Malware Analysis Report

2025-03-15 08:02

Sample ID 240814-z4mj5szdml
Target 2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat
SHA256 07255353ae5e995a465f5685e5de3b2691fd0ec17e4b35615bd81556253d596f
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07255353ae5e995a465f5685e5de3b2691fd0ec17e4b35615bd81556253d596f

Threat Level: Known bad

The file 2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike family

Xmrig family

xmrig

Cobalt Strike reflective loader

Cobaltstrike

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 21:16

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 21:16

Reported

2024-08-14 21:18

Platform

win7-20240708-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gNolyja.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kGGTJzF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sEBarEe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cetTRSd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GlAXLPo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ThfPmFt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VhOOMTW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LpDkCQl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\smqsRFf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ONDjsEn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WvAcTLN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lINfzuD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rPSLNGk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LxvXOHC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PGPVQqr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GTPxnyy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OcDTPER.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iuJgiHQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ubvJuWJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KpfEotI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LkNCNUo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LpDkCQl.exe
PID 3052 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ubvJuWJ.exe
PID 3052 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WvAcTLN.exe
PID 3052 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KpfEotI.exe
PID 3052 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LkNCNUo.exe
PID 3052 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LxvXOHC.exe
PID 3052 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\smqsRFf.exe
PID 3052 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kGGTJzF.exe
PID 3052 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PGPVQqr.exe
PID 3052 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GTPxnyy.exe
PID 3052 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ONDjsEn.exe
PID 3052 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sEBarEe.exe
PID 3052 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lINfzuD.exe
PID 3052 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OcDTPER.exe
PID 3052 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cetTRSd.exe
PID 3052 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gNolyja.exe
PID 3052 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iuJgiHQ.exe
PID 3052 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GlAXLPo.exe
PID 3052 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ThfPmFt.exe
PID 3052 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rPSLNGk.exe
PID 3052 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VhOOMTW.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\LpDkCQl.exe

C:\Windows\System\ubvJuWJ.exe

C:\Windows\System\WvAcTLN.exe

C:\Windows\System\KpfEotI.exe

C:\Windows\System\LkNCNUo.exe

C:\Windows\System\LxvXOHC.exe

C:\Windows\System\smqsRFf.exe

C:\Windows\System\kGGTJzF.exe

C:\Windows\System\PGPVQqr.exe

C:\Windows\System\GTPxnyy.exe

C:\Windows\System\ONDjsEn.exe

C:\Windows\System\sEBarEe.exe

C:\Windows\System\lINfzuD.exe

C:\Windows\System\OcDTPER.exe

C:\Windows\System\cetTRSd.exe

C:\Windows\System\gNolyja.exe

C:\Windows\System\iuJgiHQ.exe

C:\Windows\System\GlAXLPo.exe

C:\Windows\System\ThfPmFt.exe

C:\Windows\System\rPSLNGk.exe

C:\Windows\System\VhOOMTW.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/3052-178-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/3052-190-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2760-218-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2748-220-0x000000013FD30000-0x0000000140081000-memory.dmp

memory/2804-222-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2788-224-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2440-226-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/2568-228-0x000000013F330000-0x000000013F681000-memory.dmp

memory/2620-230-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/2032-232-0x000000013FDD0000-0x0000000140121000-memory.dmp

memory/576-234-0x000000013FB30000-0x000000013FE81000-memory.dmp

memory/1696-236-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2324-238-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2916-240-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/2188-242-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/2652-252-0x000000013FB20000-0x000000013FE71000-memory.dmp
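Every region dumped in this run is 0x351000 bytes (the same holds for every dump in behavioral2 except memory/1092-1, a 0x10000-byte region of the dropper process); only the base address differs, which is consistent with one executable image of fixed size mapped into each process. The parser below, added here as an example and not part of the original report, extracts that from the dump names. The memory/<pid>-<seq>-<start>-<end>-memory.dmp layout is inferred from the names on this page, and the input is a constructed subset of the behavioral1 names.

```python
"""Parse sandbox memory-dump names and check whether the dumped regions
share one size and which base addresses recur across processes.

Added example, not part of the original report. The name layout
memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from this page;
SAMPLE_DUMPS is a constructed subset of the behavioral1 listing.
"""
import re
from collections import defaultdict

SAMPLE_DUMPS = """
memory/2188-97-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/3052-96-0x0000000002220000-0x0000000002571000-memory.dmp
memory/2032-115-0x000000013FDD0000-0x0000000140121000-memory.dmp
memory/2620-133-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/3052-132-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/3052-119-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2652-131-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/576-139-0x000000013FB30000-0x000000013FE81000-memory.dmp
memory/2188-242-0x000000013F2D0000-0x000000013F621000-memory.dmp
"""

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dumps(text):
    """Return one dict per dump name: pid, seq, start, end and size in bytes.
    Lines that do not fit the layout are ignored."""
    regions = []
    for line in text.splitlines():
        m = DUMP_RE.fullmatch(line.strip())
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                        "start": start, "end": end, "size": end - start})
    return regions


def region_sizes(regions):
    """Map each distinct region size to the number of dumps with that size.
    A single key means every dumped region has the same extent."""
    counts = defaultdict(int)
    for r in regions:
        counts[r["size"]] += 1
    return dict(counts)


def bases_by_pid(regions):
    """Map pid -> sorted distinct base addresses dumped for that process."""
    bases = defaultdict(set)
    for r in regions:
        bases[r["pid"]].add(r["start"])
    return {pid: sorted(b) for pid, b in bases.items()}


def shared_bases(regions):
    """Base addresses that were dumped from more than one pid."""
    owners = defaultdict(set)
    for r in regions:
        owners[r["start"]].add(r["pid"])
    return {base: sorted(p) for base, p in owners.items() if len(p) > 1}


if __name__ == "__main__":
    regs = parse_dumps(SAMPLE_DUMPS)
    print("dumps:", len(regs))
    for size, n in region_sizes(regs).items():
        print(f"size 0x{size:X} ({size} bytes): {n} dumps")
    for base, pids in shared_bases(regs).items():
        print(f"base 0x{base:X} dumped from pids {pids}")
```

Run against the full listing, region_sizes collapses to a single key; a second key would point at a region that is not the common image (the 64 KB memory/1092-1 region in behavioral2 is the one such case on this page).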

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 21:16

Reported

2024-08-14 21:18

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches; all four columns are empty (N/A) in this export, so the hits cannot be tied to a particular process or file from this page alone.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
49 matches; all four columns are empty (N/A) in this export, so the hits cannot be tied to a particular process or file from this page alone.

UPX packed file

upx
Description Indicator Process Target
64 matches; all four columns are empty (N/A) in this export, so the hits cannot be tied to a particular process or file from this page alone.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lINfzuD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rPSLNGk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KpfEotI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LkNCNUo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kGGTJzF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ThfPmFt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LxvXOHC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GTPxnyy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OcDTPER.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ONDjsEn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cetTRSd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iuJgiHQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GlAXLPo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ubvJuWJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\smqsRFf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PGPVQqr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gNolyja.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VhOOMTW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LpDkCQl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WvAcTLN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sEBarEe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1092 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LpDkCQl.exe
PID 1092 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LpDkCQl.exe
PID 1092 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ubvJuWJ.exe
PID 1092 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ubvJuWJ.exe
PID 1092 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WvAcTLN.exe
PID 1092 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WvAcTLN.exe
PID 1092 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KpfEotI.exe
PID 1092 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KpfEotI.exe
PID 1092 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LkNCNUo.exe
PID 1092 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LkNCNUo.exe
PID 1092 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LxvXOHC.exe
PID 1092 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LxvXOHC.exe
PID 1092 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\smqsRFf.exe
PID 1092 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\smqsRFf.exe
PID 1092 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kGGTJzF.exe
PID 1092 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kGGTJzF.exe
PID 1092 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PGPVQqr.exe
PID 1092 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PGPVQqr.exe
PID 1092 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GTPxnyy.exe
PID 1092 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GTPxnyy.exe
PID 1092 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ONDjsEn.exe
PID 1092 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ONDjsEn.exe
PID 1092 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sEBarEe.exe
PID 1092 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sEBarEe.exe
PID 1092 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lINfzuD.exe
PID 1092 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lINfzuD.exe
PID 1092 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OcDTPER.exe
PID 1092 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OcDTPER.exe
PID 1092 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cetTRSd.exe
PID 1092 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cetTRSd.exe
PID 1092 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gNolyja.exe
PID 1092 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gNolyja.exe
PID 1092 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iuJgiHQ.exe
PID 1092 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iuJgiHQ.exe
PID 1092 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GlAXLPo.exe
PID 1092 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GlAXLPo.exe
PID 1092 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ThfPmFt.exe
PID 1092 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ThfPmFt.exe
PID 1092 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rPSLNGk.exe
PID 1092 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rPSLNGk.exe
PID 1092 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VhOOMTW.exe
PID 1092 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VhOOMTW.exe
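The two tables above describe one behaviour: PID 1092, running from the user's Temp directory, writes 21 executables into C:\Windows\System\ (the legacy directory, not System32) and then writes into the memory of each one as it starts it. The correlation below, added here as an example and not the report's or any vendor's detection, runs that logic over constructed events. The records mimic Sysmon EventID 11 (FileCreate) and EventID 1 (ProcessCreate) fields, but the field names, timestamps and the Edge process PID 5000 are this example's own; paths and the other PIDs are taken from the behavioral2 tables.

```python
"""Drop-and-execute correlation: a process whose image lives under
%LOCALAPPDATA%\\Temp creates .exe files in C:\\Windows\\System\\ and
then starts them.

Added example, not part of the original report. Events are constructed;
paths and PIDs 1092/2916/1704/1936 come from the behavioral2 tables,
timestamps and PID 5000 are invented.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

DROP_DIR = "c:\\windows\\system\\"          # legacy dir, not System32
TEMP_MARKER = "\\appdata\\local\\temp\\"
DROPPER = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
           "2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe")


@dataclass
class Event:
    ts: datetime
    kind: str                 # "file_create" | "process_create"
    pid: int                  # acting process (file_create) / new process (process_create)
    image: str                # acting image (file_create) / new image (process_create)
    target: str = ""          # file_create: path written
    parent_pid: int = 0       # process_create: parent PID
    parent_image: str = ""    # process_create: parent image


T0 = datetime(2024, 8, 14, 21, 16, 0)      # constructed base time

# Constructed scenario: three drop+run pairs, one drop that is never started
# (the report shows sEBarEe.exe running too; it is left unstarted here only
# to exercise that branch), and an unrelated Edge utility process.
SAMPLE_EVENTS = [
    Event(T0, "file_create", 1092, DROPPER, target="C:\\Windows\\System\\LpDkCQl.exe"),
    Event(T0 + timedelta(seconds=1), "process_create", 2916, "C:\\Windows\\System\\LpDkCQl.exe",
          parent_pid=1092, parent_image=DROPPER),
    Event(T0 + timedelta(seconds=2), "file_create", 1092, DROPPER, target="C:\\Windows\\System\\ubvJuWJ.exe"),
    Event(T0 + timedelta(seconds=3), "process_create", 1704, "C:\\Windows\\System\\ubvJuWJ.exe",
          parent_pid=1092, parent_image=DROPPER),
    Event(T0 + timedelta(seconds=4), "file_create", 1092, DROPPER, target="C:\\Windows\\System\\WvAcTLN.exe"),
    Event(T0 + timedelta(seconds=5), "process_create", 1936, "C:\\Windows\\System\\WvAcTLN.exe",
          parent_pid=1092, parent_image=DROPPER),
    Event(T0 + timedelta(seconds=6), "file_create", 1092, DROPPER, target="C:\\Windows\\System\\sEBarEe.exe"),
    Event(T0 + timedelta(seconds=30), "process_create", 5000,
          "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"),
]


def _norm(path):
    return path.lower()


def _is_drop(e):
    """FileCreate of an .exe under C:\\Windows\\System\\ by a Temp-resident image."""
    return (e.kind == "file_create"
            and TEMP_MARKER in _norm(e.image)
            and _norm(e.target).startswith(DROP_DIR)
            and _norm(e.target).endswith(".exe"))


def correlate(events, window=timedelta(minutes=5)):
    """Pair each qualifying drop with the first start of that file by the
    dropping process inside `window`. Returns (executed, unexecuted):
    executed is a list of dicts, unexecuted the dropped paths never started."""
    pending = {}                      # normalized target -> drop event
    executed = []
    for e in sorted(events, key=lambda x: x.ts):
        if _is_drop(e):
            pending[_norm(e.target)] = e
        elif e.kind == "process_create":
            d = pending.get(_norm(e.image))
            if d and e.parent_pid == d.pid and e.ts - d.ts <= window:
                executed.append({"dropper_pid": d.pid, "dropper": d.image,
                                 "dropped": d.target, "child_pid": e.pid,
                                 "delay_s": (e.ts - d.ts).total_seconds()})
                del pending[_norm(e.image)]
    unexecuted = sorted(d.target for d in pending.values())
    return executed, unexecuted


def verdict(executed, threshold=3):
    """Count executed drops per dropper PID and flag those at or over the
    threshold. The threshold is this example's choice: one drop+run from Temp
    into C:\\Windows\\System is suspicious on its own, a burst (21 here) is
    a strong signal."""
    counts = Counter(a["dropper_pid"] for a in executed)
    return {pid: {"executed_drops": n, "alert": n >= threshold} for pid, n in counts.items()}


if __name__ == "__main__":
    ex, unex = correlate(SAMPLE_EVENTS)
    for a in ex:
        print(f"pid {a['dropper_pid']} dropped and ran {a['dropped']} "
              f"as pid {a['child_pid']} after {a['delay_s']:.0f}s")
    print("dropped but not started:", unex)
    print(verdict(ex))
```

The parent-PID check matters: the WriteProcessMemory table shows the dropper itself starting each child, and requiring that relationship keeps a legitimate installer that happens to write into C:\Windows\System from matching on the file write alone.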

Processes

Image path, then the command line the sandbox recorded. Every dropped executable was started with its bare path and no arguments, so for those the two are identical and the path is listed once.

C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\LpDkCQl.exe
C:\Windows\System\ubvJuWJ.exe
C:\Windows\System\WvAcTLN.exe
C:\Windows\System\KpfEotI.exe
C:\Windows\System\LkNCNUo.exe
C:\Windows\System\LxvXOHC.exe
C:\Windows\System\smqsRFf.exe
C:\Windows\System\kGGTJzF.exe
C:\Windows\System\PGPVQqr.exe
C:\Windows\System\GTPxnyy.exe
C:\Windows\System\ONDjsEn.exe
C:\Windows\System\sEBarEe.exe
C:\Windows\System\lINfzuD.exe
C:\Windows\System\OcDTPER.exe
C:\Windows\System\cetTRSd.exe
C:\Windows\System\gNolyja.exe
C:\Windows\System\iuJgiHQ.exe
C:\Windows\System\GlAXLPo.exe
C:\Windows\System\ThfPmFt.exe
C:\Windows\System\rPSLNGk.exe
C:\Windows\System\VhOOMTW.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4172,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8

The msedge.exe entry is an Edge utility process from the win10v2004 image: nothing in the drop or WriteProcessMemory tables involves it, and it is the plausible source of the g.bing.com and tse1.mm.bing.net connections in the Network table below. Do not read it as sample activity without parent-process evidence.

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Apart from DNS to 8.8.8.8 (forward queries and in-addr.arpa reverse lookups, which the sandbox's resolver generates) and HTTPS to Microsoft's Bing endpoints, the only destination is 3.120.209.58:8080 (DE), reached six times over TCP with no domain recorded, which is what a hard-coded beacon address looks like in this table. The report gives no payload detail for those sessions, so treat the address as a candidate command-and-control endpoint rather than a confirmed one, and confirm it against the capture before publishing it as an indicator.
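The same separation can be done mechanically. The classifier below is an added example, not the report's own logic: its rules (resolver traffic at 8.8.8.8:53, in-addr.arpa names as reverse lookups, bing.com/bing.net as Windows background) are analyst heuristics assumed here for a Windows 10 sandbox image, and the rows are a constructed subset of the table above.

```python
"""Triage of a sandbox Network table: separate resolver and OS background
traffic from destinations worth investigating.

Added example, not part of the original report. The background allow-list
and the resolver address are assumptions for a Windows 10 sandbox image;
SAMPLE_ROWS is a constructed subset of the behavioral2 table.
"""
import re
from collections import Counter

SAMPLE_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

# Assumptions of this example; tune per environment.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")
RESOLVERS = {"8.8.8.8:53"}
DEST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


def parse_rows(text):
    """Return dicts with country, dest, domain (empty when the sandbox recorded
    no name for the address) and proto. Header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        if not DEST_RE.match(dest):
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Label one row. 'unresolved_tcp' is the bucket a hard-coded beacon
    address lands in: a TCP session to an IP no DNS answer in the capture named."""
    if row["dest"] in RESOLVERS and row["proto"] == "udp":
        return "reverse_lookup" if row["domain"].endswith(".in-addr.arpa") else "dns_query"
    if row["domain"].endswith(BACKGROUND_SUFFIXES):
        return "background"
    if row["proto"] == "tcp" and not row["domain"]:
        return "unresolved_tcp"
    return "other"


def candidates(rows):
    """Unresolved TCP destinations with session counts, busiest first."""
    hits = Counter((r["dest"], r["country"]) for r in rows if classify(r) == "unresolved_tcp")
    return [(dest, country, n) for (dest, country), n in hits.most_common()]


def summary(rows):
    """Count of rows per label."""
    return dict(Counter(classify(r) for r in rows))


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print(summary(rows))
    for dest, country, n in candidates(rows):
        print(f"investigate {dest} ({country}): {n} TCP sessions, no domain recorded")
```

A destination that lands in "other" (a resolved TCP session to a name outside the allow-list) still deserves a look; the allow-list only removes what a clean image generates on its own.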

Files

memory/1092-0-0x00007FF76FD60000-0x00007FF7700B1000-memory.dmp

memory/1092-1-0x0000018F657B0000-0x0000018F657C0000-memory.dmp

C:\Windows\System\LpDkCQl.exe

MD5 b3abca92f6ade5fff7d04ab521e24dc4
SHA1 3980b66c9924dacf644faea856004ac015cc7f9b
SHA256 07f4d3c06fd42e874ab361f8b65420793dedd1303f006d32e6a737861311a223
SHA512 fa2cc35588271450f9b01cc96d47a71b24b058adb4c4e93e23dce5c7262cc925a2a0cba67dee2387a62e4dd2c0f5ba6a9b2812ec41b07b8b5afa87b769dc310b

C:\Windows\System\WvAcTLN.exe

MD5 406c5090804ef3d0607ff101d6facf93
SHA1 cd92686a4f30fe7f983814ecce00f6c716392179
SHA256 7ee5dd2ae9d1f1a58c0da0763ee7f135e390324d77a5ea5563324b63f5521a4b
SHA512 9f39be358baa532ca9a6e2244c6aa6b6d6ac577b647a666640a4ae8493a832a94fb563ea43f93abc1d5aa42f9397043da31bf038866b40bbf5feb0d42c8109a5

C:\Windows\System\ubvJuWJ.exe

MD5 76864bdd5586675dbae022da540d1ecf
SHA1 1eaab402a602e157d0cfc756a37e363f16cc045f
SHA256 130dcae26ca4a378e00780a00dc7bcef984d52ddabf65937aff0a391e51eaf55
SHA512 693cc751759ac241e24a80c8248d0a944c96fb598c8e3637f4a754fef340e5f133b62fadc285af6b0789ea99af5cc82f91171043e2a3ad66aeebb6c079d0c779

C:\Windows\System\KpfEotI.exe

MD5 eb7352b190adb3d10d94d6ddb92abd7d
SHA1 d5096aa58a230969845b9e2cf8c2f8984858afc2
SHA256 33b3cca43504e4689d105350bc78c53a15c326dc794030037ffedf74976dcf59
SHA512 8cede28b377e383ee10edf92948482394faccded4f167972e30b7cd2b3386047b9749c7dde5b190b3f5b7c50112c214be43a77e03d21273954c167f95bb1ba63

C:\Windows\System\LkNCNUo.exe

MD5 1c1979c9878466284dd340b000f431bf
SHA1 a0f91cf7606e2f4460519772d1eecc91f00ebee8
SHA256 ddaea488538436dfe056f4cdaa648d93a804f41498b1e329a4d4e3be35e482b2
SHA512 53a4b19e75d6c70bee9a7561f3daef65b2f717eb3eb34abb7fa880d9a6e2f8953c600c36f13b525da0251157eaf1646f3b9a925016e945468caf9b9cae2bccd8

C:\Windows\System\kGGTJzF.exe

MD5 cffebf543abcdf0c8c47b46a153b46be
SHA1 91f77710fa40fb09b66e243a00b41ad68d601647
SHA256 92395b9fd6ac20328bedfdd7d2c83ec4593ca2cd7202785d475e1df63961a0d8
SHA512 c93f5f5856b8be9c8321a5b32db05be8a70e110e3bf6d64a0a9a0e0ca09b5eb3fa8284e8c47c1bcb90d8539e45c8608fad9be3af391948834c068fba17738c86

C:\Windows\System\smqsRFf.exe

MD5 a5ec12a330e0a9d24cc8e85f63875a48
SHA1 b18a8b9443c182c07107a419a1542dfd5af7469b
SHA256 2a995049bfe5d971b6fcf24dd4e81cf1c75441851f5f348f6497ac12e33a1709
SHA512 ddd8c9c98128d1f4dcb49b29c8f0fd8cbf5582cffe34cdbe386d4f88097cec1ee9850675421abe37df1dddd14f92feed76530f590a36ebca789c61d05b530926

memory/2500-50-0x00007FF642380000-0x00007FF6426D1000-memory.dmp

C:\Windows\System\lINfzuD.exe

MD5 458b3b394417da20bb79ae6ebb93af0f
SHA1 cf66d24ef222e2e108c44adda23c8e9e7e993b88
SHA256 65c2c727d65232c45b2c2931d8a71f956dfd5574802d6b943e128c53a79ef0d2
SHA512 05302c3b6cab94ae64ef8af7d1a1f273d35e91b528e00109ef2733869a16d32b79c977b18a784f2353789497f87019fb404d8a4cd50099d74806bf8ddee8da62

C:\Windows\System\sEBarEe.exe

MD5 a04aee1be211c56b91b0c71267bc525a
SHA1 1e31b7b07197fa6edc398029479978235da41089
SHA256 98ad0408cf1730f67c38f86d4639f818f8f2d09416c10f57145486f01def5f53
SHA512 daf4c1c6794a24314cb63baab9c3f45bafb3f208d66df804b10736d90eb21c6ae1889d5aebb76c8d07322f4ab3cbdc6ae0add714cf22a8c9106fad70953ac84d

C:\Windows\System\ONDjsEn.exe

MD5 a7ab74dd4a7e0411d1da9d95e4c0ec53
SHA1 15cd127f1eb74bccbcf0a2602d0cb1eddba1f9ea
SHA256 8a340ee4bc7345c9c83d433be37564d14aff0ef9e79596d3a8349920b1ff3374
SHA512 7c0a5e750e443b925878d5b1a1c4e4446bab3bf78b7c3d9708a8910a9fa4a4f731980239e2c8927a71502f493894eef3af8ad8cde2678a71732c02b2ba9bf8f8

memory/420-111-0x00007FF625460000-0x00007FF6257B1000-memory.dmp

C:\Windows\System\rPSLNGk.exe

MD5 8841c4a151f5d5ce6a775cafbb592aab
SHA1 bf5a8c16dee9fdd5e67dc412996d9fb7958363e2
SHA256 68261b3c152a09f6cd63db8013139ee9e71ba60aa885477b935bc1809d80b0fd
SHA512 49876743a608b02d33694160580957cab2a8ba3f35d92b1a4e57aa6f172a23b8e8adf2630a5d4f8ee894dfe367ec218570254987eb7e53cecb6fd5685c096c1e

C:\Windows\System\VhOOMTW.exe

MD5 5805c7d562a7a40f32ffb74221910389
SHA1 37589801fc35756b883d9847a3122de63f9dccf0
SHA256 f4aa5394f6cf14011a4fa1f20ae41db719eaa73429a801a0e238f10241c955cc
SHA512 26894bccdd2e298b8d557b0c9d8d12cc29d18981843710939946665a0e9a9068daf5aaf8cb8b0fcce079bc8fd58d340789cb9e448ce3ab00dce8bdc8efca9a7d

memory/2864-125-0x00007FF7CCBD0000-0x00007FF7CCF21000-memory.dmp

memory/1092-124-0x00007FF76FD60000-0x00007FF7700B1000-memory.dmp

memory/4928-123-0x00007FF7819E0000-0x00007FF781D31000-memory.dmp

memory/2484-120-0x00007FF71FF00000-0x00007FF720251000-memory.dmp

memory/1492-119-0x00007FF6FE6C0000-0x00007FF6FEA11000-memory.dmp

C:\Windows\System\ThfPmFt.exe

MD5 40315de74818e984696fcc8db9fd799d
SHA1 5631724e7c1b14cf1c5fef44395ebc699f2d865a
SHA256 a7579b12893fe469a66e76c4928b8510cce94eb7e21535e8ddbfe18d65d549ec
SHA512 a8ac3ed1f1f5986bec8bf262a81154a9078391ddde1d418d13299b4376a6bc677222c543ca0a66bc4aef5fd5035f412856bd1cb788998163eff007b3394114f4

C:\Windows\System\GlAXLPo.exe

MD5 0087fba98e74a8bcb2b7b2c3c13d2ae0
SHA1 445a3504b557d082be5a8b368650372c0c218720
SHA256 ed5a014408214eb754908ec154b53b40d5994487ec45ce9d692a27ce4d6b4395
SHA512 9dc69140106e9bdf01a02e45966dc8e9d8dd85585a1b6b4e1e94d8b15a9b4d36ca6f8eececf344dd056b48ff2a4d9e32452b9cbb064509fc8c16b3cab663401d

C:\Windows\System\iuJgiHQ.exe

MD5 b0cdd08fe6150a850d11077c11529e00
SHA1 681134996046bd4a4f5786da020feb7ae1f29bf5
SHA256 7b918ca2fe3f73741a81d905e7f8cb9f6aee0b2d75420de8a0de6be10554814c
SHA512 5f9f18fa75f3f34a3c1d3a2a1d5832471b75c8d263978b7d7f963ea8e492377a03239e713ea5ea2e1cdcadaf02c7ba36814fc9554ad22c37f4efc37fd900b7b2

memory/1812-110-0x00007FF747280000-0x00007FF7475D1000-memory.dmp

C:\Windows\System\cetTRSd.exe

MD5 51fbdf8eec6a5d69ed680a98a58ed4ed
SHA1 449f5aaac2a53ead782e59e62357b230644051f8
SHA256 850e06b05700d7e6625aef491c875e26af5f69b3ed52f1953f6b699d53ec3596
SHA512 bb8d5c53ae51777a656a4230816c77173d65bb417d31b68002a48c600a4dbdcc08c4478d63d1547a30ae00dcb5f52c02192324b9d970b4de51ced0ab90ccbb23

C:\Windows\System\gNolyja.exe

MD5 51cb96e445ea803e0963a214459bbf40
SHA1 e8c776e5692abaabaa3b66781cc1f320d6906932
SHA256 9029c6ec17cba27f8bcb30a40b538c98fbc505827689af7c3357f6603d962725
SHA512 1637fb2ab513766174d9ef7618f1470e87271c559fd291fff0e7ce53c1ff74064f448b554f62a74e679ffe8719dcf78ca40f2eaa31ba08f4ad1b6146277b4a47

memory/1232-104-0x00007FF7953D0000-0x00007FF795721000-memory.dmp

memory/1008-84-0x00007FF7A6970000-0x00007FF7A6CC1000-memory.dmp

memory/1964-83-0x00007FF617D40000-0x00007FF618091000-memory.dmp

C:\Windows\System\OcDTPER.exe

MD5 f37fe66f10be0d1814032c7d0f78d20e
SHA1 7a086bb3df223fa03018d9c9e9a0d7dde9b8007b
SHA256 160c6e3f200e81ef3c1ae7c1be6ddb0c3a91a0a700ecf45f015704947c05250a
SHA512 a8e0cf41e49a496a7738c45c1deb62c4391f97405236e6f20d7c9cc843625a84f078f0cbd8ac6bf9446eac7ae7f3e0652e9d968573faea73562df0e69c20d8b2

memory/2888-73-0x00007FF6CA8C0000-0x00007FF6CAC11000-memory.dmp

memory/4640-67-0x00007FF622990000-0x00007FF622CE1000-memory.dmp

memory/3036-66-0x00007FF67C390000-0x00007FF67C6E1000-memory.dmp

memory/3644-72-0x00007FF6DB910000-0x00007FF6DBC61000-memory.dmp

C:\Windows\System\GTPxnyy.exe

MD5 47ed5564d5ba1a849fb961c3efd39c46
SHA1 503562288cb337a6b7324d9461c5bd04899a1926
SHA256 5088658cbde73f25ed99c5b89f1a4fd64974250e70728f629218ca57abb04e75
SHA512 b43548e12c138cde947e6e382011be311ab75b683b3758edf03d97d43bc11b60bcd585a0fb1128ab480b74807c10cab0bad849ce2727ad94adff81e129e55be1

C:\Windows\System\PGPVQqr.exe

MD5 b3b77e6e07a06dccdff8cd61098b032a
SHA1 bac0130906ccb4f906114987610d3cf1e316db2e
SHA256 1d125ab8e108c58540e609e0906db4bf2ae64e73294024baf47be23ce558254e
SHA512 4fc20c5e9ea451f665fa6e53e9ec5a6855591a41f95d42cc10af8eac415194aae75603b55448c3fe50bd5f66b2b827a75967f82c559ed82b566802418670a558

C:\Windows\System\LxvXOHC.exe

MD5 a73af8a7a1c43cda50cea112d4747f06
SHA1 8e3abe68e5f8b75978f533b3637f82c4217ae913
SHA256 8bf6a3a98d29ca3f9696cf792c2fd1662a4f5ef9706e3456499764f97a7f7445
SHA512 3fc799b59ff42ac0e5ad58155193d8238e42729215923e56d48193cdcb86bc357f6cbb41e52aea9897afbf6265895719efedb511475cd6ffffec60cfdd994fdb

memory/4844-46-0x00007FF625A50000-0x00007FF625DA1000-memory.dmp

memory/1300-49-0x00007FF624200000-0x00007FF624551000-memory.dmp

memory/4644-38-0x00007FF7A6E00000-0x00007FF7A7151000-memory.dmp

memory/2280-37-0x00007FF658620000-0x00007FF658971000-memory.dmp

memory/1936-26-0x00007FF755D00000-0x00007FF756051000-memory.dmp

memory/1704-16-0x00007FF720E90000-0x00007FF7211E1000-memory.dmp

memory/2916-7-0x00007FF67CD70000-0x00007FF67D0C1000-memory.dmp

memory/2888-142-0x00007FF6CA8C0000-0x00007FF6CAC11000-memory.dmp

memory/3036-137-0x00007FF67C390000-0x00007FF67C6E1000-memory.dmp

memory/2916-130-0x00007FF67CD70000-0x00007FF67D0C1000-memory.dmp

memory/1232-144-0x00007FF7953D0000-0x00007FF795721000-memory.dmp

memory/2864-150-0x00007FF7CCBD0000-0x00007FF7CCF21000-memory.dmp

memory/1492-147-0x00007FF6FE6C0000-0x00007FF6FEA11000-memory.dmp

memory/420-146-0x00007FF625460000-0x00007FF6257B1000-memory.dmp

memory/1812-145-0x00007FF747280000-0x00007FF7475D1000-memory.dmp

memory/4928-149-0x00007FF7819E0000-0x00007FF781D31000-memory.dmp

memory/1964-143-0x00007FF617D40000-0x00007FF618091000-memory.dmp

memory/3644-140-0x00007FF6DB910000-0x00007FF6DBC61000-memory.dmp

memory/2500-139-0x00007FF642380000-0x00007FF6426D1000-memory.dmp

memory/1300-138-0x00007FF624200000-0x00007FF624551000-memory.dmp

memory/4640-136-0x00007FF622990000-0x00007FF622CE1000-memory.dmp

memory/4844-135-0x00007FF625A50000-0x00007FF625DA1000-memory.dmp

memory/2280-134-0x00007FF658620000-0x00007FF658971000-memory.dmp

memory/1936-132-0x00007FF755D00000-0x00007FF756051000-memory.dmp

memory/1704-131-0x00007FF720E90000-0x00007FF7211E1000-memory.dmp

memory/1092-129-0x00007FF76FD60000-0x00007FF7700B1000-memory.dmp

memory/1092-151-0x00007FF76FD60000-0x00007FF7700B1000-memory.dmp

memory/2916-198-0x00007FF67CD70000-0x00007FF67D0C1000-memory.dmp

memory/1704-200-0x00007FF720E90000-0x00007FF7211E1000-memory.dmp

memory/1936-202-0x00007FF755D00000-0x00007FF756051000-memory.dmp

memory/4644-204-0x00007FF7A6E00000-0x00007FF7A7151000-memory.dmp

memory/2280-206-0x00007FF658620000-0x00007FF658971000-memory.dmp

memory/4844-208-0x00007FF625A50000-0x00007FF625DA1000-memory.dmp

memory/2500-211-0x00007FF642380000-0x00007FF6426D1000-memory.dmp

memory/1300-212-0x00007FF624200000-0x00007FF624551000-memory.dmp

memory/1964-220-0x00007FF617D40000-0x00007FF618091000-memory.dmp

memory/2888-222-0x00007FF6CA8C0000-0x00007FF6CAC11000-memory.dmp

memory/3036-218-0x00007FF67C390000-0x00007FF67C6E1000-memory.dmp

memory/4640-217-0x00007FF622990000-0x00007FF622CE1000-memory.dmp

memory/1008-215-0x00007FF7A6970000-0x00007FF7A6CC1000-memory.dmp

memory/420-231-0x00007FF625460000-0x00007FF6257B1000-memory.dmp

memory/3644-236-0x00007FF6DB910000-0x00007FF6DBC61000-memory.dmp

memory/1812-235-0x00007FF747280000-0x00007FF7475D1000-memory.dmp

memory/1232-233-0x00007FF7953D0000-0x00007FF795721000-memory.dmp

memory/1492-229-0x00007FF6FE6C0000-0x00007FF6FEA11000-memory.dmp

memory/2484-227-0x00007FF71FF00000-0x00007FF720251000-memory.dmp

memory/2864-225-0x00007FF7CCBD0000-0x00007FF7CCF21000-memory.dmp

memory/4928-241-0x00007FF7819E0000-0x00007FF781D31000-memory.dmp
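Each of the eight dropped file names that appears in both Files listings (OcDTPER, cetTRSd, rPSLNGk, iuJgiHQ, VhOOMTW, GlAXLPo, gNolyja, ThfPmFt) carries identical MD5/SHA1/SHA256/SHA512 values in the Windows 7 and Windows 10 runs, while every name has a different hash from every other name; the per-name content is therefore fixed across detonations, so the hashes are usable indicators rather than one-off artefacts of a single run. The extractor below is an added example, not part of the report or any vendor tooling. The listing layout (a path line, then hash lines, with memory/... dump names interleaved) is read off this page; the two inputs are constructed subsets of the behavioral1 and behavioral2 listings with the SHA512 lines left out for brevity, although the parser accepts them. Note that behavioral1 mixes the forms "\Windows\system\..." and "C:\Windows\system\...", which the normaliser folds together.

```python
"""Extract dropped-file IOCs from two sandbox Files listings and compare the
detonations by file name.

Added example, not part of the original report. RUN1 and RUN2 are
constructed subsets of this report's behavioral1 and behavioral2 listings
(SHA512 lines omitted); the layout is inferred from the page.
"""
import re

RUN1 = r"""
\Windows\system\OcDTPER.exe

MD5 f37fe66f10be0d1814032c7d0f78d20e
SHA1 7a086bb3df223fa03018d9c9e9a0d7dde9b8007b
SHA256 160c6e3f200e81ef3c1ae7c1be6ddb0c3a91a0a700ecf45f015704947c05250a

memory/2032-115-0x000000013FDD0000-0x0000000140121000-memory.dmp

C:\Windows\system\rPSLNGk.exe

MD5 8841c4a151f5d5ce6a775cafbb592aab
SHA1 bf5a8c16dee9fdd5e67dc412996d9fb7958363e2
SHA256 68261b3c152a09f6cd63db8013139ee9e71ba60aa885477b935bc1809d80b0fd
"""

RUN2 = r"""
memory/1092-0-0x00007FF76FD60000-0x00007FF7700B1000-memory.dmp

C:\Windows\System\LpDkCQl.exe

MD5 b3abca92f6ade5fff7d04ab521e24dc4
SHA1 3980b66c9924dacf644faea856004ac015cc7f9b
SHA256 07f4d3c06fd42e874ab361f8b65420793dedd1303f006d32e6a737861311a223

C:\Windows\System\rPSLNGk.exe

MD5 8841c4a151f5d5ce6a775cafbb592aab
SHA1 bf5a8c16dee9fdd5e67dc412996d9fb7958363e2
SHA256 68261b3c152a09f6cd63db8013139ee9e71ba60aa885477b935bc1809d80b0fd

C:\Windows\System\OcDTPER.exe

MD5 f37fe66f10be0d1814032c7d0f78d20e
SHA1 7a086bb3df223fa03018d9c9e9a0d7dde9b8007b
SHA256 160c6e3f200e81ef3c1ae7c1be6ddb0c3a91a0a700ecf45f015704947c05250a
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]{32,128})$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\[^\s]+\.\w{1,4}$")   # Windows path with an extension


def normalize_path(path):
    """Drop an optional drive letter and lower-case, so the two path forms in
    the win7 listing compare equal with the win10 form."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_files(text):
    """Return {normalized path: {algo: hexdigest}}; dump names are skipped."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).lower()
        elif PATH_RE.match(line):
            current = normalize_path(line)
            entries.setdefault(current, {})
    return entries


def compare_runs(a, b, algo="SHA256"):
    """Split file names into: same digest in both runs, different digest,
    only in a, only in b."""
    same, differ = [], []
    for p in sorted(a.keys() & b.keys()):
        (same if a[p].get(algo) == b[p].get(algo) else differ).append(p)
    return {"same": same, "differ": differ,
            "only_a": sorted(a.keys() - b.keys()),
            "only_b": sorted(b.keys() - a.keys())}


def ioc_list(*runs, algo="SHA256"):
    """Deduplicated (path, digest) pairs across runs, for a blocklist or hunt."""
    seen = set()
    for run in runs:
        for path, hashes in run.items():
            if algo in hashes:
                seen.add((path, hashes[algo]))
    return sorted(seen)


if __name__ == "__main__":
    r1, r2 = parse_files(RUN1), parse_files(RUN2)
    print(compare_runs(r1, r2))
    for path, digest in ioc_list(r1, r2):
        print(digest, path)
```

Names in "differ" would mean the dropper rewrites content per run and the hashes are not worth shipping; on this page that list is empty for every shared name.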