Malware Analysis Report

2025-03-15 08:00

Sample ID 240813-nzbras1gna
Target 2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat
SHA256 845864b9e7b30155bbba6b676d5cb474133040e0d73d13d7b5d6cebff25a251c
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

845864b9e7b30155bbba6b676d5cb474133040e0d73d13d7b5d6cebff25a251c

Threat Level: Known bad

The file 2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

xmrig

Cobaltstrike

Cobaltstrike family

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 11:49

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
(2 matches reported; description, indicator, process and target all recorded as N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 11:49

Reported

2024-08-13 11:52

Platform

win7-20240705-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches reported; description, indicator, process and target all recorded as N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(41 matches reported; description, indicator, process and target all recorded as N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(21 identical rows reported for this process; description, indicator and target recorded as N/A)

UPX packed file

upx
Description Indicator Process Target
(61 matches reported; description, indicator, process and target all recorded as N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yLxOcbu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aFxdURB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cRmdQAc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gCqeBux.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UJFSLJW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gxqyuzx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lgddCBN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gIQcCQb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KxpBfWf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SitvTkl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hCDrqZJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MYHCrIr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OfhnEms.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IgOAnZC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wkJffJO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RWCzxZc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BaIzVqz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XwPjGEc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MvnPKAu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iXtDCdc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aLxeDQa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each write below was reported in three identical rows; the duplicate rows are collapsed here)
PID 1984 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gxqyuzx.exe
PID 1984 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RWCzxZc.exe
PID 1984 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yLxOcbu.exe
PID 1984 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aLxeDQa.exe
PID 1984 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KxpBfWf.exe
PID 1984 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SitvTkl.exe
PID 1984 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aFxdURB.exe
PID 1984 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hCDrqZJ.exe
PID 1984 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gIQcCQb.exe
PID 1984 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cRmdQAc.exe
PID 1984 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gCqeBux.exe
PID 1984 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MvnPKAu.exe
PID 1984 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UJFSLJW.exe
PID 1984 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lgddCBN.exe
PID 1984 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MYHCrIr.exe
PID 1984 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OfhnEms.exe
PID 1984 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IgOAnZC.exe
PID 1984 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iXtDCdc.exe
PID 1984 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wkJffJO.exe
PID 1984 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XwPjGEc.exe
PID 1984 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BaIzVqz.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\gxqyuzx.exe

C:\Windows\System\gxqyuzx.exe

C:\Windows\System\RWCzxZc.exe

C:\Windows\System\RWCzxZc.exe

C:\Windows\System\yLxOcbu.exe

C:\Windows\System\yLxOcbu.exe

C:\Windows\System\aLxeDQa.exe

C:\Windows\System\aLxeDQa.exe

C:\Windows\System\KxpBfWf.exe

C:\Windows\System\KxpBfWf.exe

C:\Windows\System\SitvTkl.exe

C:\Windows\System\SitvTkl.exe

C:\Windows\System\aFxdURB.exe

C:\Windows\System\aFxdURB.exe

C:\Windows\System\hCDrqZJ.exe

C:\Windows\System\hCDrqZJ.exe

C:\Windows\System\gIQcCQb.exe

C:\Windows\System\gIQcCQb.exe

C:\Windows\System\cRmdQAc.exe

C:\Windows\System\cRmdQAc.exe

C:\Windows\System\gCqeBux.exe

C:\Windows\System\gCqeBux.exe

C:\Windows\System\MvnPKAu.exe

C:\Windows\System\MvnPKAu.exe

C:\Windows\System\UJFSLJW.exe

C:\Windows\System\UJFSLJW.exe

C:\Windows\System\lgddCBN.exe

C:\Windows\System\lgddCBN.exe

C:\Windows\System\MYHCrIr.exe

C:\Windows\System\MYHCrIr.exe

C:\Windows\System\OfhnEms.exe

C:\Windows\System\OfhnEms.exe

C:\Windows\System\IgOAnZC.exe

C:\Windows\System\IgOAnZC.exe

C:\Windows\System\iXtDCdc.exe

C:\Windows\System\iXtDCdc.exe

C:\Windows\System\wkJffJO.exe

C:\Windows\System\wkJffJO.exe

C:\Windows\System\XwPjGEc.exe

C:\Windows\System\XwPjGEc.exe

C:\Windows\System\BaIzVqz.exe

C:\Windows\System\BaIzVqz.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
(6 identical connection records reported for this destination; no domain recorded)

Files

memory/2816-110-0x000000013F830000-0x000000013FB81000-memory.dmp

memory/1984-109-0x000000013F830000-0x000000013FB81000-memory.dmp

C:\Windows\system\BaIzVqz.exe

MD5 8d955ebd79492b32b805c76922e455a3
SHA1 29bb40bc45a24e1ec6f3e8fe0940a19ed1a5087f
SHA256 b3b4d8565be02f2d2f87aaf1c2d312bf0067dd51d5ad71cf5ed0d0c4ae16fc2b
SHA512 3ba68d1d5469b21c4e13761642725dacbc3916953a09ca44bd0ebf934f47002007764f2a81513c74347a9ae3e6d59ae6623951b55ac3baad9c9ebe94f728a6a8

C:\Windows\system\XwPjGEc.exe

MD5 188e6d45c852c11ddcaf228fb068c15b
SHA1 79ff6149b6710440ba040510094cf35c4113b117
SHA256 a9a3d77819d49a48c5f075e4025205f2d019e09f80a7d4a99d49fa5f376ed148
SHA512 1cfff07343bfcde001d661635d3e6c2efd8cb98173f939f37d514cf10073d3059adef5265c2f06d78ec6064fd439b8aedfd41ad8c4a0400cfc4614d3c9aefd9e

C:\Windows\system\wkJffJO.exe

MD5 0560d403571a5ed96a8d0af71b56f898
SHA1 ac19eedae2e1300bfa45cbfe9e4be6b19a18026e
SHA256 4e80e0a22fcbaaa0c3a7a8071b76bb64545f8c9d33e9f067d18ae8d079e6367e
SHA512 e66fda8fa1d07304e5ed57bfdc74765e73c40af2b7d8aec50f48676f840d645194e99a40ea36eccaf3a552c63ca5c8006981a934424830675fd1e3acc0bd70b4

C:\Windows\system\iXtDCdc.exe

MD5 7e9ae66bfcdf146e468cf22b96c0d97f
SHA1 85fba5243668f542c235f1cdb160dfe11093cc51
SHA256 179f858beb8579196cccd80bc073354bd5e16e4dbdd3d37fc2f83f551f86257f
SHA512 6ed155bb81c24febfcf80887b7eb02efe089fa529d05abf381a95d4e5c1653feec6f4c7c994cd0e75706c060cca0dc8b6f4835677796a3f74b94a97dfd7a6cc0

C:\Windows\system\IgOAnZC.exe

MD5 2cc83247dcc98f1ca440cd3b6b7bf9df
SHA1 571fe88cb107fb28f85cf44b8cdf3dce96b1c20a
SHA256 e9951cf8e90a562f3a8bd41a132cf9b6c3ae426bda3a5703c5daeab43a77f670
SHA512 ce6401f7cebdf0829ffd08047be789d730f59be142651e9a22f72146f9ff9497dba6511eb8317f9714fc5009e807bf079182766c0fd41ae17b9c7f4918e307d9

C:\Windows\system\OfhnEms.exe

MD5 8ee6c8ef3009e2cb5e04b93fa3ccfbe5
SHA1 c9c6bd18d667453cb6b6093e85ad2f7e71501036
SHA256 2b61f2d2d965277302649e018d4f08324fb8e7b2a232ebb6771857694fa5aca5
SHA512 8786bd6e35c21d1d48f6d82c8f870df3508567b620951d9ebf45dee016243ae22c8ffbd14b05165f89ebff1c6ff7ae9918694d03ec5fe8e7fc67e4178acc5cdf

C:\Windows\system\MYHCrIr.exe

MD5 cea76e3a6a59236abbd561cbd4f3d39c
SHA1 152453e51c4e4c7b72af8bb61ea62d07eb36237e
SHA256 e2ecd8db2b06670307f5f6de038bfc1c90e43fb1e966893a89e134438fee0e18
SHA512 0a9909bb2877a0bb0c06f23861a5690926d61021a4a9761116a48378cde88969abae4d7a86af8e41ebfe4a613a7e0d1f171a4cc96582c0b3ed4241d96bcd076d

C:\Windows\system\lgddCBN.exe

MD5 b0ebd617d7833a856c48949cfb157914
SHA1 d25cb062ff9b82c0b27e19e4f658221792e10e37
SHA256 3139390514109be450f6688cfd9d7eff62dea7d88759a2a48ad5c4d8bf9e820e
SHA512 b734da32ff483548fbfa0a51385d94a1e29e2dfd56272099e739ffb014af0510085fca563220d557b06ade084bf5b50f9502f6ca5d02096487e92d4758ea480a

C:\Windows\system\UJFSLJW.exe

MD5 d2058a5a3d22e9cf4c514bba6e81d26c
SHA1 0e8b8711b95b955249414ddb85df0621a58e6c02
SHA256 47a869f6bde069bc4e9c50870fb29f4a719d5900b9f278667f10ca6e02b32e75
SHA512 7a36f1cd314094525cce9d22a5a7b66c17eacec5cd331ba2401451fe90d6f36020900428726bb2d393b985f25a4a6d83e5c6b6ca08076b8019887b91ab87dcb5

C:\Windows\system\MvnPKAu.exe

MD5 f7d0d654f4e99386f961d6c9132d0cb7
SHA1 5436120115463fe231295494d78fa57fea77c93d
SHA256 0265c56fd2afff78fb505468c7b0882d2397fe74feb69573f3169ca50955a1c0
SHA512 22d67158817243c0d19a20a97d25834ce752b81a26b158d37ad4d70a81ad1c5d30bcf814552b4d4f7b627f6b4db3f79d400fce55a6ec90915eda720126045310

C:\Windows\system\gCqeBux.exe

MD5 4816eea8b3d5c4b87c2f486ea64f4abe
SHA1 fae19e2bda817bbe5ebc9e9a7510b60927359649
SHA256 35711877a7f7e365516496d2125acb0b5d66ace20111cc212f7dd94c0e0b035f
SHA512 2a6a05dcb166887b9053d7e6611d972b0ebbb9a98023b503b2342e269e3bcc0c3a4dff92c0f158bd6968017cd26f4ec8ddcba8870f7c2679bf3339c4897d1aea

C:\Windows\system\cRmdQAc.exe

MD5 93599197889da509ad9b44b647945d71
SHA1 8d77457608736e1ab605b3f45b7a56a2f5344a10
SHA256 c347030c98a97c0fc8891e4251d06b2b04b39625cddd32f69e215068b901f768
SHA512 aa43c1701897a5d959a816d479414dc051ec74e6ab883759d61ec4c402526fda1b6d6f47eab1bf93675c60505295a34403909eb7ba1e181950b55841625a739a

C:\Windows\system\gIQcCQb.exe

MD5 a28cfc210f13f4d6b6fb720ed7adc3f6
SHA1 1813c0b7c80588fc1752fd070537e9e6e789ad8e
SHA256 3e14a95ef4d084bfe6b83597a5a583a95337265e7a5ef14052777887158086ad
SHA512 b1da8e9709ff299e5c5c7491cf9471930d040d6ed1d906ae71f75458b847f11a7b07ea5881b380ba29ce2c91545b48faa563caf1cd6b975a4dc897161b114345

C:\Windows\system\hCDrqZJ.exe

MD5 be5d85e0f5c69780a647673e8fcffb36
SHA1 31974e362417fb0668977f7c9578bfdc2f1d2675
SHA256 506af81610db7925c5bce29b163d67f9dd0ecc16a15e7be277686d56c1518d7b
SHA512 6e41ecf6e663366e144d92f952f3bc7ac01ac18a8c23281979e155c44727919e61b64463f1e287dd836d09793715537f9141bfb9234de5a66b3b184b7e6f6d0d

C:\Windows\system\aFxdURB.exe

MD5 2171e3012e6f1e3e71539406e8a2a487
SHA1 cb29a6a39d18db869a2626aab1355824e2b3e2fe
SHA256 7d5bd2a79db1d94d2022f442c51872e47eb1c32740abeaa36ec20da96f236052
SHA512 afa82387bcfdb35d235784444c8b86c84a15fef65277af34027961e63ec8652c3485f24982ceecd84c4b1fa265c0da90b8974d842c0a1f3b9f9078caa5b4f3e5

C:\Windows\system\SitvTkl.exe

MD5 1f64d8242394b9e8f6a8033498ec82fd
SHA1 0df04b40fa6bde8a0ec2b5977fe4f65883d38777
SHA256 253eef6cdc8d6fff42efe38233a630a08b027edb6a375c1b08bd4c8a7a2fec66
SHA512 f2439b8c798d971644c72f1f08602b017623004ba6953565aa9f36f9771ca0dbca7c12cda4fbffaeb1c0e3bc7a3a295010cb202149e7224233cb7a7772981814

C:\Windows\system\KxpBfWf.exe

MD5 2fe93e83e8de892f21f5c0bdb61e68bc
SHA1 12239b619ebda8463702e916451bd0a84f2a633f
SHA256 79171c8511d334812a3d2c09a29aede5d54c2329451755ec9344d34024fdb5a4
SHA512 cdc73cf5ffb756c7df73ce9412b90b7876efeb7ac3887e48bf8518a3d33aacbcc9b59f0aaa89cd49463ef2a98efbb412b273d323a44e28c059febaaeba778901

C:\Windows\system\aLxeDQa.exe

MD5 f72551d9b5eb39b908ceb140cb02f96a
SHA1 da70c3fe744296fa1b5b0612b97d729447a38cd5
SHA256 100464528215d2a6046f5cf4e1c96f6159d98a41fd5e91022501fd33087ad162
SHA512 80b7eb20d80ead9a1f0767784ad3e2a98bb60ded30e519ebb289cd9e4b5e41cfb2b0bded13d5bc61aadd004b0af5b399d341051bfb4adc4945ffbe895bbcaf4c


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 11:49

Reported

2024-08-13 11:52

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\mFzevaY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UBmKsML.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DuisWPi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MNafKrC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GinJJlz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hShKRhW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\loLnhvd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SXjHDTv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BBGnksf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QSqROvr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EEpaweU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SEtRUrM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LZBJSNV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RJNUoti.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\quOoqbT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rmjLTHM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xGzHhgs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iNZKasB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jGfIkXF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OigmrLX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\njCJbho.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\quOoqbT.exe
PID 2248 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SXjHDTv.exe
PID 2248 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rmjLTHM.exe
PID 2248 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QSqROvr.exe
PID 2248 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OigmrLX.exe
PID 2248 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hShKRhW.exe
PID 2248 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EEpaweU.exe
PID 2248 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\loLnhvd.exe
PID 2248 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mFzevaY.exe
PID 2248 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UBmKsML.exe
PID 2248 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DuisWPi.exe
PID 2248 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MNafKrC.exe
PID 2248 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\njCJbho.exe
PID 2248 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SEtRUrM.exe
PID 2248 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BBGnksf.exe
PID 2248 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xGzHhgs.exe
PID 2248 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GinJJlz.exe
PID 2248 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iNZKasB.exe
PID 2248 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZBJSNV.exe
PID 2248 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RJNUoti.exe
PID 2248 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jGfIkXF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\quOoqbT.exe

C:\Windows\System\quOoqbT.exe

C:\Windows\System\SXjHDTv.exe

C:\Windows\System\SXjHDTv.exe

C:\Windows\System\rmjLTHM.exe

C:\Windows\System\rmjLTHM.exe

C:\Windows\System\QSqROvr.exe

C:\Windows\System\QSqROvr.exe

C:\Windows\System\OigmrLX.exe

C:\Windows\System\OigmrLX.exe

C:\Windows\System\hShKRhW.exe

C:\Windows\System\hShKRhW.exe

C:\Windows\System\EEpaweU.exe

C:\Windows\System\EEpaweU.exe

C:\Windows\System\loLnhvd.exe

C:\Windows\System\loLnhvd.exe

C:\Windows\System\mFzevaY.exe

C:\Windows\System\mFzevaY.exe

C:\Windows\System\UBmKsML.exe

C:\Windows\System\UBmKsML.exe

C:\Windows\System\DuisWPi.exe

C:\Windows\System\DuisWPi.exe

C:\Windows\System\MNafKrC.exe

C:\Windows\System\MNafKrC.exe

C:\Windows\System\njCJbho.exe

C:\Windows\System\njCJbho.exe

C:\Windows\System\SEtRUrM.exe

C:\Windows\System\SEtRUrM.exe

C:\Windows\System\BBGnksf.exe

C:\Windows\System\BBGnksf.exe

C:\Windows\System\xGzHhgs.exe

C:\Windows\System\xGzHhgs.exe

C:\Windows\System\GinJJlz.exe

C:\Windows\System\GinJJlz.exe

C:\Windows\System\iNZKasB.exe

C:\Windows\System\iNZKasB.exe

C:\Windows\System\LZBJSNV.exe

C:\Windows\System\LZBJSNV.exe

C:\Windows\System\RJNUoti.exe

C:\Windows\System\RJNUoti.exe

C:\Windows\System\jGfIkXF.exe

C:\Windows\System\jGfIkXF.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files
