Malware Analysis Report

2024-10-24 18:11

Sample ID 240629-hyehxatalh
Target 2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat
SHA256 926b0754561e66c80d9fcb2e21990f0679311998321c9faf77a31ef0c6dbd816
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

926b0754561e66c80d9fcb2e21990f0679311998321c9faf77a31ef0c6dbd816

Threat Level: Known bad

The file 2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Signature matches, with the duplicates from the static and behavioral runs collapsed into one list:

Cobaltstrike family

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Note that the Cobalt Strike and XMRig family verdicts come from signature matches whose indicator rows are not rendered in this export (no beacon config, pool address or wallet is shown), and the "poet-rat" label appears only in the submitted filename, not in any signature. Treat the family attribution as sandbox-asserted until the dropped files are unpacked and inspected.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-29 07:08

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 07:08

Reported

2024-06-29 07:11

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches reported; indicator details are not rendered in this export)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 matches reported; indicator details are not rendered in this export)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(64 matches reported; indicator details are not rendered in this export)

XMRig Miner payload

miner
Description Indicator Process Target
(64 matches reported; indicator details are not rendered in this export)

UPX packed file

upx
Description Indicator Process Target
(64 matches reported; indicator details are not rendered in this export)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wLIArfx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NiNheSx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ihnOzGP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DzBHtco.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MQMUiDJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZcWMmoD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aHDWJPg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eooMBWG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XlbRKFl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uVsaSvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DdRwUTn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RqOMMTO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qFeyUiI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IgcMpER.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lJxUhOb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PdNuTRn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HUFBdeS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rVNMZpm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pwCaugY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zLRtbAJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\InwFwRV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Every target in this table is one of the parent's own dropped copies (compare the Target column with the "Drops file in Windows directory" table), and each child receives exactly two writes from PID 3040. Read these rows as the drop-and-launch chain of the loader, not as injection into unrelated processes.

Description Indicator Process Target
PID 3040 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DzBHtco.exe
PID 3040 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DzBHtco.exe
PID 3040 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lJxUhOb.exe
PID 3040 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lJxUhOb.exe
PID 3040 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MQMUiDJ.exe
PID 3040 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MQMUiDJ.exe
PID 3040 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZcWMmoD.exe
PID 3040 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZcWMmoD.exe
PID 3040 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aHDWJPg.exe
PID 3040 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aHDWJPg.exe
PID 3040 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eooMBWG.exe
PID 3040 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eooMBWG.exe
PID 3040 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PdNuTRn.exe
PID 3040 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PdNuTRn.exe
PID 3040 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wLIArfx.exe
PID 3040 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wLIArfx.exe
PID 3040 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zLRtbAJ.exe
PID 3040 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zLRtbAJ.exe
PID 3040 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DdRwUTn.exe
PID 3040 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DdRwUTn.exe
PID 3040 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RqOMMTO.exe
PID 3040 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RqOMMTO.exe
PID 3040 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HUFBdeS.exe
PID 3040 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HUFBdeS.exe
PID 3040 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NiNheSx.exe
PID 3040 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NiNheSx.exe
PID 3040 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qFeyUiI.exe
PID 3040 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qFeyUiI.exe
PID 3040 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\InwFwRV.exe
PID 3040 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\InwFwRV.exe
PID 3040 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rVNMZpm.exe
PID 3040 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rVNMZpm.exe
PID 3040 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pwCaugY.exe
PID 3040 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pwCaugY.exe
PID 3040 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IgcMpER.exe
PID 3040 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IgcMpER.exe
PID 3040 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ihnOzGP.exe
PID 3040 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ihnOzGP.exe
PID 3040 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XlbRKFl.exe
PID 3040 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XlbRKFl.exe
PID 3040 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uVsaSvc.exe
PID 3040 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uVsaSvc.exe
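The two tables above are most useful when correlated: each "File created" row should have a matching pair of memory writes from PID 3040 into the process that file was launched as, and every dropped name follows the same scheme (seven alphabetic characters plus .exe directly under C:\Windows\System). The following is an added example, not code from the sandbox vendor or from this report, that parses rows in the column layout shown above and builds that chain. It assumes the tab-free, space-separated layout of this export; the embedded rows are copied from the tables above (a subset), except that the write rows for ZcWMmoD.exe are deliberately left out so the "created but not launched" branch is exercised.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The sample's own path, as it appears in the Process column of the report.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Subset of rows copied from the two tables above. ZcWMmoD.exe's two write
# rows are intentionally omitted here to exercise the unexecuted-drop branch.
REPORT_ROWS = f"""\
File created C:\\Windows\\System\\wLIArfx.exe {PARENT} N/A
File created C:\\Windows\\System\\DzBHtco.exe {PARENT} N/A
File created C:\\Windows\\System\\lJxUhOb.exe {PARENT} N/A
File created C:\\Windows\\System\\MQMUiDJ.exe {PARENT} N/A
File created C:\\Windows\\System\\ZcWMmoD.exe {PARENT} N/A
PID 3040 wrote to memory of 3668 N/A {PARENT} C:\\Windows\\System\\DzBHtco.exe
PID 3040 wrote to memory of 3668 N/A {PARENT} C:\\Windows\\System\\DzBHtco.exe
PID 3040 wrote to memory of 3968 N/A {PARENT} C:\\Windows\\System\\lJxUhOb.exe
PID 3040 wrote to memory of 3968 N/A {PARENT} C:\\Windows\\System\\lJxUhOb.exe
PID 3040 wrote to memory of 4164 N/A {PARENT} C:\\Windows\\System\\MQMUiDJ.exe
PID 3040 wrote to memory of 4164 N/A {PARENT} C:\\Windows\\System\\MQMUiDJ.exe
PID 3040 wrote to memory of 216 N/A {PARENT} C:\\Windows\\System\\wLIArfx.exe
PID 3040 wrote to memory of 216 N/A {PARENT} C:\\Windows\\System\\wLIArfx.exe
"""

DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<creator>\S+) (?P<target>\S+)$")
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<proc>\S+) (?P<target>\S+)$"
)
# Naming scheme every drop in this report follows: 7 letters + .exe under C:\Windows\System.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


@dataclass
class Drop:
    path: str
    creator: str
    child_pid: Optional[int] = None   # PID the parent wrote into after launching this file
    write_count: int = 0              # number of WriteProcessMemory rows targeting it

    @property
    def random_name(self) -> bool:
        return RANDOM_NAME_RE.match(self.path) is not None


def parse_rows(text: str) -> Dict[str, Drop]:
    """Correlate 'File created' rows with the memory writes whose Target is the same path."""
    drops: Dict[str, Drop] = {}
    writes: Dict[str, List[int]] = defaultdict(list)
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if m:
            drops[m["path"]] = Drop(path=m["path"], creator=m["creator"])
            continue
        m = WRITE_RE.match(line)
        if m:
            writes[m["target"]].append(int(m["dst"]))
    for path, pids in writes.items():
        drop = drops.get(path)
        if drop is None:
            # Written into but never seen being created: flag rather than drop silently.
            drops[path] = drop = Drop(path=path, creator="?")
        drop.child_pid = pids[0]
        drop.write_count = len(pids)
    return drops


def drop_and_launch_chain(text: str) -> List[Tuple[str, int, int]]:
    """(path, child pid, write count) for every drop the parent also wrote into."""
    return sorted((d.path, d.child_pid, d.write_count)
                  for d in parse_rows(text).values() if d.child_pid is not None)


def unexecuted_drops(text: str) -> List[str]:
    """Drops with no matching memory write: created but not launched within the run."""
    return sorted(d.path for d in parse_rows(text).values() if d.child_pid is None)


def all_random_names(text: str) -> bool:
    """True when every dropped path matches the 7-letter scheme, i.e. a hunt regex is safe to use."""
    return all(d.random_name for d in parse_rows(text).values())


if __name__ == "__main__":
    for path, pid, n in drop_and_launch_chain(REPORT_ROWS):
        print(f"{path} -> PID {pid} ({n} writes)")
    print("not launched:", unexecuted_drops(REPORT_ROWS))
    print("uniform naming scheme:", all_random_names(REPORT_ROWS))
```

Run against the full tables, the chain has 21 entries with two writes each, which is what the "Executes dropped EXE" verdict in the summary rests on. The `RANDOM_NAME_RE` pattern is the part worth lifting into a hunt: legitimate installers do not place seven-letter mixed-case executables directly in C:\Windows\System.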

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\DzBHtco.exe

C:\Windows\System\DzBHtco.exe

C:\Windows\System\lJxUhOb.exe

C:\Windows\System\lJxUhOb.exe

C:\Windows\System\MQMUiDJ.exe

C:\Windows\System\MQMUiDJ.exe

C:\Windows\System\ZcWMmoD.exe

C:\Windows\System\ZcWMmoD.exe

C:\Windows\System\aHDWJPg.exe

C:\Windows\System\aHDWJPg.exe

C:\Windows\System\eooMBWG.exe

C:\Windows\System\eooMBWG.exe

C:\Windows\System\PdNuTRn.exe

C:\Windows\System\PdNuTRn.exe

C:\Windows\System\wLIArfx.exe

C:\Windows\System\wLIArfx.exe

C:\Windows\System\zLRtbAJ.exe

C:\Windows\System\zLRtbAJ.exe

C:\Windows\System\DdRwUTn.exe

C:\Windows\System\DdRwUTn.exe

C:\Windows\System\RqOMMTO.exe

C:\Windows\System\RqOMMTO.exe

C:\Windows\System\HUFBdeS.exe

C:\Windows\System\HUFBdeS.exe

C:\Windows\System\NiNheSx.exe

C:\Windows\System\NiNheSx.exe

C:\Windows\System\qFeyUiI.exe

C:\Windows\System\qFeyUiI.exe

C:\Windows\System\InwFwRV.exe

C:\Windows\System\InwFwRV.exe

C:\Windows\System\rVNMZpm.exe

C:\Windows\System\rVNMZpm.exe

C:\Windows\System\pwCaugY.exe

C:\Windows\System\pwCaugY.exe

C:\Windows\System\IgcMpER.exe

C:\Windows\System\IgcMpER.exe

C:\Windows\System\ihnOzGP.exe

C:\Windows\System\ihnOzGP.exe

C:\Windows\System\XlbRKFl.exe

C:\Windows\System\XlbRKFl.exe

C:\Windows\System\uVsaSvc.exe

C:\Windows\System\uVsaSvc.exe

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 - tcp 6
US 52.111.229.43:443 - tcp 1

No domain is recorded for either destination. Six connections within a 150 s run to the same direct IP on 8080, with no DNS lookup, is the shape of a beacon check-in loop and is the destination worth pivoting on; 3.120.0.0/14 is an Amazon AWS range, which fits the DE geolocation (Frankfurt region). 52.111.229.43 sits in Microsoft-advertised address space, and a single TLS connection there from a Windows 10 sandbox image is most plausibly background OS or Office traffic; do not treat it as an IOC without corroboration.

Files

memory/3040-0-0x00007FF7EB210000-0x00007FF7EB564000-memory.dmp

memory/3040-1-0x0000015EFD190000-0x0000015EFD1A0000-memory.dmp

C:\Windows\System\DzBHtco.exe

MD5 9a39609e131b62597647b94ab28c9ad2
SHA1 3bc5f54290cb2582e268133e72ba4d08a2bc4b3e
SHA256 1cd38c05ee4c655bed869637d61e24f7e8a2a369ca0496a2f7444bd7d6adc3e0
SHA512 11eb49858fae24a4fe7b4dca9c599a84953da1acaf171e568a25414fe257964967fda4b07f63f7de33f98d89b71a3c9f3341367016300fc0e73f0021b6e7a664

C:\Windows\System\lJxUhOb.exe

MD5 125ff3c5a4052c2c4bda1acab0f2f2e5
SHA1 dfa37f96b02bd5543cca820b6c39881de31939ed
SHA256 550606fb3cb6636142ae7da29fd8ba850a831b6f7368eadbe8285e3e6e1eb938
SHA512 5a972b90931d4d0becfd80c3c4d395156e85951c032aacc80b9a2c0cd8436375756c2edee5318b124fcee1c1c1516d36d63e3bd3417cddb9051a027e675dbb3a

C:\Windows\System\MQMUiDJ.exe

MD5 d9288c76989f2e5da80a067ed415603a
SHA1 1bfbb3ac32b77719ed2b90869373db024115c7a5
SHA256 7eab711018e15aad6a711472d74112e7d0bfc6ca56a52125aae63ef756665865
SHA512 42818a5f8485e0646b496002e9952d02755f47188f415aca45286e88487f37c3c45f5096cd5a91b41b637ca3c117b7bab3cba203d8c40dfe652900a4e84b5a6d

C:\Windows\System\eooMBWG.exe

MD5 a44f6587a6cf04724b7202782b39041b
SHA1 b5cf0a3f57ccb7e97efa5cfa549a1c81f5365ae1
SHA256 b05ac91461e6bd23dae30e09d430ec632e25ca60eecf1352ba0ce4978d57dfa3
SHA512 acf6cb87fb55705a2e8b62aed07a1db74ebb4f8dec25413611d4400e50c996506c98b489bd8cecb87a5007cbfdf7150320772744c1b0346149165570db254b77

memory/4172-41-0x00007FF73E200000-0x00007FF73E554000-memory.dmp

C:\Windows\System\PdNuTRn.exe

MD5 556e65a6024dfaac37dcd3b0e989d437
SHA1 e9f647c46ad4a8ade865b6f1a078c73c4477c2a5
SHA256 7acadd29e47c892651e9a9b3947e5454ebd34e926a90fec55dd0aa03e472faa7
SHA512 1ecdc7e6f4a260074f3178a338bf0a79fff2a0c5fb18e437646699bb69c77252c37512161445b0032dad890abe4d250efda713a295fce6105e5682dfb293b70d

memory/216-48-0x00007FF6093C0000-0x00007FF609714000-memory.dmp

memory/1836-44-0x00007FF6AA070000-0x00007FF6AA3C4000-memory.dmp

C:\Windows\System\wLIArfx.exe

MD5 693aed710a094c72314f43ebc1f17e68
SHA1 687b5d3739cf7ab91cfa95752ae680ae6d382634
SHA256 5a5086a0a18c960b94e663bfb8d1bf0468eaf872539f576a0b05148945a8729e
SHA512 8d673e61a6b706aaf81379becc2161467faa17b630e3fde400f0ca31639da75cd1016593a0ba9a800bf8b682ec21120423aa6f57980e7aa3a82b266344d313d9

C:\Windows\System\aHDWJPg.exe

MD5 b298724441c387779a9c76230e09a2ac
SHA1 81cd5563239fac3e19a43153c63a187b718890a5
SHA256 1b4bb1b1c2741453f847f91df978f35a493a665f9bf90754d5698474a2bfc634
SHA512 ed63b959d2f16e8dfe27f1f7408d9e7750001ded9472b258c58adf0662b1063d5fa8f04304afcc91f03daa5a5f7892bf2413406c6f7303ddcb9a31ae3e747133

memory/3704-30-0x00007FF7B0890000-0x00007FF7B0BE4000-memory.dmp

C:\Windows\System\ZcWMmoD.exe

MD5 f2443f7b1f979eb455729f4a7e5beee8
SHA1 b2f4d51e17a7a2f78fe8eaeebfd6fb69db93fa70
SHA256 c89432a27166236b607573de8291bd79e37356bd15adf7c89629c21fee2081ce
SHA512 a87690df6b7699ec5a1cb4f18ee28fb5c225c33fe4d155cd42a49ad276d3036ad29732e09c851053de017f9fee3f5217b9b2ef1497def8933bd102281cc11e03

memory/3012-22-0x00007FF698800000-0x00007FF698B54000-memory.dmp

memory/3968-21-0x00007FF6D6670000-0x00007FF6D69C4000-memory.dmp

memory/4164-19-0x00007FF675D30000-0x00007FF676084000-memory.dmp

memory/3668-18-0x00007FF677010000-0x00007FF677364000-memory.dmp

C:\Windows\System\zLRtbAJ.exe

MD5 67e7eb9e779bcfe4d1a5caade147c1bd
SHA1 fd193ac90ef74d7e378adc06d817e649b05f9632
SHA256 de2e134cf8446d9ba7118d8e455fba4dbb6a1c00cb029a787df6f2b7967e2b81
SHA512 f6d1b7c3d58bdd341184db154628d284b84313f256d4ef53dbe0bc4d0ec3029cd77294bf660af41953c1af04eaf457892d0c6e355877efe791c340cf085f5c66

memory/1492-56-0x00007FF7959D0000-0x00007FF795D24000-memory.dmp

C:\Windows\System\DdRwUTn.exe

MD5 54aa8434bf025352a8c981f7448e2b47
SHA1 fd7c657ddea97a6b8693b24fa8d5eb00a500ae3c
SHA256 308882925ef12019d5109696a810047f339027193902a7311a8f5c765c688d0b
SHA512 9b950f3af68236675fa0ebe91285703633049fbf2995b0edaa3b9a5b21019fa391735bfa47380e3b87fd63a1f2749ec66cc7d3b96c16a25ae141d3cb8c3edd13

C:\Windows\System\NiNheSx.exe

MD5 3d3440c6620b4e1f05e572553d57b243
SHA1 f8dcb06e160284f164ca6b7846101505506a3ed9
SHA256 c58a1496eca055d5f57b7c6ce8ce68b92930ec63028943a6f99124c2e1e96f7f
SHA512 205931ed421b989ae6d5a5c058bdbd84047ca62546fa4048317e81db3523a73d5f9f8b718bba544712017ea13dc17f089033207156a6812329f652d01e577404

memory/2020-74-0x00007FF683F70000-0x00007FF6842C4000-memory.dmp

C:\Windows\System\RqOMMTO.exe

MD5 16b068a0d43508f370fdf0595a9b8fd3
SHA1 5b8bc9f3d785c0f293a4ac90f44fcc54bfcae9f8
SHA256 d72312c44c6892ac460eb2684734af7b18276a2aa1372b6cff403628c3abf8bc
SHA512 149f07d0e3202200342a40379344101027726439a306a01f8272683013cba35c45091f60121cf8f8bc3b06bcb547ac5e9dbdb3fbfc8c4a4ceff042ad5e48b49d

C:\Windows\System\qFeyUiI.exe

MD5 7ca05e48a185c7a55b0d54ceb90bb000
SHA1 e4d26f033102a15d29f84a0b26df9d3f99e7be83
SHA256 7fc2e9b860b3060a6431bd7734e4ae9e61bd9a1a8531a36d68d034e894c1303d
SHA512 6ec343ce82939c0ee481630684454c6cbcc03e6f8111a9d1581d4830f615d410c710f9c7272a36678fca8436f9747d68e81ca57f8d008e6057757a76376100f9

memory/3256-84-0x00007FF6628E0000-0x00007FF662C34000-memory.dmp

memory/2016-80-0x00007FF648930000-0x00007FF648C84000-memory.dmp

memory/3432-75-0x00007FF758890000-0x00007FF758BE4000-memory.dmp

C:\Windows\System\HUFBdeS.exe

MD5 c63098afc847f8229efab41ddbfd0fdc
SHA1 dc6fd8eed999e0ee81385fe4265375a482b0b42a
SHA256 4dd32d8510207324330867face7fbac3ef264604de31bcec1ea274cb57622351
SHA512 67e1ea034eb588879dc3b30c233e1e9faed2ccfac7b2e13201dbf2f71c4e974b66037c8cc2a9a066de2e4fdaec7655fafc3cecd70d49070af70e19950c2bef62

memory/4380-66-0x00007FF68AFC0000-0x00007FF68B314000-memory.dmp

C:\Windows\System\InwFwRV.exe

MD5 e2819476a519b4e09ebb929554a84e9f
SHA1 c1ff5a32417b46629f5da31a660e0c69c933dd66
SHA256 9942ec0359ba2eb2787f2632199457268354cb86c355528d790252ffcd4cd4d7
SHA512 f68148f4f5b82526596c7819711eba216a43aa7599478ba1669308c3f8636280eddb73cae1ed551a9642e9492d145ff7f66a5f1b1cacc56c7b6c661f03a04519

memory/4164-94-0x00007FF675D30000-0x00007FF676084000-memory.dmp

memory/2404-102-0x00007FF7156A0000-0x00007FF7159F4000-memory.dmp

C:\Windows\System\rVNMZpm.exe

MD5 7c9a60ebcf0445dc3c2b327b09a57bf9
SHA1 657e7a8104a6007fde63be0b8593b41f498431ba
SHA256 588a47719220694e29f1d0b8420205eb6e69a6911945ed8bc1db2bdc2beaf73e
SHA512 191ff2e635b73a060da2f3dd91891c2f3ba35d3bd508727cbd5f9e825d80a94186f8c625ad781aa26176bfdf116a36f23a4a1d34eeccfad01ffdde3b4d8b96a1

C:\Windows\System\IgcMpER.exe

MD5 7998352ee9335ee91df913b8f17ac469
SHA1 d1f046308bf8a7586d6c8a12b354e12ce9c1b51a
SHA256 0a9592bd01972256809bc59c1902fa2e6b060b8a4fbb8614c4b779e274e23ad9
SHA512 21973ed95306ad1f8b390682c0f7875e8d83bf7e706ddfbf991d4dc50c1174af9dd20bd945c323da4b67310706076d5f4680a168fefb984248f8a97026051315

C:\Windows\System\pwCaugY.exe

MD5 1579d1b4e353b37cbc3d842d78b938f2
SHA1 95f0d3b8b5acfdb39c346e3a8ca75c82edc24eb0
SHA256 66ed2853bf5afdd2f01a61fc868b110f5a3fbdfee551c5c3098ef600d95107d3
SHA512 f21b92ca8d0e1de07db6cdfecd4939109f1aa4ee765cc2a0b7ca8f2173708eadbb27d10d115c4d820fb0e69bebaa132428490a66fd1347bd57237816909b2e18

memory/4340-106-0x00007FF695020000-0x00007FF695374000-memory.dmp

memory/3012-103-0x00007FF698800000-0x00007FF698B54000-memory.dmp

memory/2076-98-0x00007FF73DCB0000-0x00007FF73E004000-memory.dmp

memory/3040-91-0x00007FF7EB210000-0x00007FF7EB564000-memory.dmp

memory/3704-113-0x00007FF7B0890000-0x00007FF7B0BE4000-memory.dmp

memory/3772-119-0x00007FF7C0480000-0x00007FF7C07D4000-memory.dmp

C:\Windows\System\XlbRKFl.exe

MD5 73bb3ff349695dfb2ba0735c126a5f16
SHA1 05dc272b2f24f2585b04eba1fb1de3421f9b1240
SHA256 ff05492db2375eddef48590636ba22e73dc10e7671b29a1933d67645bc4f7317
SHA512 a11428b6b5bd32edeebb57011000d9c5fa33c2f52c261d8a3a9fae12cecb90a4e8964a5542e80c026376d14c0e0ac938514542122be8818f03502bdc690bbca6

memory/1836-121-0x00007FF6AA070000-0x00007FF6AA3C4000-memory.dmp

C:\Windows\System\uVsaSvc.exe

MD5 22fb8bf409ba6c2284e73d45fcd89201
SHA1 2e9b863a257cb1c34774501eaaacdeaece695a40
SHA256 bb65866eaf17f914b0924d29634624b05909e84d65323d4124f2b002c90088cb
SHA512 f2fc87ffd5fdf40c8e70b814858a123a4e3f44f7945137cd2a82508c702ea00743f7128f0f6739ff40a08a05965692e0ba7a30d8965ddff1c81ef225209c22e2

memory/4812-129-0x00007FF63E390000-0x00007FF63E6E4000-memory.dmp

memory/216-127-0x00007FF6093C0000-0x00007FF609714000-memory.dmp

C:\Windows\System\ihnOzGP.exe

MD5 1b54b798fa921130d4d9b4758ceedd84
SHA1 22cef904ae85acfcc54056f8aae7bf3bb30d3384
SHA256 05ca0ffa2dd24e4df3ba4d2d614c769f6af3db8cd56dffedb9ff0b10e2184dc4
SHA512 69afcd89f1097eb2194c6b53e51a2988dd553060a2d781cbabdd663468b94f2dd8f6e0808960b55ac7465a7ea92e32440e2b2caf8bfad92f51d555f8d555d1bf

memory/2848-123-0x00007FF7B71B0000-0x00007FF7B7504000-memory.dmp

memory/1492-133-0x00007FF7959D0000-0x00007FF795D24000-memory.dmp

memory/4380-134-0x00007FF68AFC0000-0x00007FF68B314000-memory.dmp

memory/2816-135-0x00007FF61B460000-0x00007FF61B7B4000-memory.dmp

memory/2016-136-0x00007FF648930000-0x00007FF648C84000-memory.dmp

memory/3432-137-0x00007FF758890000-0x00007FF758BE4000-memory.dmp

memory/3256-138-0x00007FF6628E0000-0x00007FF662C34000-memory.dmp

memory/2076-139-0x00007FF73DCB0000-0x00007FF73E004000-memory.dmp

memory/2404-140-0x00007FF7156A0000-0x00007FF7159F4000-memory.dmp

memory/4340-141-0x00007FF695020000-0x00007FF695374000-memory.dmp

memory/2848-142-0x00007FF7B71B0000-0x00007FF7B7504000-memory.dmp

memory/3668-143-0x00007FF677010000-0x00007FF677364000-memory.dmp

memory/3968-144-0x00007FF6D6670000-0x00007FF6D69C4000-memory.dmp

memory/4164-145-0x00007FF675D30000-0x00007FF676084000-memory.dmp

memory/3704-146-0x00007FF7B0890000-0x00007FF7B0BE4000-memory.dmp

memory/3012-147-0x00007FF698800000-0x00007FF698B54000-memory.dmp

memory/4172-148-0x00007FF73E200000-0x00007FF73E554000-memory.dmp

memory/1836-149-0x00007FF6AA070000-0x00007FF6AA3C4000-memory.dmp

memory/216-150-0x00007FF6093C0000-0x00007FF609714000-memory.dmp

memory/1492-151-0x00007FF7959D0000-0x00007FF795D24000-memory.dmp

memory/4380-152-0x00007FF68AFC0000-0x00007FF68B314000-memory.dmp

memory/2020-153-0x00007FF683F70000-0x00007FF6842C4000-memory.dmp

memory/3432-154-0x00007FF758890000-0x00007FF758BE4000-memory.dmp

memory/2016-155-0x00007FF648930000-0x00007FF648C84000-memory.dmp

memory/3256-156-0x00007FF6628E0000-0x00007FF662C34000-memory.dmp

memory/2076-157-0x00007FF73DCB0000-0x00007FF73E004000-memory.dmp

memory/4340-159-0x00007FF695020000-0x00007FF695374000-memory.dmp

memory/3772-158-0x00007FF7C0480000-0x00007FF7C07D4000-memory.dmp

memory/2404-160-0x00007FF7156A0000-0x00007FF7159F4000-memory.dmp

memory/4812-161-0x00007FF63E390000-0x00007FF63E6E4000-memory.dmp

memory/2848-162-0x00007FF7B71B0000-0x00007FF7B7504000-memory.dmp

memory/2816-163-0x00007FF61B460000-0x00007FF61B7B4000-memory.dmp
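Two things stand out in the listing above. Every image-sized memory dump, for the parent (PID 3040) and for all 21 children, spans exactly 0x354000 bytes (for example 0x7FF7EB564000 - 0x7FF7EB210000), while all 21 dropped files carry different MD5/SHA1/SHA256 values. Same mapped image size with distinct hashes means the drops are restamped copies of one payload, so a hash-only blocklist buys little; the drop location, naming scheme and image size are better pivots. The following is an added example, not code from the report or the sandbox vendor, that parses this Files layout, validates the hash lengths (a cheap sanity check before anything is fed to a blocklist), and checks the image-size claim. The embedded text is a subset of the entries above, with the SHA512 lines omitted for brevity; the parser accepts them when present.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Subset copied from the Files section above: three dropped executables with
# their MD5/SHA1/SHA256, plus the dump entries for PID 3040 and for the three
# child PIDs those files ran as. SHA512 lines are omitted here for brevity.
FILES_SECTION = r"""
memory/3040-0-0x00007FF7EB210000-0x00007FF7EB564000-memory.dmp
memory/3040-1-0x0000015EFD190000-0x0000015EFD1A0000-memory.dmp
C:\Windows\System\DzBHtco.exe
MD5 9a39609e131b62597647b94ab28c9ad2
SHA1 3bc5f54290cb2582e268133e72ba4d08a2bc4b3e
SHA256 1cd38c05ee4c655bed869637d61e24f7e8a2a369ca0496a2f7444bd7d6adc3e0
C:\Windows\System\lJxUhOb.exe
MD5 125ff3c5a4052c2c4bda1acab0f2f2e5
SHA1 dfa37f96b02bd5543cca820b6c39881de31939ed
SHA256 550606fb3cb6636142ae7da29fd8ba850a831b6f7368eadbe8285e3e6e1eb938
memory/3668-18-0x00007FF677010000-0x00007FF677364000-memory.dmp
memory/3968-21-0x00007FF6D6670000-0x00007FF6D69C4000-memory.dmp
C:\Windows\System\MQMUiDJ.exe
MD5 d9288c76989f2e5da80a067ed415603a
SHA1 1bfbb3ac32b77719ed2b90869373db024115c7a5
SHA256 7eab711018e15aad6a711472d74112e7d0bfc6ca56a52125aae63ef756665865
memory/4164-19-0x00007FF675D30000-0x00007FF676084000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512) (?P<hex>[0-9A-Fa-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")


@dataclass
class Region:
    pid: int
    seq: int
    start: int
    size: int


def parse_files_section(text: str) -> Tuple[Dict[str, Dict[str, str]], List[Region]]:
    """Return ({path: {algo: hex}}, [Region]) from the sandbox Files listing.

    Hash lines attach to the most recent path line; a dump line ends that
    attachment so a stray hash never lands on the wrong file.
    """
    files: Dict[str, Dict[str, str]] = {}
    regions: List[Region] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append(Region(int(m["pid"]), int(m["seq"]), start, end - start))
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, hx = m["algo"], m["hex"].lower()
            if len(hx) != HASH_LEN[algo]:
                raise ValueError(f"{current}: {algo} has {len(hx)} hex digits, expected {HASH_LEN[algo]}")
            files[current][algo] = hx
            continue
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
    return files, regions


def image_sizes(regions: List[Region], ignore_below: int = 0x100000) -> Set[int]:
    """Distinct sizes of the image-sized dumps; small heap/data regions are ignored."""
    return {r.size for r in regions if r.size >= ignore_below}


def distinct_sha256(files: Dict[str, Dict[str, str]]) -> Set[str]:
    return {h["SHA256"] for h in files.values() if "SHA256" in h}


def ioc_csv(files: Dict[str, Dict[str, str]]) -> str:
    """Flat CSV of the dropped files, ready for a blocklist or a retro-hunt."""
    rows = ["path,md5,sha1,sha256"]
    for path, h in sorted(files.items()):
        rows.append(",".join([path, h.get("MD5", ""), h.get("SHA1", ""), h.get("SHA256", "")]))
    return "\n".join(rows)


if __name__ == "__main__":
    files, regions = parse_files_section(FILES_SECTION)
    print("image sizes seen:", [hex(s) for s in image_sizes(regions)])
    print("files:", len(files), "distinct SHA256:", len(distinct_sha256(files)))
    print(ioc_csv(files))
```

On the full listing `image_sizes` still returns the single value 0x354000 and `distinct_sha256` returns 21 entries for 21 files, which is the polymorphic-copy pattern described above. The hash-length check is deliberately strict: a truncated hash that slips into a blocklist matches nothing and is silently useless.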

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 07:08

Reported

2024-06-29 07:11

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches reported; indicator details are not rendered in this export)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 matches reported; indicator details are not rendered in this export)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(64 matches reported; indicator details are not rendered in this export)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\xbZWvaH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OrYTODu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DkxMhnD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xznBIny.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FsQSbbe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WwPEuUT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HuKLxvj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SPMPBCl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ipZIKGj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IBtnNIh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ibkDKkM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zUsCRMS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cfJYnpu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\veivZYT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HZxVKMD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dYdpRtG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rvzoLPK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KgGboqm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YvwrQKt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AOhcaBw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QaEUenm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each of the 21 rows below was logged three times in the raw table; shown once)
PID 2128 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AOhcaBw.exe
PID 2128 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QaEUenm.exe
PID 2128 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dYdpRtG.exe
PID 2128 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zUsCRMS.exe
PID 2128 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KgGboqm.exe
PID 2128 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cfJYnpu.exe
PID 2128 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FsQSbbe.exe
PID 2128 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WwPEuUT.exe
PID 2128 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xbZWvaH.exe
PID 2128 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rvzoLPK.exe
PID 2128 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\veivZYT.exe
PID 2128 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HuKLxvj.exe
PID 2128 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HZxVKMD.exe
PID 2128 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OrYTODu.exe
PID 2128 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SPMPBCl.exe
PID 2128 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ipZIKGj.exe
PID 2128 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YvwrQKt.exe
PID 2128 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DkxMhnD.exe
PID 2128 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xznBIny.exe
PID 2128 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IBtnNIh.exe
PID 2128 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibkDKkM.exe
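The two tables above (Drops file in Windows directory, Suspicious use of WriteProcessMemory) record one process, PID 2128, creating 21 randomly named executables under C:\Windows\System\ and then writing into the memory of each child it launched from them. The script below is an added example, not part of the sandbox report, that parses rows in the report's own row format and reconstructs that chain. It embeds a constructed subset of the rows above as sample input; the seven-letter-name heuristic and all function names are this example's own assumptions, not anything the sandbox asserts.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the rows from the 'Drops file in
# Windows directory' and 'Suspicious use of WriteProcessMemory' tables,
# kept in the report's own row format.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp\2024-06-29_"
          r"daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe")
DROP_FMT = r"File created C:\Windows\System\{name}.exe {parent} N/A"
WPM_FMT = r"PID 2128 wrote to memory of {pid} N/A {parent} C:\Windows\System\{name}.exe"

DROP_ROWS = [DROP_FMT.format(name=n, parent=PARENT)
             for n in ("xbZWvaH", "AOhcaBw", "QaEUenm", "dYdpRtG", "zUsCRMS")]
WPM_ROWS = [WPM_FMT.format(pid=p, name=n, parent=PARENT)
            for p, n in ((2380, "AOhcaBw"), (3020, "QaEUenm"),
                         (2672, "dYdpRtG"), (2752, "zUsCRMS"))
            for _ in range(3)]  # the sandbox logged three writes per child

DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) N/A$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
                    r"N/A (?P<proc>\S+) (?P<target>\S+)$")
# Naming heuristic (this example's assumption, taken from the pattern in the
# report): a seven-letter name directly under the Windows System directory.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_drops(rows):
    """Map each created file path to the process that created it."""
    drops = {}
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            drops[m["path"]] = m["proc"]
    return drops


def parse_writes(rows):
    """Map (src_pid, dst_pid) to (target_image, writing_process, write_count)."""
    writes = {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        image, proc, count = writes.get(key, (m["target"], m["proc"], 0))
        writes[key] = (image, proc, count + 1)
    return writes


def build_chain(drop_rows, wpm_rows):
    """Injection tree: {src_pid: {dst_pid: (image, write_count, created_by_src)}}."""
    drops = parse_drops(drop_rows)
    chain = defaultdict(dict)
    for (src, dst), (image, proc, count) in parse_writes(wpm_rows).items():
        chain[src][dst] = (image, count, drops.get(image) == proc)
    return dict(chain)


def flag_dropper(drop_rows, wpm_rows):
    """Split randomly named drops into those the creator also wrote into
    (injected) and those with no matching write in the rows (dropped_only)."""
    drops = parse_drops(drop_rows)
    written = {image: proc for image, proc, _ in parse_writes(wpm_rows).values()}
    injected, dropped_only = [], []
    for path, creator in drops.items():
        if not RANDOM_NAME_RE.match(path):
            continue
        (injected if written.get(path) == creator else dropped_only).append(path)
    return sorted(injected), sorted(dropped_only)


if __name__ == "__main__":
    for src, children in build_chain(DROP_ROWS, WPM_ROWS).items():
        print(f"PID {src} wrote into {len(children)} children:")
        for dst, (image, count, same) in sorted(children.items()):
            print(f"  -> PID {dst} {image} ({count} writes, dropped by same process: {same})")
    injected, dropped_only = flag_dropper(DROP_ROWS, WPM_ROWS)
    print("dropped and written into:", injected)
    print("dropped, no write in sample:", dropped_only)
```

Running it on the full tables would reproduce the report's picture: a single parent, 21 children, three writes each. The create-then-write check is the part worth keeping in a detection: a process that drops an executable with a random name under C:\Windows\System\ and then calls WriteProcessMemory on the process started from it is a much tighter signal than either event alone.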

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_daf8c1f4e989079a41bc0175817478ca_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\AOhcaBw.exe

C:\Windows\System\AOhcaBw.exe

C:\Windows\System\QaEUenm.exe

C:\Windows\System\QaEUenm.exe

C:\Windows\System\dYdpRtG.exe

C:\Windows\System\dYdpRtG.exe

C:\Windows\System\zUsCRMS.exe

C:\Windows\System\zUsCRMS.exe

C:\Windows\System\KgGboqm.exe

C:\Windows\System\KgGboqm.exe

C:\Windows\System\cfJYnpu.exe

C:\Windows\System\cfJYnpu.exe

C:\Windows\System\FsQSbbe.exe

C:\Windows\System\FsQSbbe.exe

C:\Windows\System\WwPEuUT.exe

C:\Windows\System\WwPEuUT.exe

C:\Windows\System\xbZWvaH.exe

C:\Windows\System\xbZWvaH.exe

C:\Windows\System\rvzoLPK.exe

C:\Windows\System\rvzoLPK.exe

C:\Windows\System\veivZYT.exe

C:\Windows\System\veivZYT.exe

C:\Windows\System\HuKLxvj.exe

C:\Windows\System\HuKLxvj.exe

C:\Windows\System\HZxVKMD.exe

C:\Windows\System\HZxVKMD.exe

C:\Windows\System\OrYTODu.exe

C:\Windows\System\OrYTODu.exe

C:\Windows\System\SPMPBCl.exe

C:\Windows\System\SPMPBCl.exe

C:\Windows\System\ipZIKGj.exe

C:\Windows\System\ipZIKGj.exe

C:\Windows\System\YvwrQKt.exe

C:\Windows\System\YvwrQKt.exe

C:\Windows\System\DkxMhnD.exe

C:\Windows\System\DkxMhnD.exe

C:\Windows\System\xznBIny.exe

C:\Windows\System\xznBIny.exe

C:\Windows\System\IBtnNIh.exe

C:\Windows\System\IBtnNIh.exe

C:\Windows\System\ibkDKkM.exe

C:\Windows\System\ibkDKkM.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical connection records; no domain recorded)

Files

memory/2128-0-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2128-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\AOhcaBw.exe

MD5 3734b64e9deb9fb4d319e7b8c2dc0000
SHA1 aca81c5620c7eb80f38682312e6739449370e391
SHA256 d7d84e038afa574be6f92d7972d16455f4a87ca94c8d546575ce6019ba3f06c6
SHA512 38c1801981e0ad79f0f007abd6d2d41f875feef1f547629179c1605ab34537d0e7a4db4c89079441e2ccdbcd351a47d9ca960b6e8fd47254b54d4124a10f3d2e

memory/2128-6-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2380-8-0x000000013F130000-0x000000013F484000-memory.dmp

\Windows\system\QaEUenm.exe

MD5 d5d12d57ba17785b09b51e86f956d2ce
SHA1 af3afab22a7e0d4c518682b6d86088e4197b90f3
SHA256 43c42824c92ef22aae0c116de238d6abe3840129f09b25f31e436639eadb2535
SHA512 a857696cfd665c4ed258d35edfcd898b85daf2eb775b0b483294de2269759399e4526b28a98c3efede37b530b996bfa457d742defece13e21ac4748efa30d2a4

memory/2128-13-0x000000013F100000-0x000000013F454000-memory.dmp

memory/3020-15-0x000000013F100000-0x000000013F454000-memory.dmp

C:\Windows\system\dYdpRtG.exe

MD5 1757b56efd5109787e8ab991e36bbf6f
SHA1 ccec58e2f080c9bf38f90c626386b0c2231f7a5d
SHA256 f84458ea3295ef0668b23969f69e7de20a68776293cbd63c230d89d4372bc2e4
SHA512 bce0cf424f43c2e4c2ebeca6bcd7221673f2de1a2e324ec462db64ec3e90fc81ce85d79274ee2008cb68c49a708534a6be07d51b33115e7a5c18941ba267aa74

memory/2128-21-0x000000013F180000-0x000000013F4D4000-memory.dmp

C:\Windows\system\zUsCRMS.exe

MD5 a9328d6a90af8c008042d6f9b2d85d67
SHA1 17732545aaf3ee6f742fad5bfcd0641c848ebced
SHA256 7a6962ba1f59344f485e402b11bb18f4ac1f39fd59fe9cf33da91e9c2ae2d76f
SHA512 acb72f8767a9d171799688147a7698c12f9aa7ee366cb8ead4b3c6c324cb35e41a53a78d6c55fd34f6976dc1334dfc3ea8799567347e6d877258402f78babace

C:\Windows\system\cfJYnpu.exe

MD5 e7bd1638a0fdb4de14e5f01f3908cda1
SHA1 31ee45faf435af41532bdbaa63254ce09e7dbd2b
SHA256 4bde3b82b1cc67fdad50c800c44ef9a88d2c54913f9f4905b2021ba0bd2cdedb
SHA512 1a13042061ccf9bf6496ca727f976e22f4b80c0f9bf9e3dfa3bc70c3912600893586836babcae48cc6da9b2775838df69bf9b34209c9dca4dd8e13faa7349614

memory/2128-30-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2564-44-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/2380-43-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2836-41-0x000000013F400000-0x000000013F754000-memory.dmp

C:\Windows\system\KgGboqm.exe

MD5 4fe871f01c728532dc0cbba1cbaaae12
SHA1 7510b9ca459f20e6f96bbc725862c46d7f37576c
SHA256 f2d92e734fe83272afdb048852cd084fbc4c59d046f083eb7e64e44c8dca4ea5
SHA512 0599dbc8f0d7a39e0347d46c5b80be035e0889f22b227ba3ea76b3dfde85ada6467694c5a0c9a9b42e9bbf19ce08db46437722561a2fee328b5b62500150225e

C:\Windows\system\WwPEuUT.exe

MD5 f99aa0ed0bc414441561ca648a18ea4c
SHA1 1abfecc3d37941e7dde1dec591beb49113d17b6b
SHA256 2eca06af6f4b32492d416851854b5274928be93cb6d9534210b3128ac43aab01
SHA512 20e8db8d4a0776c8b81d806c054e85799b6be498fcc47feda37188c1f0f15c24292678626e939e5f07b64a3d3b5b646b18a8cdd57945fb1622824b928ed72f91

C:\Windows\system\rvzoLPK.exe

MD5 0248223f87ed018152168f780f9fd6aa
SHA1 925ffa2ffe92fe7ddd02688e720f83d1fdd2b045
SHA256 b3ad04f3c24dde84e1075217ca50d10a1b74466ff8e6f7693f924db250ad77a3
SHA512 170a8b8de52280ec5bace52eb415b4fd08a70f5e24e8a810bf98d38ca029c317932413df8cda0cd7df1a4620932f9039c215365e26fba4e73ca7fdf0fb0ffb16

memory/2936-73-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2528-86-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/2208-79-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2128-100-0x000000013F230000-0x000000013F584000-memory.dmp

C:\Windows\system\IBtnNIh.exe

MD5 84f42ff4a3d31d0d085dc72409165581
SHA1 2e78d9dbd1dcb76feb49e779a7c318eec4366d75
SHA256 16ec498f3f2fd4e823e9c719fb056da82ade122baa6b8c11988df20af47d4b0d
SHA512 9e2eeecf4e80207559c1986d35458607326172502fc6bdae7cdcc8fcf51eae6e2972a6403f423c3e90c04c4908bf231e04ac7869c7c77b346bcdcf9c7b466d6f

\Windows\system\ibkDKkM.exe

MD5 cda6db5db093f8670cc9e840d841bd27
SHA1 bab05f71b0af59f24b294c72c9629e231cd73fc0
SHA256 2c0a1b937a49868b76f982d14e878ab4b876d6c86a1f9ed346a958a324773bea
SHA512 16f681f945599c5125fe38667d795bd46338e19969b660349d40033899fb5c7b0c0a69c993cb37f91a71068c6e629ec85561461af94717dfc4789c6b82a5df08

C:\Windows\system\xznBIny.exe

MD5 967261403d0a71b263710c93a1640b7e
SHA1 a792aaea13a0795106063a7ba9be2cf18ca58a5d
SHA256 31352d587b956dc1054e549f130e7f0de6bb8209d4e94b6eec78cfe8b54f4907
SHA512 7e167bd9670e675adfc7782a7d6961ea35a0ea81c5241ec7b3630a36a07b3075fd799b7f5ff984af12bc3a9f2b47b523c149a79fd076cf4898527e06dc1ed742

C:\Windows\system\DkxMhnD.exe

MD5 63d300f127a561417a824f3cbd442fc2
SHA1 28dbe54755ca703e3845f23811abd31f12f53270
SHA256 7a3364181c62f7fcb214504106f2effee848348989119f9d0618f6b10dcf1641
SHA512 461c2b33589f848363c675c3f855c2bba4779c187e4d4ed607214249c9bd0fd77880b632ca77e2610da95e359a45562b56c45886841368658ae84c56c333f6e1

C:\Windows\system\YvwrQKt.exe

MD5 a91fe00a2e426c762ff1fa45de917ee0
SHA1 90387f31acf1335b9275e39ecb0f16ff2fafd226
SHA256 00363f328144a4147565a0787c0976cb8aee749efb7e970e88d74c154ee9fc33
SHA512 4e57d2c2312e61f7aaeea6440c58e46315c8acb19b2cfcc101a884aa10da33772d4e8035dc44f9b907289c5bd0df2f40d83aaf80c40a40a7fa763c7b3b6572a0

memory/2128-108-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2496-140-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2128-139-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2732-107-0x000000013F230000-0x000000013F584000-memory.dmp

C:\Windows\system\ipZIKGj.exe

MD5 f6930b94fd7fe540efcaf486fe06b4a7
SHA1 061790406debb6228ed3908341494f7ecc396328
SHA256 c66a10cc408f0e2c18fd26530e6dc38d15215cc11a62d737ebc11077cc7a76db
SHA512 27886c38b312326edb17b399a2c08664af8c4a7f296ac0b61c18791822bd9028337d80e6d7d6d37e01fdcbdb910faaf987546f64410f68f0e556571e33a36cf1

C:\Windows\system\SPMPBCl.exe

MD5 feb00383acbed9a64872d38cb28c7983
SHA1 df747b59a9a703582f6c7e75c45b1ee37cd1baae
SHA256 a590a8da7011d3c4cc4d5dbbba8992e8e61250d60c4351db24008230e8cf53ce
SHA512 c723f0926356d99f8885e349e1b789ca1a72a6cb95ac8bf69ffdc5b96bf011d25464db80f64f044e4518d173a8086b03ecf1f66295ad78156febecb656343696

memory/2784-94-0x000000013F640000-0x000000013F994000-memory.dmp

C:\Windows\system\HZxVKMD.exe

MD5 30cf8ae259bfa789cfe316b6582cda76
SHA1 6d587d4d86520270a95287ae57df16b363efb8ed
SHA256 0d4513602286c18b0f930b866ec1a1cb9e800bff0986815070b188be47259e89
SHA512 2e9bce0f29d1ff302eb701471f1846f868b39116d9f7f31bbcb38e98c66633a31dc8db6115d335626ea5d29e22e4ac5b4e339662606cf34b4573c3fce4d9d351

memory/2820-101-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2836-90-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2512-142-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2128-141-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2752-89-0x000000013FB90000-0x000000013FEE4000-memory.dmp

C:\Windows\system\OrYTODu.exe

MD5 7cdfe615bd66d414a4ac9987ff3bc24c
SHA1 b0b6d8959a91792d8b602348a11a3d9b9ccb7e3a
SHA256 a1e5804615ac73a25456925b9855c758f7d05e5a313556f75a6412efc85c86ed
SHA512 44a711a87054674ba7a341e2ee40a6befe52f756c40c7ddb61b014c50acaadc7dc972a0f6c376dcacd3d769b9f75b1f92dd38d974c54df7f0ced10257fad851f

memory/2128-85-0x00000000022A0000-0x00000000025F4000-memory.dmp

C:\Windows\system\veivZYT.exe

MD5 5eb74251d7478c99c663bf968e6ffb9e
SHA1 91fbe30bd145f680808ad08541021b982be57e90
SHA256 b0431776df700a2d425eabf755c66a14997e443c17d2895405666468bffa1390
SHA512 260bda0ddcd9ef26fc7e478079b30abaf439e3b5371388e1250307d08852e4a0d419113e319f4727670081c5a0ecd5cc5db7bd3cb47f0f00b209a07111c5514a

C:\Windows\system\HuKLxvj.exe

MD5 f957932686e9b990270b641035c0acba
SHA1 9f5d10ade10d74e8c6844d74b05141c2b75e452a
SHA256 9a50db284b7138bcdf8ec12e4e7f67a8fc8c2d8930ac9f6c87530a9dfc2198ce
SHA512 998c68ca9c3ac7099d43162999c4d415a038aff506c82948c4f35761b47805a4623b51fa1f31ceff5de720e492f51bfb335a1283825bf7d356ace5cfc44bfb25

memory/2936-144-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2128-143-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2512-67-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2128-66-0x00000000022A0000-0x00000000025F4000-memory.dmp

C:\Windows\system\xbZWvaH.exe

MD5 7bd9580b47274579f4fbe61db4368bfb
SHA1 9b538399897624d6a17ab698400ce814ef0b7bdf
SHA256 b392ac2850df667e413075b98b44e8e6433da72474724b8ac00d9601e045cf31
SHA512 39e902adc43e1a3aa86c4a321224636c8d98c0096eac2506c6954f2ed7953bd7454afb800aec95ffe3003c8aee75c73155207c12be371c67b187e7bdf12f91f2

memory/2496-60-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2128-59-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2672-58-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2732-51-0x000000013F230000-0x000000013F584000-memory.dmp

memory/3020-50-0x000000013F100000-0x000000013F454000-memory.dmp

C:\Windows\system\FsQSbbe.exe

MD5 6c5bec1c9b05dfa35fc2d320937adc99
SHA1 1af9733b14b1f3c00e57fff361f2cad623bf928e
SHA256 3ac14acaec314dbdbff7018850064bd87f54ee6a3c082c050bebf971ce5de2d7
SHA512 2c5d9031895b18a56bd17f4d192acf9e7a505fdcfbd5a6cc1c692531ad4f1ee13bc0d19779d0a05f4f67cf119dbb2b14c346845946c1547b4f57f5fb751906dc

memory/2208-145-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2752-38-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/2128-37-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2128-35-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2128-33-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2672-26-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2128-146-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2784-147-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2128-148-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2820-149-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/2380-150-0x000000013F130000-0x000000013F484000-memory.dmp

memory/3020-151-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2672-152-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/2564-153-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/2752-154-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/2836-155-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2732-156-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2496-157-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2512-158-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2936-159-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2528-160-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/2208-161-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2784-162-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2820-163-0x000000013FD40000-0x0000000140094000-memory.dmp
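The Files section names each memory dump by PID, sequence number and address range. The script below is an added example, not part of the report, that parses those names (a constructed subset copied from above), computes each region's size, and pairs a parent dump with a later child dump of the same range. That pairing is a heuristic of this example for spotting which child images the parent had mapped in its own address space; the sandbox itself states nothing about it, and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the memory dump names listed in the
# Files section above.
DUMPS = """
memory/2128-0-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2128-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2128-6-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2380-8-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2128-13-0x000000013F100000-0x000000013F454000-memory.dmp
memory/3020-15-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2128-21-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2672-26-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2128-30-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2752-38-0x000000013FB90000-0x000000013FEE4000-memory.dmp
""".split()

DUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
                     r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dumps(names):
    """Return (seq, pid, start, end) tuples sorted by dump sequence number."""
    out = []
    for name in names:
        m = DUMP_RE.match(name)
        if m:
            out.append((int(m["seq"]), int(m["pid"]),
                        int(m["start"], 16), int(m["end"], 16)))
    return sorted(out)


def region_sizes(names):
    """Map each PID to the set of region sizes the sandbox dumped for it."""
    sizes = defaultdict(set)
    for _, pid, start, end in parse_dumps(names):
        sizes[pid].add(end - start)
    return dict(sizes)


def shared_regions(names, parent_pid):
    """Heuristic: a parent dump of [base, end) followed, by sequence number, by
    another PID's dump of exactly the same range. Returns {(child_pid, base)}."""
    pending = {}  # base -> end for parent regions seen so far
    pairs = set()
    for _, pid, start, end in parse_dumps(names):
        if pid == parent_pid:
            pending[start] = end
        elif pending.get(start) == end:
            pairs.add((pid, start))
    return pairs


if __name__ == "__main__":
    for pid, sizes in sorted(region_sizes(DUMPS).items()):
        print(f"PID {pid}: region sizes {[hex(s) for s in sorted(sizes)]}")
    for child, base in sorted(shared_regions(DUMPS, 2128)):
        print(f"parent 2128 dumped {hex(base)} before child {child} dumped the same range")
```

On the sample, every child region is 0x354000 bytes and each one was first dumped from the parent at the same base, which fits the WriteProcessMemory rows above: the parent holds a copy of each child's image before the child runs it. The one exception in the sample, PID 2752, has no parent dump at its base in the subset, so the heuristic correctly reports nothing for it rather than guessing.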