Malware Analysis Report

2024-10-24 18:11

Sample ID 240630-gla5aaxfkp
Target 2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat
SHA256 eb9b61923469bcee5a18282bb4296973d5ace255a66b32ac5950e792b75b10ba
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eb9b61923469bcee5a18282bb4296973d5ace255a66b32ac5950e792b75b10ba

Threat Level: Known bad

The file 2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Tags: miner upx 0 xmrig cobaltstrike backdoor trojan

Family signatures

Xmrig family (xmrig)

Cobaltstrike family (cobaltstrike)

Detection signatures (listed once each; several fire in both the static and the behavioral analyses)

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

UPX packed file

Unsigned PE

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-30 05:53

Signatures

Each static signature below matched once; the report records no description, indicator, process or target for any of them.

Cobalt Strike reflective loader

Cobaltstrike family (tag: cobaltstrike)

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload (tag: miner)

Xmrig family (tag: xmrig)

UPX packed file (tag: upx)

Unsigned PE
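The two static signatures above that an analyst can reproduce by hand are "UPX packed file" and "Unsigned PE": both are answered by the PE headers alone. The following is an added example (not the sandbox's own detection code, and not run against the sample on this page) that parses those headers with the standard library, lists the section names, and checks whether the Authenticode data directory is populated. The PE images it inspects are constructed in memory by build_pe(); the UPX0/UPX1 section names and the empty-first-section layout it looks for are stock UPX behaviour, and a modified packer can rename them, which is what the dynamic "UPX dump on OEP" signature is for.

```python
"""Static triage for "UPX packed file" and "Unsigned PE": read the PE headers,
list section names, and check whether the Authenticode data directory is
populated. Added example; the PEs it inspects are built in memory by build_pe(),
they are not the report's sample."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # certificate table slot in the data directories


def inspect_pe(data: bytes) -> dict:
    """Parse DOS, COFF, optional and section headers; raise on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at optional-header offset 96
        dirs_off = opt + 96
    elif magic == 0x20B:    # PE32+: offset 112
        dirs_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # the security entry holds a file offset (not an RVA) and a size
    _sec_off, sec_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    hdr = opt + opt_size
    for i in range(nsections):
        name, vsize, _vaddr, raw_size, _raw_ptr = struct.unpack_from("<8sIIII", data, hdr + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size})
    names = [s["name"] for s in sections]
    return {
        "pe32plus": magic == 0x20B,
        "sections": names,
        # stock UPX names its sections UPX0/UPX1; a renamed packer defeats this check alone
        "upx_section_names": any(n.startswith("UPX") for n in names),
        # UPX's first section has no raw data but a large virtual size (the unpack destination)
        "empty_first_section": bool(sections) and sections[0]["raw_size"] == 0 and sections[0]["virtual_size"] > 0,
        # a populated certificate table means "carries a signature", not "validly signed"
        "has_authenticode": sec_size > 0,
    }


def build_pe(section_names, signed: bool, pe32plus: bool = True, first_raw_zero: bool = False) -> bytes:
    """Construct a header-only PE (hypothetical test input, not a real binary)."""
    opt_size = 240 if pe32plus else 224
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dirs_off = 112 if pe32plus else 96
    if signed:  # point the certificate table at a (non-existent) blob so the directory is non-empty
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    secs = b""
    for i, name in enumerate(section_names):
        raw = 0 if (first_raw_zero and i == 0) else 0x200
        secs += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                            raw, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    print(inspect_pe(build_pe(["UPX0", "UPX1", ".rsrc"], signed=False, first_raw_zero=True)))
    print(inspect_pe(build_pe([".text", ".rdata", ".data"], signed=True)))
```

has_authenticode only tells you a certificate table exists; validating the chain needs WinVerifyTrust or an equivalent, and a self-signed or revoked certificate still yields True here.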

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-30 05:53

Reported

2024-06-30 05:55

Platform

win7-20240220-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

21 matches; the report records no description, indicator, process or target for any of them.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

21 matches; the report records no description, indicator, process or target for any of them.

UPX dump on OEP (original entry point)

64 matches; the report records no description, indicator, process or target for any of them.

XMRig Miner payload (tag: miner)

64 matches; the report records no description, indicator, process or target for any of them.

Loads dropped DLL

21 matches, all attributed to the process C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe; the report names no DLL, description or target.

UPX packed file (tag: upx)

64 matches; the report records no description, indicator, process or target for any of them.

Drops file in Windows directory

Description: File created. Process: C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe for all 21 entries; no target recorded. Every file lands in C:\Windows\System, the legacy directory next to System32 that installed software practically never writes to, so a write of an .exe there by a process running from %TEMP% is a strong signal on its own, independent of the random-looking 7-letter names.

Indicator (file created):

C:\Windows\System\MwkRyIJ.exe
C:\Windows\System\fOngIcp.exe
C:\Windows\System\WWQKZbM.exe
C:\Windows\System\RnfWDGS.exe
C:\Windows\System\UkzsSbU.exe
C:\Windows\System\BEWXYsd.exe
C:\Windows\System\RVqAzdF.exe
C:\Windows\System\sWBBNKb.exe
C:\Windows\System\AIkgNHV.exe
C:\Windows\System\QuQaDss.exe
C:\Windows\System\oPhgscW.exe
C:\Windows\System\urwiPtt.exe
C:\Windows\System\OoyOoRt.exe
C:\Windows\System\HmkYGNu.exe
C:\Windows\System\mLNWrXB.exe
C:\Windows\System\eIehZtt.exe
C:\Windows\System\GiHeXrB.exe
C:\Windows\System\RVjcfdM.exe
C:\Windows\System\iDEeojR.exe
C:\Windows\System\mpwRZMs.exe
C:\Windows\System\GCoolKQ.exe

Suspicious use of WriteProcessMemory

Process: C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1892) for every entry; no indicator recorded. The report logs each write three times; the 63 rows collapse to the 21 target processes below, in the order recorded.

Description Target
PID 1892 wrote to memory of 2688 C:\Windows\System\mpwRZMs.exe
PID 1892 wrote to memory of 2496 C:\Windows\System\UkzsSbU.exe
PID 1892 wrote to memory of 2528 C:\Windows\System\GCoolKQ.exe
PID 1892 wrote to memory of 2584 C:\Windows\System\BEWXYsd.exe
PID 1892 wrote to memory of 2504 C:\Windows\System\QuQaDss.exe
PID 1892 wrote to memory of 2304 C:\Windows\System\oPhgscW.exe
PID 1892 wrote to memory of 2448 C:\Windows\System\mLNWrXB.exe
PID 1892 wrote to memory of 2416 C:\Windows\System\MwkRyIJ.exe
PID 1892 wrote to memory of 2856 C:\Windows\System\eIehZtt.exe
PID 1892 wrote to memory of 2864 C:\Windows\System\GiHeXrB.exe
PID 1892 wrote to memory of 2044 C:\Windows\System\urwiPtt.exe
PID 1892 wrote to memory of 2640 C:\Windows\System\RVjcfdM.exe
PID 1892 wrote to memory of 2820 C:\Windows\System\iDEeojR.exe
PID 1892 wrote to memory of 2844 C:\Windows\System\fOngIcp.exe
PID 1892 wrote to memory of 1748 C:\Windows\System\WWQKZbM.exe
PID 1892 wrote to memory of 2276 C:\Windows\System\RnfWDGS.exe
PID 1892 wrote to memory of 328 C:\Windows\System\RVqAzdF.exe
PID 1892 wrote to memory of 2176 C:\Windows\System\OoyOoRt.exe
PID 1892 wrote to memory of 1260 C:\Windows\System\HmkYGNu.exe
PID 1892 wrote to memory of 2872 C:\Windows\System\sWBBNKb.exe
PID 1892 wrote to memory of 2840 C:\Windows\System\AIkgNHV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1892)

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe"

Child processes started by PID 1892 from the dropped files, in the order recorded. Each runs with its own path as the command line; the PIDs are the targets of the WriteProcessMemory entries.

C:\Windows\System\mpwRZMs.exe (PID 2688)
C:\Windows\System\UkzsSbU.exe (PID 2496)
C:\Windows\System\GCoolKQ.exe (PID 2528)
C:\Windows\System\BEWXYsd.exe (PID 2584)
C:\Windows\System\QuQaDss.exe (PID 2504)
C:\Windows\System\oPhgscW.exe (PID 2304)
C:\Windows\System\mLNWrXB.exe (PID 2448)
C:\Windows\System\MwkRyIJ.exe (PID 2416)
C:\Windows\System\eIehZtt.exe (PID 2856)
C:\Windows\System\GiHeXrB.exe (PID 2864)
C:\Windows\System\urwiPtt.exe (PID 2044)
C:\Windows\System\RVjcfdM.exe (PID 2640)
C:\Windows\System\iDEeojR.exe (PID 2820)
C:\Windows\System\fOngIcp.exe (PID 2844)
C:\Windows\System\WWQKZbM.exe (PID 1748)
C:\Windows\System\RnfWDGS.exe (PID 2276)
C:\Windows\System\RVqAzdF.exe (PID 328)
C:\Windows\System\OoyOoRt.exe (PID 2176)
C:\Windows\System\HmkYGNu.exe (PID 1260)
C:\Windows\System\sWBBNKb.exe (PID 2872)
C:\Windows\System\AIkgNHV.exe (PID 2840)
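The "Drops file in Windows directory", "Processes" and "Suspicious use of WriteProcessMemory" entries together describe one chain: a process running from %TEMP% writes executables into C:\Windows\System, starts each one, and writes into the child's memory. The following added example (not part of the sandbox report or its signature engine) is the detection logic a practitioner would run over such an event stream. EVENTS is a constructed stream that mirrors the report's tables for four of the 21 children, using the file names and PIDs recorded on this page plus two benign noise events; the event field names, looks_random() heuristic and severity() thresholds are this example's own assumptions.

```python
"""Detection logic for the drop-and-execute chain in this report: one process
creates executables in C:\Windows\System (the legacy directory, not System32),
starts each one, and writes into the child's memory. Added example; EVENTS is a
constructed event stream modelled on the report's tables, not copied from it."""
import re
from collections import defaultdict

# exactly C:\Windows\System\<name>.exe, case-insensitive; System32 does not match
WINDOWS_SYSTEM_EXE = re.compile(r"^[a-z]:\\windows\\system\\[^\\]+\.exe$", re.I)


def looks_random(stem: str) -> bool:
    """Name heuristic used here: an all-letter stem with no vowels, or with at
    least two upper/lower case changes (mpwRZMs, UkzsSbU). Real names such as
    svchost (0 changes) or Notepad (1 change) do not qualify. A stem that is one
    uppercase run followed by lowercase (BEWXYsd, shaped like MSBuild) is missed,
    which is why severity() does not depend on this signal."""
    if not stem.isalpha() or len(stem) < 5:
        return False
    changes = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    no_vowels = not any(ch in "aeiouAEIOU" for ch in stem)
    return changes >= 2 or no_vowels


def find_drop_and_execute(events):
    """Return {dropper pid: [child records]} for every process that wrote an .exe
    into C:\Windows\System and then started that same file."""
    drops = defaultdict(dict)      # pid -> {lowercased path: path as written}
    spawned = defaultdict(list)    # ppid -> [(child pid, image path)]
    writes = defaultdict(set)      # pid -> {target pids it wrote memory into}
    for ev in events:
        if ev["type"] == "file_create" and WINDOWS_SYSTEM_EXE.match(ev["path"]):
            drops[ev["pid"]][ev["path"].lower()] = ev["path"]
        elif ev["type"] == "process_create":
            spawned[ev["ppid"]].append((ev["pid"], ev["image"]))
        elif ev["type"] == "write_memory":
            writes[ev["pid"]].add(ev["target_pid"])
    findings = {}
    for pid, dropped in drops.items():
        chain = []
        for child_pid, image in spawned.get(pid, []):
            if image.lower() in dropped:
                stem = image.rsplit("\\", 1)[-1][:-4]
                chain.append({"pid": child_pid, "image": image,
                              "random_name": looks_random(stem),
                              "memory_written": child_pid in writes[pid]})
        if chain:
            findings[pid] = chain
    return findings


def severity(chain) -> str:
    """Structural scoring: several dropped executables, every one started and
    written to by the dropper, is the high-confidence signal; names only add
    supporting evidence and are reported, not scored."""
    written = sum(1 for c in chain if c["memory_written"])
    if len(chain) >= 3 and written == len(chain):
        return "high"
    return "medium" if written else "low"


# ---- constructed sample stream (four of the report's 21 children) ----
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
CHILDREN = [(2688, "mpwRZMs"), (2496, "UkzsSbU"), (2528, "GCoolKQ"), (2584, "BEWXYsd")]
EVENTS = [{"type": "process_create", "pid": 1892, "ppid": 1000, "image": SAMPLE}]
for _child_pid, _name in CHILDREN:
    _path = r"C:\Windows\System\%s.exe" % _name
    EVENTS.append({"type": "file_create", "pid": 1892, "path": _path})
    EVENTS.append({"type": "process_create", "pid": _child_pid, "ppid": 1892, "image": _path})
    EVENTS += [{"type": "write_memory", "pid": 1892, "target_pid": _child_pid}] * 3  # logged 3x, as in the report
EVENTS += [  # benign noise: explorer starting notepad, a System32 file written by another process
    {"type": "process_create", "pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "file_create", "pid": 4000, "path": r"C:\Windows\System32\drivers\etc\hosts"},
]

if __name__ == "__main__":
    for dropper, chain in find_drop_and_execute(EVENTS).items():
        print(dropper, severity(chain))
        for c in chain:
            print("  ", c)
```

On the constructed stream the dropper scores "high" from the structure alone: four children, each created, started and written to by the same parent. The name heuristic flags three of the four and misses BEWXYsd, which is the reason the score does not rest on it; a real deployment would add the process's own origin (a %TEMP% path, unsigned) as a further term.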

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 (none recorded) tcp 6

Files

memory/1892-0-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/1892-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\mpwRZMs.exe

MD5 4fc361aa8ffd3685699ee4b1ec6e82cd
SHA1 87240ad7d8c54bb65d023caa15d138ee79634dcc
SHA256 3a2d39fe8247e2ca36cbddf26beee9765ef67e8066d0e5279d1e7529683f837a
SHA512 5644ead83d9faa4f36e7ad555ce419d6ff08d08cee4b32e538964e843cf7af8f174661b00be8986a16436dfc45d3c8a6726fa401cc89045491b444409bd7a9d2

memory/1892-6-0x0000000002460000-0x00000000027B4000-memory.dmp

\Windows\system\UkzsSbU.exe

MD5 b2e12922c3fa24a472c2612e2fd7c57d
SHA1 20a3e85068b1537daeb475531a93bd3d23c1f5d5
SHA256 6cfcdf393aa441f93cfeef91cabcfe745712fce72ecf52a50bc1de9f61b4d230
SHA512 48af392ffbe2de41508c41f7e7a2a58d402ff99aa193a723354f4bdea99a1c96f42eef1fa448ac09a92f9fbc3b3e5974ef1de9ef9a84b6a6732d0478ca193f55

C:\Windows\system\GCoolKQ.exe

MD5 d8fb333cd9cfc3504bcbfe3c37e49d5a
SHA1 16c42ab51f859dfbd3908893475596360a807832
SHA256 fb6dbc05fd0abe6c320ca66dcce388408f696b9c0887150d83d06f3d0f197869
SHA512 8c884a35404886339c392fbe3748c8ea6bf58fc76e3ae8b035e2e3ecf29f72c9973f7e7716b210bd42e88813863364eaca7babb32cf28674d62c06d3bcaeb982

memory/2496-18-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/1892-20-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/1892-17-0x0000000002460000-0x00000000027B4000-memory.dmp

memory/2528-22-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2688-14-0x000000013F6F0000-0x000000013FA44000-memory.dmp

\Windows\system\BEWXYsd.exe

MD5 8b734510f3c58fdcba1ba3589d927304
SHA1 e0f5951d09d338055a0909a7e33fef030031b97f
SHA256 7f94ffcacea9c68e7fd79a774617bb122c6e27399a6e8faaeb271adc0de55167
SHA512 f6a0f9709b594312a927a501483ac717ba07735167dba7a7c603d8fadd442618b804e8c7426c65634fa564a02ad84174051b541fec3afd62ca1fb5d62b9eb5bf

memory/1892-27-0x0000000002460000-0x00000000027B4000-memory.dmp

memory/2584-30-0x000000013F370000-0x000000013F6C4000-memory.dmp

C:\Windows\system\oPhgscW.exe

MD5 ffca5baeb63f9850c7ba81f124ed6bfe
SHA1 c565a269938b16880e238debb8ffdf6794e1190b
SHA256 da6b0e67d94a5d1a9be9814e0419f7a4626f23c540539f6a468dc52d51955f1e
SHA512 dd0eaa481bf907fb7593cfbfffaf2ae1d7167ac6b06fcbc199f6313ec37bfffbd4ce3453978e6f6f0f643aabc207bdde63b93488f2e90318717f44cf1a8998c8

memory/1892-41-0x0000000002460000-0x00000000027B4000-memory.dmp

memory/2304-43-0x000000013F310000-0x000000013F664000-memory.dmp

\Windows\system\mLNWrXB.exe

MD5 5ab2f956342af23a30264f5120d6b0f1
SHA1 2f9a74729b0b69250ebfcd35364792e75f3cc6b2
SHA256 8a39f3c768999a00142136681e769d8c83d663c08d6df96ff678fc1f38905f56
SHA512 df8b7e944b95f102d390b3a81413aa59ad91c02a54b28ea9442b7a111220406b0e9d235cd45d3018c96e72091efa0aa3e7cd256321e071c27b03955e584aa4b2

memory/2448-50-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2416-57-0x000000013F2E0000-0x000000013F634000-memory.dmp

C:\Windows\system\GiHeXrB.exe

MD5 0ee3d7794e3e26ff326f0757967709cb
SHA1 40a8b2484d15b419f57b4b267c4633e95bd73d9d
SHA256 b55270a21c0947d24ff2e6552772b0c4702fa805b06cac225e7913afb51adabd
SHA512 72326fbeaad3d9b20f7632b3b801fc92f2172347440959b6e09d6d5c05faebd2b08a4534cdc514516bbcf4bc7701d16de595cb694a72a5652afdd501a4e15d9a

memory/2856-64-0x000000013FC90000-0x000000013FFE4000-memory.dmp

memory/2864-71-0x000000013FD00000-0x0000000140054000-memory.dmp

C:\Windows\system\urwiPtt.exe

MD5 daba168571df35a33b7a4563e3df4249
SHA1 32c77aac422afd5551ad02c86e49bd9cad018068
SHA256 4e005c434aef0bc5848b515110b7dc646c69d5d58bfda24751bbc1ec7b47b678
SHA512 d5b9b9cb477e2b1cb81f128c37073ee18598c7dee03f68b71992a0b78116ab65e37381f803f2d74f6e9994e873dfe3a37be8243a8fe361c05dcc60b5077d37b4

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-30 05:53

Reported

2024-06-30 05:55

Platform

win10v2004-20240611-en

Max time kernel

143s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DmEUiSw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KHWvbTH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ljymuIh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wmMHdoN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zeaddxZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UfHLPhk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JiwwkWe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PgYJVpv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ICwSUkV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QhzFxWl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cFNbSDr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RoXsecU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DzVvqZH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xSGMyEj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ucINEzi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ipHpcgc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XTcKlZB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WtgAZVn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rEPLjft.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AOoqhIS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GdfWVgS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5096 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wmMHdoN.exe
PID 5096 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wmMHdoN.exe
PID 5096 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WtgAZVn.exe
PID 5096 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WtgAZVn.exe
PID 5096 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zeaddxZ.exe
PID 5096 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zeaddxZ.exe
PID 5096 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rEPLjft.exe
PID 5096 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rEPLjft.exe
PID 5096 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UfHLPhk.exe
PID 5096 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UfHLPhk.exe
PID 5096 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DzVvqZH.exe
PID 5096 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DzVvqZH.exe
PID 5096 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ICwSUkV.exe
PID 5096 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ICwSUkV.exe
PID 5096 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QhzFxWl.exe
PID 5096 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QhzFxWl.exe
PID 5096 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cFNbSDr.exe
PID 5096 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cFNbSDr.exe
PID 5096 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xSGMyEj.exe
PID 5096 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xSGMyEj.exe
PID 5096 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JiwwkWe.exe
PID 5096 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JiwwkWe.exe
PID 5096 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RoXsecU.exe
PID 5096 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RoXsecU.exe
PID 5096 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ucINEzi.exe
PID 5096 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ucINEzi.exe
PID 5096 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DmEUiSw.exe
PID 5096 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DmEUiSw.exe
PID 5096 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KHWvbTH.exe
PID 5096 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KHWvbTH.exe
PID 5096 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AOoqhIS.exe
PID 5096 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AOoqhIS.exe
PID 5096 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PgYJVpv.exe
PID 5096 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PgYJVpv.exe
PID 5096 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GdfWVgS.exe
PID 5096 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GdfWVgS.exe
PID 5096 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XTcKlZB.exe
PID 5096 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XTcKlZB.exe
PID 5096 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ljymuIh.exe
PID 5096 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ljymuIh.exe
PID 5096 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ipHpcgc.exe
PID 5096 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ipHpcgc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\wmMHdoN.exe

C:\Windows\System\wmMHdoN.exe

C:\Windows\System\WtgAZVn.exe

C:\Windows\System\WtgAZVn.exe

C:\Windows\System\zeaddxZ.exe

C:\Windows\System\zeaddxZ.exe

C:\Windows\System\rEPLjft.exe

C:\Windows\System\rEPLjft.exe

C:\Windows\System\UfHLPhk.exe

C:\Windows\System\UfHLPhk.exe

C:\Windows\System\DzVvqZH.exe

C:\Windows\System\DzVvqZH.exe

C:\Windows\System\ICwSUkV.exe

C:\Windows\System\ICwSUkV.exe

C:\Windows\System\QhzFxWl.exe

C:\Windows\System\QhzFxWl.exe

C:\Windows\System\cFNbSDr.exe

C:\Windows\System\cFNbSDr.exe

C:\Windows\System\xSGMyEj.exe

C:\Windows\System\xSGMyEj.exe

C:\Windows\System\JiwwkWe.exe

C:\Windows\System\JiwwkWe.exe

C:\Windows\System\RoXsecU.exe

C:\Windows\System\RoXsecU.exe

C:\Windows\System\ucINEzi.exe

C:\Windows\System\ucINEzi.exe

C:\Windows\System\DmEUiSw.exe

C:\Windows\System\DmEUiSw.exe

C:\Windows\System\KHWvbTH.exe

C:\Windows\System\KHWvbTH.exe

C:\Windows\System\AOoqhIS.exe

C:\Windows\System\AOoqhIS.exe

C:\Windows\System\PgYJVpv.exe

C:\Windows\System\PgYJVpv.exe

C:\Windows\System\GdfWVgS.exe

C:\Windows\System\GdfWVgS.exe

C:\Windows\System\XTcKlZB.exe

C:\Windows\System\XTcKlZB.exe

C:\Windows\System\ljymuIh.exe

C:\Windows\System\ljymuIh.exe

C:\Windows\System\ipHpcgc.exe

C:\Windows\System\ipHpcgc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
