Malware Analysis Report

2025-03-15 08:04

Sample ID 240813-n34lgssamb
Target 2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat
SHA256 11a7933fa0e8f98b2459a1992e0ec2f8996034b4de79f034b31566d84e1e16e6
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
Score

10/10

Analysis Overview

Score

10/10

SHA256

11a7933fa0e8f98b2459a1992e0ec2f8996034b4de79f034b31566d84e1e16e6

Threat Level: Known bad

The file 2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

Cobaltstrike family

XMRig Miner payload

xmrig

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 11:56

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 11:56

Reported

2024-08-13 11:58

Platform

win7-20240708-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no indicator details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (38 identical rows; no indicator details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no indicator details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\Wimrvpn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dqhRVJk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KjuTnME.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iJwWOYz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QpLFTDY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NjDWpoh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TpxLbRd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Phrnhix.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LRMXSAb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yUhSlOZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FKOqBiX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rOyKuVI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sLPmnoh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JmNQwsS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wBbFyJS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZaNDkXD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LaqcycD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DQjXold.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MjaYLlj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NjfisLX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WNCisjA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (63 rows; each of the 21 targets below was recorded 3 times)
PID 1964 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Wimrvpn.exe
PID 1964 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FKOqBiX.exe
PID 1964 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NjDWpoh.exe
PID 1964 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rOyKuVI.exe
PID 1964 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NjfisLX.exe
PID 1964 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sLPmnoh.exe
PID 1964 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dqhRVJk.exe
PID 1964 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KjuTnME.exe
PID 1964 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iJwWOYz.exe
PID 1964 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TpxLbRd.exe
PID 1964 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JmNQwsS.exe
PID 1964 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Phrnhix.exe
PID 1964 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wBbFyJS.exe
PID 1964 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZaNDkXD.exe
PID 1964 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpLFTDY.exe
PID 1964 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LRMXSAb.exe
PID 1964 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WNCisjA.exe
PID 1964 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LaqcycD.exe
PID 1964 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yUhSlOZ.exe
PID 1964 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DQjXold.exe
PID 1964 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MjaYLlj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\Wimrvpn.exe

C:\Windows\System\Wimrvpn.exe

C:\Windows\System\FKOqBiX.exe

C:\Windows\System\FKOqBiX.exe

C:\Windows\System\NjDWpoh.exe

C:\Windows\System\NjDWpoh.exe

C:\Windows\System\rOyKuVI.exe

C:\Windows\System\rOyKuVI.exe

C:\Windows\System\NjfisLX.exe

C:\Windows\System\NjfisLX.exe

C:\Windows\System\sLPmnoh.exe

C:\Windows\System\sLPmnoh.exe

C:\Windows\System\dqhRVJk.exe

C:\Windows\System\dqhRVJk.exe

C:\Windows\System\KjuTnME.exe

C:\Windows\System\KjuTnME.exe

C:\Windows\System\iJwWOYz.exe

C:\Windows\System\iJwWOYz.exe

C:\Windows\System\TpxLbRd.exe

C:\Windows\System\TpxLbRd.exe

C:\Windows\System\JmNQwsS.exe

C:\Windows\System\JmNQwsS.exe

C:\Windows\System\Phrnhix.exe

C:\Windows\System\Phrnhix.exe

C:\Windows\System\wBbFyJS.exe

C:\Windows\System\wBbFyJS.exe

C:\Windows\System\ZaNDkXD.exe

C:\Windows\System\ZaNDkXD.exe

C:\Windows\System\QpLFTDY.exe

C:\Windows\System\QpLFTDY.exe

C:\Windows\System\LRMXSAb.exe

C:\Windows\System\LRMXSAb.exe

C:\Windows\System\WNCisjA.exe

C:\Windows\System\WNCisjA.exe

C:\Windows\System\LaqcycD.exe

C:\Windows\System\LaqcycD.exe

C:\Windows\System\yUhSlOZ.exe

C:\Windows\System\yUhSlOZ.exe

C:\Windows\System\DQjXold.exe

C:\Windows\System\DQjXold.exe

C:\Windows\System\MjaYLlj.exe

C:\Windows\System\MjaYLlj.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 identical connections)

Files

memory/1964-0-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/1964-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\Wimrvpn.exe

MD5 edabf4d70ef899956cc5690b63a61dd8
SHA1 0a788b00002b2b1c6c195fb2c91033d3d7f9c578
SHA256 6c65d4c32e6e38963eb12c3e0da86a0ac19e60bc3ed2fbb2b7413a7b773ac272
SHA512 c835d36f8b3efeac61a4042bc6cfb544b8e765de3b600d1de9893b95b4373348882d61afd9a10bcce856b8886289f63c7d2a07aef4182bd1105831858417fbf3

C:\Windows\system\FKOqBiX.exe

MD5 6f18363cff745d52bba800a663286f8b
SHA1 7eb261f223c617a27bde98d7f6bcdcf7c705178e
SHA256 cb5c23abb08854f30046d8b41ca1b01741daf66d40d47b3786bf75521f1e7158
SHA512 aeb189738d3dc76994e76b680a586d71425ab59122fa8857fd5b26f8514f3ad1c9c46c51ee6f37627cdaab7da4eae5a8aa052b7f42073f4deb3d898f7f6a2daa

memory/1624-16-0x000000013F0F0000-0x000000013F441000-memory.dmp

memory/1964-14-0x000000013F0F0000-0x000000013F441000-memory.dmp

memory/2072-11-0x000000013F530000-0x000000013F881000-memory.dmp

memory/1964-9-0x0000000002440000-0x0000000002791000-memory.dmp

C:\Windows\system\NjDWpoh.exe

MD5 33324651b35c896fc83f61ffaac8f6df
SHA1 1f565e08b6df1ec93df3b99162efd4b3b6116104
SHA256 2dea67a3fdca0112737a78cfbaf163e60246c0566e0b7687d838f6f2e262daae
SHA512 3c2a045e35e58b0c3e68246917cdb79c4a1e6c734c46e30ffaee337c798dd1d7bfb658c792893ad94c99ad9afa8486f72e174cd793b8cf626e5c4cb2cad2752c

C:\Windows\system\rOyKuVI.exe

MD5 62d91f93b52bec0fb00ae6ba2b6bbd5d
SHA1 a0b1f6210578cc289eb74530f291419f02ddd9d1
SHA256 4c2e3cff74b5921e7a8a1a7663180a77868c6155c08c9cd984a5bb1a078d9368
SHA512 0dbe63f9336112b3e24624ea5f33fc768a075fede3e63845fa7af1de56604209cc23c9fbf338481fb052d6295162863d89667d21c1d82087d7908d6ffda4e863

memory/1964-29-0x000000013FEB0000-0x0000000140201000-memory.dmp

memory/2904-30-0x000000013FEB0000-0x0000000140201000-memory.dmp

memory/2292-23-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/1964-22-0x000000013FE20000-0x0000000140171000-memory.dmp

C:\Windows\system\sLPmnoh.exe

MD5 995691522de11988284d61792ef7cd49
SHA1 b467529c4ca6e7142bd82a50a3a5d91b08f0b3b8
SHA256 7cbd9f2a15ee82d8c6028796c03cf57e2dbcaf3461e361a0c7da39f5dd74364e
SHA512 c13381e98570d2923e3e51c8e76068c579e39774e7bd4da3e4ec286d88dde73efa1e6b27483a7ac7953bd0e5a5e67a54311cf676907dcd129206d60dc062d8d2

memory/1964-41-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2776-42-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2920-54-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/1964-53-0x000000013FE90000-0x00000001401E1000-memory.dmp

C:\Windows\system\KjuTnME.exe

MD5 a5db96b65da171e2436d58930d114178
SHA1 73e37b07e55088f3171fcc1970f9cf2cd1cd7995
SHA256 4b38a00db350c54ff6e9e4c78fa17cb462a6c365d0ea66fd9a22099521064f7a
SHA512 c12d6ed3bb1db9f06efa32badd711beeede5ab8f560c4e59bf38a8a0e3b4c5a62079db405956a6be2e856e1d237c4deed66b196fb33033bbccc8a39c40e90ccb

C:\Windows\system\TpxLbRd.exe

MD5 4e62e3452979d555d5fd6f3736069ff9
SHA1 4a16a635ba7baf0c229e98c95c3a05e5734370c7
SHA256 e558d89e156431f15369c66cb8ec6788115f0907ca7c14b53d277b4b0d89761a
SHA512 95a4be378da88b2fe75b6949d473b97db2cc68f03518d2f689e323c0e3a81c818aa7728bb7788256e6e6be250c198be021e2327abcbf2813d05d5b84071052d9

memory/2632-71-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/2736-65-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/2648-80-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/3000-87-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/1356-100-0x000000013F520000-0x000000013F871000-memory.dmp

C:\Windows\system\DQjXold.exe

MD5 f597874f408b26264915010a7cde0360
SHA1 22f6bda1fc0ecf0d846a08639dffdb8db31ca9d3
SHA256 994d7e1fd1029373df81afa32144572dab801d944d12e52a5a7f99a355db028c
SHA512 b677e799f7d4b20b7c768ac24189b31acb62ad2bb1846625cfc93ca65efccd238e04226f50f5aa5c0c9e8fdeecf4fb1522a84deb1a37c5db97dfe6693d8a6895

\Windows\system\MjaYLlj.exe

MD5 8cce9f66d3a892ffcb40a1e4be993f71
SHA1 d93bc06fbf2f9928a325ef0d9b0383143481fa32
SHA256 9aacb2d912e0334cfd5a7a93bd1a87c4325d7181d45a255c8cb16fe90c6886ff
SHA512 5725c04b9d37cc0fc95e5283930a49b77c00ad71ba59911f6069bea41c8cd382d20370be5d000bd7c6979ad8413adb37ebb309b175fda66f4cc148e6180ecf6e

C:\Windows\system\yUhSlOZ.exe

MD5 d6451902cfa62699ff8c5266bd62f7a5
SHA1 60fddb060b636cea82fe103e860442d1b8c3a730
SHA256 04f8458e2f0cb3f881e5c39b21bfe258838fbccb317cd51c7d14dc0b29ef4920
SHA512 a5841178f3bd3e2c0526b20652650046b3652ce350115917cdb0bc2abdffafd00a06c3ebbc798ad80ce38e49670cdd18c995c71421dbcd6f03d313c75bd8d8ad

C:\Windows\system\LaqcycD.exe

MD5 abcaaadce2360f05b562d8f43fe803f5
SHA1 c54017840b106384fb506f154575d2f5d65f7211
SHA256 290067c4f667505c07b3f90326433dc1e4979cf82d35a37432b3dc4b1320a58b
SHA512 6535101d3b3bfb63b4da16806fdf06d4f6674d29e769d585580c924d26fd5eba68035f5b456e77fbcad4cb312d3219c58bebb780bf71d66ff1b33acaa26514f1

C:\Windows\system\WNCisjA.exe

MD5 7fc5472e1aa133bd23cf3772d31adb51
SHA1 54ac214f99f02dae736eb1e75c4bd1b8a1f653a2
SHA256 def0e7d91e29fa5404e8cfffbd3686d166a0b14aae880b9c10a20d630028c354
SHA512 fd900d7ad661dba5ef9f1bf76945e207e55280b4c9c8e2d40b56a66acb6568f57ba3ec398ccd19d54444ab595f369d88c92f3ce23a67877ab96cd99416056ead

memory/1964-108-0x0000000002440000-0x0000000002791000-memory.dmp

memory/2776-107-0x000000013F070000-0x000000013F3C1000-memory.dmp

C:\Windows\system\QpLFTDY.exe

MD5 49312f666ab7ec16a6f3612cd41dab51
SHA1 3093d2a420f0bb75f82089f32034a31dd18b56d4
SHA256 8d8ea1df6c18413549439444ccb53667cb47590264c2de999f4c06336a2a68b4
SHA512 ba933b441a64bbc60b694fff03339f1ff42cef252993578f5077d5645388453f0c14fe28936449cdcff1a2aebbe9ba39e6e8bd0568a6274bb4b28c49f36c507d

C:\Windows\system\LRMXSAb.exe

MD5 1146fd19ec25ad029dd0e84353cbe8b5
SHA1 080e3b1ab2f8158b9856548e2f5ba15a78d05aff
SHA256 196c6b7509782293ac26175f645cd8d52da4ba5c899eb9daf03330b262080a87
SHA512 f79c6f18fd45125148f99628070304e8e7c077017b4f6914fb771ca141296a0d3ed66a676152dff498429d9acbc7d3ccaf284e363d2dffebc7d9fe2561c44948

memory/1964-99-0x0000000002440000-0x0000000002791000-memory.dmp

memory/2276-98-0x000000013F510000-0x000000013F861000-memory.dmp

C:\Windows\system\ZaNDkXD.exe

MD5 e9978ab3ba609e744c41746f1ee9fa58
SHA1 2bf0cfab93804840759cbc32a1dbd331d42944dd
SHA256 2665825a8a7b90f2db1366296ee34a7ec3fe5a709e767c55d0f8b933f59980b5
SHA512 0e0900dc1c6a7ddd0841a8401ebb023b04f1c2f300fa04370057616df665426049bb9f33c48081f6bce1e041a5f894cafffae5ea4a8cd057e8b4b8655eb0b918

memory/304-92-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/1964-91-0x000000013F170000-0x000000013F4C1000-memory.dmp

C:\Windows\system\wBbFyJS.exe

MD5 76e68d3ace6ed8e1a1c052359e99ba0e
SHA1 5181082f0b8de06dfed96202669b4599637bed70
SHA256 f25f823065e9dd098ff8a0a1ade62f31aa7cfeac47759daf77ee4591af393881
SHA512 ec1660c99764e703e49a57ae260f383bb688c08c281b307ecefc9cf75c44899a92a5131755c0fa51db584c09fca46944883b6c2cc4668e96ea26b6462aaae17b

memory/1964-86-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/1964-79-0x0000000002440000-0x0000000002791000-memory.dmp

memory/1624-78-0x000000013F0F0000-0x000000013F441000-memory.dmp

C:\Windows\system\JmNQwsS.exe

MD5 05b986d5923e487b6ea6a1d004607a71
SHA1 4c5b31688435ec8efc8a24ebabd99a248372a06b
SHA256 977888d6682056fec369a7caebcd51e2c7c402c055d2a3c7d88dc9d9b289dd6f
SHA512 e1fe467f02700accaa193800311d72726ea5df0932c43f05d0c4bbb04ccb2d406aac78f0ceef52d8f1dac931e75801a8d4ad88de919ebf3ecabdd1018ec3ca03

C:\Windows\system\Phrnhix.exe

MD5 02f28c767f69b86fb7c6d5d22485adbd
SHA1 c7e6a1ae412b11134f2dc91a1fe9a3811cf25f05
SHA256 281c6f526dd9ad4bd17fd993b90b7f285b64eb89f8d28e69ef797ea5214f4378
SHA512 aad160fdf3d983b59fc9123e4b2526dba17c8d25f044a6220cfee4ad1da14ced70dfbb6a1ca5bc538722d3d30b57545b3cb8dc0eaf2f57db2177ed6a0d205d0e

memory/2072-64-0x000000013F530000-0x000000013F881000-memory.dmp

C:\Windows\system\iJwWOYz.exe

MD5 a399e2ab5e45c5e09fe2b55e301fa434
SHA1 e9527808ddcc65782b1bfbe09a2c9245be38a631
SHA256 245499fc2f3cc55bf9fd7b4fe99b2a3f3505f3f985ceef17e3e4727be3028c82
SHA512 1ed561c7f8f1fc8ce310adbe92a70bf9ad3342cf8f5b560c7398d6226303a3b51484344878a2397787e892113953d8c5653f3ea3cde07aed6b30e2a6e826b75b

memory/2816-60-0x000000013F6F0000-0x000000013FA41000-memory.dmp

memory/1964-59-0x000000013F780000-0x000000013FAD1000-memory.dmp

C:\Windows\system\dqhRVJk.exe

MD5 736da9e5f75adaad4963d2fa19eaa81b
SHA1 53f73147ab05c2a94aeab26352e3b2edddbea78e
SHA256 9a2157a28de9ef0f9e65cf032562eae138b83ce183702ca7496f2e0ee52b1648
SHA512 c544ff975d3494f1983198120170b807d37249294e42c57cd9f4585952844c4a0873e9e21bfd1048e4f4efddd269d200cd6b52f94231770f4f7aa1e355bb7ef5

memory/1964-70-0x0000000002440000-0x0000000002791000-memory.dmp

memory/2276-36-0x000000013F510000-0x000000013F861000-memory.dmp

memory/1964-35-0x0000000002440000-0x0000000002791000-memory.dmp

C:\Windows\system\NjfisLX.exe

MD5 44a9fb981cf87f0018cf1be6c3ab3f2b
SHA1 6c91d01b89ee91361ddd82d77eab5d70e25ee956
SHA256 924a5dc4e1dff9450b4449c0b01246f7e1d681c7786a2950c390862f20477474
SHA512 06c0958c14d9b97b890422110ec75e8515d84422034d4aa38509d7132690afec88208359e12fb9011cd384378605f847b4a39081608aee9035648cbecbf88586

memory/2816-139-0x000000013F6F0000-0x000000013FA41000-memory.dmp

memory/1964-140-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/2632-150-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/304-153-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/1356-154-0x000000013F520000-0x000000013F871000-memory.dmp

memory/1768-160-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/1928-161-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/1964-162-0x0000000002440000-0x0000000002791000-memory.dmp

memory/1900-159-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/1056-158-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/1960-157-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/1708-156-0x000000013F300000-0x000000013F651000-memory.dmp

memory/1756-155-0x000000013F6B0000-0x000000013FA01000-memory.dmp

memory/1964-163-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/1964-164-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/1964-169-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/2072-210-0x000000013F530000-0x000000013F881000-memory.dmp

memory/1624-212-0x000000013F0F0000-0x000000013F441000-memory.dmp

memory/2292-214-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/2904-216-0x000000013FEB0000-0x0000000140201000-memory.dmp

memory/2776-218-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2920-233-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/2276-235-0x000000013F510000-0x000000013F861000-memory.dmp

memory/2816-237-0x000000013F6F0000-0x000000013FA41000-memory.dmp

memory/2736-239-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/2632-241-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/2648-243-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/3000-245-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/304-247-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/1356-249-0x000000013F520000-0x000000013F871000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 11:56

Reported

2024-08-13 11:58

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\PzneVRg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PVwDWSA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nNQZONg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RtHqDRM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nbeCNzl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mQOUkVF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UoAbijW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YdivTwH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\namBGys.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cqnPkWi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ktnluqB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fGtornN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DJrQSPM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dKcdNlZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\udtaBWu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BgShqCR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IXVcGBJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jChWjpz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SAQtlhi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZKGeOQg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RNkVPxu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZKGeOQg.exe
PID 624 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZKGeOQg.exe
PID 624 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RtHqDRM.exe
PID 624 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RtHqDRM.exe
PID 624 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\namBGys.exe
PID 624 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\namBGys.exe
PID 624 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RNkVPxu.exe
PID 624 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RNkVPxu.exe
PID 624 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dKcdNlZ.exe
PID 624 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dKcdNlZ.exe
PID 624 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\udtaBWu.exe
PID 624 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\udtaBWu.exe
PID 624 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbeCNzl.exe
PID 624 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbeCNzl.exe
PID 624 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cqnPkWi.exe
PID 624 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cqnPkWi.exe
PID 624 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ktnluqB.exe
PID 624 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ktnluqB.exe
PID 624 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mQOUkVF.exe
PID 624 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mQOUkVF.exe
PID 624 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fGtornN.exe
PID 624 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fGtornN.exe
PID 624 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PzneVRg.exe
PID 624 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PzneVRg.exe
PID 624 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DJrQSPM.exe
PID 624 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DJrQSPM.exe
PID 624 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BgShqCR.exe
PID 624 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BgShqCR.exe
PID 624 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PVwDWSA.exe
PID 624 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PVwDWSA.exe
PID 624 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UoAbijW.exe
PID 624 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UoAbijW.exe
PID 624 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nNQZONg.exe
PID 624 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nNQZONg.exe
PID 624 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IXVcGBJ.exe
PID 624 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IXVcGBJ.exe
PID 624 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jChWjpz.exe
PID 624 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jChWjpz.exe
PID 624 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SAQtlhi.exe
PID 624 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SAQtlhi.exe
PID 624 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YdivTwH.exe
PID 624 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YdivTwH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ZKGeOQg.exe

C:\Windows\System\ZKGeOQg.exe

C:\Windows\System\RtHqDRM.exe

C:\Windows\System\RtHqDRM.exe

C:\Windows\System\namBGys.exe

C:\Windows\System\namBGys.exe

C:\Windows\System\RNkVPxu.exe

C:\Windows\System\RNkVPxu.exe

C:\Windows\System\dKcdNlZ.exe

C:\Windows\System\dKcdNlZ.exe

C:\Windows\System\udtaBWu.exe

C:\Windows\System\udtaBWu.exe

C:\Windows\System\nbeCNzl.exe

C:\Windows\System\nbeCNzl.exe

C:\Windows\System\cqnPkWi.exe

C:\Windows\System\cqnPkWi.exe

C:\Windows\System\ktnluqB.exe

C:\Windows\System\ktnluqB.exe

C:\Windows\System\mQOUkVF.exe

C:\Windows\System\mQOUkVF.exe

C:\Windows\System\fGtornN.exe

C:\Windows\System\fGtornN.exe

C:\Windows\System\PzneVRg.exe

C:\Windows\System\PzneVRg.exe

C:\Windows\System\DJrQSPM.exe

C:\Windows\System\DJrQSPM.exe

C:\Windows\System\BgShqCR.exe

C:\Windows\System\BgShqCR.exe

C:\Windows\System\PVwDWSA.exe

C:\Windows\System\PVwDWSA.exe

C:\Windows\System\UoAbijW.exe

C:\Windows\System\UoAbijW.exe

C:\Windows\System\nNQZONg.exe

C:\Windows\System\nNQZONg.exe

C:\Windows\System\IXVcGBJ.exe

C:\Windows\System\IXVcGBJ.exe

C:\Windows\System\jChWjpz.exe

C:\Windows\System\jChWjpz.exe

C:\Windows\System\SAQtlhi.exe

C:\Windows\System\SAQtlhi.exe

C:\Windows\System\YdivTwH.exe

C:\Windows\System\YdivTwH.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 52.111.227.13:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/624-0-0x00007FF762660000-0x00007FF7629B1000-memory.dmp

memory/624-1-0x000002384A530000-0x000002384A540000-memory.dmp

C:\Windows\System\ZKGeOQg.exe

MD5 51b8d0280e5eb5c39e9aab10d816fbaa
SHA1 4f9396d46af50af38604ac8e5c1dae1eee1be93e
SHA256 8f76943905cb719785f27d5edbc7842d262a29bf6e078e31fd0ec6c260b50aa9
SHA512 0e9108d98680625f1c7e8b75a6abd8a8bece464a7ee011930e3f83ac4bd8729bf903986dcab50acd0e3dd97b9a79d1f4d194ef705657f5dd94811ae84320dd72

C:\Windows\System\namBGys.exe

MD5 1b50b8c13907faed6975f358c711d024
SHA1 a35726f77674ae7a7a0c98dae4927ed5034dc03c
SHA256 0a98678653b7d9cd523786f843502808cf45fb1f574bc5fc2ce41fb08fa604ea
SHA512 007ea99b10c524cc7758a159b3ab29a96eeaa564a59c3c7617b18c2274d18fe49ec33c123614b58c7f03903321ef98b9573a7388ee17b95b3f85b4fc065e373c

C:\Windows\System\RtHqDRM.exe

MD5 ba4a7263f90eddad57bfc6f7d0d15583
SHA1 9e7176f50e99eafbfd5a7189553bd911378441e5
SHA256 de96581d1e67df0e16dde35e44e3f1c21a082a7a908b83c8ef674862692455f7
SHA512 519b641a7c03adc27a01fbb2ff63374c34b75222d29907d303a1af820c3b0e8683d5511547305ba093c5f60f6d1913b8101c12810392cc3b25f94fc061070e84

C:\Windows\System\udtaBWu.exe

MD5 e846a9d8a2d5a62df51409090194d849
SHA1 7281e546e3df9f79c938cbaae6db9ade511c0c38
SHA256 1e15aea5d2c7bc9c5f421dd960cb3ed7baae192c2138fe4b3feb06441ab61efc
SHA512 797cd7f7740d7bf6c98cd07acce9157bcf914db21a7c249626c98fda621c864ba8836c4a6d5b82e868d0bed901d176c8e803703d9f6dc189dfde27ef2492a803

C:\Windows\System\nbeCNzl.exe

MD5 29093688848a38c82abbd979184fc772
SHA1 292948a9c94b97c41ad0866c9109b82230bab134
SHA256 f3b65cc26062e833d662d867d6f127302a52466e5b5a51fe50083ce2386ada8a
SHA512 a16b2b69b2a950c0c7295b36192381beb0432cf3ce7c4505c54a8e201ec1f2205522fab5001f6cb37a8ea47658c4435879d7449366bc27e980d72e89f403bf71

C:\Windows\System\ktnluqB.exe

MD5 767a92ae86db3ae1ba66059f6d53d588
SHA1 f5c6dcea2a53ffc1ffeab401606c87dffd896082
SHA256 d0ea9d76b53488673d0d8d50f211f616ab8dba64efb61a1214eff50cc79e3806
SHA512 ebc8ec587456655ed2a24de99723548007f5918c84b232dec6531eab8c5bfa77849c39852bd88c4208c0ba3a6b20734ae207457aba6dfa2affed895bc21ea8e4

memory/4500-58-0x00007FF7B2B10000-0x00007FF7B2E61000-memory.dmp

memory/860-62-0x00007FF6ACF20000-0x00007FF6AD271000-memory.dmp

C:\Windows\System\mQOUkVF.exe

MD5 aa704c7a648cd8bbbde216b6c64c1979
SHA1 105ec65bc60a564154913a820d351b4adb30d2c9
SHA256 95bcd2c7bedc6984dba7336ab2aeca15a76d777b013cb751468c1ad826afff0b
SHA512 4dfd9c52790ec40d98b187cbc808ded1da44a36d59db97ee5ea9b015bd8eaf18bf27dd3fa3345b2f2b0c3ac3596e1a3662f843e66b0f49ab7c0d334e069629aa

memory/4824-59-0x00007FF6FEA60000-0x00007FF6FEDB1000-memory.dmp

memory/4364-57-0x00007FF7682A0000-0x00007FF7685F1000-memory.dmp

memory/1376-52-0x00007FF7691D0000-0x00007FF769521000-memory.dmp

C:\Windows\System\cqnPkWi.exe

MD5 eac86ec934647ca014143a2b5e584680
SHA1 ea90a3e8bb4c486933e6c2d28be5861ff009e752
SHA256 4687302e096895afec443fa04f75e55390834aa8e1abf9f6fca71ea4fc8bc315
SHA512 32e6709bf505b3bbf2c65f6b8cc77988702f975b340147245a4b3c9a2d98dd4696aa719e386637570ea3cb78e65d00c667c8531d2e6d4fec2da0f19145b9cdec

C:\Windows\System\PzneVRg.exe

MD5 fcc7b2823b78b78f126115443aadaa56
SHA1 ed659ff918d3994184998298ae19ae7d5df79b14
SHA256 8501632fb9a063294b8d78572ca01b14642148be2affdfc9a25da2e4e73738cf
SHA512 08ae8e3dd52ff1d14ab6e53b6b2be4e572772bf747bf48ae3cf86962ea1488577a235ba8de287a1410628b8edc154ed584309c6d76a0c3ccf07c92830ba37f67

C:\Windows\System\BgShqCR.exe

MD5 9c10dc12add0f550281e1fcf8451ffcb
SHA1 d94ae0ce6f3a8854e66c4bddb172535bb70fde9b
SHA256 2b37d725c55c0c212232041a826b45bc2efbd7dcad370560e5fe394f58f6dff5
SHA512 f8b297046d0cef0f18c374dc23fd6d5a7103ec08116b76d43d76d3c563c322a16504b51af06a4e171ed40e9113d75d1734ea711648118d2eac89352f9c3751bb

memory/4180-80-0x00007FF77FAE0000-0x00007FF77FE31000-memory.dmp

memory/2392-86-0x00007FF63A120000-0x00007FF63A471000-memory.dmp

C:\Windows\System\PVwDWSA.exe

MD5 53b82a4a82439480ee4d4c07f4ee3058
SHA1 71a1ad2e34a4eabb39200b45d0b8b636a36dc41f
SHA256 6a561cd21864678189a52bc3a1bc5ea7c0140b3715a352e8367873ee31816fd8
SHA512 54572d0c3e012199d95143ad2c7d56bcf027e8a858f8c8f36e0ae25f2e36d34e7a98ec6f4825a5918d6332783b045a3474eff4cb853c384d5ab2919417eda7be

C:\Windows\System\DJrQSPM.exe

MD5 1aca05dbaf6aea076421c1f76c909ff8
SHA1 d6ce29dbefa037bfbccee97ac6b0d02b1382e369
SHA256 7f5f5b17dfa1e85c89dec837d61dc0d4205ca75f37264099b164810414eda8b8
SHA512 339e56ff1e244cd0f45a62014669a2dea1ddafb6d47cb45c353614e750738cd9a84e2709339e5ce0859f5ef5dda9aac1d2a40a3eed79f032a233ef962875b3e9

C:\Windows\System\nNQZONg.exe

MD5 3b481bca8014ac2702cb7024bc8bceb4
SHA1 af3506908d7f793c8b520118f1d4aadbe73df4c8
SHA256 88a6425c71364e2158058c08a5a0cb1d78869b40e8a1bca427c91e69e81f386a
SHA512 771ed1a1aa370ba977f64ce714223327be176db6a38a9bd1a5821df0095929c470fa08ae8d80b7df38acb617d832436113ee0eeeac45d23456ed0edb58a67e74

C:\Windows\System\SAQtlhi.exe

MD5 66881e2a311468eb9e1e8e17c79fde26
SHA1 c34dcee3c45c7ce4997b3c05c45a451c371be9d3
SHA256 d04e4ceaa3a636937c53f802a8ba0a5093c1915c026d152d85b7b10badd22a82
SHA512 080e5ebd9e9eaccf6b81408ac5dcae857419d7746e80cfe02d81c3b9582cfc31acdfe658b07dbc7e93a7bbd04c36f98924442db3b8e0590d1669b8c982858d2e

C:\Windows\System\YdivTwH.exe

MD5 8ead08fab85158b13004aba9c18edc8d
SHA1 ef7ed95ad13a57810fae0506d59b04e0e3a78c17
SHA256 a030edc4e399d5a972894f0995baf86e66f6e645a7b5c807f2cdc3472b96b43a
SHA512 854a1b30960362275854e9d9ccc0581db43cbbf823bb0c08b351cbc5ceedd92923ed5b0e85cf647efc5a0aeae23aa70c0f70310631f695a52558e6b40e97c62a

C:\Windows\System\jChWjpz.exe

MD5 1bf3ac02be31d53cf84ac37f14f6bced
SHA1 dd652954f1a348eafb9e2389164aaf6477840d0b
SHA256 12a26088a69a585a03e5e6e47b93d3ae4a82c343190dee88e8bb5b9956d78990
SHA512 447d578e91d5d133538a2b27d71d9401a8e46298568c019b05e498996f661fa69e63d3a10e8ebd8fdf230d0707d72d34177dfd6beb998ec402fa24b289793f97

C:\Windows\System\IXVcGBJ.exe

MD5 26f78a6e357504d86f23211c1537c3bd
SHA1 38fee7b7114c172cf691031143417e84d074fd50
SHA256 0e2dd6cc54dbca71d75cb9d1dc8beddc37652f8b9b271a69fd91a40360b41de5
SHA512 3bccc6c57358f29426d3745d7015da9527aa8da4f9ca03807f7667a36f24a95ca35760cedb192ba3e7a86195b9a8bc231fcd325d5036c3d45c6fd3fb805b746f

C:\Windows\System\UoAbijW.exe

MD5 c8a783e6bc98c640bb339b0f95f4fcd3
SHA1 7011d271e3a1d24c32cd7a3f5b2151b0a777771d
SHA256 ad6639c2ddbb1b411630002e0831d41e1647e5508d2013d1dd4bca5ef0f85e92
SHA512 bbc6ca911bfbb1a744b7d7be3b8dc592c3bffcafc8683805615229497cd64cf2aa02eeb78beee7f6ff2c5e9ab31fd0cf2675aecd6ba99c442e685c93805f2f56

memory/3112-88-0x00007FF77CAB0000-0x00007FF77CE01000-memory.dmp

memory/4472-87-0x00007FF731F10000-0x00007FF732261000-memory.dmp

memory/316-85-0x00007FF79C0E0000-0x00007FF79C431000-memory.dmp

C:\Windows\System\fGtornN.exe

MD5 86b2e1f51b696eae04334a80e4520acd
SHA1 28b7146ab436cd519135fef9beab969ecd299c14
SHA256 46f8d9f5be865cf39a63143913720f7a4a6c1dc2d821400899d592dbfcef6070
SHA512 7c537947ecdb20a85b5d37efa5f2a9aa7b834580b2832308cf2acfec8fc5492a39f19025f17949520c640ed373d5db658f81888defba24d45cb68b9d25421124

memory/956-42-0x00007FF618F80000-0x00007FF6192D1000-memory.dmp

C:\Windows\System\dKcdNlZ.exe

MD5 0c0d58f95cf6bbe8f6059c4112f91072
SHA1 0e3068700b377c33d83d6af14b3b77888cc03fbc
SHA256 65f156dbc5a0ae022edf5ca55bcc8d1e4b641750527a337a5528a19c62a6452a
SHA512 91982643d6712a2daacbcd32ba1c4f311cfc968691c36a751ec0610b3689c3b30a625cd9bcbc1318461cd58042231dca96970aaf812524b0065d5e9c6b3f061b

C:\Windows\System\RNkVPxu.exe

MD5 96b100bf256532b6bfcde939a389956f
SHA1 c56028b3668dd7ab54b5f138998170acd5aed388
SHA256 e1e7f8c58fb58d39794fac6f762473cb16703d0a7d757f64976a17870aba905d
SHA512 1bfad2b3c5202383c54a9f14aaa40f3c987035d9390f83f3bf1af0c9daacbb431527f52a6628affec1b44536cb60ab785ee087d180550dc2d3a39165d8a72269

memory/220-30-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp

memory/908-33-0x00007FF68C970000-0x00007FF68CCC1000-memory.dmp

memory/4440-18-0x00007FF616EA0000-0x00007FF6171F1000-memory.dmp

memory/2224-7-0x00007FF6ED490000-0x00007FF6ED7E1000-memory.dmp

memory/624-122-0x00007FF762660000-0x00007FF7629B1000-memory.dmp

memory/956-128-0x00007FF618F80000-0x00007FF6192D1000-memory.dmp

memory/860-132-0x00007FF6ACF20000-0x00007FF6AD271000-memory.dmp

memory/1376-130-0x00007FF7691D0000-0x00007FF769521000-memory.dmp

memory/4988-136-0x00007FF6D4B00000-0x00007FF6D4E51000-memory.dmp

memory/5104-137-0x00007FF67D4A0000-0x00007FF67D7F1000-memory.dmp

memory/5112-138-0x00007FF624BC0000-0x00007FF624F11000-memory.dmp

memory/2824-135-0x00007FF7E8AC0000-0x00007FF7E8E11000-memory.dmp

memory/960-134-0x00007FF79C840000-0x00007FF79CB91000-memory.dmp

memory/3236-139-0x00007FF645E30000-0x00007FF646181000-memory.dmp

memory/908-127-0x00007FF68C970000-0x00007FF68CCC1000-memory.dmp

memory/220-125-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp

memory/4440-124-0x00007FF616EA0000-0x00007FF6171F1000-memory.dmp

memory/2224-123-0x00007FF6ED490000-0x00007FF6ED7E1000-memory.dmp

memory/2392-141-0x00007FF63A120000-0x00007FF63A471000-memory.dmp

memory/3112-143-0x00007FF77CAB0000-0x00007FF77CE01000-memory.dmp

memory/624-150-0x00007FF762660000-0x00007FF7629B1000-memory.dmp

memory/624-151-0x00007FF762660000-0x00007FF7629B1000-memory.dmp

memory/2224-197-0x00007FF6ED490000-0x00007FF6ED7E1000-memory.dmp

memory/220-199-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp

memory/4440-201-0x00007FF616EA0000-0x00007FF6171F1000-memory.dmp

memory/1376-204-0x00007FF7691D0000-0x00007FF769521000-memory.dmp

memory/4364-207-0x00007FF7682A0000-0x00007FF7685F1000-memory.dmp

memory/956-209-0x00007FF618F80000-0x00007FF6192D1000-memory.dmp

memory/908-205-0x00007FF68C970000-0x00007FF68CCC1000-memory.dmp

memory/4500-213-0x00007FF7B2B10000-0x00007FF7B2E61000-memory.dmp

memory/4824-212-0x00007FF6FEA60000-0x00007FF6FEDB1000-memory.dmp

memory/860-215-0x00007FF6ACF20000-0x00007FF6AD271000-memory.dmp

memory/4180-222-0x00007FF77FAE0000-0x00007FF77FE31000-memory.dmp

memory/316-224-0x00007FF79C0E0000-0x00007FF79C431000-memory.dmp

memory/4472-226-0x00007FF731F10000-0x00007FF732261000-memory.dmp

memory/2392-228-0x00007FF63A120000-0x00007FF63A471000-memory.dmp

memory/3112-230-0x00007FF77CAB0000-0x00007FF77CE01000-memory.dmp

memory/960-232-0x00007FF79C840000-0x00007FF79CB91000-memory.dmp

memory/2824-234-0x00007FF7E8AC0000-0x00007FF7E8E11000-memory.dmp

memory/4988-236-0x00007FF6D4B00000-0x00007FF6D4E51000-memory.dmp

memory/5104-238-0x00007FF67D4A0000-0x00007FF67D7F1000-memory.dmp

memory/5112-240-0x00007FF624BC0000-0x00007FF624F11000-memory.dmp

memory/3236-242-0x00007FF645E30000-0x00007FF646181000-memory.dmp