4056 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MfewGKo.exe
PID 4056 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MfewGKo.exe
PID 4056 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yMBjtUl.exe
PID 4056 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yMBjtUl.exe
PID 4056 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vPYVTuH.exe
PID 4056 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vPYVTuH.exe
PID 4056 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qAiidTl.exe
PID 4056 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qAiidTl.exe
PID 4056 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ylpHNBe.exe
PID 4056 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ylpHNBe.exe
PID 4056 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\thyFzYj.exe
PID 4056 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\thyFzYj.exe
PID 4056 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mBdpTIJ.exe
PID 4056 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mBdpTIJ.exe
PID 4056 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hUfZsFj.exe
PID 4056 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hUfZsFj.exe
PID 4056 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VTNyalh.exe
PID 4056 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VTNyalh.exe
PID 4056 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nUJqVEE.exe
PID 4056 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nUJqVEE.exe
PID 4056 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ogTQsvj.exe
PID 4056 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ogTQsvj.exe
PID 4056 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jzYmbnd.exe
PID 4056 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jzYmbnd.exe
PID 4056 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HKhzDpo.exe
PID 4056 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HKhzDpo.exe
PID 4056 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\trYiPPs.exe
PID 4056 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\trYiPPs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\cRKvRXj.exe

C:\Windows\System\cRKvRXj.exe

C:\Windows\System\AaxlnpQ.exe

C:\Windows\System\AaxlnpQ.exe

C:\Windows\System\OThCdDh.exe

C:\Windows\System\OThCdDh.exe

C:\Windows\System\DUEdZLp.exe

C:\Windows\System\DUEdZLp.exe

C:\Windows\System\WAhNSjE.exe

C:\Windows\System\WAhNSjE.exe

C:\Windows\System\AQHJNjI.exe

C:\Windows\System\AQHJNjI.exe

C:\Windows\System\sBMQtcZ.exe

C:\Windows\System\sBMQtcZ.exe

C:\Windows\System\MfewGKo.exe

C:\Windows\System\MfewGKo.exe

C:\Windows\System\yMBjtUl.exe

C:\Windows\System\yMBjtUl.exe

C:\Windows\System\vPYVTuH.exe

C:\Windows\System\vPYVTuH.exe

C:\Windows\System\qAiidTl.exe

C:\Windows\System\qAiidTl.exe

C:\Windows\System\ylpHNBe.exe

C:\Windows\System\ylpHNBe.exe

C:\Windows\System\thyFzYj.exe

C:\Windows\System\thyFzYj.exe

C:\Windows\System\mBdpTIJ.exe

C:\Windows\System\mBdpTIJ.exe

C:\Windows\System\hUfZsFj.exe

C:\Windows\System\hUfZsFj.exe

C:\Windows\System\VTNyalh.exe

C:\Windows\System\VTNyalh.exe

C:\Windows\System\nUJqVEE.exe

C:\Windows\System\nUJqVEE.exe

C:\Windows\System\ogTQsvj.exe

C:\Windows\System\ogTQsvj.exe

C:\Windows\System\jzYmbnd.exe

C:\Windows\System\jzYmbnd.exe

C:\Windows\System\HKhzDpo.exe

C:\Windows\System\HKhzDpo.exe

C:\Windows\System\trYiPPs.exe

C:\Windows\System\trYiPPs.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
BE 88.221.83.232:443 www.bing.com tcp
US 8.8.8.8:53 232.83.221.88.in-addr.arpa udp
BE 88.221.83.232:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
