Malware Analysis Report

2025-03-15 08:06

Sample ID: 240812-a6z6ks1hrh
Target: 2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat
SHA256: 90ca6d20112814eb280944bab62157a9e254d0777f19947d057188cf54677899
Tags: cobaltstrike, xmrig, backdoor, miner, trojan, upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2 (listed in the original table of contents; the section itself is not present in this copy of the report)
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 90ca6d20112814eb280944bab62157a9e254d0777f19947d057188cf54677899
Threat Level: Known bad

The file 2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Tags: cobaltstrike, xmrig, backdoor, miner, trojan, upx

Family and payload signatures (static):
    Cobalt Strike reflective loader
    Cobaltstrike family
    XMRig Miner payload
    Xmrig family
    UPX packed file
    Unsigned PE

Behavioural signatures (behavioral1 run):
    Executes dropped EXE
    Loads dropped DLL
    Drops file in Windows directory
    Suspicious use of WriteProcessMemory
    Suspicious use of AdjustPrivilegeToken

What the detonation actually recorded: the sample (PID 2424) wrote 21 executables with seven-letter mixed-case names into C:\Windows\System (the legacy directory, not System32), loaded each of them into its own address space (the 21 "Loads dropped DLL" entries) and also started each as a child process, and made six TCP connections to 3.120.209.58:8080 with an empty Domain column (direct-to-IP). The Cobalt Strike and XMRig labels come from static family signatures whose Description, Indicator, Process and Target fields are all N/A in this export, so they rest on pattern matches rather than on observed beaconing or mining traffic; treat them as a lead to confirm, not as a finished attribution.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-08-12 00:50

Signatures

Cobalt Strike reflective loader
Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family
Tags: cobaltstrike

XMRig Miner payload
Tags: miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family
Tags: xmrig

UPX packed file
Tags: upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE
Description Indicator Process Target
N/A N/A N/A N/A
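The static signatures above carry no indicator detail, so here is what the two of them that can be reproduced offline, UPX packing and the absence of an Authenticode signature, look like as code. This is an added example, not the sandbox's own signature logic: it reads the section table and the data directories straight from the bytes with struct (no pefile dependency), and build_test_pe() fabricates minimal PE32+ images purely so the functions can be exercised here; on a real case you would pass the sample's bytes to pe_sections() and has_authenticode_entry(). The 7.0 entropy threshold is a common rule of thumb, not a value from the report. UPX0/UPX1 section names are trivially renamed by modified UPX builds, so the empty-on-disk-but-large-in-memory and high-entropy checks are the ones that survive a renamed packer.

```python
"""Static triage for the 'UPX packed file' and 'Unsigned PE' hits.
Added example, not the sandbox's detection code; build_test_pe() fabricates
minimal PE32+ images so everything runs offline."""
import math
import struct


def entropy(data):
    """Shannon entropy in bits per byte: 8.0 is uniform, typical of packed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob):
    """One dict per IMAGE_SECTION_HEADER (40 bytes each), with on-disk entropy."""
    if blob[:2] != b"MZ":
        raise ValueError("no DOS header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", blob, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    out = []
    for i in range(nsect):
        off = table + 40 * i
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", blob, off + 8)
        raw = blob[rawptr:rawptr + rawsize] if rawsize else b""
        out.append({"name": name, "vsize": vsize, "rawsize": rawsize, "entropy": entropy(raw)})
    return out


def packer_indicators(sections, threshold=7.0):
    """Human-readable reasons to suspect a packer; empty list means nothing found."""
    hits = []
    if {"UPX0", "UPX1"} <= {s["name"] for s in sections}:
        hits.append("UPX section names present")
    for s in sections:
        if s["rawsize"] == 0 and s["vsize"] > 0:   # unpack target: nothing on disk, big in memory
            hits.append("%s: no data on disk but 0x%x bytes in memory" % (s["name"], s["vsize"]))
        if s["entropy"] > threshold:
            hits.append("%s: entropy %.2f" % (s["name"], s["entropy"]))
    return hits


def has_authenticode_entry(blob):
    """True if the security data directory (index 4) is non-empty.  Absence means
    unsigned; presence still needs chain verification with signtool or similar."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", blob, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 data-directory offset
    _rva, size = struct.unpack_from("<II", blob, dirs + 4 * 8)
    return size != 0


def build_test_pe(sections):
    """Fabricate a minimal PE32+ image from (name, virtual_size, raw_bytes) tuples.
    Constructed test input only; the optional header is zeroed apart from the magic."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    opt = b"\x0b\x02" + bytes(238)                              # magic 0x20B, 240 bytes total
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    data_off = 64 + 4 + 20 + len(opt) + 40 * len(sections)
    table, data = b"", b""
    for name, vsize, raw in sections:
        rawptr = data_off + len(data) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0, len(raw), rawptr,
                             0, 0, 0, 0, 0x60000020)
        data += raw
    return bytes(dos) + b"PE\0\0" + coff + opt + table + data


HIGH = bytes((i * 131 + 7) & 0xFF for i in range(4096))   # every byte value 16 times: entropy 8.0
CODE = bytes(range(64)) * 64                               # 64 distinct values: entropy 6.0


def demo():
    """Packed-looking image vs plain image; returns their indicator lists and signed-ness."""
    packed = build_test_pe([("UPX0", 0x30000, b""), ("UPX1", 0x1000, HIGH), (".rsrc", 0x200, bytes(512))])
    plain = build_test_pe([(".text", 0x1000, CODE), (".data", 0x100, bytes(256))])
    return (packer_indicators(pe_sections(packed)),
            packer_indicators(pe_sections(plain)),
            has_authenticode_entry(packed))


if __name__ == "__main__":
    for item in demo():
        print(item)
```

demo() flags the fabricated UPX image three ways (section names, an empty-on-disk UPX0, an entropy-8.0 UPX1) and the plain image not at all; both fabricated images report no Authenticode entry, which is the "Unsigned PE" condition.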

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-12 00:50
Reported: 2024-08-12 00:52
Platform: win7-20240729-en
Max time kernel: 141s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader
Description Indicator Process Target
N/A N/A N/A N/A (21 rows, no detail recorded)

Cobaltstrike
Tags: trojan backdoor cobaltstrike

xmrig
Tags: miner xmrig

XMRig Miner payload
Tags: miner
Description Indicator Process Target
N/A N/A N/A N/A (61 rows, no detail recorded)

Loads dropped DLL
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows)

UPX packed file
Tags: upx
Description Indicator Process Target
N/A N/A N/A N/A (59 rows, no detail recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\pBvDIwh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DxmUwLd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZPsTwPa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aBkOifW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jlsnRzE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pptoQZK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fpNaByN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oSdhbRv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bYfoYVF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HRghQoL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sCjkxMW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CQwedQF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wlLcHgf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VcPyHho.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kpeyWLl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zBrFPEw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ObkLxnr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CzQilXc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HzMSXIp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KylzsZU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FshksHn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Every row in this table has the sample, C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2424), as the writing process and N/A as the indicator; each child received exactly three writes, collapsed here to one line per child.

Description Target
PID 2424 wrote to memory of 1340 (3 writes) C:\Windows\System\sCjkxMW.exe
PID 2424 wrote to memory of 2328 (3 writes) C:\Windows\System\CQwedQF.exe
PID 2424 wrote to memory of 2648 (3 writes) C:\Windows\System\pBvDIwh.exe
PID 2424 wrote to memory of 2780 (3 writes) C:\Windows\System\ObkLxnr.exe
PID 2424 wrote to memory of 2976 (3 writes) C:\Windows\System\CzQilXc.exe
PID 2424 wrote to memory of 2804 (3 writes) C:\Windows\System\jlsnRzE.exe
PID 2424 wrote to memory of 1676 (3 writes) C:\Windows\System\pptoQZK.exe
PID 2424 wrote to memory of 2540 (3 writes) C:\Windows\System\wlLcHgf.exe
PID 2424 wrote to memory of 2620 (3 writes) C:\Windows\System\HzMSXIp.exe
PID 2424 wrote to memory of 2588 (3 writes) C:\Windows\System\DxmUwLd.exe
PID 2424 wrote to memory of 3060 (3 writes) C:\Windows\System\fpNaByN.exe
PID 2424 wrote to memory of 1044 (3 writes) C:\Windows\System\ZPsTwPa.exe
PID 2424 wrote to memory of 2412 (3 writes) C:\Windows\System\VcPyHho.exe
PID 2424 wrote to memory of 2476 (3 writes) C:\Windows\System\oSdhbRv.exe
PID 2424 wrote to memory of 1988 (3 writes) C:\Windows\System\kpeyWLl.exe
PID 2424 wrote to memory of 2724 (3 writes) C:\Windows\System\KylzsZU.exe
PID 2424 wrote to memory of 2460 (3 writes) C:\Windows\System\aBkOifW.exe
PID 2424 wrote to memory of 2908 (3 writes) C:\Windows\System\bYfoYVF.exe
PID 2424 wrote to memory of 2928 (3 writes) C:\Windows\System\HRghQoL.exe
PID 2424 wrote to memory of 2912 (3 writes) C:\Windows\System\zBrFPEw.exe
PID 2424 wrote to memory of 1984 (3 writes) C:\Windows\System\FshksHn.exe

Three writes into a child immediately after spawning it is the pattern a plain CreateProcess call leaves while the parent fills in the new process's startup parameters, and every target here is a process the sample itself started; no write into a pre-existing process is recorded. Taken alone, this signature therefore documents process creation rather than injection into a foreign process, and should be weighted accordingly during triage.
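One way to turn the behaviour in the three tables above (drop into C:\Windows\System, execute the drop, fan-out from a single parent, connect to the endpoint listed under Network) into detection logic. This is an added example, not a rule shipped by the sandbox or by any SIEM: the events are constructed in a Sysmon-like dict shape (EventID 11/1/3 with Image, TargetFilename, ParentImage and DestinationIp fields) rather than copied logs, and FANOUT_THRESHOLD is an assumed tuning value. The path pattern is anchored on C:\Windows\System\ followed directly by the file name, so ordinary System32 activity does not trip it.

```python
"""Detection logic for the drop-and-fan-out behaviour in the behavioral1 run:
a process running from a user's Temp directory writes executables into
C:\\Windows\\System (the legacy directory, not System32), spawns them, and
talks to the endpoint listed under Network.  Added example, not a rule from
the sandbox; EVENTS are constructed in a Sysmon-like shape, not real logs."""
import re
from collections import defaultdict

TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Anchored on "\Windows\System\<file>.exe"; "\Windows\System32\..." must not match.
WINSYS_RE = re.compile(r"^c:\\windows\\system\\[^\\]+\.exe$", re.IGNORECASE)
KNOWN_C2 = {("3.120.209.58", 8080)}     # from this report's Network table
FANOUT_THRESHOLD = 5                     # assumed tuning value, not from the report

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe")
DROPPED = ["sCjkxMW", "CQwedQF", "pBvDIwh", "ObkLxnr", "CzQilXc", "jlsnRzE"]

# Constructed events.  EventID 11 = FileCreate, 1 = ProcessCreate, 3 = NetworkConnect.
EVENTS = []
for _name in DROPPED:
    _target = r"C:\Windows\System\{}.exe".format(_name)
    EVENTS.append({"EventID": 11, "ProcessId": 2424, "Image": SAMPLE, "TargetFilename": _target})
    EVENTS.append({"EventID": 1, "ParentProcessId": 2424, "ParentImage": SAMPLE, "Image": _target})
EVENTS += [
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},                # benign
    {"EventID": 1, "ParentProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},                              # benign, System32
    {"EventID": 3, "ProcessId": 2424, "Image": SAMPLE,
     "DestinationIp": "3.120.209.58", "DestinationPort": 8080},                 # endpoint from report
    {"EventID": 3, "ProcessId": 900, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},                  # benign (TEST-NET-3)
]


def detect(events):
    """Return (rule, pid, detail) tuples.  Stateful across the stream: an exec only
    counts as 'dropped' if this stream saw the file being written first."""
    alerts = []
    dropped = set()
    spawned = defaultdict(set)   # parent pid -> distinct dropped images it started
    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and TEMP_RE.match(ev["Image"]) and WINSYS_RE.match(ev["TargetFilename"]):
            dropped.add(ev["TargetFilename"].lower())
            alerts.append(("drop_into_windows_system", ev["ProcessId"], ev["TargetFilename"]))
        elif eid == 1 and ev["Image"].lower() in dropped:
            spawned[ev["ParentProcessId"]].add(ev["Image"].lower())
            alerts.append(("exec_dropped_exe", ev["ParentProcessId"], ev["Image"]))
        elif eid == 3 and (ev["DestinationIp"], ev["DestinationPort"]) in KNOWN_C2:
            alerts.append(("known_c2", ev["ProcessId"],
                           "%s:%d" % (ev["DestinationIp"], ev["DestinationPort"])))
    for pid, images in spawned.items():
        if len(images) >= FANOUT_THRESHOLD:
            alerts.append(("dropper_fanout", pid,
                           "%d distinct dropped executables spawned" % len(images)))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(rule, pid, detail)
```

Against the constructed stream, detect() raises six drop alerts, six execute-dropped alerts, one fan-out alert for PID 2424 and one endpoint match, and nothing for the explorer.exe and notepad.exe events. The fan-out rule is the one that generalises: the hashes and names in this run are one-off, the pattern of one Temp-resident parent writing and launching many executables in C:\Windows\System is not.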

Processes

Sample (PID 2424):
C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe"

Dropped executables, each started with no arguments (command line identical to the path), in launch order:
C:\Windows\System\sCjkxMW.exe
C:\Windows\System\CQwedQF.exe
C:\Windows\System\pBvDIwh.exe
C:\Windows\System\ObkLxnr.exe
C:\Windows\System\CzQilXc.exe
C:\Windows\System\jlsnRzE.exe
C:\Windows\System\pptoQZK.exe
C:\Windows\System\wlLcHgf.exe
C:\Windows\System\HzMSXIp.exe
C:\Windows\System\DxmUwLd.exe
C:\Windows\System\fpNaByN.exe
C:\Windows\System\ZPsTwPa.exe
C:\Windows\System\VcPyHho.exe
C:\Windows\System\oSdhbRv.exe
C:\Windows\System\kpeyWLl.exe
C:\Windows\System\KylzsZU.exe
C:\Windows\System\aBkOifW.exe
C:\Windows\System\bYfoYVF.exe
C:\Windows\System\HRghQoL.exe
C:\Windows\System\zBrFPEw.exe
C:\Windows\System\FshksHn.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 identical rows: six connections, no domain resolved)

Files

Dumped memory regions and dropped files, in the order the sandbox recorded them. Two things are worth knowing before reading the list. First, the same file appears both drive-less (\Windows\system\X.exe) and as C:\Windows\System\X.exe, so normalise paths before matching them against the drop table. Second, apart from 2424-0 (0x10000 bytes) every dumped region is exactly 0x354000 bytes, and several regions dumped from the parent (2424-6 at 0x13F0D0000, 2424-27 at 0x13FE90000, 2424-42 at 0x13F050000) sit at the same addresses as the regions dumped from children 1340, 2780 and 2804, which matches the 21 "Loads dropped DLL" entries: the sample maps each dropped executable into its own address space as well as running it. Its repeatedly dumped region 0x2240000-0x2594000 is the same size again, consistent with the image being staged in memory before each write to disk. All 21 dropped files have distinct hashes despite identical mapped size, so a hash blocklist taken from this run will not carry over to the next; key detection on the drop location and the fan-out instead.

memory/2424-2-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/2424-0-0x00000000002F0000-0x0000000000300000-memory.dmp

\Windows\system\sCjkxMW.exe

MD5 4f00098e3499ad1b338cfa4ce338bcb5
SHA1 09598cf4ac73fbef781f07c40c2133ef9f9029dd
SHA256 d762bdff9b4091bfcaef06f27599b67aaa6421d6715ed62ac5dc00ac74e03846
SHA512 dd6a0495c2d252d5576aa20886f69835f65a49563f13e876b3c9a0e567b3ddcd08402404cef5a1593460c66911f4ac3ea14a872af2483b92a9fdf82b74ed9437

memory/2424-6-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/1340-9-0x000000013F0D0000-0x000000013F424000-memory.dmp

\Windows\system\CQwedQF.exe

MD5 22fdc544c8e14eceb5f27b98b261672f
SHA1 192c973c7d0612c6fa4d70504bd1cb65aa4dfbb1
SHA256 d16e9150310875471320337f446deff76ff0f7d26aba782940e8b96559ed036c
SHA512 23e5abd993c31ddb0c6fc070d76ef977face8052edaecb1d11a3e97a8ddd1cede7242643b8b874e916f01d2a270f078c15d111db83e7fb835cfdebc2e4774b95

C:\Windows\system\pBvDIwh.exe

MD5 faaf155e3125bf7bf662633e1e837545
SHA1 7376a82d1e93f585fa96f6a8881f7974050b3fd2
SHA256 fec5b5d3ecab4687aea91b00fe9e8e7cd634c248af79ca8fb6da58dc358ecfc0
SHA512 f6a66c6867916f9341accc9b27a9bf8791f0276e5caa05093fde756c0db06022bf11b7bf01ac181f0d7a27603838fa35e463ec79748154ede27619a14fe0ffc9

memory/2648-21-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/2424-18-0x0000000002240000-0x0000000002594000-memory.dmp

memory/2328-17-0x000000013FBB0000-0x000000013FF04000-memory.dmp

C:\Windows\system\ObkLxnr.exe

MD5 fa54fa9445d0f30f1014c69c4f053c7b
SHA1 2dd79076f2f19b3905fe832ccebd670ee79fcf9b
SHA256 8b38ff520114f2ebf1942b1e898b404d62fbe417e2494abc94639b0d7ba2b21d
SHA512 4628b02ce3b9366f568e04b1ddc185a39f762132162b543e4e740b6f9c1bc3c00a03ab16b89dc6cf22d2db13eca0ea6e3e46e8c12205c4aa8bacf0c7908bdcd7

memory/2780-28-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2424-27-0x000000013FE90000-0x00000001401E4000-memory.dmp

C:\Windows\system\CzQilXc.exe

MD5 5ef858616a3bfcdbfcdd55a5fded342a
SHA1 5d9713cdfa1ee1eb554740f8c4d43daa5eeb5fb9
SHA256 0c2fdb059554b2c91370eee51362d6383780c66995d539a87f975bd07c3c3c7d
SHA512 03f586a0c5f87afe067c34c06f8882ed0f912beb268a842f7c4db2980f6e23d571d432af9998f55d2565a0edbf73462689d6244038dc5a90bbe18f1e58628395

memory/2976-36-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2424-35-0x0000000002240000-0x0000000002594000-memory.dmp

\Windows\system\jlsnRzE.exe

MD5 532df2fd6ae377a7127cdf2153b786fe
SHA1 9c39968d12b6063272e290d92b311ad579a7a788
SHA256 29e8c1ad9ee02c9d6f453ead1f7ee010c2b07a5b50a3505aff7b6e1b3839cb90
SHA512 d634216bcd80df6f9d5f186dbf628925731058ad0dbc93fc5d587db0e254a9e452a5953886e67764f71f338af3dfed8a5921df576d965f91fa6ae5dcf525159e

memory/2424-42-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2804-43-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2424-44-0x000000013F670000-0x000000013F9C4000-memory.dmp

\Windows\system\pptoQZK.exe

MD5 0cd2ec03c60401f66b789a47bd85d65a
SHA1 776040cd20bd09f04b8d83f69f332127c85d3227
SHA256 a9d77ea65bf4611138058382febed0e7ccda33cfa7cd19ed42e5cee08104e4bc
SHA512 2ecf4c0deb030bf5f837c95991564fc1b98171a76e6ddc539fecf20f015f418038a8e7761435ead592c37e6b0400fd15b366e0172b54c1128c3a464802db6f4a

memory/1676-51-0x000000013F3F0000-0x000000013F744000-memory.dmp

memory/2424-50-0x0000000002240000-0x0000000002594000-memory.dmp

\Windows\system\wlLcHgf.exe

MD5 a9a30ab8a27375fdaf67f5d3a6136d80
SHA1 d972be4ef8bc8143d36dfbf93f11eec781ed6b1c
SHA256 3c8406fa556cbdfe4f68f80662eba26c7370aa82fa3931526a2bdc7f80af084e
SHA512 d8d3194ffd04fc85e3ddf83cda286d521082afc2ebc330b28986c06ed244b53e73c3c00048a934b17e807871c8985f7686bd3ab02b2ecec05c3ea3683799121e

\Windows\system\DxmUwLd.exe

MD5 ab000ca4da9b650e4b8ff1aa54217fe6
SHA1 450620c29941905469b15138793f4af072235e0b
SHA256 0b3a5a67c020408270f98dd11246b8cba7d70955fa81f1b6d65c7d0c733fb81b
SHA512 33fbd79faddf14400169f2dc42f869effe17e341815034dbc04f739dec2a44baedd20e36285b373ddad11fb7d389af9011eeb69dbe50d90c1b51aedc739ef2f9

\Windows\system\fpNaByN.exe

MD5 45af9d385f7866e1b5358a2eebe0db17
SHA1 05a45f7fad2688cea3c22310dce39d83a078770b
SHA256 b76d48a88372481db2c5ba25186251615f46433984821fa77555cbd9af57c372
SHA512 1ad9b541d47b71e8142d0fc17e8ffac4aacc6eb7775255de0e1199531e2ba838b19e541b316036c5f00aa303bf15110c3865304293947ede922a724f2e1fccd2

memory/1340-68-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2588-81-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/2424-85-0x0000000002240000-0x0000000002594000-memory.dmp

memory/1044-86-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/2648-92-0x000000013F350000-0x000000013F6A4000-memory.dmp

\Windows\system\bYfoYVF.exe

MD5 2a8bbfe77b8c0e40fc5312ae86f5d107
SHA1 21ffee0702f31d78b62a86348bb1248f2f683c70
SHA256 5cb853e1e65daf32b21a1160560a856e86cc428d84654398074d5f497aa40ce9
SHA512 c8f2c9e72fcc9ec8ea142aff2b87d8e65609e9b5c48db8d3996ec780264840cc0f0849be3c5c629c8a4edeb7239fff5b01b30faf0c0aad844996159e6165370d

\Windows\system\FshksHn.exe

MD5 5947025c1e643b927df675591a8f9cc1
SHA1 763a0535e9887c261d8b3122236ac35ac1c58263
SHA256 2ee143e534c44b4bd15ca24b4bb91487ae38cc62a875d3d66420cfcf4f35442e
SHA512 b50cc060cf37e7c7d13a8f14d1769d52ca43329772b865219a1a708878b5d97e7fcd1e08ee322f101da43453e21c5de524be39278250947afac6fd2015e63747

C:\Windows\system\zBrFPEw.exe

MD5 cb72a5987cbf8089eae77dae735d9c28
SHA1 fdb8041540d4717259bdcee1cac0dbd644cbf8b2
SHA256 17e1029f7ccc8a12d5599fe4b540bcc3ede6639245a8e3120b0c029caa21529b
SHA512 8312e45b3b2d9a946fe6d9aa7624b913549d7222c88cc309ccb843b02d129dc09e637e5c30e8c168e1a5a631d839039dbb5ea3f8daaefbdbc446af53e54c91da

C:\Windows\system\HRghQoL.exe

MD5 54a39a3f76ff9b4c2eb92bebd2001a6f
SHA1 1c5a42ab3271607bb2f497056165848d5763671f
SHA256 04c3ce0faffe3d168c49a85d3468dbcb82473e476ad6b0b7a63fd8f8d229ccfa
SHA512 b0c0d3318825edddcf84a1756046a2f90702678347320e56de47b27df74f78398721ad19c854edf168100c1ad4b1efec26e7054b5bb5fb2e310357da3b60f71e

C:\Windows\system\aBkOifW.exe

MD5 231dbec3fa505db8c0a4117f164d0995
SHA1 3faa3d3441c3c44b0bf028336472df4c14c553b9
SHA256 a49aae644d27c23341c1b186d922a75764abf1ad6812f3e3e9e0695afdc36acb
SHA512 586f5173a4eadffcac35fd60d4a15759315d90fccf8ff3f7230299d20ab80cedfbf87360829711eefc48a29c6ad3d65f4bac410908e67b68fe695514579ea7ec

C:\Windows\system\KylzsZU.exe

MD5 f96567f5bb76852bea3232177a5e0285
SHA1 691f19ed9c85bfa6abd3ccad321aa18620ed288a
SHA256 3d01fdea01eac08bd90e8774b86f2f3f7a93e85ff6e26a6dce2a14cdb6b9ba75
SHA512 458a4c6c9af0f7257a7c4928dac949868bbbb72b0aa38d6a05571f7fce581179e4b1b57af8b22da44fe6a1ade4377d0a9126b57c98b065c134595c6bc25222dc

C:\Windows\system\kpeyWLl.exe

MD5 53cde31d40ddda05ad8dac482fc39387
SHA1 bd8b7818d384752a278714da02e3687ac35ab785
SHA256 e3105e2715bd60e9c5d0f8700a5d9687f445c30c2de31bb47788e4077e8e285a
SHA512 9fb3ce7478cc2204ab9b8d6d06a5ac311ab08a09a0b546a2f861d5df5b421b416d32dcae4c9b7586f2b95b6c1a67847ef5c07815a6f9cd3d0cf9c4b3eb6f8269

memory/2412-94-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2424-93-0x0000000002240000-0x0000000002594000-memory.dmp

memory/2476-101-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/2424-100-0x0000000002240000-0x0000000002594000-memory.dmp

C:\Windows\system\oSdhbRv.exe

MD5 4e72d0c0d3adf78b33b9e6ff51b110b6
SHA1 91422801469ae665f3939c01b45c9ec54f73f111
SHA256 0de0c618173edc7f1d4926bc5232e68bc9b87393e2715ce89fa1ebd5ff688f21
SHA512 62128689a008b75a49a9e28446b2236a9c85b52a26072b63c247a017dc5125667a1ffdad253c04ca56b48c19a082cb22f7757a95b192b560a1a77b18d27f8583

C:\Windows\system\VcPyHho.exe

MD5 5536285b8c5a06faa42b940386be3947
SHA1 05cbd4164c0748442655341f508fcf20f154edd6
SHA256 88ba3a06c66a3cbed85451969a414b35f9bad62142e0845cc81da7484426a945
SHA512 850bdb8fffc625518aae15e3cadbf529d13fb75b1be5a71fb87748c2b68f3b1465e1183dbdd47d6ad836f19518609aad6f899b8f3ed349f3b9e4a0ed44d9b6fc

memory/2424-76-0x0000000002240000-0x0000000002594000-memory.dmp

memory/2424-74-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/3060-84-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2328-83-0x000000013FBB0000-0x000000013FF04000-memory.dmp

C:\Windows\system\ZPsTwPa.exe

MD5 f51d56f29f4429816df031e3539b9326
SHA1 28fb3dc1ce046689accad810ccc5565cf34f6215
SHA256 676faed22be77a563a7d79b21286fea175589e8b41ec9b02093a178b301ff923
SHA512 f7658b6aaeeb02a40a10c539787e7ca1498fec1fda16553b0704fb7ceee55d9deb3268369ec978f10632295bba628365196cf49f05f78533b044cedc04528877

memory/2620-65-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2540-62-0x000000013F530000-0x000000013F884000-memory.dmp

C:\Windows\system\HzMSXIp.exe

MD5 88d186483a9b9b28ca02ad8b99a0ed52
SHA1 0e75c29aae1c3a31e46562c52c25f88ce6a8d6e6
SHA256 634a0ecf844e4e602d880689af5f51084d48dced70001a342a03dd81b325591d
SHA512 538258c0b9ff4e50154585fba8a56b2c42277c2325117f7f60a83a9909dbf68adffbbe5ff90db8d1a98bdbbec1a4a6c1b533af5ea12c9006da84ec908be723e0

memory/2424-56-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2424-137-0x0000000002240000-0x0000000002594000-memory.dmp

memory/2620-138-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2424-139-0x0000000002240000-0x0000000002594000-memory.dmp

memory/2424-140-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/1044-141-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/2412-142-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2476-143-0x000000013F470000-0x000000013F7C4000-memory.dmp

memory/2424-144-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/1340-145-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2328-146-0x000000013FBB0000-0x000000013FF04000-memory.dmp

memory/2780-147-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2648-148-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/2976-149-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2804-150-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/1676-151-0x000000013F3F0000-0x000000013F744000-memory.dmp

memory/2620-153-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2540-152-0x000000013F530000-0x000000013F884000-memory.dmp

memory/2588-154-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/3060-155-0x000000013F420000-0x000000013F774000-memory.dmp

memory/1044-156-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/2412-157-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2476-158-0x000000013F470000-0x000000013F7C4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 00:50

Reported

2024-08-12 00:52

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\BBuzolH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZpoCcxJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TWaDIIP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\szguHPl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QmpzsSE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aaNdGwW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zSrRJPT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PYDcFPG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JjEiDir.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jVOwaRV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vnLPQmP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Ozpefsu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PtwYEiB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YtfiZHk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wbWdSXd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rCqxEAB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YVBoguS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OmZjMBB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lDXbfZQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\blfKjni.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QXjMhwK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3064 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vnLPQmP.exe
PID 3064 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vnLPQmP.exe
PID 3064 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Ozpefsu.exe
PID 3064 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Ozpefsu.exe
PID 3064 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YtfiZHk.exe
PID 3064 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YtfiZHk.exe
PID 3064 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wbWdSXd.exe
PID 3064 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wbWdSXd.exe
PID 3064 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aaNdGwW.exe
PID 3064 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aaNdGwW.exe
PID 3064 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lDXbfZQ.exe
PID 3064 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lDXbfZQ.exe
PID 3064 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zSrRJPT.exe
PID 3064 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zSrRJPT.exe
PID 3064 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PtwYEiB.exe
PID 3064 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PtwYEiB.exe
PID 3064 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JjEiDir.exe
PID 3064 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JjEiDir.exe
PID 3064 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PYDcFPG.exe
PID 3064 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PYDcFPG.exe
PID 3064 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BBuzolH.exe
PID 3064 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BBuzolH.exe
PID 3064 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZpoCcxJ.exe
PID 3064 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZpoCcxJ.exe
PID 3064 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\blfKjni.exe
PID 3064 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\blfKjni.exe
PID 3064 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QXjMhwK.exe
PID 3064 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QXjMhwK.exe
PID 3064 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jVOwaRV.exe
PID 3064 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jVOwaRV.exe
PID 3064 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TWaDIIP.exe
PID 3064 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TWaDIIP.exe
PID 3064 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rCqxEAB.exe
PID 3064 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rCqxEAB.exe
PID 3064 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YVBoguS.exe
PID 3064 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YVBoguS.exe
PID 3064 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\szguHPl.exe
PID 3064 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\szguHPl.exe
PID 3064 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OmZjMBB.exe
PID 3064 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OmZjMBB.exe
PID 3064 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QmpzsSE.exe
PID 3064 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QmpzsSE.exe
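The two tables above describe one behaviour: the sample writes a batch of executables with seven-letter random names into C:\Windows\System, then writes into the memory of the processes running those same files (the Processes list below confirms each of them ran). The rule below is an added example, not part of the sandbox output, showing how such rows can be turned into a detection: it parses lines in the format of the two tables, and flags any parent that drops at least five random-named executables under C:\Windows and touches the memory of processes whose image is one of its own drops. The embedded rows are copied from the tables above, except the explorer.exe line, which is a constructed benign control; the five-drop threshold and the function names are assumptions.

```python
import re
from collections import defaultdict

# Sample rows. The "File created" and "PID ... wrote to memory of" lines are copied
# from the behavioral2 tables; the explorer.exe line is constructed here as a benign
# control and does not appear in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

FILE_CREATED_ROWS = [
    rf"File created C:\Windows\System\BBuzolH.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\ZpoCcxJ.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\vnLPQmP.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\Ozpefsu.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\YtfiZHk.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\QXjMhwK.exe {SAMPLE} N/A",
    r"File created C:\Users\Admin\AppData\Local\Temp\notes.txt C:\Windows\explorer.exe N/A",
]
WPM_ROWS = [  # the sandbox logs each child twice; parsing into sets collapses that
    rf"PID 3064 wrote to memory of 1176 N/A {SAMPLE} C:\Windows\System\vnLPQmP.exe",
    rf"PID 3064 wrote to memory of 1176 N/A {SAMPLE} C:\Windows\System\vnLPQmP.exe",
    rf"PID 3064 wrote to memory of 1380 N/A {SAMPLE} C:\Windows\System\Ozpefsu.exe",
    rf"PID 3064 wrote to memory of 1380 N/A {SAMPLE} C:\Windows\System\Ozpefsu.exe",
    rf"PID 3064 wrote to memory of 3040 N/A {SAMPLE} C:\Windows\System\YtfiZHk.exe",
    rf"PID 3064 wrote to memory of 3040 N/A {SAMPLE} C:\Windows\System\YtfiZHk.exe",
]

# Row formats as rendered in the report; paths in this report contain no spaces.
FILE_CREATED = re.compile(r"^File created (\S+) (\S+) \S+$")
WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
RANDOM_EXE = re.compile(r"^[A-Za-z]{7}\.exe$")   # the naming scheme of every drop above


def is_random_windows_exe(path):
    """True for a seven-letter .exe anywhere under the Windows directory.
    NTFS paths are case-insensitive (behavioral1 shows 'C:\\Windows\\system\\'),
    so the prefix is compared lower-cased."""
    if not path.lower().startswith("c:\\windows\\"):
        return False
    return RANDOM_EXE.match(path.rsplit("\\", 1)[-1]) is not None


def parse_file_created(rows):
    """Map creating process image -> list of created paths."""
    created = defaultdict(list)
    for row in rows:
        m = FILE_CREATED.match(row)
        if m:
            created[m.group(2)].append(m.group(1))
    return created


def parse_write_process_memory(rows):
    """Map writer image -> set of (writer PID, target PID, target image)."""
    writes = defaultdict(set)
    for row in rows:
        m = WPM.match(row)
        if m:
            parent_pid, child_pid, parent_img, child_img = m.groups()
            writes[parent_img].add((int(parent_pid), int(child_pid), child_img))
    return writes


def find_droppers(file_rows, wpm_rows, min_drops=5):
    """Flag processes that drop at least min_drops random-named executables under
    the Windows directory and then write into processes running those drops."""
    created = parse_file_created(file_rows)
    writes = parse_write_process_memory(wpm_rows)
    findings = []
    for image, paths in created.items():
        drops = sorted({p for p in paths if is_random_windows_exe(p)})
        if len(drops) < min_drops:
            continue
        drop_set = {d.lower() for d in drops}
        touched = writes.get(image, set())
        # Children whose image is one of this parent's own drops.
        launched = sorted({(cpid, cimg) for _, cpid, cimg in touched
                           if cimg.lower() in drop_set})
        findings.append({
            "image": image,
            "pids": sorted({ppid for ppid, _, _ in touched}),
            "drop_count": len(drops),
            "drops": drops,
            "launched": launched,
        })
    return findings


if __name__ == "__main__":
    for f in find_droppers(FILE_CREATED_ROWS, WPM_ROWS):
        print(f["pids"], f["drop_count"], "drops,", len(f["launched"]), "launched")
```

The name pattern alone is a weak signal: notepad.exe and svchost.exe are also seven letters, so the rule only fires on the combination of drop count, protected directory and the parent writing into its own drops. Run over the full tables above it reports PID 3064 with 21 drops and 21 launched children; in production, feed it the sandbox's structured output rather than the rendered table, since paths with spaces would break the whitespace-based row regexes.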

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\vnLPQmP.exe

C:\Windows\System\vnLPQmP.exe

C:\Windows\System\Ozpefsu.exe

C:\Windows\System\Ozpefsu.exe

C:\Windows\System\YtfiZHk.exe

C:\Windows\System\YtfiZHk.exe

C:\Windows\System\wbWdSXd.exe

C:\Windows\System\wbWdSXd.exe

C:\Windows\System\aaNdGwW.exe

C:\Windows\System\aaNdGwW.exe

C:\Windows\System\lDXbfZQ.exe

C:\Windows\System\lDXbfZQ.exe

C:\Windows\System\zSrRJPT.exe

C:\Windows\System\zSrRJPT.exe

C:\Windows\System\PtwYEiB.exe

C:\Windows\System\PtwYEiB.exe

C:\Windows\System\JjEiDir.exe

C:\Windows\System\JjEiDir.exe

C:\Windows\System\PYDcFPG.exe

C:\Windows\System\PYDcFPG.exe

C:\Windows\System\BBuzolH.exe

C:\Windows\System\BBuzolH.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3996,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8

C:\Windows\System\ZpoCcxJ.exe

C:\Windows\System\ZpoCcxJ.exe

C:\Windows\System\blfKjni.exe

C:\Windows\System\blfKjni.exe

C:\Windows\System\QXjMhwK.exe

C:\Windows\System\QXjMhwK.exe

C:\Windows\System\jVOwaRV.exe

C:\Windows\System\jVOwaRV.exe

C:\Windows\System\TWaDIIP.exe

C:\Windows\System\TWaDIIP.exe

C:\Windows\System\rCqxEAB.exe

C:\Windows\System\rCqxEAB.exe

C:\Windows\System\YVBoguS.exe

C:\Windows\System\YVBoguS.exe

C:\Windows\System\szguHPl.exe

C:\Windows\System\szguHPl.exe

C:\Windows\System\OmZjMBB.exe

C:\Windows\System\OmZjMBB.exe

C:\Windows\System\QmpzsSE.exe

C:\Windows\System\QmpzsSE.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
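Most of the table above is resolver noise: reverse (in-addr.arpa) lookups and Bing traffic that the guest looked up by name first. The one endpoint that stands out is 3.120.209.58:8080, reached six times over TCP with no DNS name attached. The report does not say what that host is, and with no timestamps in the table the interval cannot be measured, so it is a candidate for closer inspection rather than a confirmed C2. The script below is an added example, not part of the sandbox output: it parses rows in the format of this table, groups connections by endpoint, separates DNS and name-resolved traffic from hard-coded IP endpoints, and ranks the latter first. The rows are copied verbatim from the table; the labels and function names are assumptions.

```python
import re
from collections import defaultdict, namedtuple

# The rows of the Network table above, copied verbatim. Rows without a Domain
# column have only three fields.
NETWORK_ROWS = """
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
""".strip().splitlines()

# country, ip:port, optional domain, proto
ROW = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
Conn = namedtuple("Conn", "country ip port domain proto")
Finding = namedtuple("Finding", "ip port proto kind count domains country")


def parse_rows(rows):
    conns = []
    for row in rows:
        m = ROW.match(row.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            conns.append(Conn(country, ip, int(port), domain or "", proto))
    return conns


def reverse_lookup_count(conns):
    """PTR queries: resolver noise, not sample-driven traffic."""
    return sum(1 for c in conns if c.port == 53 and c.domain.endswith(".in-addr.arpa"))


def triage(conns):
    """Group connections by endpoint and label each group."""
    by_endpoint = defaultdict(list)
    for c in conns:
        by_endpoint[(c.ip, c.port, c.proto)].append(c)
    # Names the guest asked a resolver for (forward lookups only).
    looked_up = {c.domain for c in conns
                 if c.port == 53 and c.domain and not c.domain.endswith(".in-addr.arpa")}
    findings = []
    for (ip, port, proto), group in by_endpoint.items():
        domains = sorted({c.domain for c in group if c.domain})
        if port == 53:
            kind = "dns"
        elif not domains:
            kind = "direct-ip"      # no name attached: hard-coded endpoint, beacon candidate
        elif set(domains) & looked_up:
            kind = "resolved"       # reached via a name the guest resolved first
        else:
            kind = "other"
        findings.append(Finding(ip, port, proto, kind, len(group), domains, group[0].country))
    # Hard-coded IP endpoints first, then by connection count.
    return sorted(findings, key=lambda f: (f.kind != "direct-ip", -f.count))


if __name__ == "__main__":
    conns = parse_rows(NETWORK_ROWS)
    print("reverse lookups:", reverse_lookup_count(conns))
    for f in triage(conns):
        print(f.kind, f.country, f"{f.ip}:{f.port}/{f.proto}", f.count, f.domains)
```

The ranking is a triage aid, not a verdict: a direct-IP endpoint can be a legitimate update server, and a resolved name can be a C2 behind a real domain. What it buys you here is a short list (one endpoint out of four) to take to the static sample and the memory dumps for a config extraction.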

Files

memory/3064-0-0x00007FF7D87E0000-0x00007FF7D8B34000-memory.dmp

memory/3064-1-0x00000212172F0000-0x0000021217300000-memory.dmp

C:\Windows\System\vnLPQmP.exe

MD5 7540c874683ab1e02ef5c6386a22d660
SHA1 331a506b9c141fb73f66783463fdc1e07daa8805
SHA256 33977e941dec61e69121f6817db61234945d6fe25bb54fd77b070f1f56e000ae
SHA512 70ea6163ea9ba55dc049c9857fdbccdbe7a7743fac7ab008da3e047440663fdc9183a007b66044b0d3258a9a5376398a515c36dce22328af6da79adf32a7f65b

memory/1176-7-0x00007FF7D11B0000-0x00007FF7D1504000-memory.dmp

C:\Windows\System\YtfiZHk.exe

MD5 929bbd9181806f29f7124439bc1d5197
SHA1 85ffedf88badb93d8b8be530dcb705526623ceb9
SHA256 9d4b123c7c495a6bf9fd83a9f832b1d0892be2d6368af8c4df81590ab376bf4c
SHA512 229652b543f9457b3cb15885eb428ef18e8cf0bca9e5fc4d93e4d0c14bb9a0b491b89e94096b97c63fa232d98a7da9a6075d325b991900ae8753f8c3f9c38b84

C:\Windows\System\wbWdSXd.exe

MD5 3d328fffb8bb602e4f29a09067217554
SHA1 9aa9815d4608c69f97fe7607f19a7acefa9d8181
SHA256 e0611fef80690210c3f7ecfdb522172edd59b6a2e21977ddffd2f00387b8b075
SHA512 e928ab4a2bb0880cf935c114cffb9d1073a24c0e084681917d95d48b35b2c73af53185871629e239b2b3e5f493c97ef42d40414bb71635c9241eb1147852ace9

C:\Windows\System\aaNdGwW.exe

MD5 c06d3493da709ff7a939745def339a6e
SHA1 be0d9fce8e076812572eb671a8a492a6e12cacc3
SHA256 74831da31ae63c184ca08b3aec59454c718d50c1034815c1550c347a829d7322
SHA512 64d17ad8733fabf90c6a5126ba31e26fc6a72075335b5e5499c1e532d9bc8c4ffd979f12cb3f250186fe381caa32712353995bb7d582bfb683877a52c3e315ff

memory/5012-30-0x00007FF78E3C0000-0x00007FF78E714000-memory.dmp

memory/680-29-0x00007FF6274E0000-0x00007FF627834000-memory.dmp

memory/3040-23-0x00007FF6A0A80000-0x00007FF6A0DD4000-memory.dmp

memory/1380-19-0x00007FF734D20000-0x00007FF735074000-memory.dmp

C:\Windows\System\Ozpefsu.exe

MD5 39e06659666508d887430b3cdeda43d9
SHA1 0fadca7dc465952cf8ef60891fb36441f9062598
SHA256 7a83084efea7ddb38ec03f32310e4b2c593d6fe637fa04e8ef6d667dfe0ee7c8
SHA512 5c73a5345873ce3f333a6c05c47b2feb080c561ff324526313b0e9e4d90edae0a951b23f39a95544015c13f4d399fd21e8992a047e58c98e79539e2c446041c7

C:\Windows\System\lDXbfZQ.exe

MD5 a3691a29d9fbde6cf04d73d3653579d5
SHA1 695c82a160aa5afdf1793087cd8fa66e5fe56286
SHA256 3eb0bf72b63ad24469c8891c36f3742b526a6346f2af7c3d3814797ab7c048c6
SHA512 48157c589adbd0a3f240e0cbf17fc6c2ad2ca279bf14237cbc2330883dfff26a8781cbb9d6df8d2b10b740694a53e4f07210d403823a6b52a48d226230fcffe3

C:\Windows\System\zSrRJPT.exe

MD5 6de626fc1f87695fb99d87023e08a05b
SHA1 b645c6cbbed84775799209aaca6059d216db556f
SHA256 16d1e88b62955abb605ca98fdd362304e280b7ea28a6cf4042139d6f8be77f3f
SHA512 ef3de80474c4920122b64fab68bc189d65ea79fd145367a400c6f950837f47e62d6c42ba95f1fee3bbff5a5e854d82373c5d41981f0faf2ab801e3ed2ec5acfa

memory/4064-38-0x00007FF7D6C90000-0x00007FF7D6FE4000-memory.dmp

memory/3740-42-0x00007FF60EAF0000-0x00007FF60EE44000-memory.dmp

C:\Windows\System\PtwYEiB.exe

MD5 940483d496c4e22a3af7ae69143b97bc
SHA1 2d9a88fecb2887996ce2407ef27dad4f25cf20e0
SHA256 d7c0485940001690e781859ff4c78704262a39da1a9047d2cbd83c32702ed889
SHA512 67cb0d8ebe4c21b959d660c39ad8a71dc14393d494b3ecf79402eda499a74459f9e3fff2880176b75e2e105096baf35bc8ba7e3cb89612871c1db828c113e725

C:\Windows\System\JjEiDir.exe

MD5 bfdc94edae1fa664d858407d4a17b7e5
SHA1 89a84b366cfc6ed7af59bace55ee2d4fb633721f
SHA256 e270a311d0989064546036c8d3004b9abee27c3ea63b2cd60c9b75592d06d8cf
SHA512 2325370df4208c503168a799602c5dbf4831f916d837e0127a6a245eab5c673eedb0fb17a0b49e7c932b4fa9537342d89ae5511eea50708e9c52410245b9c908

C:\Windows\System\PYDcFPG.exe

MD5 3303c0d295f1e1d7af8a8a5f8e1cf80b
SHA1 b06dee50d25ed43b89e2a59df24113c472c5f7d2
SHA256 e517419b28bd648015d67fdcfaad6e1d1865c23acb6866ccc323d8c0daa694e1
SHA512 1d47986218c6306d99008e932e6471e76c18e490c0cf9065a37683c2486db7b3410d34110b2753d65085a0bf569c19a40e3baaaf3436cce0ecb6a228ba902507

C:\Windows\System\BBuzolH.exe

MD5 19eecfdef55583a9a2149e63534cb14c
SHA1 d7ff675b38b5579bbdbc917bd0f7d8cd0359ffee
SHA256 c27179d6eb163cd991e0714be2b1ae330b5f6e6a3caa6179a0cb2f450816957e
SHA512 a5f233dbdacc77d7b48e50097e0036b39102a65f0c494a8fe152ca43a2ab72511eafbbc99e4fd916b758d1bcb6034fb2a398434af17f4572dbf0573dee51502e

memory/1144-64-0x00007FF7C8890000-0x00007FF7C8BE4000-memory.dmp

memory/2884-65-0x00007FF748B20000-0x00007FF748E74000-memory.dmp

memory/1280-63-0x00007FF7A68F0000-0x00007FF7A6C44000-memory.dmp

memory/1740-51-0x00007FF6936E0000-0x00007FF693A34000-memory.dmp

C:\Windows\System\ZpoCcxJ.exe

MD5 649286abe6b8cc4df9e19de872dfb4da
SHA1 5f4ed2bf5ee7bbd9e6fdcb5e19e69bf5478d9080
SHA256 a0450b0e8d159a253d07b4d78355b8a94bfdd2084a0ceb0f3f8a6ef92d7232f0
SHA512 de5244a95196670adc7ad50b7aa5482a12b9bdbf162bef1b7d8e2e8049d67a72811063f07497b4313498d1c7b5671c7ec83db4fab6daa4fd15ff865d7e8f79b1

memory/2372-75-0x00007FF6B53D0000-0x00007FF6B5724000-memory.dmp

memory/3064-74-0x00007FF7D87E0000-0x00007FF7D8B34000-memory.dmp

C:\Windows\System\blfKjni.exe

MD5 8d075c6a216320e212fbdf6d304cb380
SHA1 44207967d5fa044a486c8382b5351415bb3a9586
SHA256 18b9f32da839e9dd2f39f97a231d5c6abee2589d19101473932aa0ebed09ea4c
SHA512 890044d44aee0a34fbd8a98ee86b1795ab13b2c3d62a54ef79dcee58d1f277d117321850e8d9652961f98e9af43ada983e37d2c7090145df9acb902c990c1b08

C:\Windows\System\QXjMhwK.exe

MD5 eff8054ac6cbbd164f34950ff74be0f2
SHA1 4e3952aae51021b01f223fd47385fc2c95b04c63
SHA256 a1f26fe3e4e168b3340a410968dd72537d70745f78ed8a7c583d6c2da627c451
SHA512 c7b07e3ec93f51b4f50c2320be52911700890f3215896af7779c17c442c23f346625f91f5759c13758d559fd5d01a5f11b14d53dcdd91a0fd213bf7eabbe75a9

memory/1380-82-0x00007FF734D20000-0x00007FF735074000-memory.dmp

memory/1176-81-0x00007FF7D11B0000-0x00007FF7D1504000-memory.dmp

C:\Windows\System\jVOwaRV.exe

MD5 8e2496eead3d947020f282fe8dc4cd63
SHA1 83525f5737d4a660157d4dbf4fe6e7530fd6339b
SHA256 4347daeb7a0b8ae9f9e23f2294c5874b7c3c743c1363c5e9700120b795e50a2e
SHA512 c0f11ba1f64397f24cb011c7d746fe25fb2d985896350c354341a4199203e492f5ed69787658500392b97f6e09077345e380b5bdf977e267f84fafe5533c413c

memory/5088-93-0x00007FF66CC40000-0x00007FF66CF94000-memory.dmp

C:\Windows\System\TWaDIIP.exe

MD5 609578d245363731b2307b1d075347bb
SHA1 8c9bf267cbf33b3e171f5f5abff3de2fd90a57bc
SHA256 37fb57334add9ba6ae7eabd033d4ce81c3faefa164d3d1023b0bfa1caf9f98cc
SHA512 d4c51b37db62b57bac81b6fbe87c035b1bf7179c977fde6b2e71902f2bdcb93e16d9f3ba69f52079021a12dcb5d2dfab4d99fed428ff465fd5643b65221646be

memory/3688-102-0x00007FF7F4590000-0x00007FF7F48E4000-memory.dmp

memory/680-97-0x00007FF6274E0000-0x00007FF627834000-memory.dmp

memory/3964-92-0x00007FF67D210000-0x00007FF67D564000-memory.dmp

memory/2728-90-0x00007FF7B2D90000-0x00007FF7B30E4000-memory.dmp

C:\Windows\System\rCqxEAB.exe

MD5 b851b71d25cf21e054fe2589f4f848be
SHA1 a2a7137d2bde21942ad4c02ec1b5ad0c9504a6ea
SHA256 3e96190f016f0823bd592d9085acbb78f318ff4f71f20b3a58139711301a49b3
SHA512 e7cbde311dd5dffbd9e73aeafbc2dba81d9e69b7affc6d50249945b72a8667623ee73bdeedbd3cb9a77135f2f992c4e635ab5fa262ade0a9c8bac0d04ec1fc9d

memory/1872-110-0x00007FF7C3B40000-0x00007FF7C3E94000-memory.dmp

memory/5012-108-0x00007FF78E3C0000-0x00007FF78E714000-memory.dmp

C:\Windows\System\YVBoguS.exe

MD5 ead7436efdb3a742780c87eeb74e6bec
SHA1 2171209000cff12a83a71edc39599738f251c7a5
SHA256 fd89af8c2451ca75e245bf0a34ba52c371a11ffb1f030c9cd73f0ecc867f58fc
SHA512 8dc85769f4b32cc777b5856d9964e8168a99ec40a6360e02e8489497c93a070f90818c7d53ac72b848fb5e999ac617fcc0bc218c9529c06bc56d789c2174b708

C:\Windows\System\OmZjMBB.exe

MD5 d579ac8f7fde51391c101cf68bb8f1a7
SHA1 b0204387c03a572385d83db2f06fdb199515d5f9
SHA256 cb8bdd075da76c3b7d3969974b8d0145eb073f202c487789dcec227f3672b551
SHA512 886056ef92739d2959dfa1c6388ed817a0c884039d5c3c31a2b2b37a1d062212a71992c9cfde11be8d578e2fd9fa6f17405fad65bd716bf5ee9cc71229614bf7

memory/1572-125-0x00007FF624700000-0x00007FF624A54000-memory.dmp

C:\Windows\System\QmpzsSE.exe

MD5 3e735f8c16c19067691f4f3bd3ad2b65
SHA1 601a7d7c4d360a7c45ee20e05874eec7152efd13
SHA256 84dc9f50d004f463a59cd5a982abaf711fe3fad700d153279648f1750855a70d
SHA512 3d8fd53f8485df45c40356441e8293508e52d39ada2af8c7e6b6112ce2ec9c9bcff8cfc46d77ecebbc5da52f7e81ff906005aa9c62b183efde2b4edf0d3a61f5

memory/1740-133-0x00007FF6936E0000-0x00007FF693A34000-memory.dmp

memory/3376-134-0x00007FF6D6A60000-0x00007FF6D6DB4000-memory.dmp

C:\Windows\System\szguHPl.exe

MD5 754cfc0bd9a3cbfe9d9f3f1dedf962c9
SHA1 a89e48e2ca01ad7517ec486ad51d3495d99fdb32
SHA256 439bf6ab34e5da7cc557b4fba83652eac856100abad6420aac546d0a8c3daf5b
SHA512 66bb63694ecea926d45a713c3a7cc7783db80a55d4b1fd673ba7b7d47ce84077880b3f44df3214c29922bf1a12dc3442f807c57623cbb946c261cf757a2f205d

memory/3088-126-0x00007FF7133C0000-0x00007FF713714000-memory.dmp

memory/3740-123-0x00007FF60EAF0000-0x00007FF60EE44000-memory.dmp

memory/4440-119-0x00007FF797520000-0x00007FF797874000-memory.dmp

memory/2884-135-0x00007FF748B20000-0x00007FF748E74000-memory.dmp

memory/5088-136-0x00007FF66CC40000-0x00007FF66CF94000-memory.dmp

memory/1572-137-0x00007FF624700000-0x00007FF624A54000-memory.dmp

memory/3088-138-0x00007FF7133C0000-0x00007FF713714000-memory.dmp

memory/1176-139-0x00007FF7D11B0000-0x00007FF7D1504000-memory.dmp

memory/1380-140-0x00007FF734D20000-0x00007FF735074000-memory.dmp

memory/3040-141-0x00007FF6A0A80000-0x00007FF6A0DD4000-memory.dmp

memory/680-142-0x00007FF6274E0000-0x00007FF627834000-memory.dmp

memory/5012-143-0x00007FF78E3C0000-0x00007FF78E714000-memory.dmp

memory/4064-144-0x00007FF7D6C90000-0x00007FF7D6FE4000-memory.dmp

memory/3740-145-0x00007FF60EAF0000-0x00007FF60EE44000-memory.dmp

memory/1740-147-0x00007FF6936E0000-0x00007FF693A34000-memory.dmp

memory/1280-146-0x00007FF7A68F0000-0x00007FF7A6C44000-memory.dmp

memory/1144-148-0x00007FF7C8890000-0x00007FF7C8BE4000-memory.dmp

memory/2884-149-0x00007FF748B20000-0x00007FF748E74000-memory.dmp

memory/2372-150-0x00007FF6B53D0000-0x00007FF6B5724000-memory.dmp

memory/2728-151-0x00007FF7B2D90000-0x00007FF7B30E4000-memory.dmp

memory/3964-152-0x00007FF67D210000-0x00007FF67D564000-memory.dmp

memory/3688-153-0x00007FF7F4590000-0x00007FF7F48E4000-memory.dmp

memory/5088-154-0x00007FF66CC40000-0x00007FF66CF94000-memory.dmp

memory/1872-155-0x00007FF7C3B40000-0x00007FF7C3E94000-memory.dmp

memory/4440-156-0x00007FF797520000-0x00007FF797874000-memory.dmp

memory/1572-158-0x00007FF624700000-0x00007FF624A54000-memory.dmp

memory/3376-157-0x00007FF6D6A60000-0x00007FF6D6DB4000-memory.dmp

memory/3088-159-0x00007FF7133C0000-0x00007FF713714000-memory.dmp
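The memory dump names in both Files sections encode PID, a sequence number and the start and end address of the dumped region. Subtracting the two addresses shows that every dumped image region, in the Windows 7 run (bases around 0x13F......) and the Windows 10 run (bases around 0x7FF.........) alike, is exactly 0x354000 bytes; the only exception is memory/3064-1, a 0x10000-byte region in the parent. That identical mapped size, set against the fact that every one of the dropped files carries a different MD5/SHA256, is what one would expect if the same program were written out with per-copy differences (the report tags the sample as UPX packed). The report does not state this, so treat it as a hypothesis to confirm by unpacking two drops and diffing them. The parser below is an added example, not part of the sandbox output; the dump names it embeds are copied from the Files sections above and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Dump names copied from the Files sections of both behavioral runs above.
DUMP_NAMES = """
memory/2412-94-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2424-93-0x0000000002240000-0x0000000002594000-memory.dmp
memory/2780-147-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/3064-0-0x00007FF7D87E0000-0x00007FF7D8B34000-memory.dmp
memory/3064-1-0x00000212172F0000-0x0000021217300000-memory.dmp
memory/1176-7-0x00007FF7D11B0000-0x00007FF7D1504000-memory.dmp
memory/5088-93-0x00007FF66CC40000-0x00007FF66CF94000-memory.dmp
memory/3376-134-0x00007FF6D6A60000-0x00007FF6D6DB4000-memory.dmp
""".split()

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Decode one dump name; None if it does not match the naming scheme."""
    m = DUMP.match(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end,
            "size": end - start}


def region_sizes(names):
    """pid -> sorted list of distinct dumped-region sizes for that process."""
    sizes = defaultdict(set)
    for d in filter(None, map(parse_dump, names)):
        sizes[d["pid"]].add(d["size"])
    return {pid: sorted(s) for pid, s in sizes.items()}


def dominant_size(names):
    """(most common region size, how many dumps have it)."""
    counts = Counter(d["size"] for d in filter(None, map(parse_dump, names)))
    return counts.most_common(1)[0]


def outliers(names):
    """Dumps whose size differs from the dominant one: (pid, seq, size)."""
    size, _ = dominant_size(names)
    return [(d["pid"], d["seq"], d["size"])
            for d in filter(None, map(parse_dump, names)) if d["size"] != size]


if __name__ == "__main__":
    size, n = dominant_size(DUMP_NAMES)
    print(f"dominant region size 0x{size:X} ({size / 2**20:.2f} MiB) in {n} dumps")
    for pid, seq, s in outliers(DUMP_NAMES):
        print(f"outlier: pid {pid} dump {seq} size 0x{s:X}")
```

Run over all dump names in this report, the dominant size holds for every child in both runs. A useful follow-up that the report alone cannot answer is to pull one of the 0x354000-byte dumps, confirm it is a full PE image (MZ at offset 0 and a SizeOfImage in the optional header matching the region size), and run the Cobalt Strike and XMRig signature logic against the unpacked image rather than the on-disk file.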