Malware Analysis Report

2024-10-24 18:11

Sample ID: 240630-gjcv4athle
Target: 2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat
SHA256: 0f834825e381d257401550e01f5cbb614c613420b683b53c4fb9a4822c21a517
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 0f834825e381d257401550e01f5cbb614c613420b683b53c4fb9a4822c21a517

Threat Level: Known bad

The file 2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

XMRig Miner payload

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

Cobaltstrike family

Xmrig family

Cobaltstrike

xmrig

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-30 05:49

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-30 05:49
Reported: 2024-06-30 05:52
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\xRcpVlb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mroSnaF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YhFRJIm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zqtpqeM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aocPJyK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kHoVBff.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dYzVTTO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MrjASOa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SnsvSnH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LyzHETX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VkGoaaD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zCwGBlX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ySJDbsy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PvWucwC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lPjLJKz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FSUAFUx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wgBtMEe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BRQcdML.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RWODoVb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\epFeYvi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\feJhtJz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 756 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zqtpqeM.exe
PID 756 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LyzHETX.exe
PID 756 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FSUAFUx.exe
PID 756 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xRcpVlb.exe
PID 756 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aocPJyK.exe
PID 756 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kHoVBff.exe
PID 756 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mroSnaF.exe
PID 756 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VkGoaaD.exe
PID 756 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wgBtMEe.exe
PID 756 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zCwGBlX.exe
PID 756 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BRQcdML.exe
PID 756 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ySJDbsy.exe
PID 756 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PvWucwC.exe
PID 756 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lPjLJKz.exe
PID 756 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MrjASOa.exe
PID 756 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RWODoVb.exe
PID 756 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\epFeYvi.exe
PID 756 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dYzVTTO.exe
PID 756 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YhFRJIm.exe
PID 756 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\feJhtJz.exe
PID 756 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SnsvSnH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\zqtpqeM.exe

C:\Windows\System\LyzHETX.exe

C:\Windows\System\FSUAFUx.exe

C:\Windows\System\xRcpVlb.exe

C:\Windows\System\aocPJyK.exe

C:\Windows\System\kHoVBff.exe

C:\Windows\System\mroSnaF.exe

C:\Windows\System\VkGoaaD.exe

C:\Windows\System\wgBtMEe.exe

C:\Windows\System\zCwGBlX.exe

C:\Windows\System\BRQcdML.exe

C:\Windows\System\ySJDbsy.exe

C:\Windows\System\PvWucwC.exe

C:\Windows\System\lPjLJKz.exe

C:\Windows\System\MrjASOa.exe

C:\Windows\System\RWODoVb.exe

C:\Windows\System\epFeYvi.exe

C:\Windows\System\dYzVTTO.exe

C:\Windows\System\YhFRJIm.exe

C:\Windows\System\feJhtJz.exe

C:\Windows\System\SnsvSnH.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2592-33-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/756-32-0x000000013F280000-0x000000013F5D4000-memory.dmp

C:\Windows\system\aocPJyK.exe

MD5 11aaeb6a54c045cd600ac1d0c8deea2c
SHA1 4ecb12e350f6dc147b670899f25b53441c23b7c0
SHA256 4f132ac72046f6a3f039af38981ca372befac07b0771b796f5ed9e0d51e7defe
SHA512 01ab7395a35bfc5723b0f05c75a9f5e62bf194e0ee9d5deae38c27584a83d2505abe98caedff31d11b0406e4dbb6d1bef965a9cb140a4560fef857ffa5cfeb44

memory/2656-27-0x000000013F100000-0x000000013F454000-memory.dmp

memory/756-25-0x000000013F100000-0x000000013F454000-memory.dmp

memory/756-20-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/756-117-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/756-118-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/756-139-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/756-140-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/1452-141-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/756-142-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2972-143-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/756-144-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2352-145-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2264-146-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/1724-155-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/2324-157-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/2472-156-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2588-154-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/2972-153-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2564-152-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2656-151-0x000000013F100000-0x000000013F454000-memory.dmp

memory/1452-150-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2432-149-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2484-148-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/3056-147-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2592-158-0x000000013F280000-0x000000013F5D4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-30 05:49

Reported

2024-06-30 05:52

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\YhsPGCM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nQTJXNr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wUlDfIG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yRsIAWg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LcNPKpA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\flwBQHG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qPRKeXN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ytFtPah.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OdopPpV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LPMxVcK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aBCIvEW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iVeUbsU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CbVUJFF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XRNAqVN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vqKNuYN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RGxdzaD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VhzKRqY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gKDfOeA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nrrkXkh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VEmGwCo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vOzKpGE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CbVUJFF.exe
PID 3532 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CbVUJFF.exe
PID 3532 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YhsPGCM.exe
PID 3532 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YhsPGCM.exe
PID 3532 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gKDfOeA.exe
PID 3532 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gKDfOeA.exe
PID 3532 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XRNAqVN.exe
PID 3532 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XRNAqVN.exe
PID 3532 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qPRKeXN.exe
PID 3532 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qPRKeXN.exe
PID 3532 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nQTJXNr.exe
PID 3532 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nQTJXNr.exe
PID 3532 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wUlDfIG.exe
PID 3532 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wUlDfIG.exe
PID 3532 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nrrkXkh.exe
PID 3532 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nrrkXkh.exe
PID 3532 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yRsIAWg.exe
PID 3532 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yRsIAWg.exe
PID 3532 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LcNPKpA.exe
PID 3532 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LcNPKpA.exe
PID 3532 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\flwBQHG.exe
PID 3532 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\flwBQHG.exe
PID 3532 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ytFtPah.exe
PID 3532 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ytFtPah.exe
PID 3532 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VEmGwCo.exe
PID 3532 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VEmGwCo.exe
PID 3532 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OdopPpV.exe
PID 3532 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OdopPpV.exe
PID 3532 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LPMxVcK.exe
PID 3532 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LPMxVcK.exe
PID 3532 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aBCIvEW.exe
PID 3532 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aBCIvEW.exe
PID 3532 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vqKNuYN.exe
PID 3532 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vqKNuYN.exe
PID 3532 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iVeUbsU.exe
PID 3532 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iVeUbsU.exe
PID 3532 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RGxdzaD.exe
PID 3532 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RGxdzaD.exe
PID 3532 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vOzKpGE.exe
PID 3532 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vOzKpGE.exe
PID 3532 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VhzKRqY.exe
PID 3532 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VhzKRqY.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\CbVUJFF.exe

C:\Windows\System\CbVUJFF.exe

C:\Windows\System\YhsPGCM.exe

C:\Windows\System\YhsPGCM.exe

C:\Windows\System\gKDfOeA.exe

C:\Windows\System\gKDfOeA.exe

C:\Windows\System\XRNAqVN.exe

C:\Windows\System\XRNAqVN.exe

C:\Windows\System\qPRKeXN.exe

C:\Windows\System\qPRKeXN.exe

C:\Windows\System\nQTJXNr.exe

C:\Windows\System\nQTJXNr.exe

C:\Windows\System\wUlDfIG.exe

C:\Windows\System\wUlDfIG.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8

C:\Windows\System\nrrkXkh.exe

C:\Windows\System\nrrkXkh.exe

C:\Windows\System\yRsIAWg.exe

C:\Windows\System\yRsIAWg.exe

C:\Windows\System\LcNPKpA.exe

C:\Windows\System\LcNPKpA.exe

C:\Windows\System\flwBQHG.exe

C:\Windows\System\flwBQHG.exe

C:\Windows\System\ytFtPah.exe

C:\Windows\System\ytFtPah.exe

C:\Windows\System\VEmGwCo.exe

C:\Windows\System\VEmGwCo.exe

C:\Windows\System\OdopPpV.exe

C:\Windows\System\OdopPpV.exe

C:\Windows\System\LPMxVcK.exe

C:\Windows\System\LPMxVcK.exe

C:\Windows\System\aBCIvEW.exe

C:\Windows\System\aBCIvEW.exe

C:\Windows\System\vqKNuYN.exe

C:\Windows\System\vqKNuYN.exe

C:\Windows\System\iVeUbsU.exe

C:\Windows\System\iVeUbsU.exe

C:\Windows\System\RGxdzaD.exe

C:\Windows\System\RGxdzaD.exe

C:\Windows\System\vOzKpGE.exe

C:\Windows\System\vOzKpGE.exe

C:\Windows\System\VhzKRqY.exe

C:\Windows\System\VhzKRqY.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3532-0-0x00007FF6A9C40000-0x00007FF6A9F94000-memory.dmp

memory/3532-1-0x000001EBE9CF0000-0x000001EBE9D00000-memory.dmp

C:\Windows\System\CbVUJFF.exe

MD5 fbb89110113d3948e22040fccba4d151
SHA1 b56c57e7bd45dd9abb0e977de3e8d383fa2f36aa
SHA256 67d9c168d7dbbc5519305b88bb29193cb018401fb7ce18796fe1f34f372be2b5
SHA512 36a823ca68aa886be9992b3b6337e293d6534e0e31907ae5adad464a571f124319ab01672b68e6e041f780b1a961c666af6796e7379c8c5744f937c9b85a6348

C:\Windows\System\gKDfOeA.exe

MD5 01509851b723a3b9f428ff0601cb2611
SHA1 c7fb69366d3db5673fea9e05c0010a25808b708a
SHA256 3cde1c348ea54cad604fa5eb619d4fb5ad6d1caa8e627b33f12ae7fd5610861a
SHA512 32c6ecd04efdbaa71ecc23a9086bd9f46d68fca628392a4cfee714b8b5d1bf32ec9bbf02526c36b8ea24b40883506c0092cace8569b3ab4cea0da0340e4e9f85

C:\Windows\System\qPRKeXN.exe

MD5 6db8d1822f4ea1b4e9101d752a2377d6
SHA1 0f948d035c6a324b3044aa055712b81df6725388
SHA256 9376a63fd371020e72880268b0957445abfc76e8c52efcb007f113498bbbc391
SHA512 677054098e1a3064f9d1dc4efacf3c67f03f6c89c783dacf6062204e23967582bc783dbd4135a2eb152fa291bf70ccea5bf4d112589befba72d439ae93ec9fed

memory/4152-27-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp

C:\Windows\System\nQTJXNr.exe

MD5 2897f39ce4744a32dfb4d0e681720463
SHA1 1a71cc60876fea859c59c7570bc01f0a7ed5dbd6
SHA256 fbc0082a6117e962caac95352e0653d21c3e8f00e333247495edb2a64e553de3
SHA512 8da5107c7419069ab566656c1451e74927cbf457b1a976d850cad08ab34c65f100b92a9fc292a0e68f17487310138c5455ff09ee886bb378ad3d3d2425774f43

memory/3456-35-0x00007FF683980000-0x00007FF683CD4000-memory.dmp

memory/2356-34-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp

memory/2620-28-0x00007FF78F400000-0x00007FF78F754000-memory.dmp

memory/1940-22-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp

C:\Windows\System\XRNAqVN.exe

MD5 1ba1f65468efbd722ce49fce5016976a
SHA1 2aef6d700995b1ea43c695a5be1910c3ba19314b
SHA256 5b56a4888960ca42bf3f6ba098949bed68a89df7c535cf71699a1532df6bba6e
SHA512 627044642724711a7685b20919ea970b69c4eadbf5f6d1f226c6ee6be37ffc554ed43525c02f066b514de2c55aee2cf5c30e5b9e45e6f23c64a8b094a8c6fe3f

C:\Windows\System\YhsPGCM.exe

MD5 2da91d9aa18fa52d85525dc1f83033ae
SHA1 9bf518d7e83a54a4fb52a632d4d28fb6c9a79e79
SHA256 f938b5dcaa9fa349734bfc79b8a4600c5217d60789417aa5256ea971a0496375
SHA512 d2b2d3601f358237cd40b3dffb471ef18d6886e27a13ab43d19fab1c0bc097632d6bb2b8f87a7f2809f413250c2cc61a85391e3d208827c3e060b211b7be8f06

memory/2828-11-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp

C:\Windows\System\wUlDfIG.exe

MD5 d936a10029209be27a239bd1e6d43459
SHA1 67cf43ad3f0022a26479da33691e26838480b964
SHA256 ef646e755ab2be6583356baf3303e7f698df211bb8aa7f8d5a3ab4611fd6560d
SHA512 78aab960537450f67016cc6326d233429739415002b016fd8b44def099da6a5e692f7f7d8c6ae18e4b3d7f1c505ba01023ddc3c5b561e18aff4862ec8591942e

memory/4508-44-0x00007FF7DAFF0000-0x00007FF7DB344000-memory.dmp

memory/520-50-0x00007FF7EC5C0000-0x00007FF7EC914000-memory.dmp

C:\Windows\System\nrrkXkh.exe

MD5 e051c1ebb387c9d186f143647064225f
SHA1 bad912b8ccb3f01531df8b08c6654f47c9593eaa
SHA256 3da403ce26e92b5387af34199d8b4656eed78f1b61951a26ba95afec7e46b5c5
SHA512 13563494572715fac85db22472998727200d1070cfb9f372425e07108309c8d496fac4e741a62e13fc5a99829d726ed6413b128ea1570e8a01d42240fd382c29

C:\Windows\System\yRsIAWg.exe

MD5 e34370fdbfa4e924f29640cfb793aa8f
SHA1 2499af9bfe2c34e37bb4e8dd211de4e13edc2894
SHA256 5542ff2c9fa0292151fa0c6b3381bd8df6d2640502102eaf44d19143d8ae6d2f
SHA512 a54a3f32d80ab91623eed130ebb036510132aca48b24ebd2fc8ce4a5795694fde5478f3f117d33169b03217cf256325bdc88064556cc9cc8bdda652f9c313539

memory/4428-56-0x00007FF744EE0000-0x00007FF745234000-memory.dmp

C:\Windows\System\LcNPKpA.exe

MD5 c4407826f5a77ad3a29d7c70db2b6158
SHA1 b1514c5237df7f0c3a923d394961ade337585190
SHA256 4f485a2dac3b027658a045ca9ca776451119649753ecc6f08cd02bccd3e02e4e
SHA512 2b225fc90a5a12ec5e64c9e3addae28a1f40cac72e35675231b3a670e7485ca391867369de7fa27bcaa656b82214ea777603390b96aab78783397e2515ad925e

C:\Windows\System\flwBQHG.exe

MD5 7eca1c3dac4d6e6909a442bdd89ec0f7
SHA1 0878c0fc1bd2a17378824ea7cea1ab45b7c28b64
SHA256 c25863793c5ef19e552bcf3c806d6fcb0ba4afe78a1099ffa3600b8cb4f03670
SHA512 b31ecd0802c7c04b5a34c17f238eaad633270bc44c8b07f88c3bcc72bad44072a54e9dee7f28fc6d21ec4a92520cd86db5e7e0c576bca9bffb857705e4e758e3

C:\Windows\System\ytFtPah.exe

MD5 9c8383ad30c763a685382f0db5ea324c
SHA1 ba5517d2003a387d888175ed6f6256e37ca6d5a4
SHA256 c966a589e9f449c6b8ce6a2337c973ae4b22efeffddd065f7031edb9dcb1363b
SHA512 cfeb3445e4ef687eb214dddb0a7c5967e85b94fefc204d2fa7c1b8952aca5533a50a7cb2de28cac928f7686b421c579400728b2b25e889e7952df536ea8c9b0f

memory/5032-72-0x00007FF7B70A0000-0x00007FF7B73F4000-memory.dmp

memory/3232-69-0x00007FF625760000-0x00007FF625AB4000-memory.dmp

memory/3320-62-0x00007FF7F4090000-0x00007FF7F43E4000-memory.dmp

C:\Windows\System\VEmGwCo.exe

MD5 5bda4db9c904d9517ec3bbab5eabed65
SHA1 466b2f4e035d1a92bab2d4f6d842a2180d88effc
SHA256 b66fc34571f43266130192f03bebf1648addde82aafeb970aa06ec164f72e7ee
SHA512 c72a5c237fc8072aae751e51baede40efc566e9604d7aa8307fed6e35ffde6de5164ace41aab227e1a07550cdfc3dadb7491adaa29a83c62d38a7d8359add045

memory/5108-85-0x00007FF691DB0000-0x00007FF692104000-memory.dmp

C:\Windows\System\LPMxVcK.exe

MD5 9ea28d843536186f2386e5f4f98ffcef
SHA1 308560df89997fba30a70adeb092e3fc52b2ef5d
SHA256 cd82665c197ec0b6ea63b4404f75bcac4982c831af511e313967a900a17f98cd
SHA512 2be601ad0b184977cae244205a2707e118e32c1c39dba6162c58cc082fc46fff389d5c91de4b15ead414b8b5f0e7029115ccdbd0482e6a40f5766957e99deada

C:\Windows\System\aBCIvEW.exe

MD5 6126d9399a249c9294b1933da19d537b
SHA1 b88c7e67c0f8e6cc874f6705450fa379481121d0
SHA256 fe70cc8b636857ba3f300d42836f3679000e7153a3e653999b9004330d3540e5
SHA512 a8dc171ff47d0bcfa3585fdd82d5df22e2370f16e176170fd76b3321a155e6122a02d88eafb8cf7fc144505b64ae285b9c6de79021891956520914da7c82ceda

C:\Windows\System\vqKNuYN.exe

MD5 21660b3d07c33a77550a7e015f89d52e
SHA1 6c6d243e11cabc6b0514fdf7d8ede2665d93791d
SHA256 a113a329771b065de4509f77cf82ee135a04d88801b8ccbaf6ffdd5b71588331
SHA512 402035f6ce9508cd2b17b0ed00d10d869db7e63087dd442168a65e26c52c3c3d813e13b6b2fb90af93c9dfddf1f40dc0f78c7ab2e6d99d74b1b58f8ceaa7d8ad

memory/1500-109-0x00007FF69DAB0000-0x00007FF69DE04000-memory.dmp

memory/3456-108-0x00007FF683980000-0x00007FF683CD4000-memory.dmp

memory/1412-107-0x00007FF7BD7B0000-0x00007FF7BDB04000-memory.dmp

memory/2620-103-0x00007FF78F400000-0x00007FF78F754000-memory.dmp

memory/384-99-0x00007FF661E20000-0x00007FF662174000-memory.dmp

C:\Windows\System\OdopPpV.exe

MD5 a5c0d7149d51d53ddca0539fdba89e7b
SHA1 f06fb8fe8ad710e0b396a74bc8ae511c88c1c58f
SHA256 0db3cd1e032f6551f9a0df67ca1146f0c6963faa659292c57c94db273b6d3bfd
SHA512 48168508b9631856b8442ca6143cbe2ce55809f5b9517c23b929a7bf32d47131b38299e8ce1d5ef476df268cd620cdca3beb56d77fde6e5c0b2a49a7da178cee

memory/2356-94-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp

memory/4272-93-0x00007FF737B90000-0x00007FF737EE4000-memory.dmp

memory/4152-89-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp

memory/1940-86-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp

memory/2828-81-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp

memory/3532-80-0x00007FF6A9C40000-0x00007FF6A9F94000-memory.dmp

C:\Windows\System\iVeUbsU.exe

MD5 45be6ac93bc2de6bd51a7daa43caf4ee
SHA1 9487699896b9e67d5fc7c491ea83528af41c0cc7
SHA256 ac5fe50247359e163ca290c51f6dbd25d534554dd0a30ed8d5ad83fe2fffc0c9
SHA512 515d22edf3ac7e0f8914fefcd1b69432032c7601a4862ded07a6875a7086052418560c46fa54e48def30e3a47a1d645d38447a1d615face13b471b712f1e3251

C:\Windows\System\RGxdzaD.exe

MD5 9f7a613b017cde67913864f97f7a58d1
SHA1 fc4f68d67ead4dfc2230e3ecb722ca1cb2c50796
SHA256 2061606e47900234770be7ec507557fb476048bef0df1734d8bf6726adcb7c8b
SHA512 e646dbe929ef2083ee4d22c926d6cea6a1362a072ea2acb9d676e2b5090398f908abeda7a8b737c221c4835ccdaa57ccc7c5d9a8e454da8a4b7c24a71eb6e3e9

C:\Windows\System\vOzKpGE.exe

MD5 8c84479efe22dab6b2b9f1e31bc28f8e
SHA1 4b56bcfc8ad606b10b1cbbb82289d22159d2dac5
SHA256 5f2e2a6427913f754b684dfb90b933cae8c3d884cf58f4e8734e9fb9b0b61501
SHA512 3d178025f534366c7ecc5fb04c591db927adf792b79c398a35d47b172231468e17ff666a93546b090011e598bd42d72baaf92524f01836d70d9eb2765eb3ac41

memory/4600-124-0x00007FF747E50000-0x00007FF7481A4000-memory.dmp

memory/3424-128-0x00007FF791830000-0x00007FF791B84000-memory.dmp

memory/3244-117-0x00007FF775210000-0x00007FF775564000-memory.dmp

C:\Windows\System\VhzKRqY.exe

MD5 458802432ddb0c5cfd243cb3f8e12aa1
SHA1 3b1b54a95bd6066132fae75fd5ea1e37af307fd2
SHA256 3bbf794b431e56ff778439c0c04f8093e1404c7a2bade3bc61a5eff85dac3e59
SHA512 8582eb6c24a8b34bf68627ec610b348594fa9b5867f988047b035cc167d10f09bd516fbe5b5d46983dfbb169938940822cf98116e7a1141b8992e62dc19565bb

memory/3320-134-0x00007FF7F4090000-0x00007FF7F43E4000-memory.dmp

memory/2240-135-0x00007FF6AD390000-0x00007FF6AD6E4000-memory.dmp

memory/5032-136-0x00007FF7B70A0000-0x00007FF7B73F4000-memory.dmp

memory/4272-137-0x00007FF737B90000-0x00007FF737EE4000-memory.dmp

memory/384-138-0x00007FF661E20000-0x00007FF662174000-memory.dmp

memory/1412-139-0x00007FF7BD7B0000-0x00007FF7BDB04000-memory.dmp

memory/1500-140-0x00007FF69DAB0000-0x00007FF69DE04000-memory.dmp

memory/3424-141-0x00007FF791830000-0x00007FF791B84000-memory.dmp

memory/2828-142-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp

memory/1940-143-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp

memory/4152-144-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp

memory/2620-145-0x00007FF78F400000-0x00007FF78F754000-memory.dmp

memory/3456-146-0x00007FF683980000-0x00007FF683CD4000-memory.dmp

memory/2356-147-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp

memory/4508-148-0x00007FF7DAFF0000-0x00007FF7DB344000-memory.dmp

memory/520-149-0x00007FF7EC5C0000-0x00007FF7EC914000-memory.dmp

memory/4428-150-0x00007FF744EE0000-0x00007FF745234000-memory.dmp

memory/3232-151-0x00007FF625760000-0x00007FF625AB4000-memory.dmp

memory/3320-152-0x00007FF7F4090000-0x00007FF7F43E4000-memory.dmp

memory/5032-153-0x00007FF7B70A0000-0x00007FF7B73F4000-memory.dmp

memory/5108-154-0x00007FF691DB0000-0x00007FF692104000-memory.dmp

memory/4272-155-0x00007FF737B90000-0x00007FF737EE4000-memory.dmp

memory/384-156-0x00007FF661E20000-0x00007FF662174000-memory.dmp

memory/1412-157-0x00007FF7BD7B0000-0x00007FF7BDB04000-memory.dmp

memory/1500-158-0x00007FF69DAB0000-0x00007FF69DE04000-memory.dmp

memory/3244-159-0x00007FF775210000-0x00007FF775564000-memory.dmp

memory/4600-160-0x00007FF747E50000-0x00007FF7481A4000-memory.dmp

memory/3424-161-0x00007FF791830000-0x00007FF791B84000-memory.dmp

memory/2240-162-0x00007FF6AD390000-0x00007FF6AD6E4000-memory.dmp