Malware Analysis Report

2025-03-15 08:03

Sample ID: 240813-n5gvhaxajp
Target: 2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat
SHA256: 49307a5fec33154e269e337a739fa3412b7a4086d58ea53b0f942b86b88627d3
Tags: upx 0 miner cobaltstrike xmrig backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 49307a5fec33154e269e337a739fa3412b7a4086d58ea53b0f942b86b88627d3

Threat Level: Known bad

The file 2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

Cobaltstrike family

Xmrig family

Cobalt Strike reflective loader

XMRig Miner payload

xmrig

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-08-13 11:58

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-13 11:58

Reported: 2024-08-13 12:01

Platform: win7-20240704-en

Max time kernel: 143s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\rCuIulK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wxtYblt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qqvkfLE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DbrFeIl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cUbMJxQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OeBHpna.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bmeHQNh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lmXFcFG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pUMsvay.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\odbmNYS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lnNCnST.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IyngoOA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FtrOxLe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oWzbYVx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mFAViNp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oMpWhAX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CkVIbUB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KZgTPkD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kgefsDQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nXINvRj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZcExsAV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2564 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lmXFcFG.exe
PID 2564 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZcExsAV.exe
PID 2564 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FtrOxLe.exe
PID 2564 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DbrFeIl.exe
PID 2564 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pUMsvay.exe
PID 2564 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oWzbYVx.exe
PID 2564 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mFAViNp.exe
PID 2564 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cUbMJxQ.exe
PID 2564 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rCuIulK.exe
PID 2564 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wxtYblt.exe
PID 2564 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\odbmNYS.exe
PID 2564 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OeBHpna.exe
PID 2564 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oMpWhAX.exe
PID 2564 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bmeHQNh.exe
PID 2564 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qqvkfLE.exe
PID 2564 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lnNCnST.exe
PID 2564 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IyngoOA.exe
PID 2564 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CkVIbUB.exe
PID 2564 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KZgTPkD.exe
PID 2564 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kgefsDQ.exe
PID 2564 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nXINvRj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\lmXFcFG.exe

C:\Windows\System\lmXFcFG.exe

C:\Windows\System\ZcExsAV.exe

C:\Windows\System\ZcExsAV.exe

C:\Windows\System\FtrOxLe.exe

C:\Windows\System\FtrOxLe.exe

C:\Windows\System\DbrFeIl.exe

C:\Windows\System\DbrFeIl.exe

C:\Windows\System\pUMsvay.exe

C:\Windows\System\pUMsvay.exe

C:\Windows\System\oWzbYVx.exe

C:\Windows\System\oWzbYVx.exe

C:\Windows\System\mFAViNp.exe

C:\Windows\System\mFAViNp.exe

C:\Windows\System\cUbMJxQ.exe

C:\Windows\System\cUbMJxQ.exe

C:\Windows\System\rCuIulK.exe

C:\Windows\System\rCuIulK.exe

C:\Windows\System\wxtYblt.exe

C:\Windows\System\wxtYblt.exe

C:\Windows\System\odbmNYS.exe

C:\Windows\System\odbmNYS.exe

C:\Windows\System\OeBHpna.exe

C:\Windows\System\OeBHpna.exe

C:\Windows\System\oMpWhAX.exe

C:\Windows\System\oMpWhAX.exe

C:\Windows\System\bmeHQNh.exe

C:\Windows\System\bmeHQNh.exe

C:\Windows\System\qqvkfLE.exe

C:\Windows\System\qqvkfLE.exe

C:\Windows\System\lnNCnST.exe

C:\Windows\System\lnNCnST.exe

C:\Windows\System\IyngoOA.exe

C:\Windows\System\IyngoOA.exe

C:\Windows\System\CkVIbUB.exe

C:\Windows\System\CkVIbUB.exe

C:\Windows\System\KZgTPkD.exe

C:\Windows\System\KZgTPkD.exe

C:\Windows\System\kgefsDQ.exe

C:\Windows\System\kgefsDQ.exe

C:\Windows\System\nXINvRj.exe

C:\Windows\System\nXINvRj.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/1816-234-0x000000013F4E0000-0x000000013F831000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 11:58

Reported

2024-08-13 12:01

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\OJtnlwa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PcBXXgk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AwICIcd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FTvhLsA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hJncnGI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gFpRkXS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cGcpltz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GWtgJvr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BddBVLD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qzGGfFL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Veyiehn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wPdmOdF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EdeQAKU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oggswVt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JKYzCfZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DrqLJdQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\szTQNHr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GCsxwSz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MjziUMI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NjxDDJH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gvIfdpQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1960 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\szTQNHr.exe
PID 1960 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\szTQNHr.exe
PID 1960 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GCsxwSz.exe
PID 1960 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GCsxwSz.exe
PID 1960 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PcBXXgk.exe
PID 1960 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PcBXXgk.exe
PID 1960 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MjziUMI.exe
PID 1960 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MjziUMI.exe
PID 1960 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Veyiehn.exe
PID 1960 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Veyiehn.exe
PID 1960 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AwICIcd.exe
PID 1960 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AwICIcd.exe
PID 1960 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FTvhLsA.exe
PID 1960 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FTvhLsA.exe
PID 1960 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NjxDDJH.exe
PID 1960 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NjxDDJH.exe
PID 1960 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wPdmOdF.exe
PID 1960 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wPdmOdF.exe
PID 1960 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cGcpltz.exe
PID 1960 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cGcpltz.exe
PID 1960 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hJncnGI.exe
PID 1960 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hJncnGI.exe
PID 1960 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GWtgJvr.exe
PID 1960 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GWtgJvr.exe
PID 1960 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BddBVLD.exe
PID 1960 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BddBVLD.exe
PID 1960 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gFpRkXS.exe
PID 1960 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gFpRkXS.exe
PID 1960 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gvIfdpQ.exe
PID 1960 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gvIfdpQ.exe
PID 1960 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DrqLJdQ.exe
PID 1960 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DrqLJdQ.exe
PID 1960 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qzGGfFL.exe
PID 1960 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qzGGfFL.exe
PID 1960 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EdeQAKU.exe
PID 1960 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EdeQAKU.exe
PID 1960 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oggswVt.exe
PID 1960 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oggswVt.exe
PID 1960 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OJtnlwa.exe
PID 1960 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OJtnlwa.exe
PID 1960 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JKYzCfZ.exe
PID 1960 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JKYzCfZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\szTQNHr.exe

C:\Windows\System\szTQNHr.exe

C:\Windows\System\GCsxwSz.exe

C:\Windows\System\GCsxwSz.exe

C:\Windows\System\PcBXXgk.exe

C:\Windows\System\PcBXXgk.exe

C:\Windows\System\MjziUMI.exe

C:\Windows\System\MjziUMI.exe

C:\Windows\System\Veyiehn.exe

C:\Windows\System\Veyiehn.exe

C:\Windows\System\AwICIcd.exe

C:\Windows\System\AwICIcd.exe

C:\Windows\System\FTvhLsA.exe

C:\Windows\System\FTvhLsA.exe

C:\Windows\System\NjxDDJH.exe

C:\Windows\System\NjxDDJH.exe

C:\Windows\System\wPdmOdF.exe

C:\Windows\System\wPdmOdF.exe

C:\Windows\System\cGcpltz.exe

C:\Windows\System\cGcpltz.exe

C:\Windows\System\hJncnGI.exe

C:\Windows\System\hJncnGI.exe

C:\Windows\System\GWtgJvr.exe

C:\Windows\System\GWtgJvr.exe

C:\Windows\System\BddBVLD.exe

C:\Windows\System\BddBVLD.exe

C:\Windows\System\gFpRkXS.exe

C:\Windows\System\gFpRkXS.exe

C:\Windows\System\gvIfdpQ.exe

C:\Windows\System\gvIfdpQ.exe

C:\Windows\System\DrqLJdQ.exe

C:\Windows\System\DrqLJdQ.exe

C:\Windows\System\qzGGfFL.exe

C:\Windows\System\qzGGfFL.exe

C:\Windows\System\EdeQAKU.exe

C:\Windows\System\EdeQAKU.exe

C:\Windows\System\oggswVt.exe

C:\Windows\System\oggswVt.exe

C:\Windows\System\OJtnlwa.exe

C:\Windows\System\OJtnlwa.exe

C:\Windows\System\JKYzCfZ.exe

C:\Windows\System\JKYzCfZ.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 52.111.227.13:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1960-0-0x00007FF7A74C0000-0x00007FF7A7811000-memory.dmp

memory/1960-1-0x0000016308100000-0x0000016308110000-memory.dmp

C:\Windows\System\szTQNHr.exe

MD5 114ea54f2068b86e0b358086121a1e1e
SHA1 9af64512681e2aee0961610621cf82b0b028469a
SHA256 8d3877ac363daf90da673de368b2a7f67ddeda3f9a20ef3715bbae36fad2d492
SHA512 9a8f78c337a5f1d9d68d8c874c72b59c58ef7ffd0477442051a954bd4a981775e71950db63e708232d661717006fff44848b9177468006a2aa49161ec43f494b

C:\Windows\System\GCsxwSz.exe

MD5 66e80c7e5fd2a536852c5f0208fd2476
SHA1 6b865c959c2afc37f5414a7cb57f5d7510560987
SHA256 68a22b38272e3cb1b3e67077ed22a0fe9e37843b06597eb0442a836a8e078466
SHA512 d80125e129af828a00420519a442fdd75da6a4d89b719382681f66c377c3d812c1150031aacb02e3f97d26ec227a9ba4114d148fa32b19e6a292543b592c2501

memory/2964-13-0x00007FF6D57C0000-0x00007FF6D5B11000-memory.dmp

memory/2492-22-0x00007FF673C80000-0x00007FF673FD1000-memory.dmp

C:\Windows\System\PcBXXgk.exe

MD5 31fb2b969cb0850fdbec04f3a43c5a44
SHA1 cac2437af2df6fcca0745bdc9807ba8b833aea15
SHA256 aaea38740c88624812eed119b7fb8a60823315c33e5f30b2b584d6e74dbada10
SHA512 37f813ac6a4e021ccc5ce8585705dee2e32a37115481a2e6a9360d1a3a665c9e9ba4e31c1b1914cedecaa7821d3f311459efbdb585e66ca47e8b2c6340c25e30

C:\Windows\System\Veyiehn.exe

MD5 3fc998e27e3ce1fe3333d3ba1151015b
SHA1 7f9166cd838cf8735fee91044a1fc999a2fdffa9
SHA256 dd6ed7f08ef237a784dc406f0c086e20299a461b51f7599b1981476d812842eb
SHA512 4c4b3724541bb2d9c863f666bc9b34a58dc49e010897a041b1ed488db996c40d7e7662ced6a36dcf45fc39b9ac6171d6e6b4fe96962a94012384827bbefe8be2

C:\Windows\System\AwICIcd.exe

MD5 c6b728f239b3d703960538a3fa2a5e8f
SHA1 7d5a10fc8f398f841e68f6ff1d82bd0d2ff520b0
SHA256 5cc961dde7767368857c440a928a665607494617d92fdb9aa55af4abe96b9eea
SHA512 a2445ea38c2e8eabd0d3e2f18bb2d6c04d6879912b34b3f115cb6d89c21aba203156024cc959cd1add0e482788f74a1d14bd59c08399c7c1015b9df1e2ab92b5

memory/696-50-0x00007FF732400000-0x00007FF732751000-memory.dmp

C:\Windows\System\cGcpltz.exe

MD5 7d22153edd154824397d2c3b20aae57e
SHA1 fa1fbdff7478f9db955bae12a1c56643f014f58a
SHA256 d1686d03c61b3f8b9f1124bbcdd7f60914d83231001ff0d2664c8a0fcbdcaa58
SHA512 e843bfa477d4c766b138366b748bca7032f34304fddebd6643820581584b333b28ab585be427cba84884588e8b187dab7ea8a8e01b2f16df057697daace13920

C:\Windows\System\gFpRkXS.exe

MD5 17b9f882a2533e8efa55f81d6bd5243e
SHA1 41a33e89afd2d233c007098da7c0a1bd0b7b25eb
SHA256 e5b8512601a1e704b733d0aebdd19ab9b676d9d030d872d479cdbea6667d35cb
SHA512 d01a52ebe247a3e9a7b8bfea05d8c5aa19e47503979076a1d6ebc3d67b0158d210873237df00a80cc171ef6de4060cd1c2a417757087fcf521fa884fef4eee53

memory/3296-93-0x00007FF6354C0000-0x00007FF635811000-memory.dmp

memory/4708-97-0x00007FF682B20000-0x00007FF682E71000-memory.dmp

C:\Windows\System\qzGGfFL.exe

MD5 11c703f6d944597be377fcb255fcae1f
SHA1 673dc5b66a585d724fa2b17f649481f1b91030f2
SHA256 dc7cec926b88a8bdc6ea9d2f05f3e513e3931f05602b9692a8a890818662602d
SHA512 06b8f2e5498f0be06fb15bcf0f5c0c82aae8800a5f84e99c20bded10aa4550f02ba5fe6b9cc8d2629ca3afd790ca53ecb29f037bb2e3bf7a4d371c0640fecd41

C:\Windows\System\DrqLJdQ.exe

MD5 6c90de6c49e2388cfe8b747694829bcc
SHA1 104677e9ee78b4033187151cae8435d1f89f46c7
SHA256 db959280b582fcfbc4cd01d008413d4d6e3f1fe1791d2aaffb93b5e95e3614af
SHA512 a355882a34834b69c09827ef3093dcb9cfac28fb40fa6dfc2349ed2ea3dbec70772633c1d521bc642281dd6c86df3b08be79038eca024b22ef01c17c94310454

C:\Windows\System\gvIfdpQ.exe

MD5 343b08a5b17bdc521c9eb1956a1bf117
SHA1 74bf98149c5cda386e4830d433e42e2f3e71284d
SHA256 43c55dcb379991ba40e8a35771ec7807ddcddfbd5f8be9872eb1b9dad0dec95b
SHA512 fd70585dfcea0a5ee9bcc8f91c1e237f23529a269c9dad0d9445a73ddc52ec7dcc4d369c9cd566a811d1984dd972be6ed0dc8915860c8d0f7bc9d0e59cd5aafe

memory/3696-98-0x00007FF7C9D30000-0x00007FF7CA081000-memory.dmp

memory/3972-96-0x00007FF65BC40000-0x00007FF65BF91000-memory.dmp

memory/1600-95-0x00007FF6E7180000-0x00007FF6E74D1000-memory.dmp

memory/4052-92-0x00007FF660AA0000-0x00007FF660DF1000-memory.dmp

memory/1360-91-0x00007FF76C090000-0x00007FF76C3E1000-memory.dmp

C:\Windows\System\BddBVLD.exe

MD5 a16794f961c42d92dae17c36a97fbb2e
SHA1 d848fd2a105b427e9badf4878f0747c5f31cead7
SHA256 0e0bdab06100bebb2f283438150ad618cb2290cbfd618c8c5ef6dc82ed5ef529
SHA512 c8bb69f8d1b2daad25a62980ab0f8be076aa5e4a920e2932130b6c0e6d961d958653ac67e02f9fb639260b45e6d6182b42a705843135d01201f65f640f6a10f7

C:\Windows\System\hJncnGI.exe

MD5 f83e836165d0a5b6e13c751bb9ca6aec
SHA1 70e13087eb90ca898869a233f37ca550dfb99b75
SHA256 44131d47287fe87f804790a497b94f74a6aac42c3fa30c32aa452b0dae3b9bd6
SHA512 be390e8ea133afdc8201410486191c16912b269f930ff59d95497e3e921487e981bfbbe2f0b64229c1dd5bd1ece1bcab25a066604370e4e1a9a91e242958d474

memory/3512-82-0x00007FF655370000-0x00007FF6556C1000-memory.dmp

C:\Windows\System\GWtgJvr.exe

MD5 85399359b27ff463a474549870b56a56
SHA1 f9b32f36e98d7d4e3661b9d929b29f7b217ea643
SHA256 daf75de527ed20f6d5efdcc1de79c8f33094de93b11d360d52360cde12f8c5d6
SHA512 423617f22a783b353c254372b8a98a161e822923206a808a3d52c20cef139d36e0b3d07043f5131a35a8344064b6ae9fb98c80a8cf611bca9c39489ebc2f67b5

C:\Windows\System\NjxDDJH.exe

MD5 64e3cc63a16ee34619a2924db27d91a4
SHA1 8a00028701021dfe525e58ca782d4644d14f1b88
SHA256 211dceb8d519a5a342e350be53e25b6aeacefbe875418954e1d64da112cf3622
SHA512 b218225d059222e38a63ae45165f782493a3335131ef0589cafc75553fb06faafa9f78dbc104a135ff5c76f66d2a18a29728619cb8d8cb22e08669ed816bfa17

memory/2836-65-0x00007FF77C290000-0x00007FF77C5E1000-memory.dmp

memory/320-60-0x00007FF7EB970000-0x00007FF7EBCC1000-memory.dmp

C:\Windows\System\wPdmOdF.exe

MD5 33d04f94a639c26a4983e1f332754685
SHA1 11bd15d6f3124ef4b9cdd2799213b95098f6ef98
SHA256 3a98c8eca538abb204e7eb5ea0dc14f0e103dc1bedceb0497de5681ac3a3af2b
SHA512 98cb77e8271ed9234e34448be4aad6ddce3a4ea0c0ecd2783aff5c2906b1667792fac9af843a5c1fb1b13a7f890eb6be0d08878a7a8cf7f74834d50ba3835202

C:\Windows\System\FTvhLsA.exe

MD5 e1ac26671c813a02b90bff419a9da199
SHA1 9b11a1cbd3c3df9c70de66d19457952b1a75d36b
SHA256 5057ae8b9afc102d2f1d5d047dd7d629ed0695e2cb777773cabd41d68e3b3412
SHA512 91fee55be31bfc56c5c229ea0e3dd7708667c89581aeff40226312d4b431fc52e0da04a910e8a782d2d46553580993cd3cefc196ad989d19499bd4cbe6fbce37

memory/780-42-0x00007FF66E700000-0x00007FF66EA51000-memory.dmp

memory/996-37-0x00007FF6F0DC0000-0x00007FF6F1111000-memory.dmp

memory/2628-30-0x00007FF784270000-0x00007FF7845C1000-memory.dmp

C:\Windows\System\MjziUMI.exe

MD5 d49ae2a63908297b7ea9348d7ea6de84
SHA1 d9a94582e7bb1037280ce72941e61c443e73ce86
SHA256 776472582696656b10d36a5d27c8c51de277c3ec0f26748a859948dc5c509bfc
SHA512 d3ced1a772ed857aa65d11ca23f4a2744c381d984518bbaa08ed95689b4f893d7092aa248561ea450772385fe1c9c98fbeedacfa57a376900b639d2e7a48a0b7

memory/3480-19-0x00007FF6CBBD0000-0x00007FF6CBF21000-memory.dmp

C:\Windows\System\EdeQAKU.exe

MD5 37ecb16daf5eed5ff425b45d18c475f4
SHA1 abd7071a7ca17fb3cc01aae582401919ccbfaa01
SHA256 472bd4493ea9411e795f21c3d4f84e94dd56c19f9523d78bc03a24d82803ef92
SHA512 16655510a3f9b19cccc472319886e84feb48ae4bc08045bad06fd6ab6c6fe7295527bc1cc511149a76a1f7461ffe33b0412c823642ecda0321cbc1c4a7f5cea2

memory/2964-119-0x00007FF6D57C0000-0x00007FF6D5B11000-memory.dmp

memory/1944-122-0x00007FF7B7150000-0x00007FF7B74A1000-memory.dmp

C:\Windows\System\JKYzCfZ.exe

MD5 cc6f8e4dac721ca438ce1242b451e127
SHA1 d9dbc60e5aa94a118e71145cb26782c24e2bd087
SHA256 96b6e958911a1f878286d49adf743343edd49690a2aa40fd5d3e295710b522d9
SHA512 6f1836b26a7a689b9a3d16e69a2d95e2376e59e29216512e8d459634f7919deed3bcb5480ab6e31286e4349fe68aa632bcea817187afd6509a0040317293f080

memory/2628-131-0x00007FF784270000-0x00007FF7845C1000-memory.dmp

memory/2780-132-0x00007FF64DC00000-0x00007FF64DF51000-memory.dmp

memory/2492-128-0x00007FF673C80000-0x00007FF673FD1000-memory.dmp

memory/3480-127-0x00007FF6CBBD0000-0x00007FF6CBF21000-memory.dmp

memory/4100-126-0x00007FF698CF0000-0x00007FF699041000-memory.dmp

C:\Windows\System\OJtnlwa.exe

MD5 92aa135144e5abb37dfb700bec4d6345
SHA1 0213fadc7f166eed50f7351f2b079892ecd09efb
SHA256 df4da16991aa27460f583c13244b6115d218f81b17d9d7aae8df7f3a8b0da364
SHA512 8a16c518d6b3cb15a09c050aee78049cd63d729a1314a45fe8544862571ca73c0992a6f1380352564c694e456edcd5a3e0fc3acda0af1201206fbfd3107175c5

C:\Windows\System\oggswVt.exe

MD5 42cf9b3ac1d70829283295dbee6b2bc2
SHA1 58b7eb7c6cfbebac531d9c096c5cece6de2c575f
SHA256 87f69ac917f4bac82df8020c7040c6a670392fd5274d814954a357322bbeb8c0
SHA512 eb8a7c45938a205681706875f7bd8551e250dbc69fcb15055e1aec055361b9289c8223d35bd7a10a9687085a2215b6305576bd9f6d24f91707f63d3d26b9d082

memory/1960-114-0x00007FF7A74C0000-0x00007FF7A7811000-memory.dmp

memory/4936-111-0x00007FF7DD0C0000-0x00007FF7DD411000-memory.dmp

memory/1960-133-0x00007FF7A74C0000-0x00007FF7A7811000-memory.dmp

memory/3512-146-0x00007FF655370000-0x00007FF6556C1000-memory.dmp

memory/3296-144-0x00007FF6354C0000-0x00007FF635811000-memory.dmp

memory/4708-150-0x00007FF682B20000-0x00007FF682E71000-memory.dmp

memory/3972-149-0x00007FF65BC40000-0x00007FF65BF91000-memory.dmp

memory/3696-148-0x00007FF7C9D30000-0x00007FF7CA081000-memory.dmp

memory/2836-141-0x00007FF77C290000-0x00007FF77C5E1000-memory.dmp

memory/780-139-0x00007FF66E700000-0x00007FF66EA51000-memory.dmp

memory/696-142-0x00007FF732400000-0x00007FF732751000-memory.dmp

memory/320-140-0x00007FF7EB970000-0x00007FF7EBCC1000-memory.dmp

memory/996-138-0x00007FF6F0DC0000-0x00007FF6F1111000-memory.dmp

memory/4936-151-0x00007FF7DD0C0000-0x00007FF7DD411000-memory.dmp

memory/1960-152-0x00007FF7A74C0000-0x00007FF7A7811000-memory.dmp

memory/4100-158-0x00007FF698CF0000-0x00007FF699041000-memory.dmp

memory/1944-157-0x00007FF7B7150000-0x00007FF7B74A1000-memory.dmp

memory/1960-174-0x00007FF7A74C0000-0x00007FF7A7811000-memory.dmp

memory/2964-200-0x00007FF6D57C0000-0x00007FF6D5B11000-memory.dmp

memory/3480-202-0x00007FF6CBBD0000-0x00007FF6CBF21000-memory.dmp

memory/2492-204-0x00007FF673C80000-0x00007FF673FD1000-memory.dmp

memory/2628-206-0x00007FF784270000-0x00007FF7845C1000-memory.dmp

memory/996-208-0x00007FF6F0DC0000-0x00007FF6F1111000-memory.dmp

memory/780-210-0x00007FF66E700000-0x00007FF66EA51000-memory.dmp

memory/320-227-0x00007FF7EB970000-0x00007FF7EBCC1000-memory.dmp

memory/696-226-0x00007FF732400000-0x00007FF732751000-memory.dmp

memory/1360-229-0x00007FF76C090000-0x00007FF76C3E1000-memory.dmp

memory/2836-231-0x00007FF77C290000-0x00007FF77C5E1000-memory.dmp

memory/4052-233-0x00007FF660AA0000-0x00007FF660DF1000-memory.dmp

memory/1600-235-0x00007FF6E7180000-0x00007FF6E74D1000-memory.dmp

memory/3512-237-0x00007FF655370000-0x00007FF6556C1000-memory.dmp

memory/3296-239-0x00007FF6354C0000-0x00007FF635811000-memory.dmp

memory/3696-241-0x00007FF7C9D30000-0x00007FF7CA081000-memory.dmp

memory/3972-243-0x00007FF65BC40000-0x00007FF65BF91000-memory.dmp

memory/4708-245-0x00007FF682B20000-0x00007FF682E71000-memory.dmp

memory/4936-250-0x00007FF7DD0C0000-0x00007FF7DD411000-memory.dmp

memory/1944-253-0x00007FF7B7150000-0x00007FF7B74A1000-memory.dmp

memory/4100-254-0x00007FF698CF0000-0x00007FF699041000-memory.dmp

memory/2780-256-0x00007FF64DC00000-0x00007FF64DF51000-memory.dmp