Malware Analysis Report

2025-03-15 08:01

Sample ID 240813-nz5dls1grd
Target 2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat
SHA256 893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

893e03e3c0a1ab9c7d6824aa11929c6173ff3093168e9e95d4e537e77f2ea499

Threat Level: Known bad

The file 2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

xmrig

XMRig Miner payload

Cobaltstrike family

Cobalt Strike reflective loader

Xmrig family

Cobaltstrike

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 11:51

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 11:51

Reported

2024-08-13 11:53

Platform

win7-20240729-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VsDpJGR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GeCxbHQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bFprZtU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XfVgkHi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YBYbTXX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IyvHtzD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VmbEyEK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RcWPLHW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RNZevwi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DryfTpw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eAnisVm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\txpXKoj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tEqlZVH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xIocNHM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nbjPqqf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fTqLKdZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LPUBOOY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mZXUgln.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jonqWcK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zBXSEKx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AZCqnvK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xIocNHM.exe
PID 1760 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xIocNHM.exe
PID 1760 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xIocNHM.exe
PID 1760 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmbEyEK.exe
PID 1760 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmbEyEK.exe
PID 1760 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmbEyEK.exe
PID 1760 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mZXUgln.exe
PID 1760 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mZXUgln.exe
PID 1760 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mZXUgln.exe
PID 1760 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VsDpJGR.exe
PID 1760 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VsDpJGR.exe
PID 1760 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VsDpJGR.exe
PID 1760 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jonqWcK.exe
PID 1760 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jonqWcK.exe
PID 1760 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jonqWcK.exe
PID 1760 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbjPqqf.exe
PID 1760 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbjPqqf.exe
PID 1760 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbjPqqf.exe
PID 1760 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fTqLKdZ.exe
PID 1760 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fTqLKdZ.exe
PID 1760 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fTqLKdZ.exe
PID 1760 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RcWPLHW.exe
PID 1760 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RcWPLHW.exe
PID 1760 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RcWPLHW.exe
PID 1760 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RNZevwi.exe
PID 1760 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RNZevwi.exe
PID 1760 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RNZevwi.exe
PID 1760 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GeCxbHQ.exe
PID 1760 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GeCxbHQ.exe
PID 1760 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GeCxbHQ.exe
PID 1760 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bFprZtU.exe
PID 1760 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bFprZtU.exe
PID 1760 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bFprZtU.exe
PID 1760 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zBXSEKx.exe
PID 1760 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zBXSEKx.exe
PID 1760 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zBXSEKx.exe
PID 1760 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AZCqnvK.exe
PID 1760 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AZCqnvK.exe
PID 1760 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AZCqnvK.exe
PID 1760 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DryfTpw.exe
PID 1760 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DryfTpw.exe
PID 1760 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DryfTpw.exe
PID 1760 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LPUBOOY.exe
PID 1760 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LPUBOOY.exe
PID 1760 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LPUBOOY.exe
PID 1760 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eAnisVm.exe
PID 1760 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eAnisVm.exe
PID 1760 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eAnisVm.exe
PID 1760 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YBYbTXX.exe
PID 1760 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YBYbTXX.exe
PID 1760 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YBYbTXX.exe
PID 1760 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\txpXKoj.exe
PID 1760 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\txpXKoj.exe
PID 1760 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\txpXKoj.exe
PID 1760 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tEqlZVH.exe
PID 1760 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tEqlZVH.exe
PID 1760 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tEqlZVH.exe
PID 1760 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IyvHtzD.exe
PID 1760 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IyvHtzD.exe
PID 1760 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IyvHtzD.exe
PID 1760 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XfVgkHi.exe
PID 1760 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XfVgkHi.exe
PID 1760 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XfVgkHi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\xIocNHM.exe

C:\Windows\System\xIocNHM.exe

C:\Windows\System\VmbEyEK.exe

C:\Windows\System\VmbEyEK.exe

C:\Windows\System\mZXUgln.exe

C:\Windows\System\mZXUgln.exe

C:\Windows\System\VsDpJGR.exe

C:\Windows\System\VsDpJGR.exe

C:\Windows\System\jonqWcK.exe

C:\Windows\System\jonqWcK.exe

C:\Windows\System\nbjPqqf.exe

C:\Windows\System\nbjPqqf.exe

C:\Windows\System\fTqLKdZ.exe

C:\Windows\System\fTqLKdZ.exe

C:\Windows\System\RcWPLHW.exe

C:\Windows\System\RcWPLHW.exe

C:\Windows\System\RNZevwi.exe

C:\Windows\System\RNZevwi.exe

C:\Windows\System\GeCxbHQ.exe

C:\Windows\System\GeCxbHQ.exe

C:\Windows\System\bFprZtU.exe

C:\Windows\System\bFprZtU.exe

C:\Windows\System\zBXSEKx.exe

C:\Windows\System\zBXSEKx.exe

C:\Windows\System\AZCqnvK.exe

C:\Windows\System\AZCqnvK.exe

C:\Windows\System\DryfTpw.exe

C:\Windows\System\DryfTpw.exe

C:\Windows\System\LPUBOOY.exe

C:\Windows\System\LPUBOOY.exe

C:\Windows\System\eAnisVm.exe

C:\Windows\System\eAnisVm.exe

C:\Windows\System\YBYbTXX.exe

C:\Windows\System\YBYbTXX.exe

C:\Windows\System\txpXKoj.exe

C:\Windows\System\txpXKoj.exe

C:\Windows\System\tEqlZVH.exe

C:\Windows\System\tEqlZVH.exe

C:\Windows\System\IyvHtzD.exe

C:\Windows\System\IyvHtzD.exe

C:\Windows\System\XfVgkHi.exe

C:\Windows\System\XfVgkHi.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1760-0-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/1760-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\xIocNHM.exe

MD5 328df059ebc9cb583ec9a07442e4b2fb
SHA1 4d1b2f9a2f6c3f0dadde0ceba1e1797ed821adcd
SHA256 e765abe04332882fda0d3ca79522a719a38b5f2a01274e3f41715524df438793
SHA512 f4a062bffa5fbb52d54899a359c1f10192f57565b8733ff54219fcc24ac473c8e87ee7f73a2764989c030a6b2c01c3f3ce80cb6e8d4487b2de9517233a09cc40

\Windows\system\VmbEyEK.exe

MD5 da79951f3cce18f286bb48391e5be54a
SHA1 f8aecfecb05d444f5170e8fae38aaa50ba1672fe
SHA256 ff4fc7187db99a0e07e1e19aa1b4e0e56f889aa6c5bb1e68ab26c76784ac1cc8
SHA512 34bafd59e48b7b9bd483c835823200be8ed27e503f6106ad447be206ca40ee5a253df23e6d4ca6c3ff96259510767ef603a7b4bf7792c05f9c6cd5f269d5ad8c

memory/1760-12-0x000000013F030000-0x000000013F381000-memory.dmp

C:\Windows\system\mZXUgln.exe

MD5 8ffae5ee9b31b084cc6ed496e8f51443
SHA1 8fe5cf38dc5e6068d42722ca752686d3d5b017e0
SHA256 eeab0d1a12187675b02a070ba37d3ebd7a7a504455a66f94245f8c8f06142bd3
SHA512 490d011e78835d38e67b07aa45bc469535ae3f263fcdda0355f2a712a9a665fa9d1e1a93aa9fc4c1ed978cdc49c98506620c36e5449d9eaf3e332edaa7c8f798

memory/1964-18-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/2936-23-0x000000013F980000-0x000000013FCD1000-memory.dmp

memory/1760-22-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/1760-20-0x000000013F980000-0x000000013FCD1000-memory.dmp

C:\Windows\system\VsDpJGR.exe

MD5 afe9996ed1e3138af776a04a648e48b2
SHA1 f81f686b35d09cb4d1271b07a4a2278898dfe6c5
SHA256 e6b4947ec77426114384dae8ac82f4faf3f282d71e92342c266c23ab8d4e75cf
SHA512 cbd2e191b81f468fbd3eb0ac83765ecf68ca8c79a0abcc800fbb8d1037d5c33e02b39bb39e523f2658167dda04ddfd0edc93870fc43e30ade40ae962f874889e

\Windows\system\jonqWcK.exe

MD5 8610d4c208abf16182b93053e81f7402
SHA1 5121c83df1da9f4fa52b0a8cac7698132f4fe352
SHA256 da8a31ede1b2347a5815e03471c6b4b0967137435c38cd6931c0618af2a20aad
SHA512 e2c9b234dac6355f3be33664c8cc65fafef0f16a5d4dc0717cdc2be669b02b3bbb893e8f5106868f5067d9611d933a12ee117dbfbb58aa799c6232284993bf96

memory/2272-16-0x000000013F030000-0x000000013F381000-memory.dmp

memory/2960-36-0x000000013F380000-0x000000013F6D1000-memory.dmp

C:\Windows\system\nbjPqqf.exe

MD5 271fda6b6e9052891a7a350047d01b1d
SHA1 ee7b40e550b212bc128c673de763ceddefa0b329
SHA256 fcae241737ffec31121f909f3f2246699191a0a5b8cbe0ce653d738f01991f40
SHA512 af094ca0c3f21ca0ce5da6a6ded36ea361303bc323541b84456afa7fa550ea056623f0853d140974c4b60a85d5aa5f8c527fad243ac7d6b76691d0a7ed679867

C:\Windows\system\RcWPLHW.exe

MD5 2675df7cd7ce0e5a8e03c7ae27a74451
SHA1 bb6758eb2c73581b9359cd11893c77be179d20c2
SHA256 0cbf9f72a419427997741c2e1b65e33f7437156c2af38847adba53d1be66b285
SHA512 0c0227618a76b755cbc170f088fd718cd8faea2ac408a37bc4c87e4cb3308f9eef0634a35197a55dd7b4dd45117cec66e2ac2946e6c87d181743bb8c1c622be4

C:\Windows\system\AZCqnvK.exe

MD5 033e45354e338a4bc28f31dfcddc49c7
SHA1 a4f9532274fd054aeb00d38cf349bff34f6fa840
SHA256 6ba580ee97306ea6c5c42461c1ade79d8b6de1e5f7e36ce5d6bd846ec16f656f
SHA512 205610c97b83595a4e1b9574dc3fbd4484369185c3f25578fdd48fec67a7651b7dcd86654d349272f746ee6b051100ca73d494c6269b1eff26a3a09b6a34f55c

C:\Windows\system\eAnisVm.exe

MD5 cf1dcca23926a063c3119b29ec2b328b
SHA1 dc1481d18cbb853f9e32967430eb4edb3d50b151
SHA256 e4b2d779b05d21214cc2fb964eeef0d92a6d287ac9ee924cfdbebba2603b1d8d
SHA512 b5eadd179d31fdc79d7c05a8df3ef1e9417098020f52b09267765b027c13c841f6803c212131ce337dea0587cfcb606ba66cb58797af3619ed4065de01df0ddd

C:\Windows\system\YBYbTXX.exe

MD5 1e198837fcf5481b24d9e6939e1ea272
SHA1 45694aae7b7460a284bfbd0b1520b435479f9716
SHA256 d09f7bd288a1b574057949cbce1936d548f1b1eac71bdd93babd3eac2593fe1a
SHA512 0b958736d1443ea2125bfa990b2d0479cb1449daa6833d59b09f1ef14a08464a9f74bfbd933786f10ff559d3a0c3a479c99400b7ee1fc66f6b1265d5d02b3f81

C:\Windows\system\txpXKoj.exe

MD5 ebb3649589fafc4219d51dc03230d2af
SHA1 f88bcd7cb59599968da94da6426c7d538430ca4b
SHA256 ca19e895fcaab75ccef206b437707d3a202b1c380390784dd854ab7d2916575c
SHA512 2b6d7daf472717fdbb158b0d4df3a3a62ce24b5a3b043ea679b77dd750071d14997a47e54e3f4f1748e4d54f4ed788cac4ce577d8ac1f7d3d651ee64cf7ee062

C:\Windows\system\tEqlZVH.exe

MD5 3d1675668f0379b7d42c6a19f3729dd2
SHA1 af51c1ce2ba5fc176ba91b8473b18dc3faee247f
SHA256 6b3779adba621da1e9e449dae1b1800908aa08232e829aa346aeee602b45dabf
SHA512 0349a6f0fe35ae43ec867836c1d31458ff0868f62da279847604173d0c538a83d3d0867fd8736f8bfe1a0c7054558973bc081a090fc80feadd1ef7873ba680cb

C:\Windows\system\XfVgkHi.exe

MD5 85f73d6530151719e9d8bacd43e38241
SHA1 66a50a26652febc3dbe3125403be406d56f5056e
SHA256 122de572eb3023ecd711544f817c7e8393e3cf66b7bbf2193310c4898c94b066
SHA512 df2d6f6963e9dee0952a1acde7becd73e0f618571b187481841471a36167d4901c9cbceb6756f8b3301ced883c6b80f1f1d1d37b8f4875e62bbdf0ec120db5c8

C:\Windows\system\IyvHtzD.exe

MD5 a1f5c6f06eb6defbdd5c55a5e35343b1
SHA1 ff2435645d9dd82d2c96a3acbe87e8dd5ff20aba
SHA256 01766f0f1194d9962a1bcb711778ff963fcba231131aeb82844925e8e512822e
SHA512 d18433b34ef4641e99b5775809b2ebd1ea408fdfb99a0dc2f38f6d03484447614307d1524fb38b74b7560fa03fd64d03533c0bda96cd32522e0f60b4b87eef49

memory/1904-128-0x000000013F1D0000-0x000000013F521000-memory.dmp

memory/1760-132-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/948-131-0x000000013FCE0000-0x0000000140031000-memory.dmp

memory/2280-130-0x000000013F0F0000-0x000000013F441000-memory.dmp

memory/1760-129-0x000000013F0F0000-0x000000013F441000-memory.dmp

memory/1760-127-0x000000013F1D0000-0x000000013F521000-memory.dmp

memory/2772-126-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/1760-125-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/2708-124-0x000000013FF00000-0x0000000140251000-memory.dmp

memory/2808-123-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/1760-122-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2736-121-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2888-120-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/1760-119-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2812-118-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/1760-117-0x0000000002300000-0x0000000002651000-memory.dmp

C:\Windows\system\LPUBOOY.exe

MD5 65e3230ef4fc0421a6546cee24a54b1d
SHA1 370bcbc0cdfc3ecef6ee83ba6a7af207d22a9e0a
SHA256 b8c6ae006bf1e45ecf96a8a15647656658feac5de0dc4edfab76e5f6d4403a7e
SHA512 e79d183be31200aced79c091ff2312f060a036320cdb4874e0df108c1f25fc4acf2ae465da8dccc297c7a3c1aebdb59b183ea3e39cef49315afb21388eaee1d7

C:\Windows\system\DryfTpw.exe

MD5 7634ffe2164306ea3bda4ec3157d0fda
SHA1 edde526e4378c245cc6e11543bcfb30122665902
SHA256 72de47a6af37bd4b0111b574cb808e2d60c3d9efb5f1d9eb20ce6e7a7f616749
SHA512 63164735d5a18a537763cf6b40c853fefef9a378193f30b5c9936da4733fb21bef2d0a8c33adf6d768b5810bea015d97e5d194e4b55c5b82340d52530c65d42c

C:\Windows\system\zBXSEKx.exe

MD5 40193756142b87a3a95288e77d4526e4
SHA1 a37140fb8e36844f0ceaac04e6750727456cf58d
SHA256 c38956a91d40949d50e1dcecfc8e6d74e7c374eb61c79b9f0817a572e73af491
SHA512 1076ea9e75bacbc79aa4ace59fadbb097b0d769f398a3daf3d040b39ca10edff7b661095619064107900884cd8ad394a2785a751aab1789c2437a31743bf0938

C:\Windows\system\bFprZtU.exe

MD5 3bebe4456bf111173403164d397b085a
SHA1 57368624f1a36ac33d17d434852f5eaaead49b0f
SHA256 e6ebac919678ce7a2b1eb33a40e281d8372bc99411aa7a408376aca0a4f9a0a8
SHA512 431f822b39e06a588cc4ee2fd6ad5f5ad487e3df705c9f8447da54b97601d1c4a6c6af8f055235feb6e8d2c3960cfff4d6201bd52403413fddffcaeceb4a1105

C:\Windows\system\GeCxbHQ.exe

MD5 0eea03504f6469125e39719369b3d636
SHA1 1aceef72f06085a53470506dc92f3125c1d16f2e
SHA256 e6bd4c97f434becd378d6da36606fb216dc3366740b52ab7a117b20963f5613b
SHA512 f9cf3ffc2dfbeb6908b6e234360ea711f352a9e1c2a00b866f6990faf9ba0ef38f48764159b82058732eeb4ecdd4897808126d8b136522b803a957ec28a93ffb

C:\Windows\system\RNZevwi.exe

MD5 ff7eb815bae86bd6d33f3943c3675a87
SHA1 ebeaa8809c94e806d601b7778d02d8d6d9186fc0
SHA256 c80bcdd0473afe1a78cdcf8b924ad800e9f2d9f5fde6e8d14617707347f36a9c
SHA512 11c43323e0a817c71db25a3f4a86b18d8d307485c93e0debe4d5d97c7f86cdc0fd142e948a9b824efc72c0b8cfafcce77b7234ef85ab9cf27e49f76d5b04c47f

C:\Windows\system\fTqLKdZ.exe

MD5 353a7c92b388955d7dfa9661d5dedeac
SHA1 3462856272215c725550000f68a3059baf480e5e
SHA256 bdc9875f97977865f9bd716bcf2dd51b4939b59c351a2409c9b5776c6de23dae
SHA512 047823f9e9b5bc29487bd82b0c66404947eec67a998f8c7e03b179707ff4c688de323277a650b2dab11ff2058bb99273f8a109470c3d9058c9d7a5c102ab8ad1

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 11:51

Reported

2024-08-13 11:53

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nbjPqqf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DryfTpw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eAnisVm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XfVgkHi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RcWPLHW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\txpXKoj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bFprZtU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LPUBOOY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YBYbTXX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tEqlZVH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xIocNHM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VmbEyEK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RNZevwi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GeCxbHQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IyvHtzD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zBXSEKx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AZCqnvK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mZXUgln.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VsDpJGR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jonqWcK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fTqLKdZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2668 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xIocNHM.exe
PID 2668 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xIocNHM.exe
PID 2668 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmbEyEK.exe
PID 2668 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmbEyEK.exe
PID 2668 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mZXUgln.exe
PID 2668 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mZXUgln.exe
PID 2668 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VsDpJGR.exe
PID 2668 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VsDpJGR.exe
PID 2668 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jonqWcK.exe
PID 2668 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jonqWcK.exe
PID 2668 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbjPqqf.exe
PID 2668 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbjPqqf.exe
PID 2668 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fTqLKdZ.exe
PID 2668 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fTqLKdZ.exe
PID 2668 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RcWPLHW.exe
PID 2668 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RcWPLHW.exe
PID 2668 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RNZevwi.exe
PID 2668 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RNZevwi.exe
PID 2668 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GeCxbHQ.exe
PID 2668 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GeCxbHQ.exe
PID 2668 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bFprZtU.exe
PID 2668 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bFprZtU.exe
PID 2668 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zBXSEKx.exe
PID 2668 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zBXSEKx.exe
PID 2668 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AZCqnvK.exe
PID 2668 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AZCqnvK.exe
PID 2668 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DryfTpw.exe
PID 2668 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DryfTpw.exe
PID 2668 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LPUBOOY.exe
PID 2668 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LPUBOOY.exe
PID 2668 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eAnisVm.exe
PID 2668 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eAnisVm.exe
PID 2668 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YBYbTXX.exe
PID 2668 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YBYbTXX.exe
PID 2668 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\txpXKoj.exe
PID 2668 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\txpXKoj.exe
PID 2668 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tEqlZVH.exe
PID 2668 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tEqlZVH.exe
PID 2668 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IyvHtzD.exe
PID 2668 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IyvHtzD.exe
PID 2668 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XfVgkHi.exe
PID 2668 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XfVgkHi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_5f5b79aa3e462e25668d8890ffb157d3_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\xIocNHM.exe

C:\Windows\System\xIocNHM.exe

C:\Windows\System\VmbEyEK.exe

C:\Windows\System\VmbEyEK.exe

C:\Windows\System\mZXUgln.exe

C:\Windows\System\mZXUgln.exe

C:\Windows\System\VsDpJGR.exe

C:\Windows\System\VsDpJGR.exe

C:\Windows\System\jonqWcK.exe

C:\Windows\System\jonqWcK.exe

C:\Windows\System\nbjPqqf.exe

C:\Windows\System\nbjPqqf.exe

C:\Windows\System\fTqLKdZ.exe

C:\Windows\System\fTqLKdZ.exe

C:\Windows\System\RcWPLHW.exe

C:\Windows\System\RcWPLHW.exe

C:\Windows\System\RNZevwi.exe

C:\Windows\System\RNZevwi.exe

C:\Windows\System\GeCxbHQ.exe

C:\Windows\System\GeCxbHQ.exe

C:\Windows\System\bFprZtU.exe

C:\Windows\System\bFprZtU.exe

C:\Windows\System\zBXSEKx.exe

C:\Windows\System\zBXSEKx.exe

C:\Windows\System\AZCqnvK.exe

C:\Windows\System\AZCqnvK.exe

C:\Windows\System\DryfTpw.exe

C:\Windows\System\DryfTpw.exe

C:\Windows\System\LPUBOOY.exe

C:\Windows\System\LPUBOOY.exe

C:\Windows\System\eAnisVm.exe

C:\Windows\System\eAnisVm.exe

C:\Windows\System\YBYbTXX.exe

C:\Windows\System\YBYbTXX.exe

C:\Windows\System\txpXKoj.exe

C:\Windows\System\txpXKoj.exe

C:\Windows\System\tEqlZVH.exe

C:\Windows\System\tEqlZVH.exe

C:\Windows\System\IyvHtzD.exe

C:\Windows\System\IyvHtzD.exe

C:\Windows\System\XfVgkHi.exe

C:\Windows\System\XfVgkHi.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

C:\Windows\System\xIocNHM.exe

MD5 328df059ebc9cb583ec9a07442e4b2fb
SHA1 4d1b2f9a2f6c3f0dadde0ceba1e1797ed821adcd
SHA256 e765abe04332882fda0d3ca79522a719a38b5f2a01274e3f41715524df438793
SHA512 f4a062bffa5fbb52d54899a359c1f10192f57565b8733ff54219fcc24ac473c8e87ee7f73a2764989c030a6b2c01c3f3ce80cb6e8d4487b2de9517233a09cc40

C:\Windows\System\mZXUgln.exe

MD5 8ffae5ee9b31b084cc6ed496e8f51443
SHA1 8fe5cf38dc5e6068d42722ca752686d3d5b017e0
SHA256 eeab0d1a12187675b02a070ba37d3ebd7a7a504455a66f94245f8c8f06142bd3
SHA512 490d011e78835d38e67b07aa45bc469535ae3f263fcdda0355f2a712a9a665fa9d1e1a93aa9fc4c1ed978cdc49c98506620c36e5449d9eaf3e332edaa7c8f798

C:\Windows\System\VsDpJGR.exe

MD5 afe9996ed1e3138af776a04a648e48b2
SHA1 f81f686b35d09cb4d1271b07a4a2278898dfe6c5
SHA256 e6b4947ec77426114384dae8ac82f4faf3f282d71e92342c266c23ab8d4e75cf
SHA512 cbd2e191b81f468fbd3eb0ac83765ecf68ca8c79a0abcc800fbb8d1037d5c33e02b39bb39e523f2658167dda04ddfd0edc93870fc43e30ade40ae962f874889e

C:\Windows\System\nbjPqqf.exe

MD5 271fda6b6e9052891a7a350047d01b1d
SHA1 ee7b40e550b212bc128c673de763ceddefa0b329
SHA256 fcae241737ffec31121f909f3f2246699191a0a5b8cbe0ce653d738f01991f40
SHA512 af094ca0c3f21ca0ce5da6a6ded36ea361303bc323541b84456afa7fa550ea056623f0853d140974c4b60a85d5aa5f8c527fad243ac7d6b76691d0a7ed679867

C:\Windows\System\fTqLKdZ.exe

MD5 353a7c92b388955d7dfa9661d5dedeac
SHA1 3462856272215c725550000f68a3059baf480e5e
SHA256 bdc9875f97977865f9bd716bcf2dd51b4939b59c351a2409c9b5776c6de23dae
SHA512 047823f9e9b5bc29487bd82b0c66404947eec67a998f8c7e03b179707ff4c688de323277a650b2dab11ff2058bb99273f8a109470c3d9058c9d7a5c102ab8ad1

C:\Windows\System\RcWPLHW.exe

MD5 2675df7cd7ce0e5a8e03c7ae27a74451
SHA1 bb6758eb2c73581b9359cd11893c77be179d20c2
SHA256 0cbf9f72a419427997741c2e1b65e33f7437156c2af38847adba53d1be66b285
SHA512 0c0227618a76b755cbc170f088fd718cd8faea2ac408a37bc4c87e4cb3308f9eef0634a35197a55dd7b4dd45117cec66e2ac2946e6c87d181743bb8c1c622be4

C:\Windows\System\RNZevwi.exe

MD5 ff7eb815bae86bd6d33f3943c3675a87
SHA1 ebeaa8809c94e806d601b7778d02d8d6d9186fc0
SHA256 c80bcdd0473afe1a78cdcf8b924ad800e9f2d9f5fde6e8d14617707347f36a9c
SHA512 11c43323e0a817c71db25a3f4a86b18d8d307485c93e0debe4d5d97c7f86cdc0fd142e948a9b824efc72c0b8cfafcce77b7234ef85ab9cf27e49f76d5b04c47f

C:\Windows\System\bFprZtU.exe

MD5 3bebe4456bf111173403164d397b085a
SHA1 57368624f1a36ac33d17d434852f5eaaead49b0f
SHA256 e6ebac919678ce7a2b1eb33a40e281d8372bc99411aa7a408376aca0a4f9a0a8
SHA512 431f822b39e06a588cc4ee2fd6ad5f5ad487e3df705c9f8447da54b97601d1c4a6c6af8f055235feb6e8d2c3960cfff4d6201bd52403413fddffcaeceb4a1105

C:\Windows\System\zBXSEKx.exe

MD5 40193756142b87a3a95288e77d4526e4
SHA1 a37140fb8e36844f0ceaac04e6750727456cf58d
SHA256 c38956a91d40949d50e1dcecfc8e6d74e7c374eb61c79b9f0817a572e73af491
SHA512 1076ea9e75bacbc79aa4ace59fadbb097b0d769f398a3daf3d040b39ca10edff7b661095619064107900884cd8ad394a2785a751aab1789c2437a31743bf0938

C:\Windows\System\AZCqnvK.exe

MD5 033e45354e338a4bc28f31dfcddc49c7
SHA1 a4f9532274fd054aeb00d38cf349bff34f6fa840
SHA256 6ba580ee97306ea6c5c42461c1ade79d8b6de1e5f7e36ce5d6bd846ec16f656f
SHA512 205610c97b83595a4e1b9574dc3fbd4484369185c3f25578fdd48fec67a7651b7dcd86654d349272f746ee6b051100ca73d494c6269b1eff26a3a09b6a34f55c

C:\Windows\System\DryfTpw.exe

MD5 7634ffe2164306ea3bda4ec3157d0fda
SHA1 edde526e4378c245cc6e11543bcfb30122665902
SHA256 72de47a6af37bd4b0111b574cb808e2d60c3d9efb5f1d9eb20ce6e7a7f616749
SHA512 63164735d5a18a537763cf6b40c853fefef9a378193f30b5c9936da4733fb21bef2d0a8c33adf6d768b5810bea015d97e5d194e4b55c5b82340d52530c65d42c

C:\Windows\System\tEqlZVH.exe

MD5 3d1675668f0379b7d42c6a19f3729dd2
SHA1 af51c1ce2ba5fc176ba91b8473b18dc3faee247f
SHA256 6b3779adba621da1e9e449dae1b1800908aa08232e829aa346aeee602b45dabf
SHA512 0349a6f0fe35ae43ec867836c1d31458ff0868f62da279847604173d0c538a83d3d0867fd8736f8bfe1a0c7054558973bc081a090fc80feadd1ef7873ba680cb

C:\Windows\System\XfVgkHi.exe

MD5 85f73d6530151719e9d8bacd43e38241
SHA1 66a50a26652febc3dbe3125403be406d56f5056e
SHA256 122de572eb3023ecd711544f817c7e8393e3cf66b7bbf2193310c4898c94b066
SHA512 df2d6f6963e9dee0952a1acde7becd73e0f618571b187481841471a36167d4901c9cbceb6756f8b3301ced883c6b80f1f1d1d37b8f4875e62bbdf0ec120db5c8

C:\Windows\System\IyvHtzD.exe

MD5 a1f5c6f06eb6defbdd5c55a5e35343b1
SHA1 ff2435645d9dd82d2c96a3acbe87e8dd5ff20aba
SHA256 01766f0f1194d9962a1bcb711778ff963fcba231131aeb82844925e8e512822e
SHA512 d18433b34ef4641e99b5775809b2ebd1ea408fdfb99a0dc2f38f6d03484447614307d1524fb38b74b7560fa03fd64d03533c0bda96cd32522e0f60b4b87eef49

C:\Windows\System\txpXKoj.exe

MD5 ebb3649589fafc4219d51dc03230d2af
SHA1 f88bcd7cb59599968da94da6426c7d538430ca4b
SHA256 ca19e895fcaab75ccef206b437707d3a202b1c380390784dd854ab7d2916575c
SHA512 2b6d7daf472717fdbb158b0d4df3a3a62ce24b5a3b043ea679b77dd750071d14997a47e54e3f4f1748e4d54f4ed788cac4ce577d8ac1f7d3d651ee64cf7ee062

C:\Windows\System\YBYbTXX.exe

MD5 1e198837fcf5481b24d9e6939e1ea272
SHA1 45694aae7b7460a284bfbd0b1520b435479f9716
SHA256 d09f7bd288a1b574057949cbce1936d548f1b1eac71bdd93babd3eac2593fe1a
SHA512 0b958736d1443ea2125bfa990b2d0479cb1449daa6833d59b09f1ef14a08464a9f74bfbd933786f10ff559d3a0c3a479c99400b7ee1fc66f6b1265d5d02b3f81

C:\Windows\System\eAnisVm.exe

MD5 cf1dcca23926a063c3119b29ec2b328b
SHA1 dc1481d18cbb853f9e32967430eb4edb3d50b151
SHA256 e4b2d779b05d21214cc2fb964eeef0d92a6d287ac9ee924cfdbebba2603b1d8d
SHA512 b5eadd179d31fdc79d7c05a8df3ef1e9417098020f52b09267765b027c13c841f6803c212131ce337dea0587cfcb606ba66cb58797af3619ed4065de01df0ddd

C:\Windows\System\LPUBOOY.exe

MD5 65e3230ef4fc0421a6546cee24a54b1d
SHA1 370bcbc0cdfc3ecef6ee83ba6a7af207d22a9e0a
SHA256 b8c6ae006bf1e45ecf96a8a15647656658feac5de0dc4edfab76e5f6d4403a7e
SHA512 e79d183be31200aced79c091ff2312f060a036320cdb4874e0df108c1f25fc4acf2ae465da8dccc297c7a3c1aebdb59b183ea3e39cef49315afb21388eaee1d7

C:\Windows\System\GeCxbHQ.exe

MD5 0eea03504f6469125e39719369b3d636
SHA1 1aceef72f06085a53470506dc92f3125c1d16f2e
SHA256 e6bd4c97f434becd378d6da36606fb216dc3366740b52ab7a117b20963f5613b
SHA512 f9cf3ffc2dfbeb6908b6e234360ea711f352a9e1c2a00b866f6990faf9ba0ef38f48764159b82058732eeb4ecdd4897808126d8b136522b803a957ec28a93ffb

C:\Windows\System\jonqWcK.exe

MD5 8610d4c208abf16182b93053e81f7402
SHA1 5121c83df1da9f4fa52b0a8cac7698132f4fe352
SHA256 da8a31ede1b2347a5815e03471c6b4b0967137435c38cd6931c0618af2a20aad
SHA512 e2c9b234dac6355f3be33664c8cc65fafef0f16a5d4dc0717cdc2be669b02b3bbb893e8f5106868f5067d9611d933a12ee117dbfbb58aa799c6232284993bf96

C:\Windows\System\VmbEyEK.exe

MD5 da79951f3cce18f286bb48391e5be54a
SHA1 f8aecfecb05d444f5170e8fae38aaa50ba1672fe
SHA256 ff4fc7187db99a0e07e1e19aa1b4e0e56f889aa6c5bb1e68ab26c76784ac1cc8
SHA512 34bafd59e48b7b9bd483c835823200be8ed27e503f6106ad447be206ca40ee5a253df23e6d4ca6c3ff96259510767ef603a7b4bf7792c05f9c6cd5f269d5ad8c
